Decoding the audio of this file crashes ffmpeg: http://drv.nu/temp/fit-roll.wmv
 (~5 MB)

Input audio is wmav2.  The file was created by the Xbox360 game Forza 3.

This is the first problem encountered: if (v >= s->nb_block_sizes) is triggered:

Starting program: /home/daniel/src/ffmpeg/ffmpeg-git/ffmpeg_g -y -i
~/temp/fit-roll.wmv ~/temp/fit-roll.avi
[Thread debugging using libthread_db enabled]
FFmpeg version git-svn-r20416, Copyright (c) 2000-2009 Fabrice Bellard, et al.
  built on Oct 29 2009 23:19:13 with gcc 4.4.1
  configuration: --disable-optimizations --enable-debug
  libavutil     50. 3. 0 / 50. 3. 0
  libavcodec    52.37. 1 / 52.37. 1
  libavformat   52.39. 2 / 52.39. 2
  libavdevice   52. 2. 0 / 52. 2. 0
  libswscale     0. 7. 1 /  0. 7. 1

Seems stream 1 codec frame rate differs from container frame rate: 1000.00
(1000/1) -> 30.00 (30/1)
Input #0, asf, from '/home/daniel/temp/fit-roll.wmv':
  Duration: 00:00:10.02, start: 3.000000, bitrate: 4068 kb/s
    Stream #0.0(eng): Audio: wmav2, 48000 Hz, 2 channels, s16, 128 kb/s
    Stream #0.1(eng): Video: vc1, yuv420p, 640x360, 4194 kb/s, PAR 1:1 DAR 16:9,
30 tbr, 1k tbn, 1k tbc
  Metadata
    title           : Honda Fit on Full Circuit
    author          : I KiZ I
    copyright       :
    comment         : Forza Motorsport 3 Video
    SubTitle        : driven by I KiZ I
    Category        : Forza;Forza Motorsport 3;I KiZ I;Maple Valley Raceway;Full
Circuit;I KiZ I;Honda;Honda Fit
    PromotionURL    : http://forzamotorsport.net
    Forza/EnvironmentId: 9
    Forza/TrackId   : 67
    Forza/TrackConfig: 0
    Forza/FocusCarMakeId: 16
    Forza/FocusCarModelId: 1,037
    MediaFoundationVersion: 1.112
Output #0, avi, to '/home/daniel/temp/fit-roll.avi':
    Stream #0.0(eng): Video: mpeg4, yuv420p, 640x360 [PAR 1:1 DAR 16:9], q=2-31,
200 kb/s, 30 tbn, 30 tbc
    Stream #0.1(eng): Audio: mp2, 48000 Hz, 2 channels, s16, 64 kb/s
Stream mapping:
  Stream #0.1 -> #0.0
  Stream #0.0 -> #0.1
Press [q] to stop encoding
[New Thread 0x7f8d4cf1a6f0 (LWP 23849)]
[Switching to Thread 0x7f8d4cf1a6f0 (LWP 23849)]

Breakpoint 1, wma_decode_block (s=0x1dd89e0) at libavcodec/wmadec.c:444
444                     return -1;
(gdb) p v
$1 = 7
(gdb) p s->nb_block_sizes
$2 = 5




If execution is allowed to continue, it crashes later:

(gdb) bt
#0  0x0000000000000000 in ?? ()
#1  0x00000000006e6064 in ff_imdct_calc (s=0x11ec3a0, output=0x11e7ed0,
input=0x11e3ed0) at libavcodec/dsputil.h:820
#2  0x00000000006e8194 in wma_decode_block (s=0x11db9e0) at libavcodec/wmadec.c:721
#3  0x00000000006e8313 in wma_decode_frame (s=0x11db9e0, samples=0x7f237e0d7010)
at libavcodec/wmadec.c:754
#4  0x00000000006e8899 in wma_decode_superframe (avctx=0x107ec30,
data=0x7f237e0d7010, data_size=0x7fff9e647ebc,
    avpkt=0x7fff9e647d10) at libavcodec/wmadec.c:878
#5  0x00000000004bd23b in avcodec_decode_audio3 (avctx=0x107ec30,
samples=0x7f237e0d7010, frame_size_ptr=0x7fff9e647ebc,
    avpkt=0x7fff9e647d10) at libavcodec/utils.c:644
#6  0x0000000000408376 in output_packet (ist=0x108a530, ist_index=0,
ost_table=0x108a5d0, nb_ostreams=2, pkt=0x7fff9e647ff0)
    at ffmpeg.c:1302
#7  0x000000000040c073 in av_encode (output_files=0xb6c160, nb_output_files=1,
input_files=0xb6a700, nb_input_files=1,
    stream_maps=0xb6cea0, nb_stream_maps=0) at ffmpeg.c:2284
#8  0x00000000004106cb in main (argc=5, argv=0x7fff9e648ab8) at ffmpeg.c:3988

Also note that sample plays fine in Windows Media Player.

Reproduced.
This sample also crashed mplayer and ffdshow.

Sample uploaded to incoming/issue1503.
Works fine with mplayer -ac wmadmo.

Daniel Verkamp wrote:
> New submission from Daniel Verkamp <daniel@drv.nu>:
>
> Decoding the audio of this file crashes ffmpeg: http://drv.nu/temp/fit-roll.wmv
>  (~5 MB)
>
> Input audio is wmav2.  The file was created by the Xbox360 game Forza 3.
>
> This is the first problem encountered: if (v >= s->nb_block_sizes) is triggered:
>   

s->nb_block_sizes is set directly from the extradata parameter flags2. Can you test if setting s->nb_block_sizes to 8 in wma.c:150 works ?

If it works maybe we should reinit in the case of (v >= 
s->nb_block_sizes). It could be that the extradata just is invalid.

MvH
Benjamin Larsson

Tried setting s->nb_block_sizes = 8 both inside if block (line 150) and after
the if block (line 152), still crashes (now at a different location):

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7ffa168626f0 (LWP 25311)]
0x00000000007862a6 in ff_sine_window_init (window=0x0, n=16) at libavcodec/mdct.c:69
69              window[i] = sinf((i + 0.5) * (M_PI / (2.0 * n)));
(gdb) bt
#0  0x00000000007862a6 in ff_sine_window_init (window=0x0, n=16) at
libavcodec/mdct.c:69
#1  0x00000000006e5459 in ff_wma_init (avctx=0x2edec30, flags2=13) at
libavcodec/wma.c:351
#2  0x00000000006e6159 in wma_decode_init (avctx=0x2edec30) at
libavcodec/wmadec.c:105
#3  0x00000000004bccfa in avcodec_open (avctx=0x2edec30, codec=0xb66600) at
libavcodec/utils.c:504
#4  0x000000000040b281 in av_encode (output_files=0xb6c160, nb_output_files=1,
input_files=0xb6a700, nb_input_files=1,
    stream_maps=0xb6cea0, nb_stream_maps=0) at ffmpeg.c:2051
#5  0x00000000004106cb in main (argc=5, argv=0x7fff01aa5b98) at ffmpeg.c:3988

adding fishsponge to Nosy list.

With the addition of error messages in r20757, this now prints:

[...]
Output #0, avi, to '/home/daniel/temp/fit-roll.avi':
    Stream #0.0(eng), 3/125: Audio: mp2, 48000 Hz, 2 channels, s16, 64 kb/s
Stream mapping:
  Stream #0.0 -> #0.0
Press [q] to stop encoding
[wmav2 @ 0x29bfc30]prev_block_len_bits 4 out of range
Error while decoding stream #0.0
Segmentation fault

The crash is still in ff_imdct_calc calling a null function pointer.

Setting use_variable_block_len to 0 decodes alright, no warnings.

HTH,

diff --git a/libavcodec/wmadec.c b/libavcodec/wmadec.c
index 74583ab..ad98997 100644
--- a/libavcodec/wmadec.c
+++ b/libavcodec/wmadec.c
@@ -100,7 +100,7 @@ static int wma_decode_init(AVCodecContext * avctx)
 
     s->use_exp_vlc = flags2 & 0x0001;
     s->use_bit_reservoir = flags2 & 0x0002;
-    s->use_variable_block_len = flags2 & 0x0004;
+    s->use_variable_block_len = 0;
 
     if(ff_wma_init(avctx, flags2)<0)
         return -1;

extradata is 10 bytes (0 88 0 0 d 0 0 0 0 0), not 6 like suggested in
http://wiki.multimedia.cx/index.php?title=Windows_Media_Audio

=> flags2 = bits 3:1 set. bit3 isn't documented in FFmpeg source

Perhaps wmav2 flags2 is always last 16 bits of codec specific data and not bytes
4-5 ?

I have an ARMv4 decoder which accepts plays the file fine.

With a quick check it always loads bytes 2-3 unconditionally of wmav1 or v2.
(Not sure what it does with it though).

Who reverse engineered WMA, Fabrice Bellard ? At least he's the author of the
decoder

Tested all samples from http://samples.ffmpeg.org/A-codecs/{WMAV1,WMA2} , all
the wmav2 streams have 10 bytes extradata:

ffwmav2_not_working.asf         00 44 00 00 0f 00 f9 0d 00 00    
ffwma2_broken.wma               00 88 00 00 1f 00 d9 22 00 00
ffwma_dont_work.wmv             00 44 00 00 0f 00 f9 0d 00 00
nintendothemesacappellax.wmv    00 22 00 00 2e 00 80 07 00 00
polski-rajd.wmv                 00 88 00 00 0f 00 b1 2a 00 00
qanda_2008_ep10.wmv             00 88 00 00 0f 00 75 2e 00 00
raam28mb.wmv                    00 48 00 00 0e 00 7e 03 00 00
tc316_3.wmv                     00 44 00 00 0e 00 f9 0d 00 00
theweekend.wmv                  00 44 00 00 0f 00 f9 0f 00 00
wma2failure.wmv                 00 44 00 00 0e 00 f9 0d 00 00

fit-roll.wmv (this issue)       00 88 00 00 0d 00 00 00 00 00
notice those are unset ---------------------------^^^^^

WMA_VBR_Quality90_48KHz_Stereo.wma 
format type: wmav2 , with Extra Data: 00 88 00 00 0F 00 00 00-00 00  
decode error with log "Disabling use_variable_block_len, if this fails contact
the ffmpeg developers and send us the file\n"and"overflow in spectral RLE, ignoring"

decodes without crashing in Libav HEAD