When I executed the following code:
AVFrameSideData* avfsd=NULL;
avfsd = av_frame_get_side_data(frame, AV_FRAME_DATA_MOTION_VECTORS);
if(avfsd->data != NULL)
printf("avfsd->data != NULL\n");
I got a segmentation fault. It seemed to me that avfsd is not allowed to access data field. But when I look up the documentation of AVFrameSideData, I found:
typedef struct AVFrameSideData {
enum AVFrameSideDataType type;
uint8_t *data;
int size;
AVDictionary *metadata;
} AVFrameSideData;
why can't I access unint8_t *data through: avfsd->data? Frankly, avfsd is not Null. The following is some debugging infomation:
(gdb) print avfsd
$5 = <optimized out>
(gdb) print *avfsd
value has been optimized out
(gdb) print avfsd->data
value has been optimized out
(gdb) print frame->side_data
$6 = (AVFrameSideData **) 0x1bc4000
Btw, is the data here the data of motion vector of the frame? Why is it so short: see what I got from gdb:
(gdb) print frame->side_data[0]->type
$2 = AV_FRAME_DATA_MOTION_VECTORS
(gdb) print frame->side_data[0]->data
$1 = (uint8_t *) 0x1c32540 "\377\377\377\377\020\020\006"
I thought motion vector should be kind of a long chain. But from above...why is it that short?
Related
I'm writing a program that uses the following structures to store information:
/* Structure used to hold a graph vertex information. */
typedef struct graph_vertex
{
int identifier;
struct graph_vertex *next_vertex_p;
struct graph_edge *edge_list_p;
boolean_t visited;
} graph_vertex_t;
/* Structure used to hold a graph edge information. */
typedef struct graph_edge
{
struct graph_vertex *adjac_vertex_p;
struct graph_edge *next_edge_p;
} graph_edge_t;
Basically, the first structure is used to store a list of vertices while the second is used by the first to store the connections(edges). Now I'm trying to look through the list of edges for a certain vertex I found and do an operation. I use the following code for this:
/* Find the right vertex to explore*/
for (curr_graph = start;
curr_graph != NULL && curr_graph->identifier != list[0];
curr_graph = curr_graph->next_vertex_p);
/* Explore all it's edges for new vertices. */
for (curr_edge_list = curr_graph->edge_list_p;
curr_edge_list != NULL;
curr_edge_list = curr_edge_list->next_edge_p)
{
printf("ID: %d ,", curr_edge_list->adjac_vertex_p->identifier);
/*do more stuff...*/
Currently I'm getting a segmentation fault on the line with the printf which I checked using gdb. I also checked the values of curr_edge_list , curr_edge_list->adjac_vertex_p and curr_edge_list->adjac_vertex_p->identifier :
Program received signal SIGSEGV, Segmentation fault.
0x0000555555554c9f in start_visit_graph_bf (start=0x7fffffffdee0,
starting_identifier=1) at explore_graph.c:170
170 printf("ID: %d ,", curr_edge_list->adjac_vertex_p->identifier);
(gdb) print curr_edge_list
$1 = (graph_edge_t *) 0x5555557574a0
(gdb) print curr_edge_list->adjac_vertex_p
$2 = (struct graph_vertex *) 0xfbad2488
(gdb) print curr_edge_list->adjac_vertex_p->identifier
Cannot access memory at address 0xfbad2488
(gdb)
My first instinct was that the value 0xfbad2488 was a code used to describe NULL, so I checked that curr_edge_list->adjac_vertex_p wasn't equal to NULL before the printf statement. This was not the case. Therefor my question is: What is the value 0xfbad2488 and what does it mean if a variable has that value? Also which operations cause this kind of behavior?
My first instinct was that the value 0xfbad2488 was a code used to describe NULL
No, NULL will look like this in GDB:
(gdb) print curr_edge_list->adjac_vertex_p
$2 = (struct graph_vertex *) 0x0
What you want to do is figure out which location is being overwritten (print &curr_edge_list->adjac_vertex_p), and set a watchpoint on it:
(gdb) watch -l curr_edge_list->adjac_vertex_p
Then run your program again. If your program is deterministic (doesn't use threads), you should see the location acquire initial value (should look similar to your other pointers, e.g. 0x55555575..., and then you should see it being overwritten with 0xfbad2488. That is exactly the point where the bug is (where your data is getting corrupted).
i need the address of a particular array, i obtained other array's addresses with success but in this one i got stuck.. here is the main code:
int main(int argc, char** argv) {
string[0] = 0;
char polpetta[]="secret-file";
char buf[50] ;
printf("me Can I read the secret file?! \n\n");
if (argc > 2) {
vuln(argv[1]);
strcpy(buf, argv[2]) ;
} else {
printf("You forgot to read me!!!\n");
}
return 0;
}
ok i put the breakpoint after the first printf:
(gdb) b* 0x080485f3
Breakpoint 1 at 0x80485f3
(gdb) r 12 12
Starting program: /home/andrew/Desktop/Software-Security-Lab/rop/rop-vuln
me Can I read the secret file?!
Breakpoint 1, 0x080485f3 in main ()
(gdb) p &buf
$1 = (char **) 0xb7fb9ef0 <buf>
(gdb) p &polpetta
No symbol "polpetta" in current context.
ok i obtained with success the address of buf... but not the address of polpetta! so i tried with different methods:
(gdb) p $polpetta
$2 = void
(gdb) p &$polpetta
Attempt to take address of value not located in memory.
(gdb) p polpetta
No symbol "polpetta" in current context.
(gdb) info locals
No symbol table info available.
(gdb) p *polpetta
No symbol "polpetta" in current context.
what the hell?? i also tried to repeat this routine at different breakpoints inside the main function...
thanks for your kindness!
I'm trying to migrate a small c program from hpux to linux. The project compiles fine but crashes at runtime showing me a segmentation fault. I've already tried to see behind the mirror using strace and gdb but still don't understand. The relevant (truncated) parts:
tts_send_2.c
Contains a method
int sequenznummernabgleich(int sockfd, char *snd_id, char *rec_id, int timeout_quit) {
TS_TEL_TAB tel_tab_S01;
int n;
# truncated
}
which is called from within that file like this:
. . .
. . .
switch(sequenznummernabgleich(sockfd,c_snd_id,c_rec_id,c_timeout_quit)) {
/* kritischer Fehler */
case -1:
. . .
. . .
when calling that method I'm presented a segmentation fault (gdb output):
Program received signal SIGSEGV, Segmentation fault.
0x0000000000403226 in sequenznummernabgleich (sockfd=<error reading variable: Cannot access memory at address 0x7fffff62f94c>,
snd_id=<error reading variable: Cannot access memory at address 0x7fffff62f940>, rec_id=<error reading variable: Cannot access memory at address 0x7fffff62f938>,
timeout_quit=<error reading variable: Cannot access memory at address 0x7fffff62f934>) at tts_snd_2.c:498
498 int sequenznummernabgleich(int sockfd, char *snd_id, char *rec_id, int timeout_quit) {
which I just don't understand. When I'm stepping to the line where the method is called using gdb, all the variables are looking fine:
1008 switch(sequenznummernabgleich(sockfd,c_snd_id,c_rec_id,c_timeout_quit)) {
(gdb) p sockfd
$9 = 8
(gdb) p &sockfd
$10 = (int *) 0x611024 <sockfd>
(gdb) p c_snd_id
$11 = "KR", '\000' <repeats 253 times>
(gdb) p &c_snd_id
$12 = (char (*)[256]) 0xfde220 <c_snd_id>
(gdb) p c_rec_id
$13 = "CO", '\000' <repeats 253 times>
(gdb) p &c_rec_id
$14 = (char (*)[256]) 0xfde560 <c_rec_id>
(gdb) p c_timeout_quit
$15 = 20
(gdb) p &c_timeout_quit
$16 = (int *) 0xfde660 <c_timeout_quit>
I've also created an strace output. Here's the last part concerning the code shown above:
strace output
Any ideas ? I've searched the web and of course stackoverflow for hours without finding a really similar case.
Thanks
Kriz
I haven't used an HP/UX in eons but do hazily remember enough for the following suggestions:
Make sure you're initializing variables / struts correctly. Use calloc instead of malloc.
Also don't assume a specific bit pattern order: eg low byte then high byte. Ska endian-ness of the machine. There are usually macros in the compiler that will handle the appropriate ordering for you.
Update 15.10.16
After debugging for even more hours I found the real Problem. On the first line of the Method "sequenznummernabgleich" is a declaration of a struct
TS_TEL_TAB tel_tab_S01;
This is defined as following:
typedef struct {
TS_BOF_REC bof;
TS_REM_REC rem;
TS_EOF_REC eof;
int bof_len;
int rem_len;
int eof_len;
int cnt;
char teltyp[LEN_TELTYP+1];
TS_TEL_ENTRY entries[MAX_TEL];
} TS_TEL_TAB;
and it's embedded struct TS_TEL_ENTRY
typedef struct {
int len;
char tel[MAX_TEL_LEN];
} TS_TEL_ENTRY;
The problem is that the value for MAX_TEL_LEN had been changed from 512 to 1024 and thus the struct almost doubled in size what lead to that the STACK SIZE was not big enough anymore.
SOLUTION
Simply set the stack size from 8Mb to 64Mb. This can be achieved using ulimit command (under linux).
List current stack size: ulimit -s
Set stack size to 64Mb: ulimit -s 65535
Note: Values for stack size are in kB.
For a good short ref on ulimit command have a look # ss64
I have an issue with my pointer to a structure variable. I just started using GDB to debug the issue. The application stops when it hits on the line of code below due to segmentation fault. ptr_var is a pointer to a structure
ptr_var->page = 0;
I discovered that ptr_var is set to an invalid memory 0x0 after a series of function calls which caused the segmentation fault when assigning the value "0" to struct member "page". The series of function calls does not have a reference to ptr_var. The old address that used to be assigned to ptr_var is still in memory. I can still still print the values of members from the struct ptr_var using the old address. GDB session below shows that I am printing a string member of the struct ptr_var using its address
(gdb) x /s *0x7e11c0
0x7e0810: "Sample String"
I couldn't tell when the variable ptr_var gets assigned an invalid address 0x0. I'm a newbie to GDB and an average C programmer. Your assistance in this matter is greatly appreciated. Thank you.
What you want to do is set a watchpoint, GDB will then stop execution every time a member of a struct is modified.
With the following example code
typedef struct {
int val;
} Foo;
int main(void) {
Foo foo;
foo.val = 5;
foo.val = 10;
}
Drop a breakpoint at the creation of the struct and execute watch -l foo.val Then every time that member is changed you will get a break. The following is my GDB session, with my input
(gdb) break test.c:8
Breakpoint 3 at 0x4006f9: file test.c, line 8.
(gdb) run
Starting program: /usr/home/sean/a.out
Breakpoint 3, main () at test.c:9
9 foo.val = 5;
(gdb) watch -l foo.val
Hardware watchpoint 4: -location foo.val
(gdb) cont
Continuing.
Hardware watchpoint 4: -location foo.val
Old value = 0
New value = 5
main () at test.c:10
(gdb) cont
Continuing.
Hardware watchpoint 4: -location foo.val
Old value = 5
New value = 10
main () at test.c:11
(gdb) cont
If you can rerun, then break at a point where ptr_var is correct you can set a watch point on ptr_var like this: (gdb) watch ptr_var. Now when you continue every time ptr_var is modified gdb should stop.
Here's an example. This does contain undefined behaviour, as I'm trying to reproduce a bug, but hopefully it should be good enough to show you what I'm suggesting:
#include <stdio.h>
#include <stdint.h>
int target1;
int target2;
void
bad_func (int **bar)
{
/* Set contents of bar. */
uintptr_t ptr = (uintptr_t) bar;
printf ("Should clear %p\n", (void *) ptr);
ptr += sizeof (int *);
printf ("Will clear %p\n", (void *) ptr);
/* Bad! We just corrupted foo (maybe). */
*((int **) ptr) = NULL;
}
int
main ()
{
int *foo = &target1;
int *bar = &target2;
printf ("&foo = %p\n", (void *) &foo);
printf ("&boo = %p\n", (void *) &bar);
bad_func (&bar);
return *foo;
}
And here's a gdb session:
(gdb) break bad_func
Breakpoint 1 at 0x400542: file watch.c, line 11.
(gdb) r
&foo = 0x7fffffffdb88
&boo = 0x7fffffffdb80
Breakpoint 1, bad_func (bar=0x7fffffffdb80) at watch.c:11
11 uintptr_t ptr = (uintptr_t) bar;
(gdb) up
#1 0x00000000004005d9 in main () at watch.c:27
27 bad_func (&bar);
(gdb) watch foo
Hardware watchpoint 2: foo
(gdb) c
Continuing.
Should clear 0x7fffffffdb80
Will clear 0x7fffffffdb88
Hardware watchpoint 2: foo
Old value = (int *) 0x60103c <target1>
New value = (int *) 0x0
bad_func (bar=0x7fffffffdb80) at watch.c:18
18 }
(gdb)
For some reason the watchpoint appears to trigger on the line after the change was made, even though I compiled this with -O0, which is a bit of a shame. Still, it's usually close enough to help identify the problem.
For such kind of problems I often use the old electric fence library, it can be used to find bug in "software that overruns the boundaries of a malloc() memory allocation". You will find all the instructions and basic usage at this page:
http://elinux.org/Electric_Fence
(At the very end of the page linked above you will find the download link)
When trying the following in C :
g_string_printf(qbuf,"INSERT INTO inbox (number, smsdate, text) VALUES ('%s','%04d-%02d-%02d %02d:%02d:%02d', '%s')",
xmx.remote.number,
xmx.smsc_time.year,
xmx.smsc_time.month,
xmx.smsc_time.day,
xmx.smsc_time.hour,
xmx.smsc_time.minute,
xmx.smsc_time.second,
xmx.user_data[0].u.text);
I see the following crash:
Program received signal SIGSEGV, Segmentation fault.
0x00984809 in g_string_truncate () from /lib/libglib-2.0.so.0
(gdb)
Why would this happen? Is there any initiation before calling g_string_printf() ?
From frame 2:
(gdb) frame 2
#2 0x08049ba8 in fetching_phone (unit=0x807cd80) at main.c:152
152 g_string_printf(qbuf,"INSERT INTO inbox (number, smsdate, text) VALUES ('%s','%04d-%02d-%02d %02d:%02d:%02d', '%s')",
(gdb) ptype xmx.remote.number
type = char [40]
(gdb) ptype xmx.smsc_time.year
type = int
(gdb) ptype xmx.smsc_time.month
type = int
(gdb) ptype xmx.smsc_time.day
type = int
(gdb) ptype xmx.smsc_time.hour
type = int
(gdb) ptype xmx.smsc_time.minute
type = int
(gdb) ptype xmx.smsc_time.second
type = int
(gdb) ptype xmx.user_data[0].u.text
type = unsigned char [1601]
(gdb)
But, I still can't find where the problem is.
You probably have a bad pointer for the '%s' fields.
As you are running gdb, here is what you can do:
(gdb) bt
...trace...
# see the frame # of your call to g_string_printf()
(gdb) frame 5 # considering it was 5
(gdb) print xmx.remote.number
(gdb) print xmx.user_data[0].u.text
(gdb) print *xmx.remote.number
(gdb) print *xmx.user_data[0].u.text
or you can also check types (is xmx.remote.number a pointer ?)
(gdb) ptype xmx.remote.number
Did you initialize qbuf?
GString *qbuf = g_string_new("");