On Fri, May 15, 2026 at 4:32 AM Andrew Randrianasulu <randrianasulu@gmail.com> wrote:
Unfortunately, after patching our ffmpeg 8.1 with
https://source.ffmpeg.org/gitweb/ffmpeg.git/commit/3b939ced79655ed084e6bebc4...
I still see this crash on x265 created hevc + alpha file:
Thread 301 "av:hevc:df1" received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7fff82ffd700 (LWP 6407)]
alloc_frame (s=s@entry=0x7fff401ae8c0, l=l@entry=0x7fff401af698) at libavcodec/hevc/refs.c:194
194         AVFrame *base = s->layers[0].cur_frame->f;
I added one more condition at line 192 in this file:

    && &s->layers[0].cur_frame->f != 0

so the full line reads like

    if (l != &s->layers[0] && ff_hevc_is_alpha_video(s) && &s->layers[0].cur_frame->f != 0 ) {

and this seems to eliminate the crash (decoding still looks ok)
(gdb) bt full
#0  alloc_frame (s=s@entry=0x7fff401ae8c0, l=l@entry=0x7fff401af698) at libavcodec/hevc/refs.c:194
        alpha = 0x7fff0406bdc0
        base = <optimized out>
        frame = <optimized out>
        vps = <optimized out>
        i = <optimized out>
        j = <optimized out>
        ret = <optimized out>
#1  0x000000000100b7f3 in ff_hevc_set_new_ref (s=s@entry=0x7fff401ae8c0, l=l@entry=0x7fff401af698, poc=123) at libavcodec/hevc/refs.c:226
        ref = <optimized out>
        i = <optimized out>
        no_output = <optimized out>
#2  0x0000000000fd7dd6 in hevc_frame_start (nal_idx=1, l=0x7fff401af698, s=0x7fff401ae8c0) at libavcodec/hevc/hevcdec.c:3337
        pps = 0x7fff402c5640
        new_sequence = 0
        prev_layers_active_output = 1
        ret = <optimized out>
        sps = 0x7fff402c0640
        pic_size_in_ctb = 2806
        prev_layers_active_decode = 3
#3  decode_slice (gb=0x7fff82ffccc0, nal_idx=1, s=0x7fff401ae8c0) at libavcodec/hevc/hevcdec.c:3580
---Type <return> to continue, or q <return> to quit---
        layer_idx = <optimized out>
        l = 0x7fff401af698
        ret = <optimized out>
#4  decode_nal_unit (nal_idx=1, s=0x7fff401ae8c0) at libavcodec/hevc/hevcdec.c:3663
        nal = <optimized out>
        gb = { buffer = 0x7fff74000e9e "\002\t\244\366W\346\024\210\022\003\001*$\004A\370\326\372\303\246\260\314\353\214c).z_=\351\021~\304\f\020'\247\222#gb\033/_\325H\261L\211v\037h\206\301\272\256[\"\377/\204|W\002pm\347\265\322\177e\030\220K\216!\224\b+mI\216\017\307\020\177\215#m\353\200\235W\215E\352K\031\275k\346\322\032g>'0\246C\274U\263v\236\215s\265y\312\245\t\255\203T\376\213Y\037\177`y\005\320\016\022R\036\035I\261\204w\202\271\311\311%S\313\322\370\306\250\241\065JW\224>1\247\234-_\243\317XO\361\003 \031\363\246X\363(s\252\214Pf\331\307o\352\266\201/\360c\020\fo\331\004\064/b"..., index = 136, size_in_bits = 5878, size_in_bits_plus8 = 5886}
        ret = <optimized out>
#5  decode_nal_units (length=<optimized out>, buf=<optimized out>, s=0x7fff401ae8c0) at libavcodec/hevc/hevcdec.c:3779
        nal = <optimized out>
        i = 1
        ret = <optimized out>
        eos_at_start = <optimized out>
        flags = <optimized out>
#6  hevc_receive_frame (avctx=<optimized out>, frame=<optimized out>) at libavcodec/hevc/hevcdec.c:3881
        s = 0x7fff401ae8c0
        avci = <optimized out>
        avpkt = <optimized out>
---Type <return> to continue, or q <return> to quit---
        ret = <optimized out>
        sd = <optimized out>
        sd_size = 0
#7  0x0000000000f1263f in ff_decode_receive_frame_internal (avctx=avctx@entry=0x7fff402c6c00, frame=frame@entry=0x7fff880f2f40) at libavcodec/decode.c:625
        avci = 0x7fff402c6fc0
        ret = <optimized out>
#8  0x000000000117b47a in frame_worker_thread (arg=0x7fff4006ff00) at libavcodec/pthread_frame.c:291
        ret = 0
        p = 0x7fff4006ff00
        avctx = 0x7fff402c6c00
#9  0x00007ffff540755a in start_thread () from /lib64/libpthread.so.0
No symbol table info available.
#10 0x00007fffedd02e5f in clone () from /lib64/libc.so.6
No symbol table info available.
There was another patch moving some of those i local variables into the loop, but I am not sure if or how it may help here?
Will test more. (I wonder if disabling threaded decode will avoid this?)