[gstreamer-bugs] [Bug 399340] New: Crash in the oggdemux plugin when trying to play a specially crafted OGG file

Mon Jan 22 03:21:54 PST 2007

Do not reply to this via email (we are currently unable to handle email
responses and they get discarded).  You can add comments to this bug at
http://bugzilla.gnome.org/show_bug.cgi?id=399340

  GStreamer | gst-plugins-base | Ver: 0.10.11

           Summary: Crash in the oggdemux plugin when trying to play a
                    specially crafted OGG file
           Product: GStreamer
           Version: 0.10.11
          Platform: Other
        OS/Version: Linux
            Status: UNCONFIRMED
          Severity: major
          Priority: Normal
         Component: gst-plugins-base
        AssignedTo: gstreamer-bugs at lists.sourceforge.net
        ReportedBy: lool+gnome at via.ecp.fr
         QAContact: gstreamer-bugs at lists.sourceforge.net
     GNOME version: Unspecified
   GNOME milestone: Unspecified

Hi,

Sam Hocevar reported three different issues with GStreamer 0.10 modules in
Debian bug http://bugs.debian.org/407004.  The bugs were discovered with the
help of a new media file fuzzer, "zzuf", which is available from
http://sam.zoy.org/zzuf/.

This particular bug is about the hang that happens when trying to play
http://sam.zoy.org/zzuf/lol-gstreamer.ogg.

This results in a segfault in gst_ogg_pad_submit_page():
Thread 2 (Thread -1215755344 (LWP 1034)):
#0  0xb7cac6dc in memcpy () from /lib/tls/i686/cmov/libc.so.6
No symbol table info available.
#1  0xb790f4cf in ogg_stream_pagein () from /usr/lib/libogg.so.0
No symbol table info available.
#2  0xb78d8398 in gst_ogg_pad_submit_page (pad=0x813e000, page=0xb7890264) at
gstoggdemux.c:1303
        npackets = 135520256
        result = <value optimized out>
        ogg = (GstOggDemux *) 0x8134018
        continued = 0
        __PRETTY_FUNCTION__ = "gst_ogg_pad_submit_page"
#3  0xb78d8ee2 in gst_ogg_demux_read_chain (ogg=0x8134018) at
gstoggdemux.c:2442
        pad = (GstOggPad *) 0x813e000
        known_serial = 0
        chain = (GstOggChain *) 0x80cd180
        offset = 16969
        op = {header = 0x8139538 "OggS", header_len = 28, 
  body = 0x8139554
"UIAED>ieclSYXPPSUUXXX_ZVX]YZTHGdmdUUKTUWjkVR\\OL\026E�׳���V�\016�\r����7�\035UqS���\203fc�aV\235B\035d�)]\223#E�#n�\214d\n\206�030��]h\023j�\002\230]�021'��016\036�001\036;Cߢ\233�\bs\227Ϲ\220\017<\034PZTQͱO,翽\235�\230�>��]D�S\\W\225/�\002�227&��e",
body_len = 30}
        done = 1
        i = 0
        __PRETTY_FUNCTION__ = "gst_ogg_demux_read_chain"
#4  0xb78d9d59 in gst_ogg_demux_loop (pad=0x810c400) at gstoggdemux.c:2689
        got_chains = <value optimized out>
        res = <value optimized out>
        ogg = (GstOggDemux *) 0x8134018
        ret = <value optimized out>
        event = <value optimized out>
        __PRETTY_FUNCTION__ = "gst_ogg_demux_loop"
#5  0xb7eba9cf in gst_task_func (task=0x811e158, tclass=0x8133d10) at
gsttask.c:192
        t = -1209292485
        lock = (GStaticRecMutex *) 0x8133bc0
        tself = (GThread *) 0x8133a20
        __PRETTY_FUNCTION__ = "gst_task_func"
#6  0xb7dd1087 in g_thread_pool_thread_proxy (data=0x8133da0) at
gthreadpool.c:265
        task = (gpointer) 0x811e158
        pool = (GRealThreadPool *) 0x8133da0
#7  0xb7dcf6cf in g_thread_create_proxy (data=0x8133a20) at gthread.c:591
        __PRETTY_FUNCTION__ = "g_thread_create_proxy"
#8  0xb7d78267 in start_thread () from /lib/tls/i686/cmov/libpthread.so.0
No symbol table info available.
#9  0xb7d0c50e in clone () from /lib/tls/i686/cmov/libc.so.6
No symbol table info available.

The other threads are not interesting.

This is with plugins-base 0.10.11, and GStreamer 0.10.11.

Bye,

-- 
Configure bugmail: http://bugzilla.gnome.org/userprefs.cgi?tab=email