[gstreamer-bugs] [Bug 461253] New: Crash when gst_base_transform_prepare_output_buffer is sent negative size.

GStreamer (bugzilla.gnome.org) bugzilla-daemon at bugzilla.gnome.org
Sat Jul 28 08:53:55 PDT 2007


If you have any questions why you received this email, please see the text at
the end of this email. Replies to this email are NOT read, please see the text
at the end of this email. You can add comments to this bug at:
  http://bugzilla.gnome.org/show_bug.cgi?id=461253

  GStreamer | gstreamer (core) | Ver: HEAD CVS
           Summary: Crash when gst_base_transform_prepare_output_buffer is
                    sent negative size.
           Product: GStreamer
           Version: HEAD CVS
          Platform: Other
        OS/Version: All
            Status: UNCONFIRMED
          Severity: critical
          Priority: Normal
         Component: gstreamer (core)
        AssignedTo: gstreamer-bugs at lists.sourceforge.net
        ReportedBy: laszlok2 at gmail.com
         QAContact: gstreamer-bugs at lists.sourceforge.net
     GNOME version: 2.17/2.18
   GNOME milestone: Unspecified


Steps to reproduce:
Short version:
1. Call gst_base_transform_prepare_output_buffer() with a negative size value
which, when converted to an unsigned int, becomes a very large value.
2. Notice that gst_pad_alloc_buffer_full() takes in size as a gint, whereas
gst_buffer_new_and_alloc() takes in size as a guint.
3. Watch g_malloc() fail as you cannot allocate such a large block of memory.

Long version (how I invoked the crash):
1. Run Jokosher and import an MP3 file.
2. Note that new in gstreamer CVS is the ability for mp3parse to do accurate
seeks. Jokosher uses gnonlin, which does accurate seeking.
3. Play the audio and quickly seek from one place to another. I find it is
easiest to reproduce when seeking backwards in short intervals such as seek to
10s, then 9s, then 8s as fast as you can click.
4. Everything crashes.


Stack trace:
GLib-ERROR **: gmem.c:135: failed to allocate 4294783552 bytes
aborting...

Program received signal SIGABRT, Aborted.
[Switching to Thread -1277437040 (LWP 23557)]
0xffffe410 in __kernel_vsyscall ()
(gdb) bt
#0  0xffffe410 in __kernel_vsyscall ()
#1  0xb7d8adf0 in raise () from /lib/tls/i686/cmov/libc.so.6
#2  0xb7d8c641 in abort () from /lib/tls/i686/cmov/libc.so.6
#3  0xb7b7b70a in g_logv () from /usr/lib/libglib-2.0.so.0
#4  0xb7b7b749 in g_log () from /usr/lib/libglib-2.0.so.0
#5  0xb7b7a309 in g_malloc () from /usr/lib/libglib-2.0.so.0
#6  0xb6b5ef1c in gst_buffer_new_and_alloc (size=4294783552) at gstbuffer.c:327
#7  0xb6b815fd in gst_pad_alloc_buffer_full (pad=0x89b9040, offset=260806,
size=-183744, caps=0x8b0cd00, buf=0xb3dbc6d8, setcaps=0) at gstpad.c:2682
#8  0xb6bee01a in gst_base_transform_prepare_output_buffer (trans=0x8952ea8,
in_buf=0x8a525e0, out_size=-183744, out_caps=0x8b0cd00, out_buf=0xb3dbc6d8)
    at gstbasetransform.c:953
#9  0xb6bee2fb in gst_base_transform_handle_buffer (trans=0x8952ea8,
inbuf=0x8a525e0, outbuf=0xb3dbc6d8) at gstbasetransform.c:1460
#10 0xb6bef682 in gst_base_transform_chain (pad=0x89b26d8, buffer=0x8a525e0) at
gstbasetransform.c:1585
#11 0xb6b81e69 in gst_pad_chain_unchecked (pad=0x89b26d8, buffer=0x8a525e0) at
gstpad.c:3453
#12 0xb6b8254b in gst_pad_push (pad=0x89aa190, buffer=0x8a525e0) at
gstpad.c:3621
#13 0xb6b735aa in gst_proxy_pad_do_chain (pad=0x899d2a0, buffer=0x8a525e0) at
gstghostpad.c:191
#14 0xb6b81e69 in gst_pad_chain_unchecked (pad=0x899d2a0, buffer=0x8a525e0) at
gstpad.c:3453
#15 0xb6b8254b in gst_pad_push (pad=0x89aa3e8, buffer=0x8a525e0) at
gstpad.c:3621
#16 0xb6b735aa in gst_proxy_pad_do_chain (pad=0x899d540, buffer=0x8a525e0) at
gstghostpad.c:191
#17 0xb6b81e69 in gst_pad_chain_unchecked (pad=0x899d540, buffer=0x8a525e0) at
gstpad.c:3453
#18 0xb6b8254b in gst_pad_push (pad=0x89b52a0, buffer=0x8a525e0) at
gstpad.c:3621
#19 0xb6b735aa in gst_proxy_pad_do_chain (pad=0x89b7328, buffer=0x8a525e0) at
gstghostpad.c:191
#20 0xb6b81e69 in gst_pad_chain_unchecked (pad=0x89b7328, buffer=0x8a525e0) at
gstpad.c:3453
#21 0xb6b8254b in gst_pad_push (pad=0x89b50e0, buffer=0x8a525e0) at
gstpad.c:3621
#22 0xb6b735aa in gst_proxy_pad_do_chain (pad=0x89aa708, buffer=0x8a525e0) at
gstghostpad.c:191
#23 0xb6b81e69 in gst_pad_chain_unchecked (pad=0x89aa708, buffer=0x8a525e0) at
gstpad.c:3453
#24 0xb6b8254b in gst_pad_push (pad=0x89cabd8, buffer=0x8a525e0) at
gstpad.c:3621
#25 0xb3dfbe55 in gst_mad_chain (pad=0x89cab18, buffer=0x8be8068) at
gstmad.c:1617
#26 0xb6b81e69 in gst_pad_chain_unchecked (pad=0x89cab18, buffer=0x8be8068) at
gstpad.c:3453
#27 0xb6b8254b in gst_pad_push (pad=0x89caa58, buffer=0x8be8068) at
gstpad.c:3621
#28 0xb3e081b4 in gst_mp3parse_emit_frame (mp3parse=0x8ba6060, size=418) at
gstmpegaudioparse.c:612
#29 0xb3e09640 in gst_mp3parse_chain (pad=0x89ca998, buf=0x8bdeed8) at
gstmpegaudioparse.c:972
#30 0xb6b81e69 in gst_pad_chain_unchecked (pad=0x89ca998, buffer=0x8bdeed8) at
gstpad.c:3453
#31 0xb6b8254b in gst_pad_push (pad=0x89b94c0, buffer=0x8bdeed8) at
gstpad.c:3621
#32 0xb4237002 in gst_type_find_element_chain (pad=0x89b9400, buffer=0x8bdeed8)
at gsttypefindelement.c:568
#33 0xb6b81e69 in gst_pad_chain_unchecked (pad=0x89b9400, buffer=0x8bdeed8) at
gstpad.c:3453
#34 0xb6b8254b in gst_pad_push (pad=0x89aa578, buffer=0x8bdeed8) at
gstpad.c:3621
#35 0xb6b735aa in gst_proxy_pad_do_chain (pad=0x899d700, buffer=0x8bdeed8) at
gstghostpad.c:191
#36 0xb6b81e69 in gst_pad_chain_unchecked (pad=0x899d700, buffer=0x8bdeed8) at
gstpad.c:3453
#37 0xb6b8254b in gst_pad_push (pad=0x89b9340, buffer=0x8bdeed8) at
gstpad.c:3621
#38 0xb6bea962 in gst_base_src_loop (pad=0x89b9340) at gstbasesrc.c:1775
#39 0xb6b9c306 in gst_task_func (task=0x8a52390, tclass=0x8bb1e30) at
gsttask.c:192
#40 0xb7b924d8 in ?? () from /usr/lib/libglib-2.0.so.0
#41 0x08a52390 in ?? ()
#42 0x08bb1e30 in ?? ()
#43 0x00000001 in ?? ()
#44 0x00000001 in ?? ()
#45 0xb7bd9d94 in ?? () from /usr/lib/libglib-2.0.so.0
#46 0x00000001 in ?? ()
#47 0x00000000 in ?? ()
(gdb)

Other information:
It seems from the backtrace that this is a bug in the new accurate seeking
implementation in mp3parse, but nonetheless there should be a check for
negative values in gst_base_transform_prepare_output_buffer() or
gst_pad_alloc_buffer_full().


-- 
See http://bugzilla.gnome.org/page.cgi?id=email.html for more info about why you received
this email, why you can't respond via email, how to stop receiving
emails (or reduce the number you receive), and how to contact someone
if you are having problems with the system.

You can add comments to this bug at http://bugzilla.gnome.org/show_bug.cgi?id=461253.
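An added example, not code from the report or from GStreamer, that models the sign conversion in the backtrace (a gint of -183744 passed into a guint parameter reads as 4294783552 on 32-bit GLib types) and the negative-size check the reporter suggests. The gint/guint typedefs, the function names and the `checked_alloc_buffer` wrapper are assumptions for illustration only.

```c
/* Added example, not GStreamer code: models the gint -> guint sign
 * conversion from the report and a negative-size guard in the caller.
 * Assumption: gint/guint are 32-bit, as GLib defines them. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

typedef int32_t  gint;    /* assumption: mirrors GLib's 32-bit gint  */
typedef uint32_t guint;   /* assumption: mirrors GLib's 32-bit guint */

/* Stand-in for the implicit conversion at the gst_buffer_new_and_alloc()
 * call site: returns the size g_malloc() would be asked for. */
guint buffer_size_as_seen_by_alloc(gint size)
{
    return (guint) size;   /* -183744 becomes 4294783552 (2^32 - 183744) */
}

/* Hypothetical hardened caller: reject negative sizes before they reach
 * the unsigned allocator. Returns 0 on success, -1 if the size was
 * refused or the allocation failed; *out receives the buffer (caller frees). */
int checked_alloc_buffer(gint size, void **out)
{
    *out = NULL;
    if (size < 0) {
        fprintf(stderr, "refusing negative buffer size %d\n", size);
        return -1;         /* report an error instead of aborting in g_malloc() */
    }
    *out = malloc((size_t) size);  /* size is non-negative here */
    return *out ? 0 : -1;
}

int main(void)
{
    gint bad = -183744;   /* out_size from frame #8 of the reported backtrace */
    void *buf;

    printf("%d reinterpreted as guint: %u\n", bad, buffer_size_as_seen_by_alloc(bad));
    if (checked_alloc_buffer(bad, &buf) != 0)
        puts("negative size rejected by the caller");
    if (checked_alloc_buffer(418, &buf) == 0) {  /* frame size from frame #28 */
        puts("418-byte allocation succeeded");
        free(buf);
    }
    return 0;
}
```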