[gstreamer-bugs] [Bug 573649] New: Buffer overflow in gst gstffmpegaudioresample
GStreamer (bugzilla.gnome.org)
bugzilla-daemon at bugzilla.gnome.org
Sun Mar 1 08:54:02 PST 2009
You can add comments to this bug at:
http://bugzilla.gnome.org/show_bug.cgi?id=573649
GStreamer | gst-ffmpeg | Ver: 0.10.21
Summary: Buffer overflow in gst gstffmpegaudioresample
Product: GStreamer
Version: 0.10.21
Platform: Other
OS/Version: Linux
Status: UNCONFIRMED
Severity: critical
Priority: Normal
Component: gst-ffmpeg
AssignedTo: gstreamer-bugs at lists.sourceforge.net
ReportedBy: bastiaan at bjacques.org
QAContact: gstreamer-bugs at lists.sourceforge.net
GNOME version: Unspecified
GNOME milestone: Unspecified
To reproduce, run:

  gst-launch neonhttpsrc location=http://www.cs.ucl.ac.uk/teaching/GZ05/samples/tone.wav ! wavparse ! audioconvert ! ffaudioresample ! audio/x-raw-int,rate=44100 ! autoaudiosink

If you run this pipeline using Valgrind, you'll see output like:
==6700== Invalid write of size 2
==6700==    at 0x6D4DEED: audio_resample (in /usr/lib/i686/cmov/libavcodec.so.51.50.0)
==6700==  Address 0x77ebb9e is 2 bytes after a block of size 12,700 alloc'd
==6700==    at 0x4025D2E: malloc (vg_replace_malloc.c:207)
==6700==    by 0x5126B67: g_try_malloc (gmem.c:199)
==6700==    by 0x4ED4DE4: gst_buffer_try_new_and_alloc (in /usr/lib/libgstreamer-0.10.so.0.18.0)
To narrow down the problem, apply this patch, and the assertion will hit when
you run the above pipeline:
--- gstffmpegaudioresample.c 2008-11-08 16:45:25.000000000 +0100
+++ ../../../gst-ffmpeg-0.10.6.orig/ext/ffmpeg/gstffmpegaudioresample.c
2009-03-01 17:02:02.000000000 +0100
@@ -281,6 +281,9 @@ gst_ffmpegaudioresample_transform (GstBa
GST_BUFFER_DURATION (outbuf) = gst_util_uint64_scale (ret, GST_SECOND,
resample->out_rate);
+
+ g_assert(ret * 2 * resample->out_channels <= GST_BUFFER_SIZE(outbuf));
+
GST_BUFFER_SIZE (outbuf) = ret * 2 * resample->out_channels;
GST_LOG_OBJECT (resample, "Output buffer duration:%" GST_TIME_FORMAT,
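Review bot: The g_assert placed just before the GST_BUFFER_SIZE (outbuf) assignment checks the size only after ret is already known, and the Valgrind trace above puts the invalid write inside audio_resample, so the heap block has been overrun by the time this line runs. As a diagnostic to narrow the bug down that works, but a fix has to enforce the bound before the resampler writes: allocate outbuf for the worst-case output sample count, or limit the input handed to the resampler so that ret * 2 * resample->out_channels cannot exceed the allocation. It also should not depend on g_assert, which is compiled out when G_DISABLE_ASSERT is defined; return an error from the transform instead. Separately, the +++ header names the .orig path while the --- header names the working file, so the target file may need to be given explicitly when applying this.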