[gstreamer-bugs] [Bug 582942] crash in libvorbis when parsing some ogg files

Fri May 22 09:52:50 PDT 2009

If you have any questions why you received this email, please see the text at
the end of this email. Replies to this email are NOT read, please see the text
at the end of this email. You can add comments to this bug at:
  http://bugzilla.gnome.org/show_bug.cgi?id=582942

  GStreamer | gst-plugins-base | Ver: 0.10.x




------- Comment #25 from Alex Bennee  2009-05-22 16:52 UTC -------
For what it's worth the exact bit of r14811 that trips up is:

--- a/lib/sharedbook.c
+++ b/lib/sharedbook.c
@@ -124,7 +124,14 @@ ogg_uint32_t *_make_words(long *l,long n,long
sparsecount){
     }else
       if(sparsecount==0)count++;
   }
-    
+  
+  /* sanity check the huffman tree; an underpopulated tree must be rejected.
*/
+  for(i=1;i<33;i++)
+    if(marker[i] & (0xffffffffUL>>(32-i))){
+      _ogg_free(r);
+      return(NULL);
+    }
+

If I comment it out then vorbis and gstreamer play the file fine. Looking at an
example table when "good" and "bad" it looks like a 1 bit error has crept in:

Breakpoint 1, _make_words (l=0x1ed6b30, n=64, sparsecount=36) at
sharedbook.c:138
138       fprintf(stderr,"markers are fine\n");
(gdb) x/33w marker
0x7fffc7cdcd40: 0x00000000      0x00000002      0x00000004      0x00000008
0x7fffc7cdcd50: 0x00000010      0x00000020      0x00000040      0x00000080
0x7fffc7cdcd60: 0x00000100      0x00000200      0x00000400      0x00000800
0x7fffc7cdcd70: 0x00001000      0x00002000      0x00004000      0x00008000
0x7fffc7cdcd80: 0x00010000      0x00020000      0x00040000      0x00080000
0x7fffc7cdcd90: 0x00100000      0x00200000      0x00400000      0x00800000
0x7fffc7cdcda0: 0x01000000      0x02000000      0x04000000      0x08000000
0x7fffc7cdcdb0: 0x10000000      0x20000000      0x40000000      0x80000000
0x7fffc7cdcdc0: 0x00000000

Compared with:

vorbis_book_init_decode: 0x1ee5fe0, 0x1ed7510
  n=1
    _make_words: 0x1ed7580, 128, 1

Breakpoint 2, _make_words (l=0x1ed7580, n=128, sparsecount=1) at
sharedbook.c:135
135           return(NULL);
(gdb) x/30w marker
0x7fffc7cdcd40: 0x00000000      0x00000001      0x00000002      0x00000004
0x7fffc7cdcd50: 0x00000008      0x00000010      0x00000020      0x00000040
0x7fffc7cdcd60: 0x00000080      0x00000100      0x00000200      0x00000400
0x7fffc7cdcd70: 0x00000800      0x00001000      0x00002000      0x00004000
0x7fffc7cdcd80: 0x00008000      0x00010000      0x00020000      0x00040000
0x7fffc7cdcd90: 0x00080000      0x00100000      0x00200000      0x00400000
0x7fffc7cdcda0: 0x00800000      0x01000000      0x02000000      0x04000000
0x7fffc7cdcdb0: 0x08000000      0x10000000

Of course I don't fully understand the code yet so I have no idea if this is
useful to the vorbis people.


-- 
See http://bugzilla.gnome.org/page.cgi?id=email.html for more info about why you received
this email, why you can't respond via email, how to stop receiving
emails (or reduce the number you receive), and how to contact someone
if you are having problems with the system.

You can add comments to this bug at http://bugzilla.gnome.org/show_bug.cgi?id=582942.


