[Bug 680558] rtpmparobustdepay: invalid memory access with mp3 rtsp stream

GStreamer (bugzilla.gnome.org) bugzilla at gnome.org
Sat Aug 4 05:45:01 PDT 2012


https://bugzilla.gnome.org/show_bug.cgi?id=680558
  GStreamer | gst-plugins-good | 0.11.x

--- Comment #5 from Tim-Philipp Müller <t.i.m at zen.co.uk> 2012-08-04 12:44:53 UTC ---
I've also seen GST_IS_BUFFER() criticals from gst_buffer_unmap() shortly before
it blows up, but wasn't able to get a stack trace for the critical so far.

I get stack traces from 

ca. line 750:  gst_rtp_buffer_unmap (&rtp);

and from gst_base_sink_set_last_buffer(), where it unrefs the previous buffer.

Looks like there's a buffer unref too much somewhere, or a missing ref.

============================

Tried to add poisoning to GstBuffer and GstMemory, but doesn't seem to help
much.

Another puzzle piece:

395:gst_rtp_mpa_robust_depay_dequeue_frame:<rtpmparobustdepay0> dequeueing ADU
frame
529:gst_rtp_mpa_robust_depay_push_mp3_frames:<rtpmparobustdepay0> setting up
new MP3 frame of size 418, side_info 32
544:gst_rtp_mpa_robust_depay_push_mp3_frames:<rtpmparobustdepay0> current mp3
frame remaining: 382
546:gst_rtp_mpa_robust_depay_push_mp3_frames:<rtpmparobustdepay0> accumulated
ADU frame data_size: 382
567:gst_rtp_mpa_robust_depay_push_mp3_frames:<rtpmparobustdepay0> current MP3
frame at position 36, starting new ADU frame data at offset 178
598:gst_rtp_mpa_robust_depay_push_mp3_frames:<rtpmparobustdepay0> adding to
current MP3 frame
599:gst_rtp_mpa_robust_depay_push_mp3_frames:<rtpmparobustdepay0> byte writer
set_pos 178
544:gst_rtp_mpa_robust_depay_push_mp3_frames:<rtpmparobustdepay0> current mp3
frame remaining: -110
546:gst_rtp_mpa_robust_depay_push_mp3_frames:<rtpmparobustdepay0> accumulated
ADU frame data_size: 382

ERROR:gstrtpmparobustdepay.c:551:gst_rtp_mpa_robust_depay_push_mp3_frames:
assertion failed: (map.size > rtpmpadepay->offset)

#10 0x00007ffff54284ab in gst_rtp_mpa_robust_depay_push_mp3_frames
(rtpmpadepay=0x7ad8f0) at gstrtpmparobustdepay.c:551
551          g_assert (map.size > rtpmpadepay->offset);

(gdb) print map
$2 = {memory = 0x7b7400, flags = GST_MAP_READ, data = 0x7b702c
"\377\373\222`x", size = 386, maxsize = 393, user_data = {0x7ad8f0, 0x7b7400,
0x1, 0x7b702c}}
(gdb) print rtpmpadepay->offset
$3 = -25694976

====================================================================

And another puzzle piece:

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7ffff3c4c700 (LWP 19643)]
0x00007ffff54285de in gst_rtp_mpa_robust_depay_push_mp3_frames
(rtpmpadepay=0x7ad880) at gstrtpmparobustdepay.c:565
565          tpos = rtpmpadepay->size - frame->backpointer + 4 +
head->side_info;
(gdb) bt
#0  0x00007ffff54285de in gst_rtp_mpa_robust_depay_push_mp3_frames
(rtpmpadepay=0x7ad880) at gstrtpmparobustdepay.c:565
#1  0x00007ffff5428af0 in gst_rtp_mpa_robust_depay_submit_adu
(rtpmpadepay=0x7ad880, buf=0x7fffec017550) at gstrtpmparobustdepay.c:639
#2  0x00007ffff5428f4b in gst_rtp_mpa_robust_depay_process (depayload=0x7ad880,
buf=0x7fffec017550) at gstrtpmparobustdepay.c:736
#3  0x00007ffff4b4da37 in gst_rtp_base_depayload_chain (pad=<optimized out>,
parent=<optimized out>, in=0x7fffec016660) at gstrtpbasedepayload.c:332
#4  0x00007ffff7b48a18 in gst_pad_chain_data_unchecked (data=0x7fffec016660,
type=<optimized out>, pad=0x7ae4e0) at gstpad.c:3587
#5  gst_pad_push_data (pad=0x7a0930, type=type@entry=4112, data=<optimized
out>, data@entry=0x7fffec016660) at gstpad.c:3800
#6  0x00007ffff7b4f1d6 in gst_pad_push (pad=<optimized out>,
buffer=buffer@entry=0x7fffec016660) at gstpad.c:3903
#7  0x00007ffff56922cf in gst_gdp_depay_chain (pad=<optimized out>,
parent=<optimized out>, buffer=<optimized out>) at gstgdpdepay.c:330
#8  0x00007ffff7b48a18 in gst_pad_chain_data_unchecked (data=0x7fffec016a60,
type=<optimized out>, pad=0x7a03a0) at gstpad.c:3587
#9  gst_pad_push_data (pad=pad@entry=0x79e660, type=type@entry=4112,
data=<optimized out>) at gstpad.c:3800
#10 0x00007ffff7b4f1d6 in gst_pad_push (pad=pad@entry=0x79e660,
buffer=<optimized out>) at gstpad.c:3903
#11 0x00007ffff58c0fe5 in gst_base_src_loop (pad=0x79e660) at gstbasesrc.c:2668
#12 0x00007ffff7b76701 in gst_task_func (task=0x7b52c0) at gsttask.c:316
#13 0x00007ffff72085f2 in g_thread_pool_thread_proxy (data=<optimized out>) at
/tmp/buildd/glib2.0-2.32.3/./glib/gthreadpool.c:309
#14 0x00007ffff7207df5 in g_thread_proxy (data=0x7b5520) at
/tmp/buildd/glib2.0-2.32.3/./glib/gthread.c:801
#15 0x00007ffff6b79b50 in start_thread (arg=<optimized out>) at
pthread_create.c:304
#16 0x00007ffff68c46dd in clone () at
../sysdeps/unix/sysv/linux/x86_64/clone.S:112
#17 0x0000000000000000 in ?? ()
(gdb) print *rtpmpadepay
$1 = {depayload = {parent = {object = {object = {g_type_instance = {g_class =
0x7ac760}, ref_count = 1, qdata = 0x0}, lock = {p = 0x7ace20, i = {8048160,
0}}, name = 0x7ad730 "rtpmparobustdepay0", parent = 0x7b26e0, flags = 0, 
        control_bindings = 0x0, control_rate = 100000000, last_sync =
18446744073709551615, _gst_reserved = 0x0}, state_lock = {p = 0x7a9510, i = {0,
0}}, state_cond = {p = 0x7ad360, i = {0, 0}}, state_cookie = 3, 
      target_state = GST_STATE_PLAYING, current_state = GST_STATE_PLAYING,
next_state = GST_STATE_VOID_PENDING, pending_state = GST_STATE_VOID_PENDING,
last_return = GST_STATE_CHANGE_SUCCESS, bus = 0x7b1b30, clock = 0x688680, 
      base_time = 113566505040051, start_time = 0, numpads = 2, pads =
0x7acf80, numsrcpads = 1, srcpads = 0x7ad000, numsinkpads = 1, sinkpads =
0x7acf60, pads_cookie = 2, _gst_reserved = {0x0, 0x0, 0x0, 0x0}}, sinkpad =
0x7ae4e0, 
    srcpad = 0x7ae890, clock_rate = 1000, segment = {flags =
GST_SEGMENT_FLAG_NONE, rate = 1, applied_rate = 1, format = GST_FORMAT_TIME,
base = 0, offset = 6446544, start = 0, stop = 18446744073709551615, time = 0,
position = 0, 
      duration = 18446744073709551615, _gst_reserved = {0x7ffff3c4ba98,
0x7ffff3c4ba98, 0x3b, 0x7ffff3c4ba98}}, need_newsegment = 0, priv = 0x7ae280,
_gst_reserved = {0x0, 0x0, 0x0, 0x0}}, adapter = 0x7ae2d0, has_descriptor = 0, 
  last_ii = -1, last_icc = -1, deinter = {0x0 <repeats 256 times>}, adu_frames
= 0x7ae870, cur_adu_frame = 0x7fffec001a70, offset = 0, size = 764, mp3_frame =
0x7fffec001990}
(gdb) print frame
$2 = (GstADUFrame *) 0x7fffec017280
(gdb) print *frame
$3 = {header = 4294677088, size = 418, side_info = 32, data_size = 382, layer =
3, backpointer = 272, buffer = 0x7fffec017550}
(gdb) print *head
Cannot access memory at address 0xa051174c5a9f90d6

=======================================================================

And (with fakesink enable-last-sample=false):

*** glibc detected ***
/home/tpm/gst/0.11/gstreamer/tools/.libs/lt-gst-launch-1.0: munmap_chunk():
invalid pointer: 0x000000000068ecd0 ***

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7ffff3c4c700 (LWP 19656)]
0x00007ffff6861dbd in malloc_consolidate (av=0x7ffff6b6ee60) at malloc.c:5169
5169    malloc.c: No such file or directory.
(gdb) bt
#0  0x00007ffff6861dbd in malloc_consolidate (av=0x7ffff6b6ee60) at
malloc.c:5169
#1  0x00007ffff68642a4 in _int_malloc (av=0x7ffff6b6ee60, bytes=1174) at
malloc.c:4373
#2  0x00007ffff6865f42 in __libc_calloc (n=<optimized out>,
elem_size=<optimized out>) at malloc.c:4065
#3  0x00007ffff7de7abf in ?? () from /lib64/ld-linux-x86-64.so.2
#4  0x00007ffff7de3126 in ?? () from /lib64/ld-linux-x86-64.so.2
#5  0x00007ffff7de495a in ?? () from /lib64/ld-linux-x86-64.so.2
#6  0x00007ffff7def10e in ?? () from /lib64/ld-linux-x86-64.so.2
#7  0x00007ffff7deabd6 in ?? () from /lib64/ld-linux-x86-64.so.2
#8  0x00007ffff7deeb4a in ?? () from /lib64/ld-linux-x86-64.so.2
#9  0x00007ffff68fad00 in do_dlopen (ptr=0x7ffff3c4aa40) at dl-libc.c:86
#10 0x00007ffff7deabd6 in ?? () from /lib64/ld-linux-x86-64.so.2
#11 0x00007ffff68fad9f in dlerror_run (operate=0x21, args=0x7ffff6b6ee60) at
dl-libc.c:47
#12 0x00007ffff68fae97 in *__GI___libc_dlopen_mode (name=<optimized out>,
mode=<optimized out>) at dl-libc.c:160
#13 0x00007ffff68d8fc5 in init () at ../sysdeps/x86_64/../ia64/backtrace.c:41
#14 0x00007ffff6b7f830 in pthread_once () at
../nptl/sysdeps/unix/sysv/linux/x86_64/pthread_once.S:104
#15 0x00007ffff68d90c4 in *__GI___backtrace (array=<optimized out>, size=64) at
../sysdeps/x86_64/../ia64/backtrace.c:85
#16 0x00007ffff685830f in __libc_message (do_abort=<optimized out>,
fmt=<optimized out>) at ../sysdeps/unix/sysv/linux/libc_fatal.c:168
#17 0x00007ffff6861b46 in malloc_printerr (action=3, str=0x7ffff6938670
"munmap_chunk(): invalid pointer", ptr=<optimized out>) at malloc.c:6283
#18 0x00007ffff7b43b4d in gst_memory_unref (memory=<optimized out>) at
../gst/gstmemory.h:296
#19 _gst_memory_free (mem=0x68ea00) at gstmemory.c:90
#20 0x00007ffff7b1d4e1 in gst_memory_unref (memory=<optimized out>) at
../gst/gstmemory.h:296
#21 _gst_buffer_free (buffer=0x68e070) at gstbuffer.c:531
#22 0x00007ffff5426ad0 in gst_buffer_unref (buf=0x68e070) at
/home/tpm/gst/0.11/gstreamer/gst/gstbuffer.h:351
#23 0x00007ffff5427af0 in gst_rtp_mpa_robust_depay_free_frame (frame=0x7b78f0)
at gstrtpmparobustdepay.c:386
#24 0x00007ffff5427bdd in gst_rtp_mpa_robust_depay_dequeue_frame
(rtpmpadepay=0x7ad870) at gstrtpmparobustdepay.c:402
#25 0x00007ffff5428a77 in gst_rtp_mpa_robust_depay_push_mp3_frames
(rtpmpadepay=0x7ad870) at gstrtpmparobustdepay.c:619
#26 0x00007ffff5428af0 in gst_rtp_mpa_robust_depay_submit_adu
(rtpmpadepay=0x7ad870, buf=0x7b31e0) at gstrtpmparobustdepay.c:639
#27 0x00007ffff5428f4b in gst_rtp_mpa_robust_depay_process (depayload=0x7ad870,
buf=0x7b31e0) at gstrtpmparobustdepay.c:736

Odd that you can't reproduce this.

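Added example, not part of the original comment or of the GStreamer source: why the assertion at gstrtpmparobustdepay.c:551 fails for the values gdb printed (map.size = 386, offset = -25694976), and a bounds check that rejects a negative offset or a negative remaining count before any unsigned arithmetic. It assumes `offset` is a signed int (gdb prints it as negative) and the map size is a `size_t`; all function names are hypothetical.

```c
#include <stddef.h>
#include <stdio.h>

/* Same shape as the assertion at gstrtpmparobustdepay.c:551, with the
 * implicit int -> size_t conversion written out. */
static int naive_offset_ok(size_t map_size, int offset)
{
    return map_size > (size_t) offset;
}

/* Hypothetical follow-on: unsigned subtraction with a negative offset wraps
 * to a large "available" length instead of failing. */
static size_t naive_avail(size_t map_size, int offset)
{
    return map_size - (size_t) offset;
}

/* Hardened variant: reject negative values before any unsigned arithmetic.
 * Returns 0 and stores the copy length in *len, or -1 if out of bounds. */
static int safe_copy_len(size_t map_size, int offset, int frame_remaining,
                         size_t *len)
{
    size_t avail;

    if (offset < 0 || frame_remaining < 0)
        return -1;
    if ((size_t) offset >= map_size)
        return -1;
    avail = map_size - (size_t) offset;
    *len = avail < (size_t) frame_remaining ? avail : (size_t) frame_remaining;
    return 0;
}

int main(void)
{
    size_t len = 0;

    /* Values from the gdb session above: map.size = 386, offset = -25694976 */
    printf("naive check passes: %d\n", naive_offset_ok(386, -25694976));
    printf("naive avail: %zu\n", naive_avail(386, -25694976));
    printf("safe, bad offset: %d\n", safe_copy_len(386, -25694976, 382, &len));
    /* "current mp3 frame remaining: -110" from the debug log */
    printf("safe, negative remaining: %d\n", safe_copy_len(386, 0, -110, &len));
    /* Constructed in-bounds case */
    if (safe_copy_len(386, 4, 382, &len) == 0)
        printf("safe, in bounds: %zu\n", len);
    return 0;
}
```

`g_assert()` is compiled out when the code is built with `G_DISABLE_ASSERT`, so an explicit check like `safe_copy_len()` is what remains in such builds.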