[Bug 733695] New: ximagesrc: Use after free

GStreamer (bugzilla.gnome.org) bugzilla at gnome.org
Thu Jul 24 12:04:35 PDT 2014


https://bugzilla.gnome.org/show_bug.cgi?id=733695
  GStreamer | gst-plugins-good | 1.4.0

           Summary: ximagesrc: Use after free
    Classification: Platform
           Product: GStreamer
           Version: 1.4.0
        OS/Version: Linux
            Status: UNCONFIRMED
          Severity: normal
          Priority: Normal
         Component: gst-plugins-good
        AssignedTo: gstreamer-bugs at lists.freedesktop.org
        ReportedBy: nicolas.dufresne at collabora.co.uk
         QAContact: gstreamer-bugs at lists.freedesktop.org
     GNOME version: ---


Just came across this use after free error. I've tracked this down to be that
ximagesrc does not have a return value to its GstBuffer dispose function. So
depending on your build, it may never free the buffer, or always free it and
eventually crash. Patch is coming soon.

==31556== Thread 8 ximagesrc0:src:
==31556== Invalid read of size 8
==31556==    at 0x4C4D2C5: gst_buffer_get_meta (gstbuffer.c:1950)
==31556==    by 0xC4D17E1: gst_ximage_src_ximage_get (gstximagesrc.c:461)
==31556==    by 0xC4D38E4: gst_ximage_src_create (gstximagesrc.c:862)
==31556==    by 0xC98D7CD: gst_push_src_create (gstpushsrc.c:130)
==31556==    by 0xC971B74: gst_base_src_get_range (gstbasesrc.c:2445)
==31556==    by 0xC972AEF: gst_base_src_loop (gstbasesrc.c:2721)
==31556==    by 0x4CC4A0D: gst_task_func (gsttask.c:317)
==31556==    by 0x4CC5AF5: default_func (gsttaskpool.c:68)
==31556==    by 0x541F98E: g_thread_pool_thread_proxy (gthreadpool.c:307)
==31556==    by 0x541F0FA: g_thread_proxy (gthread.c:764)
==31556==    by 0x3B46607F32: start_thread (pthread_create.c:309)
==31556==    by 0x3B45EF4DEC: clone (clone.S:111)
==31556==  Address 0x1996b178 is 264 bytes inside a block of size 272 free'd
==31556==    at 0x4A07577: free (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==31556==    by 0x5401C81: g_free (gmem.c:190)
==31556==    by 0x54164EA: g_slice_free1 (gslice.c:1112)
==31556==    by 0x4C4AB4B: _gst_buffer_free (gstbuffer.c:587)
==31556==    by 0x4C84DB6: gst_mini_object_unref (gstminiobject.c:465)
==31556==    by 0xC4D0159: gst_buffer_unref (gstbuffer.h:360)
==31556==    by 0xC4D32AD: gst_ximage_src_ximage_get (gstximagesrc.c:769)
==31556==    by 0xC4D38E4: gst_ximage_src_create (gstximagesrc.c:862)
==31556==    by 0xC98D7CD: gst_push_src_create (gstpushsrc.c:130)
==31556==    by 0xC971B74: gst_base_src_get_range (gstbasesrc.c:2445)
==31556==    by 0xC972AEF: gst_base_src_loop (gstbasesrc.c:2721)
==31556==    by 0x4CC4A0D: gst_task_func (gsttask.c:317)

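The failure mode in the report, as an added example that is not GStreamer or ximagesrc code: a simplified model of a refcounted object whose dispose hook tells the unref path whether to free. All names (Obj, obj_unref, dispose_recycle, pool_slot) are hypothetical, and the one-slot pool is an assumption made to keep the model small.

```c
#include <stdbool.h>
#include <stdlib.h>
/* Toy model of a refcounted object with a dispose hook; all names are
 * hypothetical and this is not GStreamer code. */
typedef struct Obj Obj;
/* Contract: return true to let unref free the object, false if the hook
 * took a new reference (revived it) and the object must stay alive. */
typedef bool (*DisposeFn)(Obj *);
struct Obj { int refcount; DisposeFn dispose; };

static Obj *pool_slot;  /* one-slot recycle pool */
static int frees;       /* number of real frees, for the demo */

static Obj *obj_new(DisposeFn fn) {
    Obj *o = calloc(1, sizeof *o);
    if (o == NULL) abort();
    o->refcount = 1; o->dispose = fn;
    return o;
}

static void obj_unref(Obj *o) {
    if (--o->refcount > 0) return;
    /* The free decision rests entirely on the hook's return value. A hook
     * that falls off the end without `return` is undefined behaviour here:
     * "free" after a revive leaves a dangling pool pointer, "keep" without
     * a revive leaks. -Werror=return-type rejects such a hook. */
    if (o->dispose != NULL && !o->dispose(o)) return;
    frees++;
    free(o);
}

/* Every path returns explicitly, matching what the hook did to the object. */
static bool dispose_recycle(Obj *o) {
    if (pool_slot != NULL) return true;  /* pool full: let unref free it */
    o->refcount = 1;                     /* revive: pool owns the reference */
    pool_slot = o;
    return false;
}

/* Returns the free count after each of three steps, packed as digits. */
static int demo(void) {
    pool_slot = NULL; frees = 0;
    Obj *a = obj_new(dispose_recycle), *b = obj_new(dispose_recycle);
    obj_unref(a); int s1 = frees;        /* a recycled into pool: 0 frees */
    obj_unref(b); int s2 = frees;        /* pool full, b freed: 1 free */
    a->dispose = NULL; pool_slot = NULL;
    obj_unref(a);                        /* pool teardown: 2 frees */
    return s1 * 100 + s2 * 10 + frees;
}
int main(void) { return demo() == 12 ? 0 : 1; }
```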