[gstreamer-bugs] [Bug 384996] New: Tailored or broken Real Media mux file crashes RM demuxer

GStreamer (bugzilla.gnome.org) bugzilla-daemon at bugzilla.gnome.org
Tue Dec 12 00:58:36 PST 2006


Do not reply to this via email (we are currently unable to handle email
responses and they get discarded).  You can add comments to this bug at
http://bugzilla.gnome.org/show_bug.cgi?id=384996

  GStreamer | gst-plugins-ugly | Ver: HEAD CVS

           Summary: Tailored or broken Real Media mux file crashes RM
                    demuxer
           Product: GStreamer
           Version: HEAD CVS
          Platform: Other
        OS/Version: All
            Status: UNCONFIRMED
          Severity: critical
          Priority: Normal
         Component: gst-plugins-ugly
        AssignedTo: gstreamer-bugs at lists.sourceforge.net
        ReportedBy: roland.kay at ox.compsoc.net
         QAContact: gstreamer-bugs at lists.sourceforge.net
     GNOME version: 2.11/2.12
   GNOME milestone: Unspecified


Steps to reproduce:
1. Download the sample file (attached below)
2. Try to play in any app that uses GStreamer.
* bang *


Stack trace:
Don't pay too much attention to the stack trace; the cause is self-evident.

#0  0xffffe410 in __kernel_vsyscall ()
#1  0x40323541 in raise () from /lib/tls/libc.so.6
#2  0x40324dbb in abort () from /lib/tls/libc.so.6
#3  0x402a6120 in g_logv () from /opt/gnome/lib/libglib-2.0.so.0
#4  0x402a6165 in g_log () from /opt/gnome/lib/libglib-2.0.so.0
#5  0x402a3490 in g_malloc () from /opt/gnome/lib/libglib-2.0.so.0
#6  0x40037bf2 in gst_buffer_new_and_alloc (size=4294967295) at gstbuffer.c:289
#7  0x406a195b in gst_rmdemux_parse_mdpr (rmdemux=0x81000f8, data=0x8100590,
    length=154) at rmdemux.c:1391
#8  0x406a257e in gst_rmdemux_chain (pad=0x0, buffer=0x80bb5a0)
    at rmdemux.c:1036
#9  0x406a39d2 in gst_rmdemux_loop (pad=0x8100430) at rmdemux.c:827
#10 0x40068c7f in gst_task_func (task=0x8100900, tclass=0x81007f8)
    at gsttask.c:192
#11 0x402bca55 in g_thread_pool_free () from /opt/gnome/lib/libglib-2.0.so.0
#12 0x402bab61 in g_static_private_free () from /opt/gnome/lib/libglib-2.0.so.0
#13 0x400fe297 in start_thread () from /lib/tls/libpthread.so.0
#14 0x403ba37e in clone () from /lib/tls/libc.so.6
#15 0x408a7bb0 in ?? ()


Other information:
Please see bug #384989.

The crash happens because rmdemux blindly believes the length field in the mux
file. I've changed it from 0x00000008 to 0xffffffff. Thus, rmdemux.c tries to
allocate 4Gb of RAM for the data, which obviously fails:

rmdemux.c:1640:
         stream->extra_data_size = RMDEMUX_GUINT32_GET (data + offset + 74);
         stream->extra_data = (guint8 *) data + offset + 78;

rmdemux.c:1391:
      buffer = gst_buffer_new_and_alloc (stream->extra_data_size);
      memcpy (GST_BUFFER_DATA (buffer), stream->extra_data,
          stream->extra_data_size);

Note: The sample file contains a version 5 stream, so this should happen with
CVS HEAD (i.e. without the patch submitted to bug #384989).


-- 
Configure bugmail: http://bugzilla.gnome.org/userprefs.cgi?tab=email
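The defect described in the report is a length field read from the file and handed straight to the allocator and to memcpy. As an added example (not code from GStreamer or from the reporter), the function below shows the check a demuxer needs before using such a field: the declared extra_data_size must fit inside the bytes that are actually present in the chunk. The offsets 74 and 78 are taken from the rmdemux.c lines quoted above; the chunk layout used for the demo is constructed here and is only a stand-in for a real MDPR chunk.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Offsets taken from the quoted rmdemux.c lines: the 32-bit size field lives
 * at offset + 74 and the extra data itself starts at offset + 78. */
#define EXTRA_SIZE_OFF 74
#define EXTRA_DATA_OFF 78

/* Read a big-endian 32-bit value (the RM container stores fields big-endian). */
static uint32_t read_be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Copy the stream's extra data out of a chunk of `length` bytes.
 * Returns 0 and sets *out/*out_len on success, -1 if the chunk is
 * truncated or the declared size does not fit in the available bytes.
 * The caller owns *out and must free() it. */
int parse_extra_data(const uint8_t *data, size_t length, size_t offset,
                     uint8_t **out, size_t *out_len)
{
    /* The size field and the start of the extra data must lie inside the chunk. */
    if (offset > length || length - offset < EXTRA_DATA_OFF)
        return -1;

    uint32_t extra_size = read_be32(data + offset + EXTRA_SIZE_OFF);
    size_t available = length - offset - EXTRA_DATA_OFF;

    /* Never trust the file: a declared size larger than what follows it
     * (0xffffffff in the reporter's sample) is rejected rather than allocated. */
    if (extra_size > available)
        return -1;

    uint8_t *buf = malloc(extra_size ? extra_size : 1);
    if (buf == NULL)
        return -1;
    memcpy(buf, data + offset + EXTRA_DATA_OFF, extra_size);
    *out = buf;
    *out_len = extra_size;
    return 0;
}

/* Constructed test chunk: 78 bytes of header, then 8 bytes of payload,
 * with the size field at offset 74 set to `declared`. This layout is a
 * simplified stand-in for an MDPR chunk, not the real container format. */
#define DEMO_PAYLOAD 8
#define DEMO_CHUNK_LEN (EXTRA_DATA_OFF + DEMO_PAYLOAD)

static void make_chunk(uint8_t *chunk, uint32_t declared)
{
    memset(chunk, 0, DEMO_CHUNK_LEN);
    chunk[EXTRA_SIZE_OFF + 0] = (uint8_t)(declared >> 24);
    chunk[EXTRA_SIZE_OFF + 1] = (uint8_t)(declared >> 16);
    chunk[EXTRA_SIZE_OFF + 2] = (uint8_t)(declared >> 8);
    chunk[EXTRA_SIZE_OFF + 3] = (uint8_t)declared;
    for (int i = 0; i < DEMO_PAYLOAD; i++)
        chunk[EXTRA_DATA_OFF + i] = (uint8_t)(0xA0 + i);
}

/* Parse a constructed chunk whose size field reads `declared`;
 * returns the parser's result code (0 = accepted, -1 = rejected). */
int demo_case(uint32_t declared)
{
    uint8_t chunk[DEMO_CHUNK_LEN];
    uint8_t *out = NULL;
    size_t out_len = 0;

    make_chunk(chunk, declared);
    int rc = parse_extra_data(chunk, sizeof chunk, 0, &out, &out_len);
    free(out);
    return rc;
}

int main(void)
{
    printf("declared 8:          %s\n", demo_case(8) == 0 ? "accepted" : "rejected");
    printf("declared 0xffffffff: %s\n", demo_case(0xffffffffu) == 0 ? "accepted" : "rejected");
    return 0;
}
```

The key line is the comparison against `available` rather than against any fixed limit: it rejects the 0xffffffff case from the report and also any value that merely overruns the chunk by one byte, which would otherwise turn the memcpy into an out-of-bounds read.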