[gstreamer-bugs] [Bug 556010] New: AVI muxer segfault

GStreamer (bugzilla.gnome.org) bugzilla-daemon at bugzilla.gnome.org
Sun Oct 12 05:08:38 PDT 2008


You can add comments to this bug at:
  http://bugzilla.gnome.org/show_bug.cgi?id=556010

  GStreamer | gst-plugins-good | Ver: HEAD CVS
           Summary: AVI muxer segfault
           Product: GStreamer
           Version: HEAD CVS
          Platform: Other
        OS/Version: Linux
            Status: UNCONFIRMED
          Severity: blocker
          Priority: Normal
         Component: gst-plugins-good
        AssignedTo: gstreamer-bugs at lists.sourceforge.net
        ReportedBy: n770galaxy at gmail.com
         QAContact: gstreamer-bugs at lists.sourceforge.net
                CC: n770galaxy at gmail.com
     GNOME version: Unspecified
   GNOME milestone: Unspecified


Running the following pipeline:

gst-launch-0.10 filesrc location=chickenpayback.mpeg ! flupsdemux ! mpegvideoparse ! avimux ! fakesink


(gst-launch-0.10:11072): GStreamer-CRITICAL **: gst_buffer_create_sub: assertion `buffer->size >= offset + size' failed
*** glibc detected *** gst-launch-0.10: free(): invalid next size (normal): 0x09f29c00 ***

(gdb) bt
#0  0xb80b6430 in __kernel_vsyscall ()
#1  0xb7c34880 in raise () from /lib/tls/i686/cmov/libc.so.6
#2  0xb7c36248 in abort () from /lib/tls/i686/cmov/libc.so.6
#3  0xb7c7210d in ?? () from /lib/tls/i686/cmov/libc.so.6
#4  0xb7c7b116 in ?? () from /lib/tls/i686/cmov/libc.so.6
#5  0xb7c7c865 in malloc () from /lib/tls/i686/cmov/libc.so.6
#6  0xb7d03068 in __vasprintf_chk () from /lib/tls/i686/cmov/libc.so.6
#7  0xb7dfe2ef in g_vasprintf () from /usr/lib/libglib-2.0.so.0
#8  0xb7dea126 in g_strdup_vprintf () from /usr/lib/libglib-2.0.so.0
#9  0xb7dd1596 in g_logv () from /usr/lib/libglib-2.0.so.0
#10 0xb7dd1966 in g_log () from /usr/lib/libglib-2.0.so.0
#11 0xb7dd1bcb in g_return_if_fail_warning () from /usr/lib/libglib-2.0.so.0
#12 0xb800f5f2 in gst_buffer_create_sub (buffer=0x9dd5370, offset=0, size=1126) at gstbuffer.c:576
#13 0xb799201c in gst_avi_mux_riff_get_avi_header (avimux=0x9dd0008) at gstavimux.c:1261
#14 0xb7992f9f in gst_avi_mux_start_file (avimux=0x9dd0008) at gstavimux.c:1560
#15 0xb7993ee9 in gst_avi_mux_collect_pads (pads=0x9d18180, avimux=0x9dd0008) at gstavimux.c:1852
#16 0xb79ef887 in gst_collect_pads_check_collected (pads=0x9d18180) at gstcollectpads.c:1038
#17 0xb79f0460 in gst_collect_pads_chain (pad=0x9db7490, buffer=0x9dd12c0) at gstcollectpads.c:1247
#18 0xb8036929 in gst_pad_chain_unchecked (pad=0x9db7490, buffer=0x9dd12c0) at gstpad.c:3890
#19 0xb8037b6a in gst_pad_push (pad=0x9db7250, buffer=0x9dd12c0) at gstpad.c:4057
#20 0xb7fce929 in mpegvideoparse_drain_avail (mpegvideoparse=0x9dbd018) at mpegvideoparse.c:418
#21 0xb7fcf1fe in gst_mpegvideoparse_chain (pad=0x9db7190, buf=0x9dd1268) at mpegvideoparse.c:475
#22 0xb8036929 in gst_pad_chain_unchecked (pad=0x9db7190, buffer=0x9dd1268) at gstpad.c:3890
#23 0xb8037b6a in gst_pad_push (pad=0x9db7610, buffer=0x9dd1268) at gstpad.c:4057
#24 0xb79b6c0e in gst_flups_demux_data_cb (filter=0x9dbafb0, first=1, buffer=0x9dd52d0, demux=0x9dbaf18) at gstmpegdemux.c:486
#25 0xb79b8631 in gst_pes_filter_data_push (filter=0x9dbafb0, first=1, buffer=0x9dd52d0) at gstpesfilter.c:493
#26 0xb79b9099 in gst_pes_filter_parse (filter=0x9dbafb0) at gstpesfilter.c:415
#27 0xb79b3a43 in gst_flups_demux_chain (pad=0x9db70d0, buffer=0x9dd5280) at gstmpegdemux.c:1742
#28 0xb8036929 in gst_pad_chain_unchecked (pad=0x9db70d0, buffer=0x9dd5280) at gstpad.c:3890
#29 0xb8037b6a in gst_pad_push (pad=0x9db7010, buffer=0x9dd5280) at gstpad.c:4057
#30 0xb79e1531 in gst_base_src_loop (pad=0x9db7010) at gstbasesrc.c:2187
#31 0xb8056f13 in gst_task_func (task=0x9dd1820, tclass=0x9cc9108) at gsttask.c:192
#32 0xb7df36f6 in ?? () from /usr/lib/libglib-2.0.so.0
#33 0xb7df205f in ?? () from /usr/lib/libglib-2.0.so.0
#34 0xb7d6d50f in start_thread () from /lib/tls/i686/cmov/libpthread.so.0
#35 0xb7cea7ee in clone () from /lib/tls/i686/cmov/libc.so.6

(gdb) frame 13
#13 0xb799201c in gst_avi_mux_riff_get_avi_header (avimux=0x9dd0008) at gstavimux.c:1261
1261        GstBuffer *subbuffer = gst_buffer_create_sub (buffer, 0, highmark);
(gdb) p *buffer
$1 = {mini_object = {instance = {g_class = 0x9cc6e08}, refcount = 1, flags = 0, _gst_reserved = 0x0}, data = 0x9dda800 "RIFF^\004", size = 1100, timestamp = 18446744073709551615, duration = 18446744073709551615, caps = 0x0, offset = 18446744073709551615, offset_end = 18446744073709551615, malloc_data = 0x9dda800 "RIFF^\004", free_func = 0xb7dcfbf0 <g_free>, _gst_reserved = {0x0, 0x0, 0x0}}
(gdb) p highmark
$2 = 1126

It seems that highmark is bigger than the allocated GstBuffer, so some data has
been memcopied outside the data allocated for the GstBuffer and some corruption
is produced.


-- 
See http://bugzilla.gnome.org/page.cgi?id=email.html for more info about why you received
this email, why you can't respond via email, how to stop receiving
emails (or reduce the number you receive), and how to contact someone
if you are having problems with the system.

You can add comments to this bug at http://bugzilla.gnome.org/show_bug.cgi?id=556010.




More information about the Gstreamer-bugs mailing list
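Added example, not part of the report and not code from gstavimux.c: a bounded header writer in C that checks every write against the allocation, so a size mismatch like the one in the report (1100 bytes allocated, high-water mark 1126) surfaces as an error return instead of heap corruption. The `hdr_writer` type, the function names and the chunk layout are hypothetical and constructed for illustration.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical bounded writer; none of these names come from gstavimux.c. */
typedef struct {
    uint8_t *data;
    size_t cap;       /* bytes allocated (buffer->size in the report) */
    size_t highmark;  /* bytes written so far */
    int overflow;     /* sticky flag: a write would have passed cap */
} hdr_writer;

static void hw_put(hdr_writer *w, const void *src, size_t n) {
    if (w->overflow || n > w->cap - w->highmark) {
        w->overflow = 1;  /* refuse the write; memory past cap is untouched */
        return;
    }
    memcpy(w->data + w->highmark, src, n);
    w->highmark += n;
}

/* RIFF chunk: fourcc, 32-bit little-endian length, payload, pad to even. */
static void hw_put_chunk(hdr_writer *w, const char *cc, const void *p, uint32_t len) {
    uint8_t le[4] = { len & 255, len >> 8 & 255, len >> 16 & 255, len >> 24 };
    uint8_t pad = 0;
    hw_put(w, cc, 4);
    hw_put(w, le, 4);
    hw_put(w, p, len);
    if (len & 1) hw_put(w, &pad, 1);
}

/* Constructed layout: 1100 fixed bytes plus extra_len variable bytes.
 * Returns the bytes written, or -1 if cap was too small. */
long build_header(size_t cap, uint32_t extra_len) {
    static const uint8_t zeros[2048] = {0};
    hdr_writer w = { malloc(cap), cap, 0, 0 };
    long written;
    if (!w.data || extra_len > sizeof zeros) { free(w.data); return -1; }
    hw_put(&w, "RIFF", 4);
    hw_put(&w, zeros, 4);                  /* RIFF size, patched later */
    hw_put(&w, "AVI ", 4);
    hw_put_chunk(&w, "JUNK", zeros, 1072); /* stands in for the fixed part */
    hw_put_chunk(&w, "strd", zeros, extra_len);
    written = w.overflow ? -1 : (long)w.highmark;
    free(w.data);
    return written;
}

/* Exit status 0 when the undersized allocation is rejected. */
int main(void) { return build_header(1100, 26) == -1 ? 0 : 1; }
```

The sticky `overflow` flag lets the caller check once after the whole header is built, before any sub-buffer of `highmark` bytes is created.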