[gstreamer-bugs] [Bug 573649] New: Buffer overflow in gst gstffmpegaudioresample

GStreamer (bugzilla.gnome.org) bugzilla-daemon at bugzilla.gnome.org
Sun Mar 1 08:54:02 PST 2009


You can add comments to this bug at:
  http://bugzilla.gnome.org/show_bug.cgi?id=573649

  GStreamer | gst-ffmpeg | Ver: 0.10.21
           Summary: Buffer overflow in gst gstffmpegaudioresample
           Product: GStreamer
           Version: 0.10.21
          Platform: Other
        OS/Version: Linux
            Status: UNCONFIRMED
          Severity: critical
          Priority: Normal
         Component: gst-ffmpeg
        AssignedTo: gstreamer-bugs at lists.sourceforge.net
        ReportedBy: bastiaan at bjacques.org
         QAContact: gstreamer-bugs at lists.sourceforge.net
     GNOME version: Unspecified
   GNOME milestone: Unspecified


To reproduce, run:

  gst-launch neonhttpsrc location=http://www.cs.ucl.ac.uk/teaching/GZ05/samples/tone.wav ! wavparse ! audioconvert ! ffaudioresample ! audio/x-raw-int,rate=44100 ! autoaudiosink

If you run this pipeline using Valgrind, you'll see output like:

==6700== Invalid write of size 2
==6700==    at 0x6D4DEED: audio_resample (in /usr/lib/i686/cmov/libavcodec.so.51.50.0)
==6700==  Address 0x77ebb9e is 2 bytes after a block of size 12,700 alloc'd
==6700==    at 0x4025D2E: malloc (vg_replace_malloc.c:207)
==6700==    by 0x5126B67: g_try_malloc (gmem.c:199)
==6700==    by 0x4ED4DE4: gst_buffer_try_new_and_alloc (in /usr/lib/libgstreamer-0.10.so.0.18.0)

To narrow down the problem, apply this patch, and the assertion will hit when
you run the above pipeline:

--- gstffmpegaudioresample.c    2008-11-08 16:45:25.000000000 +0100
+++ ../../../gst-ffmpeg-0.10.6.orig/ext/ffmpeg/gstffmpegaudioresample.c
2009-03-01 17:02:02.000000000 +0100
@@ -281,6 +281,9 @@ gst_ffmpegaudioresample_transform (GstBa

   GST_BUFFER_DURATION (outbuf) = gst_util_uint64_scale (ret, GST_SECOND,
       resample->out_rate);
+
+  g_assert(ret * 2 * resample->out_channels <= GST_BUFFER_SIZE(outbuf));
+
   GST_BUFFER_SIZE (outbuf) = ret * 2 * resample->out_channels;

   GST_LOG_OBJECT (resample, "Output buffer duration:%" GST_TIME_FORMAT,
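
Review bot: the g_assert in gst_ffmpegaudioresample_transform is placed after `ret` has already been produced (it is used in the GST_BUFFER_DURATION line just above), so it can only report that more samples came back than outbuf holds; the invalid write Valgrind attributes to audio_resample has already happened by that point. That is fine for narrowing the problem down, but g_assert aborts the process and is compiled out when G_DISABLE_ASSERT is defined, so it should not be carried into the fix. The fix needs to bound the output before the resample call, either by sizing outbuf for the worst-case sample count or by limiting the input consumed. Style: the surrounding code puts a space before the opening parenthesis, so this would read `g_assert (ret * 2 * resample->out_channels <= GST_BUFFER_SIZE (outbuf));`. The ---/+++ file labels also look swapped (the .orig path is on the + side), so the diff is worth regenerating before it is attached to the bug.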

