[gstreamer-bugs] [Bug 640028] New: [qtdemux] crash on malformed mov stream

GStreamer (bugzilla.gnome.org) bugzilla at gnome.org
Wed Jan 19 20:28:54 PST 2011


https://bugzilla.gnome.org/show_bug.cgi?id=640028
  GStreamer | gst-plugins-good | 0.10.24

           Summary: [qtdemux] crash on malformed mov stream
    Classification: Desktop
           Product: GStreamer
           Version: 0.10.24
        OS/Version: Linux
            Status: UNCONFIRMED
          Severity: normal
          Priority: Normal
         Component: gst-plugins-good
        AssignedTo: gstreamer-bugs at lists.sourceforge.net
        ReportedBy: alex.converse at gmail.com
         QAContact: gstreamer-bugs at lists.sourceforge.net
      GNOME target: ---
     GNOME version: ---


qtdemux seems to crash on certain malformed mov movies. This particular sort of
deformity may be more prevalent in the wild because such files are created by
recent versions of ffmpeg attempting to mux adpcm_ms.

Logs:

$ gdb --args gst-launch-0.10 filesrc location=ff_adpcm_ms.mov ! decodebin
GNU gdb (GDB) 7.0.1-debian
Copyright (C) 2009 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /usr/bin/gst-launch-0.10...(no debugging symbols
found)...done.
(gdb) r
Starting program: /usr/bin/gst-launch-0.10 filesrc location=ff_adpcm_ms.mov \!
decodebin
[Thread debugging using libthread_db enabled]
Setting pipeline to PAUSED ...
[New Thread 0x7ffff37d8710 (LWP 14984)]
Pipeline is PREROLLING ...

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7ffff37d8710 (LWP 14984)]
qtdemux_parse_trak (qtdemux=0x826060, trak=<value optimized out>) at
qtdemux.c:5882
5882    qtdemux.c: No such file or directory.
    in qtdemux.c
(gdb) bt
#0  qtdemux_parse_trak (qtdemux=0x826060, trak=<value optimized out>) at
qtdemux.c:5882
#1  0x00007ffff4264c7b in qtdemux_parse_tree (qtdemux=0x826060) at
qtdemux.c:7237
#2  0x00007ffff426a998 in gst_qtdemux_loop_state_header (pad=<value optimized
out>) at qtdemux.c:1867
#3  gst_qtdemux_loop (pad=<value optimized out>) at qtdemux.c:2877
#4  0x00007ffff7b86abb in ?? () from /usr/lib/libgstreamer-0.10.so.0
#5  0x00007ffff74415cf in ?? () from /lib/libglib-2.0.so.0
#6  0x00007ffff743f784 in ?? () from /lib/libglib-2.0.so.0
#7  0x00007ffff71c28ba in start_thread (arg=<value optimized out>) at
pthread_create.c:300
#8  0x00007ffff6f2a02d in clone () at
../sysdeps/unix/sysv/linux/x86_64/clone.S:112
#9  0x0000000000000000 in ?? ()
(gdb) quit
A debugging session is active.

    Inferior 1 [process 14981] will be killed.

Quit anyway? (y or n) y

$ valgrind gst-launch-0.10 filesrc location=ff_adpcm_ms.mov ! decodebin
==14986== Memcheck, a memory error detector
==14986== Copyright (C) 2002-2010, and GNU GPL'd, by Julian Seward et al.
==14986== Using Valgrind-3.6.0.SVN-Debian and LibVEX; rerun with -h for
copyright info
==14986== Command: gst-launch-0.10 filesrc location=ff_adpcm_ms.mov ! decodebin
==14986== 
Setting pipeline to PAUSED ...
Pipeline is PREROLLING ...
==14986== Thread 2:
==14986== Invalid read of size 8
==14986==    at 0x8FA702F: qtdemux_parse_trak (qtdemux.c:5882)
==14986==    by 0x8FA7C7A: qtdemux_parse_tree (qtdemux.c:7237)
==14986==    by 0x8FAD997: gst_qtdemux_loop (qtdemux.c:1867)
==14986==    by 0x4EB0ABA: ??? (in /usr/lib/libgstreamer-0.10.so.0.26.0)
==14986==    by 0x55BD5CE: ??? (in /lib/libglib-2.0.so.0.2400.2)
==14986==    by 0x55BB783: ??? (in /lib/libglib-2.0.so.0.2400.2)
==14986==    by 0x58368B9: start_thread (pthread_create.c:300)
==14986==  Address 0x0 is not stack'd, malloc'd or (recently) free'd
==14986== 
Caught SIGSEGV accessing address (nil)
#0  vgModuleLocal_do_syscall_for_client_WRK ()
#1  0x0000000000000008 in ?? ()
#2  0x000000040327bde0 in ?? ()
#3  0x000000040327be50 in ?? ()
#4  0x0000000038e113f0 in vgPlain_threads ()
#5  0x0000000000000007 in ?? ()
#6  0x0000000000000007 in ?? ()
#7  0x00000000391d1800 in syscallInfo ()
#8  0x000000040327be50 in ?? ()
#9  0x0000000000000001 in ?? ()
#10 0x0000000038e113e0 in vgPlain_threads ()
#11 0x00000000391d1770 in syscallInfo ()
#12 0x0000000038067fe1 in do_syscall_for_client (tid=1, 
#13 vgPlain_client_syscall (tid=1, trc=<value optimized out>)
#14 0x0000000038064a4e in handle_syscall (tid=<value optimized out>, 
#15 0x00000000380658ba in vgPlain_scheduler (tid=1)
#16 0x000000003808f195 in thread_wrapper (tidW=1)
#17 run_a_thread_NORETURN (tidW=1) at m_syswrap/syswrap-linux.c:127
#18 0x0000000000000000 in ?? ()
==14991== 
==14991== HEAP SUMMARY:
==14991==     in use at exit: 3,039,410 bytes in 17,545 blocks
==14991==   total heap usage: 28,420 allocs, 10,875 frees, 3,679,380 bytes
allocated
==14991== 
==14991== LEAK SUMMARY:
==14991==    definitely lost: 145 bytes in 5 blocks
==14991==    indirectly lost: 240 bytes in 10 blocks
==14991==      possibly lost: 2,841,962 bytes in 15,515 blocks
==14991==    still reachable: 197,063 bytes in 2,015 blocks
==14991==         suppressed: 0 bytes in 0 blocks
==14991== Rerun with --leak-check=full to see details of leaked memory
==14991== 
==14991== For counts of detected and suppressed errors, rerun with: -v
==14991== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 46 from 7)
Spinning.  Please run 'gdb gst-launch 14986' to continue debugging, Ctrl-C to
quit, or Ctrl-\ to dump core.
^CCaught interrupt -- handling interrupt.
Interrupt: Stopping pipeline ...
ERROR: pipeline doesn't want to preroll.
Setting pipeline to NULL ...

^C==14986== 
==14986== HEAP SUMMARY:
==14986==     in use at exit: 3,039,325 bytes in 17,538 blocks
==14986==   total heap usage: 28,464 allocs, 10,926 frees, 3,682,389 bytes
allocated
==14986== 
==14986== LEAK SUMMARY:
==14986==    definitely lost: 145 bytes in 5 blocks
==14986==    indirectly lost: 240 bytes in 10 blocks
==14986==      possibly lost: 2,842,050 bytes in 15,506 blocks
==14986==    still reachable: 196,890 bytes in 2,017 blocks
==14986==         suppressed: 0 bytes in 0 blocks
==14986== Rerun with --leak-check=full to see details of leaked memory
==14986== 
==14986== For counts of detected and suppressed errors, rerun with: -v
==14986== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 46 from 7)
Killed
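The valgrind trace above reports an "Invalid read of size 8" at address 0x0 inside qtdemux_parse_trak, i.e. a NULL dereference reached while walking the atom tree of a malformed file. The report does not show the code at qtdemux.c:5882, so the following is not a reconstruction of that bug and is not GStreamer's code; it is an added example of the defensive shape a container parser needs so that a missing, truncated or zero-sized atom turns into a parse failure instead of a crash. The atom names (moov, trak, mdia) come from the QuickTime/MOV format; the sample byte arrays are constructed here and are not real files.

```c
/* Added example: a bounds-checked QuickTime/MOV atom walker.
 * Not qtdemux's code; illustrates checking every lookup before use. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

typedef struct {
    const uint8_t *payload;  /* bytes after the 8-byte atom header */
    size_t len;              /* payload length, already bounds-checked */
} atom_t;

/* Read a big-endian 32-bit value (atom sizes are big-endian). */
static uint32_t rd32be(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Find the first atom of type `fourcc` among the siblings in [buf, buf+len).
 * Returns 1 and fills *out on success, 0 if the atom is absent or if any
 * header is inconsistent with the bytes actually available. */
int find_atom(const uint8_t *buf, size_t len, const char *fourcc, atom_t *out) {
    size_t off = 0;
    while (len - off >= 8) {
        uint32_t size = rd32be(buf + off);
        /* The spec also allows size 0 ("to end of file") and 1 (64-bit size);
         * this walker accepts only explicit sizes >= 8. Rejecting size < 8
         * also prevents an endless loop on a zero-sized atom. */
        if (size < 8 || size > len - off)
            return 0;   /* truncated or oversized: stop, never read past buf */
        if (memcmp(buf + off + 4, fourcc, 4) == 0) {
            out->payload = buf + off + 8;
            out->len = size - 8;
            return 1;
        }
        off += size;
    }
    return 0;
}

/* Shape of a trak parser: every required child is looked up and the result
 * checked before it is dereferenced. Returns 1 if moov/trak/mdia is present,
 * 0 for a malformed file (missing, truncated or zero-sized atoms). */
int trak_has_mdia(const uint8_t *file, size_t len) {
    atom_t moov, trak, mdia;
    if (!find_atom(file, len, "moov", &moov)) return 0;
    if (!find_atom(moov.payload, moov.len, "trak", &trak)) return 0;
    if (!find_atom(trak.payload, trak.len, "mdia", &mdia)) return 0;
    return 1;
}

/* Constructed sample inputs (hand-built, not real movie files). */
static const uint8_t good_mov[] = {            /* moov > trak > mdia */
    0,0,0,28, 'm','o','o','v',
      0,0,0,20, 't','r','a','k',
        0,0,0,12, 'm','d','i','a', 0,0,0,0
};
static const uint8_t bad_missing[] = {         /* trak with no mdia child */
    0,0,0,16, 'm','o','o','v',
      0,0,0,8,  't','r','a','k'
};
static const uint8_t bad_truncated[] = {       /* mdia claims 100 bytes, has 12 */
    0,0,0,28, 'm','o','o','v',
      0,0,0,20, 't','r','a','k',
        0,0,0,100, 'm','d','i','a', 0,0,0,0
};
static const uint8_t bad_zero_size[] = {       /* size field of 0 at top level */
    0,0,0,0, 'm','o','o','v'
};

int main(void) {
    printf("good=%d missing=%d truncated=%d zero=%d\n",
           trak_has_mdia(good_mov, sizeof good_mov),
           trak_has_mdia(bad_missing, sizeof bad_missing),
           trak_has_mdia(bad_truncated, sizeof bad_truncated),
           trak_has_mdia(bad_zero_size, sizeof bad_zero_size));
    return 0;
}
```

The point for triage is the one valgrind makes for you: the faulting address is 0x0, so some lookup in the trak walk returned nothing and the caller used it anyway. A walker that reports failure for absent and oversized atoms, as above, lets the demuxer post an error on the bus and stop prerolling instead of segfaulting, which is the behaviour one wants when the input comes from an untrusted file.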
