[Bug 677560] rtpjpegdepay: crash in copy_into_unchecked

GStreamer (bugzilla.gnome.org) bugzilla at gnome.org
Fri Apr 26 10:47:08 PDT 2013 

https://bugzilla.gnome.org/show_bug.cgi?id=677560
  GStreamer | gst-plugins-good | 0.10.31

Aleix Conchillo Flaqué <aleix> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |aleix at oblong.com

--- Comment #25 from Aleix Conchillo Flaqué <aleix at oblong.com> 2013-04-26 17:47:03 UTC ---
I also hit the same segmentation fault and back trace.

I initially thought to do the same fix as Álvaro, but as Tim mentions I don't
think this check is needed (if everything went fine before).

I think there's some issue with the JPEG depayloader when packets are lost or
there's latency and jitter and that the depayloader is not very resilient to
these facts.

I end up switching to TCP for JPEG streams (I send 1 image every 4 seconds).

This is the investigation that I end up with:

----------------

So here is the problematic code (see at the end). Specially:

    gst_adapter_copy (rtpjpegdepay->adapter, end, avail - 2, 2);

which will internally call:

    copy_into_unchecked (adapter, dest=end, skip=4294967294, size=2);

Note that skip is "2^32 - 2", which is the same as saying "0 - 2" for a
guint type.

My feeling is that for some reason we have an RTP packet with the marker bit
(indicating this is might be the end of the image):

  if (gst_rtp_buffer_get_marker (buf)) {

Then we get the available bytes in the adapter:

    avail = gst_adapter_available (rtpjpegdepay->adapter);

And the problem might be here, avail could be 0 which would make the following
code crash:

    gst_adapter_copy (rtpjpegdepay->adapter, end, avail - 2, 2);

So, how is it possible that the adapter doesn't contain anything if we just
did?

  gst_adapter_push (rtpjpegdepay->adapter, outbuf);

That was the only thing I could not figure out.

==============

  /* take JPEG data, push in the adapter */
  GST_DEBUG_OBJECT (rtpjpegdepay, "pushing data at offset %d", header_len);
  outbuf = gst_rtp_buffer_get_payload_subbuffer (buf, header_len, -1);
  gst_adapter_push (rtpjpegdepay->adapter, outbuf);
  outbuf = NULL;

  if (gst_rtp_buffer_get_marker (buf)) {
    guint avail;
    guint8 end[2];
    guint8 *data;

    /* last buffer take all data out of the adapter */
    avail = gst_adapter_available (rtpjpegdepay->adapter);
    GST_DEBUG_OBJECT (rtpjpegdepay, "marker set, last buffer");

    /* take the last bytes of the jpeg data to see if there is an EOI
     * marker */
    gst_adapter_copy (rtpjpegdepay->adapter, end, avail - 2, 2);

==============

-- 
Configure bugmail: https://bugzilla.gnome.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the QA contact for the bug.
You are the assignee for the bug.

More information about the gstreamer-bugs mailing list