[Bug 759910] GstDiscoverer checking aac http stream called many times eventually results in segmentation fault

GStreamer (GNOME Bugzilla) bugzilla at gnome.org
Mon Dec 28 00:49:33 PST 2015


https://bugzilla.gnome.org/show_bug.cgi?id=759910

Sebastian Dröge (slomo) <slomo at coaxion.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |slomo at coaxion.net

--- Comment #1 from Sebastian Dröge (slomo) <slomo at coaxion.net> ---
Running valgrind with "gst-discoverer-1.0 http://193.29.200.243:8000/nashe.aac"
also shows suspicious warnings in that code. It apparently reads over the array
boundaries there.


==25826== Conditional jump or move depends on uninitialised value(s)
==25826==    at 0x1226CFEE: aac_type_find (gsttypefindfunctions.c:1123)
==25826==    by 0x5A88EED: gst_type_find_factory_call_function (gsttypefindfactory.c:215)
==25826==    by 0x57C9CB0: gst_type_find_helper_for_data (gsttypefindhelper.c:535)
==25826==    by 0x57C9E03: gst_type_find_helper_for_buffer (gsttypefindhelper.c:591)
==25826==    by 0x1205BC26: gst_icydemux_typefind_or_forward (gsticydemux.c:468)
==25826==    by 0x1205C2F6: gst_icydemux_chain (gsticydemux.c:577)
==25826==    by 0x5A532B1: gst_pad_chain_data_unchecked (gstpad.c:4153)
==25826==    by 0x5A532B1: gst_pad_push_data (gstpad.c:4405)
==25826==    by 0x5A5B472: gst_pad_push (gstpad.c:4524)
==25826==    by 0x5A532B1: gst_pad_chain_data_unchecked (gstpad.c:4153)
==25826==    by 0x5A532B1: gst_pad_push_data (gstpad.c:4405)
==25826==    by 0x5A5B472: gst_pad_push (gstpad.c:4524)
==25826==    by 0x5A44722: gst_proxy_pad_chain_default (gstghostpad.c:126)
==25826==    by 0x5A532B1: gst_pad_chain_data_unchecked (gstpad.c:4153)
==25826==    by 0x5A532B1: gst_pad_push_data (gstpad.c:4405)
==25826==  Uninitialised value was created by a heap allocation
==25826==    at 0x4C29C4F: malloc (vg_replace_malloc.c:299)
==25826==    by 0x5FAF558: g_malloc (in /lib/x86_64-linux-gnu/libglib-2.0.so.0.4600.2)
==25826==    by 0x5FC6742: g_slice_alloc (in /lib/x86_64-linux-gnu/libglib-2.0.so.0.4600.2)
==25826==    by 0x5A1EB8A: gst_buffer_new (gstbuffer.c:714)
==25826==    by 0x5A1FD82: gst_buffer_new_allocate (gstbuffer.c:762)
==25826==    by 0x57AE674: gst_base_src_default_alloc (gstbasesrc.c:1435)
==25826==    by 0x9E0C6CD: gst_soup_http_src_chunk_allocator (gstsouphttpsrc.c:1432)
==25826==    by 0xA07DB86: ??? (in /usr/lib/x86_64-linux-gnu/libsoup-2.4.so.1.7.0)
==25826==    by 0xA07DFEF: ??? (in /usr/lib/x86_64-linux-gnu/libsoup-2.4.so.1.7.0)
==25826==    by 0xA07EC34: ??? (in /usr/lib/x86_64-linux-gnu/libsoup-2.4.so.1.7.0)
==25826==    by 0xA07EE8A: ??? (in /usr/lib/x86_64-linux-gnu/libsoup-2.4.so.1.7.0)
==25826==    by 0x5FA9E89: g_main_context_dispatch (in /lib/x86_64-linux-gnu/libglib-2.0.so.0.4600.2)
==25826== 
==25826== Conditional jump or move depends on uninitialised value(s)
==25826==    at 0x12260291: data_scan_ctx_ensure_data (gsttypefindfunctions.c:81)
==25826==    by 0x1226D002: aac_type_find (gsttypefindfunctions.c:1123)
==25826==    by 0x5A88EED: gst_type_find_factory_call_function (gsttypefindfactory.c:215)
==25826==    by 0x57C9CB0: gst_type_find_helper_for_data (gsttypefindhelper.c:535)
==25826==    by 0x57C9E03: gst_type_find_helper_for_buffer (gsttypefindhelper.c:591)
==25826==    by 0x1205BC26: gst_icydemux_typefind_or_forward (gsticydemux.c:468)
==25826==    by 0x1205C2F6: gst_icydemux_chain (gsticydemux.c:577)
==25826==    by 0x5A532B1: gst_pad_chain_data_unchecked (gstpad.c:4153)
==25826==    by 0x5A532B1: gst_pad_push_data (gstpad.c:4405)
==25826==    by 0x5A5B472: gst_pad_push (gstpad.c:4524)
==25826==    by 0x5A532B1: gst_pad_chain_data_unchecked (gstpad.c:4153)
==25826==    by 0x5A532B1: gst_pad_push_data (gstpad.c:4405)
==25826==    by 0x5A5B472: gst_pad_push (gstpad.c:4524)
==25826==    by 0x5A44722: gst_proxy_pad_chain_default (gstghostpad.c:126)
==25826==  Uninitialised value was created by a heap allocation
==25826==    at 0x4C29C4F: malloc (vg_replace_malloc.c:299)
==25826==    by 0x5FAF558: g_malloc (in /lib/x86_64-linux-gnu/libglib-2.0.so.0.4600.2)
==25826==    by 0x5FC6742: g_slice_alloc (in /lib/x86_64-linux-gnu/libglib-2.0.so.0.4600.2)
==25826==    by 0x5A1EB8A: gst_buffer_new (gstbuffer.c:714)
==25826==    by 0x5A1FD82: gst_buffer_new_allocate (gstbuffer.c:762)
==25826==    by 0x57AE674: gst_base_src_default_alloc (gstbasesrc.c:1435)
==25826==    by 0x9E0C6CD: gst_soup_http_src_chunk_allocator (gstsouphttpsrc.c:1432)
==25826==    by 0xA07DB86: ??? (in /usr/lib/x86_64-linux-gnu/libsoup-2.4.so.1.7.0)
==25826==    by 0xA07DFEF: ??? (in /usr/lib/x86_64-linux-gnu/libsoup-2.4.so.1.7.0)
==25826==    by 0xA07EC34: ??? (in /usr/lib/x86_64-linux-gnu/libsoup-2.4.so.1.7.0)
==25826==    by 0xA07EE8A: ??? (in /usr/lib/x86_64-linux-gnu/libsoup-2.4.so.1.7.0)
==25826==    by 0x5FA9E89: g_main_context_dispatch (in /lib/x86_64-linux-gnu/libglib-2.0.so.0.4600.2)
==25826== 
==25826== Conditional jump or move depends on uninitialised value(s)
==25826==    at 0x57C9695: buf_helper_find_peek (gsttypefindhelper.c:441)
==25826==    by 0x122602B6: data_scan_ctx_ensure_data (gsttypefindfunctions.c:84)
==25826==    by 0x1226D002: aac_type_find (gsttypefindfunctions.c:1123)
==25826==    by 0x5A88EED: gst_type_find_factory_call_function (gsttypefindfactory.c:215)
==25826==    by 0x57C9CB0: gst_type_find_helper_for_data (gsttypefindhelper.c:535)
==25826==    by 0x57C9E03: gst_type_find_helper_for_buffer (gsttypefindhelper.c:591)
==25826==    by 0x1205BC26: gst_icydemux_typefind_or_forward (gsticydemux.c:468)
==25826==    by 0x1205C2F6: gst_icydemux_chain (gsticydemux.c:577)
==25826==    by 0x5A532B1: gst_pad_chain_data_unchecked (gstpad.c:4153)
==25826==    by 0x5A532B1: gst_pad_push_data (gstpad.c:4405)
==25826==    by 0x5A5B472: gst_pad_push (gstpad.c:4524)
==25826==    by 0x5A532B1: gst_pad_chain_data_unchecked (gstpad.c:4153)
==25826==    by 0x5A532B1: gst_pad_push_data (gstpad.c:4405)
==25826==    by 0x5A5B472: gst_pad_push (gstpad.c:4524)
==25826==  Uninitialised value was created by a heap allocation
==25826==    at 0x4C29C4F: malloc (vg_replace_malloc.c:299)
==25826==    by 0x5FAF558: g_malloc (in /lib/x86_64-linux-gnu/libglib-2.0.so.0.4600.2)
==25826==    by 0x5FC6742: g_slice_alloc (in /lib/x86_64-linux-gnu/libglib-2.0.so.0.4600.2)
==25826==    by 0x5A1EB8A: gst_buffer_new (gstbuffer.c:714)
==25826==    by 0x5A1FD82: gst_buffer_new_allocate (gstbuffer.c:762)
==25826==    by 0x57AE674: gst_base_src_default_alloc (gstbasesrc.c:1435)
==25826==    by 0x9E0C6CD: gst_soup_http_src_chunk_allocator (gstsouphttpsrc.c:1432)
==25826==    by 0xA07DB86: ??? (in /usr/lib/x86_64-linux-gnu/libsoup-2.4.so.1.7.0)
==25826==    by 0xA07DFEF: ??? (in /usr/lib/x86_64-linux-gnu/libsoup-2.4.so.1.7.0)
==25826==    by 0xA07EC34: ??? (in /usr/lib/x86_64-linux-gnu/libsoup-2.4.so.1.7.0)
==25826==    by 0xA07EE8A: ??? (in /usr/lib/x86_64-linux-gnu/libsoup-2.4.so.1.7.0)
==25826==    by 0x5FA9E89: g_main_context_dispatch (in /lib/x86_64-linux-gnu/libglib-2.0.so.0.4600.2)
==25826== 
==25826== Conditional jump or move depends on uninitialised value(s)
==25826==    at 0x57C96A4: buf_helper_find_peek (gsttypefindhelper.c:450)
==25826==    by 0x122602B6: data_scan_ctx_ensure_data (gsttypefindfunctions.c:84)
==25826==    by 0x1226D002: aac_type_find (gsttypefindfunctions.c:1123)
==25826==    by 0x5A88EED: gst_type_find_factory_call_function (gsttypefindfactory.c:215)
==25826==    by 0x57C9CB0: gst_type_find_helper_for_data (gsttypefindhelper.c:535)
==25826==    by 0x57C9E03: gst_type_find_helper_for_buffer (gsttypefindhelper.c:591)
==25826==    by 0x1205BC26: gst_icydemux_typefind_or_forward (gsticydemux.c:468)
==25826==    by 0x1205C2F6: gst_icydemux_chain (gsticydemux.c:577)
==25826==    by 0x5A532B1: gst_pad_chain_data_unchecked (gstpad.c:4153)
==25826==    by 0x5A532B1: gst_pad_push_data (gstpad.c:4405)
==25826==    by 0x5A5B472: gst_pad_push (gstpad.c:4524)
==25826==    by 0x5A532B1: gst_pad_chain_data_unchecked (gstpad.c:4153)
==25826==    by 0x5A532B1: gst_pad_push_data (gstpad.c:4405)
==25826==    by 0x5A5B472: gst_pad_push (gstpad.c:4524)
==25826==  Uninitialised value was created by a heap allocation
==25826==    at 0x4C29C4F: malloc (vg_replace_malloc.c:299)
==25826==    by 0x5FAF558: g_malloc (in /lib/x86_64-linux-gnu/libglib-2.0.so.0.4600.2)
==25826==    by 0x5FC6742: g_slice_alloc (in /lib/x86_64-linux-gnu/libglib-2.0.so.0.4600.2)
==25826==    by 0x5A1EB8A: gst_buffer_new (gstbuffer.c:714)
==25826==    by 0x5A1FD82: gst_buffer_new_allocate (gstbuffer.c:762)
==25826==    by 0x57AE674: gst_base_src_default_alloc (gstbasesrc.c:1435)
==25826==    by 0x9E0C6CD: gst_soup_http_src_chunk_allocator (gstsouphttpsrc.c:1432)
==25826==    by 0xA07DB86: ??? (in /usr/lib/x86_64-linux-gnu/libsoup-2.4.so.1.7.0)
==25826==    by 0xA07DFEF: ??? (in /usr/lib/x86_64-linux-gnu/libsoup-2.4.so.1.7.0)
==25826==    by 0xA07EC34: ??? (in /usr/lib/x86_64-linux-gnu/libsoup-2.4.so.1.7.0)
==25826==    by 0xA07EE8A: ??? (in /usr/lib/x86_64-linux-gnu/libsoup-2.4.so.1.7.0)
==25826==    by 0x5FA9E89: g_main_context_dispatch (in /lib/x86_64-linux-gnu/libglib-2.0.so.0.4600.2)
==25826== 
==25826== Conditional jump or move depends on uninitialised value(s)
==25826==    at 0x57C9695: buf_helper_find_peek (gsttypefindhelper.c:441)
==25826==    by 0x122602FC: data_scan_ctx_ensure_data (gsttypefindfunctions.c:101)
==25826==    by 0x1226D002: aac_type_find (gsttypefindfunctions.c:1123)
==25826==    by 0x5A88EED: gst_type_find_factory_call_function (gsttypefindfactory.c:215)
==25826==    by 0x57C9CB0: gst_type_find_helper_for_data (gsttypefindhelper.c:535)
==25826==    by 0x57C9E03: gst_type_find_helper_for_buffer (gsttypefindhelper.c:591)
==25826==    by 0x1205BC26: gst_icydemux_typefind_or_forward (gsticydemux.c:468)
==25826==    by 0x1205C2F6: gst_icydemux_chain (gsticydemux.c:577)
==25826==    by 0x5A532B1: gst_pad_chain_data_unchecked (gstpad.c:4153)
==25826==    by 0x5A532B1: gst_pad_push_data (gstpad.c:4405)
==25826==    by 0x5A5B472: gst_pad_push (gstpad.c:4524)
==25826==    by 0x5A532B1: gst_pad_chain_data_unchecked (gstpad.c:4153)
==25826==    by 0x5A532B1: gst_pad_push_data (gstpad.c:4405)
==25826==    by 0x5A5B472: gst_pad_push (gstpad.c:4524)
==25826==  Uninitialised value was created by a heap allocation
==25826==    at 0x4C29C4F: malloc (vg_replace_malloc.c:299)
==25826==    by 0x5FAF558: g_malloc (in /lib/x86_64-linux-gnu/libglib-2.0.so.0.4600.2)
==25826==    by 0x5FC6742: g_slice_alloc (in /lib/x86_64-linux-gnu/libglib-2.0.so.0.4600.2)
==25826==    by 0x5A1EB8A: gst_buffer_new (gstbuffer.c:714)
==25826==    by 0x5A1FD82: gst_buffer_new_allocate (gstbuffer.c:762)
==25826==    by 0x57AE674: gst_base_src_default_alloc (gstbasesrc.c:1435)
==25826==    by 0x9E0C6CD: gst_soup_http_src_chunk_allocator (gstsouphttpsrc.c:1432)
==25826==    by 0xA07DB86: ??? (in /usr/lib/x86_64-linux-gnu/libsoup-2.4.so.1.7.0)
==25826==    by 0xA07DFEF: ??? (in /usr/lib/x86_64-linux-gnu/libsoup-2.4.so.1.7.0)
==25826==    by 0xA07EC34: ??? (in /usr/lib/x86_64-linux-gnu/libsoup-2.4.so.1.7.0)
==25826==    by 0xA07EE8A: ??? (in /usr/lib/x86_64-linux-gnu/libsoup-2.4.so.1.7.0)
==25826==    by 0x5FA9E89: g_main_context_dispatch (in /lib/x86_64-linux-gnu/libglib-2.0.so.0.4600.2)
==25826== 
==25826== Conditional jump or move depends on uninitialised value(s)
==25826==    at 0x57C96A4: buf_helper_find_peek (gsttypefindhelper.c:450)
==25826==    by 0x122602FC: data_scan_ctx_ensure_data (gsttypefindfunctions.c:101)
==25826==    by 0x1226D002: aac_type_find (gsttypefindfunctions.c:1123)
==25826==    by 0x5A88EED: gst_type_find_factory_call_function (gsttypefindfactory.c:215)
==25826==    by 0x57C9CB0: gst_type_find_helper_for_data (gsttypefindhelper.c:535)
==25826==    by 0x57C9E03: gst_type_find_helper_for_buffer (gsttypefindhelper.c:591)
==25826==    by 0x1205BC26: gst_icydemux_typefind_or_forward (gsticydemux.c:468)
==25826==    by 0x1205C2F6: gst_icydemux_chain (gsticydemux.c:577)
==25826==    by 0x5A532B1: gst_pad_chain_data_unchecked (gstpad.c:4153)
==25826==    by 0x5A532B1: gst_pad_push_data (gstpad.c:4405)
==25826==    by 0x5A5B472: gst_pad_push (gstpad.c:4524)
==25826==    by 0x5A532B1: gst_pad_chain_data_unchecked (gstpad.c:4153)
==25826==    by 0x5A532B1: gst_pad_push_data (gstpad.c:4405)
==25826==    by 0x5A5B472: gst_pad_push (gstpad.c:4524)
==25826==  Uninitialised value was created by a heap allocation
==25826==    at 0x4C29C4F: malloc (vg_replace_malloc.c:299)
==25826==    by 0x5FAF558: g_malloc (in /lib/x86_64-linux-gnu/libglib-2.0.so.0.4600.2)
==25826==    by 0x5FC6742: g_slice_alloc (in /lib/x86_64-linux-gnu/libglib-2.0.so.0.4600.2)
==25826==    by 0x5A1EB8A: gst_buffer_new (gstbuffer.c:714)
==25826==    by 0x5A1FD82: gst_buffer_new_allocate (gstbuffer.c:762)
==25826==    by 0x57AE674: gst_base_src_default_alloc (gstbasesrc.c:1435)
==25826==    by 0x9E0C6CD: gst_soup_http_src_chunk_allocator (gstsouphttpsrc.c:1432)
==25826==    by 0xA07DB86: ??? (in /usr/lib/x86_64-linux-gnu/libsoup-2.4.so.1.7.0)
==25826==    by 0xA07DFEF: ??? (in /usr/lib/x86_64-linux-gnu/libsoup-2.4.so.1.7.0)
==25826==    by 0xA07EC34: ??? (in /usr/lib/x86_64-linux-gnu/libsoup-2.4.so.1.7.0)
==25826==    by 0xA07EE8A: ??? (in /usr/lib/x86_64-linux-gnu/libsoup-2.4.so.1.7.0)
==25826==    by 0x5FA9E89: g_main_context_dispatch (in /lib/x86_64-linux-gnu/libglib-2.0.so.0.4600.2)
