[Bug 758726] New: avviddec: slice offset handling of real video leads to memory mishandling.
GStreamer (GNOME Bugzilla)
bugzilla at gnome.org
Thu Nov 26 18:40:35 PST 2015
https://bugzilla.gnome.org/show_bug.cgi?id=758726
Bug ID: 758726
Summary: avviddec: slice offset handling of real video leads to memory mishandling.
Classification: Platform
Product: GStreamer
Version: git master
OS: Linux
Status: NEW
Severity: normal
Priority: Normal
Component: gst-libav
Assignee: gstreamer-bugs at lists.freedesktop.org
Reporter: vineeth.tm at samsung.com
QA Contact: gstreamer-bugs at lists.freedesktop.org
GNOME version: ---
In the case of RealVideo, the slice offset is being handled in avviddec. If the slice count is valid, then the offset is copied to slice offset and the data pointer is incremented based on this. But by doing this, when the data is being passed on to avcodec_decode_video2 --> av_packet_split_side_data, it expects the original data/size to be passed to it. This change results in an invalid memory read:
==32228== Thread 6 multiqueue0:src_:
==32228== Invalid read of size 4
==32228== at 0xDA77ACC: av_packet_split_side_data (avpacket.c:405)
==32228== by 0xDE48565: avcodec_decode_video2 (utils.c:2432)
==32228== by 0xD90B1AF: gst_ffmpegviddec_frame (gstavviddec.c:1354)
==32228== by 0xD90CE74: gst_ffmpegviddec_handle_frame (gstavviddec.c:1644)
==32228== by 0x41327BB: gst_video_decoder_decode_frame (gstvideodecoder.c:3406)
==32228== by 0x4136BF8: gst_video_decoder_chain_forward (gstvideodecoder.c:2190)
==32228== by 0x4138E3D: gst_video_decoder_chain (gstvideodecoder.c:2492)
==32228== by 0x41DEAC7: gst_pad_push_data (gstpad.c:4108)
==32228== by 0x41E7676: gst_pad_push (gstpad.c:4479)
==32228== by 0x671C9EA: gst_multi_queue_loop (gstmultiqueue.c:1238)
==32228== by 0x4215C88: gst_task_func (gsttask.c:331)
==32228== by 0x4216E2E: default_func (gsttaskpool.c:68)
==32228== Address 0x571fb28 is 5,008 bytes inside a block of size 5,011 alloc'd
==32228== at 0x402E324: realloc (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==32228== by 0x4358CB8: g_realloc (in /lib/i386-linux-gnu/libglib-2.0.so.0.4002.0)
==32228== by 0xD90D12B: gst_ffmpegviddec_handle_frame (gstavviddec.c:1613)
==32228== by 0x41327BB: gst_video_decoder_decode_frame (gstvideodecoder.c:3406)
==32228== by 0x4136BF8: gst_video_decoder_chain_forward (gstvideodecoder.c:2190)
==32228== by 0x4138E3D: gst_video_decoder_chain (gstvideodecoder.c:2492)
==32228== by 0x41DEAC7: gst_pad_push_data (gstpad.c:4108)
==32228== by 0x41E7676: gst_pad_push (gstpad.c:4479)
==32228== by 0x671C9EA: gst_multi_queue_loop (gstmultiqueue.c:1238)
==32228== by 0x4215C88: gst_task_func (gsttask.c:331)
==32228== by 0x4216E2E: default_func (gsttaskpool.c:68)
==32228== by 0x437A404: ??? (in /lib/i386-linux-gnu/libglib-2.0.so.0.4002.0)
==32228==
==32228== Invalid read of size 1
==32228== at 0x4031053: memcpy (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==32228== by 0xDA780EF: av_packet_ref (string3.h:51)
==32228== by 0xDD88538: ff_thread_decode_frame (pthread_frame.c:360)
==32228== by 0xDE485B1: avcodec_decode_video2 (utils.c:2442)
==32228== by 0xD90B1AF: gst_ffmpegviddec_frame (gstavviddec.c:1354)
==32228== by 0xD90CE74: gst_ffmpegviddec_handle_frame (gstavviddec.c:1644)
==32228== by 0x41327BB: gst_video_decoder_decode_frame (gstvideodecoder.c:3406)
==32228== by 0x4136BF8: gst_video_decoder_chain_forward (gstvideodecoder.c:2190)
==32228== by 0x4138E3D: gst_video_decoder_chain (gstvideodecoder.c:2492)
==32228== by 0x41DEAC7: gst_pad_push_data (gstpad.c:4108)
==32228== by 0x41E7676: gst_pad_push (gstpad.c:4479)
==32228== by 0x671C9EA: gst_multi_queue_loop (gstmultiqueue.c:1238)
==32228== Address 0x571fb2b is 0 bytes after a block of size 5,011 alloc'd
==32228== at 0x402E324: realloc (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==32228== by 0x4358CB8: g_realloc (in /lib/i386-linux-gnu/libglib-2.0.so.0.4002.0)
==32228== by 0xD90D12B: gst_ffmpegviddec_handle_frame (gstavviddec.c:1613)
==32228== by 0x41327BB: gst_video_decoder_decode_frame (gstvideodecoder.c:3406)
==32228== by 0x4136BF8: gst_video_decoder_chain_forward (gstvideodecoder.c:2190)
==32228== by 0x4138E3D: gst_video_decoder_chain (gstvideodecoder.c:2492)
==32228== by 0x41DEAC7: gst_pad_push_data (gstpad.c:4108)
==32228== by 0x41E7676: gst_pad_push (gstpad.c:4479)
==32228== by 0x671C9EA: gst_multi_queue_loop (gstmultiqueue.c:1238)
==32228== by 0x4215C88: gst_task_func (gsttask.c:331)
==32228== by 0x4216E2E: default_func (gsttaskpool.c:68)
==32228== by 0x437A404: ??? (in /lib/i386-linux-gnu/libglib-2.0.so.0.4002.0)
Ideally this might need to be handled in ffmpeg by avpacket.c, to check for slice_offset related changes for RealVideo. But do we really need to handle the slice offset in avviddec? I could see that the real decoders in ffmpeg (rv34 and rv10) are already handling the same. So even if we don't handle it here, it will be taken care of. I propose to remove the changes. Please suggest if it can be removed.
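As an added example (not code from gst-libav or ffmpeg), a bounds-checked parse of the slice table that keeps the caller's original data/size pair intact and shrinks the size together with the advanced pointer, which is the mismatch the report describes. The slice-table layout (a count byte, then 8-byte flag/offset entries), the struct and the function names are assumptions modelled on the RealVideo slice header.

```c
#include <stddef.h>
#include <stdint.h>

#define MAX_SLICES 256

/* Parsed view of a packet; the caller's original data/size pair stays as-is. */
typedef struct {
    const uint8_t *payload;   /* first byte after the slice table */
    size_t payload_size;      /* bytes remaining after the slice table */
    size_t slice_count;
    uint32_t offset[MAX_SLICES];
} slice_table;

static uint32_t rl32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Assumed layout (hypothetical, modelled on the RealVideo slice header):
 * data[0] = slice_count - 1, then slice_count entries of 8 bytes, each a
 * 32-bit LE flag followed by a 32-bit LE offset relative to the payload.
 * Returns 0 on success, -1 if the table or any offset would overrun size. */
int parse_slice_table(const uint8_t *data, size_t size, slice_table *out)
{
    if (size < 1)
        return -1;
    size_t n = (size_t)data[0] + 1;            /* 1..256 slices */
    size_t hdr = 1 + 8 * n;
    if (size < hdr)
        return -1;                             /* table overruns the packet */
    out->slice_count = n;
    out->payload = data + hdr;
    out->payload_size = size - hdr;            /* shrink size with the pointer */
    for (size_t i = 0; i < n; i++) {
        uint32_t off = rl32(data + 1 + 8 * i + 4);
        if (off >= out->payload_size)
            return -1;                         /* slice would start past end */
        out->offset[i] = off;
    }
    return 0;
}

/* Constructed sample packet (not from any media file): two slices with
 * flag/offset pairs {1,0} and {1,5}, followed by a 10-byte payload. */
static const uint8_t sample_packet[] = {
    0x01,
    0x01, 0x00, 0x00, 0x00,  0x00, 0x00, 0x00, 0x00,
    0x01, 0x00, 0x00, 0x00,  0x05, 0x00, 0x00, 0x00,
    'a', 'b', 'c', 'd', 'e', 'f', 'g', 'h', 'i', 'j'
};
```

Any API that needs the whole packet receives the untouched data/size pair, while the decoder-side code works from the payload view, so a read near the end of the packet cannot run past the allocation as in the valgrind trace above.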