[Bug 755971] New: Queue2 may overflow unsigned integer arithmetic
GStreamer (GNOME Bugzilla)
bugzilla at gnome.org
Fri Oct 2 01:37:30 PDT 2015
https://bugzilla.gnome.org/show_bug.cgi?id=755971
Bug ID: 755971
Summary: Queue2 may overflow unsigned integer arithmetic
Classification: Platform
Product: GStreamer
Version: 1.4.5
OS: Linux
Status: NEW
Severity: normal
Priority: Normal
Component: gstreamer (core)
Assignee: gstreamer-bugs at lists.freedesktop.org
Reporter: awabik at opera.com
QA Contact: gstreamer-bugs at lists.freedesktop.org
GNOME version: ---
Queue2's GET_PERCENT macro multiplies cur_level by 100:
#define GET_PERCENT(format,alt_max) ((queue->max_level.format) > 0 ?
(queue->cur_level.format) * 100 / ((alt_max) > 0 ? [...]
If this overflows, we may get a negative percentage, which will then be stored
as a signed integer and later used for gst_message_new_buffering(), which will
validate that percent is between 0 and 100 and return NULL (or abort, if
G_DEBUG=fatal-warnings).
The problem was reproduced when queueing invalid data in an artificial testcase
(segment started at 0, but the buffer passed to queue2 had timestamp
18446744071709551616). Still, queue2 should not cause crashes on such data.
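Added example, not part of the original report and not GStreamer's own code: a simplified model of the multiply-then-divide percentage computation described above, run on the timestamp quoted in the report, beside an overflow-safe form that always stays within 0..100. The function names percent_naive and percent_checked and the 2-second maximum level are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed inputs: the timestamp is the one quoted in the report, used
 * here as the current time level; the 2 s limit is an assumed max level. */
#define REPORTED_TS  UINT64_C(18446744071709551616)
#define ASSUMED_MAX  UINT64_C(2000000000)

/* Simplified model of the pattern in the report: multiply first, divide
 * after, store in a signed int. cur * 100 wraps modulo 2^64, and the
 * narrowing cast then yields a value unrelated to any real fill level. */
static int percent_naive(uint64_t cur, uint64_t max)
{
    return max > 0 ? (int)(cur * 100 / max) : 0;
}

/* Overflow-safe form: clamp to the limit, and divide before multiplying
 * whenever cur * 100 would not fit in 64 bits. Result is always 0..100. */
static int percent_checked(uint64_t cur, uint64_t max)
{
    uint64_t pct;

    if (max == 0)
        return 0;
    if (cur >= max)
        return 100;
    if (cur > UINT64_MAX / 100)
        pct = cur / (max / 100);  /* max > cur > UINT64_MAX/100, so max/100 > 0 */
    else
        pct = cur * 100 / max;
    return pct > 100 ? 100 : (int)pct;
}

int main(void)
{
    printf("naive:   %d\n", percent_naive(REPORTED_TS, ASSUMED_MAX));
    printf("checked: %d\n", percent_checked(REPORTED_TS, ASSUMED_MAX));
    return 0;
}
```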