[Bug 775450] New: aac invalid memory read in gst_aac_parse_sink_setcaps

GStreamer (GNOME Bugzilla) bugzilla at gnome.org
Thu Dec 1 10:32:35 UTC 2016 

https://bugzilla.gnome.org/show_bug.cgi?id=775450

            Bug ID: 775450
           Summary: aac invalid memory read in gst_aac_parse_sink_setcaps
    Classification: Platform
           Product: GStreamer
           Version: git master
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: Normal
         Component: gst-plugins-good
          Assignee: gstreamer-bugs at lists.freedesktop.org
          Reporter: hanno at hboeck.de
        QA Contact: gstreamer-bugs at lists.freedesktop.org
     GNOME version: ---

Created attachment 341134
  --> https://bugzilla.gnome.org/attachment.cgi?id=341134&action=edit
poc file

The attached file causes an invalid memory read. Found with afl, current git.

asan error:
==14926==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc
0x7fc5b05fd9ff bp 0x7fc5b1060270 sp 0x7fc5b10600c0 T2)
==14926==The signal is caused by a READ memory access.
==14926==Hint: address points to the zero page.
    #0 0x7fc5b05fd9fe in gst_aac_parse_sink_setcaps
/f/gstreamer/gst-plugins-good/gst/audioparsers/gstaacparse.c:315:18
    #1 0x7fc5bf22f5fa in gst_base_parse_sink_event_default
/f/gstreamer/gstreamer/libs/gst/base/gstbaseparse.c:1186:15
    #2 0x7fc5bed0d70d in gst_pad_send_event_unchecked
/f/gstreamer/gstreamer/gst/gstpad.c:5609:14
    #3 0x7fc5beceb3cd in gst_pad_send_event
/f/gstreamer/gstreamer/gst/gstpad.c:5779:7
    #4 0x7fc5b37f3c2d in send_sticky_event
/f/gstreamer/gst-plugins-base/gst/playback/gstdecodebin2.c:1961:9
    #5 0x7fc5bed10409 in foreach_dispatch_function
/f/gstreamer/gstreamer/gst/gstpad.c:5878:11
    #6 0x7fc5becf4d44 in events_foreach
/f/gstreamer/gstreamer/gst/gstpad.c:603:11
    #7 0x7fc5bed10215 in gst_pad_sticky_events_foreach
/f/gstreamer/gstreamer/gst/gstpad.c:5909:3
    #8 0x7fc5b37df9ee in send_sticky_events
/f/gstreamer/gst-plugins-base/gst/playback/gstdecodebin2.c:1976:3
    #9 0x7fc5b37df9ee in connect_pad
/f/gstreamer/gst-plugins-base/gst/playback/gstdecodebin2.c:2496
    #10 0x7fc5b37df9ee in analyze_new_pad
/f/gstreamer/gst-plugins-base/gst/playback/gstdecodebin2.c:1791
    #11 0x7fc5b37f1b80 in pad_added_cb
/f/gstreamer/gst-plugins-base/gst/playback/gstdecodebin2.c:2929:7
    #12 0x7fc5bd28301f in ffi_call_unix64 (/usr/lib64/libffi.so.6+0x601f)
    #13 0x7fc5bd282a87 in ffi_call (/usr/lib64/libffi.so.6+0x5a87)
    #14 0x7fc5be2737e3 in g_cclosure_marshal_generic
(/usr/lib64/libgobject-2.0.so.0+0x107e3)
    #15 0x7fc5be272fd4 in g_closure_invoke
(/usr/lib64/libgobject-2.0.so.0+0xffd4)
    #16 0x7fc5be285320  (/usr/lib64/libgobject-2.0.so.0+0x22320)
    #17 0x7fc5be28ddd4 in g_signal_emit_valist
(/usr/lib64/libgobject-2.0.so.0+0x2add4)
    #18 0x7fc5be28e036 in g_signal_emit
(/usr/lib64/libgobject-2.0.so.0+0x2b036)
    #19 0x7fc5bec7e7bb in gst_element_add_pad
/f/gstreamer/gstreamer/gst/gstelement.c:713:3
    #20 0x7fc5b157af6f in gst_qtdemux_add_stream
/f/gstreamer/gst-plugins-good/gst/isomp4/qtdemux.c:7798:5
    #21 0x7fc5b157af6f in qtdemux_expose_streams
/f/gstreamer/gst-plugins-good/gst/isomp4/qtdemux.c:11472
    #22 0x7fc5b1568b6f in gst_qtdemux_loop_state_header
/f/gstreamer/gst-plugins-good/gst/isomp4/qtdemux.c:4297:11
    #23 0x7fc5b1568b6f in gst_qtdemux_loop
/f/gstreamer/gst-plugins-good/gst/isomp4/qtdemux.c:5753
    #24 0x7fc5bedc45d3 in gst_task_func
/f/gstreamer/gstreamer/gst/gsttask.c:334:5
    #25 0x7fc5bdfc1627  (/usr/lib64/libglib-2.0.so.0+0x72627)
    #26 0x7fc5bdfc0c94  (/usr/lib64/libglib-2.0.so.0+0x71c94)
    #27 0x7fc5bda3d453 in start_thread (/lib64/libpthread.so.0+0x7453)
    #28 0x7fc5bd56d5dc in clone (/lib64/libc.so.6+0xe75dc)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV
/f/gstreamer/gst-plugins-good/gst/audioparsers/gstaacparse.c:315:18 in
gst_aac_parse_sink_setcaps
Thread T2 (qtdemux0:sink) created by T1 (task2) here:
    #0 0x42e26d in __interceptor_pthread_create
(/usr/bin/gst-discoverer-1.0+0x42e26d)
    #1 0x7fc5bdfde95f  (/usr/lib64/libglib-2.0.so.0+0x8f95f)

Thread T1 (task2) created by T0 here:
    #0 0x42e26d in __interceptor_pthread_create
(/usr/bin/gst-discoverer-1.0+0x42e26d)
    #1 0x7fc5bdfde95f  (/usr/lib64/libglib-2.0.so.0+0x8f95f)

==14926==ABORTING

-- 
You are receiving this mail because:
You are the QA Contact for the bug.
You are the assignee for the bug.

More information about the gstreamer-bugs mailing list