[Bug 768757] New: hlsdemux: crash with encrypted stream with OpenSSL

GStreamer (GNOME Bugzilla) bugzilla at gnome.org
Wed Jul 13 06:18:49 UTC 2016 

https://bugzilla.gnome.org/show_bug.cgi?id=768757

            Bug ID: 768757
           Summary: hlsdemux: crash with encrypted stream with OpenSSL
    Classification: Platform
           Product: GStreamer
           Version: git master
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: Normal
         Component: gst-plugins-bad
          Assignee: gstreamer-bugs at lists.freedesktop.org
          Reporter: m.olbrich at pengutronix.de
        QA Contact: gstreamer-bugs at lists.freedesktop.org
     GNOME version: ---

Created attachment 331382
  --> https://bugzilla.gnome.org/attachment.cgi?id=331382&action=edit
hlsdemux: don't call gst_hls_demux_decrypt_end() in 
gst_hls_demux_clear_pending_data()

With 8fd6eee3f68b07f7ba92a9c407fe75ae2ce00300 ("hlsdemux: Clear pending data
when needed") hlsdemux crashes for
http://filmrommet.no/film/playlist.m3u8?id=12450%20TR=1%20type=m3u8

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 18438]
0x00007fffdeac6b7d in EVP_DecryptUpdate (ctx=ctx at entry=0x7fffd8134530,
out=out at entry=0x7fffcc003890 "", outl=outl at entry=0x7fffde1cb9c0,
    in=0x7fffc0007cf0
"[*q\353\027\r\316\321\035Ň\306=\341A7*ì\324j\341\201\301\307ޡc̉\034\322\"\361@\234oXF:,\362\001*\212\016\211\211#\206w\204\ve\006\212걭QC\034\226!\306\330v\262\004\vJ\250\264rT\030\257\272`\232\323e\263*8z\205\327\031\237*\226>\225\020\275\r\001ks\377\066\204\233\r\263\225\311",
<incomplete sequence \344>, inl=976) at evp_enc.c:423
423         if (ctx->cipher->flags & EVP_CIPH_FLAG_CUSTOM_CIPHER) {
(gdb) bt
#0  0x00007fffdeac6b7d in EVP_DecryptUpdate (ctx=ctx at entry=0x7fffd8134530,
out=out at entry=0x7fffcc003890 "", outl=outl at entry=0x7fffde1cb9c0,
    in=0x7fffc0007cf0
"[*q\353\027\r\316\321\035Ň\306=\341A7*ì\324j\341\201\301\307ޡc̉\034\322\"\361@\234oXF:,\362\001*\212\016\211\211#\206w\204\ve\006\212걭QC\034\226!\306\330v\262\004\vJ\250\264rT\030\257\272`\232\323e\263*8z\205\327\031\237*\226>\225\020\275\r\001ks\377\066\204\233\r\263\225\311",
<incomplete sequence \344>, inl=976) at evp_enc.c:423
#1  0x00007fffdf1d79d8 in decrypt_fragment (decrypted_data=0x7fffcc003890 "",
encrypted_data=<optimized out>, length=976, demux=0x7fffd81342b0) at
gsthlsdemux.c:1134
#2  gst_hls_demux_decrypt_fragment (err=0x7fffde1cb9c8,
encrypted_buffer=0x7fffc001c8f0, demux=0x7fffd81342b0) at gsthlsdemux.c:1242
#3  gst_hls_demux_data_received (demux=0x7fffd81342b0, stream=0x7fffd813b5f0,
buffer=0x7fffc001c8f0) at gsthlsdemux.c:670
#4  0x00007fffdedc35f2 in _src_chain (pad=pad at entry=0x7fffd8031480,
parent=parent at entry=0x7fffd81342b0, buffer=buffer at entry=0x7fffd8015cf0) at
gstadaptivedemux.c:2128
#5  0x00007ffff739d3b7 in gst_pad_chain_data_unchecked (data=0x7fffd8015cf0,
type=<optimized out>, pad=0x7fffd8031480) at gstpad.c:4176
#6  gst_pad_push_data (pad=pad at entry=0x8f73d0, type=type at entry=4112,
data=<optimized out>, data at entry=0x7fffd8015cf0) at gstpad.c:4428
#7  0x00007ffff73a507f in gst_pad_push (pad=pad at entry=0x8f73d0,
buffer=buffer at entry=0x7fffd8015cf0) at gstpad.c:4547
#8  0x00007ffff738e68b in gst_proxy_pad_chain_default (pad=pad at entry=0x8f9330,
parent=parent at entry=0x8f73d0, buffer=buffer at entry=0x7fffd8015cf0) at
gstghostpad.c:126
#9  0x00007ffff739d3b7 in gst_pad_chain_data_unchecked (data=0x7fffd8015cf0,
type=<optimized out>, pad=0x8f9330) at gstpad.c:4176
#10 gst_pad_push_data (pad=pad at entry=0x7fffd8031000, type=type at entry=4112,
data=<optimized out>, data at entry=0x7fffd8015cf0) at gstpad.c:4428
#11 0x00007ffff73a507f in gst_pad_push (pad=0x7fffd8031000,
buffer=buffer at entry=0x7fffd8015cf0) at gstpad.c:4547
#12 0x00007ffff51bd3a7 in gst_queue2_push_one (queue=0x7fffc800e000) at
gstqueue2.c:2824
#13 gst_queue2_loop (pad=<optimized out>) at gstqueue2.c:2946
#14 0x00007ffff73ce259 in gst_task_func (task=0xb92b90) at gsttask.c:332
#15 0x00007ffff76be664 in g_thread_pool_thread_proxy (data=<optimized out>) at
gthreadpool.c:307
#16 0x00007ffff76bdcd5 in g_thread_proxy (data=0x7fffc8002800) at gthread.c:764
#17 0x00007ffff711b052 in start_thread (arg=0x7fffde1cc700) at
pthread_create.c:309
#18 0x00007ffff6e4ec2d in clone () at
../sysdeps/unix/sysv/linux/x86_64/clone.S:111

ctx->cipher is NULL here. It's deleted immediately after creating it in
gst_hls_demux_start_fragment().

Patch attached.

-- 
You are receiving this mail because:
You are the QA Contact for the bug.
You are the assignee for the bug.

More information about the gstreamer-bugs mailing list