[Bug 774897] New: decodebin2: invalid memory read in gst_decode_chain_free_internal / g_type_check_instance_is_fundamentally_a
GStreamer (GNOME Bugzilla)
bugzilla at gnome.org
Wed Nov 23 08:57:02 UTC 2016
https://bugzilla.gnome.org/show_bug.cgi?id=774897
Bug ID: 774897
Summary: decodebin2: invalid memory read in gst_decode_chain_free_internal / g_type_check_instance_is_fundamentally_a
Classification: Platform
Product: GStreamer
Version: git master
OS: Linux
Status: NEW
Severity: normal
Priority: Normal
Component: gst-plugins-base
Assignee: gstreamer-bugs at lists.freedesktop.org
Reporter: hanno at hboeck.de
QA Contact: gstreamer-bugs at lists.freedesktop.org
GNOME version: ---
Created attachment 340583
--> https://bugzilla.gnome.org/attachment.cgi?id=340583&action=edit
poc file causing invalid memory read in decodebin2
The attached file will cause an invalid memory read in the glib function
g_type_check_instance_is_fundamentally_a. The last function in the call stack
belonging to gstreamer is gst_decode_chain_free_internal().
This only happens when G_SLICE=always-malloc is set, so test with:
G_SLICE=always-malloc gst-discoverer-1.0 [file]
You need some memory safety tool (asan/valgrind) to see this bug. Current git
code, found with afl.
ASAN stack trace:
==12328==ERROR: AddressSanitizer: SEGV on unknown address 0x000066000002 (pc
0x7f9c3d59db1d bp 0x7f9c3e4ca120 sp 0x7fffd26543b8 T0)
==12328==The signal is caused by a READ memory access.
#0 0x7f9c3d59db1c in g_type_check_instance_is_fundamentally_a
(/usr/lib64/libgobject-2.0.so.0+0x33b1c)
#1 0x7f9c3d57eb8d in g_object_ref (/usr/lib64/libgobject-2.0.so.0+0x14b8d)
#2 0x7f9c3ded8966 in gst_object_ref
/f/gstreamer/gstreamer/gst/gstobject.c:251:3
#3 0x7f9c32ad3a65 in gst_decode_chain_free_internal
/f/gstreamer/gst-plugins-base/gst/playback/gstdecodebin2.c:3398:49
#4 0x7f9c32acc5ce in gst_decode_chain_free
/f/gstreamer/gst-plugins-base/gst/playback/gstdecodebin2.c:3480:3
#5 0x7f9c32acc5ce in gst_decode_bin_dispose
/f/gstreamer/gst-plugins-base/gst/playback/gstdecodebin2.c:1118
#6 0x7f9c3d57ef04 in g_object_unref
(/usr/lib64/libgobject-2.0.so.0+0x14f04)
#7 0x7f9c3ded8bb3 in gst_object_unref
/f/gstreamer/gstreamer/gst/gstobject.c:277:3
#8 0x7f9c3def6e88 in gst_bin_remove_func
/f/gstreamer/gstreamer/gst/gstbin.c:1827:3
#9 0x7f9c3deea1d8 in gst_bin_remove
/f/gstreamer/gstreamer/gst/gstbin.c:1889:12
#10 0x7f9c32b21eb2 in remove_decoders
/f/gstreamer/gst-plugins-base/gst/playback/gsturidecodebin.c:1652:7
#11 0x7f9c32b1a8ab in gst_uri_decode_bin_change_state
/f/gstreamer/gst-plugins-base/gst/playback/gsturidecodebin.c:2786:7
#12 0x7f9c3df90864 in gst_element_change_state
/f/gstreamer/gstreamer/gst/gstelement.c:2737:11
#13 0x7f9c3df9692f in gst_element_set_state_func
/f/gstreamer/gstreamer/gst/gstelement.c:2691:9
#14 0x7f9c3df8f0c1 in gst_element_set_state
/f/gstreamer/gstreamer/gst/gstelement.c:2592:14
#15 0x7f9c3deeeb3c in gst_bin_element_set_state
/f/gstreamer/gstreamer/gst/gstbin.c:2613:9
#16 0x7f9c3deeeb3c in gst_bin_change_state_func
/f/gstreamer/gstreamer/gst/gstbin.c:2955
#17 0x7f9c3e025466 in gst_pipeline_change_state
/f/gstreamer/gstreamer/gst/gstpipeline.c:499:12
#18 0x7f9c3df90864 in gst_element_change_state
/f/gstreamer/gstreamer/gst/gstelement.c:2737:11
#19 0x7f9c3df9692f in gst_element_set_state_func
/f/gstreamer/gstreamer/gst/gstelement.c:2691:9
#20 0x7f9c3df8f0c1 in gst_element_set_state
/f/gstreamer/gstreamer/gst/gstelement.c:2592:14
#21 0x7f9c3f56fdee in discoverer_cleanup
/f/gstreamer/gst-plugins-base/gst-libs/gst/pbutils/gstdiscoverer.c:1531:5
#22 0x7f9c3f56e0fe in gst_discoverer_discover_uri
/f/gstreamer/gst-plugins-base/gst-libs/gst/pbutils/gstdiscoverer.c:2148:3
#23 0x50cd84 in process_file
/f/gstreamer/gst-plugins-base/tools/gst-discoverer.c:499:12
#24 0x50c61e in main
/f/gstreamer/gst-plugins-base/tools/gst-discoverer.c:587:7
#25 0x7f9c3c7af78f in __libc_start_main (/lib64/libc.so.6+0x2078f)
#26 0x41ba28 in _start (/usr/bin/gst-discoverer-1.0+0x41ba28)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/usr/lib64/libgobject-2.0.so.0+0x33b1c) in
g_type_check_instance_is_fundamentally_a