[Bug 774897] New: decodebin2: invalid memory read in gst_decode_chain_free_internal / g_type_check_instance_is_fundamentally_a

GStreamer (GNOME Bugzilla) bugzilla at gnome.org
Wed Nov 23 08:57:02 UTC 2016


https://bugzilla.gnome.org/show_bug.cgi?id=774897

            Bug ID: 774897
           Summary: decodebin2: invalid memory read in
                    gst_decode_chain_free_internal /
                    g_type_check_instance_is_fundamentally_a
    Classification: Platform
           Product: GStreamer
           Version: git master
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: Normal
         Component: gst-plugins-base
          Assignee: gstreamer-bugs at lists.freedesktop.org
          Reporter: hanno at hboeck.de
        QA Contact: gstreamer-bugs at lists.freedesktop.org
     GNOME version: ---

Created attachment 340583
  --> https://bugzilla.gnome.org/attachment.cgi?id=340583&action=edit
poc file causing invalid memory read in decodebin2

The attached file will cause an invalid memory read in the glib function
g_type_check_instance_is_fundamentally_a. The last function in the call stack
belonging to gstreamer is gst_decode_chain_free_internal().

This only happens when G_SLICE=always-malloc is set, so test with:
G_SLICE=always-malloc gst-discoverer-1.0 [file]
You need some memory safety tool (asan/valgrind) to see this bug. Current git
code, found with afl.

ASAN stack trace:
==12328==ERROR: AddressSanitizer: SEGV on unknown address 0x000066000002 (pc 0x7f9c3d59db1d bp 0x7f9c3e4ca120 sp 0x7fffd26543b8 T0)
==12328==The signal is caused by a READ memory access.
    #0 0x7f9c3d59db1c in g_type_check_instance_is_fundamentally_a (/usr/lib64/libgobject-2.0.so.0+0x33b1c)
    #1 0x7f9c3d57eb8d in g_object_ref (/usr/lib64/libgobject-2.0.so.0+0x14b8d)
    #2 0x7f9c3ded8966 in gst_object_ref /f/gstreamer/gstreamer/gst/gstobject.c:251:3
    #3 0x7f9c32ad3a65 in gst_decode_chain_free_internal /f/gstreamer/gst-plugins-base/gst/playback/gstdecodebin2.c:3398:49
    #4 0x7f9c32acc5ce in gst_decode_chain_free /f/gstreamer/gst-plugins-base/gst/playback/gstdecodebin2.c:3480:3
    #5 0x7f9c32acc5ce in gst_decode_bin_dispose /f/gstreamer/gst-plugins-base/gst/playback/gstdecodebin2.c:1118
    #6 0x7f9c3d57ef04 in g_object_unref (/usr/lib64/libgobject-2.0.so.0+0x14f04)
    #7 0x7f9c3ded8bb3 in gst_object_unref /f/gstreamer/gstreamer/gst/gstobject.c:277:3
    #8 0x7f9c3def6e88 in gst_bin_remove_func /f/gstreamer/gstreamer/gst/gstbin.c:1827:3
    #9 0x7f9c3deea1d8 in gst_bin_remove /f/gstreamer/gstreamer/gst/gstbin.c:1889:12
    #10 0x7f9c32b21eb2 in remove_decoders /f/gstreamer/gst-plugins-base/gst/playback/gsturidecodebin.c:1652:7
    #11 0x7f9c32b1a8ab in gst_uri_decode_bin_change_state /f/gstreamer/gst-plugins-base/gst/playback/gsturidecodebin.c:2786:7
    #12 0x7f9c3df90864 in gst_element_change_state /f/gstreamer/gstreamer/gst/gstelement.c:2737:11
    #13 0x7f9c3df9692f in gst_element_set_state_func /f/gstreamer/gstreamer/gst/gstelement.c:2691:9
    #14 0x7f9c3df8f0c1 in gst_element_set_state /f/gstreamer/gstreamer/gst/gstelement.c:2592:14
    #15 0x7f9c3deeeb3c in gst_bin_element_set_state /f/gstreamer/gstreamer/gst/gstbin.c:2613:9
    #16 0x7f9c3deeeb3c in gst_bin_change_state_func /f/gstreamer/gstreamer/gst/gstbin.c:2955
    #17 0x7f9c3e025466 in gst_pipeline_change_state /f/gstreamer/gstreamer/gst/gstpipeline.c:499:12
    #18 0x7f9c3df90864 in gst_element_change_state /f/gstreamer/gstreamer/gst/gstelement.c:2737:11
    #19 0x7f9c3df9692f in gst_element_set_state_func /f/gstreamer/gstreamer/gst/gstelement.c:2691:9
    #20 0x7f9c3df8f0c1 in gst_element_set_state /f/gstreamer/gstreamer/gst/gstelement.c:2592:14
    #21 0x7f9c3f56fdee in discoverer_cleanup /f/gstreamer/gst-plugins-base/gst-libs/gst/pbutils/gstdiscoverer.c:1531:5
    #22 0x7f9c3f56e0fe in gst_discoverer_discover_uri /f/gstreamer/gst-plugins-base/gst-libs/gst/pbutils/gstdiscoverer.c:2148:3
    #23 0x50cd84 in process_file /f/gstreamer/gst-plugins-base/tools/gst-discoverer.c:499:12
    #24 0x50c61e in main /f/gstreamer/gst-plugins-base/tools/gst-discoverer.c:587:7
    #25 0x7f9c3c7af78f in __libc_start_main (/lib64/libc.so.6+0x2078f)
    #26 0x41ba28 in _start (/usr/bin/gst-discoverer-1.0+0x41ba28)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/usr/lib64/libgobject-2.0.so.0+0x33b1c) in g_type_check_instance_is_fundamentally_a

-- 
You are receiving this mail because:
You are the QA Contact for the bug.
You are the assignee for the bug.
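The reproduction recipe in the report (G_SLICE=always-malloc plus ASAN or valgrind) is what turns a directory of afl findings into a bucketed list. GSlice keeps its own free lists, so a read from a freed GObject normally lands in memory the tools still consider live; always-malloc routes every allocation through malloc, which is why this failure is only visible with it set. The script below is an added example, not code from the report or from GStreamer: it runs each input under that recipe, classifies the tool output and buckets by the innermost frame inside the GStreamer source tree. GST_BIN, GST_SRC_PREFIX, MEMCHECK and REPRO_TIMEOUT are assumed names for the instrumented binary, its source prefix, the tool choice and a per-file timeout; the embedded sample log is a trimmed, unwrapped copy of the report's trace, constructed for an offline check of the helpers.

```shell
#!/usr/bin/env bash
# Triage harness for afl findings of this kind (added example, not part of the
# report or of GStreamer). Each crash file is run through gst-discoverer-1.0 as
# the report describes, with G_SLICE=always-malloc so GSlice's free lists do not
# recycle freed GObjects behind ASAN/valgrind's back, and the result is bucketed
# by the innermost stack frame inside the GStreamer source tree.
# Assumptions: GST_BIN is an ASAN-instrumented build (or MEMCHECK=valgrind is
# set) and GST_SRC_PREFIX matches the source path in the build's debug info.

GST_BIN="${GST_BIN:-gst-discoverer-1.0}"
GST_SRC_PREFIX="${GST_SRC_PREFIX:-/f/gstreamer/gst-plugins-base/}"  # prefix seen in the report's trace

# classify_sanitizer_log LOG -> asan-segv | asan-error | valgrind-invalid-read | valgrind-error | clean
classify_sanitizer_log() {
  local log="$1"
  if grep -q 'AddressSanitizer: SEGV' "$log"; then
    echo asan-segv
  elif grep -q '^==[0-9]*==ERROR: AddressSanitizer' "$log"; then
    echo asan-error
  elif grep -q 'Invalid read of size' "$log"; then
    echo valgrind-invalid-read
  elif grep -q 'ERROR SUMMARY: [1-9]' "$log"; then
    echo valgrind-error
  else
    echo clean
  fi
}

# first_project_frame LOG [PREFIX] -> function name of the innermost ASAN frame
# whose source location starts with PREFIX (default GST_SRC_PREFIX), or "unknown".
# Frames look like "#3 0x... in FUNC /path/file.c:LINE:COL"; a trace wrapped by a
# mail client may carry the path on the following line, so both forms are handled.
first_project_frame() {
  local log="$1" prefix="${2:-$GST_SRC_PREFIX}"
  awk -v prefix="$prefix" '
    function starts(s) { return index(s, prefix) == 1 }
    /^ *#[0-9]+ 0x[0-9a-fA-F]+ in / {
      fn = $4
      pending = (NF < 5)                       # location missing: check the next line
      if (NF >= 5 && starts($5)) { print fn; found = 1; exit }
      next
    }
    pending && starts($1) { print fn; found = 1; exit }
    { pending = 0 }
    END { if (!found) print "unknown" }
  ' "$log"
}

# run_repro FILE LOG -> runs the reproducer the way the report describes and
# prints the classification of what the memory checker reported.
run_repro() {
  local file="$1" log="$2"
  if [ "${MEMCHECK:-asan}" = valgrind ]; then
    G_SLICE=always-malloc timeout "${REPRO_TIMEOUT:-120}" \
      valgrind --error-exitcode=99 "$GST_BIN" "$file" >/dev/null 2>"$log" || true
  else
    # detect_leaks=0: leak reports would otherwise mark every input as an error
    G_SLICE=always-malloc ASAN_OPTIONS="detect_leaks=0:${ASAN_OPTIONS:-}" \
      timeout "${REPRO_TIMEOUT:-120}" "$GST_BIN" "$file" >/dev/null 2>"$log" || true
  fi
  classify_sanitizer_log "$log"
}

# triage_dir CRASHDIR OUTDIR -> one log per input plus a sorted summary.tsv of
# "classification <tab> first project frame <tab> file", so duplicates line up.
triage_dir() {
  local dir="$1" out="$2" f log cls frame
  mkdir -p "$out"
  for f in "$dir"/*; do
    [ -f "$f" ] || continue
    log="$out/$(basename "$f").log"
    cls=$(run_repro "$f" "$log")
    frame=$(first_project_frame "$log")
    printf '%s\t%s\t%s\n' "$cls" "$frame" "$f"
  done | sort | tee "$out/summary.tsv"
}

# write_sample_log PATH: constructed sample, a trimmed copy of the report's ASAN
# trace with the mail wrapping undone, for checking the helpers offline.
write_sample_log() {
  cat > "$1" <<'EOF'
==12328==ERROR: AddressSanitizer: SEGV on unknown address 0x000066000002 (pc 0x7f9c3d59db1d bp 0x7f9c3e4ca120 sp 0x7fffd26543b8 T0)
==12328==The signal is caused by a READ memory access.
    #0 0x7f9c3d59db1c in g_type_check_instance_is_fundamentally_a (/usr/lib64/libgobject-2.0.so.0+0x33b1c)
    #1 0x7f9c3d57eb8d in g_object_ref (/usr/lib64/libgobject-2.0.so.0+0x14b8d)
    #2 0x7f9c3ded8966 in gst_object_ref /f/gstreamer/gstreamer/gst/gstobject.c:251:3
    #3 0x7f9c32ad3a65 in gst_decode_chain_free_internal /f/gstreamer/gst-plugins-base/gst/playback/gstdecodebin2.c:3398:49
SUMMARY: AddressSanitizer: SEGV (/usr/lib64/libgobject-2.0.so.0+0x33b1c) in g_type_check_instance_is_fundamentally_a
EOF
}

# Usage: ./triage.sh crashes/ out/
if [ "$#" -ge 2 ]; then
  triage_dir "$1" "$2"
fi
```

Bucketing on the gst-plugins-base prefix groups this finding under gst_decode_chain_free_internal, the frame the report keys on; widening GST_SRC_PREFIX to /f/gstreamer/ would instead report gst_object_ref, the innermost core frame, which merges unrelated use-after-free paths into one bucket. Note that ASAN only reports the first bad access, so a SEGV here can still hide an earlier, silent invalid read.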

