[Bug 784486] New: Seeking on imagefreeze causes use after free of the event.
GStreamer (GNOME Bugzilla)
bugzilla at gnome.org
Mon Jul 3 18:42:09 UTC 2017
https://bugzilla.gnome.org/show_bug.cgi?id=784486
Bug ID: 784486
Summary: Seeking on imagefreeze causes use after free of the event.
Classification: Platform
Product: GStreamer
Version: 1.10.5
OS: Linux
Status: NEW
Severity: normal
Priority: Normal
Component: gst-plugins-good
Assignee: gstreamer-bugs at lists.freedesktop.org
Reporter: jkelleyy at gmail.com
QA Contact: gstreamer-bugs at lists.freedesktop.org
GNOME version: ---
Created attachment 354851
--> https://bugzilla.gnome.org/attachment.cgi?id=354851&action=edit
Code for reproducing the bug
Trying to seek on the imagefreeze element directly causes the following
assertion:
(a.out:6575): GStreamer-CRITICAL **: gst_event_get_seqnum: assertion 'GST_IS_EVENT (event)' failed
To reproduce, compile and run the attached file. It needs a png file called
test.png in the working directory.
I'm running 1.10.5 on Gentoo.
Running with G_DEBUG=fatal-warnings and gdb, I get the following stack trace:
#0 0x00007ffff7b02f64 in _g_log_abort () from /usr/lib64/libglib-2.0.so.0
#1 0x00007ffff7b0461d in g_logv () from /usr/lib64/libglib-2.0.so.0
#2 0x00007ffff7b0478b in g_log () from /usr/lib64/libglib-2.0.so.0
#3 0x00007ffff77ba401 in gst_event_get_seqnum () from /usr/lib64/libgstreamer-1.0.so.0
#4 0x00007ffff3e7d49a in gst_image_freeze_src_event (pad=0x555555920de0, parent=0x555555945000, event=0x55555594c0a0) at /var/tmp/portage/media-libs/gst-plugins-good-1.10.5/work/gst-plugins-good-1.10.5/gst/imagefreeze/gstimagefreeze.c:608
#5 0x00007ffff77d22a7 in gst_pad_send_event_unchecked () from /usr/lib64/libgstreamer-1.0.so.0
#6 0x00007ffff77ddc89 in gst_pad_send_event () from /usr/lib64/libgstreamer-1.0.so.0
#7 0x00007ffff77b00c9 in gst_element_default_send_event () from /usr/lib64/libgstreamer-1.0.so.0
#8 0x00007ffff77b46e9 in gst_element_send_event () from /usr/lib64/libgstreamer-1.0.so.0
#9 0x0000555555555447 in main (argc=1, argv=0x7fffffffde78) at bug.c:72
Looking at the source, it seems that the cause of this is that a few lines prior
to gst_event_get_seqnum getting called, gst_event_unref is called. Presumably
gst_event_get_seqnum should occur before the unref.
Seeking on a bin containing imagefreeze "fixes" the issue, presumably because
the bin keeps its own reference to the event.
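The ordering described in the report, modelled in self-contained C as an added example (not the attached reproducer and not GStreamer code). The Event struct, the static pool and every function name are hypothetical stand-ins; "free" only poisons a pool slot, so the stale read can be observed safely, and the holder case models the report's guess about why seeking on a bin hides the problem.

```c
/* Toy model, not GStreamer code: events live in a static pool and "free" only
 * poisons the slot, so a stale pointer can be inspected without real UB. */
#include <stdint.h>
#include <stdio.h>
#define EVENT_MAGIC 0x45564e54u   /* constructed type tag */
#define SEQNUM_INVALID 0u         /* returned when the type check fails */
typedef struct { uint32_t magic; int refcount; uint32_t seqnum; } Event;
static Event pool[4];
static Event *event_new(uint32_t seqnum) {
    for (int i = 0; i < 4; i++)
        if (pool[i].magic != EVENT_MAGIC) {
            pool[i] = (Event){ EVENT_MAGIC, 1, seqnum };
            return &pool[i];
        }
    return NULL;   /* pool exhausted; not reached in this example */
}
static Event *event_ref(Event *e) { e->refcount++; return e; }
static void event_unref(Event *e) {
    if (--e->refcount == 0) { e->magic = 0; e->seqnum = 0xdeadbeefu; }  /* "freed" */
}
/* Type-checked getter: rejects a pointer that no longer refers to a live event. */
static uint32_t event_get_seqnum(const Event *e) {
    return e->magic == EVENT_MAGIC ? e->seqnum : SEQNUM_INVALID;
}
/* Ordering from the report: drop the handler's reference, then read the event. */
static uint32_t handle_unref_first(Event *e) {
    event_unref(e);
    return event_get_seqnum(e);   /* stale if that was the last reference */
}
/* Reordered: copy the field while the reference is still held. */
static uint32_t handle_read_first(Event *e) {
    uint32_t seqnum = event_get_seqnum(e);
    event_unref(e);
    return seqnum;
}
/* Direct send: the handler receives the only reference. */
static uint32_t send_direct(uint32_t (*h)(Event *), uint32_t s) { return h(event_new(s)); }
/* Send through a holder that keeps its own reference across the call. */
static uint32_t send_via_holder(uint32_t (*h)(Event *), uint32_t s) {
    Event *e = event_new(s);
    uint32_t got = h(event_ref(e));
    event_unref(e);
    return got;
}
int main(void) {
    printf("direct, unref first: %u\n", (unsigned)send_direct(handle_unref_first, 42));
    printf("direct, read first:  %u\n", (unsigned)send_direct(handle_read_first, 42));
    printf("holder, unref first: %u\n", (unsigned)send_via_holder(handle_unref_first, 42));
    return 0;
}
```

In real code the stale read is undefined behaviour rather than a clean failure value; building the reproducer with AddressSanitizer or running it under Valgrind reports the freed access directly.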