[Bug 793500] New: theora_parse_chain segfaults on zero length buffer (gsttheoraparse.c)

GStreamer (GNOME Bugzilla) bugzilla at gnome.org
Fri Feb 16 00:18:03 UTC 2018


https://bugzilla.gnome.org/show_bug.cgi?id=793500

            Bug ID: 793500
           Summary: theora_parse_chain segfaults on zero length buffer
                    (gsttheoraparse.c)
    Classification: Platform
           Product: GStreamer
           Version: 1.12.4
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: Normal
         Component: gst-plugins-base
          Assignee: gstreamer-bugs at lists.freedesktop.org
          Reporter: gnomebugz at verge.info.tm
        QA Contact: gstreamer-bugs at lists.freedesktop.org
     GNOME version: ---

I'm not sure why gst_pad_push_data is pushing an empty 0-length buffer to
theora_parse_chain, but the latter fails to deal with it properly, segfaulting
instead of ignoring it, or erroring out. theora_parse_chain calls
gst_buffer_map without checking the return value, then tries to access
map.data[0] without checking whether map.data is NULL.

gst_buffer_map itself returns FALSE when the buffer's length is zero (in
g_return_val_if_fail) and then checks again for some reason, zeroing out the
GstMapInfo structure if the buffer's length is zero, then returning TRUE. I'm
not sure if the second code branch is ever reached under any circumstances, but
it'd probably be good to check if mem.data is NULL, even if gst_buffer_map
returns TRUE.

-- 
You are receiving this mail because:
You are the QA Contact for the bug.
You are the assignee for the bug.
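Added example, not GStreamer's own code: it models the mapping pattern the report describes with minimal stand-in types (`Buffer`, `MapInfo`, `buffer_map` and the packet-class enum are hypothetical names chosen here so the snippet compiles without gstreamer headers). The stand-in `buffer_map` reproduces the behaviour the reporter mentions, where a zero-length buffer yields a zeroed map but still reports success, and the hardened chain function checks the return value, the data pointer and the size before indexing `data[0]`, turning the crash into an ignored buffer or a propagated error.

```c
/* Added example (not GStreamer code): models the buffer-mapping pattern the
 * report describes with minimal stand-in types so it compiles without
 * gstreamer headers. Type and function names here are hypothetical. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef struct {
    const uint8_t *data;   /* NULL when nothing was mapped */
    size_t         size;
} MapInfo;

typedef struct {
    const uint8_t *mem;
    size_t         len;
} Buffer;

typedef enum {
    PKT_DATA       = 0,   /* normal video packet */
    PKT_HEADER     = 1,   /* Theora header packet */
    PKT_EMPTY      = -1,  /* zero-length buffer: ignore it, never index data[0] */
    PKT_MAP_FAILED = -2   /* mapping refused: propagate an error upstream */
} PacketClass;

/* Stand-in for gst_buffer_map with the behaviour the reporter describes: a
 * zero-length buffer yields a zeroed MapInfo (data == NULL, size == 0) and
 * still reports success, so a TRUE return alone does not make data[0] safe. */
static bool buffer_map(const Buffer *buf, MapInfo *map)
{
    map->data = NULL;
    map->size = 0;
    if (buf == NULL)
        return false;
    if (buf->len == 0)
        return true;          /* "success" with nothing mapped */
    if (buf->mem == NULL)
        return false;         /* inconsistent buffer: refuse to map */
    map->data = buf->mem;
    map->size = buf->len;
    return true;
}

/* Hardened version of the first-byte inspection: check the map result, the
 * data pointer and the size before touching data[0]. Theora marks header
 * packets by setting the high bit of the packet's first byte. */
PacketClass theora_classify_packet(const Buffer *buf)
{
    MapInfo map;
    if (!buffer_map(buf, &map))
        return PKT_MAP_FAILED;
    if (map.data == NULL || map.size == 0)
        return PKT_EMPTY;
    return (map.data[0] & 0x80) ? PKT_HEADER : PKT_DATA;
}

/* Constructed sample packets (not captured from a real stream). */
static const uint8_t k_header_pkt[] = { 0x80, 't', 'h', 'e', 'o', 'r', 'a' };
static const uint8_t k_video_pkt[]  = { 0x00, 0x12, 0x34 };

PacketClass demo_header_packet(void)
{
    Buffer b = { k_header_pkt, sizeof k_header_pkt };
    return theora_classify_packet(&b);
}

PacketClass demo_video_packet(void)
{
    Buffer b = { k_video_pkt, sizeof k_video_pkt };
    return theora_classify_packet(&b);
}

PacketClass demo_zero_length(void)
{
    Buffer b = { NULL, 0 };   /* the case from the report */
    return theora_classify_packet(&b);
}

PacketClass demo_bad_buffer(void)
{
    Buffer b = { NULL, 4 };   /* length claims data but none is attached */
    return theora_classify_packet(&b);
}

int main(void)
{
    printf("header packet -> %d\n", demo_header_packet());
    printf("video packet  -> %d\n", demo_video_packet());
    printf("zero length   -> %d\n", demo_zero_length());
    printf("bad buffer    -> %d\n", demo_bad_buffer());
    return 0;
}
```

The two negative results are deliberately distinct: a zero-length buffer is a condition the element can simply drop, whereas a refused mapping is something the caller should surface as an error rather than silently continue past.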
