[Bug 793500] New: theora_parse_chain segfaults on zero length buffer (gsttheoraparse.c)
GStreamer (GNOME Bugzilla)
bugzilla at gnome.org
Fri Feb 16 00:18:03 UTC 2018
https://bugzilla.gnome.org/show_bug.cgi?id=793500
Bug ID: 793500
Summary: theora_parse_chain segfaults on zero length buffer (gsttheoraparse.c)
Classification: Platform
Product: GStreamer
Version: 1.12.4
OS: Linux
Status: NEW
Severity: normal
Priority: Normal
Component: gst-plugins-base
Assignee: gstreamer-bugs at lists.freedesktop.org
Reporter: gnomebugz at verge.info.tm
QA Contact: gstreamer-bugs at lists.freedesktop.org
GNOME version: ---
I'm not sure why gst_pad_push_data is pushing an empty 0-length buffer to
theora_parse_chain, but the latter fails to deal with it properly, segfaulting
instead of ignoring it, or erroring out. theora_parse_chain calls
gst_buffer_map without checking the return value, then tries to access
map.data[0] without checking whether map.data is NULL.
gst_buffer_map itself returns FALSE when the buffer's length is zero (in
g_return_val_if_fail) and then checks again for some reason, zeroing out the
GstMapInfo structure if the buffer's length is zero, then returning TRUE. I'm
not sure if the second code branch is ever reached under any circumstances, but
it'd probably be good to check if mem.data is NULL, even if gst_buffer_map
returns TRUE.
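The defensive pattern the report asks for, written out as an added example (this is not code from gsttheoraparse.c or from GStreamer). It builds without the library by using stand-in Buffer/MapInfo types and a stand-in buffer_map() that reproduces the empty-buffer behaviour the report describes (zeroed map info, data == NULL, TRUE returned); those stand-ins and the packet classifier are assumptions for illustration. The 0x80 header-bit test is the Theora packet-type convention (header packets have the top bit of the first byte set).

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stand-ins for GstBuffer and GstMapInfo (assumption: the real GStreamer
 * types are not used here, so this file builds without the library). */
typedef struct { const uint8_t *mem; size_t size; } Buffer;
typedef struct { const uint8_t *data; size_t size; } MapInfo;

/* Stand-in for gst_buffer_map() (assumption, not the real function) that
 * mirrors the empty-buffer behaviour described in the report: the map info
 * is zeroed (data == NULL, size == 0) and the call still returns TRUE.
 * A NULL buffer returns FALSE, like a failed g_return_val_if_fail(). */
static bool buffer_map(const Buffer *buf, MapInfo *map)
{
    memset(map, 0, sizeof *map);
    if (buf == NULL)
        return false;
    if (buf->size == 0 || buf->mem == NULL)
        return true;            /* "succeeds", but map->data stays NULL */
    map->data = buf->mem;
    map->size = buf->size;
    return true;
}

enum packet_kind { PKT_UNMAPPABLE, PKT_EMPTY, PKT_HEADER, PKT_DATA };

/* The pattern the report describes: map, then read map.data[0] without
 * checking the return value or map.data. An empty buffer dereferences NULL. */
static enum packet_kind classify_packet_unchecked(const Buffer *buf)
{
    MapInfo map;
    buffer_map(buf, &map);
    /* Theora: header packets have the top bit of the first byte set. */
    return (map.data[0] & 0x80) ? PKT_HEADER : PKT_DATA;
}

/* Hardened form: check the return value, and independently check that the
 * mapping covers at least one byte before indexing into it, because the
 * two conditions are not equivalent. */
static enum packet_kind classify_packet(const Buffer *buf)
{
    MapInfo map;
    if (!buffer_map(buf, &map))
        return PKT_UNMAPPABLE;  /* caller should error out */
    if (map.data == NULL || map.size == 0)
        return PKT_EMPTY;       /* caller drops the buffer, no dereference */
    return (map.data[0] & 0x80) ? PKT_HEADER : PKT_DATA;
}

int main(void)
{
    /* Constructed sample packets, not captured from a real stream. */
    static const uint8_t ident[] = { 0x80, 't', 'h', 'e', 'o', 'r', 'a' };
    static const uint8_t frame[] = { 0x00, 0x12, 0x34 };
    const Buffer header = { ident, sizeof ident };
    const Buffer data   = { frame, sizeof frame };
    const Buffer empty  = { NULL, 0 };

    printf("header (unchecked) -> %d\n", classify_packet_unchecked(&header));
    printf("header             -> %d\n", classify_packet(&header));
    printf("data               -> %d\n", classify_packet(&data));
    printf("empty              -> %d\n", classify_packet(&empty));
    /* classify_packet_unchecked(&empty) would segfault here. */
    return 0;
}
```

In real GStreamer code every successful gst_buffer_map() must be paired with gst_buffer_unmap() on all paths, including the early returns above; the stand-in omits that to stay short. Checking map.size rather than only map.data is what keeps the check honest if a future change makes the map call return a non-NULL pointer with a zero length.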