[Bug 797092] opusenc: segmentation fault

GStreamer (GNOME Bugzilla) bugzilla at gnome.org
Thu Sep 13 21:17:15 UTC 2018


https://bugzilla.gnome.org/show_bug.cgi?id=797092

--- Comment #8 from Marcos Kintschner <marcos.ktn at gmail.com> ---
I think the error is happening in the gst_structure_set_valist_internal
function of gststructure.c.

There's a while loop that reads the args from varargs until it finds "NULL".

while (fieldname) {
   ...
   type = va_arg (varargs, GType); // gets type
   ...
   G_VALUE_COLLECT_INIT (&field.value, type, varargs, 0, &err); // gets value
   ...
   fieldname = va_arg (varargs, gchar *); // gets next field from vargs
}

The varargs are:
va_list varargs = G_TYPE_INT, 2, "channel-mask", GST_TYPE_BITMASK, 0x0, NULL


It should read:
type = G_TYPE_INT
value = 2
fieldname = "channel-mask"
type = GST_TYPE_BITMASK
value = 0
fieldname = NULL // should end here, but that's not what's happening


Here is the memory dump from Visual Studio.

va_list varargs = G_TYPE_INT, 2, "channel-mask", GST_TYPE_BITMASK, 0x0, NULL

address of varargs = 0x00EFF924

Memory:

0x00EFF924 18 00 00 00        //ok: G_TYPE_INT == 0x18
0x00EFF928 02 00 00 00        //ok: value == (int)2
0x00EFF92C 20 d9 02 53        //ok: address of string with "channel-mask"
0x00EFF930 e0 00 00 00        //ok: GST_TYPE_BITMASK == 0xe0
0x00EFF934 00 00 00 00        //ok: 0x0 is supposed to have 4 bytes
0x00EFF938 00 00 00 00        //not ok: this should be the "NULL" field, but it is
                              //the continuation of the last value (0x0), which is being read as a gint64 (8 bytes)
0x00EFF93C b0 90 1e 00        //not ok: it skipped the NULL, then caused a va_list
                              //"overflow", got a random string at this address, then crashed at the next iteration
...
0x5302D920 63 68 61 6e 6e 65 6c 2d 6d 61 73 6b 00    //"channel-mask"
0x001E90B0 ... // random stuff


So either the GST_TYPE_BITMASK value should have 8 bytes and the va_list is not
putting the NULL value at the end, or the va_list is putting the NULL value at
the end and GST_TYPE_BITMASK should have 4 bytes.

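The mismatch the comment describes, as an added example that is not GStreamer code and not part of the original report: a walker over 32-bit stack slots modelled on the loop quoted above, fed with two constructed slot layouts (one where the caller's bitmask value occupies four bytes, as in the dump, and one where it occupies eight), plus a real va_list reader called with a correctly typed 64-bit zero. The names walk_slots, fields_before_stop, count_fields, TYPE_INT and TYPE_BITMASK are invented for the example; the type numbers and addresses are taken from the dump only as labels. The example assumes the first of the two explanations in the comment (the bitmask value is read as a 64-bit quantity).

```c
/* Added example, not GStreamer code: models the 32-bit va_list walk from the
 * bug comment. Everything below (walk_slots, count_fields, TYPE_INT,
 * TYPE_BITMASK, the slot layouts) is constructed for illustration. */
#include <stdarg.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Type numbers as they appear in the dump (G_TYPE_INT == 0x18,
 * GST_TYPE_BITMASK == 0xe0); only their values matter here. */
#define TYPE_INT     0x18u
#define TYPE_BITMASK 0xe0u

/* Strings are modelled as a non-zero 32-bit pointer token; 0 is NULL. */
#define STR_TOKEN 0x5302d920u   /* "channel-mask" address in the dump */
#define JUNK      0x001e90b0u   /* what followed the NULL slot in the dump */

#define NSLOTS(a) (sizeof(a) / sizeof((a)[0]))

enum walk_result { WALK_TERMINATED = 0, WALK_OVERRUN = 1, WALK_BAD_TYPE = 2 };

/* Walk (type, value, next-fieldname) from 32-bit stack slots the way the
 * comment describes the loop doing it: an INT value is one slot, a BITMASK
 * value is read as a 64-bit integer and consumes two. The first field name
 * is assumed to have been read already. If nfields is non-NULL it receives
 * the number of (type, value) pairs consumed before the walk stopped. */
static enum walk_result walk_slots(const uint32_t *slots, size_t nslots,
                                   size_t *nfields)
{
    size_t pos = 0, count = 0;
    uint32_t fieldname = STR_TOKEN;
    enum walk_result res = WALK_TERMINATED;

    while (fieldname != 0) {
        if (pos >= nslots) { res = WALK_OVERRUN; break; }  /* past the argument area */
        uint32_t type = slots[pos++];

        if (type == TYPE_INT) {
            if (pos + 1 > nslots) { res = WALK_OVERRUN; break; }
            pos += 1;                       /* 4-byte value: one slot */
        } else if (type == TYPE_BITMASK) {
            if (pos + 2 > nslots) { res = WALK_OVERRUN; break; }
            pos += 2;                       /* 8-byte value: two slots */
        } else {
            res = WALK_BAD_TYPE;            /* a real walker would crash here */
            break;
        }
        count++;

        if (pos >= nslots) { res = WALK_OVERRUN; break; }
        fieldname = slots[pos++];           /* next field name, or NULL */
    }
    if (nfields) *nfields = count;
    return res;
}

/* Convenience wrapper: how many fields were consumed before the walk stopped. */
static size_t fields_before_stop(const uint32_t *slots, size_t nslots)
{
    size_t n;
    (void)walk_slots(slots, nslots, &n);
    return n;
}

/* Layout from the dump: the caller pushed a 4-byte 0x0 for the bitmask,
 * then NULL, then whatever happened to be next on the stack. */
static const uint32_t bitmask_as_4_bytes[] = {
    TYPE_INT, 2, STR_TOKEN, TYPE_BITMASK, 0x0, /* NULL */ 0, JUNK
};

/* Same call with the bitmask value pushed as 8 bytes: NULL now sits where
 * the walker looks for the next field name. */
static const uint32_t bitmask_as_8_bytes[] = {
    TYPE_INT, 2, STR_TOKEN, TYPE_BITMASK, 0x0, 0x0, /* NULL */ 0
};

/* A real va_list reader with the same contract. The caller must push a
 * value of the type the callee reads: a 64-bit zero for TYPE_BITMASK, not a
 * plain 0 literal (passing the wrong type is undefined behaviour, so the
 * example never does it). Returns the field count, or -1 on unknown type. */
static int count_fields(const char *first, ...)
{
    va_list ap;
    int n = 0;
    va_start(ap, first);
    for (const char *name = first; name != NULL; name = va_arg(ap, const char *)) {
        unsigned type = va_arg(ap, unsigned);
        if (type == TYPE_INT)
            (void)va_arg(ap, int);
        else if (type == TYPE_BITMASK)
            (void)va_arg(ap, uint64_t);
        else { n = -1; break; }
        n++;
    }
    va_end(ap);
    return n;
}

int main(void)
{
    size_t n;
    enum walk_result r = walk_slots(bitmask_as_4_bytes, NSLOTS(bitmask_as_4_bytes), &n);
    printf("4-byte bitmask: result=%d fields=%zu\n", (int)r, n);   /* result=1 (overrun) */
    r = walk_slots(bitmask_as_8_bytes, NSLOTS(bitmask_as_8_bytes), &n);
    printf("8-byte bitmask: result=%d fields=%zu\n", (int)r, n);   /* result=0 (terminated) */
    printf("count_fields: %d\n",
           count_fields("channels", TYPE_INT, 2, "channel-mask", TYPE_BITMASK,
                        (uint64_t)0, (const char *)NULL));          /* 2 */
    return 0;
}
```

In the 4-byte layout the second BITMASK slot read is the caller's NULL, so the next "field name" is the junk word after it and the walk runs off the end of the argument area, matching the sequence in the dump; with the value pushed as 8 bytes the terminator is found and the loop ends after two fields.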