GNOME Bugzilla – Bug 105003
[SPIDER] Segfaults on type finding
Last modified: 2004-12-22 21:47:04 UTC
Ok, missed the first post :) Here is the info: gst-player loads several .avi divx files in its playlist. The first one plays fine but pressing next, the second one segfaults. Backtracing the problem I figured out that it's always crashing gstflxdec when typefinding ... the GST_BUFFER_DATA seems out of bounds and no sanity checks are made to access it... Let's see:

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 16386 (LWP 24222)]
flxdec_type_find (buf=0x10026350, private=0x1007bfe8) at gstflxdec.c:118
118       if ((data[4] == 0x11 || data[4] == 0x12
(gdb) print data
$1 = (guchar *) 0xffffffff <Address 0xffffffff out of bounds>
(gdb) print *(buf)
$6 = {data_type = {type = 268535768, refcount = {counter = 1, lock = 0x0}, flags = 1026,
      free = 0xfe04ba0 <gst_buffer_default_free>, copy = 0xfe04c9c <gst_buffer_default_copy>},
      data = 0xffffffff <Address 0xffffffff out of bounds>, size = 38564, maxsize = 0,
      timestamp = 18446744073709551615, offset = 0, pool = 0x0, pool_private = 0x0}
(gdb)

If buf->data can be out of bounds it's kind of dangerous to access data[n] in type finding functions without any sanity check. How to solve that?
Created attachment 14031 [details] gst-mask=-1
Moved to 0.6.x because we haven't seen this happen to nautilus-media. Need to determine if nautilus-media ever is in this situation, in addition to fixing it. flxdec can't really sanity check the pointer, because 0xffffffff is 'valid' in that NULL is the only truly invalid pointer.
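The two comments above raise the same question from both sides: the reporter asks how a typefind function should guard the `data[4]` read, and the reply points out that a dangling non-NULL pointer such as 0xffffffff cannot be distinguished from a good one. The following is an added example written for this page, not GStreamer's code and not the fix that went into 0.6.1. It uses a hypothetical `buf_t` stand-in for the two GstBuffer fields visible in the backtrace (`data`, `size`), a hypothetical minimum probe length of 6 bytes, and constructed header bytes. It shows the unchecked probe from the report next to a checked one that rejects a NULL pointer and a buffer shorter than the bytes it is about to index, and it makes the limitation explicit: a size/NULL check catches the short-buffer and unset-pointer cases, but a stale pointer with a plausible size still has to be prevented by whoever hands the buffer to the typefind function.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical stand-in for the 0.6-era GstBuffer fields the backtrace
 * shows (data, size). This is not GStreamer's real struct. */
typedef struct {
    unsigned char *data;
    size_t size;
} buf_t;

typedef enum { TF_NONE = 0, TF_FLX = 1 } tf_result;

/* Smallest buffer the probe may be handed: it reads data[4], and a real
 * FLX probe would also want data[5]. The value 6 is an assumption made
 * for this example, not a figure taken from the page or from gstflxdec. */
#define FLX_PROBE_LEN 6

/* Unchecked probe, mirroring the failing line in the report: it indexes
 * data[4] without looking at buf->data or buf->size. Kept only to contrast
 * with the checked version; with data == 0xffffffff this is the crash. */
tf_result flxdec_type_find_unchecked(const buf_t *buf) {
    const unsigned char *data = buf->data;
    if (data[4] == 0x11 || data[4] == 0x12)
        return TF_FLX;
    return TF_NONE;
}

/* Checked probe: refuses a NULL data pointer and a buffer too short to
 * contain every byte it is about to read. It cannot tell a dangling
 * non-NULL pointer from a live one, so the producer of the buffer still
 * has to guarantee that data and size describe memory that exists. */
tf_result flxdec_type_find_checked(const buf_t *buf) {
    if (buf == NULL || buf->data == NULL || buf->size < FLX_PROBE_LEN)
        return TF_NONE;
    const unsigned char *data = buf->data;
    if (data[4] == 0x11 || data[4] == 0x12)
        return TF_FLX;
    return TF_NONE;
}

/* Constructed sample inputs for this example; not bytes from the
 * reporter's files. flx_hdr has 0x12 at offset 4, avi_hdr does not. */
static unsigned char flx_hdr[] = { 0x00, 0x10, 0x00, 0x00, 0x12, 0xAF, 0x00, 0x00 };
static unsigned char avi_hdr[] = { 'R', 'I', 'F', 'F', 0x00, 0x00, 0x00, 0x00,
                                   'A', 'V', 'I', ' ' };

tf_result probe_flx_sample(void)   { buf_t b = { flx_hdr, sizeof flx_hdr }; return flxdec_type_find_checked(&b); }
tf_result probe_avi_sample(void)   { buf_t b = { avi_hdr, sizeof avi_hdr }; return flxdec_type_find_checked(&b); }
/* Same bytes, but size says only 4 are valid: reading data[4] would overrun. */
tf_result probe_short_sample(void) { buf_t b = { flx_hdr, 4 };              return flxdec_type_find_checked(&b); }
/* Mirrors the report's shape (size set, pointer unusable), with NULL standing
 * in for 0xffffffff so the example can run without faulting. */
tf_result probe_bad_pointer(void)  { buf_t b = { NULL, 38564 };             return flxdec_type_find_checked(&b); }

int main(void) {
    buf_t ok = { flx_hdr, sizeof flx_hdr };
    printf("unchecked, valid buffer : %d\n", flxdec_type_find_unchecked(&ok));
    printf("checked, flx sample     : %d\n", probe_flx_sample());
    printf("checked, avi sample     : %d\n", probe_avi_sample());
    printf("checked, short buffer   : %d\n", probe_short_sample());
    printf("checked, bad pointer    : %d\n", probe_bad_pointer());
    return 0;
}
```

The size check is the part a typefind function can own: every offset it indexes must be below `buf->size`, and the bound should be checked once up front rather than at each read. The NULL check covers an unset pointer but, as the comment above notes, not a freed or corrupted one, which is why the underlying fix has to happen in the code that fills in the buffer rather than only in the probe.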
Since all these bugs are listed as needing to be fixed in 0.6.x, they are by definition bugs in 0.6.0
Fixed in 0.6.1 and in HEAD by wtay