GNOME Bugzilla – Bug 172281
Buffer overflows in gstspeed
Last modified: 2005-04-02 08:18:00 UTC
Steps to reproduce:
1. Occurs randomly when setting the speed to a value greater than about 3.0

Stack trace:
$ valgrind gst-launch-0.8 filesrc location=foo.ogg ! spider ! speed speed=4
==10946== Memcheck, a memory error detector for x86-linux.
==10946== Copyright (C) 2002-2005, and GNU GPL'd, by Julian Seward et al.
==10946== Using valgrind-2.4.0, a program supervision framework for x86-linux.
==10946== Copyright (C) 2000-2005, and GNU GPL'd, by Julian Seward et al.
==10946== For more details, rerun with: -v
==10946==
RUNNING pipeline ...
==10946== Invalid write of size 4
==10946==    at 0x1B914898: speed_chain_float32 (gstspeed.c:352)
==10946==    by 0x1B9141E6: speed_chain (gstspeed.c:418)
==10946==    by 0x1B95A680: gst_pad_call_chain_function (in /usr/lib/libgstreamer-0.8.so.1.4.0)
==10946==    by 0x1B957604: gst_pad_push (in /usr/lib/libgstreamer-0.8.so.1.4.0)
==10946==    by 0x1C3B16EA: (within /usr/lib/gstreamer-0.8/libgstspider.so)
==10946==    by 0x1C3B24C7: (within /usr/lib/gstreamer-0.8/libgstspider.so)
==10946==    by 0x1C3BBB33: (within /usr/lib/gstreamer-0.8/libgstoptscheduler.so)
==10946==    by 0x1C3BAF92: (within /usr/lib/gstreamer-0.8/libgstoptscheduler.so)
==10946==    by 0x1C3BB277: (within /usr/lib/gstreamer-0.8/libgstoptscheduler.so)
==10946==    by 0x1C3BB3F6: (within /usr/lib/gstreamer-0.8/libgstoptscheduler.so)
==10946==    by 0x1C3BF74E: (within /usr/lib/gstreamer-0.8/libgstoptscheduler.so)
==10946==    by 0x1B965178: gst_scheduler_iterate (in /usr/lib/libgstreamer-0.8.so.1.4.0)
==10946==  Address 0x1BE25F24 is 2044 bytes inside a block of size 2046 alloc'd
==10946==    at 0x1B90459D: malloc (vg_replace_malloc.c:130)
==10946==    by 0x1BC3FA46: g_malloc (in /usr/lib/libglib-2.0.so.0.600.3)
==10946==    by 0x1B93867B: gst_buffer_new_and_alloc (in /usr/lib/libgstreamer-0.8.so.1.4.0)
==10946==    by 0x1B95638A: gst_pad_alloc_buffer (in /usr/lib/libgstreamer-0.8.so.1.4.0)
==10946==    by 0x1B914149: speed_chain (gstspeed.c:408)
==10946==    by 0x1B95A680: gst_pad_call_chain_function (in /usr/lib/libgstreamer-0.8.so.1.4.0)
==10946==    by 0x1B957604: gst_pad_push (in /usr/lib/libgstreamer-0.8.so.1.4.0)
==10946==    by 0x1C3B16EA: (within /usr/lib/gstreamer-0.8/libgstspider.so)
==10946==    by 0x1C3B24C7: (within /usr/lib/gstreamer-0.8/libgstspider.so)
==10946==    by 0x1C3BBB33: (within /usr/lib/gstreamer-0.8/libgstoptscheduler.so)
==10946==    by 0x1C3BAF92: (within /usr/lib/gstreamer-0.8/libgstoptscheduler.so)
==10946==    by 0x1C3BB277: (within /usr/lib/gstreamer-0.8/libgstoptscheduler.so)
Execution ended after 16629 iterations (sum 274290931000 ns, average 16494733 ns, min 877000 ns, max 1544243000 ns).

Other information:
On my system, gstspeed.c:352 corresponds to the line:
out_data[j * filter->channels] = lower * (1 - interp) + in_data[i * filter->channels] * interp;
the output is correctly ceil()'ed (line 407), but not aligned to sample size (filter->samplesize). So you'd need to change line 407 in:
out_size = ceil ((gfloat) (GST_BUFFER_SIZE (in_buf) + filter->sample_size - 1) * filter->sample_size / (filter->speed * filter->sample_size));
Of course, that should be:
out_size = (filter->sample_size * (filter->sample_size + 1 + ceil ((gfloat) GST_BUFFER_SIZE (in_buf) / filter->speed))) / filter->sample_size;
(please let me know if that fixes it, so I can apply the patch and close this.)
Yes, that appears to fix it.
Applied, thanks for reporting.