After an evaluation, GNOME has moved from Bugzilla to GitLab. Learn more about GitLab.
No new issues can be reported in GNOME Bugzilla anymore.
To report an issue in a GNOME project, go to GNOME GitLab.
Do not go to GNOME Gitlab for: Bluefish, Doxygen, GnuCash, GStreamer, java-gnome, LDTP, NetworkManager, Tomboy.
Bug 331543 - crash on iTunes MPEG v4 AAC-LC files
crash on iTunes MPEG v4 AAC-LC files
Status: RESOLVED FIXED
Product: GStreamer
Classification: Platform
Component: gst-plugins-bad
0.10.0
Other All
: Normal critical
: 0.10.1
Assigned To: GStreamer Maintainers
GStreamer Maintainers
Depends on:
Blocks:
 
 
Reported: 2006-02-17 13:08 UTC by Stanislav Brabec
Modified: 2006-02-17 16:32 UTC
See Also:
GNOME target: ---
GNOME version: 2.11/2.12

Attachments
file_cut.m4a (9.77 KB, audio/mp4)
2006-02-17 15:57 UTC, Stanislav Brabec 		  Details
Check returned buffer's length (840 bytes, patch)
2006-02-17 16:22 UTC, Edward Hervey 		accepted-commit_now Details | Review

Description Stanislav Brabec 2006-02-17 13:08:35 UTC 
Steps to reproduce:
Any GStreamer based player crashes immediately while trying to play iTunes
AAC-LC file. Tested on gstreamer010-0.10.2 and gstreamer-0.8.11 on SuSE Linux
10.1 beta4 for AMD64.

sbrabec@hammer:~> file file.m4a
06 The Promise.m4a: ISO Media, MPEG v4 system, iTunes AAC-LC
sbrabec@hammer:~> gst-launch-0.10 filesrc location=file.m4a ! decodebin !
audioconvert !  audioresample ! alsasink
Setting pipeline to PAUSED ...
Pipeline is PREROLLING ...
Segmentation fault
sbrabec@hammer:~> gst-launch-0.8 filesrc location=file.m4a ! spider !
audioconvert ! audioresample ! alsasink
WARNING: erroneous pipeline: no element "audioresample"
         Trying to run anyway.
RUNNING pipeline ...
Segmentation fault

Note that after doing head -c 10000 on this file, the crash changes to SIGBUS.

Stack trace:

+ Trace 66267

  • #0 qtdemux_parse_trak
    at qtdemux.c line 2201
  • #1 gst_qtdemux_loop_header
    at qtdemux.c line 1834
  • #2 gst_task_func
    at gsttask.c line 186
  • #3 g_thread_pool_push
    from /opt/gnome/lib64/libglib-2.0.so.0
  • #4 g_thread_create_full
    from /opt/gnome/lib64/libglib-2.0.so.0
  • #5 start_thread
    at pthread_create.c line 261
  • #6 clone
    from /lib64/libc.so.6
  • #7 ?? 


Other information:
Please contact me in private mail, if you need the test file.
Comment 1 Edward Hervey 2006-02-17 13:23:07 UTC 
could you try with gst-plugins-bad CVS ?
Comment 2 Stanislav Brabec 2006-02-17 14:39:01 UTC 
No. it does not crash on my file.m4a.

But if I try to cut it, new (incorrect) file causes SIGBUS:

sbrabec@hammer:~> head -c 10000 file.m4a >file_cut.m4a
sbrabec@hammer:~> gst-launch-0.10 filesrc location=file_cut.m4a ! decodebin ! audioconvert !  audioresample ! alsasink
Setting pipeline to PAUSED ...
Pipeline is PREROLLING ...
Bus error (core dumped)

+ Trace 66273

  • #0 qtdemux_parse
    at qtdemux.c line 1446
  • #0 qtdemux_parse
    at qtdemux.c line 1446
  • #1 qtdemux_parse
    at qtdemux.c line 1458
  • #2 qtdemux_parse
    at qtdemux.c line 1458
  • #3 qtdemux_parse
    at qtdemux.c line 1458
  • #4 qtdemux_parse
    at qtdemux.c line 1458
  • #5 qtdemux_parse_moov
    at qtdemux.c line 1379
  • #6 gst_qtdemux_loop
    at qtdemux.c line 595
  • #7 gst_task_func
    at gsttask.c line 186
  • #8 g_thread_pool_push
    from /opt/gnome/lib64/libglib-2.0.so.0
  • #9 g_thread_create_full
    from /opt/gnome/lib64/libglib-2.0.so.0
  • #10 start_thread
    at pthread_create.c line 261
  • #11 clone
    from /lib64/libc.so.6
  • #12 ?? 






Comment 3


Edward Hervey





          2006-02-17 14:45:10 UTC
        



May I ask what's the point of cutting the file ? Apart from creating a completely invalid and crashable file ?






Comment 4


Stanislav Brabec





          2006-02-17 15:26:55 UTC
        



First reason was to able to attach a small file to the original bug report.

But the same crash can occur on network error when playing a stream from the web.






Comment 5


Edward Hervey





          2006-02-17 15:35:27 UTC
        



could you attach that cut file ?






Comment 6


Stanislav Brabec





          2006-02-17 15:57:59 UTC
        



Created attachment 59581 [details]
file_cut.m4a






Comment 7


Edward Hervey





          2006-02-17 16:21:55 UTC
        



The problem was that qtdemux doesn't verify that the buffer returned by gst_pad_pull_range() has the requested length.

Patch follows.






Comment 8


Edward Hervey





          2006-02-17 16:22:39 UTC
        



Created attachment 59582 [details] [review]
Check returned buffer's length






Comment 9


Jan Schmidt





          2006-02-17 16:28:46 UTC
        



Looks good, please commit.






Comment 10


Edward Hervey





          2006-02-17 16:32:01 UTC
        



2006-02-17  Edward Hervey  <edward@fluendo.com>

	* gst/qtdemux/qtdemux.c: (gst_qtdemux_loop_state_header):
	Check that the size of the returned buffer is of the correct size
	because the parser assumes that.
	Fixes #331543.