Bug 376594 - id3demux crashes when reading compressed ID3 frames
Status: RESOLVED FIXED
Product: GStreamer
Classification: Platform
Component: gst-plugins-good
Version: 0.10.x
OS: Other Linux
Importance: Normal major
Target Milestone: 0.10.5
Assigned To: GStreamer Maintainers
Depends on:
Blocks:
Reported: 2006-11-18 09:42 UTC by Lukáš Lalinský
Modified: 2006-11-19 15:48 UTC
See Also:
GNOME target: ---
GNOME version: ---


Attachments
ID3 tag with compressed APIC frame (25.00 KB, application/octet-stream), 2006-11-18 09:51 UTC, Lukáš Lalinský
Properly parse compressed frames (1.88 KB, patch), 2006-11-18 21:06 UTC, René Stadler, committed

Description Lukáš Lalinský 2006-11-18 09:42:26 UTC
Whenever you try to open an MP3 file with ID3 tags that contain a compressed ID3 frame (usually APIC), it crashes.

/lib/tls/i686/cmov/libc.so.6(__libc_free+0x18a)[0xb6ffab4a]
/usr/lib/libglib-2.0.so.0(g_free+0x31)[0xb71cdb51]
/usr/lib/gstreamer-0.10/libgstid3demux.so(id3demux_id3v2_parse_frame+0x67b)[0xb36f7e4b]
/usr/lib/gstreamer-0.10/libgstid3demux.so(id3demux_read_id3v2_tag+0x710)[0xb36f6770]
/usr/lib/gstreamer-0.10/libgstid3demux.so[0xb36f395b]
/usr/lib/gstreamer-0.10/libgstid3demux.so[0xb36f5422]
/usr/lib/libgstreamer-0.10.so.0(gst_pad_set_active+0xa4)[0xb7528db4]
/usr/lib/libgstreamer-0.10.so.0[0xb7511adb]
/usr/lib/libgstreamer-0.10.so.0(gst_iterator_fold+0x67)[0xb751d757]
/usr/lib/libgstreamer-0.10.so.0[0xb7511552]
/usr/lib/libgstreamer-0.10.so.0[0xb7511618]
/usr/lib/libgstreamer-0.10.so.0[0xb7511986]
/usr/lib/gstreamer-0.10/libgstid3demux.so[0xb36f5987]
/usr/lib/libgstreamer-0.10.so.0[0xb750e16a]
/usr/lib/libgstreamer-0.10.so.0[0xb7511196]
/usr/lib/libgstreamer-0.10.so.0(gst_element_set_state+0x53)[0xb750d2f3]
/usr/lib/gstreamer-0.10/libgstdecodebin.so[0xb313175a]
/usr/lib/gstreamer-0.10/libgstdecodebin.so[0xb3131d7e]
/usr/lib/libgstreamer-0.10.so.0(gst_marshal_VOID__UINT_BOXED+0x5d)[0xb755403d]
/usr/lib/libgobject-2.0.so.0(g_closure_invoke+0x12b)[0xb72fa79b]
/usr/lib/libgobject-2.0.so.0[0xb730ab93]
/usr/lib/libgobject-2.0.so.0(g_signal_emit_valist+0x8c7)[0xb730c0b7]
/usr/lib/libgobject-2.0.so.0(g_signal_emit+0x29)[0xb730c279]
/usr/lib/gstreamer-0.10/libgstcoreelements.so[0xb475298b]
/usr/lib/libgstreamer-0.10.so.0(gst_pad_set_active+0xa4)[0xb7528db4]
/usr/lib/libgstreamer-0.10.so.0[0xb7511adb]
/usr/lib/libgstreamer-0.10.so.0(gst_iterator_fold+0x67)[0xb751d757]
/usr/lib/libgstreamer-0.10.so.0[0xb7511552]
/usr/lib/libgstreamer-0.10.so.0[0xb7511618]
/usr/lib/libgstreamer-0.10.so.0[0xb7511986]
/usr/lib/gstreamer-0.10/libgstcoreelements.so[0xb4752db8]
/usr/lib/libgstreamer-0.10.so.0[0xb750e16a]
/usr/lib/libgstreamer-0.10.so.0[0xb7511196]
/usr/lib/libgstreamer-0.10.so.0(gst_element_set_state+0x53)[0xb750d2f3]
/usr/lib/libgstreamer-0.10.so.0[0xb7502a72]
/usr/lib/gstreamer-0.10/libgstdecodebin.so[0xb3133998]
/usr/lib/libgstreamer-0.10.so.0[0xb750e16a]
/usr/lib/libgstreamer-0.10.so.0[0xb750e252]
/usr/lib/libgstreamer-0.10.so.0[0xb7511196]
/usr/lib/libgstreamer-0.10.so.0(gst_element_set_state+0x53)[0xb750d2f3]
/usr/lib/libgstreamer-0.10.so.0[0xb7502a72]
/usr/lib/libgstreamer-0.10.so.0[0xb752b36a]
/usr/lib/gstreamer-0.10/libgstplaybin.so[0xb476746b]
/usr/lib/gstreamer-0.10/libgstplaybin.so[0xb4761790]
/usr/lib/libgstreamer-0.10.so.0[0xb750e16a]
/usr/lib/libgstreamer-0.10.so.0[0xb750e252]
/usr/lib/libgstreamer-0.10.so.0[0xb7511196]
/usr/lib/libgstreamer-0.10.so.0(gst_element_set_state+0x53)[0xb750d2f3]
totem(bacon_video_widget_open_with_subtitle+0x2cb)[0x808350b]
totem(totem_action_set_mrl_with_warning+0xa6)[0x8063106]
totem(totem_action_set_mrl+0x20)[0x8063740]
totem(totem_action_set_mrl_and_play+0x19)[0x8063bd9]
totem(totem_action_play_pause+0xb0)[0x8064310]
totem(main+0x2050)[0x8067380]
/lib/tls/i686/cmov/libc.so.6(__libc_start_main+0xdc)[0xb6fa98cc]
totem[0x805a7a1]
Comment 1 Lukáš Lalinský 2006-11-18 09:51:31 UTC
Created attachment 76800 [details]
ID3 tag with compressed APIC frame

Attached an ID3 tag, just in case you need something to test with and can't produce such a file with a tagger.
Comment 2 René Stadler 2006-11-18 15:54:48 UTC
Using the provided file, I found the problem.  Patch follows later (no time now).
Comment 3 René Stadler 2006-11-18 21:06:20 UTC
Created attachment 76816 [details] [review]
Properly parse compressed frames

The problem is in id3v2frames.c, id3demux_id3v2_parse_frame: For compressed frame data, work->parse_data is set to newly allocated memory that is filled with the uncompressed data.  Then the appropriate parse_* function is called, some of which advance the work->parse_data pointer as they do the parsing.  This is followed by g_free (work->parse_data), which crashes in this case.

This fix attempt implements these changes:

        * gst/id3demux/id3v2frames.c: (id3demux_id3v2_parse_frame):
          Make sure that g_free always gets called on the same pointer that was
          returned by g_malloc.  Fixes #376594.
          Do not leak memory if decompressed size is wrong.
          Remove unneeded check of return value of g_malloc.
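As an added illustration of the defect and fix described in the comment above (example code written for this page, not the attached patch or GStreamer's id3v2frames.c): the hypothetical FrameWork struct, parse_payload and fake_uncompress stand in for id3demux's work struct, its parse_* callbacks and zlib respectively, and the fixed function frees the pointer it allocated rather than the cursor the parser advanced.

```c
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

/* Hypothetical stand-in for id3demux's working state, not GStreamer's real struct:
 * parse_data is a cursor that parse_* callbacks advance as they consume data. */
typedef struct {
    const uint8_t *parse_data;
    size_t parse_size;
} FrameWork;

/* Stand-in parse_* callback: skips a one-byte encoding field by advancing the cursor
 * and returns the payload length that follows. This cursor movement is what turned
 * g_free(work->parse_data) into a free of a pointer malloc never returned. */
static size_t parse_payload(FrameWork *w) {
    if (w->parse_size < 1) return 0;
    w->parse_data += 1;
    w->parse_size -= 1;
    return w->parse_size;
}

/* Constructed stand-in for zlib uncompress(): copies src to dst and reports the
 * produced length, so a declared-size mismatch can be exercised offline. */
static int fake_uncompress(uint8_t *dst, size_t *dst_len, const uint8_t *src, size_t src_len) {
    if (src_len > *dst_len) return -1;
    memcpy(dst, src, src_len);
    *dst_len = src_len;
    return 0;
}

/* Fixed pattern from the patch: keep the pointer malloc returned in its own variable
 * and free exactly that, wherever parse_* left the cursor; free it on a size mismatch
 * too. Returns the payload length parsed, or -1 on error. */
long parse_compressed_frame(const uint8_t *comp, size_t comp_len, size_t declared_size) {
    uint8_t *uncompressed = malloc(declared_size ? declared_size : 1);
    size_t got = declared_size;
    FrameWork w;
    if (uncompressed == NULL) return -1;
    if (fake_uncompress(uncompressed, &got, comp, comp_len) != 0 || got != declared_size) {
        free(uncompressed);   /* "do not leak memory if decompressed size is wrong" */
        return -1;
    }
    w.parse_data = uncompressed;
    w.parse_size = got;
    long payload = (long)parse_payload(&w);
    /* The crashing code did free(w.parse_data): that pointer now sits one byte into
     * the allocation. Freeing the saved original is always valid. */
    free(uncompressed);
    return payload;
}
```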
Comment 4 Jan Schmidt 2006-11-19 13:23:53 UTC
Thanks!

In my defence, this code was completely untested, because I'd never actually seen a file with a compressed frame.

Patch committed to CVS:
        * gst/id3demux/id3v2frames.c: (id3demux_id3v2_parse_frame):
        Make sure that g_free always gets called on the same pointer that was
        returned by g_malloc.  Fixes #376594.
        Do not leak memory if decompressed size is wrong.
        Remove unneeded check of return value of g_malloc.
        Patch by: René Stadler <mail@renestadler.de>