Bug 397229 - demuxer/decoder bugs exposed by file fuzzing
Status: RESOLVED DUPLICATE of bug 399340
Product: GStreamer
Classification: Platform
Component: gst-plugins
Version: git master
OS: Other Linux
Priority: Normal
Severity: normal
Assigned To: GStreamer Maintainers
QA Contact: GStreamer Maintainers
Depends on:
Blocks:
Reported: 2007-01-16 12:22 UTC by Stefan Sauer (gstreamer, gtkdoc dev)
Modified: 2007-01-22 16:41 UTC
See Also:
GNOME target: ---
GNOME version: ---



Description Stefan Sauer (gstreamer, gtkdoc dev) 2007-01-16 12:22:07 UTC
http://sam.zoy.org/blog/2007-01-16-exposing-file-parsing-vulnerabilities
Comment 1 Stefan Sauer (gstreamer, gtkdoc dev) 2007-01-16 12:32:06 UTC
For the ogg:
0:00:09.364459000 20465 0x815df70 LOG        GST_REFCOUNTING gstobject.c:325:gst_object_ref:<filesrc0:src> 0x814e060 ref 1->2
0:00:09.364512000 20465 0x815df70 LOG         GST_SCHEDULING gstpad.c:3737:gst_pad_get_range:<filesrc0:src> calling getrangefunc gst_base_src_pad_get_range, offset 16969, size 8500
0:00:09.364566000 20465 0x815df70 LOG        GST_REFCOUNTING gstobject.c:325:gst_object_ref:<filesrc0> 0x814d018 ref 1->2
0:00:09.364616000 20465 0x815df70 DEBUG              basesrc gstbasesrc.c:1293:gst_base_src_update_length:<filesrc0> reading offset 16969, length 8500, size 15772, segment.stop -1, maxsize 15772
0:00:09.364671000 20465 0x815df70 DEBUG              basesrc gstbasesrc.c:1424:gst_base_src_get_range:<filesrc0> unexpected length 8500 (offset=16969, size=15772)
0:00:09.364722000 20465 0x815df70 LOG        GST_REFCOUNTING gstobject.c:352:gst_object_unref:<filesrc0> 0x814d018 unref 2->1
0:00:09.364771000 20465 0x815df70 LOG        GST_REFCOUNTING gstobject.c:352:gst_object_unref:<filesrc0:src> 0x814e060 unref 2->1
0:00:09.364820000 20465 0x815df70 WARN              oggdemux gstoggdemux.c:1582:gst_ogg_demux_get_data:<oggdemux0> got -3 (unexpected) from pull range
0:00:09.364868000 20465 0x815df70 LOG               oggdemux gstoggdemux.c:2295:gst_ogg_demux_read_chain:<oggdemux0> read bos pages, init decoder now
Caught SIGSEGV accessing address 0x8195000
*** glibc detected *** /usr/bin/gst-launch-0.10: malloc(): memory corruption: 0x0818c800 ***
Spinning.  Please run 'gdb gst-launch 20465' to continue debugging, Ctrl-C to quit, or Ctrl-\ to dump core.
*** glibc detected *** /usr/bin/gst-launch-0.10: malloc(): memory corruption: 0x0818c800 ***
Segmentation fault (core dumped)
Comment 2 Stefan Sauer (gstreamer, gtkdoc dev) 2007-01-16 13:00:55 UTC
better trace:
0:00:06.371188000 24437 0x815dc28 LOG               oggdemux gstoggdemux.c:2300:gst_ogg_demux_read_chain:<oggdemux0> read bos pages, init decoder now
0:00:06.371236000 24437 0x815dc28 LOG               oggdemux gstoggdemux.c:2321:gst_ogg_demux_read_chain:<oggdemux0> serial = 745681227, streams = 1
0:00:06.371284000 24437 0x815dc28 LOG               oggdemux gstoggdemux.c:2336:gst_ogg_demux_read_chain:<oggdemux0> submitting page for stream 0
0:00:04.850123000 25505 0x815dad0 LOG               oggdemux gstoggdemux.c:1184:gst_ogg_pad_submit_page:<oggdemux0> pagein(0x816e128,0xb7824274)
Caught SIGSEGV accessing address 0x8195000
*** glibc detected *** /usr/bin/gst-launch-0.10: malloc(): memory corruption: 0x0818a5b8 ***

This call then segfaults:
  if (ogg_stream_pagein (&pad->stream, page) != 0)
    goto choked;

Filed upstream as https://trac.xiph.org/ticket/1118
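The basesrc lines in comment 1 show the source refusing a pull-range request that starts past the end of the file (offset 16969 in a 15772-byte file), returning -3 (unexpected), after which oggdemux still proceeds to ogg_stream_pagein and crashes. The C below is an added example, not GStreamer or libogg code, of the range check a pull-range source has to make and of the caller-side rule that a failed or short read must not be handed to the page parser as if it had succeeded. The function names, the enum, and the second set of input values are assumptions chosen to mirror the log; only the 16969/8500/15772 triple comes from the report.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Added example (not GStreamer's own code). Return values mirror the flow
 * codes visible in the log: 0 for a usable read, -3 for "unexpected",
 * which is what basesrc handed oggdemux in comment 1. */
enum {
    RANGE_OK = 0,         /* request lies inside the file (possibly shortened) */
    RANGE_UNEXPECTED = -3 /* offset at or beyond EOF: nothing to read */
};

/* Clamp a requested range [offset, offset+length) to a file of `size` bytes.
 * On success *out_len holds the number of bytes that can really be read,
 * which is smaller than `length` when the request crosses EOF. Unsigned
 * arithmetic on (size - offset) avoids the overflow that offset + length
 * could suffer, and the offset test comes first so the subtraction is safe. */
int clamp_range(uint64_t offset, uint64_t length, uint64_t size, uint64_t *out_len)
{
    *out_len = 0;
    if (offset >= size)                 /* 16969 >= 15772 in the log: -3 */
        return RANGE_UNEXPECTED;
    uint64_t available = size - offset; /* cannot wrap: offset < size */
    *out_len = length < available ? length : available;
    return RANGE_OK;
}

/* Convenience view of clamp_range: the readable byte count on success,
 * otherwise the negative status code. */
long long readable_bytes(uint64_t offset, uint64_t length, uint64_t size)
{
    uint64_t n;
    int rc = clamp_range(offset, length, size, &n);
    return rc == RANGE_OK ? (long long) n : rc;
}

/* The caller's side of the contract: a demuxer that asked for `want` bytes
 * may only feed the buffer to the page parser when every byte arrived.
 * A failed or short read means stop (or seek), never "submit anyway". */
bool full_page_available(uint64_t offset, uint64_t want, uint64_t file_size)
{
    uint64_t got;
    int rc = clamp_range(offset, want, file_size, &got);
    return rc == RANGE_OK && got == want;
}

int main(void)
{
    /* Values taken from the basesrc log line in comment 1. */
    printf("log request:    rc=%lld\n", readable_bytes(16969, 8500, 15772));
    /* Constructed case: request starts inside the file but runs past EOF. */
    printf("crossing EOF:   %lld bytes readable\n", readable_bytes(10000, 8500, 15772));
    printf("submit to pagein? %s\n", full_page_available(10000, 8500, 15772) ? "yes" : "no");
    return 0;
}
```

The first case reproduces the log exactly: an offset past EOF yields -3 and no bytes. The second shows the less obvious case, a request that begins inside the file and is silently shortened; a demuxer that compares the returned size against what it asked for catches both before calling into the page parser.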
Comment 3 Tim-Philipp Müller 2007-01-22 16:41:26 UTC
Probably better to have separate bugs for the different issues. Marking this one as duplicate of bug #399340 even though this one is older, since the other one has more info and a tentative patch.

For the mpeg2 issue, see bug #399342.

For the avidemux issue, see bug #399338.



*** This bug has been marked as a duplicate of 399340 ***