GNOME Bugzilla – Bug 397229
demuxer/decoder bugs exposed by file fuzzing
Last modified: 2007-01-22 16:41:26 UTC
http://sam.zoy.org/blog/2007-01-16-exposing-file-parsing-vulnerabilities
for the ogg:

0:00:09.364459000 20465 0x815df70 LOG GST_REFCOUNTING gstobject.c:325:gst_object_ref:<filesrc0:src> 0x814e060 ref 1->2
0:00:09.364512000 20465 0x815df70 LOG GST_SCHEDULING gstpad.c:3737:gst_pad_get_range:<filesrc0:src> calling getrangefunc gst_base_src_pad_get_range, offset 16969, size 8500
0:00:09.364566000 20465 0x815df70 LOG GST_REFCOUNTING gstobject.c:325:gst_object_ref:<filesrc0> 0x814d018 ref 1->2
0:00:09.364616000 20465 0x815df70 DEBUG basesrc gstbasesrc.c:1293:gst_base_src_update_length:<filesrc0> reading offset 16969, length 8500, size 15772, segment.stop -1, maxsize 15772
0:00:09.364671000 20465 0x815df70 DEBUG basesrc gstbasesrc.c:1424:gst_base_src_get_range:<filesrc0> unexpected length 8500 (offset=16969, size=15772)
0:00:09.364722000 20465 0x815df70 LOG GST_REFCOUNTING gstobject.c:352:gst_object_unref:<filesrc0> 0x814d018 unref 2->1
0:00:09.364771000 20465 0x815df70 LOG GST_REFCOUNTING gstobject.c:352:gst_object_unref:<filesrc0:src> 0x814e060 unref 2->1
0:00:09.364820000 20465 0x815df70 WARN oggdemux gstoggdemux.c:1582:gst_ogg_demux_get_data:<oggdemux0> got -3 (unexpected) from pull range
0:00:09.364868000 20465 0x815df70 LOG oggdemux gstoggdemux.c:2295:gst_ogg_demux_read_chain:<oggdemux0> read bos pages, init decoder now
Caught SIGSEGV accessing address 0x8195000
*** glibc detected *** /usr/bin/gst-launch-0.10: malloc(): memory corruption: 0x0818c800 ***
Spinning. Please run 'gdb gst-launch 20465' to continue debugging, Ctrl-C to quit, or Ctrl-\ to dump core.
*** glibc detected *** /usr/bin/gst-launch-0.10: malloc(): memory corruption: 0x0818c800 ***
Segmentation fault (core dumped)
better trace:

0:00:06.371188000 24437 0x815dc28 LOG oggdemux gstoggdemux.c:2300:gst_ogg_demux_read_chain:<oggdemux0> read bos pages, init decoder now
0:00:06.371236000 24437 0x815dc28 LOG oggdemux gstoggdemux.c:2321:gst_ogg_demux_read_chain:<oggdemux0> serial = 745681227, streams = 1
0:00:06.371284000 24437 0x815dc28 LOG oggdemux gstoggdemux.c:2336:gst_ogg_demux_read_chain:<oggdemux0> submitting page for stream 0
0:00:04.850123000 25505 0x815dad0 LOG oggdemux gstoggdemux.c:1184:gst_ogg_pad_submit_page:<oggdemux0> pagein(0x816e128,0xb7824274)
Caught SIGSEGV accessing address 0x8195000
*** glibc detected *** /usr/bin/gst-launch-0.10: malloc(): memory corruption: 0x0818a5b8 ***

this call then segfaults:

if (ogg_stream_pagein (&pad->stream, page) != 0) goto choked;

Filed upstream as https://trac.xiph.org/ticket/1118
Probably better to have separate bugs for the different issues. Marking this one as duplicate of bug #399340 even though this one is older, since the other one has more info and a tentative patch.

For the mpeg2 issue, see bug #399342.
For the avidemux issue, see bug #399338.

*** This bug has been marked as a duplicate of 399340 ***