GNOME Bugzilla – Bug 461253
Crash when gst_base_transform_prepare_output_buffer is sent negative size.
Last modified: 2008-05-06 08:42:46 UTC
Steps to reproduce:

Short version:
1. Call gst_base_transform_prepare_output_buffer() with a negative size value, that when converted to an unsigned int will be a very large value.
2. Notice that gst_pad_alloc_buffer_full() takes in size as a gint, whereas gst_buffer_new_and_alloc() takes in size as a guint.
3. Watch g_malloc() fail as you cannot allocate such a large block of memory.

Long version (how I invoked the crash):
1. Run Jokosher and import an MP3 file.
2. Note that new in gstreamer CVS is the ability for mp3parse to do accurate seeks. Jokosher uses gnonlin, which does accurate seeking.
3. Play the audio and quickly seek from one place to another. I find it is easiest to reproduce when seeking backwards in short intervals such as seek to 10s, then 9s, then 8s as fast as you can click.
4. Everything crashes.

Stack trace:
GLib-ERROR **: gmem.c:135: failed to allocate 4294783552 bytes
aborting...
Program received signal SIGABRT, Aborted.
Trace 151190 (thread LWP 23557), full backtrace attached.
Other information: It seems from the backtrace that this is a bug in the new accurate seeking implementation in mp3parse, but nonetheless there should be a check for negative values in gst_base_transform_prepare_output_buffer() or gst_pad_alloc_buffer_full().
Created attachment 92599: Last few lines of the gst debug level 5 log before the crash
Ok, basetransform and gst_pad_alloc*() will now complain about negative sizes instead of exploding :) I don't think this was caused by a mp3parse bug though, it looks like one of the elements between mp3parse and the crasher transform the size wrong. If you can still reproduce this bug could you file a new one with the complete pipeline and a complete GST_DEBUG=5 log?

2008-05-06  Sebastian Dröge  <slomo@circular-chaos.org>

	* gst/gstpad.c: (gst_pad_alloc_buffer_full):
	* libs/gst/base/gstbasetransform.c:
	(gst_base_transform_prepare_output_buffer):
	Don't allow negative sizes when allocating new buffers.
	Fixes bug #461253.
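The failure mode in this report is a signed-to-unsigned size conversion: a negative gint passed down to a guint allocator becomes a value near 2^32, and g_malloc() aborts. The following is an added example, not GStreamer's code; the typedefs, unchecked_size() and alloc_buffer_checked() are stand-ins written for illustration. The only value taken from the report is 4294783552, which is what a 32-bit gint of -183744 (2^32 - 183744) becomes when reinterpreted as guint. The guard mirrors the fix's intent: refuse negative sizes before they can reach the unsigned allocator.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Stand-ins for GLib's gint/guint, assumed 32-bit as on the reporter's platform. */
typedef int32_t gint;
typedef uint32_t guint;

/* The unchecked path: what an allocator taking guint receives when the
 * caller hands it a negative gint. This is the number in the GLib-ERROR line. */
guint unchecked_size(gint size) {
  return (guint) size;
}

/* The gint that, reinterpreted as guint, gives the reported 4294783552 bytes. */
gint signed_size_from_report(void) {
  return (gint) 4294783552u;  /* wraps to -183744 */
}

/* Guarded allocation (hypothetical helper): reject negative sizes up front,
 * so the error is a clean refusal rather than an abort inside g_malloc(). */
void *alloc_buffer_checked(gint size, bool *rejected) {
  if (size < 0) {
    fprintf(stderr, "refusing to allocate buffer of negative size %d\n", size);
    *rejected = true;
    return NULL;
  }
  *rejected = false;
  /* Allocate at least one byte so a zero-size request does not look like failure. */
  return malloc(size == 0 ? 1 : (size_t) size);
}

int main(void) {
  bool rejected;
  gint bad = signed_size_from_report();
  printf("gint %d reinterpreted as guint = %u\n", bad, unchecked_size(bad));

  void *p = alloc_buffer_checked(bad, &rejected);
  printf("negative size rejected: %s\n", rejected ? "yes" : "no");

  p = alloc_buffer_checked(4096, &rejected);
  printf("4096-byte request rejected: %s\n", rejected ? "yes" : "no");
  free(p);
  return 0;
}
```

The check belongs at the boundary where the signed parameter is first received; once the value has been converted to an unsigned type the sign information is gone and no later test can recover it.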