Bug 593391 - [rtpsession] : rtp_session_on_timeout : Invalid read of size 4
Status: RESOLVED FIXED
Product: GStreamer
Classification: Platform
Component: gst-plugins-good
Version: git master
Hardware: Other Linux
Importance: Normal normal
Target Milestone: 0.10.17
Assigned To: GStreamer Maintainers
QA Contact: GStreamer Maintainers
Reported: 2009-08-28 14:29 UTC by Aurelien Grimaud
Modified: 2009-08-30 19:59 UTC


Attachments
valgrind log file (5.66 KB, text/plain)
2009-08-28 14:30 UTC, Aurelien Grimaud

Description Aurelien Grimaud 2009-08-28 14:29:11 UTC
valgrind reports an Invalid read in rtp_session_on_timeout.

==00:00:17:44.684 17554== Invalid read of size 4
==00:00:17:44.684 17554==    at 0x4385196: gst_caps_ref (gstcaps.c:382)
==00:00:17:44.684 17554==    by 0x43880F0: gst_caps_replace (gstcaps.c:1927)
==00:00:17:44.684 17554==    by 0x43800CF: gst_buffer_set_caps (gstbuffer.c:408)
==00:00:17:44.684 17554==    by 0x73558FD: gst_rtp_session_send_rtcp (gstrtpsession.c:1019)
==00:00:17:44.684 17554==    by 0x734DB3F: rtp_session_on_timeout (rtpsession.c:2512)
==00:00:17:44.684 17554==    by 0x7354FC5: rtcp_thread (gstrtpsession.c:801)
==00:00:17:44.684 17554==    by 0x4636A2E: g_thread_create_proxy (gthread.c:635)
==00:00:17:44.684 17554==    by 0x484132E: start_thread (in /lib/libpthread-2.8.so)
==00:00:17:44.684 17554==    by 0x493220D: clone (in /lib/libc-2.8.so)
==00:00:17:44.684 17554==  Address 0x4effa94 is 4 bytes inside a block of size 32 free'd
==00:00:17:44.684 17554==    at 0x402390A: free (vg_replace_malloc.c:323)
==00:00:17:44.684 17554==    by 0x4614D35: g_free (gmem.c:190)
==00:00:17:44.684 17554==    by 0x4385000: _gst_caps_free (gstcaps.c:318)
==00:00:17:44.684 17554==    by 0x43852F2: gst_caps_unref (gstcaps.c:410)
==00:00:17:44.684 17554==    by 0x73558EB: gst_rtp_session_send_rtcp (gstrtpsession.c:1017)
==00:00:17:44.684 17554==    by 0x734DB3F: rtp_session_on_timeout (rtpsession.c:2512)
==00:00:17:44.684 17554==    by 0x7354FC5: rtcp_thread (gstrtpsession.c:801)
==00:00:17:44.684 17554==    by 0x4636A2E: g_thread_create_proxy (gthread.c:635)
==00:00:17:44.684 17554==    by 0x484132E: start_thread (in /lib/libpthread-2.8.so)
==00:00:17:44.684 17554==    by 0x493220D: clone (in /lib/libc-2.8.so)

It seems that the newly created and affected caps in gst_rtp_session_send_rtcp are freed when unreffing.
IMHO there is a window for the send_rtcp_src pad to be released (and caps with it) between the gst_pad_set_caps and the gst_caps_unref of gst_rtp_session_send_rtcp.
Comment 1 Aurelien Grimaud 2009-08-28 14:30:31 UTC
Created attachment 141933
valgrind log file
Comment 2 Sebastian Dröge (slomo) 2009-08-30 19:59:22 UTC
commit ef32dced4be52362fc60bd2d699ecd27899924fa
Author: Sebastian Dröge <sebastian.droege@collabora.co.uk>
Date:   Sun Aug 30 21:57:57 2009 +0200

    rtpsession: Make sure that used caps are not freed already
    
    Fixes bug #593391.
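
Added example, not part of the bug report or the GStreamer code: a single-threaded C model of the ordering the valgrind trace shows in gst_rtp_session_send_rtcp (unref at line 1017, use of the same caps at line 1019), next to an ordering that keeps the caller's reference until after the last use. The types, function names and the pad_released_in_window flag (which stands in for another thread releasing the pad's caps) are hypothetical, and freeing is modelled by marking the object dead so the stale use is detected without reading freed memory.

```c
#include <stdio.h>

/* Toy model (constructed): "freeing" only marks the object dead, so a
 * stale use can be detected without reading freed memory. */
typedef struct { int refcount; int live; } Caps;
typedef struct { Caps *caps; } Pad, Buffer;
static Caps pool[8];
static int pool_used;
static Caps *caps_new(void) {
    Caps *c = &pool[pool_used++ % 8];
    c->refcount = 1; c->live = 1;
    return c;
}
static Caps *caps_ref(Caps *c) { c->refcount++; return c; }
static void caps_unref(Caps *c) { if (--c->refcount == 0) c->live = 0; }
/* The pad takes its own reference and drops the one it held before. */
static void pad_set_caps(Pad *p, Caps *c) {
    Caps *old = p->caps;
    p->caps = c ? caps_ref(c) : NULL;
    if (old) caps_unref(old);
}
/* Returns -1 where the real code would read freed memory. */
static int buffer_set_caps(Buffer *b, Caps *c) {
    if (!c->live) return -1;
    b->caps = caps_ref(c);
    return 0;
}
/* Order seen in the trace: unref first, then use the same pointer. */
int send_rtcp_unref_first(Pad *pad, Buffer *buf, int pad_released_in_window) {
    Caps *caps = caps_new();
    pad_set_caps(pad, caps);
    caps_unref(caps);  /* the pad now holds the only reference */
    if (pad_released_in_window) pad_set_caps(pad, NULL);  /* other thread */
    return buffer_set_caps(buf, caps);
}
/* Keep the caller's reference until after the last use. */
int send_rtcp_unref_last(Pad *pad, Buffer *buf, int pad_released_in_window) {
    Caps *caps = caps_new();
    pad_set_caps(pad, caps);
    if (pad_released_in_window) pad_set_caps(pad, NULL);
    int rc = buffer_set_caps(buf, caps);
    caps_unref(caps);
    return rc;
}
int main(void) {
    Pad p = {0}; Buffer b = {0};
    printf("unref first, pad released in window: %d\n", send_rtcp_unref_first(&p, &b, 1));
    printf("unref last,  pad released in window: %d\n", send_rtcp_unref_last(&p, &b, 1));
    return 0;
}
```

With the flag at 0 the unref-first ordering also returns 0, which is why code of this shape passes ordinary testing and only fails when the other holder lets go inside the window.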