Bug 731349 - queuearray: doesn't expand with initial size of 1, resulting in invalid memory access
Status: RESOLVED FIXED
Product: GStreamer
Classification: Platform
Component: gstreamer (core)
Version: unspecified
OS: Other Linux
Priority: Normal
Severity: normal
Target Milestone: 1.3.3
Assigned To: GStreamer Maintainers
QA Contact: GStreamer Maintainers
Depends on:
Blocks:
Reported: 2014-06-06 23:50 UTC by Evan Nemerson
Modified: 2014-06-07 08:49 UTC
See Also:
GNOME target: ---
GNOME version: ---

Attachments
queuearray: fix expanding size of queue from 1 (872 bytes, patch), 2014-06-06 23:50 UTC, Evan Nemerson, status: committed

Description Evan Nemerson 2014-06-06 23:50:16 UTC
Created attachment 278064
queuearray: fix expanding size of queue from 1

If you create a GstQueueArray with a size of 1, then call push_tail when there is already one value in the array then gstreamer will not correctly expand the array.  The problem is here:

  guint newsize = (3 * array->size) / 2;

(3 * 1) / 2 == 1, which is the same size as the existing array.

Attached patch just does this instead:

  guint newsize = MAX ((3 * array->size) / 2, array->size + 1);
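The growth arithmetic described in the report, as an added example that is not GStreamer's own GstQueueArray code: a toy ring-buffer queue (ToyQueueArray, toy_push_tail, toy_pop_head and the two grow_* policies are names chosen for this example, not GStreamer identifiers) that applies either the buggy growth rule or the patched one, and refuses to store an element when the rule yields no extra room. With the buggy rule a size-1 queue cannot accept a second element, which is exactly the point at which the real code wrote past its allocation; with the patched rule the queue grows to 2, 3, 4, 6, 9, ... and keeps FIFO order across the wrap-around copies.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Toy ring-buffer queue (constructed for this example, not GstQueueArray). */
typedef struct {
  void **array;   /* backing store */
  size_t size;    /* allocated slots */
  size_t head;    /* index of the oldest element */
  size_t length;  /* number of stored elements */
} ToyQueueArray;

/* Growth rule from the report: (3 * size) / 2, which is still 1 when size == 1. */
static size_t grow_buggy (size_t size) { return (3 * size) / 2; }

/* Growth rule from the patch: never less than size + 1. */
static size_t grow_fixed (size_t size) {
  size_t n = (3 * size) / 2;
  return n > size + 1 ? n : size + 1;
}

static ToyQueueArray *toy_new (size_t initial_size) {
  ToyQueueArray *q = calloc (1, sizeof *q);
  q->array = calloc (initial_size, sizeof *q->array);
  q->size = initial_size;
  return q;
}

static void toy_free (ToyQueueArray *q) { free (q->array); free (q); }

/* Append at the tail, expanding with the given policy when full. Returns 0 on
 * success and -1 when the policy produced no larger buffer: storing anyway
 * would be the out-of-bounds write the bug report describes. */
static int toy_push_tail (ToyQueueArray *q, void *data, size_t (*grow) (size_t)) {
  if (q->length == q->size) {
    size_t newsize = grow (q->size);
    if (newsize <= q->size)
      return -1;
    void **newarray = calloc (newsize, sizeof *newarray);
    /* copy in logical order so a wrapped queue becomes contiguous again */
    for (size_t i = 0; i < q->length; i++)
      newarray[i] = q->array[(q->head + i) % q->size];
    free (q->array);
    q->array = newarray;
    q->size = newsize;
    q->head = 0;
  }
  q->array[(q->head + q->length) % q->size] = data;
  q->length++;
  return 0;
}

static void *toy_pop_head (ToyQueueArray *q) {
  if (q->length == 0) return NULL;
  void *d = q->array[q->head];
  q->head = (q->head + 1) % q->size;
  q->length--;
  return d;
}

/* Push `pushes` dummy items into a queue of `initial_size` and report how many
 * were accepted before the growth policy failed. */
static int pushes_until_failure (size_t initial_size, size_t pushes, size_t (*grow) (size_t)) {
  ToyQueueArray *q = toy_new (initial_size);
  int ok = 0;
  for (uintptr_t i = 1; i <= pushes; i++) {
    if (toy_push_tail (q, (void *) i, grow) != 0) break;
    ok++;
  }
  toy_free (q);
  return ok;
}

/* Push n, pop n/2, push n more, then drain: returns 1 if every element came
 * back in insertion order despite growth from a wrapped state. */
static int fifo_order_preserved (size_t initial_size, size_t n, size_t (*grow) (size_t)) {
  ToyQueueArray *q = toy_new (initial_size);
  uintptr_t next_push = 1, next_pop = 1;
  int ok = 1;
  for (size_t i = 0; i < n; i++)
    if (toy_push_tail (q, (void *) (next_push++), grow) != 0) ok = 0;
  for (size_t i = 0; i < n / 2; i++)
    if ((uintptr_t) toy_pop_head (q) != next_pop++) ok = 0;
  for (size_t i = 0; i < n; i++)
    if (toy_push_tail (q, (void *) (next_push++), grow) != 0) ok = 0;
  while (q->length > 0)
    if ((uintptr_t) toy_pop_head (q) != next_pop++) ok = 0;
  ok = ok && next_pop == next_push;
  toy_free (q);
  return ok;
}

int main (void) {
  printf ("size 1, two pushes, buggy growth: %d accepted\n", pushes_until_failure (1, 2, grow_buggy));
  printf ("size 1, two pushes, fixed growth: %d accepted\n", pushes_until_failure (1, 2, grow_fixed));
  printf ("FIFO order kept across growth: %s\n", fifo_order_preserved (1, 8, grow_fixed) ? "yes" : "no");
  return 0;
}
```

The decisive check is the `newsize <= q->size` guard: GStreamer's real code had no such guard, so the buggy arithmetic went straight to an out-of-bounds store, which is why the fix belongs in the growth formula itself.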
Comment 1 Tim-Philipp Müller 2014-06-07 08:49:12 UTC
Nice catch!

commit 9c4e1d36893e63d76347cee2099480cebbcd6589
Author: Tim-Philipp Müller <tim@centricular.com>
Date:   Sat Jun 7 09:46:42 2014 +0100

    tests: add unit test for queuearray expansion from 1
    
    https://bugzilla.gnome.org/show_bug.cgi?id=731349

commit 1cd4bd64b04c71970148ae5e1de1e13602d21875
Author: Evan Nemerson <evan@nemerson.com>
Date:   Fri Jun 6 16:36:00 2014 -0700

    queuearray: fix expanding size of queue from 1
    
    Without we would not actually expand and access
    memory beyond the allocated region for the array.
    
    https://bugzilla.gnome.org/show_bug.cgi?id=731349