Bug 733695 - ximagesrc: Use after free
Status: RESOLVED FIXED
Product: GStreamer
Classification: Platform
Component: gst-plugins-good
Version: 1.4.0
OS: Other Linux
Importance: Normal normal
Target Milestone: 1.4.1
Assigned To: GStreamer Maintainers
QA Contact: GStreamer Maintainers
Depends on:
Blocks:
Reported: 2014-07-24 19:04 UTC by Nicolas Dufresne (ndufresne)
Modified: 2014-07-31 13:19 UTC
See Also:
GNOME target: ---
GNOME version: ---


Attachments
[PATCH] ximagesrc: Add missing return value to Buffer dispose function (2.93 KB, patch)
2014-07-24 19:30 UTC, Nicolas Dufresne (ndufresne)
committed

Description Nicolas Dufresne (ndufresne) 2014-07-24 19:04:32 UTC
Just came across this use after free error. I've tracked down this to be that ximagesrc does not have a return value for its GstBuffer dispose function. So depending on your build, it may never free the buffer, or always free it and eventually crash. Patch is coming soon.

==31556== Thread 8 ximagesrc0:src:
==31556== Invalid read of size 8
==31556==    at 0x4C4D2C5: gst_buffer_get_meta (gstbuffer.c:1950)
==31556==    by 0xC4D17E1: gst_ximage_src_ximage_get (gstximagesrc.c:461)
==31556==    by 0xC4D38E4: gst_ximage_src_create (gstximagesrc.c:862)
==31556==    by 0xC98D7CD: gst_push_src_create (gstpushsrc.c:130)
==31556==    by 0xC971B74: gst_base_src_get_range (gstbasesrc.c:2445)
==31556==    by 0xC972AEF: gst_base_src_loop (gstbasesrc.c:2721)
==31556==    by 0x4CC4A0D: gst_task_func (gsttask.c:317)
==31556==    by 0x4CC5AF5: default_func (gsttaskpool.c:68)
==31556==    by 0x541F98E: g_thread_pool_thread_proxy (gthreadpool.c:307)
==31556==    by 0x541F0FA: g_thread_proxy (gthread.c:764)
==31556==    by 0x3B46607F32: start_thread (pthread_create.c:309)
==31556==    by 0x3B45EF4DEC: clone (clone.S:111)
==31556==  Address 0x1996b178 is 264 bytes inside a block of size 272 free'd
==31556==    at 0x4A07577: free (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==31556==    by 0x5401C81: g_free (gmem.c:190)
==31556==    by 0x54164EA: g_slice_free1 (gslice.c:1112)
==31556==    by 0x4C4AB4B: _gst_buffer_free (gstbuffer.c:587)
==31556==    by 0x4C84DB6: gst_mini_object_unref (gstminiobject.c:465)
==31556==    by 0xC4D0159: gst_buffer_unref (gstbuffer.h:360)
==31556==    by 0xC4D32AD: gst_ximage_src_ximage_get (gstximagesrc.c:769)
==31556==    by 0xC4D38E4: gst_ximage_src_create (gstximagesrc.c:862)
==31556==    by 0xC98D7CD: gst_push_src_create (gstpushsrc.c:130)
==31556==    by 0xC971B74: gst_base_src_get_range (gstbasesrc.c:2445)
==31556==    by 0xC972AEF: gst_base_src_loop (gstbasesrc.c:2721)
==31556==    by 0x4CC4A0D: gst_task_func (gsttask.c:317)
Comment 1 Nicolas Dufresne (ndufresne) 2014-07-24 19:30:28 UTC
Created attachment 281633
[PATCH] ximagesrc: Add missing return value to Buffer dispose function


Depending on the build, the method could return FALSE, hence never
free the buffers, or already TRUE and lead to a crash:

Fixes: https://bugzilla.gnome.org/show_bug.cgi?id=73369
---
 sys/ximage/gstximagesrc.c | 6 +++++-
 sys/ximage/ximageutil.c   | 7 ++++---
 sys/ximage/ximageutil.h   | 2 +-
 3 files changed, 10 insertions(+), 5 deletions(-)
Comment 2 Thiago Sousa Santos 2014-07-30 20:28:02 UTC
Review of attachment 281633:

I didn't know about this miniobject revival thing on its dispose. Nice catch :)

It would be nice to have a small comment about the returns, though.
Comment 3 Nicolas Dufresne (ndufresne) 2014-07-30 21:14:19 UTC
(In reply to comment #2)
> Review of attachment 281633:
> 
> I didn't know about this miniobject revival thing on its dispose. Nice catch :)
> 
> It would be nice to have a small comment about the returns, though.

Ok, I'll do. For your interest, this is what we use in buffer pool to revive a buffer. It's possible that this has changed in the API since 0.10, hence the reason we have this bug.
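To make the dispose/revive contract behind this report and comment 3 concrete, here is an added example in C. It is not GStreamer code and not part of the patch attached to this bug; it models the shape of gst_mini_object_unref(): when the last reference drops, the dispose callback runs first, and only a TRUE return lets the object be freed, while FALSE means the callback kept the object alive (here, by taking a new reference and parking the buffer in a cache, which is how a buffer pool revives a buffer). The cache, the `reusable` flag, the function names and the simulated free are assumptions made for this illustration only. Because actually calling free() on the buggy path would be undefined behaviour, the example records "freed" in a flag instead, so the two build-dependent outcomes the reporter describes (always freed and later reused, or never freed) can be observed safely.

```c
#include <stdbool.h>
#include <stdio.h>

#define CACHE_SIZE 4

typedef struct MiniObject MiniObject;

/* Same contract as GstMiniObjectDisposeFunction: return true to let the
 * object be freed, false to keep it alive (the callback took a new ref). */
typedef bool (*DisposeFunc)(MiniObject *obj);

typedef struct {                /* assumed: the source's buffer cache */
    MiniObject *slots[CACHE_SIZE];
    int n;
} Cache;

struct MiniObject {
    int refcount;
    DisposeFunc dispose;
    Cache *cache;
    bool reusable;              /* assumed: false when the buffer cannot be recycled */
    bool freed;                 /* stands in for free(); a real free here would be UB */
};

/* Shape of gst_mini_object_unref(): on the last unref, dispose runs first
 * and only a true return releases the memory. */
static void mini_object_unref(MiniObject *obj)
{
    if (--obj->refcount > 0)
        return;
    if (obj->dispose != NULL && !obj->dispose(obj))
        return;                 /* revived: the callback owns it again */
    obj->freed = true;          /* simulated free() */
}

static MiniObject *cache_pop(Cache *c)
{
    return c->n > 0 ? c->slots[--c->n] : NULL;
}

/* Try to park the object for reuse; on success the cache owns one
 * reference. Returns false when the object cannot be kept. */
static bool cache_park(MiniObject *obj)
{
    if (!obj->reusable || obj->cache->n >= CACHE_SIZE)
        return false;
    obj->refcount = 1;
    obj->cache->slots[obj->cache->n++] = obj;
    return true;
}

/* Correct callback: parked => false (keep), not parked => true (free). */
static bool dispose_correct(MiniObject *obj)
{
    return !cache_park(obj);
}

/* A build where the missing return reads as TRUE: the object is parked,
 * yet unref() frees it while the cache still points at it. */
static bool dispose_always_true(MiniObject *obj)
{
    cache_park(obj);
    return true;
}

/* A build where it reads as FALSE: an object nobody kept is never freed. */
static bool dispose_always_false(MiniObject *obj)
{
    cache_park(obj);
    return false;
}

enum { OUTCOME_OK = 0, OUTCOME_USE_AFTER_FREE = 1, OUTCOME_LEAK = 2 };

/* Unref a buffer so it goes through dispose, then pop the cache for the
 * next frame, as ximagesrc does, and classify what the caller would get. */
static int recycle_once(DisposeFunc dispose, bool reusable)
{
    Cache cache = { { NULL }, 0 };
    MiniObject buf = { 1, dispose, &cache, reusable, false };
    MiniObject *reused;
    mini_object_unref(&buf);
    reused = cache_pop(&cache);
    if (reused != NULL && reused->freed)
        return OUTCOME_USE_AFTER_FREE;  /* dangling pointer handed out */
    if (reused == NULL && !buf.freed)
        return OUTCOME_LEAK;            /* unreachable and never released */
    return OUTCOME_OK;
}

int main(void)
{
    static const char *const names[] = { "ok", "use-after-free", "leak" };
    printf("correct, reusable:          %s\n", names[recycle_once(dispose_correct, true)]);
    printf("always TRUE, reusable:      %s\n", names[recycle_once(dispose_always_true, true)]);
    printf("always FALSE, not reusable: %s\n", names[recycle_once(dispose_always_false, false)]);
    return 0;
}
```

The "always TRUE" case is the path in the valgrind trace above: the buffer is unreffed, the cache still holds it, and the next pop hands out memory that was already released. The "always FALSE" case is the other build the reporter mentions, where a buffer that was not parked is never freed. A gboolean function with no return statement yields whatever happens to be in the return register, which is why the symptom depended on the build; compiling with `-Wall` (which enables `-Wreturn-type` in GCC and Clang) reports control reaching the end of a non-void function and would have flagged the missing return.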
Comment 4 Nicolas Dufresne (ndufresne) 2014-07-31 13:19:02 UTC
Master
c82052e ximagesrc: Add missing return value to Buffer dispose function
1.4
c2dbd18 ximagesrc: Add missing return value to Buffer dispose function