Bug 336370 – [asfdemux] crashes on an assertion in gst_asf_demux_get_var_length

After an evaluation, GNOME has moved from Bugzilla to GitLab. Learn more about GitLab.
No new issues can be reported in GNOME Bugzilla anymore.
To report an issue in a GNOME project, go to GNOME GitLab.
Do not go to GNOME Gitlab for: Bluefish, Doxygen, GnuCash, GStreamer, java-gnome, LDTP, NetworkManager, Tomboy.

Bug 336370 - [asfdemux] crashes on an assertion in gst_asf_demux_get_var_length


Summary:	[asfdemux] crashes on an assertion in gst_asf_demux_get_var_length


Status:	RESOLVED FIXED

Product:	GStreamer
Classification:	Platform
Component:	gst-plugins-ugly
Version:	0.10.2
Hardware:	Other Linux

Importance:	Immediate blocker
Target Milestone:	0.10.6
Assigned To:	Tim-Philipp Müller
QA Contact:	GStreamer Maintainers

URL:
Whiteboard:

Duplicates:	351339 351588 355359 355408 356800 357302 358444 358580 360346 360920 361545 361700 362093 362529 362640 362654 362999 364195 364986 365069 365410 365497 365517 366108 366191 366413 366601 367518 368049 368192 368473 368541 368720 369119 370009 370437 370457 370756 371199 371311 371867 371928 372135 372688 372691 372693 379526 384567 385667 385681 388828 389338 391549 392868 393304 397654 397887 406994 408650 411132 411677 411961 416880 418706 419659 420773 421654 421706 421892 430980 436144 439488 440099 451869 454510 455134 460143 460556 467327 467808 468381 470486 477515 480585 483007 486208 490525 490689 495949 497479 497721 500840 508260 514582 521850 (view as bug list)
Depends on:
Blocks:

Reported:	2006-03-28 16:34 UTC by Sebastien Bacher
Modified:	2008-11-15 20:08 UTC

See Also:
GNOME target:	2.16.x
GNOME version:	---

Attachments
dumb patch that fixes the crash (7.53 KB, patch) 2007-01-24 00:41 UTC, xbx	none	Details \| Review
same as above, but fixed checks before calls to gst_asf_demux_get_var_length() (8.79 KB, patch) 2007-01-24 17:45 UTC, Tim-Philipp Müller	committed	Details \| Review

Description Sebastien Bacher 2006-03-28 16:34:13 UTC

With totem-gstreamer 1.4.0-0ubuntu2 gstreamer0.10-plugins-ugly 0.10.2-0ubuntu2, when moving to a .wmv:

** ERROR **: file gstasfdemux.c: line 490 (gst_asf_demux_get_var_length): assertion failed: (*p_size >= 2)
aborting...

Backtrace was generated from '/usr/bin/totem'

(no debugging symbols found)
Using host libthread_db library "/lib/tls/i686/cmov/libthread_db.so.1".
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
[Thread debugging using libthread_db enabled]
[New Thread -1225419072 (LWP 14389)]
[New Thread -1295107152 (LWP 14400)]
[New Thread -1276691536 (LWP 14398)]
[New Thread -1268298832 (LWP 14397)]
[New Thread -1256510544 (LWP 14396)]
[New Thread -1247851600 (LWP 14393)]
[New Thread -1239458896 (LWP 14392)]
[New Thread -1238795344 (LWP 14390)]
0xffffe410 in __kernel_vsyscall ()

+ Trace 67298

Thread 5 (Thread -1256510544 (LWP 14396))

#0 __kernel_vsyscall
#1 __waitpid_nocancel
from /lib/tls/i686/cmov/libpthread.so.0
#2 libgnomeui_segv_handle
at gnome-ui-init.c line 792
#3 <signal handler called>
#4 __kernel_vsyscall
#5 raise
from /lib/tls/i686/cmov/libc.so.6
#6 abort
from /lib/tls/i686/cmov/libc.so.6
#7 g_logv
from /usr/lib/libglib-2.0.so.0
#8 g_log
from /usr/lib/libglib-2.0.so.0
#9 g_assert_warning
from /usr/lib/libglib-2.0.so.0
#10 gst_asf_demux_get_type
from /usr/lib/gstreamer-0.10/libgstasf.so
#11 gst_asf_demux_get_type
from /usr/lib/gstreamer-0.10/libgstasf.so
#12 gst_pad_chain
at gstpad.c line 3189
#13 gst_pad_push
at gstpad.c line 3288
#14 gst_type_find_element_chain
at gsttypefindelement.c line 525
#15 gst_pad_chain
at gstpad.c line 3189
#16 gst_proxy_pad_do_chain
at gstghostpad.c line 205
#17 gst_pad_chain
at gstpad.c line 3189
#18 gst_pad_push
at gstpad.c line 3288
#19 gst_base_src_loop
at gstbasesrc.c line 1381
#20 gst_task_func
at gsttask.c line 193
#21 g_thread_pool_thread_proxy
from /usr/lib/libglib-2.0.so.0
#22 g_thread_create_proxy
from /usr/lib/libglib-2.0.so.0
#23 start_thread
from /lib/tls/i686/cmov/libpthread.so.0
#24 clone
from /lib/tls/i686/cmov/libc.so.6

Comment 1 Wim Taymans 2006-04-20 16:52:39 UTC

can you provide a sample asf file?

Comment 2 Sebastien Bacher 2006-04-20 20:39:02 UTC

example pointed on IRC, reopening it

Comment 3 Tim-Philipp Müller 2006-06-28 10:54:52 UTC

The file from bug #345879 has a similar problem (assert in same function), can be triggered with a simple

 gst-launch-0.10 filesrc location=Burning_Sands_xd720.wmv ! asfdemux ! fakesink

Comment 4 Tim-Philipp Müller 2006-08-16 08:52:16 UTC

*** Bug 351339 has been marked as a duplicate of this bug. ***

Comment 5 Tim-Philipp Müller 2006-09-04 09:28:48 UTC

*** Bug 351588 has been marked as a duplicate of this bug. ***

Comment 6 Tim-Philipp Müller 2006-09-11 10:19:15 UTC

*** Bug 355408 has been marked as a duplicate of this bug. ***

Comment 7 Karsten Bräckelmann 2006-09-13 22:42:19 UTC

*** Bug 355359 has been marked as a duplicate of this bug. ***

Comment 8 Karsten Bräckelmann 2006-09-19 21:02:20 UTC

*** Bug 356800 has been marked as a duplicate of this bug. ***

Comment 9 sedat 2006-09-21 15:12:07 UTC

(In reply to comment #1)
> can you provide a sample asf file?
> 

Yes i can, although I've already deleted this file after my testing.
The wmv file is still available for download though at: http://www.question911.com/linkout.php?filename=Bush%20Stole%20The%20Election%20BBC%20Documentary.wmv

Thanks already for looking into it.
Bye, I

Comment 10 Karsten Bräckelmann 2006-09-23 13:51:28 UTC

*** Bug 357302 has been marked as a duplicate of this bug. ***

Comment 11 Elijah Newren 2006-09-30 07:10:45 UTC

*** Bug 358444 has been marked as a duplicate of this bug. ***

Comment 12 Karsten Bräckelmann 2006-09-30 17:52:33 UTC

*** Bug 358580 has been marked as a duplicate of this bug. ***

Comment 13 Tim-Philipp Müller 2006-10-07 11:48:03 UTC

*** Bug 360346 has been marked as a duplicate of this bug. ***

Comment 14 Karsten Bräckelmann 2006-10-09 16:02:47 UTC

*** Bug 360920 has been marked as a duplicate of this bug. ***

Comment 15 Karsten Bräckelmann 2006-10-11 20:32:33 UTC

*** Bug 361545 has been marked as a duplicate of this bug. ***

Comment 16 Karsten Bräckelmann 2006-10-12 18:28:15 UTC

*** Bug 361700 has been marked as a duplicate of this bug. ***

Comment 17 Karsten Bräckelmann 2006-10-14 15:59:48 UTC

*** Bug 362093 has been marked as a duplicate of this bug. ***

Comment 18 Karsten Bräckelmann 2006-10-16 06:55:40 UTC

*** Bug 362529 has been marked as a duplicate of this bug. ***

Comment 19 Karsten Bräckelmann 2006-10-16 20:37:36 UTC

*** Bug 362640 has been marked as a duplicate of this bug. ***

Comment 20 Karsten Bräckelmann 2006-10-17 22:54:24 UTC

*** Bug 362999 has been marked as a duplicate of this bug. ***

Comment 21 Karsten Bräckelmann 2006-10-22 15:12:55 UTC

*** Bug 364195 has been marked as a duplicate of this bug. ***

Comment 22 André Klapper 2006-10-25 13:48:56 UTC

*** Bug 364986 has been marked as a duplicate of this bug. ***

Comment 23 Karsten Bräckelmann 2006-10-25 18:12:34 UTC

*** Bug 365069 has been marked as a duplicate of this bug. ***

Comment 24 Karsten Bräckelmann 2006-10-26 19:50:23 UTC

*** Bug 365410 has been marked as a duplicate of this bug. ***

Comment 25 Karsten Bräckelmann 2006-10-27 01:26:24 UTC

*** Bug 365517 has been marked as a duplicate of this bug. ***

Comment 26 Tim-Philipp Müller 2006-10-27 11:07:27 UTC

*** Bug 365497 has been marked as a duplicate of this bug. ***

Comment 27 Karsten Bräckelmann 2006-10-28 18:17:19 UTC

*** Bug 366108 has been marked as a duplicate of this bug. ***

Comment 28 Karsten Bräckelmann 2006-10-28 18:17:27 UTC

*** Bug 366191 has been marked as a duplicate of this bug. ***

Comment 29 Karsten Bräckelmann 2006-10-28 18:17:35 UTC

*** Bug 366413 has been marked as a duplicate of this bug. ***

Comment 30 Karsten Bräckelmann 2006-10-29 01:30:26 UTC

*** Bug 366601 has been marked as a duplicate of this bug. ***

Comment 31 Karsten Bräckelmann 2006-10-30 11:33:02 UTC

*** Bug 367518 has been marked as a duplicate of this bug. ***

Comment 32 Tim-Philipp Müller 2006-10-31 10:18:13 UTC

*** Bug 368192 has been marked as a duplicate of this bug. ***

Comment 33 Tim-Philipp Müller 2006-10-31 10:24:30 UTC

*** Bug 368049 has been marked as a duplicate of this bug. ***

Comment 34 Tim-Philipp Müller 2006-10-31 14:03:00 UTC

*** Bug 362654 has been marked as a duplicate of this bug. ***

Comment 35 xavier.bestel 2006-10-31 14:10:57 UTC

Ok, I have a bunch of videos received by email (please, no comment on the bad taste of these videos) which play fine under Window Media Player, but fail under Linux. Some of them even play fine under xine or mplayer IIRC.
Anyway, here they are:
ftp://awak.dyndns.org/eichhoer.wmv
ftp://awak.dyndns.org/jojolidol.wmv
ftp://awak.dyndns.org/regis-pompier785.wmv
ftp://awak.dyndns.org/regis-ski854.wmv
ftp://awak.dyndns.org/regis-soigneur883.wmv
ftp://awak.dyndns.org/regis-velo862.wmv
ftp://awak.dyndns.org/regis-voleur826.wmv

As always, please put them somewhere else if possible, this machine isn't meant for public download at all.

Thanks,
        Xav

Comment 36 Karsten Bräckelmann 2006-10-31 19:43:16 UTC

*** Bug 368473 has been marked as a duplicate of this bug. ***

Comment 37 Karsten Bräckelmann 2006-10-31 22:59:53 UTC

*** Bug 368541 has been marked as a duplicate of this bug. ***

Comment 38 Tim-Philipp Müller 2006-11-01 09:13:27 UTC

*** Bug 368720 has been marked as a duplicate of this bug. ***

Comment 39 Karsten Bräckelmann 2006-11-02 01:37:20 UTC

*** Bug 369119 has been marked as a duplicate of this bug. ***

Comment 40 Karsten Bräckelmann 2006-11-03 14:33:44 UTC

*** Bug 370009 has been marked as a duplicate of this bug. ***

Comment 41 Karsten Bräckelmann 2006-11-04 19:01:13 UTC

*** Bug 370457 has been marked as a duplicate of this bug. ***

Comment 42 Karsten Bräckelmann 2006-11-04 19:01:19 UTC

*** Bug 370437 has been marked as a duplicate of this bug. ***

Comment 43 Karsten Bräckelmann 2006-11-05 19:34:54 UTC

*** Bug 370756 has been marked as a duplicate of this bug. ***

Comment 44 Karsten Bräckelmann 2006-11-06 02:24:31 UTC

*** Bug 371311 has been marked as a duplicate of this bug. ***

Comment 45 Karsten Bräckelmann 2006-11-06 16:13:11 UTC

*** Bug 371199 has been marked as a duplicate of this bug. ***

Comment 46 André Klapper 2006-11-07 01:10:54 UTC

31 duplicate in the last 30 days - gnome 2.16.x blocker.

Comment 47 Karsten Bräckelmann 2006-11-07 17:58:20 UTC

*** Bug 371928 has been marked as a duplicate of this bug. ***

Comment 48 Jan Arne Petersen 2006-11-07 19:22:22 UTC

*** Bug 372135 has been marked as a duplicate of this bug. ***

Comment 49 Karsten Bräckelmann 2006-11-09 01:35:33 UTC

*** Bug 372693 has been marked as a duplicate of this bug. ***

Comment 50 Karsten Bräckelmann 2006-11-09 01:35:42 UTC

*** Bug 372688 has been marked as a duplicate of this bug. ***

Comment 51 Karsten Bräckelmann 2006-11-09 01:35:48 UTC

*** Bug 372691 has been marked as a duplicate of this bug. ***

Comment 52 Jan Arne Petersen 2006-11-27 12:21:29 UTC

*** Bug 371867 has been marked as a duplicate of this bug. ***

Comment 53 Jan Arne Petersen 2006-11-27 12:21:59 UTC

*** Bug 379526 has been marked as a duplicate of this bug. ***

Comment 54 Christian Kirbach 2006-12-11 22:03:04 UTC

*** Bug 384567 has been marked as a duplicate of this bug. ***

Comment 55 Bruno Boaventura 2006-12-14 03:38:12 UTC

*** Bug 385667 has been marked as a duplicate of this bug. ***

Comment 56 Bruno Boaventura 2006-12-14 03:39:53 UTC

*** Bug 385681 has been marked as a duplicate of this bug. ***

Comment 57 Tim-Philipp Müller 2007-01-05 18:59:40 UTC

*** Bug 392868 has been marked as a duplicate of this bug. ***

Comment 58 André Klapper 2007-01-06 00:58:49 UTC

183 duplicates so far (including the reject ones), is anybody working on this?

Comment 59 Jens Granseuer 2007-01-06 16:18:44 UTC

*** Bug 393304 has been marked as a duplicate of this bug. ***

Comment 60 André Klapper 2007-01-08 18:18:45 UTC

OK, so apparently the problem is that none of the folks at Fluendo can touch that bug due to having an NDA with Microsoft, so it depends on someone else taking it on.

Any volunteers ready to take this?

Comment 61 André Klapper 2007-01-12 03:20:12 UTC

*** Bug 388828 has been marked as a duplicate of this bug. ***

Comment 62 André Klapper 2007-01-12 03:22:06 UTC

*** Bug 389338 has been marked as a duplicate of this bug. ***

Comment 63 André Klapper 2007-01-12 03:22:14 UTC

bug 389338 also provides a nice stacktrace

Comment 64 Jens Granseuer 2007-01-18 20:41:51 UTC

*** Bug 397887 has been marked as a duplicate of this bug. ***

Comment 65 xbx 2007-01-24 00:41:11 UTC

Created attachment 81027 [details] [review]
dumb patch that fixes the crash

I reproduced the crash, by playing the video in totem and seeking through it.
It's because the demuxer is on a buffer boundary and needs more data to proceed.
There is a mecanism in the code to deal with this, but it wasn't applied everywhere.

So I applied some dumb "do as the rest of the code" bug fixing, plugged a memleak on the way,  

And now it no longer crashes.

(but the demuxer as a whole obviously needs way more work to be robust.)

Comment 66 Tim-Philipp Müller 2007-01-24 17:45:51 UTC

Created attachment 81095 [details] [review]
same as above, but fixed checks before calls to gst_asf_demux_get_var_length()

Tbhanks a lot for this patch!

Unfortunately it doesn't entirely fix the issue for me, I still get asserts for this file for example, played locally from file:

  http://gstreamer.freedesktop.org/media/incoming/336370-jojolidol.wmv

The required size calculation before the gst_asf_demux_get_var_length() wasn't entirely correct as far as I can see (required_size is 4 bytes when the value is 3, not 3 bytes). After fixing that up, the problem disappears for me as well.

Attached the updated patch.


> (but the demuxer as a whole obviously needs way more work to be robust.)

No doubt about it. I've started working on a bit of a rewrite, but it's probably going to be a while before that's ready.

Comment 67 Tim-Philipp Müller 2007-01-24 17:48:28 UTC

Committed to CVS, will be in the next gst-plugins-ugly release (0.10.6):

 2007-01-24  Tim-Philipp Müller  <tim at centricular dot net>

        Patch by: Xavier B. <xavierb gmail com>

        * gst/asfdemux/gstasfdemux.c: (gst_asf_demux_get_guid),
        (gst_asf_demux_add_audio_stream), (gst_asf_demux_add_video_stream),
        (gst_asf_demux_process_ext_content_desc),
        (gst_asf_demux_process_data),
        (gst_asf_demux_process_language_list),
        (gst_asf_demux_process_ext_stream_props),
        (gst_asf_demux_process_segment), (gst_asf_demux_handle_data):
          Guard places where we assume that a certain amount of data is
          available better against less data being available (should fix
          infamous assertion crasher bug #336370). Also fixes a small
          memory leak.

Comment 68 André Klapper 2007-02-15 20:06:02 UTC

*** Bug 406994 has been marked as a duplicate of this bug. ***

Comment 69 James "Doc" Livingston 2007-02-17 11:53:32 UTC

*** Bug 408650 has been marked as a duplicate of this bug. ***

Comment 70 Philip Withnall 2007-03-02 06:23:29 UTC

*** Bug 411132 has been marked as a duplicate of this bug. ***

Comment 71 Philip Withnall 2007-03-02 06:37:11 UTC

*** Bug 411677 has been marked as a duplicate of this bug. ***

Comment 72 Philip Withnall 2007-03-02 06:43:48 UTC

*** Bug 411961 has been marked as a duplicate of this bug. ***

Comment 73 André Klapper 2007-03-16 01:08:56 UTC

*** Bug 416880 has been marked as a duplicate of this bug. ***

Comment 74 André Klapper 2007-03-16 01:43:57 UTC

*** Bug 418706 has been marked as a duplicate of this bug. ***

Comment 75 Tim-Philipp Müller 2007-03-24 19:26:20 UTC

*** Bug 397654 has been marked as a duplicate of this bug. ***

Comment 76 Philip Withnall 2007-03-25 14:18:05 UTC

*** Bug 420773 has been marked as a duplicate of this bug. ***

Comment 77 Philip Withnall 2007-03-25 14:26:27 UTC

*** Bug 421654 has been marked as a duplicate of this bug. ***

Comment 78 Philip Withnall 2007-03-25 14:28:37 UTC

*** Bug 421706 has been marked as a duplicate of this bug. ***

Comment 79 Alex Lancaster 2007-03-26 03:13:14 UTC

*** Bug 421892 has been marked as a duplicate of this bug. ***

Comment 80 Tim-Philipp Müller 2007-03-27 23:14:30 UTC

*** Bug 419659 has been marked as a duplicate of this bug. ***

Comment 81 Tim-Philipp Müller 2007-03-30 17:35:42 UTC

*** Bug 391549 has been marked as a duplicate of this bug. ***

Comment 82 Philip Withnall 2007-04-22 20:24:19 UTC

*** Bug 430980 has been marked as a duplicate of this bug. ***

Comment 83 Philip Withnall 2007-05-05 17:28:58 UTC

*** Bug 436144 has been marked as a duplicate of this bug. ***

Comment 84 Tim-Philipp Müller 2007-05-18 23:02:19 UTC

*** Bug 439488 has been marked as a duplicate of this bug. ***

Comment 85 Philip Withnall 2007-05-21 17:01:38 UTC

*** Bug 440099 has been marked as a duplicate of this bug. ***

Comment 86 Christian Kirbach 2007-06-28 13:17:06 UTC

*** Bug 451869 has been marked as a duplicate of this bug. ***

Comment 87 Jonathan Matthew 2007-07-07 22:57:46 UTC

*** Bug 454510 has been marked as a duplicate of this bug. ***

Comment 88 Jonathan Matthew 2007-07-10 09:10:41 UTC

*** Bug 455134 has been marked as a duplicate of this bug. ***

Comment 89 Jonathan Matthew 2007-07-25 11:48:14 UTC

*** Bug 460143 has been marked as a duplicate of this bug. ***

Comment 90 Jonathan Matthew 2007-07-29 02:27:02 UTC

*** Bug 460556 has been marked as a duplicate of this bug. ***

Comment 91 Philip Withnall 2007-08-16 21:45:02 UTC

*** Bug 467327 has been marked as a duplicate of this bug. ***

Comment 92 Philip Withnall 2007-08-18 08:02:28 UTC

*** Bug 467808 has been marked as a duplicate of this bug. ***

Comment 93 Philip Withnall 2007-09-01 19:09:02 UTC

*** Bug 468381 has been marked as a duplicate of this bug. ***

Comment 94 Philip Withnall 2007-09-01 23:51:51 UTC

*** Bug 470486 has been marked as a duplicate of this bug. ***

Comment 95 Philip Withnall 2007-09-16 19:22:34 UTC

*** Bug 477515 has been marked as a duplicate of this bug. ***

Comment 96 Philip Withnall 2007-09-26 16:27:01 UTC

*** Bug 480585 has been marked as a duplicate of this bug. ***

Comment 97 Jonathan Matthew 2007-10-05 10:28:03 UTC

*** Bug 483007 has been marked as a duplicate of this bug. ***

Comment 98 Philip Withnall 2007-10-21 11:51:53 UTC

*** Bug 486208 has been marked as a duplicate of this bug. ***

Comment 99 Philip Withnall 2007-10-26 14:45:23 UTC

*** Bug 490525 has been marked as a duplicate of this bug. ***

Comment 100 Philip Withnall 2007-10-27 12:50:08 UTC

*** Bug 490689 has been marked as a duplicate of this bug. ***

Comment 101 Philip Withnall 2007-11-12 07:27:49 UTC

*** Bug 495949 has been marked as a duplicate of this bug. ***

Comment 102 Philip Withnall 2007-11-18 17:35:43 UTC

*** Bug 497479 has been marked as a duplicate of this bug. ***

Comment 103 Philip Withnall 2007-11-18 17:42:01 UTC

*** Bug 497721 has been marked as a duplicate of this bug. ***

Comment 104 Philip Withnall 2007-12-01 16:42:14 UTC

*** Bug 500840 has been marked as a duplicate of this bug. ***

Comment 105 Philip Withnall 2008-01-09 17:46:35 UTC

*** Bug 508260 has been marked as a duplicate of this bug. ***

Comment 106 Philip Withnall 2008-02-05 19:31:52 UTC

*** Bug 514582 has been marked as a duplicate of this bug. ***

Comment 107 Philip Withnall 2008-03-11 22:48:03 UTC

*** Bug 521850 has been marked as a duplicate of this bug. ***

Comment 108 André Klapper 2008-11-15 20:08:23 UTC

No new rejected duplicate reports for one year, hence removing from auto-stacktrace-reject list.