Bug 532864 – gstreamer-properties crashed with SIGSEGV in strcmp()

After an evaluation, GNOME has moved from Bugzilla to GitLab. Learn more about GitLab.
No new issues can be reported in GNOME Bugzilla anymore.
To report an issue in a GNOME project, go to GNOME GitLab.
Do not go to GNOME Gitlab for: Bluefish, Doxygen, GnuCash, GStreamer, java-gnome, LDTP, NetworkManager, Tomboy.

Bug 532864 - gstreamer-properties crashed with SIGSEGV in strcmp()


Summary:	gstreamer-properties crashed with SIGSEGV in strcmp()


Status:	RESOLVED INCOMPLETE

Product:	GStreamer
Classification:	Platform
Component:	gst-plugins-base
Version:	0.10.18
Hardware:	Other Linux

Importance:	Normal critical
Target Milestone:	git master
Assigned To:	GStreamer Maintainers
QA Contact:	GStreamer Maintainers

URL:
Whiteboard:

Depends on:
Blocks:

Reported:	2008-05-13 01:11 UTC by Pedro Villavicencio
Modified:	2009-04-14 18:38 UTC

See Also:
GNOME target:	---
GNOME version:	2.21/2.22

Description Pedro Villavicencio 2008-05-13 01:11:22 UTC

This report has been filed here:

https://bugs.edge.launchpad.net/ubuntu/+source/gnome-media/+bug/217965

"crashed while testing video in from webcam. My webcam is a Genius WebCamMesenger with a Microdia chip on it

lsusb:
Bus 003 Device 002: ID 0c45:602e Microdia"

".

+ Trace 197579

Thread 1 (process 6586)

#0 strcmp
from /lib/libc.so.6
#1 gst_property_probe_get_property
at propertyprobe.c line 121
#2 update_from_option
at gstreamer-properties.c line 225
#3 IA__g_closure_invoke
at /build/buildd/glib2.0-2.16.3/gobject/gclosure.c line 490
#4 signal_emit_unlocked_R
at /build/buildd/glib2.0-2.16.3/gobject/gsignal.c line 2440
#5 IA__g_signal_emit_valist
at /build/buildd/glib2.0-2.16.3/gobject/gsignal.c line 2199
#6 IA__g_signal_emit
at /build/buildd/glib2.0-2.16.3/gobject/gsignal.c line 2243
#7 gtk_option_menu_update_contents
at /build/buildd/gtk+2.0-2.12.9/gtk/gtkoptionmenu.c line 705
#8 IA__g_closure_invoke
at /build/buildd/glib2.0-2.16.3/gobject/gclosure.c line 490
#9 signal_emit_unlocked_R
at /build/buildd/glib2.0-2.16.3/gobject/gsignal.c line 2510
#10 IA__g_signal_emit_valist
at /build/buildd/glib2.0-2.16.3/gobject/gsignal.c line 2199
#11 IA__g_signal_emit
at /build/buildd/glib2.0-2.16.3/gobject/gsignal.c line 2243
#12 IA__gtk_menu_shell_activate_item
at /build/buildd/gtk+2.0-2.12.9/gtk/gtkmenushell.c line 1154
#13 gtk_menu_shell_button_release
at /build/buildd/gtk+2.0-2.12.9/gtk/gtkmenushell.c line 674
#14 _gtk_marshal_BOOLEAN__BOXED
at /build/buildd/gtk+2.0-2.12.9/gtk/gtkmarshalers.c line 84
#15 IA__g_closure_invoke
at /build/buildd/glib2.0-2.16.3/gobject/gclosure.c line 490
#16 signal_emit_unlocked_R
at /build/buildd/glib2.0-2.16.3/gobject/gsignal.c line 2478
#17 IA__g_signal_emit_valist
at /build/buildd/glib2.0-2.16.3/gobject/gsignal.c line 2209
#18 IA__g_signal_emit
at /build/buildd/glib2.0-2.16.3/gobject/gsignal.c line 2243
#19 gtk_widget_event_internal
at /build/buildd/gtk+2.0-2.12.9/gtk/gtkwidget.c line 4678
#20 IA__gtk_propagate_event
at /build/buildd/gtk+2.0-2.12.9/gtk/gtkmain.c line 2336
#21 IA__gtk_main_do_event
at /build/buildd/gtk+2.0-2.12.9/gtk/gtkmain.c line 1556
#22 gdk_event_dispatch
at /build/buildd/gtk+2.0-2.12.9/gdk/x11/gdkevents-x11.c line 2351
#23 IA__g_main_context_dispatch
at /build/buildd/glib2.0-2.16.3/glib/gmain.c line 2009
#24 g_main_context_iterate
at /build/buildd/glib2.0-2.16.3/glib/gmain.c line 2642
#25 IA__g_main_loop_run
at /build/buildd/glib2.0-2.16.3/glib/gmain.c line 2850
#26 IA__gtk_main
at /build/buildd/gtk+2.0-2.12.9/gtk/gtkmain.c line 1163
#27 main
at gstreamer-properties.c line 664

Comment 1 Marc-Andre Lureau 2008-06-02 17:41:19 UTC

I am not sure if it's a gstreamer issue.

Comment 2 Marc-Andre Lureau 2008-09-01 17:40:08 UTC

let's reassign to gstreamer. It's hard to tell which element is causing the crash. Any idea? v4lsrc?

Comment 3 Stefan Sauer (gstreamer, gtkdoc dev) 2008-09-05 13:16:08 UTC

strcmp crashes if either argument is NULL. As this is the code, the only explanation would be pspecs->data==NULL. This would mean that the v4lsrc or v4l2src have no "device" property. For now I added a check for pspec!=NULL. Not sure what to do with the bug though.

const GParamSpec *
gst_property_probe_get_property (GstPropertyProbe * probe, const gchar * name)
{
  const GList *pspecs = gst_property_probe_get_properties (probe);

  g_return_val_if_fail (probe != NULL, NULL);
  g_return_val_if_fail (name != NULL, NULL);

  while (pspecs) {
    const GParamSpec *pspec = pspecs->data;

    if (!strcmp (pspec->name, name))
      return pspec;

    pspecs = pspecs->next;
  }

  return NULL;
}

Comment 4 Tim-Philipp Müller 2008-09-13 11:20:56 UTC

If pspec was NULL, it wouldn't be crashing in strcmp(), but in gst_property_probe_get_property(), would it? So I don't really see how your fix makes sense.

> strcmp crashes if either argument is NULL.

It might also crash if either argument is a bogus pointer or a pointer to freed memory, or memory corruption occured that makes strcmp read beyond the allocated memory etc.

Comment 5 Stefan Sauer (gstreamer, gtkdoc dev) 2008-09-13 17:41:41 UTC

When gst_property_probe_get_property() iterates over pspecs and pspecs->data (=pspec) is NULL, then it would pass random data to strcmp when dereferencing pspec->name. That would also match with the backtrace. I can't reproduce it here, but don't see how checking that pspec!=NULL is a bad thing anyway.

The only thing incorrect in my comment was what you quoted. The crash is more likely because of a dereferenced NULL pointer.

Comment 6 Stefan Sauer (gstreamer, gtkdoc dev) 2009-03-14 20:27:02 UTC

Pedro, does that still happen?

Comment 7 Pedro Villavicencio 2009-03-16 13:07:04 UTC

I'm asking in the downstream report, will comment back as soon as i get a response there, thanks.

Comment 8 Stefan Sauer (gstreamer, gtkdoc dev) 2009-04-14 07:58:05 UTC

Pedro, any reply?

Comment 9 Pedro Villavicencio 2009-04-14 18:38:42 UTC

Nope, didn't get any reply on the downstream report, Let's close this report if i got any comment there regarding if it's still an issue with latest packages will reopen this report, thanks Stefan.