Bug 553295 - [riff] fuzzed AVI file causes segfault
Status: RESOLVED FIXED
Product: GStreamer
Classification: Platform
Component: gst-plugins-base
Version: 0.10.19
Hardware: Other
OS: All
Importance: Normal critical
Target Milestone: 0.10.23
Assigned To: GStreamer Maintainers
QA Contact: GStreamer Maintainers
Depends on:
Blocks:
Reported: 2008-09-22 18:35 UTC by Craig
Modified: 2009-02-11 17:36 UTC
See Also:
GNOME target: ---
GNOME version: 2.23/2.24
Description Craig 2008-09-22 18:35:21 UTC
Steps to reproduce:
1. Open totem
2. Play attached mpeg
3. Look at crash


Stack trace:

Thread 4 (Thread 0x41840950 (LWP 24943))

  #0  memcpy                 from /lib/libc.so.6
  #1  g_memdup               from /usr/lib/libglib-2.0.so.0
  #2  ??                     from /usr/lib/gstreamer-0.10/libgstavi.so
  #3  ??                     from /usr/lib/gstreamer-0.10/libgstavi.so
  #4  ??                     from /usr/lib/gstreamer-0.10/libgstavi.so
  #5  ??                     from /usr/lib/libgstreamer-0.10.so.0
  #6  ??                     from /usr/lib/libglib-2.0.so.0
  #7  ??                     from /usr/lib/libglib-2.0.so.0
  #8  start_thread           from /lib/libpthread.so.0
  #9  clone                  from /lib/libc.so.6
  #10 ??

Other information:
https://bugs.launchpad.net/ubuntu/+source/gstreamer0.10/+bug/164940
Comment 1 Tim-Philipp Müller 2009-02-11 17:00:46 UTC
Thanks for the bug report. This is fixed in -base git master now:

commit 1fedfec22018267efe34a2f42890543631ef2a24
Author: Tim-Philipp Müller <tim.muller@collabora.co.uk>
Date:   Wed Feb 11 16:39:55 2009 +0000

    riff: error out on nonsensical chunk sizes instead of aborting
    
    When encountering a nonsensical chunk size such as (guint)-1, error out cleanly instead of
    continuing and trying to g_memdup() 4GB of data that doesn't exist, which will either abort
    in g_malloc() or crash.
    
    Fixes #553295, crash with fuzzed AVI file.
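The fix described in the commit above comes down to one rule: a RIFF chunk's declared size must be checked against the bytes actually available before anything is allocated or copied for it. The following is an added example, not GStreamer's riff code, showing that check in a small stand-alone chunk reader; the `riff_read_chunk`, `riff_chunk_dup` and `count_rejected_chunks` functions and the two byte buffers are constructed for this illustration. The fuzzed buffer carries the `(guint)-1` size from the commit message and is rejected before any `g_memdup()`-style copy can run.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical, simplified RIFF chunk reader (added example, not GStreamer code).
 * A RIFF chunk is an 8-byte header (4-byte fourcc + 4-byte little-endian size)
 * followed by `size` payload bytes. */

typedef enum {
  CHUNK_OK = 0,
  CHUNK_ERR_SHORT_HEADER,    /* fewer than 8 bytes left for fourcc + size   */
  CHUNK_ERR_SIZE_TOO_LARGE   /* declared size exceeds the data we really have */
} chunk_status_t;

typedef struct {
  char fourcc[5];            /* NUL-terminated copy of the chunk id          */
  uint32_t size;             /* validated payload length                     */
  const uint8_t *data;       /* pointer into the caller's buffer             */
} riff_chunk_t;

static uint32_t read_le32(const uint8_t *p) {
  return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
         ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Parse the chunk header at `offset` and validate its size against the
 * remaining bytes.  Nothing is allocated here, so a bogus size such as
 * 0xffffffff costs nothing more than an error return. */
chunk_status_t riff_read_chunk(const uint8_t *buf, size_t buf_len,
                               size_t offset, riff_chunk_t *out) {
  if (offset > buf_len || buf_len - offset < 8)
    return CHUNK_ERR_SHORT_HEADER;

  uint32_t size = read_le32(buf + offset + 4);
  size_t avail = buf_len - offset - 8;
  if (size > avail)                       /* the check the commit adds */
    return CHUNK_ERR_SIZE_TOO_LARGE;

  memcpy(out->fourcc, buf + offset, 4);
  out->fourcc[4] = '\0';
  out->size = size;
  out->data = buf + offset + 8;
  return CHUNK_OK;
}

/* Copy the payload of an already validated chunk.  This is the only place
 * a size reaches malloc(), and only after riff_read_chunk() accepted it. */
uint8_t *riff_chunk_dup(const riff_chunk_t *c) {
  uint8_t *copy = malloc(c->size ? c->size : 1);
  if (copy != NULL && c->size > 0)
    memcpy(copy, c->data, c->size);
  return copy;
}

/* Constructed sample input: a well-formed 4-byte "data" chunk ... */
static const uint8_t good_chunk[] = {
  'd', 'a', 't', 'a', 0x04, 0x00, 0x00, 0x00, 0x01, 0x02, 0x03, 0x04
};
/* ... and the same chunk with the size field fuzzed to (guint)-1. */
static const uint8_t fuzzed_chunk[] = {
  'd', 'a', 't', 'a', 0xff, 0xff, 0xff, 0xff, 0x01, 0x02, 0x03, 0x04
};

/* Run both samples through the reader; returns how many were rejected. */
int count_rejected_chunks(void) {
  riff_chunk_t c;
  int rejected = 0;
  if (riff_read_chunk(good_chunk, sizeof good_chunk, 0, &c) == CHUNK_OK) {
    uint8_t *payload = riff_chunk_dup(&c);
    free(payload);
  } else {
    rejected++;
  }
  if (riff_read_chunk(fuzzed_chunk, sizeof fuzzed_chunk, 0, &c) != CHUNK_OK)
    rejected++;
  return rejected;
}

int main(void) {
  riff_chunk_t c;
  chunk_status_t st = riff_read_chunk(fuzzed_chunk, sizeof fuzzed_chunk, 0, &c);
  printf("fuzzed chunk status: %d (1 rejected of 2 samples: %d)\n",
         (int)st, count_rejected_chunks());
  return 0;
}
```

The comparison `size > avail` is done in `size_t` after subtracting the header length from the remaining buffer, so there is no arithmetic on the untrusted value itself and no way for it to wrap; a demuxer that streams rather than holding the whole file would compare against the known file size or a sane per-chunk ceiling in the same spot.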