Bug 573369 – [gstfaad] Memory corruption and segfault

After an evaluation, GNOME has moved from Bugzilla to GitLab. Learn more about GitLab.
No new issues can be reported in GNOME Bugzilla anymore.
To report an issue in a GNOME project, go to GNOME GitLab.
Do not go to GNOME Gitlab for: Bluefish, Doxygen, GnuCash, GStreamer, java-gnome, LDTP, NetworkManager, Tomboy.

Bug 573369 - (faad-setcaps) [gstfaad] Memory corruption and segfault

(faad-setcaps)
Summary:	[gstfaad] Memory corruption and segfault


Status:	RESOLVED FIXED

Product:	GStreamer
Classification:	Platform
Component:	gst-plugins-bad
Version:	git master
Hardware:	Other Linux

Importance:	Normal blocker
Target Milestone:	0.10.11
Assigned To:	Edward Hervey
QA Contact:	GStreamer Maintainers

URL:
Whiteboard:

Duplicates:	574407 574877 575400 575840 577230 (view as bug list)
Depends on:
Blocks:

Reported:	2009-02-27 10:13 UTC by Edward Hervey
Modified:	2009-03-29 22:08 UTC

See Also:
GNOME target:	---
GNOME version:	---

Attachments
Avoid stack screwup (796 bytes, patch) 2009-03-01 15:12 UTC, Edward Hervey	none	Details \| Review
A more extensive fixup. (2.22 KB, patch) 2009-03-01 16:41 UTC, Edward Hervey	none	Details \| Review
Proper patch with detection in configure (2.71 KB, patch) 2009-03-04 16:14 UTC, Edward Hervey	none	Details \| Review
gstfaad.c only patch using latest commits (1.99 KB, patch) 2009-03-05 08:28 UTC, Edward Hervey	committed	Details \| Review

Description Edward Hervey 2009-02-27 10:13:34 UTC

When using the latest faad2 release, using the gstfaad plugin segfaults.

It seems to be some kind of memory corruption, since it happens just after the return from gst_faad_setcaps.

Platform: amd64
Distribution: gentoo ~amd64 (up to date)
GStreamer: git of everything

+ Trace 212951

#0 gst_pad_set_caps
at gstpad.c line 2480
#0 gst_pad_set_caps
at gstpad.c line 2480
#1 gst_pad_chain_unchecked
at gstpad.c line 3927
#2 gst_pad_push
at gstpad.c line 4109
#3 gst_queue_loop
at gstqueue.c line 1042
#4 gst_task_func
at gsttask.c line 192
#5 g_thread_pool_thread_proxy
at gthreadpool.c line 265
#6 g_thread_create_proxy
at gthread.c line 635
#7 start_thread
at pthread_create.c line 297
#8 clone
at ../sysdeps/unix/sysv/linux/x86_64/clone.S line 112
#9 ??

Comment 1 Priit Laes (IRC: plaes) 2009-02-28 15:21:55 UTC

This breaks swfdec (just try playing any youtube video :) )

Comment 2 Edward Hervey 2009-03-01 09:45:13 UTC

I've been digging a bit deeper at this (both faad2-2.7 and gstfaad compiled with -O0):

The corruption seems to happen during the call to faacDecInit2, since the stack is corrupted when you return from that function call (all local variables are busted).

I'll try to dig in deeper.

P.S. It would be awesome if I could figure out faad's bugtracker... or mailing list :(

Comment 3 Edward Hervey 2009-03-01 15:12:22 UTC

Created attachment 129783 [details] [review]
Avoid stack screwup

The problem is that in faad2-2.7, somebody changed the *INTERNAL* prototype of the DecInit2 method without changing the public '/usr/include' header.

previously:
int8_t NEAACDECAPI NeAACDecInit2(NeAACDecHandle hDecoder, uint8_t *pBuffer,
                                 uint32_t SizeOfDecoderSpecificInfo,
                                 uint32_t *samplerate, uint8_t *channels)

faad-2.7:
char NEAACDECAPI NeAACDecInit2(NeAACDecHandle hpDecoder,
                               unsigned char *pBuffer,
                               unsigned long SizeOfDecoderSpecificInfo,
                               unsigned long *samplerate,
                               unsigned char *channels)

While this looks very innocent, the problem is that we *WERE* passing it previously a pointer to a guint32 value, which was coherent with the previous (internal) prototype.

But on 64bit ... unsigned long is 64bit wide. So we're passing it a pointer to a guint32 value, and it's assuming it's a 64bit value, ergo writing 8 bytes instead of 4 at *samplerate... and writing over the stack.

Comment 4 Edward Hervey 2009-03-01 16:17:11 UTC

and it gets worse...

This was all due to our 'redefinition' of the init prototypes at the top of gstfaad.c

extern long faacDecInit (faacDecHandle, guint8 *, guint32, guint32 *, guint8 *);
extern int8_t faacDecInit2 (faacDecHandle, guint8 *, guint32,
    guint32 *, guint8 *);


We force the samplerate argument to be a (guint32 *), whereas they've now fixed their issues, and the public headers are now in sync with the internal ones.

What do we do ? pushing this up to blocker.

Comment 5 Edward Hervey 2009-03-01 16:41:37 UTC

Created attachment 129790 [details] [review]
A more extensive fixup.

Comment 6 Michael Smith 2009-03-01 18:21:28 UTC

Ugh, so they changed the ABI (on 64 bit systems at least). Great.

We need to detect which version we're using, and then put some #ifdef HAVE_FAAD_2_7 around our override-prototypes, etc.

Comment 7 Edward Hervey 2009-03-04 16:14:57 UTC

Created attachment 130031 [details] [review]
Proper patch with detection in configure

This updated patch fixes the issue the proper way.

I added a detection of faad2-2.7 in configure.ac which will define HAVE_FAAD_27 in config.gh if present.

Then all the "let's redefine the headers" cruft in gstfaad.c is dropped if HAVE_FAAD_27 is defined.

Comment 8 Tim-Philipp Müller 2009-03-04 16:50:01 UTC

No other way to detect the version (e.g. newly-added exported symbol or so)? AC_TRY_RUN() is always a bit problematic because it fails when cross-compiling.

Comment 9 Edward Hervey 2009-03-04 17:28:34 UTC

I welcome a better fix. My autocrack skills are not as good as one might expect.

But since the freeze is in 2 days... that better fix had better arrive quickly.

Otherwise, as MikeS suggested, since they fixed their headers, I'll replace 'gulong' by 'unsigned long'.

Comment 10 Tim-Philipp Müller 2009-03-04 21:04:33 UTC

Maybe this helps (and works for you as well):

commit 60080ee20bb900221ff2cfb8ca44db8cb3010542
Author: Tim-Philipp Müller <tim.muller@collabora.co.uk>
Date:   Wed Mar 4 20:37:51 2009 +0000

    configure: detect faad's minor version and define FAAD2_MINOR_VERSION in config.h

Comment 11 Edward Hervey 2009-03-05 08:12:20 UTC

neat, I'll adjust my patch and commit it!

Comment 12 Edward Hervey 2009-03-05 08:28:52 UTC

Created attachment 130099 [details] [review]
gstfaad.c only patch using latest commits

This new patch uses the latest additions to config.h by Tim, and uses 'unsigned long' for the samplerate argument if we're using a 'fixed' faad (let's just hope they don't break it again in future versions...)

Comment 13 Edward Hervey 2009-03-06 11:45:45 UTC

commit bdc9c5618a6d8f49c1efa3c05319d84087c0f455
Author: Edward Hervey <bilboed@bilboed.com>
Date:   Fri Mar 6 12:42:50 2009 +0100

    faad: Use the public headers if faad2 >= 2.7. Fixes #573369
    
    Since faad2-2.7, the public function prototypes are in sync with the
    actual function prototypes used internally in libfaad.

Comment 14 Tim-Philipp Müller 2009-03-06 19:20:59 UTC

*** Bug 574407 has been marked as a duplicate of this bug. ***

Comment 15 Tim-Philipp Müller 2009-03-11 09:37:08 UTC

*** Bug 574877 has been marked as a duplicate of this bug. ***

Comment 16 Philip Withnall 2009-03-15 09:20:34 UTC

*** Bug 575400 has been marked as a duplicate of this bug. ***

Comment 17 Tim-Philipp Müller 2009-03-18 16:54:16 UTC

*** Bug 575840 has been marked as a duplicate of this bug. ***

Comment 18 Philip Withnall 2009-03-29 22:08:27 UTC

*** Bug 577230 has been marked as a duplicate of this bug. ***