GNOME Bugzilla – Bug 644669
gstspeexdec causes 'Conditional jump depends on uninitialised value'
Last modified: 2011-03-14 18:33:49 UTC
When running under valgrind, a simple spx player (gst_play_spx.c) causes a lot of:

==27211== Conditional jump or move depends on uninitialised value(s)
==27211==    at 0x654E9AB: floor (s_floor.c:55)
==27211==    by 0xAEC7347: speex_decode_int (speex.c:172)
==27211==    by 0xACB7F80: ??? (in /usr/lib/gstreamer-0.10/libgstspeex.so)
==27211==    by 0xACB8B68: ??? (in /usr/lib/gstreamer-0.10/libgstspeex.so)
==27211==    by 0x4E8312C: ??? (in /usr/lib/libgstreamer-0.10.so.0.26.0)
==27211==    by 0x4E839ED: ??? (in /usr/lib/libgstreamer-0.10.so.0.26.0)
==27211==    by 0x88BBB18: ??? (in /usr/lib/gstreamer-0.10/libgstcoreelements.so)
==27211==    by 0x4EACC92: ??? (in /usr/lib/libgstreamer-0.10.so.0.26.0)
==27211==    by 0x5D1E73E: g_thread_pool_thread_proxy (gthreadpool.c:319)
==27211==    by 0x5D1C7E3: g_thread_create_proxy (gthread.c:1897)
==27211==    by 0x5F9C970: start_thread (pthread_create.c:304)
==27211==    by 0xB8D970F: ???

Even a short file gives a lot; I got:

ERROR SUMMARY: 185834 errors.

valgrind ./play_spx.bin file://`pwd`/great.spx

Any spx file causes the same. And "valgrind speexdec great.spx great.wav" doesn't cause it, even though speexdec is using the same speex_decode_int function, which uses an uninitialized array and trusts that the user of the library fills it entirely.
commit 4d7b4ca2ae5d0c93cf040107aaa0c1f7c46a66a9
Author: Sebastian Dröge <sebastian.droege@collabora.co.uk>
Date:   Mon Mar 14 19:28:07 2011 +0100

    speexdec: Always process the number of frames per packet as specified in the header

    Looking at the remaining bits in the bitstream after decoding a single
    frame can't be used as loop condition. The remaining bits might not give
    a complete frame and the speex decoder will then output nothing but
    access uninitialized memory, which leads to valgrind warnings.

    Fixes bug #644669.
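The loop-condition problem the commit describes, shown on a constructed toy bit reader and frame decoder (added example, not libspeex or gstspeexdec code). The toy `decode_frame` mirrors the behaviour the commit names: when fewer bits than a complete frame remain it writes nothing to the output buffer. `decode_by_remaining_bits` is the "before" pattern, looping while any bits remain, so the byte-alignment padding after the last real frame drives one extra iteration whose output slots were never written; `decode_by_header_count` decodes exactly the frame count a (constructed) header declares and checks every return value. The packet bytes, frame size and bit counts are all made up for the demonstration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Toy constants (constructed, not speex's real framing). */
#define FRAME_BITS    20   /* a toy frame occupies exactly 20 bits */
#define FRAME_SAMPLES 4    /* samples produced per frame */
#define MAX_FRAMES    8

typedef struct {
    const uint8_t *data;
    size_t nbits;   /* total bits in the packet */
    size_t pos;     /* bits consumed so far */
} bits_t;

static size_t bits_remaining(const bits_t *b) { return b->nbits - b->pos; }

/* Toy frame decoder: consumes FRAME_BITS bits and fills `out`.
 * Like the decoder in the bug report, it writes NOTHING to `out` when the
 * packet holds fewer bits than a complete frame; the caller must not treat
 * that buffer as decoded audio. */
static int decode_frame(bits_t *b, int16_t out[FRAME_SAMPLES]) {
    if (bits_remaining(b) < FRAME_BITS)
        return -1;
    for (int i = 0; i < FRAME_SAMPLES; i++)
        out[i] = (int16_t)(b->pos + i);   /* deterministic stand-in for PCM */
    b->pos += FRAME_BITS;
    return 0;
}

typedef struct {
    int frames_attempted;   /* loop iterations */
    int frames_decoded;     /* decode_frame returned 0 */
    int samples_unwritten;  /* output slots published without being written */
} decode_stats_t;

/* 'Before' pattern: keep decoding while any bits remain. Padding bits after
 * the last complete frame trigger an extra iteration; its output was never
 * written, which is the uninitialised read valgrind flagged. */
static decode_stats_t decode_by_remaining_bits(bits_t *b, int16_t *out, int max_frames) {
    decode_stats_t s = {0, 0, 0};
    while (bits_remaining(b) > 0 && s.frames_attempted < max_frames) {
        int16_t *frame = out + s.frames_attempted * FRAME_SAMPLES;
        int rc = decode_frame(b, frame);
        s.frames_attempted++;
        if (rc == 0) {
            s.frames_decoded++;
        } else {
            s.samples_unwritten += FRAME_SAMPLES;  /* published but never filled */
            break;  /* toy guard: bits never advance on failure */
        }
    }
    return s;
}

/* Fixed pattern: decode exactly the frame count the stream header declares,
 * check each return value, and publish only frames that were actually written.
 * A truncated packet therefore yields fewer frames rather than garbage. */
static decode_stats_t decode_by_header_count(bits_t *b, int16_t *out, int frames_per_packet) {
    decode_stats_t s = {0, 0, 0};
    for (int i = 0; i < frames_per_packet; i++) {
        int16_t *frame = out + s.frames_decoded * FRAME_SAMPLES;
        s.frames_attempted++;
        if (decode_frame(b, frame) != 0)
            break;  /* not a complete frame: stop, emit only what was decoded */
        s.frames_decoded++;
    }
    return s;
}

/* Constructed packet: 2 complete frames (40 bits) byte-aligned to 48 bits,
 * so 8 padding bits remain after the second frame. The header (constructed)
 * says 2 frames per packet. */
static const uint8_t PACKET[6] = {0xA5, 0x5A, 0xA5, 0x5A, 0xA5, 0x00};
#define PACKET_BITS (sizeof(PACKET) * 8)
#define HEADER_FRAMES_PER_PACKET 2

static decode_stats_t demo_buggy(void) {
    bits_t b = { PACKET, PACKET_BITS, 0 };
    int16_t out[MAX_FRAMES * FRAME_SAMPLES];
    return decode_by_remaining_bits(&b, out, MAX_FRAMES);
}

static decode_stats_t demo_fixed(void) {
    bits_t b = { PACKET, PACKET_BITS, 0 };
    int16_t out[MAX_FRAMES * FRAME_SAMPLES];
    return decode_by_header_count(&b, out, HEADER_FRAMES_PER_PACKET);
}

/* Truncated packet (30 bits, header still claims 2 frames): the fixed loop
 * decodes one frame and stops instead of publishing an unwritten second one. */
static decode_stats_t demo_fixed_truncated(void) {
    bits_t b = { PACKET, 30, 0 };
    int16_t out[MAX_FRAMES * FRAME_SAMPLES];
    return decode_by_header_count(&b, out, HEADER_FRAMES_PER_PACKET);
}

int main(void) {
    decode_stats_t a = demo_buggy(), f = demo_fixed(), t = demo_fixed_truncated();
    printf("remaining-bits loop: attempted %d, decoded %d, unwritten samples %d\n",
           a.frames_attempted, a.frames_decoded, a.samples_unwritten);
    printf("header-count loop:   attempted %d, decoded %d, unwritten samples %d\n",
           f.frames_attempted, f.frames_decoded, f.samples_unwritten);
    printf("truncated packet:    attempted %d, decoded %d\n",
           t.frames_attempted, t.frames_decoded);
    return 0;
}
```

The general lesson for any codec wrapper is the same as the commit's: the authoritative frame count comes from the header, a non-zero decoder return means the output buffer is not audio, and a container's byte-alignment padding must never be mistaken for "more data to decode".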