GNOME Bugzilla – Bug 733695
ximagesrc: Use after free
Last modified: 2014-07-31 13:19:13 UTC
Just came across this use after free error. I've tracked down this to be that ximagesrc does not have a return value to its GstBuffer dispose function. So depending on your build, it may never free the buffer, or always free it and eventually crash. Patch is coming soon.

==31556== Thread 8 ximagesrc0:src:
==31556== Invalid read of size 8
==31556== at 0x4C4D2C5: gst_buffer_get_meta (gstbuffer.c:1950)
==31556== by 0xC4D17E1: gst_ximage_src_ximage_get (gstximagesrc.c:461)
==31556== by 0xC4D38E4: gst_ximage_src_create (gstximagesrc.c:862)
==31556== by 0xC98D7CD: gst_push_src_create (gstpushsrc.c:130)
==31556== by 0xC971B74: gst_base_src_get_range (gstbasesrc.c:2445)
==31556== by 0xC972AEF: gst_base_src_loop (gstbasesrc.c:2721)
==31556== by 0x4CC4A0D: gst_task_func (gsttask.c:317)
==31556== by 0x4CC5AF5: default_func (gsttaskpool.c:68)
==31556== by 0x541F98E: g_thread_pool_thread_proxy (gthreadpool.c:307)
==31556== by 0x541F0FA: g_thread_proxy (gthread.c:764)
==31556== by 0x3B46607F32: start_thread (pthread_create.c:309)
==31556== by 0x3B45EF4DEC: clone (clone.S:111)
==31556== Address 0x1996b178 is 264 bytes inside a block of size 272 free'd
==31556== at 0x4A07577: free (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==31556== by 0x5401C81: g_free (gmem.c:190)
==31556== by 0x54164EA: g_slice_free1 (gslice.c:1112)
==31556== by 0x4C4AB4B: _gst_buffer_free (gstbuffer.c:587)
==31556== by 0x4C84DB6: gst_mini_object_unref (gstminiobject.c:465)
==31556== by 0xC4D0159: gst_buffer_unref (gstbuffer.h:360)
==31556== by 0xC4D32AD: gst_ximage_src_ximage_get (gstximagesrc.c:769)
==31556== by 0xC4D38E4: gst_ximage_src_create (gstximagesrc.c:862)
==31556== by 0xC98D7CD: gst_push_src_create (gstpushsrc.c:130)
==31556== by 0xC971B74: gst_base_src_get_range (gstbasesrc.c:2445)
==31556== by 0xC972AEF: gst_base_src_loop (gstbasesrc.c:2721)
==31556== by 0x4CC4A0D: gst_task_func (gsttask.c:317)
Created attachment 281633 [details] [review]
[PATCH] ximagesrc: Add missing return value to Buffer dispose function

Depending on the build, the method could return FALSE, hence never free the buffers, or already TRUE and lead to a crash:

Fixes: https://bugzilla.gnome.org/show_bug.cgi?id=73369
---
 sys/ximage/gstximagesrc.c | 6 +++++-
 sys/ximage/ximageutil.c   | 7 ++++---
 sys/ximage/ximageutil.h   | 2 +-
 3 files changed, 10 insertions(+), 5 deletions(-)
Review of attachment 281633 [details] [review]:

I didn't know about this miniobject revival thing on its dispose. Nice catch :) It would be nice to have a small comment about the returns, though.
(In reply to comment #2)
> Review of attachment 281633 [details] [review]:
>
> I didn't know about this miniobject revival thing on its dispose. Nice catch :)
>
> It would be nice to have a small comment about the returns, though.

Ok, I'll do. For your interest, this is what we use in buffer pool to revive a buffer. It's possible that this has changed in API since 0.10, hence the reason we have this bug.
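The revive mechanism discussed in the two comments above, as an added illustration that is not part of the bug report or of GStreamer's own code: a toy refcounted "mini object" whose dispose hook returns a boolean with the contract the thread describes (TRUE means "go ahead and free", FALSE means "the object was revived, do not free"). A pool uses the hook to take a buffer back instead of letting it die. Names such as MiniObj, Pool, pool_dispose and run_scenario are constructed for this example; GStreamer's real GstMiniObject and GstBufferPool differ in detail. The point the trace on this page makes is visible in the unref path: if the hook's return value were left undefined, unref would either never free (FALSE by accident) or free a buffer the pool still hands out (TRUE by accident), which is exactly the later invalid read valgrind reports.

```c
/* Added example modelling the dispose/revive contract described in the bug thread.
 * Not GStreamer code; all names here are constructed for illustration. */
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

typedef struct MiniObj MiniObj;

/* Called once the refcount reaches zero.
 * Return true  -> caller frees the object.
 * Return false -> the hook revived the object (reset its refcount); caller must NOT free. */
typedef bool (*DisposeFn)(MiniObj *obj);

struct MiniObj {
    int refcount;
    DisposeFn dispose;
    void *owner;    /* the pool that owns this buffer, if any */
    int payload;
};

#define POOL_SIZE 4
typedef struct {
    MiniObj *free_list[POOL_SIZE];
    int n_free;
    bool active;    /* while active, released buffers are revived instead of freed */
} Pool;

static long freed_count = 0;    /* how many objects were really released to free() */

static MiniObj *mini_obj_new(DisposeFn dispose, void *owner) {
    MiniObj *o = calloc(1, sizeof *o);
    if (!o) abort();
    o->refcount = 1;
    o->dispose = dispose;
    o->owner = owner;
    return o;
}

static void mini_obj_free(MiniObj *o) { freed_count++; free(o); }

static MiniObj *mini_obj_ref(MiniObj *o) { o->refcount++; return o; }

/* Returns true only if the object was actually freed. */
static bool mini_obj_unref(MiniObj *o) {
    if (--o->refcount > 0) return false;
    /* Refcount hit zero: the dispose hook decides between free and revive.
     * A hook that "forgets" to return leaves this decision to whatever happens
     * to be in the return register, which is the bug reported on this page. */
    if (o->dispose && !o->dispose(o))
        return false;    /* revived: refcount reset by the hook, object lives on */
    mini_obj_free(o);
    return true;
}

/* Pool dispose hook: while the pool is active, take the buffer back and revive it. */
static bool pool_dispose(MiniObj *o) {
    Pool *p = o->owner;
    if (p->active && p->n_free < POOL_SIZE) {
        o->refcount = 1;                      /* the pool now holds the only reference */
        p->free_list[p->n_free++] = o;
        return false;                         /* do not free */
    }
    return true;                              /* pool draining: let it be freed */
}

static MiniObj *pool_acquire(Pool *p) {
    if (p->n_free > 0) return p->free_list[--p->n_free];    /* refcount is already 1 */
    return mini_obj_new(pool_dispose, p);
}

static void pool_drain(Pool *p) {
    p->active = false;
    while (p->n_free > 0) mini_obj_unref(p->free_list[--p->n_free]);   /* now really frees */
}

typedef struct {
    bool revived_on_first_unref;
    bool reused_same_buffer;
    long freed_total;
} Result;

/* One acquire/release/reuse/drain cycle; constructed scenario for the example. */
static Result run_scenario(void) {
    freed_count = 0;
    Pool p = { .n_free = 0, .active = true };
    Result r = {0};

    MiniObj *b = pool_acquire(&p);
    b->payload = 42;
    mini_obj_ref(b);                            /* a second holder... */
    mini_obj_unref(b);                          /* ...drops it: refcount 2 -> 1, nothing happens */
    bool freed = mini_obj_unref(b);             /* 1 -> 0: pool_dispose revives it */
    r.revived_on_first_unref = (!freed && p.n_free == 1);

    MiniObj *b2 = pool_acquire(&p);
    r.reused_same_buffer = (b2 == b && b2->payload == 42);   /* safe: never freed */
    mini_obj_unref(b2);                         /* back into the pool */

    pool_drain(&p);                             /* inactive pool: hook returns true, buffer freed */
    r.freed_total = freed_count;
    return r;
}

int main(void) {
    Result r = run_scenario();
    printf("revived=%d reused=%d freed=%ld\n",
           r.revived_on_first_unref, r.reused_same_buffer, r.freed_total);
    return 0;
}
```

Running it prints one revive, one reuse of the same buffer and exactly one real free at drain time; the second acquire only reads valid memory because the hook explicitly returned false on the first release.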
Master c82052e ximagesrc: Add missing return value to Buffer dispose function
1.4 c2dbd18 ximagesrc: Add missing return value to Buffer dispose function