Bug 738793 – speex: encoder/decoder segfault when resetting multiple times

After an evaluation, GNOME has moved from Bugzilla to GitLab. Learn more about GitLab.
No new issues can be reported in GNOME Bugzilla anymore.
To report an issue in a GNOME project, go to GNOME GitLab.
Do not go to GNOME Gitlab for: Bluefish, Doxygen, GnuCash, GStreamer, java-gnome, LDTP, NetworkManager, Tomboy.

Bug 738793 - speex: encoder/decoder segfault when resetting multiple times


Summary:	speex: encoder/decoder segfault when resetting multiple times


Status:	RESOLVED FIXED

Product:	GStreamer
Classification:	Platform
Component:	gst-plugins-good
Version:	unspecified
Hardware:	Other All

Importance:	Normal normal
Target Milestone:	1.4.4
Assigned To:	GStreamer Maintainers
QA Contact:	GStreamer Maintainers

URL:
Whiteboard:

Depends on:
Blocks:

Reported:	2014-10-18 21:33 UTC by ananda
Modified:	2014-10-24 19:55 UTC

See Also:
GNOME target:	---
GNOME version:	---

Attachments
Patch for protection againt multi-time SpeexBits destroy (786 bytes, patch) 2014-10-18 21:33 UTC, ananda	needs-work	Details \| Review
Patch for protection againt multi-time SpeexBits destroy (using speex_bits_set_bit_buffer) (1.17 KB, patch) 2014-10-22 11:44 UTC, ananda	committed	Details \| Review

Description ananda 2014-10-18 21:33:33 UTC

Created attachment 288827 [details] [review]
Patch for protection againt multi-time SpeexBits destroy

The speex decoder/encoder may destroy SpeexBits more multi-time (call speex_bits_destroy(&dec->bits) more than once) and produce a SIGSEV.

After destroying bits in gst_speex_dec_reset() and gst_speex_enc_stop(), we should add something like:
  speex_bits_set_bit_buffer(&dec->bits, NULL, 0);
or
  dec->bits.owner = 0;

Comment 1 Sebastian Dröge (slomo) 2014-10-20 10:49:57 UTC

Comment on attachment 288827 [details] [review]
Patch for protection againt multi-time SpeexBits destroy

Might be better to just memset() the complete bits to 0.

Also please attach the patch in "git format-patch" format with your real name and mail address :)

Comment 2 ananda 2014-10-22 11:42:55 UTC

Sorry for the patch format.
Maybe calling speex_bits_set_bit_buffer... is the best, it will let speex guys do what they want with their "opaque" SpeexBits structure.
Attached the "format-patch" patch :)

Comment 3 ananda 2014-10-22 11:44:22 UTC

Created attachment 289120 [details] [review]
Patch for protection againt multi-time SpeexBits destroy (using speex_bits_set_bit_buffer)

Comment 4 Sebastian Dröge (slomo) 2014-10-23 08:31:18 UTC

commit ec3af50cc26be86e36368f328d5ef489a3bc1dc9
Author: Ananda <ananda@latelier23.com>
Date:   Wed Oct 22 15:28:44 2014 +0200

    speex: Fix segfault when resetting the codecs multiple times
    
    https://bugzilla.gnome.org/show_bug.cgi?id=738793

Comment 5 Tim-Philipp Müller 2014-10-24 19:55:31 UTC

Cherry-picked into 1.4 branch as well.