Bug 784486 – imagefreeze: use after free in seek handler causes criticals

After an evaluation, GNOME has moved from Bugzilla to GitLab. Learn more about GitLab.
No new issues can be reported in GNOME Bugzilla anymore.
To report an issue in a GNOME project, go to GNOME GitLab.
Do not go to GNOME Gitlab for: Bluefish, Doxygen, GnuCash, GStreamer, java-gnome, LDTP, NetworkManager, Tomboy.

Bug 784486 - imagefreeze: use after free in seek handler causes criticals


Summary:	imagefreeze: use after free in seek handler causes criticals


Status:	RESOLVED FIXED

Product:	GStreamer
Classification:	Platform
Component:	gst-plugins-good
Version:	1.10.5
Hardware:	Other Linux

Importance:	Normal normal
Target Milestone:	1.12.2
Assigned To:	GStreamer Maintainers
QA Contact:	GStreamer Maintainers

URL:
Whiteboard:

Depends on:
Blocks:

Reported:	2017-07-03 18:42 UTC by Jay Yang
Modified:	2017-07-03 19:46 UTC

See Also:
GNOME target:	---
GNOME version:	---

Attachments
Code for repoducing the bug (2.42 KB, text/x-csrc) 2017-07-03 18:42 UTC, Jay Yang	Details

Description Jay Yang 2017-07-03 18:42:09 UTC

Created attachment 354851 [details]
Code for repoducing the bug

Trying to seek on the imagefreeze element directly causes the following assertion

(a.out:6575): GStreamer-CRITICAL **: gst_event_get_seqnum: assertion 'GST_IS_EVENT (event)' failed

To reproduce compile and run the attached file. It needs a png file called test.png in the working directory

I'm running 1.10.5 on gentoo.

Running with G_DEBUG=fatal-warnings and gdb I get the following stack trace

+ Trace 237611

#0 _g_log_abort
from /usr/lib64/libglib-2.0.so.0
#1 g_logv
from /usr/lib64/libglib-2.0.so.0
#2 g_log
from /usr/lib64/libglib-2.0.so.0
#3 gst_event_get_seqnum
from /usr/lib64/libgstreamer-1.0.so.0
#4 gst_image_freeze_src_event
at /var/tmp/portage/media-libs/gst-plugins-good-1.10.5/work/gst-plugins-good-1.10.5/gst/imagefreeze/gstimagefreeze.c line 608
#5 gst_pad_send_event_unchecked
from /usr/lib64/libgstreamer-1.0.so.0
#6 gst_pad_send_event
from /usr/lib64/libgstreamer-1.0.so.0
#7 gst_element_default_send_event
from /usr/lib64/libgstreamer-1.0.so.0
#8 gst_element_send_event
from /usr/lib64/libgstreamer-1.0.so.0
#9 main
at bug.c line 72


Looking at the source it seems that the cause of this is that a few lines prior to gst_event_get_seqnum getting called, gst_event_unref is called. Presumably gst_event_get_seqnum should occur before the unref.

Seeking on a bin containing imagefreeze "fixes" the issue, presumably because the bin keeps it's own reference to the event.

Comment 1 Tim-Philipp Müller 2017-07-03 19:46:19 UTC

Thanks for the bug report, this should fix it:

commit d712a2f4b7e1705ac879aff30b11a807d88bdd54 (HEAD -> master)
Author: Tim-Philipp Müller <tim@centricular.com>
Date:   Mon Jul 3 20:27:29 2017 +0100

    imagefreeze: fix use-after-free on seek event
    
    Get seqnum before unreffing the seek event.
    
    https://bugzilla.gnome.org/show_bug.cgi?id=784486