After an evaluation, GNOME has moved from Bugzilla to GitLab. Learn more about GitLab.
No new issues can be reported in GNOME Bugzilla anymore.
To report an issue in a GNOME project, go to GNOME GitLab.
Do not go to GNOME Gitlab for: Bluefish, Doxygen, GnuCash, GStreamer, java-gnome, LDTP, NetworkManager, Tomboy.
Bug 797099 - bin: use-after-free in gst_bin_add()
bin: use-after-free in gst_bin_add()
Status: RESOLVED FIXED
Product: GStreamer
Classification: Platform
Component: gstreamer (core)
git master
Other Linux
: Normal normal
: 1.14.3
Assigned To: GStreamer Maintainers
GStreamer Maintainers
Depends on:
Blocks:
 
 
Reported: 2018-09-08 12:02 UTC by Philippe Normand
Modified: 2018-09-08 18:27 UTC
See Also:
GNOME target: ---
GNOME version: ---

Attachments
patch (1.35 KB, patch)
2018-09-08 12:08 UTC, Philippe Normand 		committed Details | Review

Description Philippe Normand 2018-09-08 12:02:38 UTC 
The context_type pointer is used after being freed (by gst_element_post_message())... Will attach a patch.

==22587==ERROR: AddressSanitizer: heap-use-after-free on address 0x603000407440 at pc 0x7ff96d903fbd bp 0x7ff8d64ed2b0 sp 0x7ff8d64eca60
READ of size 1 at 0x603000407440 thread T25 (multiqueue1:src)
    #0 0x7ff96d903fbc  (/usr/lib/x86_64-linux-gnu/libasan.so.5+0xb4fbc)
    #1 0x7ff94490582f in _match_context_type /home/phil/WebKit/WebKitBuild/DependenciesGTK/Source/gstreamer-1.14.2/gst/gstelement.c:3499
    #2 0x7ff9439e6b40 in g_list_find_custom /home/phil/WebKit/WebKitBuild/DependenciesGTK/Source/glib-2.54.2/glib/glist.c:845
    #3 0x7ff9449058f1 in gst_element_get_context_unlocked /home/phil/WebKit/WebKitBuild/DependenciesGTK/Source/gstreamer-1.14.2/gst/gstelement.c:3523
    #4 0x7ff9448cf6ba in gst_bin_add_func /home/phil/WebKit/WebKitBuild/DependenciesGTK/Source/gstreamer-1.14.2/gst/gstbin.c:1312
    #5 0x7ff9448d0255 in gst_bin_add /home/phil/WebKit/WebKitBuild/DependenciesGTK/Source/gstreamer-1.14.2/gst/gstbin.c:1535
    #6 0x7ff8eb680aa4 in add_chain /home/phil/WebKit/WebKitBuild/DependenciesGTK/Source/gst-plugins-base-1.14.2/gst/playback/gstplaysink.c:1255
    #7 0x7ff8eb6896c7 in gst_play_sink_do_reconfigure /home/phil/WebKit/WebKitBuild/DependenciesGTK/Source/gst-plugins-base-1.14.2/gst/playback/gstplaysink.c:3388
    #8 0x7ff8eb68d767 in sinkpad_blocked_cb /home/phil/WebKit/WebKitBuild/DependenciesGTK/Source/gst-plugins-base-1.14.2/gst/playback/gstplaysink.c:4316
    #9 0x7ff944928f0b in probe_hook_marshal /home/phil/WebKit/WebKitBuild/DependenciesGTK/Source/gstreamer-1.14.2/gst/gstpad.c:3562
    #10 0x7ff9439db753 in g_hook_list_marshal /home/phil/WebKit/WebKitBuild/DependenciesGTK/Source/glib-2.54.2/glib/ghook.c:672
    #11 0x7ff944929570 in do_probe_callbacks /home/phil/WebKit/WebKitBuild/DependenciesGTK/Source/gstreamer-1.14.2/gst/gstpad.c:3721
    #12 0x7ff94492f676 in gst_pad_push_event_unchecked /home/phil/WebKit/WebKitBuild/DependenciesGTK/Source/gstreamer-1.14.2/gst/gstpad.c:5350
    #13 0x7ff944929f30 in push_sticky /home/phil/WebKit/WebKitBuild/DependenciesGTK/Source/gstreamer-1.14.2/gst/gstpad.c:3920
    #14 0x7ff94491fcc7 in events_foreach /home/phil/WebKit/WebKitBuild/DependenciesGTK/Source/gstreamer-1.14.2/gst/gstpad.c:612
    #15 0x7ff94492a2e4 in check_sticky /home/phil/WebKit/WebKitBuild/DependenciesGTK/Source/gstreamer-1.14.2/gst/gstpad.c:3979
    #16 0x7ff944930178 in gst_pad_push_event /home/phil/WebKit/WebKitBuild/DependenciesGTK/Source/gstreamer-1.14.2/gst/gstpad.c:5525
    #17 0x7ff944927957 in event_forward_func /home/phil/WebKit/WebKitBuild/DependenciesGTK/Source/gstreamer-1.14.2/gst/gstpad.c:3054
    #18 0x7ff944927759 in gst_pad_forward /home/phil/WebKit/WebKitBuild/DependenciesGTK/Source/gstreamer-1.14.2/gst/gstpad.c:3008
    #19 0x7ff944927b0b in gst_pad_event_default /home/phil/WebKit/WebKitBuild/DependenciesGTK/Source/gstreamer-1.14.2/gst/gstpad.c:3105
    #20 0x7ff944930fa8 in gst_pad_send_event_unchecked /home/phil/WebKit/WebKitBuild/DependenciesGTK/Source/gstreamer-1.14.2/gst/gstpad.c:5738
    #21 0x7ff94492f968 in gst_pad_push_event_unchecked /home/phil/WebKit/WebKitBuild/DependenciesGTK/Source/gstreamer-1.14.2/gst/gstpad.c:5394
    #22 0x7ff944929f30 in push_sticky /home/phil/WebKit/WebKitBuild/DependenciesGTK/Source/gstreamer-1.14.2/gst/gstpad.c:3920
    #23 0x7ff94491fcc7 in events_foreach /home/phil/WebKit/WebKitBuild/DependenciesGTK/Source/gstreamer-1.14.2/gst/gstpad.c:612
    #24 0x7ff94492a2e4 in check_sticky /home/phil/WebKit/WebKitBuild/DependenciesGTK/Source/gstreamer-1.14.2/gst/gstpad.c:3979
    #25 0x7ff944930178 in gst_pad_push_event /home/phil/WebKit/WebKitBuild/DependenciesGTK/Source/gstreamer-1.14.2/gst/gstpad.c:5525
    #26 0x7ff8eb5d01e7 in gst_selector_pad_event /home/phil/WebKit/WebKitBuild/DependenciesGTK/Source/gstreamer-1.14.2/plugins/elements/gstinputselector.c:643
    #27 0x7ff944930fa8 in gst_pad_send_event_unchecked /home/phil/WebKit/WebKitBuild/DependenciesGTK/Source/gstreamer-1.14.2/gst/gstpad.c:5738
    #28 0x7ff94492f968 in gst_pad_push_event_unchecked /home/phil/WebKit/WebKitBuild/DependenciesGTK/Source/gstreamer-1.14.2/gst/gstpad.c:5394
    #29 0x7ff944929f30 in push_sticky /home/phil/WebKit/WebKitBuild/DependenciesGTK/Source/gstreamer-1.14.2/gst/gstpad.c:3920
    #30 0x7ff94491fcc7 in events_foreach /home/phil/WebKit/WebKitBuild/DependenciesGTK/Source/gstreamer-1.14.2/gst/gstpad.c:612
    #31 0x7ff94492a2e4 in check_sticky /home/phil/WebKit/WebKitBuild/DependenciesGTK/Source/gstreamer-1.14.2/gst/gstpad.c:3979
    #32 0x7ff944930178 in gst_pad_push_event /home/phil/WebKit/WebKitBuild/DependenciesGTK/Source/gstreamer-1.14.2/gst/gstpad.c:5525
    #33 0x7ff944927957 in event_forward_func /home/phil/WebKit/WebKitBuild/DependenciesGTK/Source/gstreamer-1.14.2/gst/gstpad.c:3054
    #34 0x7ff944927759 in gst_pad_forward /home/phil/WebKit/WebKitBuild/DependenciesGTK/Source/gstreamer-1.14.2/gst/gstpad.c:3008
    #35 0x7ff944927b0b in gst_pad_event_default /home/phil/WebKit/WebKitBuild/DependenciesGTK/Source/gstreamer-1.14.2/gst/gstpad.c:3105
    #36 0x7ff944930fa8 in gst_pad_send_event_unchecked /home/phil/WebKit/WebKitBuild/DependenciesGTK/Source/gstreamer-1.14.2/gst/gstpad.c:5738
    #37 0x7ff94492f968 in gst_pad_push_event_unchecked /home/phil/WebKit/WebKitBuild/DependenciesGTK/Source/gstreamer-1.14.2/gst/gstpad.c:5394
    #38 0x7ff944929f30 in push_sticky /home/phil/WebKit/WebKitBuild/DependenciesGTK/Source/gstreamer-1.14.2/gst/gstpad.c:3920
    #39 0x7ff94491fcc7 in events_foreach /home/phil/WebKit/WebKitBuild/DependenciesGTK/Source/gstreamer-1.14.2/gst/gstpad.c:612
    #40 0x7ff94492a2e4 in check_sticky /home/phil/WebKit/WebKitBuild/DependenciesGTK/Source/gstreamer-1.14.2/gst/gstpad.c:3979
    #41 0x7ff944930178 in gst_pad_push_event /home/phil/WebKit/WebKitBuild/DependenciesGTK/Source/gstreamer-1.14.2/gst/gstpad.c:5525
    #42 0x7ff944927957 in event_forward_func /home/phil/WebKit/WebKitBuild/DependenciesGTK/Source/gstreamer-1.14.2/gst/gstpad.c:3054
    #43 0x7ff944927759 in gst_pad_forward /home/phil/WebKit/WebKitBuild/DependenciesGTK/Source/gstreamer-1.14.2/gst/gstpad.c:3008
    #44 0x7ff944927b0b in gst_pad_event_default /home/phil/WebKit/WebKitBuild/DependenciesGTK/Source/gstreamer-1.14.2/gst/gstpad.c:3105
    #45 0x7ff944930fa8 in gst_pad_send_event_unchecked /home/phil/WebKit/WebKitBuild/DependenciesGTK/Source/gstreamer-1.14.2/gst/gstpad.c:5738
    #46 0x7ff94492f968 in gst_pad_push_event_unchecked /home/phil/WebKit/WebKitBuild/DependenciesGTK/Source/gstreamer-1.14.2/gst/gstpad.c:5394
    #47 0x7ff944929f30 in push_sticky /home/phil/WebKit/WebKitBuild/DependenciesGTK/Source/gstreamer-1.14.2/gst/gstpad.c:3920
    #48 0x7ff94491fcc7 in events_foreach /home/phil/WebKit/WebKitBuild/DependenciesGTK/Source/gstreamer-1.14.2/gst/gstpad.c:612
    #49 0x7ff94492a2e4 in check_sticky /home/phil/WebKit/WebKitBuild/DependenciesGTK/Source/gstreamer-1.14.2/gst/gstpad.c:3979
    #50 0x7ff944930178 in gst_pad_push_event /home/phil/WebKit/WebKitBuild/DependenciesGTK/Source/gstreamer-1.14.2/gst/gstpad.c:5525
    #51 0x7ff944719e78 in gst_pad_set_caps /home/phil/WebKit/WebKitBuild/DependenciesGTK/Root/include/gstreamer-1.0/gst/gstcompat.h:59
    #52 0x7ff9447287ee in gst_video_decoder_negotiate_default /home/phil/WebKit/WebKitBuild/DependenciesGTK/Source/gst-plugins-base-1.14.2/gst-libs/gst/video/gstvideodecoder.c:3848
    #53 0x7ff9447289d5 in gst_video_decoder_negotiate /home/phil/WebKit/WebKitBuild/DependenciesGTK/Source/gst-plugins-base-1.14.2/gst-libs/gst/video/gstvideodecoder.c:3902
    #54 0x7ff8d489f5b1 in gst_ffmpegviddec_negotiate /home/phil/WebKit/WebKitBuild/DependenciesGTK/Source/gst-libav-1.14.2/ext/libav/gstavviddec.c:1282
    #55 0x7ff8d489f5b1 in gst_ffmpegviddec_video_frame /home/phil/WebKit/WebKitBuild/DependenciesGTK/Source/gst-libav-1.14.2/ext/libav/gstavviddec.c:1599
    #56 0x7ff8d489f5b1 in gst_ffmpegviddec_frame /home/phil/WebKit/WebKitBuild/DependenciesGTK/Source/gst-libav-1.14.2/ext/libav/gstavviddec.c:1745
    #57 0x7ff8d48a0522 in gst_ffmpegviddec_handle_frame /home/phil/WebKit/WebKitBuild/DependenciesGTK/Source/gst-libav-1.14.2/ext/libav/gstavviddec.c:1858
    #58 0x7ff944727587 in gst_video_decoder_decode_frame /home/phil/WebKit/WebKitBuild/DependenciesGTK/Source/gst-plugins-base-1.14.2/gst-libs/gst/video/gstvideodecoder.c:3416
    #59 0x7ff94471fbb0 in gst_video_decoder_chain_forward /home/phil/WebKit/WebKitBuild/DependenciesGTK/Source/gst-plugins-base-1.14.2/gst-libs/gst/video/gstvideodecoder.c:2142
    #60 0x7ff944721ce1 in gst_video_decoder_chain /home/phil/WebKit/WebKitBuild/DependenciesGTK/Source/gst-plugins-base-1.14.2/gst-libs/gst/video/gstvideodecoder.c:2456
    #61 0x7ff94492bb32 in gst_pad_chain_data_unchecked /home/phil/WebKit/WebKitBuild/DependenciesGTK/Source/gstreamer-1.14.2/gst/gstpad.c:4320
    #62 0x7ff94492c78f in gst_pad_push_data /home/phil/WebKit/WebKitBuild/DependenciesGTK/Source/gstreamer-1.14.2/gst/gstpad.c:4576
    #63 0x7ff94492cef6 in gst_pad_push /home/phil/WebKit/WebKitBuild/DependenciesGTK/Source/gstreamer-1.14.2/gst/gstpad.c:4695
    #64 0x7ff944a57116 in gst_base_transform_chain /home/phil/WebKit/WebKitBuild/DependenciesGTK/Source/gstreamer-1.14.2/libs/gst/base/gstbasetransform.c:2321
    #65 0x7ff94492bb32 in gst_pad_chain_data_unchecked /home/phil/WebKit/WebKitBuild/DependenciesGTK/Source/gstreamer-1.14.2/gst/gstpad.c:4320
    #66 0x7ff94492c78f in gst_pad_push_data /home/phil/WebKit/WebKitBuild/DependenciesGTK/Source/gstreamer-1.14.2/gst/gstpad.c:4576
    #67 0x7ff94492cef6 in gst_pad_push /home/phil/WebKit/WebKitBuild/DependenciesGTK/Source/gstreamer-1.14.2/gst/gstpad.c:4695
    #68 0x7ff944a285f0 in gst_base_parse_push_frame /home/phil/WebKit/WebKitBuild/DependenciesGTK/Source/gstreamer-1.14.2/libs/gst/base/gstbaseparse.c:2535
    #69 0x7ff944a27520 in gst_base_parse_handle_and_push_frame /home/phil/WebKit/WebKitBuild/DependenciesGTK/Source/gstreamer-1.14.2/libs/gst/base/gstbaseparse.c:2352
    #70 0x7ff944a28eca in gst_base_parse_finish_frame /home/phil/WebKit/WebKitBuild/DependenciesGTK/Source/gstreamer-1.14.2/libs/gst/base/gstbaseparse.c:2693
    #71 0x7ff8d3ef4c58 in gst_h264_parse_handle_frame_packetized /home/phil/WebKit/WebKitBuild/DependenciesGTK/Source/gst-plugins-bad-1.14.2/gst/videoparsers/gsth264parse.c:1033
    #72 0x7ff8d3ef4c58 in gst_h264_parse_handle_frame /home/phil/WebKit/WebKitBuild/DependenciesGTK/Source/gst-plugins-bad-1.14.2/gst/videoparsers/gsth264parse.c:1079
    #73 0x7ff944a2677a in gst_base_parse_handle_buffer /home/phil/WebKit/WebKitBuild/DependenciesGTK/Source/gstreamer-1.14.2/libs/gst/base/gstbaseparse.c:2160
    #74 0x7ff944a2b812 in gst_base_parse_chain /home/phil/WebKit/WebKitBuild/DependenciesGTK/Source/gstreamer-1.14.2/libs/gst/base/gstbaseparse.c:3242
    #75 0x7ff94492bb32 in gst_pad_chain_data_unchecked /home/phil/WebKit/WebKitBuild/DependenciesGTK/Source/gstreamer-1.14.2/gst/gstpad.c:4320
    #76 0x7ff94492c78f in gst_pad_push_data /home/phil/WebKit/WebKitBuild/DependenciesGTK/Source/gstreamer-1.14.2/gst/gstpad.c:4576
    #77 0x7ff94492cef6 in gst_pad_push /home/phil/WebKit/WebKitBuild/DependenciesGTK/Source/gstreamer-1.14.2/gst/gstpad.c:4695
    #78 0x7ff8eb5da0a7 in gst_single_queue_push_one /home/phil/WebKit/WebKitBuild/DependenciesGTK/Source/gstreamer-1.14.2/plugins/elements/gstmultiqueue.c:1643
    #79 0x7ff8eb5dbacd in gst_multi_queue_loop /home/phil/WebKit/WebKitBuild/DependenciesGTK/Source/gstreamer-1.14.2/plugins/elements/gstmultiqueue.c:1963
    #80 0x7ff944967f30 in gst_task_func /home/phil/WebKit/WebKitBuild/DependenciesGTK/Source/gstreamer-1.14.2/gst/gsttask.c:332
    #81 0x7ff9449690f8 in default_func /home/phil/WebKit/WebKitBuild/DependenciesGTK/Source/gstreamer-1.14.2/gst/gsttaskpool.c:69
    #82 0x7ff943a11932 in g_thread_pool_thread_proxy /home/phil/WebKit/WebKitBuild/DependenciesGTK/Source/glib-2.54.2/glib/gthreadpool.c:307
    #83 0x7ff943a10fd4 in g_thread_proxy /home/phil/WebKit/WebKitBuild/DependenciesGTK/Source/glib-2.54.2/glib/gthread.c:784
    #84 0x7ff96d835f29 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x7f29)
    #85 0x7ff941c4aede in __clone (/lib/x86_64-linux-gnu/libc.so.6+0xf7ede)
Comment 1 Philippe Normand 2018-09-08 12:08:23 UTC 
Created attachment 373568 [details] [review]
patch
Comment 2 Thibault Saunier 2018-09-08 15:39:39 UTC 
Review of attachment 373568 [details] [review]:

lgtm.
Comment 3 Sebastian Dröge (slomo) 2018-09-08 15:59:55 UTC 
Comment on attachment 373568 [details] [review]
patch

Also please backport to 1.14
Comment 4 Tim-Philipp Müller 2018-09-08 18:27:15 UTC 
Pushed, so I can pick it into 1.14 for 1.14.3.

commit 616d588b52ec44ffb0c522a029ed9c99ae6f6bd0 (HEAD -> master)
Author: Philippe Normand <philn@igalia.com>
Date:   Sat Sep 8 13:05:13 2018 +0100

    bin: Fix use-after-free issue in gst_bin_add()
    
    gst_element_post_message() takes ownership of the message so we need to increase
    its refcount until we no longer require access to its data (context_type).
    
    https://bugzilla.gnome.org/show_bug.cgi?id=797099