Bug 697720 – [audioconvert] valgrind invalid read during transcoding in sound-juicer

After an evaluation, GNOME has moved from Bugzilla to GitLab. Learn more about GitLab.
No new issues can be reported in GNOME Bugzilla anymore.
To report an issue in a GNOME project, go to GNOME GitLab.
Do not go to GNOME Gitlab for: Bluefish, Doxygen, GnuCash, GStreamer, java-gnome, LDTP, NetworkManager, Tomboy.

Bug 697720 - [audioconvert] valgrind invalid read during transcoding in sound-juicer


Summary:	[audioconvert] valgrind invalid read during transcoding in sound-juicer


Status:	RESOLVED OBSOLETE

Product:	GStreamer
Classification:	Platform
Component:	gst-plugins-base
Version:	1.0.6
Hardware:	Other Linux

Importance:	Normal normal
Target Milestone:	git master
Assigned To:	GStreamer Maintainers
QA Contact:	GStreamer Maintainers

URL:
Whiteboard:

Depends on:
Blocks:

Reported:	2013-04-10 14:20 UTC by Christophe Fergeau
Modified:	2015-01-30 10:33 UTC

See Also:
GNOME target:	---
GNOME version:	---

Description Christophe Fergeau 2013-04-10 14:20:02 UTC

Caught this in valgrind. I can hit it everytime when trying to rip a CD to ogg vorbis with sound-juicer 3.5.0 compiled with gstreamer 1.0 support. Not sure whether to report this against gstreamer or liborc, but I couldn't find a bug tracker for liborc, so here you are... ;)

gstreamer1-1.0.6-1.fc18.x86_64
gstreamer1-plugins-bad-free-1.0.6-1.fc18.x86_64
gstreamer1-plugins-base-1.0.6-1.fc18.x86_64
gstreamer1-plugins-good-1.0.6-1.fc18.x86_64
orc-0.4.16-7.fc18.x86_64


==13242== Thread 5:
==13242== Invalid read of size 4
==13242==    at 0x32F0610970: orc_code_region_allocate_codemem_dual_map (orccodemem.c:219)
==13242==    by 0x32F0610BE1: orc_code_region_allocate_codemem (orccodemem.c:293)
==13242==    by 0x32F0610C84: orc_code_region_new (orccodemem.c:64)
==13242==    by 0x32F0610D3F: orc_code_region_get_free_chunk (orccodemem.c:136)
==13242==    by 0x32F0610DFF: orc_code_allocate_codemem (orccodemem.c:160)
==13242==    by 0x32F06148CA: orc_program_compile_full (orccompiler.c:341)
==13242==    by 0x15BB4D41: audio_convert_orc_unpack_s16 (tmp-orc.c:599)
==13242==    by 0x15BADA8A: audio_convert_convert (audioconvert.c:778)
==13242==    by 0x15BAB6D0: gst_audio_convert_transform (gstaudioconvert.c:801)
==13242==    by 0x3F9E632246: gst_base_transform_handle_buffer (gstbasetransform.c:2069)
==13242==    by 0x3F9E632B04: gst_base_transform_chain (gstbasetransform.c:2176)
==13242==    by 0x3F9E25E169: gst_pad_push_data (gstpad.c:3655)
==13242==    by 0x159A492A: gst_audio_rate_chain (gstaudiorate.c:642)
==13242==    by 0x3F9E25E169: gst_pad_push_data (gstpad.c:3655)
==13242==    by 0x179B0D8A: gst_stream_splitter_chain (gststreamsplitter.c:136)
==13242==    by 0x3F9E25E169: gst_pad_push_data (gstpad.c:3655)
==13242==    by 0x18251F4B: gst_queue_loop (gstqueue.c:1054)
==13242==    by 0x3F9E28BB60: gst_task_func (gsttask.c:316)
==13242==    by 0x32D526BE21: g_thread_pool_thread_proxy (gthreadpool.c:309)
==13242==    by 0x32D526B604: g_thread_proxy (gthread.c:797)
==13242==    by 0x32D2E07D14: start_thread (pthread_create.c:308)
==13242==    by 0x32D2AF248C: clone (clone.S:114)
==13242==  Address 0x19d6dbb0 is 16 bytes inside a block of size 19 alloc'd
==13242==    at 0x4A0887C: malloc (vg_replace_malloc.c:270)
==13242==    by 0x32F06108F8: orc_code_region_allocate_codemem_dual_map (orccodemem.c:204)
==13242==    by 0x32F0610BE1: orc_code_region_allocate_codemem (orccodemem.c:293)
==13242==    by 0x32F0610C84: orc_code_region_new (orccodemem.c:64)
==13242==    by 0x32F0610D3F: orc_code_region_get_free_chunk (orccodemem.c:136)
==13242==    by 0x32F0610DFF: orc_code_allocate_codemem (orccodemem.c:160)
==13242==    by 0x32F06148CA: orc_program_compile_full (orccompiler.c:341)
==13242==    by 0x15BB4D41: audio_convert_orc_unpack_s16 (tmp-orc.c:599)
==13242==    by 0x15BADA8A: audio_convert_convert (audioconvert.c:778)
==13242==    by 0x15BAB6D0: gst_audio_convert_transform (gstaudioconvert.c:801)
==13242==    by 0x3F9E632246: gst_base_transform_handle_buffer (gstbasetransform.c:2069)
==13242==    by 0x3F9E632B04: gst_base_transform_chain (gstbasetransform.c:2176)
==13242==    by 0x3F9E25E169: gst_pad_push_data (gstpad.c:3655)
==13242==    by 0x159A492A: gst_audio_rate_chain (gstaudiorate.c:642)
==13242==    by 0x3F9E25E169: gst_pad_push_data (gstpad.c:3655)
==13242==    by 0x179B0D8A: gst_stream_splitter_chain (gststreamsplitter.c:136)
==13242==    by 0x3F9E25E169: gst_pad_push_data (gstpad.c:3655)
==13242==    by 0x18251F4B: gst_queue_loop (gstqueue.c:1054)
==13242==    by 0x3F9E28BB60: gst_task_func (gsttask.c:316)
==13242==    by 0x32D526BE21: g_thread_pool_thread_proxy (gthreadpool.c:309)
==13242==    by 0x32D526B604: g_thread_proxy (gthread.c:797)
==13242==    by 0x32D2E07D14: start_thread (pthread_create.c:308)
==13242==    by 0x32D2AF248C: clone (clone.S:114)
==13242==-

Comment 1 Vincent Penquerc'h 2015-01-30 10:22:54 UTC

Does it still happen with a recent liborc ?
The line numbers don't quite match the 0.4.16 source, so maybe the Fedora packagers modified it, but the most likely source is a filename, and the code seems fine.
There was, however, a memory corruption fix (https://bugzilla.gnome.org/show_bug.cgi?id=731227) that could well cause the code you reported to use a corrupt arena.

Comment 2 Christophe Fergeau 2015-01-30 10:33:07 UTC

Ripped one track to ogg/vorbis with no complaint from valgrind, so this seems to have been fixed.