GNOME Bugzilla – Bug 759910
typefind: AAC/ADTS typefinding reads over array bounds
Last modified: 2015-12-28 11:52:50 UTC
Created attachment 317937 [details]
sample code and screenshots with debug info - stack and locals.

In my app I need to monitor several internet AAC audio streams to see whether they are online. For this task I use GstDiscoverer. I check the audio streams every 1-2 seconds. And every time my app is running, eventually it crashes with a segmentation fault during the GstDiscoverer check. I tried both the sync and async methods of calling GstDiscoverer (gst_discoverer_discover_uri(), gst_discoverer_discover_uri_async()); both behave the same way.

The crash happens in the aac_type_find() function from gsttypefindfunctions.c on line 1122 (second line of code below):

    len = ((c.data[offset + 3] & 0x03) << 11) | (c.data[offset + 4] << 3) |
        ((c.data[offset + 5] & 0xe0) >> 5);

As I discovered from the debug information about the local variables, the offset variable is greater than c.size, so c.data[offset] is out of range; I think that's why the segmentation fault happens. This does not happen regularly: the program can run for several hours or for ten minutes. So there is some probability of a crash on each call to aac_type_find().

I tried GStreamer versions 1.6.1 and the latest 1.6.2; the bug exists in both. I can reproduce the bug only on Windows (tried XP and 7); on Mac OS X everything works fine. On Linux I didn't try. Maybe it is some Windows-related bug.
Running valgrind with "gst-discoverer-1.0 http://193.29.200.243:8000/nashe.aac" also shows suspicious warnings in that code. It apparently reads over the array boundaries there.

==25826== Conditional jump or move depends on uninitialised value(s)
==25826==    at 0x1226CFEE: aac_type_find (gsttypefindfunctions.c:1123)
==25826==    by 0x5A88EED: gst_type_find_factory_call_function (gsttypefindfactory.c:215)
==25826==    by 0x57C9CB0: gst_type_find_helper_for_data (gsttypefindhelper.c:535)
==25826==    by 0x57C9E03: gst_type_find_helper_for_buffer (gsttypefindhelper.c:591)
==25826==    by 0x1205BC26: gst_icydemux_typefind_or_forward (gsticydemux.c:468)
==25826==    by 0x1205C2F6: gst_icydemux_chain (gsticydemux.c:577)
==25826==    by 0x5A532B1: gst_pad_chain_data_unchecked (gstpad.c:4153)
==25826==    by 0x5A532B1: gst_pad_push_data (gstpad.c:4405)
==25826==    by 0x5A5B472: gst_pad_push (gstpad.c:4524)
==25826==    by 0x5A532B1: gst_pad_chain_data_unchecked (gstpad.c:4153)
==25826==    by 0x5A532B1: gst_pad_push_data (gstpad.c:4405)
==25826==    by 0x5A5B472: gst_pad_push (gstpad.c:4524)
==25826==    by 0x5A44722: gst_proxy_pad_chain_default (gstghostpad.c:126)
==25826==    by 0x5A532B1: gst_pad_chain_data_unchecked (gstpad.c:4153)
==25826==    by 0x5A532B1: gst_pad_push_data (gstpad.c:4405)
==25826==  Uninitialised value was created by a heap allocation
==25826==    at 0x4C29C4F: malloc (vg_replace_malloc.c:299)
==25826==    by 0x5FAF558: g_malloc (in /lib/x86_64-linux-gnu/libglib-2.0.so.0.4600.2)
==25826==    by 0x5FC6742: g_slice_alloc (in /lib/x86_64-linux-gnu/libglib-2.0.so.0.4600.2)
==25826==    by 0x5A1EB8A: gst_buffer_new (gstbuffer.c:714)
==25826==    by 0x5A1FD82: gst_buffer_new_allocate (gstbuffer.c:762)
==25826==    by 0x57AE674: gst_base_src_default_alloc (gstbasesrc.c:1435)
==25826==    by 0x9E0C6CD: gst_soup_http_src_chunk_allocator (gstsouphttpsrc.c:1432)
==25826==    by 0xA07DB86: ??? (in /usr/lib/x86_64-linux-gnu/libsoup-2.4.so.1.7.0)
==25826==    by 0xA07DFEF: ??? (in /usr/lib/x86_64-linux-gnu/libsoup-2.4.so.1.7.0)
==25826==    by 0xA07EC34: ??? (in /usr/lib/x86_64-linux-gnu/libsoup-2.4.so.1.7.0)
==25826==    by 0xA07EE8A: ??? (in /usr/lib/x86_64-linux-gnu/libsoup-2.4.so.1.7.0)
==25826==    by 0x5FA9E89: g_main_context_dispatch (in /lib/x86_64-linux-gnu/libglib-2.0.so.0.4600.2)
==25826== 
==25826== Conditional jump or move depends on uninitialised value(s)
==25826==    at 0x12260291: data_scan_ctx_ensure_data (gsttypefindfunctions.c:81)
==25826==    by 0x1226D002: aac_type_find (gsttypefindfunctions.c:1123)
==25826==    by 0x5A88EED: gst_type_find_factory_call_function (gsttypefindfactory.c:215)
==25826==    by 0x57C9CB0: gst_type_find_helper_for_data (gsttypefindhelper.c:535)
==25826==    by 0x57C9E03: gst_type_find_helper_for_buffer (gsttypefindhelper.c:591)
==25826==    by 0x1205BC26: gst_icydemux_typefind_or_forward (gsticydemux.c:468)
==25826==    by 0x1205C2F6: gst_icydemux_chain (gsticydemux.c:577)
==25826==    by 0x5A532B1: gst_pad_chain_data_unchecked (gstpad.c:4153)
==25826==    by 0x5A532B1: gst_pad_push_data (gstpad.c:4405)
==25826==    by 0x5A5B472: gst_pad_push (gstpad.c:4524)
==25826==    by 0x5A532B1: gst_pad_chain_data_unchecked (gstpad.c:4153)
==25826==    by 0x5A532B1: gst_pad_push_data (gstpad.c:4405)
==25826==    by 0x5A5B472: gst_pad_push (gstpad.c:4524)
==25826==    by 0x5A44722: gst_proxy_pad_chain_default (gstghostpad.c:126)
==25826==  Uninitialised value was created by a heap allocation
==25826==    at 0x4C29C4F: malloc (vg_replace_malloc.c:299)
==25826==    by 0x5FAF558: g_malloc (in /lib/x86_64-linux-gnu/libglib-2.0.so.0.4600.2)
==25826==    by 0x5FC6742: g_slice_alloc (in /lib/x86_64-linux-gnu/libglib-2.0.so.0.4600.2)
==25826==    by 0x5A1EB8A: gst_buffer_new (gstbuffer.c:714)
==25826==    by 0x5A1FD82: gst_buffer_new_allocate (gstbuffer.c:762)
==25826==    by 0x57AE674: gst_base_src_default_alloc (gstbasesrc.c:1435)
==25826==    by 0x9E0C6CD: gst_soup_http_src_chunk_allocator (gstsouphttpsrc.c:1432)
==25826==    by 0xA07DB86: ??? (in /usr/lib/x86_64-linux-gnu/libsoup-2.4.so.1.7.0)
==25826==    by 0xA07DFEF: ??? (in /usr/lib/x86_64-linux-gnu/libsoup-2.4.so.1.7.0)
==25826==    by 0xA07EC34: ??? (in /usr/lib/x86_64-linux-gnu/libsoup-2.4.so.1.7.0)
==25826==    by 0xA07EE8A: ??? (in /usr/lib/x86_64-linux-gnu/libsoup-2.4.so.1.7.0)
==25826==    by 0x5FA9E89: g_main_context_dispatch (in /lib/x86_64-linux-gnu/libglib-2.0.so.0.4600.2)
==25826== 
==25826== Conditional jump or move depends on uninitialised value(s)
==25826==    at 0x57C9695: buf_helper_find_peek (gsttypefindhelper.c:441)
==25826==    by 0x122602B6: data_scan_ctx_ensure_data (gsttypefindfunctions.c:84)
==25826==    by 0x1226D002: aac_type_find (gsttypefindfunctions.c:1123)
==25826==    by 0x5A88EED: gst_type_find_factory_call_function (gsttypefindfactory.c:215)
==25826==    by 0x57C9CB0: gst_type_find_helper_for_data (gsttypefindhelper.c:535)
==25826==    by 0x57C9E03: gst_type_find_helper_for_buffer (gsttypefindhelper.c:591)
==25826==    by 0x1205BC26: gst_icydemux_typefind_or_forward (gsticydemux.c:468)
==25826==    by 0x1205C2F6: gst_icydemux_chain (gsticydemux.c:577)
==25826==    by 0x5A532B1: gst_pad_chain_data_unchecked (gstpad.c:4153)
==25826==    by 0x5A532B1: gst_pad_push_data (gstpad.c:4405)
==25826==    by 0x5A5B472: gst_pad_push (gstpad.c:4524)
==25826==    by 0x5A532B1: gst_pad_chain_data_unchecked (gstpad.c:4153)
==25826==    by 0x5A532B1: gst_pad_push_data (gstpad.c:4405)
==25826==    by 0x5A5B472: gst_pad_push (gstpad.c:4524)
==25826==  Uninitialised value was created by a heap allocation
==25826==    at 0x4C29C4F: malloc (vg_replace_malloc.c:299)
==25826==    by 0x5FAF558: g_malloc (in /lib/x86_64-linux-gnu/libglib-2.0.so.0.4600.2)
==25826==    by 0x5FC6742: g_slice_alloc (in /lib/x86_64-linux-gnu/libglib-2.0.so.0.4600.2)
==25826==    by 0x5A1EB8A: gst_buffer_new (gstbuffer.c:714)
==25826==    by 0x5A1FD82: gst_buffer_new_allocate (gstbuffer.c:762)
==25826==    by 0x57AE674: gst_base_src_default_alloc (gstbasesrc.c:1435)
==25826==    by 0x9E0C6CD: gst_soup_http_src_chunk_allocator (gstsouphttpsrc.c:1432)
==25826==    by 0xA07DB86: ??? (in /usr/lib/x86_64-linux-gnu/libsoup-2.4.so.1.7.0)
==25826==    by 0xA07DFEF: ??? (in /usr/lib/x86_64-linux-gnu/libsoup-2.4.so.1.7.0)
==25826==    by 0xA07EC34: ??? (in /usr/lib/x86_64-linux-gnu/libsoup-2.4.so.1.7.0)
==25826==    by 0xA07EE8A: ??? (in /usr/lib/x86_64-linux-gnu/libsoup-2.4.so.1.7.0)
==25826==    by 0x5FA9E89: g_main_context_dispatch (in /lib/x86_64-linux-gnu/libglib-2.0.so.0.4600.2)
==25826== 
==25826== Conditional jump or move depends on uninitialised value(s)
==25826==    at 0x57C96A4: buf_helper_find_peek (gsttypefindhelper.c:450)
==25826==    by 0x122602B6: data_scan_ctx_ensure_data (gsttypefindfunctions.c:84)
==25826==    by 0x1226D002: aac_type_find (gsttypefindfunctions.c:1123)
==25826==    by 0x5A88EED: gst_type_find_factory_call_function (gsttypefindfactory.c:215)
==25826==    by 0x57C9CB0: gst_type_find_helper_for_data (gsttypefindhelper.c:535)
==25826==    by 0x57C9E03: gst_type_find_helper_for_buffer (gsttypefindhelper.c:591)
==25826==    by 0x1205BC26: gst_icydemux_typefind_or_forward (gsticydemux.c:468)
==25826==    by 0x1205C2F6: gst_icydemux_chain (gsticydemux.c:577)
==25826==    by 0x5A532B1: gst_pad_chain_data_unchecked (gstpad.c:4153)
==25826==    by 0x5A532B1: gst_pad_push_data (gstpad.c:4405)
==25826==    by 0x5A5B472: gst_pad_push (gstpad.c:4524)
==25826==    by 0x5A532B1: gst_pad_chain_data_unchecked (gstpad.c:4153)
==25826==    by 0x5A532B1: gst_pad_push_data (gstpad.c:4405)
==25826==    by 0x5A5B472: gst_pad_push (gstpad.c:4524)
==25826==  Uninitialised value was created by a heap allocation
==25826==    at 0x4C29C4F: malloc (vg_replace_malloc.c:299)
==25826==    by 0x5FAF558: g_malloc (in /lib/x86_64-linux-gnu/libglib-2.0.so.0.4600.2)
==25826==    by 0x5FC6742: g_slice_alloc (in /lib/x86_64-linux-gnu/libglib-2.0.so.0.4600.2)
==25826==    by 0x5A1EB8A: gst_buffer_new (gstbuffer.c:714)
==25826==    by 0x5A1FD82: gst_buffer_new_allocate (gstbuffer.c:762)
==25826==    by 0x57AE674: gst_base_src_default_alloc (gstbasesrc.c:1435)
==25826==    by 0x9E0C6CD: gst_soup_http_src_chunk_allocator (gstsouphttpsrc.c:1432)
==25826==    by 0xA07DB86: ??? (in /usr/lib/x86_64-linux-gnu/libsoup-2.4.so.1.7.0)
==25826==    by 0xA07DFEF: ??? (in /usr/lib/x86_64-linux-gnu/libsoup-2.4.so.1.7.0)
==25826==    by 0xA07EC34: ??? (in /usr/lib/x86_64-linux-gnu/libsoup-2.4.so.1.7.0)
==25826==    by 0xA07EE8A: ??? (in /usr/lib/x86_64-linux-gnu/libsoup-2.4.so.1.7.0)
==25826==    by 0x5FA9E89: g_main_context_dispatch (in /lib/x86_64-linux-gnu/libglib-2.0.so.0.4600.2)
==25826== 
==25826== Conditional jump or move depends on uninitialised value(s)
==25826==    at 0x57C9695: buf_helper_find_peek (gsttypefindhelper.c:441)
==25826==    by 0x122602FC: data_scan_ctx_ensure_data (gsttypefindfunctions.c:101)
==25826==    by 0x1226D002: aac_type_find (gsttypefindfunctions.c:1123)
==25826==    by 0x5A88EED: gst_type_find_factory_call_function (gsttypefindfactory.c:215)
==25826==    by 0x57C9CB0: gst_type_find_helper_for_data (gsttypefindhelper.c:535)
==25826==    by 0x57C9E03: gst_type_find_helper_for_buffer (gsttypefindhelper.c:591)
==25826==    by 0x1205BC26: gst_icydemux_typefind_or_forward (gsticydemux.c:468)
==25826==    by 0x1205C2F6: gst_icydemux_chain (gsticydemux.c:577)
==25826==    by 0x5A532B1: gst_pad_chain_data_unchecked (gstpad.c:4153)
==25826==    by 0x5A532B1: gst_pad_push_data (gstpad.c:4405)
==25826==    by 0x5A5B472: gst_pad_push (gstpad.c:4524)
==25826==    by 0x5A532B1: gst_pad_chain_data_unchecked (gstpad.c:4153)
==25826==    by 0x5A532B1: gst_pad_push_data (gstpad.c:4405)
==25826==    by 0x5A5B472: gst_pad_push (gstpad.c:4524)
==25826==  Uninitialised value was created by a heap allocation
==25826==    at 0x4C29C4F: malloc (vg_replace_malloc.c:299)
==25826==    by 0x5FAF558: g_malloc (in /lib/x86_64-linux-gnu/libglib-2.0.so.0.4600.2)
==25826==    by 0x5FC6742: g_slice_alloc (in /lib/x86_64-linux-gnu/libglib-2.0.so.0.4600.2)
==25826==    by 0x5A1EB8A: gst_buffer_new (gstbuffer.c:714)
==25826==    by 0x5A1FD82: gst_buffer_new_allocate (gstbuffer.c:762)
==25826==    by 0x57AE674: gst_base_src_default_alloc (gstbasesrc.c:1435)
==25826==    by 0x9E0C6CD: gst_soup_http_src_chunk_allocator (gstsouphttpsrc.c:1432)
==25826==    by 0xA07DB86: ??? (in /usr/lib/x86_64-linux-gnu/libsoup-2.4.so.1.7.0)
==25826==    by 0xA07DFEF: ??? (in /usr/lib/x86_64-linux-gnu/libsoup-2.4.so.1.7.0)
==25826==    by 0xA07EC34: ??? (in /usr/lib/x86_64-linux-gnu/libsoup-2.4.so.1.7.0)
==25826==    by 0xA07EE8A: ??? (in /usr/lib/x86_64-linux-gnu/libsoup-2.4.so.1.7.0)
==25826==    by 0x5FA9E89: g_main_context_dispatch (in /lib/x86_64-linux-gnu/libglib-2.0.so.0.4600.2)
==25826== 
==25826== Conditional jump or move depends on uninitialised value(s)
==25826==    at 0x57C96A4: buf_helper_find_peek (gsttypefindhelper.c:450)
==25826==    by 0x122602FC: data_scan_ctx_ensure_data (gsttypefindfunctions.c:101)
==25826==    by 0x1226D002: aac_type_find (gsttypefindfunctions.c:1123)
==25826==    by 0x5A88EED: gst_type_find_factory_call_function (gsttypefindfactory.c:215)
==25826==    by 0x57C9CB0: gst_type_find_helper_for_data (gsttypefindhelper.c:535)
==25826==    by 0x57C9E03: gst_type_find_helper_for_buffer (gsttypefindhelper.c:591)
==25826==    by 0x1205BC26: gst_icydemux_typefind_or_forward (gsticydemux.c:468)
==25826==    by 0x1205C2F6: gst_icydemux_chain (gsticydemux.c:577)
==25826==    by 0x5A532B1: gst_pad_chain_data_unchecked (gstpad.c:4153)
==25826==    by 0x5A532B1: gst_pad_push_data (gstpad.c:4405)
==25826==    by 0x5A5B472: gst_pad_push (gstpad.c:4524)
==25826==    by 0x5A532B1: gst_pad_chain_data_unchecked (gstpad.c:4153)
==25826==    by 0x5A532B1: gst_pad_push_data (gstpad.c:4405)
==25826==    by 0x5A5B472: gst_pad_push (gstpad.c:4524)
==25826==  Uninitialised value was created by a heap allocation
==25826==    at 0x4C29C4F: malloc (vg_replace_malloc.c:299)
==25826==    by 0x5FAF558: g_malloc (in /lib/x86_64-linux-gnu/libglib-2.0.so.0.4600.2)
==25826==    by 0x5FC6742: g_slice_alloc (in /lib/x86_64-linux-gnu/libglib-2.0.so.0.4600.2)
==25826==    by 0x5A1EB8A: gst_buffer_new (gstbuffer.c:714)
==25826==    by 0x5A1FD82: gst_buffer_new_allocate (gstbuffer.c:762)
==25826==    by 0x57AE674: gst_base_src_default_alloc (gstbasesrc.c:1435)
==25826==    by 0x9E0C6CD: gst_soup_http_src_chunk_allocator (gstsouphttpsrc.c:1432)
==25826==    by 0xA07DB86: ??? (in /usr/lib/x86_64-linux-gnu/libsoup-2.4.so.1.7.0)
==25826==    by 0xA07DFEF: ??? (in /usr/lib/x86_64-linux-gnu/libsoup-2.4.so.1.7.0)
==25826==    by 0xA07EC34: ??? (in /usr/lib/x86_64-linux-gnu/libsoup-2.4.so.1.7.0)
==25826==    by 0xA07EE8A: ??? (in /usr/lib/x86_64-linux-gnu/libsoup-2.4.so.1.7.0)
==25826==    by 0x5FA9E89: g_main_context_dispatch (in /lib/x86_64-linux-gnu/libglib-2.0.so.0.4600.2)
Created attachment 317962 [details] [review]
typefindfunctions: Make sure that enough data is available in AAC/ADTS typefinder

We would otherwise read beyond the array bounds and crash every now and then.

This was introduced with 5640ba17c8db80976b7718904e4024dcfe9ee1a0.
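The bug report quotes the 13-bit ADTS frame_length expression and observes that offset had moved past c.size when it was evaluated, and the patch description says the fix is to make sure enough data is available first. The following C is an added example, not code from the report, the attachment or GStreamer: it reuses that frame_length expression, the usual ADTS syncword/layer test, and a frame-chaining walk (read length, jump to offset + length, re-check the syncword) to show why a stream chunk that ends in the middle of the next header makes the unchecked read run past the buffer, and what the same walk looks like with the bounds check in front of the read. Function names, the adts_walk result type and the 19-byte sample chunk are this example's own constructions, not the typefinder's.

```c
/* Added example, not GStreamer code: a chained ADTS header walk with the
 * bounds check performed before the frame_length bytes are read. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define ADTS_LEN_FIELD_END 6   /* frame_length lives in bytes 3..5, so 6 bytes must exist */
#define ADTS_HEADER_LEN    7   /* fixed ADTS header without CRC */

typedef enum { ADTS_OK, ADTS_NO_SYNC, ADTS_NEED_DATA } adts_status;

typedef struct {
    unsigned frames;    /* headers verified in sequence */
    size_t   stop;      /* offset at which the walk stopped */
    bool     truncated; /* stopped because fewer than 6 bytes remained at `stop` */
} adts_walk;

/* 12-bit syncword 0xFFF with layer == 00, the usual ADTS sync test. */
static bool adts_is_sync(const uint8_t *p)
{
    return p[0] == 0xFF && (p[1] & 0xF6) == 0xF0;
}

/* The 13-bit frame_length expression quoted in the bug report, evaluated only
 * after the caller has proven that p[3..5] lie inside the buffer. */
static unsigned adts_frame_length(const uint8_t *p)
{
    return ((p[3] & 0x03) << 11) | (p[4] << 3) | ((p[5] & 0xE0) >> 5);
}

/* Bounds-checked header read: never touches data[offset + 5] unless offset + 6 <= size. */
static adts_status adts_read_header(const uint8_t *data, size_t size,
                                    size_t offset, unsigned *len)
{
    if (offset > size || size - offset < ADTS_LEN_FIELD_END)
        return ADTS_NEED_DATA;          /* the unchecked code would read past the end here */
    if (!adts_is_sync(data + offset))
        return ADTS_NO_SYNC;
    *len = adts_frame_length(data + offset);
    return ADTS_OK;
}

/* Bytes past the end that the unchecked expression would read at `offset`,
 * computed arithmetically so nothing is dereferenced. */
static size_t adts_overrun_bytes(size_t size, size_t offset)
{
    return offset + ADTS_LEN_FIELD_END > size ? offset + ADTS_LEN_FIELD_END - size : 0;
}

/* Chain frames the way a typefinder does: read a length, jump, re-check the syncword. */
static adts_walk adts_walk_frames(const uint8_t *data, size_t size)
{
    adts_walk w = { 0, 0, false };
    for (;;) {
        unsigned len;
        adts_status st = adts_read_header(data, size, w.stop, &len);
        if (st == ADTS_NEED_DATA) { w.truncated = true; return w; }
        if (st == ADTS_NO_SYNC || len < ADTS_HEADER_LEN)
            return w;                   /* not ADTS, or a length that cannot be a frame */
        w.frames++;
        w.stop += len;
    }
}

/* Constructed sample (not captured from any stream): one complete 16-byte frame
 * (MPEG-4 AAC LC, 44.1 kHz, stereo, frame_length = 16) followed by only the first
 * 3 bytes of a second frame, as a chunk that ends mid-header would look. */
static const uint8_t SAMPLE_TRUNCATED[] = {
    0xFF, 0xF1, 0x50, 0x80, 0x02, 0x1F, 0xFC, 0, 0, 0, 0, 0, 0, 0, 0, 0,
    0xFF, 0xF1, 0x50
};

int main(void)
{
    adts_walk w = adts_walk_frames(SAMPLE_TRUNCATED, sizeof SAMPLE_TRUNCATED);
    printf("verified %u frame(s), stopped at offset %zu, truncated=%d\n",
           w.frames, w.stop, (int) w.truncated);
    printf("an unchecked read at that offset would run %zu byte(s) past the end\n",
           adts_overrun_bytes(sizeof SAMPLE_TRUNCATED, w.stop));
    return 0;
}
```

On the sample chunk the first header is verified and the walk jumps to offset 16, where only 3 bytes remain; the checked read reports ADTS_NEED_DATA instead of evaluating the expression, while the arithmetic helper shows the unchecked expression would have read 3 bytes beyond the allocation (data[19..21]). That is the situation the reporter saw in the debugger, offset past c.size, and it is why the check has to come before the frame_length read rather than after it: with a live network source the chunk boundary falls wherever the HTTP body happens to be split, which is what made the crash intermittent.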
The regression was introduced by the fix to bug #691462
Comment on attachment 317962 [details] [review]
typefindfunctions: Make sure that enough data is available in AAC/ADTS typefinder

Looks good to me. Should go into 1.6 as well.
Attachment 317962 [details] pushed as 0416f12 - typefindfunctions: Make sure that enough data is available in AAC/ADTS typefinder
Also merged into 1.6, will be in 1.7.2 and 1.6.3.