Bug 610483 - [jpegdec] invalid memory access
Status: RESOLVED FIXED
Product: GStreamer
Classification: Platform
Component: gst-plugins-good
Version: 0.10.17
Hardware/OS: Other Windows
Importance: Normal blocker
Target Milestone: 0.10.19
Assigned To: GStreamer Maintainers
Depends on:
Blocks:
Reported: 2010-02-19 18:48 UTC by David Hoyt
Modified: 2010-02-22 19:56 UTC
See Also:
GNOME target: ---
GNOME version: ---


Attachments
gstjpegdec.c patch (650 bytes, patch), 2010-02-19 18:48 UTC, David Hoyt, status: committed

Description David Hoyt 2010-02-19 18:48:46 UTC
Created attachment 154234 [details] [review]
gstjpegdec.c patch

line 489 includes this code: d2[eseglen + 1] != 0x00

This caused a crash with jpeg frames coming off of a motion jpeg camera. It was very intermittent - only about once every 1-2 days. Presumably this was because of an invalid/corrupted frame. Unfortunately I haven't captured the frame in question, but this seems to have resolved it.
Comment 1 Tim-Philipp Müller 2010-02-20 23:46:42 UTC
We should look at that before the release. The code looks extremely similar to the code I fixed in jpegparse a few days ago. Shame we don't have a sample.
Comment 2 David Hoyt 2010-02-22 17:02:30 UTC
I've been running this patch for several days without a problem -- in fact, I'm running many instances of gst-launch using the patch and they're all still just fine. I'm running:

souphttpsrc location=http://.../ ! decodebin2 ! ffmpegcolorspace ! queue ! autovideosink
Comment 3 Sebastian Dröge (slomo) 2010-02-22 19:10:46 UTC
This patch is definitely correct. end is data + size, i.e. the first position that must not be read. Moving this check above the memory access makes sure that it never accesses that byte.
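The ordering problem Comment 3 describes, shown as an added C example (this is not the gstjpegdec.c code and not the attached patch; the function names, the sample frames and the exact loop shape are constructed for illustration). A JPEG entropy-coded segment is scanned for the next marker: 0xFF followed by 0x00 is a stuffed data byte, 0xFF followed by anything else is a real marker. Looking at d2[i + 1] is only valid while d2 + i + 1 < end, where end = data + size is the first address that must not be read, so the bounds test has to come before the reads, not after them.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Illustrative "before" (reconstructed pattern, not GStreamer's actual code):
 * d2[i] and d2[i + 1] are read BEFORE the position is compared with end.
 * On a truncated or corrupted frame that has no terminating marker, the loop
 * reads d2[i + 1] at end, i.e. one byte past the buffer.  Kept only for
 * comparison; never run this on untrusted input. */
static long
scan_segment_unsafe (const uint8_t *d2, size_t size)
{
  const uint8_t *end = d2 + size;
  size_t i = 0;

  while (!(d2[i] == 0xff && d2[i + 1] != 0x00) && d2 + i < end)
    i++;
  return (long) i;
}

/* Hardened form: check first, then read.  Returns the offset of the marker's
 * 0xFF byte, or -1 if the buffer ends without a marker (truncated/corrupt
 * frame: the caller should wait for more data or drop the frame rather than
 * keep parsing). */
static long
scan_segment_safe (const uint8_t *d2, size_t size)
{
  const uint8_t *end = d2 + size;
  size_t i = 0;

  /* d2 + i + 1 < end guarantees that both d2[i] and d2[i + 1] lie inside the
   * buffer; the loop stops when the next pair would touch end. */
  while (d2 + i + 1 < end) {
    if (d2[i] == 0xff && d2[i + 1] != 0x00)
      return (long) i;
    i++;
  }
  return -1;
}

/* Constructed sample inputs (not captured camera frames). */
static const uint8_t kFrameWithMarker[] = { 0x12, 0xff, 0x00, 0x34, 0xff, 0xd9 }; /* stuffed byte, then EOI at offset 4 */
static const uint8_t kTruncated[]       = { 0x12, 0xff, 0x00, 0x34, 0xff };       /* ends on a lone 0xFF: no complete marker */
static const uint8_t kNoMarker[]        = { 0x01, 0x02, 0x03 };                   /* pure scan data, no marker at all */

int
main (void)
{
  /* Well-formed input: both versions agree, no out-of-bounds read happens. */
  printf ("marker (unsafe) at %ld\n", scan_segment_unsafe (kFrameWithMarker, sizeof kFrameWithMarker));
  printf ("marker (safe)   at %ld\n", scan_segment_safe (kFrameWithMarker, sizeof kFrameWithMarker));

  /* Truncated/corrupt input: only the hardened version is called, because the
   * unsafe one would read past the end of the array here. */
  printf ("truncated frame -> %ld\n", scan_segment_safe (kTruncated, sizeof kTruncated));
  printf ("no marker       -> %ld\n", scan_segment_safe (kNoMarker, sizeof kNoMarker));
  return 0;
}
```

The difference between the two loops is only the order of the `&&` operands, which is exactly the kind of change that is hard to see in review and easy to hit only on the rare corrupted frame the reporter saw. A -1 return (or an equivalent "need more data" status) gives the caller a way to stop at a truncated segment instead of trusting a byte that was never part of the frame.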
Comment 4 Sebastian Dröge (slomo) 2010-02-22 19:56:13 UTC
commit ad05705afb0c7f29c28916e805a681588e821c03
Author: David Hoyt <dhoyt@llnl.gov>
Date:   Mon Feb 22 20:55:29 2010 +0100

    jpegdec: Fix invalid memory access by first checking and then reading
    
    Fixes bug #610483.