Bug 617885 - invalid write in modplug
Status: RESOLVED DUPLICATE of bug 614361
Product: GStreamer
Classification: Platform
Component: gst-plugins-bad
Version: git master
Hardware: Other Linux
Importance: Normal critical
Target Milestone: git master
Assigned To: GStreamer Maintainers
QA Contact: GStreamer Maintainers
Depends on:
Blocks:
Reported: 2010-05-06 11:44 UTC by Benjamin Otte (Company)
Modified: 2010-05-06 12:14 UTC
See Also:
GNOME target: ---
GNOME version: ---


Attachments
crashing file (243.24 KB, audio/x-mod)
2010-05-06 11:48 UTC, Benjamin Otte (Company)

Description Benjamin Otte (Company) 2010-05-06 11:44:35 UTC
The attached file causes an invalid write in modplug and that causes program crashes later on.

gst-launch playbin uri=file:///path/to/c.mod is enough to see it happen.

(Side note: This file doesn't crash in Jaunty (0.10.22 core and 0.10.11 plugins-bad).)
Comment 1 Benjamin Otte (Company) 2010-05-06 11:47:27 UTC
valgrind output:

==24133== Memcheck, a memory error detector
==24133== Copyright (C) 2002-2009, and GNU GPL'd, by Julian Seward et al.
==24133== Using Valgrind-3.5.0 and LibVEX; rerun with -h for copyright info
==24133== Command: gst-launch-0.10 playbin uri=file:///home/lvs/c.mod
==24133== 
Setting pipeline to PAUSED ...
Pipeline is PREROLLING ...
==24133== Thread 4:
==24133== Invalid write of size 8
==24133==    at 0xD167E6A: X86_Convert32To32(void*, int*, unsigned int, int*, int*) (in /usr/lib64/libmodplug.so.0.0.0)
==24133==    by 0xD158A04: CSoundFile::Read(void*, unsigned int) (in /usr/lib64/libmodplug.so.0.0.0)
==24133==    by 0xCF4A41A: ??? (in /usr/lib64/gstreamer-0.10/libgstmodplug.so)
==24133==    by 0x4CC8261: gst_task_func (gsttask.c:271)
==24133==    by 0x4CC94DD: default_func (gsttaskpool.c:68)
==24133==    by 0x5601B54: g_thread_pool_thread_proxy (gthreadpool.c:315)
==24133==    by 0x56003D4: g_thread_create_proxy (gthread.c:1893)
==24133==    by 0x3CD7C07760: start_thread (in /lib64/libpthread-2.12.so)
==24133==    by 0x1429370F: ???
==24133==  Address 0xddf4c40 is 0 bytes after a block of size 4,608 alloc'd
==24133==    at 0x4A04360: memalign (vg_replace_malloc.c:532)
==24133==    by 0x4A043B9: posix_memalign (vg_replace_malloc.c:660)
==24133==    by 0x4C5CCE5: aligned_malloc (gstbuffer.c:155)
==24133==    by 0x4C5D3F3: gst_buffer_try_new_and_alloc (gstbuffer.c:413)
==24133==    by 0x4C94B52: gst_pad_buffer_alloc_unchecked (gstpad.c:2936)
==24133==    by 0x4C94E43: gst_pad_alloc_buffer_full (gstpad.c:2977)
==24133==    by 0x4C952AA: gst_pad_alloc_buffer (gstpad.c:3088)
==24133==    by 0x4C7BB95: gst_proxy_pad_do_bufferalloc (gstghostpad.c:149)
==24133==    by 0x4C94970: gst_pad_buffer_alloc_unchecked (gstpad.c:2900)
==24133==    by 0x4C94E43: gst_pad_alloc_buffer_full (gstpad.c:2977)
==24133==    by 0x4C952AA: gst_pad_alloc_buffer (gstpad.c:3088)
==24133==    by 0xC3BABC8: gst_base_transform_buffer_alloc (gstbasetransform.c:1673)
==24133==
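
Added example (not part of the bug report or of GStreamer/libmodplug): a small triage parser for Memcheck "Invalid read/write" records, run over lines abridged from the trace above. The names parse_memcheck and triage are hypothetical; the point is to pull out which library performed the write and which code allocated the block it overran.

```python
import re

# Sample input: lines taken from the Memcheck trace above, abridged.
REPORT = """\
==24133== Thread 4:
==24133== Invalid write of size 8
==24133==    at 0xD167E6A: X86_Convert32To32(void*, int*, unsigned int, int*, int*) (in /usr/lib64/libmodplug.so.0.0.0)
==24133==    by 0xD158A04: CSoundFile::Read(void*, unsigned int) (in /usr/lib64/libmodplug.so.0.0.0)
==24133==    by 0xCF4A41A: ??? (in /usr/lib64/gstreamer-0.10/libgstmodplug.so)
==24133==  Address 0xddf4c40 is 0 bytes after a block of size 4,608 alloc'd
==24133==    at 0x4A04360: memalign (vg_replace_malloc.c:532)
==24133==    by 0x4C5CCE5: aligned_malloc (gstbuffer.c:155)
==24133==    by 0x4C5D3F3: gst_buffer_try_new_and_alloc (gstbuffer.c:413)
==24133==
"""

PREFIX = re.compile(r"^==\d+== ?")
ERROR = re.compile(r"^Invalid (read|write) of size (\d+)$")
FRAME = re.compile(r"^\s+(?:at|by) 0x[0-9A-Fa-f]+: (.+?) \((?:in )?([^()]+)\)$")
BLOCK = re.compile(r"^\s*Address 0x[0-9a-fA-F]+ is ([\d,]+) bytes "
                   r"(after|before|inside) a block of size ([\d,]+) (alloc'd|free'd)$")

def parse_memcheck(text):
    """Return one dict per 'Invalid read/write' record in a Memcheck log."""
    errors, cur, stack = [], None, None
    for raw in text.splitlines():
        line = PREFIX.sub("", raw)
        if m := ERROR.match(line):
            cur = {"op": m[1], "size": int(m[2]), "access": [], "block": None, "origin": []}
            stack = cur["access"]          # frames up to the Address line
            errors.append(cur)
        elif cur and (m := BLOCK.match(line)):
            cur["block"] = {"offset": int(m[1].replace(",", "")), "where": m[2],
                            "size": int(m[3].replace(",", "")), "state": m[4]}
            stack = cur["origin"]          # later frames describe the heap block
        elif cur and (m := FRAME.match(line)):
            stack.append((m[1], m[2]))     # (function, object file or source:line)
        elif not line.strip():
            cur = None                     # an empty Memcheck line ends the record
    return errors

def triage(err):
    """Label a record by where the access landed relative to the heap block."""
    b = err["block"]
    if b is None:
        return "no-heap-block"
    if b["state"] == "free'd":
        return "use-after-free"
    return {"after": "heap-overflow", "before": "heap-underflow", "inside": "in-block"}[b["where"]]
```

For this trace the writer is in libmodplug.so while the 4,608-byte block comes from GStreamer's buffer allocation, so the record points at a mismatch between the buffer size the element requested and the amount the library wrote.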
Comment 2 Benjamin Otte (Company) 2010-05-06 11:48:05 UTC
Created attachment 160424
crashing file
Comment 3 Benjamin Otte (Company) 2010-05-06 11:48:46 UTC
And I forgot to say that this is filed downstream as https://bugzilla.redhat.com/show_bug.cgi?id=589463
Comment 4 Sebastian Dröge (slomo) 2010-05-06 12:14:11 UTC

*** This bug has been marked as a duplicate of bug 614361 ***