Bug 654634 – postproc: gst-inspect-0.10 -a aborts with gstpostproc.c:360:change_mode: assertion failed: (postproc->mode)

After an evaluation, GNOME has moved from Bugzilla to GitLab. Learn more about GitLab.
No new issues can be reported in GNOME Bugzilla anymore.
To report an issue in a GNOME project, go to GNOME GitLab.
Do not go to GNOME Gitlab for: Bluefish, Doxygen, GnuCash, GStreamer, java-gnome, LDTP, NetworkManager, Tomboy.

Bug 654634 - postproc: gst-inspect-0.10 -a aborts with gstpostproc.c:360:change_mode: assertion failed: (postproc->mode)


Summary:	postproc: gst-inspect-0.10 -a aborts with gstpostproc.c:360:change_mode: asse...


Status:	RESOLVED FIXED

Product:	GStreamer
Classification:	Platform
Component:	gst-libav
Version:	git master
Hardware:	Other Linux

Importance:	Normal blocker
Target Milestone:	0.10.13
Assigned To:	GStreamer Maintainers
QA Contact:	GStreamer Maintainers

URL:
Whiteboard:

Duplicates:	654664 654780 (view as bug list)
Depends on:
Blocks:

Reported:	2011-07-14 17:40 UTC by Tim-Philipp Müller
Modified:	2011-09-03 11:41 UTC

See Also:
GNOME target:	---
GNOME version:	---

Attachments
Gdb (with most of the gst-xmlinspect output excised) (4.11 KB, application/octet-stream) 2011-07-15 20:32 UTC, Chris Fahlman		Details
simple unit test for postproc (2.76 KB, patch) 2011-07-18 11:25 UTC, Tim-Philipp Müller	none	Details \| Review
postprocess.c: filter name needs to be double 0 terminated (1.23 KB, patch) 2011-08-24 14:31 UTC, Tim-Philipp Müller	committed	Details \| Review

Description Tim-Philipp Müller 2011-07-14 17:40:57 UTC

valgrind gst-inspect-0.10 -a 

0:00:03.373128733 29816      0x6a361b0 DEBUG               postproc gstpostproc.c:356:change_mode:<postproc_default@0x850c030> requesting pp de
0:00:03.390592056 29816      0x6a361b0 DEBUG               postproc :0:: pp: de
0:00:03.393197765 29816      0x6a361b0 DEBUG               postproc :0:: pp: de::de

==29816== Conditional jump or move depends on uninitialised value(s)
==29816==    at 0x4029158: strlen (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==29816==    by 0xABB1E33: pp_get_mode_by_name_and_quality (postprocess.c:820)
==29816==    by 0xABAC8D8: change_mode (gstpostproc.c:357)
==29816==    by 0xABAC9D0: gst_post_proc_init (gstpostproc.c:517)
==29816==    by 0x4D43442: g_type_create_instance (gtype.c:1889)
==29816==    by 0x4D20DFB: g_object_constructor (gobject.c:1615)
==29816==    by 0x4D23B18: g_object_newv (gobject.c:1479)
==29816==    by 0x4A69040: gst_element_factory_create (gstelementfactory.c:387)
==29816==    by 0x40547F: print_element_info (gst-inspect.c:1368)
==29816==    by 0x403FBE: main (gst-inspect.c:1086)
==29816== 
0:00:03.396783627 29816      0x6a361b0 DEBUG               postproc :0:: pp: hb::hb
0:00:03.397351995 29816      0x6a361b0 DEBUG               postproc :0:: pp: option: a
0:00:03.400305510 29816      0x6a361b0 DEBUG               postproc :0:: pp: vb::vb
0:00:03.400618119 29816      0x6a361b0 DEBUG               postproc :0:: pp: option: a
0:00:03.400852367 29816      0x6a361b0 DEBUG               postproc :0:: pp: dr::dr
0:00:03.401074672 29816      0x6a361b0 DEBUG               postproc :0:: pp: option: a

==29816== Use of uninitialised value of size 8
==29816==    at 0x5CFF6EE: strtok (strtok.S:142)
==29816==    by 0xABB1CAE: pp_get_mode_by_name_and_quality (postprocess.c:782)
==29816==    by 0xABAC8D8: change_mode (gstpostproc.c:357)
==29816==    by 0xABAC9D0: gst_post_proc_init (gstpostproc.c:517)

0:00:03.415087280 29816      0x6a361b0 DEBUG               postproc :0:: pp: ��)	::��)	

==29816== Conditional jump or move depends on uninitialised value(s)
==29816==    at 0xABB1F7E: pp_get_mode_by_name_and_quality (postprocess.c:834)
==29816==    by 0xABAC8D8: change_mode (gstpostproc.c:357)
==29816==    by 0xABAC9D0: gst_post_proc_init (gstpostproc.c:517)
==29816==    by 0x4D43442: g_type_create_instance (gtype.c:1889)
==29816==    by 0x4D20DFB: g_object_constructor (gobject.c:1615)
==29816==    by 0x4D23B18: g_object_newv (gobject.c:1479)
==29816==    by 0x4A69040: gst_element_factory_create (gstelementfactory.c:387)
==29816==    by 0x40547F: print_element_info (gst-inspect.c:1368)
==29816==    by 0x403FBE: main (gst-inspect.c:1086)
==29816== 
0:00:03.420375315 29816      0x6a361b0 DEBUG               postproc :0:: pp: lumMode=7, chromMode=7

0:00:03.421343454 29816      0x6a361b0 ERROR               postproc :0:: 1 errors in postprocess string "de"

**
ERROR:gstpostproc.c:360:change_mode: assertion failed: (postproc->mode)


Doesn't happen in gdb strangely enough.

Comment 1 Tim-Philipp Müller 2011-07-15 09:31:38 UTC

*** Bug 654664 has been marked as a duplicate of this bug. ***

Comment 2 Chris Fahlman 2011-07-15 20:32:45 UTC

Created attachment 192057 [details]
Gdb (with most of the gst-xmlinspect output excised)

Comment 3 Tim-Philipp Müller 2011-07-18 11:25:13 UTC

Created attachment 192176 [details] [review]
simple unit test for postproc

Minimal unit test that reproduces the issue for me. Somehow postproc gets to process garbage strings (looks like an issue in postproc at first glance).

Comment 4 Tim-Philipp Müller 2011-07-18 11:37:42 UTC

This 'fixes' / hides the bug btw:

diff --git a/libpostproc/postprocess.c b/libpostproc/postprocess.c
index dd50daf..2e88b4d 100644
--- a/libpostproc/postprocess.c
+++ b/libpostproc/postprocess.c
@@ -742,7 +742,7 @@ const char pp_help[] =
 
 pp_mode *pp_get_mode_by_name_and_quality(const char *name, int quality)
 {
-    char temp[GET_MODE_BUFFER_SIZE];
+    char temp[GET_MODE_BUFFER_SIZE] = { 0, };
     char *p= temp;
     static const char filterDelimiters[] = ",/";
     static const char optionDelimiters[] = ":";

Comment 5 Tim-Philipp Müller 2011-08-01 10:50:04 UTC

*** Bug 654780 has been marked as a duplicate of this bug. ***

Comment 6 Tim-Philipp Müller 2011-08-01 10:51:25 UTC

This bug affects any application that tries to create a postproc based element. We should really get it fixed and make another gst-ffmpeg release..

Comment 7 Vincent Penquerc'h 2011-08-05 09:32:46 UTC

This appears to have been fixed by commit 84fb4e9df737c856cca7767016110fc74bee56cb in ffmpeg.
It doesn't apply cleanly, but applying it by hand makes valgrind happy.
Part of that patch is to actually clear the temp buffer as you found.


From 84fb4e9df737c856cca7767016110fc74bee56cb Mon Sep 17 00:00:00 2001
From: Piotr Kaczuba <p.kaczuba@attika.ath.cx>
Date: Mon, 30 May 2011 13:19:35 +0200
Subject: [PATCH] postprocess.c: filter name needs to be double 0 terminated

---
 libpostproc/postprocess.c |    7 ++++---
 1 files changed, 4 insertions(+), 3 deletions(-)

diff --git a/libpostproc/postprocess.c b/libpostproc/postprocess.c
index b2c35f5..bfb96e1 100644
--- a/libpostproc/postprocess.c
+++ b/libpostproc/postprocess.c
@@ -86,6 +86,7 @@ try to unroll inner for(x=0 ... loop to avoid these damn if(x ... checks
 //#define DEBUG_BRIGHTNESS
 #include "postprocess.h"
 #include "postprocess_internal.h"
+#include "libavutil/avstring.h"
 
 unsigned postproc_version(void)
 {
@@ -766,8 +767,8 @@ pp_mode *pp_get_mode_by_name_and_quality(const char *name, int quality)
     ppMode->maxClippedThreshold= 0.01;
     ppMode->error=0;
 
-#undef strncpy
-    strncpy(temp, name, GET_MODE_BUFFER_SIZE);
+    memset(temp, 0, GET_MODE_BUFFER_SIZE);
+    av_strlcpy(temp, name, GET_MODE_BUFFER_SIZE - 1);
 
     av_log(NULL, AV_LOG_DEBUG, "pp: %s\n", name);
 
@@ -823,7 +824,7 @@ pp_mode *pp_get_mode_by_name_and_quality(const char *name, int quality)
 
                 plen= strlen(p);
                 spaceLeft= p - temp + plen;
-                if(spaceLeft + newlen  >= GET_MODE_BUFFER_SIZE){
+                if(spaceLeft + newlen  >= GET_MODE_BUFFER_SIZE - 1){
                     ppMode->error++;
                     break;
                 }
-- 
1.7.1

Comment 8 Felix Möller 2011-08-12 18:21:04 UTC

This issue has probably allready been seen by several Fedora users at https://bugzilla.redhat.com/show_bug.cgi?id=723498 ...

Comment 9 Tim-Philipp Müller 2011-08-24 11:34:45 UTC

I think we basically need this patch:

http://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=84fb4e9df737c856cca7767016110fc74bee56cb

cherry-picked into the libav.org release/0.7/ git branch, so we can update our checkout and make a new release.

Comment 10 Edward Hervey 2011-08-24 13:58:05 UTC

Please rebase that patch against current libav master and send the patch to the libav development mailing-list.

That's the only thing blocking it from going in the 0.7 branch.

Comment 11 Tim-Philipp Müller 2011-08-24 14:31:40 UTC

Created attachment 194604 [details] [review]
postprocess.c: filter name needs to be double 0 terminated

Rebased patch.

Comment 12 Tim-Philipp Müller 2011-09-03 11:41:09 UTC

commit 7b7928082b5d869f55f5d674930a610234aa8037
Author: Tim-Philipp Müller <tim.muller@collabora.co.uk>
Date:   Mon Jul 18 12:12:38 2011 +0100

    tests: add simple test for creating postproc elements
    
    https://bugzilla.gnome.org/show_bug.cgi?id=654634

commit 9d6f797f7a79c48d23f7c31fe4b267a7a5e8e0f9
Author: Tim-Philipp Müller <tim.muller@collabora.co.uk>
Date:   Sat Sep 3 12:30:26 2011 +0100

    Update internal libav snapshot to latest releases/0.7 tip for postproc fix
    
    https://bugzilla.gnome.org/show_bug.cgi?id=654634