After an evaluation, GNOME has moved from Bugzilla to GitLab. Learn more about GitLab.
No new issues can be reported in GNOME Bugzilla anymore.
To report an issue in a GNOME project, go to GNOME GitLab.
Do not go to GNOME Gitlab for: Bluefish, Doxygen, GnuCash, GStreamer, java-gnome, LDTP, NetworkManager, Tomboy.
Bug 655347 - theoradec: segfault on 0-byte ogg_packet in _chain_reverse
theoradec: segfault on 0-byte ogg_packet in _chain_reverse
Status: RESOLVED FIXED
Product: GStreamer
Classification: Platform
Component: gst-plugins-base
git master
Other Linux
: Normal normal
: 0.10.36
Assigned To: GStreamer Maintainers
GStreamer Maintainers
Depends on:
Blocks:
 
 
Reported: 2011-07-26 14:09 UTC by Philip Jägenstedt
Modified: 2011-08-03 09:06 UTC
See Also:
GNOME target: ---
GNOME version: ---

Attachments
quickfix (917 bytes, patch)
2011-07-26 14:11 UTC, Philip Jägenstedt 		committed Details | Review

Description Philip Jägenstedt 2011-07-26 14:09:49 UTC 
An ogg_packet can be 0 bytes and apparently this is used in Theora. The keyframe check in theora_dec_chain_reverse doesn't handle this and segfaults.

The input is svt2-44100Hz.ogv from http://bugzilla-attachments.gnome.org/attachment.cgi?id=192617 with a test case like this:

<video src="svt2-44100Hz.ogv" controls></video>
<script>
var v = document.querySelector('video');
v.onsuspend = function() {
  v.currentTime = v.duration;
  v.playbackRate = -1;
  v.play();
};
v.preload = "auto";
</script>

In other words, seek to the end and try playing backwards. There will be a zero-byte buffer on the gather queue.

It doesn't play very well even with this fix, but at least it doesn't crash.
Comment 1 Philip Jägenstedt 2011-07-26 14:11:23 UTC 
Created attachment 192669 [details] [review]
quickfix
Comment 2 Philip Jägenstedt 2011-07-26 14:27:27 UTC 
If one inspects oggdemux, one will find that the first empty packet is actually a Skeleton packet, which can be empty according to http://wiki.xiph.org/Ogg_Skeleton#Ogg_Skeleton_version_4.0_Format_Specification

I assume that later there are empty Theora packets, which is also OK according to #xiph on FreeNode.
Comment 3 David Schleef 2011-07-27 04:30:19 UTC 
Looks good.
Comment 4 Sebastian Dröge (slomo) 2011-08-03 08:03:30 UTC 
commit 7d22d91fca6b9f24ca205eef98031f1ed6a44d33
Author: Philip Jägenstedt <philipj@opera.com>
Date:   Tue Jul 26 16:10:17 2011 +0200

    theoradec: segfault on 0-byte ogg_packet in _chain_reverse