Bug 686358 - tsdemux: fix potential crash dereferencing NULL program pointer
Status: RESOLVED FIXED
Product: GStreamer
Classification: Platform
Component: gst-plugins-bad
Version: unspecified
Hardware: Other All
Importance: Normal critical
Target Milestone: 1.0.2
Assigned To: GStreamer Maintainers
QA Contact: GStreamer Maintainers
Depends on:
Blocks:
Reported: 2012-10-18 09:37 UTC by Andoni Morales
Modified: 2012-10-18 17:19 UTC
See Also:
GNOME target: ---
GNOME version: ---


Attachments
tsdemux: fix potential usage of NULL pointer (856 bytes, patch)
2012-10-18 09:38 UTC, Andoni Morales
Status: none
tsdemux: fix potential usage of NULL pointer (887 bytes, patch)
2012-10-18 15:33 UTC, Andoni Morales
Status: committed

Description Andoni Morales 2012-10-18 09:37:59 UTC
Under some circumstances, push_pending_data might be called
after program_stopped and demux->program is NULL

Program received signal SIGSEGV, Segmentation fault.
[Cambiando a Thread 0x7fffe8d32700 (LWP 27533)]
0x00007fffe8023e34 in gst_ts_demux_push_pending_data (demux=0x7fffed77ea80, stream=0x7fffe4055e00) at tsdemux.c:1511
1511	        mpegts_packetizer_pts_to_ts (packetizer, stream->pts,
(gdb) bt
Comment 1 Andoni Morales 2012-10-18 09:38:01 UTC
Created attachment 226718
tsdemux: fix potential usage of NULL pointer
Comment 2 Andoni Morales 2012-10-18 10:05:58 UTC
The backtrace was not added properly

[Cambiando a Thread 0x7fffe8d32700 (LWP 26261)]
0x00007fffe8023e34 in gst_ts_demux_push_pending_data (demux=0x7fffed77ea80, stream=0x7fffe4055e00) at tsdemux.c:1511
1511	        mpegts_packetizer_pts_to_ts (packetizer, stream->pts,
(gdb) bt
  • #0 gst_ts_demux_push_pending_data
    at tsdemux.c line 1511
  • #1 gst_ts_demux_stream_removed
    at tsdemux.c line 1027
  • #2 mpegts_base_program_remove_stream
    at mpegtsbase.c line 591
  • #3 mpegts_base_deactivate_program
    at mpegtsbase.c line 696
  • #4 remove_each_program
    at mpegtsbase.c line 1302
  • #5 g_hash_table_foreach_remove_or_steal
    from /home/andoni/cerbero/dist/linux_x86_64/lib/libglib-2.0.so.0
  • #6 g_hash_table_foreach_remove
    from /home/andoni/cerbero/dist/linux_x86_64/lib/libglib-2.0.so.0
  • #7 gst_mpegts_base_handle_eos
    at mpegtsbase.c line 1313
  • #8 mpegts_base_sink_event
    at mpegtsbase.c line 1350
  • #9 gst_pad_send_event_unchecked
    at gstpad.c line 4821
  • #10 gst_pad_push_event_unchecked
    at gstpad.c line 4514
  • #11 push_sticky
    at gstpad.c line 3285
  • #12 events_foreach
    at gstpad.c line 514
  • #13 check_sticky
    at gstpad.c line 3333
  • #14 gst_pad_push_event
    at gstpad.c line 4635
  • #15 gst_type_find_element_sink_event
    at gsttypefindelement.c line 657
  • #16 gst_pad_send_event_unchecked
    at gstpad.c line 4821
  • #17 gst_pad_push_event_unchecked
    at gstpad.c line 4514
  • #18 push_sticky
    at gstpad.c line 3285
  • #19 events_foreach
    at gstpad.c line 514
  • #20 check_sticky
    at gstpad.c line 3333
  • #21 gst_pad_push_event
    at gstpad.c line 4635
  • #22 event_forward_func
    at gstpad.c line 2719
  • #23 gst_pad_forward
    at gstpad.c line 2673
  • #24 gst_pad_event_default
    at gstpad.c line 2770
  • #25 gst_pad_send_event_unchecked
    at gstpad.c line 4821
  • #26 gst_pad_push_event_unchecked
    at gstpad.c line 4514
  • #27 push_sticky
    at gstpad.c line 3285
  • #28 events_foreach
    at gstpad.c line 514
  • #29 check_sticky
    at gstpad.c line 3333
  • #30 gst_pad_push_event
    at gstpad.c line 4635
  • #31 gst_base_src_loop
    at gstbasesrc.c line 2768
  • #32 gst_task_func
    at gsttask.c line 316
  • #33 g_thread_pool_thread_proxy
    from /home/andoni/cerbero/dist/linux_x86_64/lib/libglib-2.0.so.0
  • #34 g_thread_proxy
    from /home/andoni/cerbero/dist/linux_x86_64/lib/libglib-2.0.so.0
  • #35 start_thread
    at pthread_create.c line 308
  • #36 clone
    at ../sysdeps/unix/sysv/linux/x86_64/clone.S line 112
  • #37 ??

Comment 3 Tim-Philipp Müller 2012-10-18 14:11:35 UTC
I wonder if we also need to free stream->data like in the previous if block then? (which on a side note I would have expected to also reset the state to something else, but I don't know the code that well, so maybe not)
Comment 4 Andoni Morales 2012-10-18 15:33:58 UTC
Created attachment 226749
tsdemux: fix potential usage of NULL pointer

Right, this needs to be freed too.
Comment 5 Tim-Philipp Müller 2012-10-18 17:19:09 UTC
Thanks, pushed:

 commit f768dfd92592ad3714c2ee8b18893792890fcbb0
 Author: Andoni Morales Alastruey <ylatuya@gmail.com>
 Date:   Thu Oct 18 01:47:57 2012 +0200

    tsdemux: fix potential crash dereferencing NULL program pointer
    
    https://bugzilla.gnome.org/show_bug.cgi?id=686358
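
The teardown order discussed in this bug, as an added example that is not the committed patch or GStreamer code: a constructed C model in which the program pointer is cleared before pending stream data is flushed, with the NULL guard and the buffer release raised in comment 3. All type and function names here are hypothetical stand-ins.

```c
/* Constructed model of the teardown order in the backtrace; the structs and
 * functions are hypothetical stand-ins, not GStreamer's tsdemux code. */
#include <stdio.h>
#include <stdlib.h>

typedef struct { long pcr_base; } Program;            /* active program state */
typedef struct { unsigned char *data; size_t size; long pts; } Stream;
typedef struct { Program *program; int pushed; } Demux;

/* Returns 1 if the pending buffer was pushed, 0 if it was dropped. */
int push_pending_data(Demux *demux, Stream *stream)
{
    int pushed = 0;

    if (stream->data == NULL)
        return 0;                                     /* nothing pending */
    if (demux->program != NULL) {
        /* Timestamp conversion needs the program; only safe inside the guard. */
        long ts = stream->pts - demux->program->pcr_base;
        printf("push %zu bytes, ts=%ld\n", stream->size, ts);
        demux->pushed++;
        pushed = 1;
    }
    /* Pushed or dropped, the pending buffer is released and reset here so
     * the drop path does not leak and a second call cannot double free. */
    free(stream->data);
    stream->data = NULL;
    stream->size = 0;
    return pushed;
}

/* Teardown path: the program is cleared before its streams are removed. */
int stop_program_then_remove_stream(Demux *demux, Stream *stream)
{
    demux->program = NULL;                            /* program stopped */
    return push_pending_data(demux, stream);          /* stream removal flushes */
}

Stream make_stream(size_t n, long pts)                /* constructed sample input */
{
    Stream s = { calloc(1, n), n, pts };
    return s;
}

int main(void)
{
    Program p = { 100 }; Demux d = { &p, 0 };
    Stream s = make_stream(188, 1000);
    return stop_program_then_remove_stream(&d, &s);   /* 0: dropped, no crash */
}
```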