Bug 755167 - [vorbisenc] Stack overflow with large input METADATA_BLOCK_PICTURE
Status: RESOLVED OBSOLETE
Product: GStreamer
Classification: Platform
Component: gst-plugins-base
Version: 1.x
Hardware: Other Mac OS
Importance: Normal normal
Target Milestone: git master
Assigned To: GStreamer Maintainers
Reported: 2015-09-17 16:38 UTC by Andrew Aldridge
Modified: 2018-11-03 11:41 UTC

Description Andrew Aldridge 2015-09-17 16:38:13 UTC
> gst-launch-1.0 filesrc location=Burn\ The\ Sky.mp3 ! decodebin ! audioconvert ! vorbisenc ! fakesink
> Setting pipeline to PAUSED ...
> Pipeline is PREROLLING ...
> Redistribute latency...
> Bus error: 10

Crash occurs because gst_vorbis_enc_metadata_set1() calls vorbis_comment_add_tag() with arbitrarily large data taken from the input file (in this case, the tag METADATA_BLOCK_PICTURE has size 1,063,488). vorbis_comment_add_tag() will allocate a new buffer with alloca(), causing a stack overflow.

I have a bug open for libvorbis (https://trac.xiph.org/ticket/2221) since replacing alloca() with _ogg_alloc() resolves the issue, but it may be worth working around this on the gstreamer side.
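
The two mitigations the report mentions, sketched as an added example that is not GStreamer or libvorbis code: a caller-side size check before a tag is handed to a stack-allocating callee, and a heap-based "TAG=value" builder. The function names and the 64 KiB cap are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed cap, not a GStreamer or libvorbis constant. Thread stacks can be
 * far smaller than the main thread's, so keep stack copies small. */
#define STACK_SAFE_TAG_MAX (64u * 1024u)

/* Bytes needed for "TAG=value\0", or 0 if the sum would overflow size_t. */
static size_t comment_size(size_t tag_len, size_t val_len)
{
    if (val_len > SIZE_MAX - 2 || tag_len > SIZE_MAX - 2 - val_len)
        return 0;
    return tag_len + val_len + 2; /* '=' and NUL */
}

/* Caller-side workaround: 1 if the pair is small enough to pass to a callee
 * that copies it with alloca(), 0 if the tag should be skipped. */
int tag_fits_stack_budget(const char *tag, const char *value)
{
    size_t need = comment_size(strlen(tag), strlen(value));
    return need != 0 && need <= STACK_SAFE_TAG_MAX;
}

/* Library-side fix: build "TAG=value" on the heap, so an oversized value
 * gives a checkable NULL instead of exhausting the stack. Caller frees. */
char *build_comment_heap(const char *tag, const char *value)
{
    size_t tag_len = strlen(tag), val_len = strlen(value);
    size_t need = comment_size(tag_len, val_len);
    char *out = need ? malloc(need) : NULL;
    if (out == NULL)
        return NULL;
    memcpy(out, tag, tag_len);
    out[tag_len] = '=';
    memcpy(out + tag_len + 1, value, val_len + 1); /* copies the NUL too */
    return out;
}

int main(void)
{
    size_t n = 1063488; /* constructed value, same size as the reported tag */
    char *big = calloc(1, n + 1);
    if (big == NULL) return 1;
    memset(big, 'A', n);
    char *c = build_comment_heap("METADATA_BLOCK_PICTURE", big);
    printf("fits: %d, heap copy: %s\n",
           tag_fits_stack_budget("METADATA_BLOCK_PICTURE", big), c ? "ok" : "failed");
    free(c); free(big);
    return 0;
}
```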
Comment 1 GStreamer system administrator 2018-11-03 11:41:30 UTC
-- GitLab Migration Automatic Message --

This bug has been migrated to freedesktop.org's GitLab instance and has been closed from further activity.

You can subscribe and participate further through the new bug through this link to our GitLab instance: https://gitlab.freedesktop.org/gstreamer/gst-plugins-base/issues/223.