Bug 773643 - wavparse: crashes on invalid wav file
Status: RESOLVED FIXED
Product: GStreamer
Classification: Platform
Component: gst-plugins-good
Version: 1.8.3
Hardware: Other Linux
Importance: Normal critical
Target Milestone: 1.8.4
Assigned To: GStreamer Maintainers
QA Contact: GStreamer Maintainers
Reported: 2016-10-28 17:07 UTC by Dominique Leuenberger
Modified: 2016-11-02 21:15 UTC


Attachments
The wav file in question (46 bytes, audio/x-wav)
2016-10-28 17:17 UTC, Dominique Leuenberger
wavparse: Don't try to add srcpad if we don't know valid caps yet (1.43 KB, patch)
2016-10-31 07:02 UTC, Sebastian Dröge (slomo)
committed

Description Dominique Leuenberger 2016-10-28 17:07:16 UTC
Based on 2016-3941 (vlc related) I had the 'overflow.wav' still on my disk.

As a result, tracker-extract kept on crashing - backtrace turns out to be in wavparse.c from gst-plugins-good

so it seems to some degree Gstreamer is also affected by that same sec issue
Comment 1 Dominique Leuenberger 2016-10-28 17:09:06 UTC
Stack trace (of tracker-extract):

(gdb) bt
#0  __GI_raise at ../sysdeps/unix/sysv/linux/raise.c line 55
#1  __GI_abort at abort.c line 78
#2  g_assertion_message
#3  g_assertion_message_expr at gtestutils.c line 2452
#4  gst_wavparse_add_src_pad at gstwavparse.c line 1901
#5  gst_wavparse_loop at gstwavparse.c line 2237
#6  gst_task_func at gsttask.c line 332
#7  g_thread_pool_thread_proxy at gthreadpool.c line 307
#8  g_thread_proxy at gthread.c line 780
#9  start_thread at pthread_create.c line 334
#10 clone at ../sysdeps/unix/sysv/linux/x86_64/clone.S line 109

Comment 2 Tim-Philipp Müller 2016-10-28 17:14:49 UTC
Any chance you could make that file available somewhere, or attach the first MB or so? (head --bytes=1M overflow.wav > head.wav)
Comment 3 Dominique Leuenberger 2016-10-28 17:17:14 UTC
Created attachment 338741
The wav file in question
Comment 4 Dominique Leuenberger 2016-10-28 17:33:00 UTC
The same crash can also be seen by gst-play-1.0 overflow.wav; so tracker is not even needed (Even though it's where I saw it and what causes quite some pain, as the extractor stops working completely)
Comment 5 Sebastian Dröge (slomo) 2016-10-31 07:02:27 UTC
Created attachment 338813
wavparse: Don't try to add srcpad if we don't know valid caps yet

Otherwise we'll run into an assertion on specially crafted files.
Comment 6 Sebastian Dröge (slomo) 2016-10-31 07:04:21 UTC
(In reply to Dominique Leuenberger from comment #0)

> so it seems to some degree Gstreamer is also affected by that same sec issue

Fortunately not as a security issue though, we run into an assertion here instead of doing a buffer overflow or other fancy things
Comment 7 Sebastian Dröge (slomo) 2016-10-31 09:11:58 UTC
commit 9ba6fb86d8e63a83031824d25d633116e78b4c66
Author: Sebastian Dröge <sebastian@centricular.com>
Date:   Mon Oct 31 09:00:49 2016 +0200

    wavparse: Don't try to add srcpad if we don't know valid caps yet
    
    Otherwise we'll run into an assertion on specially crafted files.
    
    https://bugzilla.gnome.org/show_bug.cgi?id=773643
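
Added example (not part of the bug report, the attached patch, or GStreamer's code): a minimal C sketch of the principle behind the fix, where a WAV header walker returns an error status when no valid format is known by the time audio data starts, instead of asserting on file-derived state. The function, enum and struct names are hypothetical, and the sample byte strings are constructed for illustration, not taken from the attachment.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Hypothetical names for this sketch; none of this is GStreamer API. */
enum wav_status { WAV_OK, WAV_TRUNCATED, WAV_NOT_RIFF, WAV_BAD_FMT, WAV_NO_FMT };
struct wav_fmt { uint16_t tag, channels, block_align, bits; uint32_t rate; };

/* Constructed inputs, not the attachment from this bug (sizeof counts a trailing NUL). */
static const uint8_t SAMPLE_OK[] = "RIFF\x26\0\0\0WAVEfmt \x10\0\0\0\x01\0\x01\0"
    "\x44\xAC\0\0\x88\x58\x01\0\x02\0\x10\0" "data\x02\0\0\0\0\0";
static const uint8_t SAMPLE_NO_FMT[] = "RIFF\x0e\0\0\0WAVEdata\x02\0\0\0\0\0";

static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }
static uint32_t le32(const uint8_t *p) { return le16(p) | (uint32_t)le16(p + 2) << 16; }

/* Walk the RIFF chunks and succeed only if a sane "fmt " chunk precedes "data".
 * Failures are statuses the caller reports as stream errors, never assert(). */
enum wav_status wav_check(const uint8_t *buf, size_t len, struct wav_fmt *out) {
    size_t off = 12;
    int have_fmt = 0;
    if (len < 12) return WAV_TRUNCATED;
    if (memcmp(buf, "RIFF", 4) || memcmp(buf + 8, "WAVE", 4)) return WAV_NOT_RIFF;
    while (len - off >= 8) {
        const uint8_t *id = buf + off, *body = id + 8;
        uint32_t size = le32(id + 4);
        size_t avail = len - off - 8;
        if (!memcmp(id, "fmt ", 4)) {
            if (size < 16 || avail < 16) return WAV_BAD_FMT;
            out->tag = le16(body);
            out->channels = le16(body + 2);
            out->rate = le32(body + 4);
            out->block_align = le16(body + 12);
            out->bits = le16(body + 14);
            if (!out->channels || !out->rate || !out->block_align) return WAV_BAD_FMT;
            have_fmt = 1;
        } else if (!memcmp(id, "data", 4)) {
            return have_fmt ? WAV_OK : WAV_NO_FMT;  /* format unknown: refuse, expose no output */
        }
        if (size > avail) return WAV_TRUNCATED;     /* declared size exceeds the bytes present */
        off += 8 + (size_t)size;
        if ((size & 1) && off < len) off++;         /* chunks are word-aligned */
    }
    return WAV_TRUNCATED;                           /* ran out of bytes before "data" */
}

int main(void) {
    struct wav_fmt f;
    return wav_check(SAMPLE_OK, sizeof SAMPLE_OK - 1, &f) != WAV_OK;
}
```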