GNOME Bugzilla – Bug 774759
hlsdemux: strlen segfault in Epiphany
Last modified: 2017-01-15 09:34:45 UTC
The gst_m3u8_get_uri function invokes g_strdup for an invalid (uninitialized/freed) uri field of the GstHLSVariantStream returned from gst_hls_master_playlist_get_variant_for_bitrate.

#0 0x00007f7701ede496 strlen (libc.so.6)
#1 0x00007f76ffe16ea3 g_strdup (libglib-2.0.so.0)
#2 0x00007f76581d9811 gst_m3u8_get_uri (libgsthls.so)
#3 0x00007f76581de051 gst_hls_demux_change_playlist (libgsthls.so)
#4 0x00007f76581df42f gst_hls_demux_select_bitrate (libgsthls.so)
#5 0x00007f763fbf2eaa gst_adaptive_demux_stream_select_bitrate (libgstadaptivedemux-1.0.so.0)
#6 0x00007f76581dcc7a gst_hls_demux_finish_fragment (libgsthls.so)
#7 0x00007f763fbe88ff gst_adaptive_demux_eos_handling (libgstadaptivedemux-1.0.so.0)
#8 0x00007f763fbe8e03 _src_event (libgstadaptivedemux-1.0.so.0)
#9 0x00007f76fd4a6707 gst_pad_send_event_unchecked (libgstreamer-1.0.so.0)
#10 0x00007f76fd4a6bce gst_pad_push_event_unchecked (libgstreamer-1.0.so.0)
#11 0x00007f76fd4a6fe0 push_sticky (libgstreamer-1.0.so.0)
#12 0x00007f76fd4a4bcf events_foreach (libgstreamer-1.0.so.0)
#13 0x00007f76fd4b0f61 check_sticky (libgstreamer-1.0.so.0)
#14 0x00007f76fd4b10de event_forward_func (libgstreamer-1.0.so.0)
#15 0x00007f76fd4ac95e gst_pad_forward (libgstreamer-1.0.so.0)
#16 0x00007f76fd4acab3 gst_pad_event_default (libgstreamer-1.0.so.0)
#17 0x00007f76fd4a6707 gst_pad_send_event_unchecked (libgstreamer-1.0.so.0)
#18 0x00007f76fd4a6bce gst_pad_push_event_unchecked (libgstreamer-1.0.so.0)
#19 0x00007f76fd4a6fe0 push_sticky (libgstreamer-1.0.so.0)
#20 0x00007f76fd4a4bcf events_foreach (libgstreamer-1.0.so.0)
#21 0x00007f76fd4b0f61 check_sticky (libgstreamer-1.0.so.0)
#22 0x00007f765d357260 gst_queue2_push_one (libgstcoreelements.so)
#23 0x00007f76fd4db951 gst_task_func (libgstreamer-1.0.so.0)
#24 0x00007f76ffe1fd3e g_thread_pool_thread_proxy (libglib-2.0.so.0)
#25 0x00007f76ffe1f345 g_thread_proxy (libglib-2.0.so.0)
#26 0x00007f76fe42e464 start_thread (libpthread.so.0)
#27 0x00007f7701f469df __clone (libc.so.6)
Can you provide a way to reproduce this, and also a backtrace with debug symbols (so we can see line numbers)? Alternatively please provide a patch or more accurate description about how this can happen.
Hi, no, I could not find an example now… So maybe this should just be closed.
Closing this bug report as no further information has been provided. Please feel free to reopen this bug report if you can provide the information that was asked for in a previous comment. Thanks!