Bug 774897 - flxdec: Unreferences itself one time too many on invalid files
Status: RESOLVED FIXED
Product: GStreamer
Classification: Platform
Component: gst-plugins-good
Version: git master
OS: Other Linux
Importance: Normal (priority), normal (severity)
Target Milestone: 1.10.2
Assigned To: GStreamer Maintainers
QA Contact: GStreamer Maintainers
Depends on:
Blocks:
Reported: 2016-11-23 08:57 UTC by Hanno Böck
Modified: 2016-11-23 10:45 UTC
See Also:
GNOME target: ---
GNOME version: ---


Attachments
poc file causing invalid memory read in decodebin2 (128 bytes, application/octet-stream)
2016-11-23 08:57 UTC, Hanno Böck
flxdec: Don't unref() parent in the chain function (868 bytes, patch)
2016-11-23 09:22 UTC, Sebastian Dröge (slomo)
committed

Description Hanno Böck 2016-11-23 08:57:02 UTC
Created attachment 340583 [details]
poc file causing invalid memory read in decodebin2

The attached file will cause an invalid memory read in the glib function g_type_check_instance_is_fundamentally_a. The last function in the call stack belonging to gstreamer is gst_decode_chain_free_internal().

This only happens when G_SLICE=always-malloc is set, so test with:
G_SLICE=always-malloc gst-discoverer-1.0 [file]
You need some memory safety tool (asan/valgrind) to see this bug. Current git code, found with afl.

ASAN stack trace:
==12328==ERROR: AddressSanitizer: SEGV on unknown address 0x000066000002 (pc 0x7f9c3d59db1d bp 0x7f9c3e4ca120 sp 0x7fffd26543b8 T0)
==12328==The signal is caused by a READ memory access.
    #0 0x7f9c3d59db1c in g_type_check_instance_is_fundamentally_a (/usr/lib64/libgobject-2.0.so.0+0x33b1c)
    #1 0x7f9c3d57eb8d in g_object_ref (/usr/lib64/libgobject-2.0.so.0+0x14b8d)
    #2 0x7f9c3ded8966 in gst_object_ref /f/gstreamer/gstreamer/gst/gstobject.c:251:3
    #3 0x7f9c32ad3a65 in gst_decode_chain_free_internal /f/gstreamer/gst-plugins-base/gst/playback/gstdecodebin2.c:3398:49
    #4 0x7f9c32acc5ce in gst_decode_chain_free /f/gstreamer/gst-plugins-base/gst/playback/gstdecodebin2.c:3480:3
    #5 0x7f9c32acc5ce in gst_decode_bin_dispose /f/gstreamer/gst-plugins-base/gst/playback/gstdecodebin2.c:1118
    #6 0x7f9c3d57ef04 in g_object_unref (/usr/lib64/libgobject-2.0.so.0+0x14f04)
    #7 0x7f9c3ded8bb3 in gst_object_unref /f/gstreamer/gstreamer/gst/gstobject.c:277:3
    #8 0x7f9c3def6e88 in gst_bin_remove_func /f/gstreamer/gstreamer/gst/gstbin.c:1827:3
    #9 0x7f9c3deea1d8 in gst_bin_remove /f/gstreamer/gstreamer/gst/gstbin.c:1889:12
    #10 0x7f9c32b21eb2 in remove_decoders /f/gstreamer/gst-plugins-base/gst/playback/gsturidecodebin.c:1652:7
    #11 0x7f9c32b1a8ab in gst_uri_decode_bin_change_state /f/gstreamer/gst-plugins-base/gst/playback/gsturidecodebin.c:2786:7
    #12 0x7f9c3df90864 in gst_element_change_state /f/gstreamer/gstreamer/gst/gstelement.c:2737:11
    #13 0x7f9c3df9692f in gst_element_set_state_func /f/gstreamer/gstreamer/gst/gstelement.c:2691:9
    #14 0x7f9c3df8f0c1 in gst_element_set_state /f/gstreamer/gstreamer/gst/gstelement.c:2592:14
    #15 0x7f9c3deeeb3c in gst_bin_element_set_state /f/gstreamer/gstreamer/gst/gstbin.c:2613:9
    #16 0x7f9c3deeeb3c in gst_bin_change_state_func /f/gstreamer/gstreamer/gst/gstbin.c:2955
    #17 0x7f9c3e025466 in gst_pipeline_change_state /f/gstreamer/gstreamer/gst/gstpipeline.c:499:12
    #18 0x7f9c3df90864 in gst_element_change_state /f/gstreamer/gstreamer/gst/gstelement.c:2737:11
    #19 0x7f9c3df9692f in gst_element_set_state_func /f/gstreamer/gstreamer/gst/gstelement.c:2691:9
    #20 0x7f9c3df8f0c1 in gst_element_set_state /f/gstreamer/gstreamer/gst/gstelement.c:2592:14
    #21 0x7f9c3f56fdee in discoverer_cleanup /f/gstreamer/gst-plugins-base/gst-libs/gst/pbutils/gstdiscoverer.c:1531:5
    #22 0x7f9c3f56e0fe in gst_discoverer_discover_uri /f/gstreamer/gst-plugins-base/gst-libs/gst/pbutils/gstdiscoverer.c:2148:3
    #23 0x50cd84 in process_file /f/gstreamer/gst-plugins-base/tools/gst-discoverer.c:499:12
    #24 0x50c61e in main /f/gstreamer/gst-plugins-base/tools/gst-discoverer.c:587:7
    #25 0x7f9c3c7af78f in __libc_start_main (/lib64/libc.so.6+0x2078f)
    #26 0x41ba28 in _start (/usr/bin/gst-discoverer-1.0+0x41ba28)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/usr/lib64/libgobject-2.0.so.0+0x33b1c) in g_type_check_instance_is_fundamentally_a
Comment 1 Sebastian Dröge (slomo) 2016-11-23 09:21:49 UTC
commit 45dcd0b9ccf33ed85cdafeb871a3781f5be57fd9
Author: Sebastian Dröge <sebastian@centricular.com>
Date:   Wed Nov 23 11:20:49 2016 +0200

    flxdec: Don't unref() parent in the chain function
    
    We don't own the reference here, it is owned by the caller and given to
    us for the scope of this function. Leftover mistake from 0.10 porting.
    
    https://bugzilla.gnome.org/show_bug.cgi?id=774897
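The ownership rule in the commit message above (the chain function borrows `parent` from the caller and must not unref it) reproduced with a toy refcounted object. This is an added example, not flxdec or GStreamer code: `ToyObject`, `chain_buggy`, `chain_fixed`, `push_buffer` and the "FLX" header check are constructed stand-ins for GstObject, the flxdec chain function before and after the fix, and the pad core that lends the element to the chain function. The toy records disposal in a flag instead of freeing, so the accounting error is visible without touching freed memory.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a GstObject: a refcount plus a "disposed" flag.
 * Instead of freeing at zero it only records disposal, so the accounting
 * error can be observed without reading freed memory. */
typedef struct {
    const char *name;
    int refcount;
    int disposed;
} ToyObject;

static void toy_init(ToyObject *obj, const char *name)
{
    obj->name = name;
    obj->refcount = 1;   /* the bin that owns the element holds this ref */
    obj->disposed = 0;
}

static ToyObject *toy_ref(ToyObject *obj)
{
    obj->refcount++;
    return obj;
}

static void toy_unref(ToyObject *obj)
{
    if (obj->refcount == 0) {
        /* A real g_object_unref() would now operate on freed memory; this is
         * the point where the ASAN trace above fails inside gst_object_ref(). */
        obj->disposed = 1;
        return;
    }
    if (--obj->refcount == 0)
        obj->disposed = 1;   /* real code: dispose and free */
}

/* Same shape as a GstPadChainFunction: parent is borrowed, never owned. */
typedef int (*ChainFunc)(ToyObject *parent, const unsigned char *buf, size_t len);

/* Constructed header check standing in for flxdec's FLX header parsing. */
static int header_ok(const unsigned char *buf, size_t len)
{
    return len >= 3 && memcmp(buf, "FLX", 3) == 0;
}

/* Before the fix: on an invalid file the error path drops a reference the
 * function never acquired. */
static int chain_buggy(ToyObject *parent, const unsigned char *buf, size_t len)
{
    if (!header_ok(buf, len)) {
        toy_unref(parent);   /* wrong: the caller owns this reference */
        return -1;
    }
    return 0;
}

/* After the fix: the error path just returns and leaves parent alone. */
static int chain_fixed(ToyObject *parent, const unsigned char *buf, size_t len)
{
    (void)parent;
    return header_ok(buf, len) ? 0 : -1;
}

/* Stand-in for the pad core: takes its own ref on the element for the
 * duration of the chain call and drops it afterwards. Returns the element
 * state so the caller can see what the chain function did to the count. */
static ToyObject push_buffer(ChainFunc chain, const unsigned char *buf, size_t len)
{
    ToyObject element;
    toy_init(&element, "flxdec");
    toy_ref(&element);           /* core's ref for the call */
    chain(&element, buf, len);   /* element is lent to the chain function */
    toy_unref(&element);         /* core drops its ref */
    return element;              /* the bin's ref should be the only one left */
}

int main(void)
{
    static const unsigned char bad[] = "NOTFLX";   /* constructed invalid input */
    ToyObject a = push_buffer(chain_buggy, bad, sizeof bad - 1);
    ToyObject b = push_buffer(chain_fixed, bad, sizeof bad - 1);
    printf("%s buggy: refcount=%d disposed=%d (bin still holds a ref)\n",
           a.name, a.refcount, a.disposed);
    printf("%s fixed: refcount=%d disposed=%d\n", b.name, b.refcount, b.disposed);
    return 0;
}
```

With the buggy chain function the element is disposed while the bin still believes it owns a reference; the bin's later unref (the `gst_bin_remove` path in the trace) is the one that touches freed memory, which is why the crash surfaces far from the decoder and only with a memory checker.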
Comment 2 Sebastian Dröge (slomo) 2016-11-23 09:22:04 UTC
Created attachment 340585 [details] [review]
flxdec: Don't unref() parent in the chain function

We don't own the reference here, it is owned by the caller and given to
us for the scope of this function. Leftover mistake from 0.10 porting.
Comment 3 Matthew Waters (ystreet00) 2016-11-23 10:45:54 UTC
1.8 1b574eddf789a59aff11ee0b6eb3fe1af288ff06
1.10 b31c504645a814c59d91d49e4fe218acaf93f4ca