Bug 784486 - imagefreeze: use after free in seek handler causes criticals
Status: RESOLVED FIXED
Product: GStreamer
Classification: Platform
Component: gst-plugins-good
Version: 1.10.5
OS: Other Linux
Importance: Normal normal
Target Milestone: 1.12.2
Assigned To: GStreamer Maintainers
QA Contact: GStreamer Maintainers
Depends on:
Blocks:
Reported: 2017-07-03 18:42 UTC by Jay Yang
Modified: 2017-07-03 19:46 UTC
See Also:
GNOME target: ---
GNOME version: ---


Attachments
Code for reproducing the bug (2.42 KB, text/x-csrc)
2017-07-03 18:42 UTC, Jay Yang

Description Jay Yang 2017-07-03 18:42:09 UTC
Created attachment 354851
Code for reproducing the bug

Trying to seek on the imagefreeze element directly causes the following assertion:

(a.out:6575): GStreamer-CRITICAL **: gst_event_get_seqnum: assertion 'GST_IS_EVENT (event)' failed

To reproduce, compile and run the attached file. It needs a PNG file called test.png in the working directory.

I'm running 1.10.5 on gentoo.

Running with G_DEBUG=fatal-warnings and gdb, I get the following stack trace:

#0 _g_log_abort from /usr/lib64/libglib-2.0.so.0
#1 g_logv from /usr/lib64/libglib-2.0.so.0
#2 g_log from /usr/lib64/libglib-2.0.so.0
#3 gst_event_get_seqnum from /usr/lib64/libgstreamer-1.0.so.0
#4 gst_image_freeze_src_event at /var/tmp/portage/media-libs/gst-plugins-good-1.10.5/work/gst-plugins-good-1.10.5/gst/imagefreeze/gstimagefreeze.c line 608
#5 gst_pad_send_event_unchecked from /usr/lib64/libgstreamer-1.0.so.0
#6 gst_pad_send_event from /usr/lib64/libgstreamer-1.0.so.0
#7 gst_element_default_send_event from /usr/lib64/libgstreamer-1.0.so.0
#8 gst_element_send_event from /usr/lib64/libgstreamer-1.0.so.0
#9 main at bug.c line 72

Looking at the source it seems that the cause of this is that a few lines prior to gst_event_get_seqnum getting called, gst_event_unref is called. Presumably gst_event_get_seqnum should occur before the unref.

Seeking on a bin containing imagefreeze "fixes" the issue, presumably because the bin keeps its own reference to the event.
Comment 1 Tim-Philipp Müller 2017-07-03 19:46:19 UTC
Thanks for the bug report, this should fix it:

commit d712a2f4b7e1705ac879aff30b11a807d88bdd54 (HEAD -> master)
Author: Tim-Philipp Müller <tim@centricular.com>
Date:   Mon Jul 3 20:27:29 2017 +0100

    imagefreeze: fix use-after-free on seek event
    
    Get seqnum before unreffing the seek event.
    
    https://bugzilla.gnome.org/show_bug.cgi?id=784486
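The unref-then-read order from the description and the read-then-unref order from the fix commit, modelled side by side as an added example in C that is not the GStreamer code (the Event type with its magic-word check, the handler names and the demo drivers are stand-ins assumed for illustration; only the ordering mirrors the report). The third driver reproduces the reporter's observation that seeking through a bin holding its own reference hides the bug:

```c
#include <stdint.h>
#include <string.h>

/* Toy refcounted event standing in for a GstEvent (assumption: not the real
 * GStreamer type). The magic word plays the role of the GST_IS_EVENT() check
 * whose failure is the critical shown in the report. */
#define EVENT_MAGIC 0x45564e54u
typedef struct { uint32_t magic; int refcount; uint32_t seqnum; } Event;

static void event_init(Event *ev, uint32_t seqnum) {
    *ev = (Event){ EVENT_MAGIC, 1, seqnum };
}

/* The last unref "frees" the event. The toy poisons the memory instead of
 * calling free() so the later read is deterministic rather than undefined. */
static void event_unref(Event *ev) {
    if (--ev->refcount == 0) memset(ev, 0, sizeof *ev);
}

/* Seqnum of a live event, or -1 when the object is no longer a valid event
 * (the toy's equivalent of gst_event_get_seqnum's assertion firing). */
static int64_t event_get_seqnum(const Event *ev) {
    return ev->magic == EVENT_MAGIC ? (int64_t) ev->seqnum : -1;
}

/* Order the report describes for gstimagefreeze.c in 1.10.5: unref first,
 * read afterwards. With a single reference outstanding that is a use-after-free. */
static int64_t seek_handler_buggy(Event *ev) {
    event_unref(ev);
    return event_get_seqnum(ev);
}

/* Order from the fix commit: get the seqnum before unreffing. */
static int64_t seek_handler_fixed(Event *ev) {
    int64_t seqnum = event_get_seqnum(ev);
    event_unref(ev);
    return seqnum;
}

/* Drivers: a fresh event with seqnum 42, one handler, the value it read. */
static int64_t demo_buggy(void) { Event e; event_init(&e, 42); return seek_handler_buggy(&e); }
static int64_t demo_fixed(void) { Event e; event_init(&e, 42); return seek_handler_fixed(&e); }

/* Seeking through a bin that holds its own ref: the handler's unref is no
 * longer the last one, so the buggy order happens to work, as the report notes. */
static int64_t demo_buggy_via_bin(void) {
    Event e; event_init(&e, 42);
    e.refcount++;                               /* the bin's reference */
    int64_t seqnum = seek_handler_buggy(&e);    /* drops only the element's ref */
    event_unref(&e);                            /* bin drops its reference */
    return seqnum;
}
```

Under a real allocator the buggy read would touch freed memory, which is why tools like AddressSanitizer or G_DEBUG=fatal-warnings are the practical way to surface this class of ordering bug before it ships.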