GNOME Bugzilla – Bug 793500
theora_parse_chain segfaults on zero length buffer (gsttheoraparse.c)
Last modified: 2018-11-03 12:03:27 UTC
I'm not sure why gst_pad_push_data is pushing an empty 0-length buffer to theora_parse_chain, but the latter fails to deal with it properly, segfaulting instead of ignoring it, or erroring out. theora_parse_chain calls gst_buffer_map without checking the return value, then tries to access map.data[0] without checking whether map.data is NULL. gst_buffer_map itself returns FALSE when the buffer's length is zero (in g_return_val_if_fail) and then checks again for some reason, zeroing out the GstMapInfo structure if the buffer's length is zero, then returning TRUE. I'm not sure if the second code branch is ever reached under any circumstances, but it'd probably be good to check if mem.data is NULL, even if gst_buffer_map returns TRUE.
IIRC Theora allows zero-sized buffers, so this should be handled properly here instead of just ignoring.
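The two comments above describe the defect (map result unchecked, `map.data[0]` dereferenced while `map.data` is NULL) and the intended fix (treat a zero-length packet as a legitimate case rather than dropping it). The following is an added illustration, not code from gst-plugins-base: it models the buffer-map contract the reporter describes with constructed stand-ins (`FakeBuffer`, `FakeMapInfo`, `fake_buffer_map`, all assumptions so the file builds without GStreamer headers) and shows the unchecked prologue next to a hardened one that classifies the empty packet explicitly before ever mapping it. The `0x80` top-bit test mirrors how Theora distinguishes header packets from data packets.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-ins for GstBuffer and GstMapInfo so the example builds
 * without GStreamer headers. Only the fields the check needs are modelled. */
typedef struct {
    const uint8_t *mem;
    size_t size;
} FakeBuffer;

typedef struct {
    const uint8_t *data;
    size_t size;
} FakeMapInfo;

/* Models the behaviour described in the report: mapping a zero-length
 * buffer fails and leaves the map info zeroed, so data == NULL. */
static bool fake_buffer_map(const FakeBuffer *buf, FakeMapInfo *info)
{
    info->data = NULL;
    info->size = 0;
    if (buf->size == 0)
        return false;
    info->data = buf->mem;
    info->size = buf->size;
    return true;
}

static void fake_buffer_unmap(FakeMapInfo *info)
{
    info->data = NULL;
    info->size = 0;
}

typedef enum {
    PARSE_EMPTY,   /* zero-length packet, legal in Theora, handled explicitly */
    PARSE_HEADER,  /* first byte has the top bit set: header packet */
    PARSE_DATA,    /* otherwise a data (frame) packet */
    PARSE_ERROR    /* mapping failed or yielded no data */
} ParseResult;

/* The pattern the report describes: map without checking the result, then
 * read map.data[0]. On an empty buffer map.data is NULL and this crashes.
 * Kept only for contrast; never call it on a zero-length buffer. */
static ParseResult parse_chain_unchecked(const FakeBuffer *buf)
{
    FakeMapInfo map;
    fake_buffer_map(buf, &map);
    ParseResult r = (map.data[0] & 0x80) ? PARSE_HEADER : PARSE_DATA;
    fake_buffer_unmap(&map);
    return r;
}

/* Hardened version: decide what a zero-length packet means before mapping,
 * check the map result, and still refuse to dereference a NULL data pointer. */
static ParseResult parse_chain_checked(const FakeBuffer *buf)
{
    FakeMapInfo map;

    if (buf->size == 0)
        return PARSE_EMPTY;
    if (!fake_buffer_map(buf, &map))
        return PARSE_ERROR;
    if (map.data == NULL || map.size == 0) {
        fake_buffer_unmap(&map);
        return PARSE_ERROR;
    }
    ParseResult r = (map.data[0] & 0x80) ? PARSE_HEADER : PARSE_DATA;
    fake_buffer_unmap(&map);
    return r;
}

/* Convenience wrapper for callers holding raw bytes (hypothetical helper). */
static ParseResult classify_packet(const uint8_t *bytes, size_t len)
{
    FakeBuffer b = { bytes, len };
    return parse_chain_checked(&b);
}

int main(void)
{
    /* Constructed sample packets: a Theora identification header, a data
     * packet, and the zero-length buffer from the report. */
    static const uint8_t header_pkt[] = { 0x80, 't', 'h', 'e', 'o', 'r', 'a' };
    static const uint8_t data_pkt[]   = { 0x00, 0x12, 0x34 };
    const FakeBuffer bufs[] = {
        { header_pkt, sizeof header_pkt },
        { data_pkt, sizeof data_pkt },
        { NULL, 0 },
    };
    static const char *names[] = { "EMPTY", "HEADER", "DATA", "ERROR" };

    for (size_t i = 0; i < sizeof bufs / sizeof bufs[0]; i++)
        printf("buffer %zu (%zu bytes): %s\n", i, bufs[i].size,
               names[parse_chain_checked(&bufs[i])]);
    return 0;
}
```

The order of the checks matters: the zero-length case is answered before the map call so the decision is a deliberate parse outcome, and the `map.data == NULL` guard remains even after a successful map because, as the report notes, the mapping code has a second branch that returns TRUE with a zeroed map.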
-- GitLab Migration Automatic Message -- This bug has been migrated to freedesktop.org's GitLab instance and has been closed from further activity. You can subscribe and participate further through the new bug through this link to our GitLab instance: https://gitlab.freedesktop.org/gstreamer/gst-plugins-base/issues/419.