[Bug 778432] New: Crash on state change to NULL during mp3_type_find_at_offset
"GStreamer" (GNOME Bugzilla)
2017-02-10 09:11:27 UTC
https://bugzilla.gnome.org/show_bug.cgi?id=778432

Bug ID: 778432
Summary: Crash on state change to NULL during mp3_type_find_at_offset
Classification: Platform
Product: GStreamer
Version: git master
OS: Linux
Status: NEW
Severity: normal
Priority: Normal
Component: gst-plugins-base
Assignee: gstreamer-***@lists.freedesktop.org
Reporter: ***@lge.com
QA Contact: gstreamer-***@lists.freedesktop.org
GNOME version: ---

When changing state to NULL during mp3_type_find, an assertion occurs due to
unsigned int overflow.
The variable "found" is of type guint, but its value becomes 4294967295
(0xffffffff) because the code performs -1 without checking for overflow.

    if (head_data == NULL &&
        gst_type_find_peek (tf, offset + start_off - 1, 1) == NULL)
      /* Incomplete last frame - don't count it. */
      found--;

Therefore, the probability value is calculated abnormally large and it
triggers the assert.

    guint probability = found * GST_TYPE_FIND_MAXIMUM *
        (GST_MP3_TYPEFIND_TRY_SYNC - skipped) /
        GST_MP3_TYPEFIND_TRY_HEADERS / GST_MP3_TYPEFIND_TRY_SYNC;
    ...
    g_assert (probability <= GST_TYPE_FIND_MAXIMUM);
--
You are receiving this mail because:
You are the QA Contact for the bug.
You are the assignee for the bug.
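The wrap described in the report, reproduced as an added stand-alone C example (not GStreamer's code): `found` is modelled as uint32_t, the two GST_MP3_TYPEFIND_TRY_* values are assumed, and the "head_data == NULL && peek failed" condition is folded into one boolean.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Constants as used by the quoted formula. GST_TYPE_FIND_MAXIMUM is 100 in
 * GStreamer; the two TRY_* values are assumed here for illustration. */
#define GST_TYPE_FIND_MAXIMUM        100u
#define GST_MP3_TYPEFIND_TRY_HEADERS 5u
#define GST_MP3_TYPEFIND_TRY_SYNC    (GST_TYPE_FIND_MAXIMUM * 100u)

typedef uint32_t guint;  /* stand-in for GLib's guint */

/* The probability formula quoted in the report, unchanged. */
static guint mp3_probability(guint found, guint skipped)
{
    return found * GST_TYPE_FIND_MAXIMUM *
           (GST_MP3_TYPEFIND_TRY_SYNC - skipped) /
           GST_MP3_TYPEFIND_TRY_HEADERS / GST_MP3_TYPEFIND_TRY_SYNC;
}

/* Pre-fix: the "incomplete last frame" decrement runs unconditionally.
 * 'incomplete' stands for "head_data == NULL && the peek returned NULL",
 * which is also what happens when the pipeline goes to NULL mid-typefind.
 * With found == 0 the guint wraps to 0xffffffff. */
static guint probability_unguarded(guint found, bool incomplete, guint skipped)
{
    if (incomplete)
        found--;
    return mp3_probability(found, skipped);
}

/* Post-fix: only discount a frame when one was actually counted. */
static guint probability_guarded(guint found, bool incomplete, guint skipped)
{
    if (found != 0 && incomplete)
        found--;
    return mp3_probability(found, skipped);
}

int main(void)
{
    guint bad = probability_unguarded(0, true, 0);
    guint good = probability_guarded(0, true, 0);
    /* bad is far above 100 and would trip g_assert (probability <= MAXIMUM) */
    printf("unguarded: %u  guarded: %u\n", bad, good);
    return 0;
}
```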
"GStreamer" (GNOME Bugzilla)
2017-02-10 09:20:17 UTC

--- Comment #1 from Heekyoung Seo <***@lge.com> ---
Created attachment 345408
--> https://bugzilla.gnome.org/attachment.cgi?id=345408&action=edit
typefindfunctions: prevent unsigned int overflow
"GStreamer" (GNOME Bugzilla)
2017-02-10 11:04:23 UTC

Sebastian Dröge (slomo) <***@coaxion.net> changed:

What                      |Removed    |Added
----------------------------------------------------------------------------
Attachment #345408 status |none       |needs-work

--- Comment #2 from Sebastian Dröge (slomo) <***@coaxion.net> ---
Review of attachment 345408:
--> (https://bugzilla.gnome.org/review?bug=778432&attachment=345408)

::: gst/typefind/gsttypefindfunctions.c
@@ +1507,3 @@
}
g_assert (found <= GST_MP3_TYPEFIND_TRY_HEADERS);
+ if (found > 0 && head_data == NULL &&
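Review bot: `found > 0` is a valid guard here even though found is a guint: it is false exactly when found == 0, which is the only value for which the `found--` in this branch wraps to 0xffffffff; spelling it `found != 0` would make the unsigned intent obvious to a reader. Only the first line of the condition is in the quoted hunk, so the remainder of the `&&` and the decrement it guards cannot be checked from this review.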

As you say, found is a guint... so checking for > 0 will always be TRUE
"GStreamer" (GNOME Bugzilla)
2017-02-10 12:05:42 UTC

--- Comment #3 from Heekyoung Seo <***@lge.com> ---
It is false when found = 0. It happens when found == 0.
"GStreamer" (GNOME Bugzilla)
2017-02-13 00:02:47 UTC

Heekyoung Seo <***@lge.com> changed:

What                           |Removed    |Added
----------------------------------------------------------------------------
Attachment #345408 status      |needs-work |none
Attachment #345408 is obsolete |0          |1
CC                             |           |***@lge.com

--- Comment #4 from Heekyoung Seo <***@lge.com> ---
Created attachment 345593
--> https://bugzilla.gnome.org/attachment.cgi?id=345593&action=edit
typefindfunctions: prevent unsigned int overflow

Does it look clearer if the condition is changed as below?

- if (found > 0 && head_data == NULL &&
+ if (found != 0 && head_data == NULL &&
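Review bot: for an unsigned `found`, `found != 0` and `found > 0` are the same test, so this revision changes readability rather than behaviour; since the guard exists only to keep `found--` from wrapping, a one-line comment on the condition saying so would spare the next reviewer the same confusion.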

The assertion is caused only when found == 0.
"GStreamer" (GNOME Bugzilla)
2017-02-14 10:22:58 UTC

Sebastian Dröge (slomo) <***@coaxion.net> changed:

What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |RESOLVED
CC| |***@coaxion.net
Resolution|--- |FIXED

--- Comment #5 from Sebastian Dröge (slomo) <***@coaxion.net> ---
Attachment 345593 pushed as 0889d89 - typefindfunctions: prevent unsigned int overflow
"GStreamer" (GNOME Bugzilla)
2017-02-14 10:23:03 UTC

Sebastian Dröge (slomo) <***@coaxion.net> changed:

What                      |Removed    |Added
----------------------------------------------------------------------------
Attachment #345593 status |none       |committed
"GStreamer" (GNOME Bugzilla)
2017-02-14 10:23:13 UTC

Sebastian Dröge (slomo) <***@coaxion.net> changed:

What |Removed |Added
----------------------------------------------------------------------------
Target Milestone|git master |1.11.2
"GStreamer" (GNOME Bugzilla)
2017-02-19 10:54:26 UTC

Sebastian Dröge (slomo) <***@coaxion.net> changed:

What |Removed |Added
----------------------------------------------------------------------------
Target Milestone|1.11.2 |1.10.4