Bug#702581: vlc: VLC crashes in libeml on some video files (mkv, h.264)

2013-03-09 Thread Reinhard Tartler
On Sat, Mar 9, 2013 at 4:09 PM, Reinhard Tartler  wrote:
> tags 702581 upstream
> stop
>
> On Sat, Mar 9, 2013 at 1:50 PM, Lorenz H.-S.  wrote:
>> Alright, some new insights. libebml is trying to allocate 3219169814460
>> bytes (src/EbmlBinary.cpp:97), but it gets this number from libmatroska
>> (src/KaxBlock.cpp:458). My guess is that the KaxSimpleBlock's size is
>> incorrect in the file.
>>
>
> I did talk to two vlc upstream developers, and they told me that
> libebml is kind of a mess that got recently pretty much overworked in
> current vlc.git. There is a good chance that vlc 2.1 will have a fix
> for that.
>
>> That last line seems a bit strange to me, but then I'm not familiar with
>> vlc's codebase at all. I'd be happy to try out any suggestions you may have.
>>
>
> My suggestion at this point would be to get in touch with the vlc
> developers about this. In fact, I've already done so and provided the
> link to the sample; here is his answer:
>
> 16:03  I will download, fix and backport for 2.0.6
>
> So if we are lucky, a fix might soon turn up in debian/unstable.
> Unfortunately because of the freeze, it is unlikely to land in wheezy.

j-b tells me that 2.0.6 will have a fix. From looking at the gitweb, I
suspect that this commit might be the fix:

http://git.videolan.org/?p=vlc/vlc-2.0.git;a=commitdiff;h=2eada7f9901648e05ce6ed432fcc988d40e7da6f

-- 
regards,
Reinhard


-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org



Bug#702581: vlc: VLC crashes in libeml on some video files (mkv, h.264)

2013-03-09 Thread Reinhard Tartler
tags 702581 upstream
stop

On Sat, Mar 9, 2013 at 1:50 PM, Lorenz H.-S.  wrote:
> Alright, some new insights. libebml is trying to allocate 3219169814460
> bytes (src/EbmlBinary.cpp:97), but it gets this number from libmatroska
> (src/KaxBlock.cpp:458). My guess is that the KaxSimpleBlock's size is
> incorrect in the file.
>

I did talk to two vlc upstream developers, and they told me that
libebml is kind of a mess that got recently pretty much overworked in
current vlc.git. There is a good chance that vlc 2.1 will have a fix
for that.

> That last line seems a bit strange to me, but then I'm not familiar with
> vlc's codebase at all. I'd be happy to try out any suggestions you may have.
>

My suggestion at this point would be to get in touch with the vlc
developers about this. In fact, I've already done so and provided the
link to the sample; here is his answer:

16:03  I will download, fix and backport for 2.0.6

So if we are lucky, a fix might soon turn up in debian/unstable.
Unfortunately because of the freeze, it is unlikely to land in wheezy.


-- 
regards,
Reinhard





Bug#702581: vlc: VLC crashes in libeml on some video files (mkv, h.264)

2013-03-09 Thread Lorenz H.-S.
Alright, some new insights. libebml is trying to allocate 3219169814460
bytes (src/EbmlBinary.cpp:97), but it gets this number from libmatroska
(src/KaxBlock.cpp:458). My guess is that the KaxSimpleBlock's size is
incorrect in the file.

In modules/demux/mkv/matroska_segment.cpp:1558
(matroska_segment_c::BlockGet):
(gdb) ins *el
$11 = {_vptr.EbmlElement = 0x7fffe2461510, Size = 3219169814460,
DefaultSize = 0, SizeLength = 6, bSizeIsFinite = true, ElementPosition =
135411848, SizePosition = 135411849, bValueIsSet = false, DefaultIsSet =
false, bLocked = false}

One further up, in modules/demux/mkv/mkv.cpp:692 (Demux):

(gdb) ins *simpleblock
$14 = { = { =
{ = {_vptr.EbmlElement = 0x7fffe2461510, Size =
3219169814460, DefaultSize = 0, SizeLength = 6, bSizeIsFinite = true,
ElementPosition = 135411848,
SizePosition = 135411849, bValueIsSet = false, DefaultIsSet =
false, bLocked = false}, Data = 0x0}, myBuffers =
{ >> = {
_M_impl = {> =
{<__gnu_cxx::new_allocator> = {},
}, _M_start = 0x0, _M_finish = 0x0,
  _M_end_of_storage = 0x0}}, }, SizeList =
{ >> = {_M_impl =
{> = {<__gnu_cxx::new_allocator> = {}, },
  _M_start = 0x0, _M_finish = 0x0, _M_end_of_storage = 0x0}}, }, Timecode = 4, LocalTimecode = 0, bLocalTimecodeUsed = false,
TrackNumber = 13057, mLacing = libmatroska::LACING_AUTO, mInvisible =
false,
FirstFrameLocation = 135411855, ParentCluster = 0x0, bIsSimple = true,
bIsKeyframe = true, bIsDiscardable = false}, static ClassInfos = {Create =
0x7fffe221e831 , GlobalId =
@0x7fffe2470b50,
DebugName = 0x7fffe2243ec7 "SimpleBlock", Context = @0x7fffe2470b60}}


Up again, to input/demux.h:44

(gdb) ins *p_demux
$17 = {psz_object_type = 0x7799a1d9 "demux", psz_header = 0x0, i_flags
= 0, b_die = false, b_force = false, p_libvlc = 0x605108, p_parent =
0x6387b8, p_module = 0x751860, psz_access = 0x67fc80 "file", psz_demux =
0x67f390 "",
  psz_location = 0x67f040 "/media/STORE/foo.mkv", psz_file = 0x67eee0
"/media/STORE/foo.mkv", s = 0x68d028, out = 0x68c810, pf_demux =
0x7fffe2480c50 ,
  pf_control = 0x7fffe247f6e0 , info = {i_update = 0, i_title = 0,
i_seekpoint = 0}, p_sys = 0x68d1f0, p_input = 0x6387b8}
(gdb) ins *p_demux->p_sys
$18 = {player = 0x7fffe26b7690, config = {clockDefault = 6869336,
clockForced = false, clockSpeed = 7257000, environment = sid2_envPS,
forceDualSids = 112, emulateStereo = 232, frequency = 0, optimisation = 0
'\000',
playback = sid2_left, precision = 0, sidDefault = SID2_MODEL_CORRECT,
sidEmulation = 0x69d330, sidModel = 6777344, sidSamples = false, leftVolume
= 6777352, rightVolume = 0, sampleFormat = 6777352, powerOnDelay = 0,
sid2crcCount = 0}, info = {credits = 0x686850, channels = 6842456,
driverAddr = 0, driverLength = 0, name = 0x686858 "", tuneInfo = 0x0,
version = 0x0, eventContext = 0x0, maxsids = 6798144, environment =
sid2_envPS,
powerOnDelay = 47944, sid2crc = 0, sid2crcCount = 6798152}, tune =
0x6828f0, tuneInfo = {formatString = 0x6828f8 "", statusString = 0x6828f8
"", speedString = 0x69d1b0 "P*h", loadAddr = 0, initAddr = 0, playAddr = 0,
songs = 0,
startSong = 0, sidChipBase1 = 0, sidChipBase2 = 0, currentSong = 0,
songSpeed = 0 '\000', clockSpeed = 0 '\000', relocStartPage = 0 '\000',
relocPages = 0 '\000', musPlayer = false, sidModel = 0, compatibility = 0,
fixLoad = false,
songLength = 0, numberOfInfoStrings = 0 '\000', infoString = {0x0, 0x0,
0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, numberOfCommentStrings = 0,
commentString = 0x0, dataFileLen = 0, c64dataLen = 0, path = 0x0,
dataFileName = 0x0,
infoFileName = 0x0}, bytes_per_frame = 0, block_size = 0, es = 0x0, pts
= {date = 0, i_divider_num = 0, i_divider_den = 0, i_remainder = 0}}
(gdb) ins *p_demux->p_sys->p_current_segment
There is no member named p_current_segment.

That last line seems a bit strange to me, but then I'm not familiar with
vlc's codebase at all. I'd be happy to try out any suggestions you may have.

Kind regards,
Lorenz
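The dump above shows the mechanism behind the abort: the block's Size (3219169814460) is an EBML variable-length integer read straight from the file, and libebml hands it to an allocation without first asking whether that many bytes could possibly exist in a 1.7 GB file. The allocation fails, libebml throws CRTError, nothing in the demuxer catches it, and std::terminate aborts the player. The following is an added example, not code from VLC, libebml or libmatroska: a small EBML vint decoder plus a size check that runs before any allocation. The six bytes in `bogus_size` are constructed to encode the Size value from the dump (not bytes taken from the file), `REMAINING_AFTER_SIZEPOS` is derived from the file length and SizePosition quoted in this thread, and `MAX_BLOCK` is an assumed per-block policy cap.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Result of decoding one EBML variable-length integer (a "vint"). */
typedef struct {
    int ok;          /* 1 if a complete, well-formed vint was decoded */
    size_t len;      /* bytes the vint occupies (1..8) */
    uint64_t value;  /* decoded value with the marker bit removed */
} ebml_vint;

/* Decode an EBML vint from buf. The position of the first set bit in the
 * first byte gives the total length (0b1xxxxxxx = 1 byte, 0b01xxxxxx = 2,
 * ... 0b00000001 = 8); the marker bit is dropped and the remaining bits
 * are read big-endian. A zero first byte (would mean >8 bytes) and a vint
 * that runs past the bytes available are both rejected. */
ebml_vint ebml_read_vint(const uint8_t *buf, size_t avail)
{
    ebml_vint r = {0, 0, 0};
    if (avail == 0 || buf[0] == 0)
        return r;
    size_t len = 1;
    unsigned mask = 0x80;
    while (!(buf[0] & mask)) {
        mask >>= 1;
        len++;
    }
    if (len > avail)
        return r;
    uint64_t v = buf[0] & (mask - 1);
    for (size_t i = 1; i < len; i++)
        v = (v << 8) | buf[i];
    r.ok = 1;
    r.len = len;
    r.value = v;
    return r;
}

typedef enum {
    BLOCK_OK = 0,
    BLOCK_BAD_SIZE,   /* malformed vint, or the reserved "unknown size" value */
    BLOCK_TRUNCATED,  /* declared size exceeds what is left of the file */
    BLOCK_TOO_LARGE   /* declared size exceeds the caller's policy cap */
} block_status;

/* Validate a block's declared size before anything is allocated for it.
 * buf/avail: bytes starting at the size field. remaining: bytes from the
 * start of the size field to end of file. max_block: policy cap for one
 * block. out_size may be NULL when only the verdict is wanted. */
block_status check_block_size(const uint8_t *buf, size_t avail,
                              uint64_t remaining, uint64_t max_block,
                              uint64_t *out_size)
{
    ebml_vint sz = ebml_read_vint(buf, avail);
    if (!sz.ok)
        return BLOCK_BAD_SIZE;
    /* All value bits set is EBML's "unknown size"; a block must be finite. */
    if (sz.value == (UINT64_C(1) << (7 * sz.len)) - 1)
        return BLOCK_BAD_SIZE;
    /* The payload follows the size field, so only remaining - len bytes
     * can back it. This is the check whose absence produces the abort. */
    if (remaining < sz.len || sz.value > remaining - sz.len)
        return BLOCK_TRUNCATED;
    if (sz.value > max_block)
        return BLOCK_TOO_LARGE;
    if (out_size)
        *out_size = sz.value;
    return BLOCK_OK;
}

/* Constructed 6-byte vint encoding 3219169814460, the Size value in the
 * gdb dump above. Illustrative bytes, not bytes from the reporter's file. */
static const uint8_t bogus_size[] = {0x06, 0xED, 0x85, 0x79, 0x27, 0xBC};
/* Constructed well-formed sizes for comparison: 5 bytes, and 128 bytes. */
static const uint8_t small_size[] = {0x85};
static const uint8_t two_byte_size[] = {0x40, 0x80};
/* Reserved "unknown size" in its 1-byte form. */
static const uint8_t unknown_size[] = {0xFF};

/* Bytes from the size field to EOF, from the report's file length
 * (1744119808) and the dump's SizePosition (135411849). */
#define REMAINING_AFTER_SIZEPOS (UINT64_C(1744119808) - UINT64_C(135411849))
#define MAX_BLOCK (UINT64_C(64) << 20) /* 64 MiB: an assumed per-block cap */

int main(void)
{
    uint64_t size = 0;
    block_status st = check_block_size(bogus_size, sizeof bogus_size,
                                       REMAINING_AFTER_SIZEPOS, MAX_BLOCK, &size);
    printf("declared size %llu -> status %d (0 = ok, 2 = truncated)\n",
           (unsigned long long)ebml_read_vint(bogus_size, 6).value, (int)st);
    return 0;
}
```

The order of the checks is the point: the comparison against the bytes actually left in the file costs nothing and turns a fatal allocation failure into an ordinary "corrupt block, skip it" return, which is what the reporter asks for when he says VLC's error handling should catch this. The policy cap is a second, independent line of defence for files that are long enough to back a huge declared size but should never need it for one block.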


Bug#702581: vlc: VLC crashes in libeml on some video files (mkv, h.264)

2013-03-09 Thread Lorenz H.-S.
Thank you for your response. First, a proper bug report following the
guidelines:

I am trying to play a video file. It's an h264, 720p video stream in a
matroska container. The file is 1744119808 Bytes (1.7GB) large.
When I try to play it in vlc (vlc foo.mkv), it crashes at the same point
some 5 to 7 seconds into the file every time. A gdb session with
disassembly and a register dump for vlc as suggested for avplay (which does
not crash, output below) is further below.
vlc --verbose 2 foo.mkv: http://bpaste.net/show/82438/
valgrind foo.mkv: http://bpaste.net/show/82436/
valgrind -v foo.mkv: http://bpaste.net/show/AWprB2k03dpY2ilhU3cA/

When I try to reproduce the problem in vlc with a non-huge sample of the
file, no crash occurs.
The crash in vlc does not occur with a 264062 kiB sample.
It does occur with a 264843 kiB sample.

I hope this helps.

Kind regards,
Lorenz

** The avplay output:

avplay version 0.8.5-6:0.8.5-1, Copyright (c) 2003-2012 the Libav developers
  built on Jan 13 2013 12:05:48 with gcc 4.7.2
[matroska,webm @ 0x955360] Estimating duration from bitrate, this may be
inaccurate
Input #0, matroska,webm, from 'foo.mkv':
  Duration: 00:43:47.33, start: 0.00, bitrate: 384 kb/s
Stream #0.0(eng): Video: h264 (High), yuv420p, 1280x720, PAR 1:1 DAR
16:9, 23.98 fps, 23.98 tbr, 1k tbn, 47.95 tbc
Stream #0.1: Audio: ac3, 48000 Hz, stereo, s16, 384 kb/s (default)
[matroska,webm @ 0x955360] Unknown entry 0xBDKB sq=0B f=0/0   f=0/0
[matroska,webm @ 0x955360] Unknown entry 0x89KB sq=0B f=0/0
[matroska,webm @ 0x955360] Unknown entry 0xB1
[matroska,webm @ 0x955360] Invalid EBML number size tag 0x06 at pos
53004489 (0x328c8c9)
[h264 @ 0x1247ec0] Reference 2 >= 2B vq=  200KB sq=0B f=0/0
[h264 @ 0x1247ec0] error while decoding MB 40 23, bytestream (64205)
[h264 @ 0x1247ec0] concealing 1769 DC, 1769 AC, 1769 MV errors
^C 7.43 A-V: -4.511 s:0.0 aq=0KB vq=0KB sq=0B f=0/0


At that point, it hangs.


** vlc gdb session with disassembly and register dump:

GNU gdb (GDB) 7.4.1-debian
Copyright (C) 2012 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later 
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
For bug reporting instructions, please see:
...
Reading symbols from /usr/bin/vlc...Reading symbols from
/usr/lib/debug/usr/bin/vlc...done.
done.
(gdb) run
Starting program: /usr/bin/vlc foo.mkv
warning: no loadable sections found in added symbol-file system-supplied
DSO at 0x77ffa000
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
[New Thread 0x7fffee855700 (LWP 11938)]
[New Thread 0x7fffec8f4700 (LWP 11939)]
[0x605108] main libvlc: Running vlc with the default interface. Use 'cvlc'
to use vlc without interface.
[New Thread 0x7fffe9a48700 (LWP 11940)]
[New Thread 0x7fffe2065700 (LWP 11941)]
[Thread 0x7fffec8f4700 (LWP 11939) exited]
[Thread 0x7fffe2065700 (LWP 11941) exited]
[New Thread 0x7fffe2065700 (LWP 11942)]
[New Thread 0x7fffec8f4700 (LWP 11943)]
[New Thread 0x7fffd4195700 (LWP 11944)]
[New Thread 0x7fffcc8bd700 (LWP 11945)]
[New Thread 0x7fffc462c700 (LWP 11946)]
[New Thread 0x7fffd56dd700 (LWP 11947)]
terminate called after throwing an instance of 'libebml::CRTError'
  what():  Error allocating data: Cannot allocate memory

Program received signal SIGABRT, Aborted.
[Switching to Thread 0x7fffe2065700 (LWP 11942)]
0x769c2475 in *__GI_raise (sig=) at
../nptl/sysdeps/unix/sysv/linux/raise.c:64
64 ../nptl/sysdeps/unix/sysv/linux/raise.c: No such file or directory.
(gdb) bt
#0  0x769c2475 in *__GI_raise (sig=) at
../nptl/sysdeps/unix/sysv/linux/raise.c:64
#1  0x769c56f0 in *__GI_abort () at abort.c:92
#2  0x7721789d in __gnu_cxx::__verbose_terminate_handler() () from
/usr/lib/x86_64-linux-gnu/libstdc++.so.6
#3  0x77215996 in ?? () from
/usr/lib/x86_64-linux-gnu/libstdc++.so.6
#4  0x772159c3 in std::terminate() () from
/usr/lib/x86_64-linux-gnu/libstdc++.so.6
#5  0x77215bee in __cxa_throw () from
/usr/lib/x86_64-linux-gnu/libstdc++.so.6
#6  0x7fffe80313c6 in
libebml::EbmlBinary::ReadData(libebml::IOCallback&, libebml::ScopeMode) ()
from /usr/lib/x86_64-linux-gnu/libebml.so.3
#7  0x7fffe3b7a500 in
libmatroska::KaxInternalBlock::ReadData(libebml::IOCallback&,
libebml::ScopeMode) () from /usr/lib/x86_64-linux-gnu/libmatroska.so.5
#8  0x7fffe3dcf592 in matroska_segment_c::BlockGet (this=0xa8d9b0,
pp_block=, pp_simpleblock=,
pb_key_picture=, pb_discardable_picture=0x7fffe2064d67,
pi_duration=0x7fffe2064d78)
at matroska_segment.cpp:1558
#9  0x7fffe3dc6d1e in Demux (p_demux=0x7fffdcb8) at mkv.cpp:692
#10 0x7792f40b in demux_Demux (p_demux=0x7fffdcb8) at

Bug#702581: vlc: VLC crashes in libeml on some video files (mkv, h.264)

2013-03-09 Thread Reinhard Tartler
tags -1 moreinfo
severity -1 normal
stop


On Fri, Mar 8, 2013 at 6:44 PM, Lorenz H-S  wrote:
> vlc reproducibly crashes each time at exactly the same position a few seconds
> into a broken matroska file. A full backtrace from a gdb session is attached.
> Unfortunately, I cannot share the file publicly for copyright reasons.
>
> mplayer2 cannot play the file either, but plays an additional second or so. A
> log of that is attached as well. I do not dispute the fact that the file is
> broken, but VLC's error handling should catch that and exit gracefully.
>
> Should you need more information, I am happy to help you in any way possible.

Without the sample in question, there is very little that we can do
about this problem. Nevertheless, please try to reproduce this issue
with the /usr/bin/avplay utility as found in the libav-tools package.
Please also make sure that you have the 'libav-dbg' package installed.
Then please follow the bug submission guidelines outlined on
http://libav.org/bugreports.html. The guidelines also contain
instructions on how to generate a minimal sample that allows the issue
to be reproduced.


Kind regards,
Reinhard



-- 
regards,
Reinhard





Bug#702581: vlc: VLC crashes in libeml on some video files (mkv, h.264)

2013-03-08 Thread Lorenz H-S
Package: vlc
Version: 2.0.5-1
Severity: important
Tags: upstream

Dear Maintainer,

vlc reproducibly crashes each time at exactly the same position a few seconds
into a broken matroska file. A full backtrace from a gdb session is attached.
Unfortunately, I cannot share the file publicly for copyright reasons.

mplayer2 cannot play the file either, but plays an additional second or so. A
log of that is attached as well. I do not dispute the fact that the file is
broken, but VLC's error handling should catch that and exit gracefully.

Should you need more information, I am happy to help you in any way possible.

Thank you!

Lorenz

-- System Information:
Debian Release: 7.0
  APT prefers unstable
  APT policy: (990, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.8.2-cust (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages vlc depends on:
ii  dpkg  1.16.9
ii  fonts-freefont-ttf20120503-1
ii  libaa11.4p5-40
ii  libavcodec53  7:0.10.3-dmo1
ii  libavutil51   8:1.0.5-dmo1
ii  libc6 2.13-38
ii  libcaca0  0.99.beta18-1
ii  libfreetype6  2.4.9-1.1
ii  libfribidi0   0.19.2-3
ii  libgcc1   1:4.7.2-5
ii  libgl1-mesa-glx [libgl1]  8.0.5-3
ii  libice6   2:1.0.8-2
ii  libqtcore44:4.8.2+dfsg-11
ii  libqtgui4 4:4.8.2+dfsg-11
ii  libsdl-image1.2   1.2.12-2
ii  libsdl1.2debian   1.2.15-5
ii  libsm62:1.2.1-2
ii  libstdc++64.7.2-5
ii  libtar0   1.2.16-1
ii  libva-x11-1   1.0.15-4
ii  libva11.0.15-4
ii  libvlccore5   2.0.5-1
ii  libx11-6  2:1.5.0-1
ii  libxcb-composite0 1.8.1-2
ii  libxcb-keysyms1   0.3.9-1
ii  libxcb-randr0 1.8.1-2
ii  libxcb-render01.8.1-2
ii  libxcb-shape0 1.8.1-2
ii  libxcb-shm0   1.8.1-2
ii  libxcb-xfixes01.8.1-2
ii  libxcb-xv01.8.1-2
ii  libxcb1   1.8.1-2
ii  libxext6  2:1.3.1-2
ii  libxinerama1  2:1.1.2-1
ii  libxpm4   1:3.5.10-1
ii  vlc-nox   2.0.5-1
ii  zlib1g1:1.2.7.dfsg-13

Versions of packages vlc recommends:
ii  vlc-plugin-notify  2.0.5-1
ii  vlc-plugin-pulse   2.0.5-1
ii  xdg-utils  1.1.0~rc1+git20111210-7

Versions of packages vlc suggests:
pn  videolan-doc  




*** /tmp/vlc
GNU gdb (GDB) 7.4.1-debian
Copyright (C) 2012 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later 
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
For bug reporting instructions, please see:
...
Reading symbols from /usr/bin/vlc...Reading symbols from
/usr/lib/debug/usr/bin/vlc...done.
done.
(gdb) run
Starting program: /usr/bin/vlc foo.mkv
warning: no loadable sections found in added symbol-file system-supplied DSO at
0x77ffa000
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
VLC media player 2.0.5 Twoflower (revision 2.0.5-0-g1661b7d)
[New Thread 0x7fffeddd1700 (LWP 8680)]
[New Thread 0x7fffec92e700 (LWP 8681)]
[0x605108] main libvlc: Running vlc with the default interface. Use 'cvlc' to
use vlc without interface.
[New Thread 0x7fffe9c85700 (LWP 8682)]
[New Thread 0x7fffe8118700 (LWP 8683)]
[Thread 0x7fffec92e700 (LWP 8681) exited]
[Thread 0x7fffe8118700 (LWP 8683) exited]
[New Thread 0x7fffe8118700 (LWP 8685)]
[NULL @ 0x6ad2a0] Value 4686111960511545344.00 for parameter 'b' out of
range
[NULL @ 0x6ad2a0] Value 4683532506232782848.00 for parameter 'ab' out of
range
[NULL @ 0x6ad2a0] Value 4705844345939427328.00 for parameter 'bt' out of
range
[NULL @ 0x6ad2a0] Value 4617315517961601024.00 for parameter 'me_method'
out of range
[NULL @ 0x6ad2a0] Value 4622945017495814144.00 for parameter 'g' out of
range
[NULL @ 0x6ad2a0] Value 4611686018427387904.00 for parameter 'qmin' out of
range
[NULL @ 0x6ad2a0] Value 4629418941960159232.00 for parameter 'qmax' out of
range
[NULL @ 0x6ad2a0] Value 4613937818241073152.00 for parameter 'qdiff' out of
range
[NULL @ 0x6ad2a0] Value -4616189618054758400.00 for parameter 'wpredp' out
of range
[NULL @ 0x6ad2a0] Value 4607182418800017408.00 for parameter 'bug' out of
range
[NULL @ 0x6ad2a0] Value 4607182418800017408.00 for parameter 'er' out of
range
[NULL @ 0x6ad2a0] Value 4607182418800017408.00 for parameter 'err_detect'
out of range
[NULL @ 0x6ad2a0]