Bug#910451: bs1770gain segfaults on MP3 files

2018-10-27 Thread Bernhard Übelacker
Dear Maintainer,
I tried to have a look at this crash.

But I just found out that valgrind reproducibly shows
the following invalid read of already freed memory:

==14641== Invalid read of size 4
==14641==    at 0x4EC1424: av_packet_copy_props (avpacket.c:578)
==14641==    by 0x4EC1BB2: av_packet_ref (avpacket.c:605)
==14641==    by 0x4F499F9: avcodec_send_packet (decode.c:662)
==14641==    by 0x4F49EE2: compat_decode (decode.c:769)
==14641==    by 0x1118B2: frame_reader_run (ffsox_frame_reader.c:277)
==14641==    by 0x111EDF: ffsox_engine_run (ffsox_engine.c:33)
==14641==    by 0x113A0D: ffsox_sox_reader_read (ffsox_sox_reader.c:117)
==14641==    by 0x113AFD: drain (ffsox_sox_read_handler.c:56)
==14641==    by 0x4871932: drain_effect (effects.c:352)
==14641==    by 0x4871932: sox_flow_effects (effects.c:445)
==14641==    by 0x110797: ffsox_analyze (ffsox_analyze.c:164)
==14641==    by 0x10E7E8: bs1770gain_tree_analyze (bs1770gain_tree.c:155)
==14641==    by 0x10C3F2: main (bs1770gain.c:1000)
==14641==  Address 0x11fc6eb8 is 8 bytes inside a block of size 16 free'd
==14641==    at 0x48369EB: free (vg_replace_malloc.c:530)
==14641==    by 0x4EC0A78: av_packet_free_side_data (avpacket.c:275)
==14641==    by 0x4EC149C: av_packet_unref (avpacket.c:594)
==14641==    by 0x1126B3: source_run (ffsox_source.c:173)
==14641==    by 0x111EDF: ffsox_engine_run (ffsox_engine.c:33)
==14641==    by 0x113A0D: ffsox_sox_reader_read (ffsox_sox_reader.c:117)
==14641==    by 0x113AFD: drain (ffsox_sox_read_handler.c:56)
==14641==    by 0x4871932: drain_effect (effects.c:352)
==14641==    by 0x4871932: sox_flow_effects (effects.c:445)
==14641==    by 0x110797: ffsox_analyze (ffsox_analyze.c:164)
==14641==    by 0x10E7E8: bs1770gain_tree_analyze (bs1770gain_tree.c:155)
==14641==    by 0x10C3F2: main (bs1770gain.c:1000)
==14641==  Block was alloc'd at
==14641==    at 0x48356EF: malloc (vg_replace_malloc.c:298)
==14641==    by 0x4837A34: realloc (vg_replace_malloc.c:785)
==14641==    by 0x4EC0BA2: av_packet_add_side_data (avpacket.c:315)
==14641==    by 0x4EC0C6C: av_packet_new_side_data (avpacket.c:341)
==14641==    by 0x4C76E25: read_frame_internal (utils.c:1714)
==14641==    by 0x4C7853A: avformat_find_stream_info (utils.c:3767)
==14641==    by 0x112901: ffsox_source_create (ffsox_source.c:43)
==14641==    by 0x110559: ffsox_analyze (ffsox_analyze.c:58)
==14641==    by 0x10E7E8: bs1770gain_tree_analyze (bs1770gain_tree.c:155)
==14641==    by 0x10C3F2: main (bs1770gain.c:1000)
==14641== 
==14641== (action on error) vgdb me ...

Stepped over av_packet_unref(pkt) in "source_run (ffsox_source.c:173)"
and the side_data pointer in that pkt got set to 0.

Therefore it looks like a copy of pkt/avpkt/src is made at some point,
in which the pointer to the side_data is still alive after it got freed.

Kind regards,
Bernhard


# from Initial bug report

(gdb) bt
#0  0x555d08b0 in ?? ()
#1  0x77da900e in av_buffer_unref () at /usr/lib/x86_64-linux-gnu/libavutil.so.56
#2  0x76a0d4c5 in av_packet_unref (pkt=pkt@entry=0x555b6300) at src/libavcodec/avpacket.c:595
#3  0x76a930f8 in decode_simple_internal (frame=0x555b6480, avctx=0x555b4640) at src/libavcodec/decode.c:377
#4  0x76a930f8 in decode_simple_receive_frame (frame=<optimized out>, avctx=<optimized out>) at src/libavcodec/decode.c:594
#5  0x76a930f8 in decode_receive_frame_internal (avctx=avctx@entry=0x555b4640, frame=frame@entry=0x555b6480) at src/libavcodec/decode.c:612
#6  0x76a95bbb in avcodec_receive_frame (avctx=0x555b4640, frame=0x555b6480) at src/libavcodec/decode.c:726
#7  0x76a95e7b in compat_decode (avctx=avctx@entry=0x555b4640, frame=frame@entry=0x555b6480, got_frame=got_frame@entry=0x7fffd964, pkt=pkt@entry=0x555b39a0) at src/libavcodec/decode.c:782
#8  0x76a9624d in avcodec_decode_audio4 (avctx=avctx@entry=0x555b4640, frame=frame@entry=0x555b6480, got_frame_ptr=got_frame_ptr@entry=0x7fffd964, avpkt=avpkt@entry=0x555b39a0) at src/libavcodec/decode.c:838
#9  0xd5e2 in frame_reader_run (n=0x555b3960) at ffsox_frame_reader.c:172
#10 0xdb0c in ffsox_machine_run (m=m@entry=0x7fffd9d0, node=<optimized out>, node@entry=0x55592410) at ffsox_machine.c:30
#11 0xf4be in ffsox_sox_reader_read (sa=sa@entry=0x55592410, buf=<optimized out>, len=<optimized out>) at ffsox_sox_reader.c:117
#12 0xf5a2 in drain (e=<optimized out>, obuf=<optimized out>, osamp=0x7fffdac8) at ffsox_sox_read_handler.c:56
#13 0x763bd933 in drain_effect (n=0, chain=0x5558f3e0) at effects.c:352
#14 0x763bd933 in sox_flow_effects (chain=chain@entry=0x5558f3e0, callback=callback@entry=0x0, client_data=client_data@entry=0x0) at effects.c:445
#15 0xc704 in ffsox_analyze (ac=ac@entry=0x7fffdde0, ai=<optimized out>, vi=<optimized out>) at ffsox_analyze.c:159
#16 0xa6ae in bs1770gain_tree_analyze (tree=<optimized out>, odirname=0x0, options=0x7fffdef0) at bs1770gain_tree.c:141
#17 0x808a in 

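The stale-copy situation Bernhard describes, modelled as an added example (not code from bs1770gain or FFmpeg): a constructed stand-in for a packet whose side data the unref routine frees and zeroes, showing that a struct assignment made earlier keeps the freed side_data pointer alive, while a copy taken through a copy-props style routine owns its own side data and survives. The Packet type and the pkt_* functions are assumptions that mirror the av_packet_* calls named in the valgrind trace, not their real implementations.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for an FFmpeg-style packet (not libavcodec's AVPacket):
 * one heap-allocated side-data block that the unref routine frees. */
typedef struct { unsigned char *side_data; size_t side_data_size; } Packet;

/* Like av_packet_new_side_data: allocate the side-data block. */
static int pkt_new_side_data(Packet *p, const void *buf, size_t n) {
    unsigned char *sd = realloc(p->side_data, n);
    if (!sd) return -1;
    memcpy(sd, buf, n);
    p->side_data = sd;
    p->side_data_size = n;
    return 0;
}

/* Like av_packet_unref: free the side data, then zero the packet
 * (the side_data == 0 seen in gdb after stepping over av_packet_unref). */
static void pkt_unref(Packet *p) {
    free(p->side_data);
    memset(p, 0, sizeof *p);
}

/* Like av_packet_ref/av_packet_copy_props: dst gets its own side-data copy. */
static int pkt_ref(Packet *dst, const Packet *src) {
    memset(dst, 0, sizeof *dst);
    return pkt_new_side_data(dst, src->side_data, src->side_data_size);
}

/* Buggy pattern: struct assignment leaves a second Packet sharing side_data.
 * Returns 1 if copy still holds the pointer orig just freed; reading through
 * it afterwards is the invalid read valgrind reported. */
static int shallow_copy_dangles(void) {
    Packet orig = {0}, copy;
    if (pkt_new_side_data(&orig, "id3", 3)) return -1;
    copy = orig;                     /* shallow copy: same side_data pointer */
    pkt_unref(&orig);                /* frees the block copy still points to */
    return copy.side_data != NULL;
}

/* Safe pattern: take a reference (deep copy) before the original is unref'd. */
static int ref_copy_survives(void) {
    Packet orig = {0}, copy;
    if (pkt_new_side_data(&orig, "id3", 3) || pkt_ref(&copy, &orig)) return -1;
    pkt_unref(&orig);
    int ok = copy.side_data_size == 3 && !memcmp(copy.side_data, "id3", 3);
    pkt_unref(&copy);
    return ok;
}
```
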
Bug#910451: bs1770gain segfaults on MP3 files

2018-10-06 Thread Etienne Dechamps
Same outcome with 0.5.0 manually built from upstream. Stack trace with 0.5.0:

#0  0x555d78b0 in ?? ()
#1  0x77da900e in av_buffer_unref () at /usr/lib/x86_64-linux-gnu/libavutil.so.56
#2  0x76a0d4c5 in av_packet_unref (pkt=pkt@entry=0x555bd300) at src/libavcodec/avpacket.c:595
#3  0x76a930f8 in decode_simple_internal (frame=0x555bd480, avctx=0x555bb640) at src/libavcodec/decode.c:377
#4  0x76a930f8 in decode_simple_receive_frame (frame=<optimized out>, avctx=<optimized out>) at src/libavcodec/decode.c:594
#5  0x76a930f8 in decode_receive_frame_internal (avctx=avctx@entry=0x555bb640, frame=frame@entry=0x555bd480) at src/libavcodec/decode.c:612
#6  0x76a95bbb in avcodec_receive_frame (avctx=0x555bb640, frame=0x555bd480) at src/libavcodec/decode.c:726
#7  0x76a95e7b in compat_decode (avctx=0x555bb640, frame=0x555bd480, got_frame=0x7fffd910, pkt=0x555ba9a0) at src/libavcodec/decode.c:782
#8  0xf3a4 in frame_reader_run (n=0x555ba960) at ffsox_frame_reader.c:277
#9  0xf633 in ffsox_engine_run (e=0x7fffd9a0, node=0x555ba960) at ffsox_engine.c:33
#10 0x5556147d in ffsox_sox_reader_read (sa=0x55599410, buf=0x555c91c0, len=8192) at ffsox_sox_reader.c:117
#11 0x55561a0c in drain (e=0x555bdb90, obuf=0x555c91c0, osamp=0x7fffda98) at ffsox_sox_read_handler.c:56
#12 0x763bd933 in drain_effect (n=0, chain=0x555963e0) at effects.c:352
#13 0x763bd933 in sox_flow_effects (chain=<optimized out>, callback=0x0, client_data=0x0) at effects.c:445
#14 0xdae4 in ffsox_analyze (ac=0x7fffdda0, ai=-1, vi=-1) at ffsox_analyze.c:164
#15 0xa77a in bs1770gain_tree_analyze (tree=0x7fffde60, odirname=0x0, options=0x7fffdeb0) at bs1770gain_tree.c:155
#16 0x8f96 in main (argc=2, argv=0x7fffe0e8) at bs1770gain.c:1053


On Sat, 6 Oct 2018 at 15:58, Etienne Dechamps wrote:

Bug#910451: bs1770gain segfaults on MP3 files

2018-10-06 Thread Etienne Dechamps
Package: bs1770gain
Version: 0.4.12-3+b1
Severity: important

--- Please enter the report below this line. ---
bs1770gain segfaults when running on most MP3 files. (Other formats,
like FLAC, appear to work fine.)

Steps to reproduce:
$ sox -n sine.wav synth 1 sine 1000
...
$ ffmpeg -i sine.wav sine.mp3
...
$ bs1770gain sine.mp3
analyzing ...
  [1/1] "sine.mp3": Segmentation fault (core dumped)

GDB stacktrace with debug symbols:

analyzing ...
  [1/1] "sine.mp3":
Program received signal SIGSEGV, Segmentation fault.
0x555d08b0 in ?? ()
(gdb) bt
#0  0x555d08b0 in ?? ()
#1  0x77da900e in av_buffer_unref () at /usr/lib/x86_64-linux-gnu/libavutil.so.56
#2  0x76a0d4c5 in av_packet_unref (pkt=pkt@entry=0x555b6300) at src/libavcodec/avpacket.c:595
#3  0x76a930f8 in decode_simple_internal (frame=0x555b6480, avctx=0x555b4640) at src/libavcodec/decode.c:377
#4  0x76a930f8 in decode_simple_receive_frame (frame=<optimized out>, avctx=<optimized out>) at src/libavcodec/decode.c:594
#5  0x76a930f8 in decode_receive_frame_internal (avctx=avctx@entry=0x555b4640, frame=frame@entry=0x555b6480) at src/libavcodec/decode.c:612
#6  0x76a95bbb in avcodec_receive_frame (avctx=0x555b4640, frame=0x555b6480) at src/libavcodec/decode.c:726
#7  0x76a95e7b in compat_decode (avctx=avctx@entry=0x555b4640, frame=frame@entry=0x555b6480, got_frame=got_frame@entry=0x7fffd964, pkt=pkt@entry=0x555b39a0) at src/libavcodec/decode.c:782
#8  0x76a9624d in avcodec_decode_audio4 (avctx=avctx@entry=0x555b4640, frame=frame@entry=0x555b6480, got_frame_ptr=got_frame_ptr@entry=0x7fffd964, avpkt=avpkt@entry=0x555b39a0) at src/libavcodec/decode.c:838
#9  0xd5e2 in frame_reader_run (n=0x555b3960) at ffsox_frame_reader.c:172
#10 0xdb0c in ffsox_machine_run (m=m@entry=0x7fffd9d0, node=<optimized out>, node@entry=0x55592410) at ffsox_machine.c:30
#11 0xf4be in ffsox_sox_reader_read (sa=sa@entry=0x55592410, buf=<optimized out>, len=<optimized out>) at ffsox_sox_reader.c:117
#12 0xf5a2 in drain (e=<optimized out>, obuf=<optimized out>, osamp=0x7fffdac8) at ffsox_sox_read_handler.c:56
#13 0x763bd933 in drain_effect (n=0, chain=0x5558f3e0) at effects.c:352
#14 0x763bd933 in sox_flow_effects (chain=chain@entry=0x5558f3e0, callback=callback@entry=0x0, client_data=client_data@entry=0x0) at effects.c:445
#15 0xc704 in ffsox_analyze (ac=ac@entry=0x7fffdde0, ai=<optimized out>, vi=<optimized out>) at ffsox_analyze.c:159
#16 0xa6ae in bs1770gain_tree_analyze (tree=<optimized out>, odirname=0x0, options=0x7fffdef0) at bs1770gain_tree.c:141
#17 0x808a in main (argc=<optimized out>, argv=0x7fffe118) at bs1770gain.c:970

--- System information. ---
Architecture:
Kernel:   Linux 4.18.0-1-amd64

Debian Release: buster/sid
  500 unstable-debug     deb.debian.org
  500 unstable           deb.debian.org
  500 stretch            packagecloud.io
  500 stable             www.ubnt.com
    1 experimental-debug deb.debian.org
    1 experimental       deb.debian.org

--- Package information. ---
Depends                 (Version)     | Installed
======================================-+-==========
libavcodec58            (>= 7:4.0)    | 7:4.0.2-2
 OR libavcodec-extra58  (>= 7:4.0)    |
libavformat58           (>= 7:4.0)    | 7:4.0.2-2
libavutil56             (>= 7:4.0)    | 7:4.0.2-2
libc6                   (>= 2.14)     | 2.27-6
libsox3                 (>= 14.4.2~)  | 14.4.2-3
libswresample3          (>= 7:4.0)    | 7:4.0.2-2


Package's Recommends field is empty.

Package's Suggests field is empty.