Subject: [Ekiga-list] Segfault when theora is first codec in list.
From: Stefan Lucke
Date: Wed, 31 Dec 2008 14:27:18 +0100
Hi,

Sorry for the next bug report.
I receive a segfault when theora is the first entry of the available codec list.
The segfault happens when the connection is accepted.
This is between ekiga 3.0.2beta on WinXP and
ekiga-svn (it was the same with ekiga 3.0.1) on Linux.


GNU gdb 6.7.1
Copyright (C) 2007 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "i686-pc-linux-gnu"...
Using host libthread_db library "/lib/libthread_db.so.1".
(gdb) run
Starting program: /usr/bin/ekiga
[Thread debugging using libthread_db enabled]
[New Thread 0xb5f1f6d0 (LWP 14978)]
[New Thread 0xb521db90 (LWP 14984)]
[New Thread 0xb51dcb90 (LWP 14985)]
[New Thread 0xb519bb90 (LWP 14986)]
[New Thread 0xb515ab90 (LWP 14987)]
[New Thread 0xb5119b90 (LWP 14988)]
[New Thread 0xb50d8b90 (LWP 14989)]
[New Thread 0xb5097b90 (LWP 14990)]
[New Thread 0xb5056b90 (LWP 14991)]
[New Thread 0xb4effb90 (LWP 14992)]
[New Thread 0xb4ebeb90 (LWP 14993)]
[New Thread 0xb46bdb90 (LWP 15002)]
[New Thread 0xaf6fdb90 (LWP 15009)]
[Thread 0xaf6fdb90 (LWP 15009) exited]
[Thread 0xb4effb90 (LWP 14992) exited]
[Thread 0xb5097b90 (LWP 14990) exited]
[New Thread 0xb5097b90 (LWP 15011)]
[Thread 0xb5056b90 (LWP 14991) exited]
[New Thread 0xb5056b90 (LWP 15012)]
[New Thread 0xb4effb90 (LWP 15013)]
[Thread 0xb4effb90 (LWP 15013) exited]
[New Thread 0xb4effb90 (LWP 15014)]

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0xb4effb90 (LWP 15014)]
0xb6050cbc in memcpy () from /lib/libc.so.6
(gdb) thread apply all bt

Thread 17 (Thread 0xb4effb90 (LWP 15014)):
#0  0xb6050cbc in memcpy () from /lib/libc.so.6
#1  0xb5a0afe8 in theoraFrame::SetFromTableConfig () from 
/usr/lib/opal-3.5.2/codecs/video/theora_video_pwplugin.so
#2  0xb5a0d70e in theoraEncoderContext::theoraEncoderContext ()
   from /usr/lib/opal-3.5.2/codecs/video/theora_video_pwplugin.so
#3  0xb5a0d758 in create_encoder () from 
/usr/lib/opal-3.5.2/codecs/video/theora_video_pwplugin.so
#4  0xb7790a5a in OpalPluginTranscoder::OpalPluginTranscoder () from 
/usr/lib/libopal.so.3.5-beta2
#5  0xb7791314 in OpalPluginVideoTranscoder::OpalPluginVideoTranscoder () from 
/usr/lib/libopal.so.3.5-beta2
#6  0xb779bacc in 
OpalPluginTranscoderFactory<OpalPluginVideoTranscoder>::Worker::Create ()
   from /usr/lib/libopal.so.3.5-beta2
#7  0xb7494f38 in PFactory<OpalTranscoder, std::pair<PString, PString> 
>::WorkerBase::CreateInstance ()
   from /usr/lib/libopal.so.3.5-beta2
#8  0xb7496137 in PFactory<OpalTranscoder, std::pair<PString, PString> 
>::CreateInstance_Internal ()
   from /usr/lib/libopal.so.3.5-beta2
#9  0xb7496174 in PFactory<OpalTranscoder, std::pair<PString, PString> 
>::CreateInstance ()
   from /usr/lib/libopal.so.3.5-beta2
#10 0xb7494361 in OpalTranscoder::Create () from /usr/lib/libopal.so.3.5-beta2
#11 0xb7491a8f in OpalMediaPatch::AddSink () from /usr/lib/libopal.so.3.5-beta2
#12 0xb747de20 in OpalCall::OpenSourceMediaStreams () from 
/usr/lib/libopal.so.3.5-beta2
#13 0xb7745653 in SIPConnection::OnReceivedSDPMediaDescription () from 
/usr/lib/libopal.so.3.5-beta2
#14 0xb77423a5 in SIPConnection::OnReceivedSDP () from 
/usr/lib/libopal.so.3.5-beta2
#15 0xb7743b32 in SIPConnection::OnReceivedOK () from 
/usr/lib/libopal.so.3.5-beta2
#16 0xb774161e in SIPConnection::OnReceivedResponse () from 
/usr/lib/libopal.so.3.5-beta2
#17 0xb7756d80 in SIPTransaction::OnReceivedResponse () from 
/usr/lib/libopal.so.3.5-beta2
#18 0xb7759f44 in SIPInvite::OnReceivedResponse () from 
/usr/lib/libopal.so.3.5-beta2
#19 0xb7738ac3 in SIPEndPoint::SIP_PDU_Thread::Main () from 
/usr/lib/libopal.so.3.5-beta2
#20 0xb7037115 in PThread::PX_ThreadStart () from /usr/lib/libpt.so.2.5-beta2
#21 0xb6c1118b in start_thread () from /lib/libpthread.so.0
#22 0xb60a409e in clone () from /lib/libc.so.6

With a self-made trace message in 'opal/plugins/video/THEORA/theora_frame.cxx'
I get the following output with option -d 4:

[email protected] ~ $ tail -n 20 xx6
2008/12/31 12:27:21.440   0:18.328        Aggregator:0xb4f3cb90 PVidInDev       
G_PARM failed (preserving frame rate may not work) : Das Argument ist ungültig
2008/12/31 12:27:21.440   0:18.328        Aggregator:0xb4f3cb90 PVidInDev       
unable to reset frame rate.
2008/12/31 12:27:21.440   0:18.328        Aggregator:0xb4f3cb90 PVidDev Colour 
converter used from 320x240 [YUV420P] to 176x144 [YUV420P]
2008/12/31 12:27:22.341   0:19.229      AudioEvent...0xb5220b90 AEScheduler     
Checking pending list with 1 elements
2008/12/31 12:27:22.341   0:19.229      AudioEvent...0xb5220b90 AEScheduler     
Trying to load /usr/share/sounds/ekiga/dialtone.wav for event ring_tone_sound
2008/12/31 12:27:22.342   0:19.230      AudioEvent...0xb5220b90 AudioOutputCore 
Dropping sound event, primary device not set
2008/12/31 12:27:23.993   0:20.881        Aggregator:0xb4f3cb90 PVidDev 
SetColourFormatConverter success for native YUV420P
2008/12/31 12:27:23.994   0:20.882        Aggregator:0xb4f3cb90 OpalMan 
OnOpenMediaStream Call[g5c0bb3d61]-EP<pc>[1],OpalVideoMediaStream-Source-YUV420P
2008/12/31 12:27:23.994   0:20.882        Aggregator:0xb4f3cb90 OpalCon Opened 
source stream g5c0bb3d61_2 with format YUV420P
2008/12/31 12:27:23.994   0:20.882        Aggregator:0xb4f3cb90 Call    
IsMediaBypassPossible 
Call[g5c0bb3d61]-EP<sip>[[email protected]] session 2
2008/12/31 12:27:23.994   0:20.882        Aggregator:0xb4f3cb90 OpalMan 
IsMediaBypassPossible: session 2
2008/12/31 12:27:23.994   0:20.882        Aggregator:0xb4f3cb90 OpalCon 
IsMediaBypassPossible: default returns false
2008/12/31 12:27:23.994   0:20.882        Aggregator:0xb4f3cb90 RTP     Found 
existing media session 2
2008/12/31 12:27:23.995   0:20.883        Aggregator:0xb4f3cb90 OpalMan 
OnOpenMediaStream 
Call[g5c0bb3d61]-EP<sip>[[email protected]],OpalRTPMediaStream-Sink-theora
2008/12/31 12:27:23.995   0:20.883        Aggregator:0xb4f3cb90 OpalCon Opened 
sink stream g5c0bb3d61_2 with format theora
2008/12/31 12:27:23.995   0:20.883        Aggregator:0xb4f3cb90 RateController  
New paramaters: bitrate=1024000, window=500, frame time=3000(rate=30), max 
skipped frames=1
2008/12/31 12:27:23.995   0:20.883        Aggregator:0xb4f3cb90 Patch   Created 
Sink: format=theora
theora_frame.cxx(75)    THEORA  Encap   Got Header Packet from encoder that has 
len 148 != 42
SetFromTableConfig len = -1240923378 (0xb609030e)
h264helper_unix.cxx(72) H264    IPC     CP: Terminating

My change:
void theoraFrame::SetFromTableConfig (ogg_packet* tablePacket) {
  TRACE_UP(4, "THEORA\tEncap\tGot table packet with len " << tablePacket->bytes);
  /* debug print of the raw length; ogg_packet::bytes is a long, so use %ld/%lx */
  fprintf(stderr, "SetFromTableConfig len = %ld (0x%08lx)\n", tablePacket->bytes,
          tablePacket->bytes);
  memcpy (_packedConfigData.ptr + THEORA_HEADER_PACKET_SIZE,
          tablePacket->packet, tablePacket->bytes);
..

As on my system ogg_packet->bytes is of type long, negative values of
bytes should be checked and rejected, like in ffmpeg (libavcodec/libtheoraenc.c).
Such values could be a source of stack overflows and other types of intrusion.

-- 
Stefan Lucke
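The defect class the report describes, as an added illustration that is not Ekiga or Opal code: a signed `long` length is handed to `memcpy`, which takes a `size_t`, so a negative value silently becomes an enormous copy. The `ogg_packet_like` struct, `PACKED_CONFIG_CAPACITY`, `packed_config`, `classify_table_length` and `set_from_table_config_checked` are constructed stand-ins for this example; only the 42-byte header size and the lengths 148 and -1240923378 (0xb609030e) come from the trace above. The unchecked function keeps the shape of the call in the backtrace and is only ever run on a sane packet here; the checked one rejects the length before any cast happens.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for libogg's ogg_packet: only the two fields the
 * report touches, with `bytes` declared as `long` exactly as in libogg. */
typedef struct {
    unsigned char *packet;
    long bytes;
} ogg_packet_like;

/* 42 is the header packet size from the trace; the config buffer capacity
 * is an assumption for this example, the plugin's real size is not stated. */
#define THEORA_HEADER_PACKET_SIZE 42
#define PACKED_CONFIG_CAPACITY 4096

typedef struct {
    unsigned char ptr[PACKED_CONFIG_CAPACITY];
    size_t len;                 /* bytes of ptr currently in use */
} packed_config;

typedef enum {
    CFG_OK = 0,
    CFG_ERR_NULL,               /* packet pointer missing */
    CFG_ERR_NEGATIVE,           /* bytes < 0: would become a huge size_t */
    CFG_ERR_TOO_LARGE           /* bytes does not fit after the header */
} cfg_status;

/* Same shape as the call in the backtrace: the long is converted straight
 * to size_t. With a negative length this is the reported crash. */
static void set_from_table_config_unchecked(packed_config *cfg, const ogg_packet_like *p)
{
    memcpy(cfg->ptr + THEORA_HEADER_PACKET_SIZE, p->packet, (size_t)p->bytes);
    cfg->len = THEORA_HEADER_PACKET_SIZE + (size_t)p->bytes;
}

/* Validate the signed length first; only compare as size_t once it is
 * known to be non-negative, and subtract rather than add so the bound
 * check itself cannot overflow. */
static cfg_status classify_table_length(long bytes)
{
    if (bytes < 0)
        return CFG_ERR_NEGATIVE;
    if ((size_t)bytes > PACKED_CONFIG_CAPACITY - THEORA_HEADER_PACKET_SIZE)
        return CFG_ERR_TOO_LARGE;
    return CFG_OK;
}

/* Hardened form: copy only after the packet and its length pass the checks. */
static cfg_status set_from_table_config_checked(packed_config *cfg, const ogg_packet_like *p)
{
    if (p == NULL || p->packet == NULL)
        return CFG_ERR_NULL;
    cfg_status st = classify_table_length(p->bytes);
    if (st != CFG_OK)
        return st;
    memcpy(cfg->ptr + THEORA_HEADER_PACKET_SIZE, p->packet, (size_t)p->bytes);
    cfg->len = THEORA_HEADER_PACKET_SIZE + (size_t)p->bytes;
    return CFG_OK;
}

/* Runs the three cases from the report: the 148-byte table packet, the
 * garbage negative length, and an oversize one. Returns the number of
 * checks that did not behave as expected (0 means all good). */
static int demo(void)
{
    static unsigned char table[148];        /* constructed table packet body */
    memset(table, 0xAB, sizeof table);
    packed_config cfg = {{0}, 0};

    ogg_packet_like good     = { table, 148L };
    ogg_packet_like negative = { table, -1240923378L };   /* 0xb609030e */
    ogg_packet_like huge     = { table, PACKED_CONFIG_CAPACITY };

    int failures = 0;
    /* the unchecked copy is fine on sane input, which is why the bug hides */
    set_from_table_config_unchecked(&cfg, &good);
    failures += cfg.len != THEORA_HEADER_PACKET_SIZE + 148;
    failures += set_from_table_config_checked(&cfg, &good) != CFG_OK;
    failures += cfg.len != THEORA_HEADER_PACKET_SIZE + 148;
    failures += set_from_table_config_checked(&cfg, &negative) != CFG_ERR_NEGATIVE;
    failures += set_from_table_config_checked(&cfg, &huge) != CFG_ERR_TOO_LARGE;
    failures += set_from_table_config_checked(&cfg, NULL) != CFG_ERR_NULL;
    return failures;
}

int main(void)
{
    printf("%s\n", demo() == 0 ? "all length checks behaved as expected" : "mismatch");
    return 0;
}
```

The order of the checks is the point: the sign test runs on the `long` before any cast, and the capacity test subtracts the header size from the buffer size rather than adding the header size to the untrusted length, so neither comparison can wrap.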