madplay crashed with SIGSEGV in _int_free()

Bug #903526 reported by Daniel Richard G.
This bug affects 3 people
Affects           Status        Importance  Assigned to  Milestone
madplay (Debian)  Fix Released  Unknown
madplay (Ubuntu)  Fix Released  Medium      Unassigned

Bug Description

Playing a list of MP3s, and at the end of the first one, BOOM.

ProblemType: Crash
DistroRelease: Ubuntu 11.10
Package: madplay 0.15.2b-7build1
ProcVersionSignature: Ubuntu 3.0.0-13.22-generic 3.0.6
Uname: Linux 3.0.0-13-generic i686
ApportVersion: 1.23-0ubuntu4
Architecture: i386
Date: Mon Dec 12 22:03:36 2011
ExecutablePath: /usr/bin/madplay
ProcCmdline: madplay 1-1m01--Opening.mp3 1-1m02--The_Courtroom_V1.mp3 1-1m02--The_Courtroom_V2.mp3 ... [long list of .mp3 files elided]
ProcEnviron:
 SHELL=/bin/bash
 PATH=(custom, no user)
 LANG=en_US.UTF-8
SegvAnalysis:
 Segfault happened at: 0x5f3656 <_int_free+902>: cmp 0xc(%eax),%ecx
 PC (0x005f3656) ok
 source "0xc(%eax)" (0x0000000c) not located in a known VMA region (needed readable region)!
 destination "%ecx" ok
SegvReason: reading NULL VMA
Signal: 11
SourcePackage: madplay
StacktraceTop:
 _int_free (av=0x6fd400, p=0x8cbcd50) at malloc.c:4973
 __GI___libc_free (mem=0x8cbcd58) at malloc.c:3738
 mad_frame_finish () from /usr/lib/libmad.so.0
 ?? ()
Title: madplay crashed with SIGSEGV in _int_free()
UpgradeStatus: No upgrade log present (probably fresh install)
UserGroups: adm audio cdrom dialout floppy plugdev video

Apport retracing service (apport) wrote :

StacktraceTop:
 _int_free (av=0x6fd400, p=0x8cbcd50) at malloc.c:4973
 __GI___libc_free (mem=0x8cbcd58) at malloc.c:3738
 mad_frame_finish () from /tmp/tmp5Afrrv/usr/lib/libmad.so.0
 ?? ()

Apport retracing service (apport) wrote : Stacktrace.txt
Apport retracing service (apport) wrote : ThreadStacktrace.txt
Changed in madplay (Ubuntu):
importance: Undecided → Medium
tags: removed: need-i386-retrace
description: updated
Daniel Richard G. (skunk) wrote :

I've dug into this with a debugger and Valgrind, and found the problem. It's a buffer overrun.

In audio_alsa.c, the play() function calls audio_pcm() with a "len" argument of 1152. At 8 bytes per sample, this would fill up a buffer of 9216 bytes. But the buffer "buf" (a static variable in this same file) was allocated to be 8192 bytes in size, enough to handle 1024 samples.

The value of 8192 bytes / 1024 samples comes from the ALSA library. The 1152 appears to be coming from libmad; it was a little hard to follow.

The attached patch makes the segfault go away (and as a bonus, addresses a Valgrind-reported uninitialized-variable error and memory leak). It is not, however, a general fix. For that, the aforementioned discrepancy needs to be resolved.

visibility: private → public
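The size mismatch described in the comment above, modelled in added example code that is not madplay's own (the names are hypothetical, and reading the 8 bytes/sample as stereo 32-bit output is an assumption): the arithmetic that overruns an 8192-byte buffer with a 1152-sample frame, beside a chunked variant that bounds every write to the buffer's capacity.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed model of the mismatch described in the comment above; names are
 * hypothetical, not madplay's own. The output buffer is sized for 1024 samples,
 * while the decoder hands play() 1152 samples per frame. */
#define OUT_PERIOD_SAMPLES 1024u  /* samples the output layer sized the buffer for */
#define BYTES_PER_SAMPLE   8u     /* the 8 bytes/sample from the comment (assumed stereo 32-bit) */
#define BUF_SIZE           (OUT_PERIOD_SAMPLES * BYTES_PER_SAMPLE)  /* 8192 bytes */
#define FRAME_SAMPLES      1152u  /* samples per decoded frame */
static unsigned char buf[BUF_SIZE];  /* the static buffer that was overrun */

/* Bytes a request for `len` samples writes: 1152 * 8 = 9216, 1024 past the end. */
size_t pcm_bytes_needed(unsigned len) { return (size_t)len * BYTES_PER_SAMPLE; }

/* The bounds check the overrunning path lacked. */
int pcm_request_fits(unsigned len) { return pcm_bytes_needed(len) <= BUF_SIZE; }

/* Hardened variant: interleaves left/right samples into buf in chunks that never
 * exceed BUF_SIZE and passes each chunk to emit(). Returns total bytes emitted. */
size_t audio_pcm_chunked(const int32_t *left, const int32_t *right, unsigned len,
                         void (*emit)(const unsigned char *, size_t))
{
    size_t total = 0;
    while (len > 0) {
        unsigned n = len < OUT_PERIOD_SAMPLES ? len : OUT_PERIOD_SAMPLES;
        for (unsigned i = 0; i < n; i++) {
            memcpy(buf + i * BYTES_PER_SAMPLE,     &left[i],  sizeof *left);
            memcpy(buf + i * BYTES_PER_SAMPLE + 4, &right[i], sizeof *right);
        }
        emit(buf, pcm_bytes_needed(n));
        total += pcm_bytes_needed(n);
        left += n; right += n; len -= n;
    }
    return total;
}

static size_t g_chunks, g_max_chunk;  /* counting sink standing in for the ALSA write */
static void count_emit(const unsigned char *p, size_t n) {
    (void)p; g_chunks++; if (n > g_max_chunk) g_max_chunk = n;
}

/* Pushes one constructed 1152-sample frame through the chunked path and returns
 * the number of chunks written: 2 (8192 bytes, then the remaining 1024). */
size_t demo_frame(void) {
    int32_t l[FRAME_SAMPLES], r[FRAME_SAMPLES];
    for (unsigned i = 0; i < FRAME_SAMPLES; i++) { l[i] = (int32_t)i; r[i] = -(int32_t)i; }
    g_chunks = g_max_chunk = 0;
    return audio_pcm_chunked(l, r, FRAME_SAMPLES, count_emit) == 9216 ? g_chunks : 0;
}
```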
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in madplay (Ubuntu):
status: New → Confirmed
Changed in madplay (Debian):
status: Unknown → New
Ubuntu Foundations Team Bug Bot (crichton) wrote :

The attachment "madplay.patch" of this bug report has been identified as being a patch. The ubuntu-reviewers team has been subscribed to the bug report so that they can review the patch. In the event that this is in fact not a patch you can resolve this situation by removing the tag 'patch' from the bug report and editing the attachment so that it is not flagged as a patch. Additionally, if you are member of the ubuntu-reviewers team please also unsubscribe the team from this bug report.

[This is an automated message performed by a Launchpad user owned by Brian Murray. Please contact him regarding any issues with the action taken in this bug report.]

tags: added: patch
Daniel Richard G. (skunk) wrote :

Well, nuts, perhaps I should have actually *listened* to the program running with my patch rather than doing all the work remotely :-]

Revised patch is attached. Not only does this get rid of the static/stuttering caused by the first one, this one can now handle any of the different sample sizes/formats. It's still not a proper fix, but at least it can be called a proper workaround.

Changed in madplay (Debian):
status: New → Fix Released
Paul Gevers (paul-climbing) wrote :

Long time ago fixed.

 madplay (0.15.2b-8) unstable; urgency=high
 .
   * Fix buffer overflow in the alsa output code (Closes: #619341)
     Thanks to Ben Winslow <email address hidden>
   * Only build with alsa on linux (Closes: #625649)

Changed in madplay (Ubuntu):
status: Confirmed → Fix Released