[mako] out of index crash when handling media_codec output buffers list

Bug #1234007 reported by Ricardo Salveti on 2013-10-02
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
gst-plugins-bad1.0 (Ubuntu)
Undecided
Unassigned
libhybris (Ubuntu)
Critical
Jim Hodapp

Bug Description

Image: 20131001.3, + updated packages to use gstreamer 1.2 (also happens with gst 1.1.4).
Device: mako

Steps to reproduce:
* Install mediaplayer-app-autopilot and gstreamer1.0-tools
* As phablet: stop unity8
* gst-launch-1.0 -v playbin uri=file:///usr/share/mediaplayer-app/videos/small.mp4

Will crash when initializing the decoding/playback.

Logs attached.

Ricardo Salveti (rsalveti) wrote :

See that mako's OMX element is a bit smarter and decides to release a few buffers before they are consumed later on. This breaks the current buffer list logic inside compat/media/media_codec_layer.cpp, causing an index out of range issue.

V/MediaCodecLayer( 4647): size_t media_codec_get_output_buffers_size(MediaCodecDelegate)
V/MediaCodecLayer( 4647): uint8_t* media_codec_get_nth_output_buffer(MediaCodecDelegate, size_t)
V/MediaCodecLayer( 4647): size_t media_codec_get_nth_output_buffer_capacity(MediaCodecDelegate, size_t)
V/MediaCodecLayer( 4647): uint8_t* media_codec_get_nth_output_buffer(MediaCodecDelegate, size_t)
V/MediaCodecLayer( 4647): size_t media_codec_get_nth_output_buffer_capacity(MediaCodecDelegate, size_t)
V/MediaCodecLayer( 4647): uint8_t* media_codec_get_nth_output_buffer(MediaCodecDelegate, size_t)
V/MediaCodecLayer( 4647): size_t media_codec_get_nth_output_buffer_capacity(MediaCodecDelegate, size_t)
V/MediaCodecLayer( 4647): uint8_t* media_codec_get_nth_output_buffer(MediaCodecDelegate, size_t)
V/MediaCodecLayer( 4647): size_t media_codec_get_nth_output_buffer_capacity(MediaCodecDelegate, size_t)
V/MediaCodecLayer( 4647): uint8_t* media_codec_get_nth_output_buffer(MediaCodecDelegate, size_t)
V/MediaCodecLayer( 4647): size_t media_codec_get_nth_output_buffer_capacity(MediaCodecDelegate, size_t)
V/MediaCodecLayer( 4647): uint8_t* media_codec_get_nth_output_buffer(MediaCodecDelegate, size_t)
V/MediaCodecLayer( 4647): size_t media_codec_get_nth_output_buffer_capacity(MediaCodecDelegate, size_t)
V/MediaCodecLayer( 4647): uint8_t* media_codec_get_nth_output_buffer(MediaCodecDelegate, size_t)
V/MediaCodecLayer( 4647): size_t media_codec_get_nth_output_buffer_capacity(MediaCodecDelegate, size_t)
V/MediaCodecLayer( 4647): uint8_t* media_codec_get_nth_output_buffer(MediaCodecDelegate, size_t)
V/MediaCodecLayer( 4647): size_t media_codec_get_nth_output_buffer_capacity(MediaCodecDelegate, size_t)
V/MediaCodecLayer( 4647): uint8_t* media_codec_get_nth_output_buffer(MediaCodecDelegate, size_t)
V/MediaCodecLayer( 4647): size_t media_codec_get_nth_output_buffer_capacity(MediaCodecDelegate, size_t)
V/MediaCodecLayer( 4647): uint8_t* media_codec_get_nth_output_buffer(MediaCodecDelegate, size_t)
F/MediaCodecLayer( 4647): const TYPE& android::Vector<TYPE>::operator[](size_t) const [with TYPE = android::sp<android::ABuffer>; size_t = unsigned int]: index=9 out of range (9)

description: updated
Ricardo Salveti (rsalveti) wrote :
Changed in libhybris (Ubuntu):
status: New → In Progress
importance: Undecided → Critical
assignee: nobody → Jim Hodapp (jhodapp)
Ricardo Salveti (rsalveti) wrote :

This issue is currently blocking the mediaplayer-app autotests.

http://reports.qa.ubuntu.com/smokeng/saucy/touch_ro/4512/mediaplayer-app-autopilot/

Ricardo Salveti (rsalveti) wrote :

The following patch, to just request outputbuffers from media_codec every time the function is called, fixes the issue.

Not pushing it further as I want Jim to make sure this is not reflected somewhere in the hybris/gstreamer code.

diff --git a/compat/media/media_codec_layer.cpp b/compat/media/media_codec_layer.cpp
index b5f3bc8..eed34af 100644
--- a/compat/media/media_codec_layer.cpp
+++ b/compat/media/media_codec_layer.cpp
@@ -478,8 +478,8 @@ size_t media_codec_get_output_buffers_size(MediaCodecDelegate delegate)
     if (d == NULL)
         return BAD_VALUE;

- if (d->output_buffers.size() == 0)
- {
+// if (d->output_buffers.size() == 0)
+// {
         status_t ret = d->media_codec->getOutputBuffers(&d->output_buffers);
         if (ret != OK)
         {
@@ -487,7 +487,7 @@ size_t media_codec_get_output_buffers_size(MediaCodecDelegate delegate)
             return 0;
         }
         ALOGD("Got %d output buffers", d->output_buffers.size());
- }
+// }

     return d->output_buffers.size();
 }

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package libhybris - 0.1.0+git20130606+c5d897a-0ubuntu31

---------------
libhybris (0.1.0+git20130606+c5d897a-0ubuntu31) saucy; urgency=low

  * 0031-Fixes-bug-lp-1234007-out-of-index-crash-for-handling.patch:
    - Fixing an out of index crash when handling media_codec_layer output
      buffers list (LP: #1234007)
 -- Ricardo Salveti de Araujo <email address hidden> Wed, 02 Oct 2013 11:35:46 -0300

Changed in libhybris (Ubuntu):
status: In Progress → Fix Released
Changed in gst-plugins-bad1.0 (Ubuntu):
status: New → Invalid
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers