Ubuntu
libmms package

[apport] totem crashed with SIGSEGV in strlen()

Bug #101876 reported by Milan.D
4
Affects Status Importance Assigned to Milestone
libmms
Fix Released
Unknown
libmms (Ubuntu)
Fix Released
Medium
Ubuntu Desktop Bugs

Bug Description

Binary package hint: totem

crash on wrong wms url

ProblemType: Crash
Architecture: i386
Date: Mon Apr 2 14:30:31 2007
DistroRelease: Ubuntu 7.04
ExecutablePath: /usr/bin/totem
Package: totem-gstreamer 2.18.0-0ubuntu2
PackageArchitecture: i386
ProcCmdline: totem mms://irtv.carnet.hr
ProcCwd: /home/mile
ProcEnviron:
 SHELL=/bin/bash
 PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/opt/oracle/product/10.2.0/bin
 LANG=en_US.UTF-8
Signal: 11
SourcePackage: totem
Stacktrace:
 #0 0xb70cdc23 in strlen () from /lib/tls/i686/cmov/libc.so.6
 #1 0xb1a8e214 in mms_connect () from /usr/lib/libmms.so.0
 #2 0xb14d0a88 in ?? () from /usr/lib/gstreamer-0.10/libgstmms.so
 #3 0x00000000 in ?? ()
StacktraceTop:
 strlen () from /lib/tls/i686/cmov/libc.so.6
 mms_connect () from /usr/lib/libmms.so.0
 ?? () from /usr/lib/gstreamer-0.10/libgstmms.so
 ?? ()
Uname: Linux mile-laptop 2.6.20-13-generic #2 SMP Sun Mar 25 00:21:25 UTC 2007 i686 GNU/Linux
UserGroups: adm admin audio cdrom dialout dip floppy lpadmin netdev plugdev powerdev scanner video

Revision history for this message
Milan.D (milan-drobac) wrote :
Revision history for this message
Daniel Holbach (dholbach) wrote :

Thanks for your bug report.

Changed in totem:
assignee: nobody → desktop-bugs
importance: Undecided → Medium
Revision history for this message
Apport retracing service (apport) wrote : Symbolic stack trace

StacktraceTop:strlen () from /lib/tls/i686/cmov/libc.so.6
?? ()
?? ()

Revision history for this message
Apport retracing service (apport) wrote : Symbolic threaded stack trace
Revision history for this message
Sebastien Bacher (seb128) wrote :
Download full text (9.2 KiB)

Core was generated by `totem mms://irtv.carnet.hr'.
Program terminated with signal 11, Segmentation fault.
#0 0xb70cdc23 in strlen () from /lib/tls/i686/cmov/libc.so.6
(gdb) thread apply all bt full

Thread 3 (process 9712):
#0 0xffffe410 in __kernel_vsyscall ()
No symbol table info available.
#1 0xb7373986 in ?? () from /lib/tls/i686/cmov/libpthread.so.0
No symbol table info available.
#2 0xb71f9d72 in IA__g_usleep (microseconds=50000) at gtimer.c:170
        request = {tv_sec = 0, tv_nsec = 50000000}
        remaining = {tv_sec = -516, tv_nsec = -1222375608}
#3 0xb32f98c1 in gst_xvimagesink_event_thread (xvimagesink=0x852a000) at xvimagesink.c:1451
        __PRETTY_FUNCTION__ = "gst_xvimagesink_event_thread"
#4 0xb71f7b7f in g_thread_create_proxy (data=0x855d7c8) at gthread.c:591
        __PRETTY_FUNCTION__ = "g_thread_create_proxy"
#5 0xb736c31b in start_thread () from /lib/tls/i686/cmov/libpthread.so.0
No symbol table info available.
#6 0xb712f50e in clone () from /lib/tls/i686/cmov/libc.so.6
No symbol table info available.

Thread 2 (process 9714):
#0 0xffffe410 in __kernel_vsyscall ()
No symbol table info available.
#1 0xb73705c6 in pthread_cond_wait@@GLIBC_2.3.2 () from /lib/tls/i686/cmov/libpthread.so.0
No symbol table info available.
#2 0xb741fdd8 in gst_system_clock_async_thread (clock=0x8495d20) at gstsystemclock.c:260
        entry = (GstClockEntry *) 0xb7240d50
        requested = 7284167576
        res = 3072591688
        sysclock = (GstSystemClock *) 0x8495d20
        __PRETTY_FUNCTION__ = "gst_system_clock_async_thread"
#3 0xb71f7b7f in g_thread_create_proxy (data=0x80c0fc0) at gthread.c:591
        __PRETTY_FUNCTION__ = "g_thread_create_proxy"
#4 0xb736c31b in start_thread () from /lib/tls/i686/cmov/libpthread.so.0
No symbol table info available.
#5 0xb712f50e in clone () from /lib/tls/i686/cmov/libc.so.6
No symbol table info available.

Thread 1 (process 9706):
#0 0xb70cdc23 in strlen () from /lib/tls/i686/cmov/libc.so.6
No symbol table info available.
#1 0xb1a8e214 in mms_connect (io=0x0, data=0x0, url=0x8592388 "mms://irtv.carnet.hr", bandwidth=131072) at mms.c:1162
        command_buffer = {buffer = 0x8595b6c "", pos = 8}
        this = (mms_t *) 0x8595b18
        res = <value optimized out>
        uri = <value optimized out>
#2 0xb14d0a88 in gst_mms_start (bsrc=0x8575878) at gstmms.c:290
        __txt = <value optimized out>
---Type <return> to continue, or q <return> to quit---
        __dbg = <value optimized out>
        mms = (GstMMS *) 0x8575878
        __PRETTY_FUNCTION__ = "gst_mms_start"
#3 0xb76601fc in gst_base_src_start (basesrc=0x8575878) at gstbasesrc.c:1795
        bclass = (GstBaseSrcClass *) 0x8591dc0
        result = 1
        size = <value optimized out>
        __PRETTY_FUNCTION__ = "gst_base_src_start"
#4 0xb7661422 in gst_base_src_activate_push (pad=0x85263d8, active=1) at gstbasesrc.c:1927
        basesrc = (GstBaseSrc *) 0x8575878
        event = <value optimized out>
        __PRETTY_FUNCTION__ = "gst_base_src_activate_push"
#5 0xb740fd4f in gst_pad_activate_push (pad=0x85263d8, active=1) at gstpad.c:886
        old = GST_ACTIVATE_NONE
        new = GST_ACTIVATE_PUSH
        ...

Read more...

Revision history for this message
Sebastien Bacher (seb128) wrote :

==14686== Invalid read of size 1
==14686== at 0x4022488: strlen (mc_replace_strmem.c:246)
==14686== by 0x46BF213: mms_connect (mms.c:1162)
==14686== by 0x46B9A87: gst_mms_start (gstmms.c:290)
==14686== by 0x49301FB: gst_base_src_start (gstbasesrc.c:1795)
==14686== by 0x4931421: gst_base_src_activate_push (gstbasesrc.c:1927)
==14686== by 0x4088D4E: gst_pad_activate_push (gstpad.c:886)
==14686== by 0x4089234: gst_pad_activate_default (gstpad.c:559)
==14686== by 0x40892FB: gst_pad_set_active (gstpad.c:648)
==14686== by 0x4070D7A: activate_pads (gstelement.c:2371)
==14686== by 0x407CC86: gst_iterator_fold (gstiterator.c:503)
==14686== by 0x40707F1: iterator_activate_fold_with_resync (gstelement.c:2403)
==14686== by 0x407088D: gst_element_pads_activate (gstelement.c:2438)

Revision history for this message
Tim Müller (t-i-m-zen) wrote :

Problem is that there is no path element so this->uri is NULL instead of "/" or whatever.

Patch can be found here:
http://sourceforge.net/tracker/index.php?func=detail&aid=1693536&group_id=101989&atid=630609

Revision history for this message
Sebastien Bacher (seb128) wrote :

Thank you Tim

Changed in libmms:
status: Unconfirmed → Confirmed
Revision history for this message
Luca Falavigna (dktrkranz) wrote :

libmms (0.3-4ubuntu1) gutsy; urgency=low

  [Gabriel Velo]
  * Fix handle of mms URIs (LP: #79401 LP: #101876 LP: #119641)

  [Luca Falavigna]
  * Update Maintainer field in debian/control

 -- Luca Falavigna <dktrkranz@localhost> Tue, 3 Jul 2007 16:07:30 +0200

Launchpad Janitor (janitor)
Changed in libmms:
status: Confirmed → Fix Released
Revision history for this message
James Henstridge (jamesh) wrote :

Set status from imported bug 176873

Changed in libmms:
status: Unknown → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.