Buffer overflow in alsa_card_detect causes linphone to crash at startup

Bug #1967122 reported by Simon Tatham
Affects: mediastreamer2 (Ubuntu)
Status: New
Importance: Undecided
Assigned to: Unassigned
Milestone: (not set)

Bug Description

Linphone crashes at startup for me, if too many audio devices are connected, with a message on stderr saying

free(): double free detected in tcache 2
SIGABRT / SIGIOT: Aborted

I debugged the problem and found that the crash was occurring in the libmediastreamer_voip.so.10 shared library. Specifically, in src/audiofilters/alsa.c alsa_card_detect(), the arrays card_names[] and device_names[] were being overrun, because they have size MAX_NUM_DEVICE_ID = 100 and there's no overflow check in the code. So one array was overrunning into the other one, causing the double-free when both arrays full of allocated things were cleaned up at the end of the function.

(I don't have 100 audio devices! But ALSA reports multiple records for each one, with various different details. I found that with HDMI audio output, USB speakers, and a webcam with microphone, the array overrun occurs; disconnecting the webcam allows Linphone to start up, but then of course I can't use it to make calls.)

I've worked around the problem locally by installing a recompiled version of the libmediastreamer-voip10 package in which I reset MAX_NUM_DEVICE_ID from 100 to 1000. With that change, Linphone runs fine and can make calls using my webcam microphone.

(My fix is a bodge, of course! A proper fix would enlarge the arrays as needed. But I know that the affected function has been completely rewritten in later versions of mediastreamer2, and those later versions are already in later Ubuntu releases. So I only need that workaround until I can upgrade from 20.04 to 22.04 next month.)

ProblemType: Bug
DistroRelease: Ubuntu 20.04
Package: libmediastreamer-voip10 1:2.16.1-4ubuntu2
ProcVersionSignature: Ubuntu 5.11.0-46.51~20.04.1-generic 5.11.22
Uname: Linux 5.11.0-46-generic x86_64
ApportVersion: 2.20.11-0ubuntu27.21
Architecture: amd64
CasperMD5CheckResult: skip
Date: Wed Mar 30 12:35:18 2022
InstallationDate: Installed on 2013-06-01 (3223 days ago)
InstallationMedia: Ubuntu 13.04 "Raring Ringtail" - Release amd64 (20130424)
SourcePackage: mediastreamer2
UpgradeStatus: Upgraded to focal on 2020-08-31 (575 days ago)
modified.conffile..etc.default.apport: [modified]
mtime.conffile..etc.default.apport: 2013-06-02T15:20:08.886312
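The report describes two fixed arrays of MAX_NUM_DEVICE_ID entries being filled with no capacity check, so once ALSA hands back more records than the arrays hold, writes spill from one array into the other and the cleanup loop frees the same pointers twice. The following is an added example, not code from mediastreamer2 or from the reporter, showing the two remedies the report mentions side by side: a bounded collector that refuses records once the fixed array is full (the minimal fix), and a growable list that enlarges itself as needed (the "proper fix"). DEMO_MAX_DEVICE_ID, sample_reports and every function name are hypothetical; the device strings are constructed, not real ALSA output.

```c
#define _POSIX_C_SOURCE 200809L   /* for strdup() */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical capacity, kept small so the "too many records" case is easy
 * to reach; the real code used MAX_NUM_DEVICE_ID = 100. */
#define DEMO_MAX_DEVICE_ID 4

/* Constructed sample of what an enumeration might return: several records
 * per physical device, more than the capacity above. Not real ALSA output. */
static const char *const sample_reports[] = {
    "hw:CARD=PCH,DEV=0",      "plughw:CARD=PCH,DEV=0",
    "hw:CARD=HDMI,DEV=3",     "plughw:CARD=HDMI,DEV=3",
    "hw:CARD=Speakers,DEV=0", "plughw:CARD=Speakers,DEV=0",
    "hw:CARD=Webcam,DEV=0",   "plughw:CARD=Webcam,DEV=0",
};
#define SAMPLE_COUNT (sizeof sample_reports / sizeof sample_reports[0])

/* Fix 1: keep the fixed-size array but never write past its capacity.
 * Records that do not fit are counted in *dropped instead of being written
 * beyond out[] (in the original that spilled into the neighbouring array,
 * and freeing both arrays then freed the same pointers twice).
 * Returns the number of records stored; the caller frees them. */
static size_t collect_bounded(char *out[DEMO_MAX_DEVICE_ID],
                              const char *const *reports, size_t n,
                              size_t *dropped)
{
    size_t stored = 0;
    *dropped = 0;
    for (size_t i = 0; i < n; i++) {
        if (stored == DEMO_MAX_DEVICE_ID) {
            (*dropped)++;
            continue;
        }
        char *copy = strdup(reports[i]);
        if (copy == NULL)
            break;                  /* out of memory: keep what we have */
        out[stored++] = copy;
    }
    return stored;
}

/* Fix 2: grow the array as needed, the "proper fix" the report mentions. */
typedef struct {
    char **names;
    size_t count;
    size_t capacity;
} name_list;

static int name_list_push(name_list *l, const char *name)
{
    if (l->count == l->capacity) {
        size_t new_cap = l->capacity ? l->capacity * 2 : 4;
        char **grown = realloc(l->names, new_cap * sizeof *grown);
        if (grown == NULL)
            return -1;
        l->names = grown;
        l->capacity = new_cap;
    }
    char *copy = strdup(name);
    if (copy == NULL)
        return -1;
    l->names[l->count++] = copy;
    return 0;
}

/* Frees each name exactly once and resets the list, so a second call on
 * the same list is a harmless no-op rather than a double free. */
static void name_list_free(name_list *l)
{
    for (size_t i = 0; i < l->count; i++)
        free(l->names[i]);
    free(l->names);
    l->names = NULL;
    l->count = l->capacity = 0;
}

/* Runs both strategies over the sample; returns the growable list's count
 * and reports the bounded collector's stored/dropped counts via pointers. */
static size_t run_demo(size_t *bounded_stored, size_t *bounded_dropped)
{
    char *fixed[DEMO_MAX_DEVICE_ID];
    *bounded_stored = collect_bounded(fixed, sample_reports, SAMPLE_COUNT,
                                      bounded_dropped);
    for (size_t i = 0; i < *bounded_stored; i++)
        free(fixed[i]);

    name_list list = {0};
    for (size_t i = 0; i < SAMPLE_COUNT; i++)
        if (name_list_push(&list, sample_reports[i]) != 0)
            break;
    size_t grown = list.count;
    name_list_free(&list);
    name_list_free(&list);          /* second call is safe */
    return grown;
}

int main(void)
{
    size_t stored, dropped;
    size_t grown = run_demo(&stored, &dropped);
    printf("bounded: stored %zu, dropped %zu; growable: stored %zu\n",
           stored, dropped, grown);
    return 0;
}
```

With eight constructed records and a capacity of four, the bounded collector stores four and drops four (a warning on stderr would be the natural addition at that point), while the growable list stores all eight; both clean up with every pointer freed exactly once, which is the property the original loop lost once the arrays overlapped.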
