crash when parsing gstreamer null tags

Bug #1028887 reported by Harald Sitter on 2012-07-25
This bug affects 4 people
Affects / Status / Importance / Assigned to / Milestone
  Phonon: Fix Released, High
  phonon-backend-gstreamer (Ubuntu): Undecided, Unassigned
  phonon-backend-gstreamer (Ubuntu Precise): Undecided, Harald Sitter

Bug Description

SRU
-----

[Impact]
Every Phonon enabled application that uses subtitles (namely most KDE video players) can crash when gstreamer returns a null ptr as cstring. This is addressed by simply checking for null.

[Test Case]
* Try to play http://meta.metaebene.me/media/raumzeit/rz040-goce.m4a in dragon player
* Observe dragon crashing

[Regression Potential]
* none

------

The Phonon GStreamer subtitle code crashes when gstreamer returns null ptrs to tag queries where phonon expects a valid string.


Application: dragon (2.0)
KDE Platform Version: 4.7.3 (4.7.3)
Qt Version: 4.8.0
Operating System: Linux 3.1.2-1.fc16.i686.PAE i686
Distribution (Platform): Fedora RPMs

-- Information about the crash:
I had just finished creating a copy of a promotional DVD from The Athlete's Foot using K3b. I reinserted the DVD and opened it with a Video Player (Dragon Player). It displayed the title page but when I clicked on the button to play, Dragon Player crashed.

-- Backtrace:
Application: Dragon Player (dragon), signal: Segmentation fault
Using host libthread_db library "/lib/libthread_db.so.1".
[Current thread is 1 (Thread 0xb7727780 (LWP 21410))]

Thread 14 (Thread 0xb2833b40 (LWP 21413)):
#0 0x00ed9424 in __kernel_vsyscall ()
#1 0x4a2f884c in pthread_cond_wait@@GLIBC_2.3.2 () at ../nptl/sysdeps/unix/sysv/linux/i386/i486/pthread_cond_wait.S:172
#2 0x4dc3fa65 in gst_task_func (task=0x902a860) at gsttask.c:303
#3 0x4dc40a19 in default_func (tdata=0x9007220, pool=0x8b5a008) at gsttaskpool.c:70
#4 0x4a40a34f in g_thread_pool_thread_proxy (data=0x8b59e88) at gthreadpool.c:319
#5 0x4a407ed5 in g_thread_create_proxy (data=0x90168f8) at gthread.c:1962
#6 0x4a2f4cd3 in start_thread (arg=0xb2833b40) at pthread_create.c:309
#7 0x4a22b51e in clone () at ../sysdeps/unix/sysv/linux/i386/clone.S:133

Thread 13 (Thread 0xb1f4cb40 (LWP 21414)):
#0 0x00ed9424 in __kernel_vsyscall ()
#1 0x4a2f884c in pthread_cond_wait@@GLIBC_2.3.2 () at ../nptl/sysdeps/unix/sysv/linux/i386/i486/pthread_cond_wait.S:172
#2 0x4dc3fa65 in gst_task_func (task=0x902a8e8) at gsttask.c:303
#3 0x4dc40a19 in default_func (tdata=0x9007218, pool=0x8b5a008) at gsttaskpool.c:70
#4 0x4a40a34f in g_thread_pool_thread_proxy (data=0x8b59e88) at gthreadpool.c:319
#5 0x4a407ed5 in g_thread_create_proxy (data=0x90151f0) at gthread.c:1962
#6 0x4a2f4cd3 in start_thread (arg=0xb1f4cb40) at pthread_create.c:309
#7 0x4a22b51e in clone () at ../sysdeps/unix/sysv/linux/i386/clone.S:133

Thread 12 (Thread 0xb14d4b40 (LWP 21415)):
#0 __pthread_mutex_lock (mutex=0xb0b004e4) at pthread_mutex_lock.c:129
#1 0x4a3df478 in g_main_context_release (context=0xb0b004e0) at gmain.c:2550
#2 0x4a3e0c76 in g_main_context_iterate (context=0xb0b004e0, block=1245640608, dispatch=1, self=0xb0b00d70) at gmain.c:3076
#3 0x4a3e0faf in g_main_context_iteration (context=0xb0b004e0, may_block=1) at gmain.c:3136
#4 0x4b1761c7 in QEventDispatcherGlib::processEvents (this=0xb0b00468, flags=...) at kernel/qeventdispatcher_glib.cpp:426
#5 0x4b1423ae in QEventLoop::processEvents (this=0xb14d4200, flags=...) at kernel/qeventloop.cpp:149
#6 0x4b142659 in QEventLoop::exec (this=0xb14d4200, flags=...) at kernel/qeventloop.cpp:204
#7 0x4b02c03c in QThread::exec (this=0x9015a38) at thread/qthread.cpp:501
#8 0x4b11f33e in QInotifyFileSystemWatcherEngine::run (this=0x9015a38) at io/qfilesystemwatcher_inotify.cpp:248
#9 0x4b02f5c1 in QThreadPrivate::start (arg=0x9015a38) at thread/qthread_unix.cpp:298
#10 0x4a2f4cd3 in start_thread (arg=0xb14d4b40) at pthread_create.c:309
#11 0x4a22b51e in clone () at ../sysdeps/unix/sysv/linux/i386/clone.S:133

Thread 11 (Thread 0xb0affb40 (LWP 21416)):
#0 0x00ed9424 in __kernel_vsyscall ()...

The problem is with the Phonon-backend-gstreamer, reassigning.

*** Bug 294824 has been marked as a duplicate of this bug. ***

Confirmed by duplicate. Can somebody please also confirm this with the 4.6 final version?

*** Bug 295658 has been marked as a duplicate of this bug. ***

Git commit d5023e1da8ffae1a8e8a6bdf7fd54004c5ab0b7f by Harald Sitter.
Committed on 28/03/2012 at 04:21.
Pushed by sitter into branch 'master'.

Fix QString crash from using null char*

A tag can *always* be empty, that applies to subtitles too.
Now if a subtitle language tag were empty it would crash QString.
Instead we check if it is null and if so simply say it is "Unknown".
Not the best of things, but if gstreamer fails to provide the language
code I do not see how we could possibly get a sensible name here.
I'd encourage checking back with the reporter of the bug this fixes
on whether other players (most notably VLC) display something specific
for the subtitles (I can totally imagine them having arbitrary names,
for which there surely is a way to access via GST).

Please verify this fixes the issue, as I fail to reproduce it.

Also...
DO NOT EVER USE UNTRANSLATED STRINGS IN POSSIBLY USER VISIBLE STUFF!

Incidentally enough we no longer compose "Subtitle n - [lang]" as name but
simply use the ISO lang code from GST for reasons of simplicity and
actually that is the expected value of the name as number etc. are
forced upon the world by the model we use for the public API.

CCMAIL: <email address hidden>
FIXED-IN: 4.6.1

M +14 -11 gstreamer/mediaobject.cpp

http://commits.kde.org/phonon-gstreamer/d5023e1da8ffae1a8e8a6bdf7fd54004c5ab0b7f

Git commit bcbae48807480c99b16d4a55382343a1cb7a88c1 by Harald Sitter.
Committed on 28/03/2012 at 04:21.
Pushed by sitter into branch '4.6'.

Fix QString crash from using null char*

A tag can *always* be empty, that applies to subtitles too.
Now if a subtitle language tag were empty it would crash QString.
Instead we check if it is null and if so simply say it is "Unknown".
Not the best of things, but if gstreamer fails to provide the language
code I do not see how we could possibly get a sensible name here.
I'd encourage checking back with the reporter of the bug this fixes
on whether other players (most notably VLC) display something specific
for the subtitles (I can totally imagine them having arbitrary names,
for which there surely is a way to access via GST).

Please verify this fixes the issue, as I fail to reproduce it.

Also...
DO NOT EVER USE UNTRANSLATED STRINGS IN POSSIBLY USER VISIBLE STUFF!

Incidentally enough we no longer compose "Subtitle n - [lang]" as name but
simply use the ISO lang code from GST for reasons of simplicity and
actually that is the expected value of the name as number etc. are
forced upon the world by the model we use for the public API.

CCMAIL: <email address hidden>
FIXED-IN: 4.6.1

M +14 -11 gstreamer/mediaobject.cpp

http://commits.kde.org/phonon-gstreamer/bcbae48807480c99b16d4a55382343a1cb7a88c1
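The two commits above describe the fix in words only (check the char* for null, fall back to "Unknown"). The following C++ is an added example, not code from phonon-gstreamer or from this report, that models the vulnerable and the hardened shape of that subtitle-name lookup side by side. `TagList`, `make_tags`, `tag_list_get_string`, `miss_leaves_pointer_untouched`, `subtitle_name_unsafe` and `subtitle_name_safe` are constructed stand-ins; the mock query follows the documented gst_tag_list_get_string() contract of returning FALSE and leaving the out-parameter untouched when the tag is absent. That contract is the practitioner's caveat here: a null check only helps if the pointer was initialised to null before the query, which is consistent with the reduced backtraces elsewhere in this report showing non-null garbage (`str=0x4`, `str=0x3b000002`) rather than a clean null pointer.

```cpp
#include <cstdlib>
#include <cstring>
#include <iostream>
#include <map>
#include <string>

// Constructed stand-in for a GStreamer GstTagList: tag name -> value.
struct TagList {
    std::map<std::string, std::string> tags;
};

// Build a constructed tag list; pass nullptr to model a subtitle track
// that carries no "language-code" tag at all.
TagList make_tags(const char *language_code) {
    TagList list;
    if (language_code != nullptr)
        list.tags["language-code"] = language_code;
    return list;
}

// Hypothetical stand-in for gst_tag_list_get_string(): on a hit it returns
// true and stores a newly malloc()ed copy in *value; on a miss it returns
// false and does not touch *value. That mirrors GStreamer's documented
// contract and is what makes the caller's own initialisation decisive.
bool tag_list_get_string(const TagList &list, const char *tag, char **value) {
    std::map<std::string, std::string>::const_iterator it = list.tags.find(tag);
    if (it == list.tags.end())
        return false;
    char *copy = static_cast<char *>(std::malloc(it->second.size() + 1));
    std::memcpy(copy, it->second.c_str(), it->second.size() + 1);
    *value = copy;
    return true;
}

// Returns true if a failed query left a caller-supplied sentinel pointer
// exactly as it was, i.e. the out-parameter is not cleared on a miss.
bool miss_leaves_pointer_untouched() {
    char sentinel_storage = 'x';
    char *sentinel = &sentinel_storage;
    char *value = sentinel;
    const bool hit = tag_list_get_string(make_tags(nullptr), "language-code", &value);
    return !hit && value == sentinel;
}

// "Before" shape: uninitialised pointer, query result ignored, pointer
// passed straight to a string constructor. On a tag miss this reads
// whatever happened to be on the stack. Shown for contrast; never called.
std::string subtitle_name_unsafe(const TagList &list) {
    char *lang;                                      // uninitialised
    tag_list_get_string(list, "language-code", &lang);
    std::string name(lang);                          // crashes on garbage
    std::free(lang);
    return name;
}

// Hardened shape: initialise to nullptr, honour the return value, reject a
// null or empty string, and fall back to a placeholder name.
std::string subtitle_name_safe(const TagList &list) {
    char *lang = nullptr;
    const bool hit = tag_list_get_string(list, "language-code", &lang);
    if (!hit || lang == nullptr || *lang == '\0') {
        std::free(lang);                             // no-op for nullptr
        return "Unknown";
    }
    std::string name(lang);
    std::free(lang);
    return name;
}

int main() {
    std::cout << subtitle_name_safe(make_tags("de")) << '\n';                 // de
    std::cout << subtitle_name_safe(make_tags(nullptr)) << '\n';              // Unknown
    std::cout << subtitle_name_safe(make_tags("")) << '\n';                   // Unknown
    std::cout << std::boolalpha << miss_leaves_pointer_untouched() << '\n';  // true
    return 0;
}
```

The hardened function treats three outcomes the same way (query failed, pointer still null, empty string) because none of them yields a name worth showing; in the real backend the placeholder should additionally be a translated string, which is the commit's own closing point.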

*** Bug 298563 has been marked as a duplicate of this bug. ***

*** Bug 298930 has been marked as a duplicate of this bug. ***

*** Bug 299947 has been marked as a duplicate of this bug. ***

*** Bug 301321 has been marked as a duplicate of this bug. ***

*** Bug 301545 has been marked as a duplicate of this bug. ***

Created attachment 72069
New crash information added by DrKonqi

amarok (2.5-GIT) on KDE Platform 4.8.3 (4.8.3) using Qt 4.8.2

- What I was doing when the application crashed:

I listened to a song and decided to skip to the next, so I pressed my global hotkey for that and then Amarok crashed.

I've compiled Amarok from GIT (37016b122ea715f7e132240a966419a4f3dd5772) on Fedora 16 x86_64 KDE 4.8.3.

-- Backtrace (Reduced):
#6 0x0000003ebd6c7a00 in QString::fromAscii_helper(char const*, int) () from /usr/lib64/libQtCore.so.4
#7 0x00007faf955dac59 in QString (ch=<optimized out>, this=0x7fff08614ba0) at /usr/include/QtCore/qstring.h:419
#8 Phonon::Gstreamer::MediaObject::getSubtitleInfo (this=0x15288f0, stream=<optimized out>) at /usr/src/debug/phonon-backend-gstreamer-4.6.0/gstreamer/mediaobject.cpp:403
#9 0x00007faf955daf14 in qt_static_metacall (_a=0x7faef400c660, _id=22, _o=0x15288f0, _c=<optimized out>) at /usr/src/debug/phonon-backend-gstreamer-4.6.0/x86_64-redhat-linux-gnu/gstreamer/moc_mediaobject.cpp:135
#10 Phonon::Gstreamer::MediaObject::qt_static_metacall (_o=0x15288f0, _c=<optimized out>, _id=22, _a=0x7faef400c660) at /usr/src/debug/phonon-backend-gstreamer-4.6.0/x86_64-redhat-linux-gnu/gstreamer/moc_mediaobject.cpp:107

Hm, KDE's bug reporting tool seems to be buggy. First it had problems posting my bug report, now it is here 3 times.

Created attachment 72072
New crash information added by DrKonqi

amarok (2.5-GIT) on KDE Platform 4.8.3 (4.8.3) using Qt 4.8.2

- What I was doing when the application crashed:

Ok, this crash is happening reproducible for that one file every time I try to play it. It's a m4a file:
http://meta.metaebene.me/media/raumzeit/rz040-goce.m4a
http://raumzeit-podcast.de/2012/06/22/rz040-goce/

-- Backtrace (Reduced):
#6 0x0000003ebd6c7a00 in QString::fromAscii_helper(char const*, int) () from /usr/lib64/libQtCore.so.4
#7 0x00007fc23e32ec59 in QString (ch=<optimized out>, this=0x7fffb42c34a0) at /usr/include/QtCore/qstring.h:419
#8 Phonon::Gstreamer::MediaObject::getSubtitleInfo (this=0x19bdae0, stream=<optimized out>) at /usr/src/debug/phonon-backend-gstreamer-4.6.0/gstreamer/mediaobject.cpp:403
#9 0x00007fc23e32ef14 in qt_static_metacall (_a=0x7fc1b4011b10, _id=22, _o=0x19bdae0, _c=<optimized out>) at /usr/src/debug/phonon-backend-gstreamer-4.6.0/x86_64-redhat-linux-gnu/gstreamer/moc_mediaobject.cpp:135
#10 Phonon::Gstreamer::MediaObject::qt_static_metacall (_o=0x19bdae0, _c=<optimized out>, _id=22, _a=0x7fc1b4011b10) at /usr/src/debug/phonon-backend-gstreamer-4.6.0/x86_64-redhat-linux-gnu/gstreamer/moc_mediaobject.cpp:107

Created attachment 72136
New crash information added by DrKonqi

dragon (2.0) on KDE Platform 4.8.3 (4.8.3) using Qt 4.8.1

- What I was doing when the application crashed:

Trying to watch a DVD Video. Crash after clicking "Start movie"

-- Backtrace (Reduced):
#7 QString::fromLatin1_helper (str=0x3b000002 <Address 0x3b000002 out of bounds>, size=-1) at tools/qstring.cpp:3821
#8 0x01b14c6c in QString::fromAscii_helper (str=0x3b000002 <Address 0x3b000002 out of bounds>, size=-1) at tools/qstring.cpp:3887
#9 0x06454406 in QString (ch=<optimized out>, this=0xbfef67a4) at /usr/include/qt4/QtCore/qstring.h:419
#10 Phonon::Gstreamer::MediaObject::getSubtitleInfo (this=0xa0ec0a8, stream=0) at ../../gstreamer/mediaobject.cpp:403
#11 0x06454706 in qt_static_metacall (_a=0xaf730668, _id=22, _o=0xa0ec0a8, _c=<optimized out>) at ./moc_mediaobject.cpp:135

Created attachment 72435
New crash information added by DrKonqi

amarok (2.5-GIT) on KDE Platform 4.8.4 (4.8.4) using Qt 4.8.2

- What I was doing when the application crashed:

I started Amarok and hit play on a previously downloaded podcast (big mp3 file) that was already in the playlist.

-- Backtrace (Reduced):
#6 0x0000003ebd6c7a00 in QString::fromAscii_helper(char const*, int) () from /usr/lib64/libQtCore.so.4
#7 0x00007f91487d8c59 in QString (ch=<optimized out>, this=0x7fffa801d340) at /usr/include/QtCore/qstring.h:419
#8 Phonon::Gstreamer::MediaObject::getSubtitleInfo (this=0x20ecfc0, stream=<optimized out>) at /usr/src/debug/phonon-backend-gstreamer-4.6.0/gstreamer/mediaobject.cpp:403
#9 0x00007f91487d8f14 in qt_static_metacall (_a=0x7f90c0010d30, _id=22, _o=0x20ecfc0, _c=<optimized out>) at /usr/src/debug/phonon-backend-gstreamer-4.6.0/x86_64-redhat-linux-gnu/gstreamer/moc_mediaobject.cpp:135
#10 Phonon::Gstreamer::MediaObject::qt_static_metacall (_o=0x20ecfc0, _c=<optimized out>, _id=22, _a=0x7f90c0010d30) at /usr/src/debug/phonon-backend-gstreamer-4.6.0/x86_64-redhat-linux-gnu/gstreamer/moc_mediaobject.cpp:107

Harald Sitter (apachelogger) wrote :
Changed in phonon-backend-gstreamer (Ubuntu Precise):
assignee: nobody → Harald Sitter (apachelogger)
Changed in phonon:
importance: Unknown → High
status: Unknown → Fix Released

*** Bug 304071 has been marked as a duplicate of this bug. ***

Hello Harald, or anyone else affected,

Accepted into precise-proposed. The package will build now and be available in a few hours in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please change the bug tag from verification-needed to verification-done. If it does not, change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in phonon-backend-gstreamer (Ubuntu Precise):
status: New → Fix Committed
tags: added: verification-needed

Created attachment 74221
New crash information added by DrKonqi

dragon (2.0) on KDE Platform 4.8.5 (4.8.5) using Qt 4.8.1

- What I was doing when the application crashed: Watching a Movie DVD. HBO *61 - released version. Approximately 2 minutes into movie, Dragon Player crashes / exits.

-- Backtrace (Reduced):
#7 QString::fromLatin1_helper (str=0x4 <Address 0x4 out of bounds>, size=-1) at tools/qstring.cpp:3821
#8 0x014eac6c in QString::fromAscii_helper (str=0x4 <Address 0x4 out of bounds>, size=-1) at tools/qstring.cpp:3887
[...]
#12 0x015c7c7b in QObject::event (this=0x81c44e8, e=0xb010e938) at kernel/qobject.cpp:1195
#13 0x07617ed4 in notify_helper (e=0xb010e938, receiver=0x81c44e8, this=0x8149440) at kernel/qapplication.cpp:4559
#14 QApplicationPrivate::notify_helper (this=0x8149440, receiver=0x81c44e8, e=0xb010e938) at kernel/qapplication.cpp:4531

Harald Sitter (apachelogger) wrote :

Outlined test case works.

tags: added: verification-done
removed: verification-needed

The verification of this Stable Release Update has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package phonon-backend-gstreamer - 4:4.7.0really4.6.2-0ubuntu0.1

---------------
phonon-backend-gstreamer (4:4.7.0really4.6.2-0ubuntu0.1) precise-proposed; urgency=low

  * SRU update (LP: #1028903)
    - Fix deadlock in aboutToFinish (LP: #1005262)
    - Fix crash on null pointer (LP: #1028887)
    - Fix metadata emission for http urls (LP: #1028890)
    - Fix memleaks (LP: #1028895)
    - Fix streamreader/AbstractMediaStream implementation (LP: #1028901)
 -- Harald Sitter <email address hidden> Wed, 25 Jul 2012 15:04:21 +0200

Changed in phonon-backend-gstreamer (Ubuntu Precise):
status: Fix Committed → Fix Released