[PATCH] libucil - SIGSEGV within ucil_theora_encode_thread()

Bug #588662 reported by Kamil Dudka
Affects: unicap; Status: Fix Released; Importance: Undecided; Assigned to: Unassigned; Milestone: (blank)

Bug Description

(gdb) bt full
#0 0x010045b6 in memcpy () from /lib/libc.so.6
No symbol table info available.
#1 0xb3849378 in ?? ()
No symbol table info available.
#2 0x00c593e1 in oc_img_plane_copy_pad (_dst=<value optimized out>,
_src=<value optimized out>, _pic_x=<value optimized out>, _pic_y=<value
optimized out>,
    _pic_width=<value optimized out>, _pic_height=<value optimized out>) at
/usr/include/bits/string3.h:52
        dst_data = 0xb3849378 ""
        src = <value optimized out>
        sstride = -640
        x = <value optimized out>
        dst = <value optimized out>
        dstride = 131573075
        frame_width = <value optimized out>
        frame_height = 480
        y = <value optimized out>
#3 0x00c5b8c7 in th_encode_ycbcr_in (_enc=<value optimized out>, _img=<value
optimized out>) at encode.c:1514
        img = {{width = 640, height = 480, stride = -640, data = 0x4ad80
<Address 0x4ad80 out of bounds>}, {width = 320, height = 240, stride = -320,
            data = 0x5dac0 <Address 0x5dac0 out of bounds>}, {width = 320,
height = 240, stride = -320, data = 0x706c0 <Address 0x706c0 out of bounds>}}
        cpic_width = 480
        cpic_height = <value optimized out>
        hdec = 1
        vdec = 1
        pli = <value optimized out>
        refi = <value optimized out>
        drop = <value optimized out>
#4 0x00c5873c in theora_encode_YUVin (_te=<value optimized out>, _yuv=<value
optimized out>) at encapiwrapper.c:96
        api = 0x8303018
        buf = {{width = 640, height = 480, stride = 640, data = 0x0}, {width =
320, height = 240, stride = 320, data = 0x4b000 <Address 0x4b000 out of
bounds>}, {
            width = 320, height = 240, stride = 320, data = 0x5dc00 <Address
0x5dc00 out of bounds>}}
        ret = <value optimized out>
#5 0x00121235 in ucil_theora_encode_thread (vobj=0x825fa98) at
ucil_theora.c:725
        last_data_buffer = 0xb2f6c008
        streampos = 0.13198499999999999
        streamtime = {tv_sec = 0, tv_usec = 131985}
        data_buffer = 0x8353928
        og = {header = 0x676ff4 "\264n\001", header_len = 10489856, body =
0x10634c6 "\211\323=\001\360\377\377s\001\303\350\023\067\004", body_len =
6705680}
        yuv = {y_width = 640, y_height = 480, y_stride = 640, uv_width = 320,
uv_height = 240, uv_stride = 320, y = 0x0,
          u = 0x4b000 <Address 0x4b000 out of bounds>, v = 0x5dc00 <Address
0x5dc00 out of bounds>}
        videopos = 0.033333000000000002
        audiopos = 0.15385487528344674
        gotpage = 0
        ds_y_buffer = 0x0
        ds_u_buffer = 0x0
        ds_v_buffer = 0x0
#6 0x00665ab5 in start_thread () from /lib/libpthread.so.0
No symbol table info available.
#7 0x01066dae in clone () from /lib/libc.so.6

Original bug report:
https://bugzilla.redhat.com/595863

Kamil Dudka (kdudka) wrote :

Arne Caspari (arne-datafloater) wrote :

Committed fix in r61

Changed in unicap:
status: New → Fix Committed
Kamil Dudka (kdudka) wrote :

It looks like the fix committed in r61 was incomplete, here is my tiny amendment:

https://bugzilla.redhat.com/show_bug.cgi?id=627161#c2

Thanks in advance for considering the patch!

Changed in unicap:
status: Fix Committed → In Progress
Arne Caspari (arne-datafloater) wrote :

Unless I am missing something, this new patch does not fix anything that is not already fixed in the Launchpad repository?!?!

As far as I can tell, the patch for this issue in r61 is complete.

Changed in unicap:
status: In Progress → Fix Committed
Kamil Dudka (kdudka) wrote :

Sorry for the noise. You're right. The fix is already there, though it wasn't in my original patch. It comes from r30:

revno: 30
committer: Arne Caspari
branch nick: trunk
timestamp: Thu 2010-04-29 15:33:39 +0200
message:
  fixed crash when closing an OGG video file

Nevertheless, may I ask why the explicit casts are still there?

last_data_buffer = (unicap_data_buffer_t *)vobj->last_frame;

The safer way is IMO:

last_data_buffer = vobj->last_frame;

... as there is no cast really necessary unless I am missing something.

If you hadn't had the casts there, the _compiler_ would have told you about the mistake (not the debugger).

Changed in unicap:
status: Fix Committed → Fix Released
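The two points above, as an added C example that is not unicap's or libtheora's own code: a last_frame field declared with its real pointer type, so the assignment needs no cast and a wrong type is caught at compile time, and a plane-mapping check that refuses a buffer with no data (the y == 0x0 state in the backtrace) before anything is handed to the encoder. yuv_frame_t, frame_buffer_t, encoder_obj_t and the I420 layout are constructed stand-ins, not the projects' real definitions.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed stand-ins for libtheora's yuv_buffer and unicap_data_buffer_t;
 * field names follow the backtrace, only the members needed here are kept. */
typedef struct {
    int y_width, y_height, y_stride, uv_width, uv_height, uv_stride;
    uint8_t *y, *u, *v;
} yuv_frame_t;
typedef struct { uint8_t *data; size_t buffer_size; } frame_buffer_t;

/* Hypothetical encoder object. last_frame has its real pointer type, so
 * "last_data_buffer = vobj->last_frame;" needs no cast; were the field some
 * other pointer type, the uncast assignment draws a compiler diagnostic that
 * "(frame_buffer_t *)vobj->last_frame" would silence. */
typedef struct { frame_buffer_t *last_frame; } encoder_obj_t;

frame_buffer_t *take_last_frame(encoder_obj_t *vobj) { return vobj->last_frame; }

/* Map an I420 buffer onto Y/U/V planes. Returns 0 when the buffer is absent or
 * too small, so a frame with y == NULL never reaches the encoder's memcpy. */
int yuv_frame_from_buffer(const frame_buffer_t *buf, int width, int height,
                          yuv_frame_t *out)
{
    if (buf == NULL || buf->data == NULL || width <= 0 || height <= 0) return 0;
    size_t y_size = (size_t)width * (size_t)height;
    int uv_w = (width + 1) / 2, uv_h = (height + 1) / 2;   /* 4:2:0 chroma */
    size_t uv_size = (size_t)uv_w * (size_t)uv_h;
    if (buf->buffer_size < y_size + 2 * uv_size) return 0;  /* truncated buffer */
    out->y_width = width;  out->y_height = height;  out->y_stride = width;
    out->uv_width = uv_w;  out->uv_height = uv_h;   out->uv_stride = uv_w;
    out->y = buf->data;
    out->u = buf->data + y_size;
    out->v = buf->data + y_size + uv_size;
    return 1;
}

static uint8_t sample_data[640 * 480 * 3 / 2];   /* constructed 640x480 I420 frame */

/* Returns 1 when a complete buffer maps to planes at the expected offsets. */
int demo_complete_frame(void)
{
    frame_buffer_t fb = { sample_data, sizeof sample_data };
    encoder_obj_t vobj = { &fb };
    yuv_frame_t f;
    return yuv_frame_from_buffer(take_last_frame(&vobj), 640, 480, &f)
        && f.u == sample_data + 640 * 480 && f.v == f.u + 320 * 240;
}
```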