[Ekiga-list] Segfault when theora is first codec in list.
Hi,

Sorry for the next bug report.
I receive a segfault when theora is the first entry in the list of available codecs.
Segfault happens when the connection is accepted.
This is between ekiga 3.0.2beta on WinXP and
ekiga-svn (it was the same with ekiga 3.0.1) on Linux.


GNU gdb 6.7.1
Copyright (C) 2007 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "i686-pc-linux-gnu"...
Using host libthread_db library "/lib/libthread_db.so.1".
(gdb) run
Starting program: /usr/bin/ekiga
[Thread debugging using libthread_db enabled]
[New Thread 0xb5f1f6d0 (LWP 14978)]
[New Thread 0xb521db90 (LWP 14984)]
[New Thread 0xb51dcb90 (LWP 14985)]
[New Thread 0xb519bb90 (LWP 14986)]
[New Thread 0xb515ab90 (LWP 14987)]
[New Thread 0xb5119b90 (LWP 14988)]
[New Thread 0xb50d8b90 (LWP 14989)]
[New Thread 0xb5097b90 (LWP 14990)]
[New Thread 0xb5056b90 (LWP 14991)]
[New Thread 0xb4effb90 (LWP 14992)]
[New Thread 0xb4ebeb90 (LWP 14993)]
[New Thread 0xb46bdb90 (LWP 15002)]
[New Thread 0xaf6fdb90 (LWP 15009)]
[Thread 0xaf6fdb90 (LWP 15009) exited]
[Thread 0xb4effb90 (LWP 14992) exited]
[Thread 0xb5097b90 (LWP 14990) exited]
[New Thread 0xb5097b90 (LWP 15011)]
[Thread 0xb5056b90 (LWP 14991) exited]
[New Thread 0xb5056b90 (LWP 15012)]
[New Thread 0xb4effb90 (LWP 15013)]
[Thread 0xb4effb90 (LWP 15013) exited]
[New Thread 0xb4effb90 (LWP 15014)]

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0xb4effb90 (LWP 15014)]
0xb6050cbc in memcpy () from /lib/libc.so.6
(gdb) thread apply all bt

Thread 17 (Thread 0xb4effb90 (LWP 15014)):
#0  0xb6050cbc in memcpy () from /lib/libc.so.6
#1  0xb5a0afe8 in theoraFrame::SetFromTableConfig () from /usr/lib/opal-3.5.2/codecs/video/theora_video_pwplugin.so
#2  0xb5a0d70e in theoraEncoderContext::theoraEncoderContext ()
   from /usr/lib/opal-3.5.2/codecs/video/theora_video_pwplugin.so
#3  0xb5a0d758 in create_encoder () from /usr/lib/opal-3.5.2/codecs/video/theora_video_pwplugin.so
#4  0xb7790a5a in OpalPluginTranscoder::OpalPluginTranscoder () from /usr/lib/libopal.so.3.5-beta2
#5  0xb7791314 in OpalPluginVideoTranscoder::OpalPluginVideoTranscoder () from /usr/lib/libopal.so.3.5-beta2
#6  0xb779bacc in OpalPluginTranscoderFactory<OpalPluginVideoTranscoder>::Worker::Create ()
   from /usr/lib/libopal.so.3.5-beta2
#7  0xb7494f38 in PFactory<OpalTranscoder, std::pair<PString, PString> >::WorkerBase::CreateInstance ()
   from /usr/lib/libopal.so.3.5-beta2
#8  0xb7496137 in PFactory<OpalTranscoder, std::pair<PString, PString> >::CreateInstance_Internal ()
   from /usr/lib/libopal.so.3.5-beta2
#9  0xb7496174 in PFactory<OpalTranscoder, std::pair<PString, PString> >::CreateInstance ()
   from /usr/lib/libopal.so.3.5-beta2
#10 0xb7494361 in OpalTranscoder::Create () from /usr/lib/libopal.so.3.5-beta2
#11 0xb7491a8f in OpalMediaPatch::AddSink () from /usr/lib/libopal.so.3.5-beta2
#12 0xb747de20 in OpalCall::OpenSourceMediaStreams () from /usr/lib/libopal.so.3.5-beta2
#13 0xb7745653 in SIPConnection::OnReceivedSDPMediaDescription () from /usr/lib/libopal.so.3.5-beta2
#14 0xb77423a5 in SIPConnection::OnReceivedSDP () from /usr/lib/libopal.so.3.5-beta2
#15 0xb7743b32 in SIPConnection::OnReceivedOK () from /usr/lib/libopal.so.3.5-beta2
#16 0xb774161e in SIPConnection::OnReceivedResponse () from /usr/lib/libopal.so.3.5-beta2
#17 0xb7756d80 in SIPTransaction::OnReceivedResponse () from /usr/lib/libopal.so.3.5-beta2
#18 0xb7759f44 in SIPInvite::OnReceivedResponse () from /usr/lib/libopal.so.3.5-beta2
#19 0xb7738ac3 in SIPEndPoint::SIP_PDU_Thread::Main () from /usr/lib/libopal.so.3.5-beta2
#20 0xb7037115 in PThread::PX_ThreadStart () from /usr/lib/libpt.so.2.5-beta2
#21 0xb6c1118b in start_thread () from /lib/libpthread.so.0
#22 0xb60a409e in clone () from /lib/libc.so.6

With a self-made trace message in 'opal/plugins/video/THEORA/theora_frame.cxx'
I get the following output with option -d 4:

stefan jarada ~ $ tail -n 20 xx6
2008/12/31 12:27:21.440   0:18.328        Aggregator:0xb4f3cb90 PVidInDev       G_PARM failed (preserving frame rate may not work) : Invalid argument
2008/12/31 12:27:21.440   0:18.328        Aggregator:0xb4f3cb90 PVidInDev       unable to reset frame rate.
2008/12/31 12:27:21.440   0:18.328        Aggregator:0xb4f3cb90 PVidDev Colour converter used from 320x240 [YUV420P] to 176x144 [YUV420P]
2008/12/31 12:27:22.341   0:19.229      AudioEvent...0xb5220b90 AEScheduler     Checking pending list with 1 elements
2008/12/31 12:27:22.341   0:19.229      AudioEvent...0xb5220b90 AEScheduler     Trying to load /usr/share/sounds/ekiga/dialtone.wav for event ring_tone_sound
2008/12/31 12:27:22.342   0:19.230      AudioEvent...0xb5220b90 AudioOutputCore Dropping sound event, primary device not set
2008/12/31 12:27:23.993   0:20.881        Aggregator:0xb4f3cb90 PVidDev SetColourFormatConverter success for native YUV420P
2008/12/31 12:27:23.994   0:20.882        Aggregator:0xb4f3cb90 OpalMan OnOpenMediaStream Call[g5c0bb3d61]-EP<pc>[1],OpalVideoMediaStream-Source-YUV420P
2008/12/31 12:27:23.994   0:20.882        Aggregator:0xb4f3cb90 OpalCon Opened source stream g5c0bb3d61_2 with format YUV420P
2008/12/31 12:27:23.994   0:20.882        Aggregator:0xb4f3cb90 Call    IsMediaBypassPossible Call[g5c0bb3d61]-EP<sip>[dc4443a5-9bd5-dd11-8e73-00138fd10815 jarada] session 2
2008/12/31 12:27:23.994   0:20.882        Aggregator:0xb4f3cb90 OpalMan IsMediaBypassPossible: session 2
2008/12/31 12:27:23.994   0:20.882        Aggregator:0xb4f3cb90 OpalCon IsMediaBypassPossible: default returns false
2008/12/31 12:27:23.994   0:20.882        Aggregator:0xb4f3cb90 RTP     Found existing media session 2
2008/12/31 12:27:23.995   0:20.883        Aggregator:0xb4f3cb90 OpalMan OnOpenMediaStream Call[g5c0bb3d61]-EP<sip>[dc4443a5-9bd5-dd11-8e73-00138fd10815 jarada],OpalRTPMediaStream-Sink-theora
2008/12/31 12:27:23.995   0:20.883        Aggregator:0xb4f3cb90 OpalCon Opened sink stream g5c0bb3d61_2 with format theora
2008/12/31 12:27:23.995   0:20.883        Aggregator:0xb4f3cb90 RateController  New paramaters: bitrate=1024000, window=500, frame time=3000(rate=30), max skipped frames=1
2008/12/31 12:27:23.995   0:20.883        Aggregator:0xb4f3cb90 Patch   Created Sink: format=theora
theora_frame.cxx(75)    THEORA  Encap   Got Header Packet from encoder that has len 148 != 42
SetFromTableConfig len = -1240923378 (0xb609030e)
h264helper_unix.cxx(72) H264    IPC     CP: Terminating

My change:

void theoraFrame::SetFromTableConfig (ogg_packet* tablePacket) {
  TRACE_UP(4, "THEORA\tEncap\tGot table packet with len " << tablePacket->bytes);
  // ogg_packet::bytes is a long, so print it with %ld / %lx
  fprintf(stderr, "SetFromTableConfig len = %ld (0x%08lx)\n",
          tablePacket->bytes, (unsigned long) tablePacket->bytes);
  // the length goes into memcpy without any check
  memcpy (_packedConfigData.ptr + THEORA_HEADER_PACKET_SIZE, tablePacket->packet, tablePacket->bytes);
..

As ogg_packet->bytes is of type long on my system, negative values of
bytes should be checked and rejected, as is done in ffmpeg (libavcodec/libtheoraenc.c).
Such values could be a source of stack overflows and other types of intrusion.

-- 
Stefan Lucke

