Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 300042 - media-libs/xine-lib-1.1.17 glibc detected corrupted unsorted chunks
Summary: media-libs/xine-lib-1.1.17 glibc detected corrupted unsorted chunks
Status: RESOLVED TEST-REQUEST
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages (show other bugs)
Hardware: AMD64 Linux
: High major (vote)
Assignee: Gentoo Media-video project
URL: http://vestige.lmsal.com/TRACE/Public...
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2010-01-07 14:18 UTC by Hugo Mildenberger
Modified: 2012-01-28 04:51 UTC (History)
0 users

See Also:
Package list:
Runtime testing required: ---


Attachments
glibc debug output (dragon.glibc-detected-free:corrupted-unsorted-chunks.log,8.68 KB, text/plain)
2010-01-07 14:19 UTC, Hugo Mildenberger
Details
valgrind log for dragon (dragon.valgrind.log,24.15 KB, text/plain)
2010-01-07 14:22 UTC, Hugo Mildenberger
Details
output of emerge --info =media-libs/xine-lib-1.1.17 (emerge--info-xine-lib.txt,4.67 KB, text/plain)
2010-01-07 14:29 UTC, Hugo Mildenberger
Details

Note You need to log in before you can comment on or make changes to this bug.
Description Hugo Mildenberger 2010-01-07 14:18:19 UTC
When using dragon or xine playing the video mentioned above in URL field, both programs get aborted in a similar way. 

$dragon --nocrashhandler T171_000828.avi
*** glibc detected *** dragon: free(): corrupted unsorted chunks: 0x00000fa3672f7780 ***
======= Backtrace: =========
/lib/libc.so.6(+0x72ec7)[0x6fbf04a30ec7]
/lib/libc.so.6(cfree+0x6c)[0x6fbf04a35cfc]
/usr/lib64/xine/plugins/1.27/xineplug_decode_ff.so(+0x4edb)[0x6fbefb8d7edb]
/usr/lib64/libxine.so.1(_x_free_video_decoder+0x2f)[0x6fbf0774164f]
/usr/lib64/libxine.so.1(+0x2182e)[0x6fbf0774782e]
/lib/libpthread.so.0(+0x74e7)[0x6fbf061384e7]
/lib/libc.so.6(clone+0x6d)[0x6fbf04a8fbfd]
 
(full glibc output will be attached)

valgrind has suspicious memory reads and writes, stemming from a probably dangling referenced passed to release_buffer in parameter av_frame:

Thread 7:
==3289== Invalid read of size 4
==3289==    at 0x133A8DC9: release_buffer (ff_video_decoder.c:241)
==3289==    by 0x133A8FAD: ff_dispose (ff_video_decoder.c:1657)
==3289==    by 0x611564E: _x_free_video_decoder (load_plugins.c:2011)
==3289==    by 0x611B82D: video_decoder_loop (video_decoder.c:151)
==3289==    by 0x773C4E6: start_thread (pthread_create.c:297)
==3289==    by 0x8E3ABFC: clone (clone.S:112)
==3289==  Address 0x10bd15b0 is 224 bytes inside a block of size 98,960 free'd
==3289==    at 0x4C259CF: free (vg_replace_malloc.c:325)
==3289==    by 0x13F5A55F: av_freep (mem.c:136)
==3289==    by 0x1361BE13: avcodec_close (utils.c:700)
==3289==    by 0x133A8F82: ff_dispose (ff_video_decoder.c:1649)
==3289==    by 0x611564E: _x_free_video_decoder (load_plugins.c:2011)
==3289==    by 0x611B82D: video_decoder_loop (video_decoder.c:151)
==3289==    by 0x773C4E6: start_thread (pthread_create.c:297)
==3289==    by 0x8E3ABFC: clone (clone.S:112)


and also some invalid write operations stemming from line 258-261:

238 static void release_buffer(struct AVCodecContext *context, AVFrame *av_frame){
 239   ff_video_decoder_t *this = (ff_video_decoder_t *)context->opaque;
 240
 241   if (av_frame->type == FF_BUFFER_TYPE_USER) {
 242     if ( av_frame->opaque ) {
 243       vo_frame_t *img = (vo_frame_t *)av_frame->opaque;
 244
 245       img->free(img);
 246     }
 247
 248     xine_list_iterator_t it;
 249
 250     it = xine_list_find(this->dr1_frames, av_frame);
 251     assert(it);
 252     if( it != NULL )
 253       xine_list_remove(this->dr1_frames, it);
 254   } else {
 255     avcodec_default_release_buffer(context, av_frame);
 256   }
 257
 258   av_frame->opaque = NULL;
 259   av_frame->data[0]= NULL;
 260   av_frame->data[1]= NULL;
 261   av_frame->data[2]= NULL;
 262 }
Comment 1 Hugo Mildenberger 2010-01-07 14:19:55 UTC
Created attachment 215548 [details]
glibc debug output
Comment 2 Hugo Mildenberger 2010-01-07 14:22:55 UTC
Created attachment 215550 [details]
valgrind log for dragon

I'm not attaching debug logs for xine, because the root of the problem is identical. This is from valgrind log for xine:

==3263== Thread 8:
==3263== Invalid read of size 4
==3263==    at 0xC363DC9: release_buffer (ff_video_decoder.c:241)
==3263==    by 0xC363FAD: ff_dispose (ff_video_decoder.c:1657)
==3263==    by 0x4E4764E: _x_free_video_decoder (load_plugins.c:2011)
==3263==    by 0x4E4D82D: video_decoder_loop (video_decoder.c:151)
==3263==    by 0x6CF54E6: start_thread (pthread_create.c:297)
==3263==  Address 0x15e63630 is 224 bytes inside a block of size 98,960 free'd
==3263==    at 0x4C259CF: free (vg_replace_malloc.c:325)
==3263==    by 0xCF1555F: av_freep (mem.c:136)
==3263==    by 0xC5D6E13: avcodec_close (utils.c:700)
==3263==    by 0xC363F82: ff_dispose (ff_video_decoder.c:1649)
==3263==    by 0x4E4764E: _x_free_video_decoder (load_plugins.c:2011)
==3263==    by 0x4E4D82D: video_decoder_loop (video_decoder.c:151)
==3263==    by 0x6CF54E6: start_thread (pthread_create.c:297)
Comment 3 Hugo Mildenberger 2010-01-07 14:29:55 UTC
Created attachment 215552 [details]
output of emerge --info =media-libs/xine-lib-1.1.17
Comment 4 Samuli Suominen (RETIRED) gentoo-dev 2010-02-24 21:36:16 UTC
Try 1.1.18 and take this to upstream: http://bugs.xine-project.org/
Comment 5 Hugo Mildenberger 2010-02-25 10:59:58 UTC
(In reply to comment #4)
> Try 1.1.18 and take this to upstream: http://bugs.xine-project.org/

Version 1.1.18 has the same problems, only line numbers have changed. 
Comment 6 Samuli Suominen (RETIRED) gentoo-dev 2012-01-28 04:51:24 UTC
Try xine-lib-1.2.0 and reopen if this is still a problem.