Description of problem:
After the lib64mad0-0.15.1b-17.2.mga5.x86_64.rpm update, selecting any IPTV channel stream from my playlist crashes VLC player. It looks like the crash happens inside the demuxer plugin (see gdb output). Downgrading to lib64mad0-0.15.1b-16.1.mga5.x86_64.rpm fixes the problem.

Version-Release number of selected component (if applicable):
lib64mad0-0.15.1b-17.2.mga5.x86_64.rpm
vlc-plugin-common-2.2.4-1.mga5.x86_64.rpm

How reproducible:
Always

Steps to Reproduce:
1. Open a playlist with IPTV streams.
2. Select another/next stream.
Created attachment 8058 [details] gdb where
Correction:
Version-Release number of selected component (if applicable):
lib64mad0-0.15.1b-17.2.mga5.x86_64.rpm
vlc-plugin-common-2.2.1-1.1.mga5.tainted.x86_64.rpm
It's a maddening package :-( Assigning to all packagers collectively, since there is no maintainer for mad.
CC: (none) => marja11, shlomif
Now really assigning
Assignee: bugsquad => pkg-bugs
Just one extra snippet of information. The message before the backtrace is:-
*** Error in `vlc': double free or corruption (fasttop): 0x00007f6c18c4f2b0 ***
CC: (none) => deri
The same problem occurs when the playlist is dvb-t channels using a usb dvb-t stick.
Which version of libmad worked for you?
CC: (none) => lists.jjorge
For me? As already mentioned in initial post, downgrading to lib64mad0-0.15.1b-16.1.mga5.x86_64.rpm fixes the problem.
For me this command got vlc working again (as root):- urpmi --downgrade lib64mad0-0.15.1b-16.mga5.x86_64 (For a 64bit installation).
Here's the result of running the program under gdb:-

(gdb) l 68
63       * NAME:        stream->finish()
64       * DESCRIPTION: deallocate any dynamic memory associated with stream
65       */
66      void mad_stream_finish(struct mad_stream *stream)
67      {
68        if (stream->main_data) {
69          free(stream->main_data);
70          stream->main_data = 0;
71        }
72
73        mad_bit_w_len_finish(stream->l_anc_ptr);
74        mad_bit_w_len_finish(stream->l_ptr);
75        free(stream->l_ptr);
76        stream->l_ptr = NULL;
77        free(stream->l_anc_ptr);
78        stream->l_anc_ptr = NULL;
79      }
80
81      /*
82       * NAME:        stream->buffer()
(gdb) R
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /usr/bin/vlc channels.xspf
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".
VLC media player 2.2.4 Weatherwax (revision 2.2.3-37-g888b7e89)
[New Thread 0x7fffeebb0700 (LWP 13452)]
[New Thread 0x7ffff7f67700 (LWP 13453)]
[New Thread 0x7ffff2b07700 (LWP 13454)]
[New Thread 0x7fffecf28700 (LWP 13455)]
[0000000000605118] core libvlc: Running vlc with the default interface. Use 'cvlc' to use vlc without interface.
[New Thread 0x7fffe06c1700 (LWP 13457)]
[New Thread 0x7fffce163700 (LWP 13459)]
[Thread 0x7ffff2b07700 (LWP 13454) exited]
[New Thread 0x7fffc7df9700 (LWP 13460)]
[Thread 0x7fffce163700 (LWP 13459) exited]
[New Thread 0x7fffce163700 (LWP 13461)]
[New Thread 0x7ffff2b07700 (LWP 13462)]
[New Thread 0x7fffc232d700 (LWP 13463)]
[00000000006cafc8] core playlist: stopping playback
[New Thread 0x7fffc222c700 (LWP 13464)]
[New Thread 0x7fffc212b700 (LWP 13465)]
[Thread 0x7ffff2b07700 (LWP 13462) exited]
[New Thread 0x7ffff2b07700 (LWP 13466)]
[Thread 0x7fffc222c700 (LWP 13464) exited]
[Thread 0x7fffc232d700 (LWP 13463) exited]
[New Thread 0x7fffc232d700 (LWP 13476)]
[New Thread 0x7fffc222c700 (LWP 13477)]
[New Thread 0x7fffa8669700 (LWP 13478)]
[Thread 0x7fffc212b700 (LWP 13465) exited]
[Thread 0x7fffc232d700 (LWP 13476) exited]
[Thread 0x7fffc222c700 (LWP 13477) exited]
[Switching to Thread 0x7ffff2b07700 (LWP 13466)]

Breakpoint 1, mad_stream_finish (stream=stream@entry=0x7fff9c009cc0) at stream.c:67
67      {
(gdb) s
68        if (stream->main_data) {
(gdb)
75        free(stream->l_ptr);
(gdb)
77        free(stream->l_anc_ptr);
(gdb)
76        stream->l_ptr = NULL;
(gdb)
77        free(stream->l_anc_ptr);
(gdb) p *stream
$4 = {
  buffer = 0x7fff9c029dc0 "\377\374\304\f)\362\231UUwffffU43$\222I$\222I$",
  bufend = 0x7fff9c02a0c8 "X\252\034n\215\254a\270\064Z\n\023y\374\350\203+\314\034\222\373\265\245NC\032e205ptk6\254\277Q\\\004\201\325\vuZ\244i2Ú¼#K1\213",
  skiplen = 0,
  sync = 1,
  freerate = 0,
  this_frame = 0x7fff9c029dc0 "\377\374\304\f)\362\231UUwffffU43$\222I$\222I$",
  next_frame = 0x7fff9c02a0c0 "\377\374\304\f\236\344\211UX\252\034n\215\254a\270\064Z\n\023y\374\350\203+314\034\222\373\265\245NC\032e\205ptk6\254\277Q\\\004\201\325\vuZ\244i2Ú¼#K1\213",
  {
    ptr = {
      byte = 0x0,
      cache = 29920,
      left = 39936
    },
    l_ptr = 0x0
  },
  {
    anc_ptr = {
      byte = 0x7fff9c0051e0 "",
      cache = 20912,
      left = 41268
    },
    l_anc_ptr = 0x7fff9c0051e0
  },
  anc_bitlen = 2,
  main_data = 0x0,
  md_len = 0,
  options = 1,
  error = MAD_ERROR_NONE
}

I have no idea why line 77 is being executed twice (some compiler optimisation setting?), but at the point it is executed again it has already been set to NULL and vlc aborts.
I meant to say it has already been freed, it is nulled in line 78.
I have slightly changed the contrib patch which was causing the problem. The immediate problem was that l_ptr and l_anc_ptr contained the same value, because, although they are both malloced in stream.c, they can be set to the same value in two other files. So when they have been set to the same value the attempt to free l_anc_ptr fails. I tested by changing the code to this:-

void mad_stream_finish(struct mad_stream *stream)
{
  if (stream->main_data) {
    free(stream->main_data);
    stream->main_data = 0;
  }

  mad_bit_w_len_finish(stream->l_anc_ptr);
  mad_bit_w_len_finish(stream->l_ptr);
  free(stream->l_ptr);
  /* skip the second free() when both members point at the same block */
  if (stream->l_ptr != stream->l_anc_ptr)
    free(stream->l_anc_ptr);
  stream->l_anc_ptr = NULL;
  stream->l_ptr = NULL;
}

This fixed the crashing but not the potential memory leak.
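Added example, not code from this thread or from the libmad patch: a small C harness that replays the free order from the gdb listing and an alias-aware variant against a tracking allocator, so a double free is counted instead of aborting and the orphaned block shows up as a leak. `struct demo_stream`, the `tracked_*` helpers and the way the two members become aliased are assumptions made for the demonstration.

```c
#include <stdio.h>
#include <stdlib.h>
/* Constructed stand-in for the two owned pointers in struct mad_stream. */
struct demo_stream { void *l_ptr, *l_anc_ptr; };
#define MAX_LIVE 8
static void *live[MAX_LIVE];  /* blocks handed out and not yet released */
static int double_frees;      /* releases of a block that is not live */

static void *tracked_alloc(size_t n) {
  void *p = malloc(n);
  for (int i = 0; p && i < MAX_LIVE; i++)
    if (!live[i]) return live[i] = p;
  free(p); return NULL;       /* malloc failed or table full */
}

static void tracked_free(void *p) {
  if (!p) return;             /* free(NULL) is a no-op */
  for (int i = 0; i < MAX_LIVE; i++)
    if (live[i] == p) { live[i] = NULL; free(p); return; }
  double_frees++;             /* a real free() here is the glibc abort */
}

/* Same order of operations as lines 75-78 of the gdb listing. */
static void finish_original(struct demo_stream *s) {
  tracked_free(s->l_ptr);     s->l_ptr = NULL;
  tracked_free(s->l_anc_ptr); s->l_anc_ptr = NULL;
}
/* Resolve aliasing before anything is freed, then release each block once. */
static void finish_alias_safe(struct demo_stream *s) {
  void *a = s->l_ptr, *b = s->l_anc_ptr;
  s->l_ptr = s->l_anc_ptr = NULL;
  if (b == a) b = NULL;       /* one block behind both members */
  tracked_free(a); tracked_free(b);
}

/* Returns the double frees detected; *leaked receives blocks never released. */
int run_case(int aliased, int safe, int *leaked) {
  struct demo_stream s = { tracked_alloc(16), tracked_alloc(16) };
  double_frees = *leaked = 0;
  if (aliased) s.l_anc_ptr = s.l_ptr;  /* assumed: other code overwrote it */
  if (safe) finish_alias_safe(&s); else finish_original(&s);
  for (int i = 0; i < MAX_LIVE; i++)   /* count and reclaim orphans */
    if (live[i]) { (*leaked)++; free(live[i]); live[i] = NULL; }
  return double_frees;
}

int main(void) {
  int l0, l1, d0 = run_case(1, 0, &l0), d1 = run_case(1, 1, &l1);
  printf("original: %d double free, %d leaked; alias-safe: %d, %d\n", d0, l0, d1, l1);
  return 0;
}
```

In the aliased case both variants report one leaked block, which is the leak the comment above says remains after the crash is gone.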
Created attachment 8067 [details] Updated patch See Comment #12
(In reply to Deri James from comment #13)
> Created attachment 8067 [details]
> Updated patch
>
> See Comment #12

Now submitted this patch as part of mad-0.15.1b-17.3.mga5 in mageia 5 core/updates_testing. Please test: http://pkgsubmit.mageia.org/ .
Newly submitted lib64mad0-0.15.1b-17.3.mga5.x86_64.rpm fixed the problem for me.
Thanks everyone. Assigning to QA so we can get this released. Shlomi, could you provide an advisory for the update?
Assignee: pkg-bugs => qa-bugs
Whiteboard: (none) => MGA5-64-OK
(In reply to David Walser from comment #16)
> Thanks everyone. Assigning to QA so we can get this released.
>
> Shlomi, could you provide an advisory for the update?

Yes, I can. Stay tuned.
Here is the advisory:

Suggested advisory:
===================
Updated mad package fixes a double-free bug in the mageia version.

Alexander Krylov reported that VLC with the patched mad/libmad packages was partially broken. Further analysis indicated it was a double free bug which was fixed by Deri James.

References:
https://bugs.mageia.org/show_bug.cgi?id=18776
===================

Updated packages in {core}/updates_testing:
===================
lib64mad0-0.15.1b-17.3.mga5
lib64mad-devel-0.15.1b-17.3.mga5
mad-debuginfo-0.15.1b-17.3.mga5

Source RPMs:
mad-0.15.1b-17.3.mga5.src.rpm
Validating
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Whiteboard: MGA5-64-OK => advisory MGA5-64-OK
An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGAA-2016-0100.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED