Bug 18776 - libmad update partially broke VLC functionality.
Summary: libmad update partially broke VLC functionality.
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: RPM Packages
Version: 5
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact:
URL:
Whiteboard: advisory MGA5-64-OK
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2016-06-23 15:31 CEST by Alexander Krylov
Modified: 2016-07-08 21:51 CEST (History)

See Also:
Source RPM: mad-0.15.1b-17.2.mga5.src.rpm
CVE:
Status comment:


Attachments
gdb where (2.76 KB, text/plain)
2016-06-23 15:31 CEST, Alexander Krylov
Updated patch (30.70 KB, patch)
2016-06-24 20:39 CEST, Deri James

Description Alexander Krylov 2016-06-23 15:31:01 CEST
Description of problem:
After lib64mad0-0.15.1b-17.2.mga5.x86_64.rpm update, selecting of any IPTV channel stream from my playlist crashes VLC player. Looks like crash happens inside demuxer plugin (see gdb output).
Downgrading to lib64mad0-0.15.1b-16.1.mga5.x86_64.rpm fixes the problem.


Version-Release number of selected component (if applicable):
lib64mad0-0.15.1b-17.2.mga5.x86_64.rpm
vlc-plugin-common-2.2.4-1.mga5.x86_64.rpm

How reproducible: Always

Steps to Reproduce:
1. Open a playlist with IPTV streams.
2. Select another/next stream.
Comment 1 Alexander Krylov 2016-06-23 15:31:44 CEST
Created attachment 8058 [details]
gdb where
Comment 2 Alexander Krylov 2016-06-23 15:34:34 CEST
Correction: 
Version-Release number of selected component (if applicable):
lib64mad0-0.15.1b-17.2.mga5.x86_64.rpm
vlc-plugin-common-2.2.1-1.1.mga5.tainted.x86_64.rpm
Comment 3 Marja Van Waes 2016-06-23 17:03:28 CEST
It's a maddening package :-(

Assigning to all packagers collectively, since there is no maintainer for mad.

CC: (none) => marja11, shlomif

Comment 4 Marja Van Waes 2016-06-23 17:18:11 CEST
Now really assigning

Assignee: bugsquad => pkg-bugs

Comment 5 Deri James 2016-06-23 19:01:51 CEST
Just one extra snippet of information. The message before the backtrace is:-

*** Error in `vlc': double free or corruption (fasttop): 0x00007f6c18c4f2b0 ***

CC: (none) => deri

Comment 6 Deri James 2016-06-23 19:07:22 CEST
The same problem occurs when the playlist is dvb-t channels using a usb dvb-t stick.
Comment 7 José Jorge 2016-06-23 21:53:00 CEST
Which version of libmad worked for you?

CC: (none) => lists.jjorge

Comment 8 Alexander Krylov 2016-06-23 22:47:42 CEST
For me?
As already mentioned in initial post, downgrading to lib64mad0-0.15.1b-16.1.mga5.x86_64.rpm fixes the problem.
Comment 9 Deri James 2016-06-23 23:46:12 CEST
For me this command got vlc working again (as root):-

urpmi --downgrade lib64mad0-0.15.1b-16.mga5.x86_64

(For a 64bit installation).
Comment 10 Deri James 2016-06-24 14:55:57 CEST
Here's the result of running the program under gdb:-

(gdb) l 68
63       * NAME:        stream->finish()
64       * DESCRIPTION: deallocate any dynamic memory associated with stream
65       */
66      void mad_stream_finish(struct mad_stream *stream)
67      {
68        if (stream->main_data) {
69          free(stream->main_data);
70          stream->main_data = 0;
71        }
72
73        mad_bit_w_len_finish(stream->l_anc_ptr);
74        mad_bit_w_len_finish(stream->l_ptr);
75        free(stream->l_ptr);
76        stream->l_ptr = NULL;
77        free(stream->l_anc_ptr);
78        stream->l_anc_ptr = NULL;
79      }
80
81      /*
82       * NAME:        stream->buffer()
(gdb) R
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /usr/bin/vlc channels.xspf
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".
VLC media player 2.2.4 Weatherwax (revision 2.2.3-37-g888b7e89)
[New Thread 0x7fffeebb0700 (LWP 13452)]
[New Thread 0x7ffff7f67700 (LWP 13453)]
[New Thread 0x7ffff2b07700 (LWP 13454)]
[New Thread 0x7fffecf28700 (LWP 13455)]
[0000000000605118] core libvlc: Running vlc with the default interface. Use 'cvlc' to use vlc without interface.
[New Thread 0x7fffe06c1700 (LWP 13457)]
[New Thread 0x7fffce163700 (LWP 13459)]
[Thread 0x7ffff2b07700 (LWP 13454) exited]
[New Thread 0x7fffc7df9700 (LWP 13460)]
[Thread 0x7fffce163700 (LWP 13459) exited]
[New Thread 0x7fffce163700 (LWP 13461)]
[New Thread 0x7ffff2b07700 (LWP 13462)]
[New Thread 0x7fffc232d700 (LWP 13463)]
[00000000006cafc8] core playlist: stopping playback
[New Thread 0x7fffc222c700 (LWP 13464)]
[New Thread 0x7fffc212b700 (LWP 13465)]
[Thread 0x7ffff2b07700 (LWP 13462) exited]
[New Thread 0x7ffff2b07700 (LWP 13466)]
[Thread 0x7fffc222c700 (LWP 13464) exited]
[Thread 0x7fffc232d700 (LWP 13463) exited]
[New Thread 0x7fffc232d700 (LWP 13476)]
[New Thread 0x7fffc222c700 (LWP 13477)]
[New Thread 0x7fffa8669700 (LWP 13478)]
[Thread 0x7fffc212b700 (LWP 13465) exited]
[Thread 0x7fffc232d700 (LWP 13476) exited]
[Thread 0x7fffc222c700 (LWP 13477) exited]
[Switching to Thread 0x7ffff2b07700 (LWP 13466)]

Breakpoint 1, mad_stream_finish (stream=stream@entry=0x7fff9c009cc0) at stream.c:67
67      {
(gdb) s
68        if (stream->main_data) {
(gdb) 
75        free(stream->l_ptr);
(gdb) 
77        free(stream->l_anc_ptr);
(gdb) 
76        stream->l_ptr = NULL;
(gdb) 
77        free(stream->l_anc_ptr);
(gdb) p *stream
$4 = {
  buffer = 0x7fff9c029dc0 "\377\374\304\f)\362\231UUwffffU43$\222I$\222I$", 
  bufend = 0x7fff9c02a0c8 "X\252\034n\215\254a\270\064Z\n\023y\374\350\203+\314\034\222\373\265\245NC\032e205ptk6\254\277Q\\\004\201\325\vuZ\244i2Ú¼#K1\213", 
  skiplen = 0, 
  sync = 1, 
  freerate = 0, 
  this_frame = 0x7fff9c029dc0 "\377\374\304\f)\362\231UUwffffU43$\222I$\222I$", 
  next_frame = 0x7fff9c02a0c0 "\377\374\304\f\236\344\211UX\252\034n\215\254a\270\064Z\n\023y\374\350\203+314\034\222\373\265\245NC\032e\205ptk6\254\277Q\\\004\201\325\vuZ\244i2Ú¼#K1\213", 
  {
    ptr = {
      byte = 0x0, 
      cache = 29920, 
      left = 39936
    }, 
    l_ptr = 0x0
  }, 
  {
    anc_ptr = {
      byte = 0x7fff9c0051e0 "", 
      cache = 20912, 
      left = 41268
    }, 
    l_anc_ptr = 0x7fff9c0051e0
  }, 
  anc_bitlen = 2, 
  main_data = 0x0, 
  md_len = 0, 
  options = 1, 
  error = MAD_ERROR_NONE
}

I have no idea why line 77 is being executed twice (some compiler optimisation setting?), but at the point it is executed again it has already been set to NULL and vlc aborts.
Comment 11 Deri James 2016-06-24 15:05:05 CEST
I meant to say it has already been freed, it is nulled in line 78.
Comment 12 Deri James 2016-06-24 20:34:23 CEST
I have slightly changed the contrib patch which was causing the problem. The immediate problem was that l_ptr and l_anc_ptr contained the same value, because, although they are both malloced in stream.c, they can be set to the same value in two other files. So when they have been set to the same value the attempt to free l_anc_ptr fails. I tested by changing the code to this:-

void mad_stream_finish(struct mad_stream *stream)
{
  if (stream->main_data) {
    free(stream->main_data);
    stream->main_data = 0;
  }

  mad_bit_w_len_finish(stream->l_anc_ptr);
  mad_bit_w_len_finish(stream->l_ptr);
  free(stream->l_ptr);
  
  if (stream->l_ptr != stream->l_anc_ptr)
    free(stream->l_anc_ptr);
  
  stream->l_anc_ptr = NULL;
  stream->l_ptr = NULL;
}

This fixed the crashing but not the potential memory leak.
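As an added example (not libmad's code and not the patch from this bug), the aliasing double free described in comment 12 next to the alias-aware release, using a constructed stand-in struct and a small free ledger so the second free is counted rather than aborting the process:

```c
#include <stdlib.h>
/* Stand-in (hypothetical, not libmad's) for the two struct mad_stream fields */
struct demo_stream {
    unsigned char *l_ptr;     /* init allocates each separately... */
    unsigned char *l_anc_ptr; /* ...but other paths may alias them */
};

/* Ledger so a second free of one block is counted instead of aborting. */
#define LEDGER_MAX 8
static void *freed_ledger[LEDGER_MAX];
static int freed_count;
static int tracked_free(void *p)
{
    for (int i = 0; p && i < freed_count; i++)
        if (freed_ledger[i] == p)
            return 1;                      /* same block freed twice */
    if (p && freed_count < LEDGER_MAX)
        freed_ledger[freed_count++] = p;
    free(p);                               /* free(NULL) is a no-op */
    return 0;
}
/* Release pattern from the original contrib patch: free both fields blindly. */
static int finish_unchecked(struct demo_stream *s)
{
    int dbl = tracked_free(s->l_ptr);
    dbl += tracked_free(s->l_anc_ptr);
    s->l_ptr = s->l_anc_ptr = NULL;
    return dbl;
}
/* Alias-aware release (the comment 12 fix): compare before freeing. */
static int finish_checked(struct demo_stream *s)
{
    int shared = (s->l_ptr == s->l_anc_ptr);
    int dbl = tracked_free(s->l_ptr);
    if (!shared)
        dbl += tracked_free(s->l_anc_ptr);
    s->l_ptr = s->l_anc_ptr = NULL;
    return dbl;
}
/* Builds an aliased or separate-block stream, runs one release variant and
 * returns how many double frees it attempted (0 means safe). */
int run_case(int aliased, int use_fix)
{
    struct demo_stream s;
    freed_count = 0;
    s.l_ptr = malloc(16);
    s.l_anc_ptr = aliased ? s.l_ptr : malloc(16);
    return use_fix ? finish_checked(&s) : finish_unchecked(&s);
}
```

Comparing the two pointers before the first free avoids reading a pointer value after its block has been released; the ledger is only instrumentation for the demo, real builds rely on glibc's check or a tool such as ASan.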
Comment 13 Deri James 2016-06-24 20:39:10 CEST
Created attachment 8067 [details]
Updated patch

See Comment #12
Comment 14 Shlomi Fish 2016-06-24 23:14:57 CEST
(In reply to Deri James from comment #13)
> Created attachment 8067 [details]
> Updated patch
> 
> See Comment #12

Now submitted this patch as part of mad-0.15.1b-17.3.mga5 in mageia 5 core/updates_testing. Please test: http://pkgsubmit.mageia.org/ .
Comment 15 Alexander Krylov 2016-06-24 23:27:11 CEST
Newly submitted lib64mad0-0.15.1b-17.3.mga5.x86_64.rpm fixed the problem for me.
Comment 16 David Walser 2016-07-06 20:37:10 CEST
Thanks everyone.  Assigning to QA so we can get this released.

Shlomi, could you provide an advisory for the update?

Assignee: pkg-bugs => qa-bugs
Whiteboard: (none) => MGA5-64-OK

Comment 17 Shlomi Fish 2016-07-07 12:58:32 CEST
(In reply to David Walser from comment #16)
> Thanks everyone.  Assigning to QA so we can get this released.
> 
> Shlomi, could you provide an advisory for the update?

Yes, I can. Stay tuned.
Comment 18 Shlomi Fish 2016-07-07 13:55:04 CEST
Here is the advisory:

Suggested advisory:
===================

Updated mad package fixes a double-free bug in the mageia version.

Alexander Krylov reported that VLC with the patched mad/libmad packages
was partially broken. Further analysis indicated it was a double free bug
which was fixed by Deri James.

References:
https://bugs.mageia.org/show_bug.cgi?id=18776
===================

Updated packages in {core}/updates_testing:
===================

lib64mad0-0.15.1b-17.3.mga5
lib64mad-devel-0.15.1b-17.3.mga5
mad-debuginfo-0.15.1b-17.3.mga5

Source RPMs:
mad-0.15.1b-17.3.mga5.src.rpm
Comment 19 claire robinson 2016-07-08 16:51:17 CEST
Validating

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

claire robinson 2016-07-08 17:52:03 CEST

Whiteboard: MGA5-64-OK => advisory MGA5-64-OK

Comment 20 Mageia Robot 2016-07-08 21:51:36 CEST
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGAA-2016-0100.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

