Bug 182595

Summary: buffer smaller than AVCODEC_MAX_AUDIO_FRAME_SIZE
Product: [Applications] k3b
Reporter: michel munnix <michel.munnix>
Component: general
Assignee: Sebastian Trueg <trueg>
Status: RESOLVED FIXED
Severity: normal
CC: jabouzane, kimrhh, michalm, steffen.sobiech
Priority: NOR
Version: 1.91.0
Target Milestone: ---
Platform: unspecified
OS: Linux
Attachments:
  test audio file
  plugin configuration
  Fix for this bug
  Updated patch that applies cleanly at head
  Updated patch in svn diff format

Description michel munnix 2009-01-31 16:05:35 UTC
Version:           1.0.5 (using 3.5.10 "release 21.11" , openSUSE )
Compiler:          Target: x86_64-suse-linux
OS:                Linux (x86_64) release 2.6.27.7-9-default

When trying to burn an audio CD from aac files, I am getting many identical messages:
[aac @ 0x1846460]buffer smaller than AVCODEC_MAX_AUDIO_FRAME_SIZE
Then k3b closes without an error message.
Same problem when trying to play the piece with the right-click context menu.

For testing, I created a small file with:
ffmpeg -i /usr/share/ooo3/basis3.0/share/gallery/sounds/curve.wav curve.aac
Comment 1 michel munnix 2009-01-31 16:06:40 UTC
Created attachment 30783
test audio file
Comment 2 michel munnix 2009-01-31 16:08:51 UTC
Created attachment 30784
plugin configuration
Comment 3 Steffen Sobiech 2009-05-10 14:09:42 UTC
I can confirm this one. It also happens on 32bit.
Comment 4 Sebastian Trueg 2009-05-11 09:59:59 UTC
Tried with K3b trunk. Does not crash.
Comment 5 Jason Bouzane 2010-04-19 01:08:53 UTC
Created attachment 42878
Fix for this bug
Comment 6 Jason Bouzane 2010-04-19 01:11:43 UTC
I'm a little disappointed that this was closed without further investigation. The code that is being used here is very obviously broken and the original bug had enough information to figure this out. There are three major bugs in the code.

In fillOutputBuffer, you call avcodec_decode_audio2 but you don't check the return value. If it returns -1, you increase packet size by 1 every time and go into an infinite loop.

You incorrectly set d->outputBufferSize to 0 before calling avcodec_decode_audio2, which is explicitly warned against in the documentation.

You don't 16-byte align the output buffer. This is also explicitly warned against in the documentation and will result in crashes if you are using an sse2 enabled processor and you fix the previous two bugs.

On top of those three, there's no way to return an error from fillOutputBuffer, even though the function can fail.

I've attached a patch that fixes these problems for me.
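
Added example (not part of comment 6 and not the attached patch): a decode loop that avoids the three defects listed above, run against a hypothetical stub. `stub_decode`, `MAX_FRAME_BYTES` and the 0xFF "corrupt" marker are assumptions standing in for `avcodec_decode_audio2` and `AVCODEC_MAX_AUDIO_FRAME_SIZE`; only the calling contract described in the comment is modelled.

```c
#include <stdint.h>
#include <stdio.h>

#define MAX_FRAME_BYTES 4096  /* constructed stand-in for AVCODEC_MAX_AUDIO_FRAME_SIZE */

/* Hypothetical stub with the contract comment 6 describes: *out_size is the
 * buffer capacity on entry and the bytes written on return; the result is
 * the number of input bytes consumed, or -1 on error. */
static int stub_decode(int16_t *out, int *out_size, const uint8_t *in, int in_len)
{
    if (*out_size < MAX_FRAME_BYTES) return -1;    /* "buffer smaller than ..." */
    if ((uintptr_t)out % 16 != 0) return -1;       /* SIMD paths need alignment */
    if (in_len <= 0 || in[0] == 0xFF) return -1;   /* constructed corrupt byte */
    int n = in_len < 4 ? in_len : 4;               /* consume up to 4 bytes */
    for (int i = 0; i < n; i++) out[i] = (int16_t)(in[i] * 2);
    *out_size = n * (int)sizeof(int16_t);
    return n;
}

static _Alignas(16) int16_t g_out[MAX_FRAME_BYTES / 2];  /* 16-byte aligned output */

/* Decode until some PCM is produced. Returns the bytes now in g_out,
 * 0 when the packet is exhausted, -1 on decoder error. */
static int fill_output_buffer(const uint8_t **pkt, int *pkt_len)
{
    while (*pkt_len > 0) {
        int out_size = (int)sizeof g_out;          /* pass capacity, never 0 */
        int used = stub_decode(g_out, &out_size, *pkt, *pkt_len);
        if (used < 0)
            return -1;                             /* report instead of retrying forever */
        *pkt += used;
        *pkt_len -= used;
        if (out_size > 0)
            return out_size;
    }
    return 0;
}

int main(void)
{
    const uint8_t pkt[] = {1, 2, 3, 4, 0xFF};      /* constructed packet, last byte corrupt */
    const uint8_t *p = pkt;
    int len = (int)sizeof pkt, r;
    while ((r = fill_output_buffer(&p, &len)) > 0)
        printf("decoded %d bytes\n", r);
    if (r < 0) puts("decoder error, stopping");
    return 0;
}
```
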
Comment 7 Jason Bouzane 2010-05-03 11:11:08 UTC
Any update on this? It'd be nice to get this patch submitted against head.
Comment 8 Jason Bouzane 2010-05-18 06:48:21 UTC
Can someone provide an update on this bug? I don't think anything needs to be done besides submitting the attached patch.
Comment 9 Jason Bouzane 2010-05-23 11:54:54 UTC
Created attachment 43817
Updated patch that applies cleanly at head
Comment 10 Jason Bouzane 2010-05-23 20:05:38 UTC
Created attachment 43825
Updated patch in svn diff format
Comment 11 Kim Højgaard-Hansen 2010-05-24 11:35:47 UTC
Changing this to unconfirmed now, since I apparently can't re-open :)

@Jason

Thank you for the extra information and work, we will look into this issue.
Comment 12 Michał Małek 2010-05-24 19:04:51 UTC
Patch applied on revision 1130188. Thanks for the patch and for your patience!
WebSVN link: http://websvn.kde.org/?view=rev&revision=1130188