Bug 315142

KNotify4 crashes when trying to play OGG files inside libvorbis, so this could be libvorbis problem. But I could not crash any other libvorbis-enabled tool using the same files KNotify4 tries to play.

Below is the one of the sample backtraces, followed by some possibly interesting GDB output. Another trace was reported by Alexey Chernov https://bugs.kde.org/show_bug.cgi?id=151293#c8 in 2008. I skip other threads as they are not meaningful (either sleeping or polling).

#0  0x0a9c4458 in res0_look (vd=0x7c7eb548, vr=0x7fa034e0) at /usr/ports/pobj/libvorbis-1.3.3/libvorbis-1.3.3/lib/res0.c:282
#1  0x0a9b5b76 in _vds_shared_init (v=0x7c7eb548, vi=0x7c7eb590, encp=0) at /usr/ports/pobj/libvorbis-1.3.3/libvorbis-1.3.3/lib/block.c:279
#2  0x0a9b6c47 in vorbis_synthesis_init (v=0x7c7eb548, vi=0x7c7eb590) at /usr/ports/pobj/libvorbis-1.3.3/libvorbis-1.3.3/lib/block.c:709
#3  0x01f10fbd in vorbis_handle_header_packet (vd=0x7c7eb400, packet=0x7ccb9b84) at gstvorbisdec.c:392
#4  0x01f11bdb in vorbis_dec_handle_frame (dec=0x7c7eb400, buffer=0x89f7a878) at gstvorbisdec.c:690
#5  0x0dbcc509 in gst_audio_decoder_handle_frame (dec=0x7c7eb400, klass=0x84ce7a00, buffer=0x89f7a878) at gstaudiodecoder.c:945
#6  0x0dbcc83d in gst_audio_decoder_push_buffers (dec=0x7c7eb400, force=0) at gstaudiodecoder.c:1039
#7  0x0dbccd10 in gst_audio_decoder_chain_forward (dec=0x7c7eb400, buffer=0x89f7a878) at gstaudiodecoder.c:1141
#8  0x0dbcebb3 in gst_audio_decoder_chain (pad=0x8a4bf4b0, buffer=0x89f7a878) at gstaudiodecoder.c:1389
#9  0x0d568671 in gst_pad_push (pad=0x8a4bf3e8, buffer=0x89f7a878) at gstpad.c:4710
#10 0x0f41c434 in gst_multi_queue_loop (pad=0x8a4bf3e8) at gstmultiqueue.c:1087
#11 0x0d58f02c in gst_task_func (task=0x8a8a5680) at gsttask.c:327
#12 0x0d590567 in default_func (tdata=0x80202b80, pool=0x88285800) at gsttaskpool.c:70
#13 0x0d4ea3b1 in g_thread_pool_thread_proxy () from /usr/local/lib/libglib-2.0.so.3400.0
#14 0x0d4e9362 in g_thread_proxy () from /usr/local/lib/libglib-2.0.so.3400.0
#15 0x041a710e in _rthread_start (v=0x83317b00) at /usr/src/lib/librthread/rthread.c:122
#16 0x0dd5a272 in __tfork_thread () at /usr/src/lib/libc/arch/i386/sys/tfork_thread.S:95
(gdb) f 0
#0  0x0a9c4458 in res0_look (vd=0x7c7eb548, vr=0x7fa034e0) at /usr/ports/pobj/libvorbis-1.3.3/libvorbis-1.3.3/lib/res0.c:282
282       dim=look->phrasebook->dim;
(gdb) l
272       codec_setup_info     *ci=vd->vi->codec_setup;
273     
274       int j,k,acc=0;
275       int dim;
276       int maxstage=0;
277       look->info=info;
278     
279       look->parts=info->partitions;
280       look->fullbooks=ci->fullbooks;
281       look->phrasebook=ci->fullbooks+info->groupbook;
282       dim=look->phrasebook->dim;
283     
284       look->partbooks=_ogg_calloc(look->parts,sizeof(*look->partbooks));
285     
286       for(j=0;j<look->parts;j++){
287         int stages=ilog(info->secondstages[j]);
288         if(stages){
289           if(stages>maxstage)maxstage=stages;
290           look->partbooks[j]=_ogg_calloc(stages,sizeof(*look->partbooks[j]));
291           for(k=0;k<stages;k++)
(gdb) 
p *vd->vi
$1 = {version = 0, channels = 0, rate = 0, bitrate_upper = 0, bitrate_nominal = 0, bitrate_lower = 0, bitrate_window = 0, 
  codec_setup = 0x8b85d280}
(gdb) p *vd->vi->codec_setup
Attempt to dereference a generic pointer.
(gdb) p *ci
Cannot access memory at address 0x8b85d280
(gdb)

Reproducible: Always




OS: OpenBSD 5.3-BETA
Using KDE 4.10.0 from OpenBSD WIP ports tree: http://github.com/jasperla/openbsd-wip/tree/x11/kde4100/ , but the same problem occured in 4.9, too.

I tried to force crash earlier using MALLOC_OPTIONS (see malloc(3), http://www.openbsd.org/cgi-bin/man.cgi?query=malloc&sektion=3&manpath=OpenBSD+Current&arch=i386&format=html ) but no luck, so probably this is not about use-after-free or use-before-initialization.