Date:      Sat, 7 Jul 2012 15:15:24 GMT
From:      Fabian Keil <fk@fabiankeil.de>
To:        freebsd-gnats-submit@FreeBSD.org
Subject:   ports/169698: multimedia/libdvdnav 4.2.0 ignores WITH_DEBUG and segfaults with some discs
Message-ID:  <201207071515.q67FFOZC072176@red.freebsd.org>
Resent-Message-ID: <201207071520.q67FK8vZ007800@freefall.freebsd.org>


>Number:         169698
>Category:       ports
>Synopsis:       multimedia/libdvdnav 4.2.0 ignores WITH_DEBUG and segfaults with some discs
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          update
>Submitter-Id:   current-users
>Arrival-Date:   Sat Jul 07 15:20:08 UTC 2012
>Closed-Date:
>Last-Modified:
>Originator:     Fabian Keil
>Release:        HEAD
>Organization:
>Environment:
FreeBSD r500.local 10.0-CURRENT FreeBSD 10.0-CURRENT #451 r+221ea6b: Thu Jul  5 15:21:14 CEST 2012     fk@r500.local:/usr/obj/usr/src/sys/ZOEY  amd64

>Description:
Some discs can cause multimedia/libdvdnav 4.2.0 to segfault in dvdnav_describe_title_chapters():

(gdb) where
#0  0x0000000802a17956 in dvdnav_describe_title_chapters (this=0x80d90be00, title=35, times=0x7fffff7f9a90, duration=0x7fffff7f9a98)
    at /usr/obj-ports/usr/ports/multimedia/libdvdnav/work/libdvdnav-4.2.0/src/searching.c:633
#1  0x0000000802806b06 in DemuxTitles (p_demux=<optimized out>) at dvdnav.c:1005
#2  Open (p_this=<optimized out>) at dvdnav.c:320
#3  0x0000000800ad5528 in generic_start (func=0x8028060c0, ap=0x7fffff7f9bc0) at modules/modules.c:413
#4  0x0000000800ad50ff in vlc_module_load (p_this=0x80d81b158, psz_capability=0x800b1582c "access_demux", psz_name=0x80d810068 "dvd", b_strict=true,
    probe=0x800ad54b0 <generic_start>) at modules/modules.c:342
#5  0x0000000800ad55ef in module_need (obj=0x80d81b158, cap=0x800b1582c "access_demux", name=0x80d810068 "dvd", strict=true) at modules/modules.c:428
#6  0x0000000800a83dbb in demux_New (p_obj=0x806428078, p_parent_input=0x806428078, psz_access=0x80d851040 "dvd", psz_demux=0x800b17349 "",
    psz_location=0x80d851046 "/dev/cd0", s=0x0, out=0x80d812040, b_quick=false) at input/demux.c:194
#7  0x0000000800a99b90 in InputSourceInit (p_input=0x806428078, in=0x80642b8b0, psz_mrl=0x80ae21340 "dvd:///dev/cd0", psz_forced_demux=0x0, b_in_can_fail=false)
    at input/input.c:2391
#8  0x0000000800a96730 in Init (p_input=0x806428078) at input/input.c:1237
#9  0x0000000800a93ed5 in Run (obj=0x806428078) at input/input.c:539
#10 0x00000008016d59f9 in thread_start (curthread=0x806454400) at /usr/src/lib/libthr/thread/thr_create.c:284
#11 0x0000000000000000 in ?? ()
(gdb) f 0
#0  0x0000000802a17956 in dvdnav_describe_title_chapters (this=0x80d90be00, title=35, times=0x7fffff7f9a90, duration=0x7fffff7f9a98)
    at /usr/obj-ports/usr/ports/multimedia/libdvdnav/work/libdvdnav-4.2.0/src/searching.c:633
633           if(!(cell->block_type == BLOCK_TYPE_ANGLE_BLOCK &&
(gdb) p cell->block_type
Cannot access memory at address 0x200d812838
[...]
(gdb) p cellnr
$5 = 0

The port also ignores WITH_DEBUG which doesn't help when analyzing core dumps.
>How-To-Repeat:
Open the first disc of Grey's Anatomy Season 2 RC2 with VLC 2.1.

The "current" VLC version in the ports isn't affected,
I assume it doesn't use dvdnav_describe_title_chapters()
yet, but didn't investigate this.
>Fix:
The attached update to 4.2.0_1 contains an upstream patch from
Erik Hovland that fixes the problem. It also lets the port honor
WITH_DEBUG in case of crashes in the future.

Patch attached with submission follows:

diff -ruN .zfs/snapshot/2012-06-27_00:47/multimedia/libdvdnav/Makefile multimedia/libdvdnav/Makefile
--- .zfs/snapshot/2012-06-27_00:47/multimedia/libdvdnav/Makefile	2012-01-20 22:54:10.617951980 +0100
+++ multimedia/libdvdnav/Makefile	2012-07-07 16:39:00.351502645 +0200
@@ -7,6 +7,7 @@
 
 PORTNAME=	libdvdnav
 PORTVERSION=	4.2.0
+PORTREVISION=	1
 CATEGORIES=	multimedia
 # Svn repository URL : svn://svn.mplayerhq.hu/dvdnav/trunk/libdvdnav
 MASTER_SITES=	http://dvdnav.mplayerhq.hu/releases/ \
@@ -29,8 +30,12 @@
 		--shlibdir="${PREFIX}/lib" \
 		--incdir="${PREFIX}/include/dvdnav" \
 		--disable-opts \
-		--disable-debug \
 		--cc="${CC}"
+.if defined(WITH_DEBUG)
+CONFIGURE_ARGS+=	--disable-strip
+.else
+CONFIGURE_ARGS+=	--disable-debug
+.endif
 USE_GMAKE=	yes
 CONFLICTS=	libdvdnav-mplayer-[0-9]*
 USE_LDCONFIG=	yes
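Review bot: In the `.if defined(WITH_DEBUG)` branch only `--disable-strip` is added, while `--disable-opts` in the context lines above stays unconditional, so a debug build depends on configure turning debug on by default once `--disable-debug` is no longer passed. A one-line comment above the `.if` saying so would spare the next maintainer a look at the configure script.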
diff -ruN .zfs/snapshot/2012-06-27_00:47/multimedia/libdvdnav/files/patch-src-searching.c multimedia/libdvdnav/files/patch-src-searching.c
--- .zfs/snapshot/2012-06-27_00:47/multimedia/libdvdnav/files/patch-src-searching.c	1970-01-01 01:00:00.000000000 +0100
+++ multimedia/libdvdnav/files/patch-src-searching.c	2012-07-07 16:34:53.000000000 +0200
@@ -0,0 +1,44 @@
+From 49c67ccf88c688e0e0e9e3b04f651b12c7d7f7f3 Mon Sep 17 00:00:00 2001
+From: Erik Hovland <erik@hovland.org>
+Date: Mon, 16 Apr 2012 14:56:43 -0700
+Subject: [PATCH] Check cell new row before using it to index into
+ cell_playback
+
+cellnr is used to index into cell_playback after subtracting
+one from it. If cellnr is 0, then it will index -1 in cell_playback
+which will seek out of boundary of cell_playback. This manifested into a
+segfault for some users as reported by this launchpad bug:
+https://bugs.launchpad.net/ubuntu/+source/libdvdnav/+bug/934471
+
+By checking cellnr and skipping the indexing if cellnr is equal to zero
+then we avoid the segfault. There might be a bigger issue w/ regard to
+retrieving a value of zero for cell new row, but this fix works for the
+reporter.
+
+Thanks goes to Sylvain Henry (hsyl20 AT gmail DOT com for both
+reporting the bug to launchpad and submitting a potential patch (even
+though we went w/ a different fix).
+---
+ src/searching.c |    6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/src/searching.c b/src/searching.c
+index 3649e9d..0b5f22a 100644
+--- src/searching.c
++++ src/searching.c
+@@ -640,7 +640,11 @@ uint32_t dvdnav_describe_title_chapters(dvdnav_t *this, int32_t title, uint64_t
+       goto fail;
+     }
+ 
+-    cellnr = pgc->program_map[ptt[i].pgn-1];
++    if ((cellnr = pgc->program_map[ptt[i].pgn-1]) == 0) {
++      printerr("Cell new row cannot be 0");
++      continue;
++    }
++
+     if(ptt[i].pgn < pgc->nr_of_programs)
+       endcellnr = pgc->program_map[ptt[i].pgn];
+     else
+-- 
+1.7.10.3
+
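Review bot: The new `cellnr == 0` test covers only the lower bound; `endcellnr` in the following lines is read from `program_map` in the same way without any check, and nothing in this hunk compares either value with the number of cells in the PGC. Both values come from the disc, so consider rejecting values above the cell count as well as zero. The commit message itself says a zero value may point to a bigger issue, which is worth carrying into a code comment next to the `continue`.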


>Release-Note:
>Audit-Trail:
>Unformatted:
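
The out-of-bounds index shown in the gdb session above (cellnr = 0, so cell_playback[cellnr - 1] lands before the table), as an added example that is not part of the original report or of libdvdnav. The struct and function names are simplified, hypothetical stand-ins for the PGC tables, and the lookup goes beyond the attached fix by also rejecting cell numbers past the end of the table.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified stand-ins for the PGC tables; not libdvdread's real structs. */
typedef struct { uint8_t block_type; } cell_model_t;
typedef struct {
  uint8_t nr_of_programs;
  uint8_t nr_of_cells;
  const uint8_t *program_map;        /* program n (1-based) -> entry cell number (1-based) */
  const cell_model_t *cell_playback; /* nr_of_cells entries, 0-based */
} pgc_model_t;

/* Return the entry cell of program pgn, or NULL when the disc data would
 * make cell_playback[cellnr - 1] fall outside the table. */
const cell_model_t *entry_cell(const pgc_model_t *pgc, unsigned pgn) {
  unsigned cellnr;

  if (pgc == NULL || pgn == 0 || pgn > pgc->nr_of_programs)
    return NULL;                     /* program_map[pgn - 1] would be out of range */

  cellnr = pgc->program_map[pgn - 1];
  if (cellnr == 0)                   /* the case in the backtrace: index -1 */
    return NULL;
  if (cellnr > pgc->nr_of_cells)     /* upper bound, added in this example */
    return NULL;
  return &pgc->cell_playback[cellnr - 1];
}

/* Constructed sample: three cells; program 2 carries the bogus cell number 0
 * and program 3 points past the end of the table. */
static const cell_model_t sample_cells[3] = { {0}, {1}, {0} };
static const uint8_t sample_map[3] = { 1, 0, 9 };
static const pgc_model_t sample_pgc = { 3, 3, sample_map, sample_cells };

/* Count the programs whose entry cell can be dereferenced safely. */
int count_usable_programs(const pgc_model_t *pgc) {
  int usable = 0;
  for (unsigned pgn = 1; pgn <= pgc->nr_of_programs; pgn++)
    if (entry_cell(pgc, pgn) != NULL)
      usable++;
  return usable;
}

int main(void) {
  printf("usable programs: %d of %d\n",
         count_usable_programs(&sample_pgc), sample_pgc.nr_of_programs);
  return 0;
}
```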


