Date: Sat, 7 Jul 2012 15:15:24 GMT
From: Fabian Keil <fk@fabiankeil.de>
To: freebsd-gnats-submit@FreeBSD.org
Subject: ports/169698: multimedia/libdvdnav 4.2.0 ignores WITH_DEBUG and segfaults with some discs
Message-ID: <201207071515.q67FFOZC072176@red.freebsd.org>
Resent-Message-ID: <201207071520.q67FK8vZ007800@freefall.freebsd.org>
>Number:         169698
>Category:       ports
>Synopsis:       multimedia/libdvdnav 4.2.0 ignores WITH_DEBUG and segfaults with some discs
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          update
>Submitter-Id:   current-users
>Arrival-Date:   Sat Jul 07 15:20:08 UTC 2012
>Closed-Date:
>Last-Modified:
>Originator:     Fabian Keil
>Release:        HEAD
>Organization:
>Environment:
FreeBSD r500.local 10.0-CURRENT FreeBSD 10.0-CURRENT #451 r+221ea6b: Thu Jul 5 15:21:14 CEST 2012 fk@r500.local:/usr/obj/usr/src/sys/ZOEY amd64
>Description:
Some discs can cause multimedia/libdvdnav 4.2.0 to segfault in dvdnav_describe_title_chapters():

(gdb) where
#0  0x0000000802a17956 in dvdnav_describe_title_chapters (this=0x80d90be00, title=35, times=0x7fffff7f9a90, duration=0x7fffff7f9a98) at /usr/obj-ports/usr/ports/multimedia/libdvdnav/work/libdvdnav-4.2.0/src/searching.c:633
#1  0x0000000802806b06 in DemuxTitles (p_demux=<optimized out>) at dvdnav.c:1005
#2  Open (p_this=<optimized out>) at dvdnav.c:320
#3  0x0000000800ad5528 in generic_start (func=0x8028060c0, ap=0x7fffff7f9bc0) at modules/modules.c:413
#4  0x0000000800ad50ff in vlc_module_load (p_this=0x80d81b158, psz_capability=0x800b1582c "access_demux", psz_name=0x80d810068 "dvd", b_strict=true, probe=0x800ad54b0 <generic_start>) at modules/modules.c:342
#5  0x0000000800ad55ef in module_need (obj=0x80d81b158, cap=0x800b1582c "access_demux", name=0x80d810068 "dvd", strict=true) at modules/modules.c:428
#6  0x0000000800a83dbb in demux_New (p_obj=0x806428078, p_parent_input=0x806428078, psz_access=0x80d851040 "dvd", psz_demux=0x800b17349 "", psz_location=0x80d851046 "/dev/cd0", s=0x0, out=0x80d812040, b_quick=false) at input/demux.c:194
#7  0x0000000800a99b90 in InputSourceInit (p_input=0x806428078, in=0x80642b8b0, psz_mrl=0x80ae21340 "dvd:///dev/cd0", psz_forced_demux=0x0, b_in_can_fail=false) at input/input.c:2391
#8  0x0000000800a96730 in Init (p_input=0x806428078) at
input/input.c:1237 #9 0x0000000800a93ed5 in Run (obj=0x806428078) at input/input.c:539 #10 0x00000008016d59f9 in thread_start (curthread=0x806454400) at /usr/src/lib/libthr/thread/thr_create.c:284 #11 0x0000000000000000 in ?? () (gdb) f 0 #0 0x0000000802a17956 in dvdnav_describe_title_chapters (this=0x80d90be00, title=35, times=0x7fffff7f9a90, duration=0x7fffff7f9a98) at /usr/obj-ports/usr/ports/multimedia/libdvdnav/work/libdvdnav-4.2.0/src/searching.c:633 633 if(!(cell->block_type == BLOCK_TYPE_ANGLE_BLOCK && (gdb) p cell->block_type Cannot access memory at address 0x200d812838 [...] (gdb) p cellnr $5 = 0 The port also ignores WITH_DEBUG which doesn't help when analyzing core dumps. >How-To-Repeat: Open the first disc of Grey's Anatomy Season 2 RC2 with VLC 2.1. The "current" VLC version in the ports isn't affected, I assume it doesn't use dvdnav_describe_title_chapters() yet, but didn't investigate this. >Fix: The attached update to 4.2.0_1 contains an upstream patch from Erik Hovland that fixes the problem. It also lets the port honor WITH_DEBUG in case of crashes in the future. Patch attached with submission follows: diff -ruN .zfs/snapshot/2012-06-27_00:47/multimedia/libdvdnav/Makefile multimedia/libdvdnav/Makefile --- .zfs/snapshot/2012-06-27_00:47/multimedia/libdvdnav/Makefile 2012-01-20 22:54:10.617951980 +0100 +++ multimedia/libdvdnav/Makefile 2012-07-07 16:39:00.351502645 +0200 @@ -7,6 +7,7 @@ PORTNAME= libdvdnav PORTVERSION= 4.2.0 +PORTREVISION= 1 CATEGORIES= multimedia # Svn repository URL : svn://svn.mplayerhq.hu/dvdnav/trunk/libdvdnav MASTER_SITES= http://dvdnav.mplayerhq.hu/releases/ \ 
@@ -29,8 +30,12 @@ --shlibdir="${PREFIX}/lib" \ --incdir="${PREFIX}/include/dvdnav" \ --disable-opts \ - --disable-debug \ --cc="${CC}" +.if defined(WITH_DEBUG) +CONFIGURE_ARGS+= --disable-strip +.else +CONFIGURE_ARGS+= --disable-debug +.endif USE_GMAKE= yes CONFLICTS= libdvdnav-mplayer-[0-9]* USE_LDCONFIG= yes diff -ruN .zfs/snapshot/2012-06-27_00:47/multimedia/libdvdnav/files/patch-src-searching.c multimedia/libdvdnav/files/patch-src-searching.c --- .zfs/snapshot/2012-06-27_00:47/multimedia/libdvdnav/files/patch-src-searching.c 1970-01-01 01:00:00.000000000 +0100 +++ multimedia/libdvdnav/files/patch-src-searching.c 2012-07-07 16:34:53.000000000 +0200 
@@ -0,0 +1,44 @@ +From 49c67ccf88c688e0e0e9e3b04f651b12c7d7f7f3 Mon Sep 17 00:00:00 2001 +From: Erik Hovland <erik@hovland.org> +Date: Mon, 16 Apr 2012 14:56:43 -0700 +Subject: [PATCH] Check cell new row before using it to index into + cell_playback + +cellnr is used to index into cell_playback after subtracting +one from it. If cellnr is 0, then it will index -1 in cell_playback +which will seek out of boundary of cell_playback. This manifested into a +segfault for some users as reported by this launchpad bug: +https://bugs.launchpad.net/ubuntu/+source/libdvdnav/+bug/934471 + +By checking cellnr and skipping the indexing if cellnr is equal to zero +then we avoid the segfault. There might be a bigger issue w/ regard to +retrieving a value of zero for cell new row, but this fix works for the +reporter. + +Thanks goes to Sylvain Henry (hsyl20 AT gmail DOT com for both +reporting the bug to launchpad and submitting a potential patch (even +though we went w/ a different fix). +--- + src/searching.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/src/searching.c b/src/searching.c +index 3649e9d..0b5f22a 100644 +--- src/searching.c ++++ src/searching.c +@@ -640,7 +640,11 @@ uint32_t dvdnav_describe_title_chapters(dvdnav_t *this, int32_t title, uint64_t + goto fail; + } + +- cellnr = pgc->program_map[ptt[i].pgn-1]; ++ if ((cellnr = pgc->program_map[ptt[i].pgn-1]) == 0) { ++ printerr("Cell new row cannot be 0"); ++ continue; ++ } ++ + if(ptt[i].pgn < pgc->nr_of_programs) + endcellnr = pgc->program_map[ptt[i].pgn]; + else +-- +1.7.10.3 + >Release-Note: >Audit-Trail: >Unformatted:
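Review bot: in the Makefile hunk that replaces the unconditional `--disable-debug` with the `.if defined(WITH_DEBUG)` block, the debug branch only adds `--disable-strip` and nothing in the hunk says what actually turns debugging on; it relies on configure's default once `--disable-debug` is left out. A one-line comment above the `.if` stating that (or an explicit enable flag, if libdvdnav's configure accepts one) would stop the next reader from concluding that WITH_DEBUG is a no-op for this port.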
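Review bot: the new check in patch-src-searching.c rejects `cellnr == 0` but not `ptt[i].pgn == 0`, and `pgc->program_map[ptt[i].pgn-1]` on the same line reads index -1 in that case, the same shape of underflow the fix is removing from `cell_playback[cellnr-1]`; the visible `if(ptt[i].pgn < pgc->nr_of_programs)` only bounds the upper side, so a `ptt[i].pgn >= 1` test before the lookup would close that. Separately, the `continue` skips the rest of the loop body for that chapter, and the hunk does not show what the body records per chapter into `times`, so confirm that the caller (DemuxTitles in the backtrace) tolerates an entry that is never written, or write a sentinel before continuing.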
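As an added illustration of the bounds problem the patch addresses (not code from libdvdnav or from this submission), the chapter-to-cell lookup of dvdnav_describe_title_chapters() re-done over a constructed, cut-down pgc_t with the 1-based cell numbers validated before any cell_playback index is formed; the struct fields, the status enum, lookup() and the assumption that the last program runs to the last cell are mine, and the example also rejects out-of-range pgn values and inconsistent map entries, which goes beyond the upstream fix.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for the fields of libdvdnav's pgc_t that the chapter lookup touches. */
typedef struct {
    int nr_of_programs;
    const uint8_t *program_map;   /* one 1-based cell number per program; 0 is never valid */
    int nr_of_cells;              /* cell_playback[] holds exactly this many entries */
} pgc_t;
typedef enum {
    CELL_OK = 0,
    CELL_BAD_PGN = -1,            /* ptt[i].pgn outside 1..nr_of_programs */
    CELL_ZERO_ENTRY = -2,         /* program_map entry is 0: cell_playback[-1] in the old code */
    CELL_OUT_OF_RANGE = -3        /* entries do not describe a valid slice of cell_playback */
} cell_status_t;
/* Same lookup as dvdnav_describe_title_chapters(), with every value that would make
 * cell_playback[cellnr-1] leave the array rejected before it is dereferenced.
 * Assumption: the last program runs to the last cell of the PGC. */
cell_status_t resolve_program_cells(const pgc_t *pgc, int pgn, int *first, int *last)
{
    if (pgn < 1 || pgn > pgc->nr_of_programs)
        return CELL_BAD_PGN;      /* program_map[pgn-1] itself would be out of bounds */
    int cellnr = pgc->program_map[pgn - 1];
    if (cellnr == 0)
        return CELL_ZERO_ENTRY;   /* the case behind the reported segfault */
    int endcellnr = (pgn < pgc->nr_of_programs) ? pgc->program_map[pgn]
                                                : pgc->nr_of_cells + 1;
    if (endcellnr <= cellnr || endcellnr - 1 > pgc->nr_of_cells)
        return CELL_OUT_OF_RANGE;
    *first = cellnr;              /* first and last are 1-based cell numbers */
    *last = endcellnr - 1;
    return CELL_OK;
}
/* Wrapper that builds a pgc_t from constructed arrays. */
cell_status_t lookup(const uint8_t *map, int nprog, int ncells, int pgn, int *first, int *last)
{
    pgc_t pgc = { nprog, map, ncells };
    return resolve_program_cells(&pgc, pgn, first, last);
}
int main(void)
{
    static const uint8_t bad_map[] = { 1, 3, 0 };   /* constructed: third program maps to cell 0 */
    for (int pgn = 0; pgn <= 4; pgn++) {
        int first = 0, last = 0;
        cell_status_t st = lookup(bad_map, 3, 5, pgn, &first, &last);
        printf("pgn=%d status=%d cells=%d..%d\n", pgn, st, first, last);
    }
    return 0;
}
```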