Phil Collins causes Nautilus to segfault

Bug #60146 reported by jonnieo
Affects: gstreamer0.10 (Ubuntu)
Status: Fix Released
Importance: Medium
Assigned to: Unassigned

Bug Description

I have a Phil Collins mp3, which if I look at its properties in Nautilus, or try to add it to Rhythmbox, causes a segfault. In general, doing anything with it in gnome causes a segfault, and it is 100% reproducible. The mp3 doesn't actually play (thank god) and is only 128 bytes. Of all my mp3s, it is the only one that does this. Renaming it to remove the mp3 extension causes the problem to go away.

In /var/log/messages, I get (for example):

rhythmbox[6642]: segfault at 0000000000000040 rip 00002aaaacb1d0bf rsp 00000000407fee90 error 4

or

localhost kernel: [65168.779237] nautilus[5190]: segfault at 0000000000000040 rip 00002aaab2da90bf rsp 00007fffffbb0c10 error 4

I am running Dapper Drake amd64

Using gdb I get the following output (I needed to run it under sudo to get gdb to report anything):

[Thread 1090791776 (LWP 8839) exited]
[Thread 1157933408 (LWP 8847) exited]

Program received signal SIGINT, Interrupt.
[Switching to Thread 46912595793472 (LWP 8810)]
0x00002aaaad992e22 in poll () from /lib/libc.so.6
(gdb) thread apply all bt

Thread 2 (Thread 1074006368 (LWP 8813)):
#0 0x00002aaaad992e22 in poll () from /lib/libc.so.6
#1 0x00002aaaad0a6d00 in g_main_context_iterate (context=0x736ae0, block=1, dispatch=1, self=<value optimized out>) at gmain.c:2849
#2 0x00002aaaad0a718a in IA__g_main_loop_run (loop=0x7320f0) at gmain.c:2751
#3 0x00002aaaacbebb90 in link_thread_io_context () from /usr/lib/libORBit-2.so.0
#4 0x00002aaaad0bfb6b in g_thread_create_proxy (data=<value optimized out>) at gthread.c:582
#5 0x00002aaaacf6e0fa in start_thread () from /lib/libpthread.so.0
#6 0x00002aaaad99bce2 in clone () from /lib/libc.so.6
#7 0x0000000000000000 in ?? ()

Thread 1 (Thread 46912595793472 (LWP 8810)):
#0 0x00002aaaad992e22 in poll () from /lib/libc.so.6
#1 0x00002aaaad0a6d00 in g_main_context_iterate (context=0x6950d0, block=1, dispatch=1, self=<value optimized out>) at gmain.c:2849
#2 0x00002aaaad0a718a in IA__g_main_loop_run (loop=0x648ae0) at gmain.c:2751
#3 0x00002aaaabc19582 in IA__gtk_main () at gtkmain.c:1026
#4 0x000000000043acd5 in main (argc=<value optimized out>, argv=0x7fffff98cd28) at nautilus-main.c:406
#5 0x00002aaaad8f049b in __libc_start_main () from /lib/libc.so.6
#6 0x000000000042942a in _start () at ../sysdeps/x86_64/elf/start.S:113
(gdb)

I am new to this gdb thing, so not sure I did it correctly.

Kees Cook (kees) wrote:

Thanks for the report! Can you attach the weird file to this bug report? That will help us reproduce the problem.

Looking at the gdb output, it seems the program died with a SIGINT, rather than a SIGSEGV. As a result, I'm not sure if that backtrace captured the situation.

Changed in nautilus:
status: Unconfirmed → Needs Info
jonnieo (lejono+spam) wrote:

I attach the Phil Collins mp3

Kees Cook (kees) wrote:

Thanks for the file! I can confirm, this crashes me too. This appears to be an issue in gstreamer. At first glance, this seems to be a NULL pointer dereference, but I'll dig a little more.

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 46912595928640 (LWP 6025)]
0x00002aaab2db30bf in gst_push_src_get_type ()
   from /usr/lib/libgstbase-0.10.so.0
(gdb) bt
#0 0x00002aaab2db30bf in gst_push_src_get_type ()
   from /usr/lib/libgstbase-0.10.so.0
#1 0x00002aaab4c80b43 in mpeg_ts_probe_headers ()
   from /usr/lib/gstreamer-0.10/libgsttypefindfunctions.so
...
(gdb) info reg rip
rip 0x2aaab2db30bf 0x2aaab2db30bf <gst_push_src_get_type+735>
(gdb) disass
...
0x00002aaab2db30b6 <gst_push_src_get_type+726>: test %eax,%eax
0x00002aaab2db30b8 <gst_push_src_get_type+728>: jne 0x2aaab2db3108 <gst_push_src_get_type+808>
0x00002aaab2db30ba <gst_push_src_get_type+730>: mov 0x38(%rsp),%rsi
0x00002aaab2db30bf <gst_push_src_get_type+735>: mov 0x40(%rsi),%rcx
0x00002aaab2db30c3 <gst_push_src_get_type+739>: cmp %rbx,%rcx
0x00002aaab2db30c6 <gst_push_src_get_type+742>: jne 0x2aaab2db30d2 <gst_push_src_get_type+754>
0x00002aaab2db30c8 <gst_push_src_get_type+744>: cmp 0x20(%rsi),%r12d
...

Changed in nautilus:
status: Needs Info → Confirmed
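
What the disassembly above shows, spelled out: the faulting instruction `mov 0x40(%rsi),%rcx` reads a field at offset 0x40 through %rsi, and the kernel logged the fault address as 0000000000000040, so %rsi was NULL. That is a NULL pointer dereference with a struct offset, which fits the "Could not detect type for contents within an ID3 tag" error the fixed version reports later in this thread. The following is an added illustration of that failure pattern in standalone C, written for this page; it is not gstreamer's code and not the fix Kees links. It assumes the file is a bare ID3v1 tag (128 bytes is exactly the size of one), that the typefinder returns NULL when no audio data remains once the tag is stripped, and it constructs its own two sample inputs; the struct layout, function names and sample bytes are all invented for the example.

```c
#include <assert.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for a typefind result (the detected media type). This is an
 * illustrative struct, not a GStreamer type; `mime` is deliberately placed
 * at offset 0x40 so that dereferencing a NULL result faults at address
 * 0x40, the address the kernel logged for nautilus and rhythmbox above. */
typedef struct {
    uint8_t reserved[0x40];
    const char *mime;
} caps_t;

static const caps_t MP3_CAPS = { {0}, "audio/mpeg" };

/* ID3v1 is a 128-byte trailer beginning with "TAG". Returns how many bytes
 * of the buffer precede the tag, i.e. the length of the actual audio data. */
static size_t strip_id3v1(const uint8_t *buf, size_t len)
{
    if (len >= 128 && memcmp(buf + len - 128, "TAG", 3) == 0)
        return len - 128;
    return len;
}

/* Toy typefinder: an MPEG audio frame starts with an 11-bit sync word
 * (0xFF, 0xEx). Anything else is "unknown", reported as NULL. */
static const caps_t *typefind(const uint8_t *buf, size_t len)
{
    if (len >= 2 && buf[0] == 0xFF && (buf[1] & 0xE0) == 0xE0)
        return &MP3_CAPS;
    return NULL;
}

/* Vulnerable pattern: trusts that something was found behind the tag. */
static const char *probe_unchecked(const uint8_t *buf, size_t len)
{
    size_t payload = strip_id3v1(buf, len);
    const caps_t *caps = typefind(buf, payload);
    return caps->mime;   /* caps == NULL on a tag-only file: reads address 0x40 */
}

/* Hardened pattern: "nothing behind the tag" and "unrecognised payload" are
 * both errors, never a dereference. */
static const char *probe_checked(const uint8_t *buf, size_t len)
{
    size_t payload = strip_id3v1(buf, len);
    if (payload == 0)
        return NULL;     /* could not detect type for contents within an ID3 tag */
    const caps_t *caps = typefind(buf, payload);
    return caps ? caps->mime : NULL;
}

/* Constructed inputs (not the file attached to the report): a bare ID3v1 tag,
 * 128 bytes with "TAG" and an artist field at offset 33, and the same tag
 * preceded by a single MPEG frame header. */
static const uint8_t SAMPLE_TAG_ONLY[128] = {
    'T', 'A', 'G', [33] = 'P', 'h', 'i', 'l', ' ', 'C', 'o', 'l', 'l', 'i', 'n', 's'
};
static const uint8_t SAMPLE_FRAME_TAG[4 + 128] = {
    0xFF, 0xFB, 0x90, 0x00, 'T', 'A', 'G', [4 + 33] = 'P', 'h', 'i', 'l'
};

int main(void)
{
    printf("checked, frame+tag  : %s\n",
           probe_checked(SAMPLE_FRAME_TAG, sizeof SAMPLE_FRAME_TAG));
    printf("checked, tag only   : %s\n",
           probe_checked(SAMPLE_TAG_ONLY, sizeof SAMPLE_TAG_ONLY) ? "found" : "no type, error path");
    printf("unchecked, frame+tag: %s\n",
           probe_unchecked(SAMPLE_FRAME_TAG, sizeof SAMPLE_FRAME_TAG));
    /* probe_unchecked(SAMPLE_TAG_ONLY, sizeof SAMPLE_TAG_ONLY) is the crash:
     * typefind() returns NULL and caps->mime reads address 0x40. */
    return 0;
}
```

Compile with `cc -Wall id3probe.c` and run. Calling probe_unchecked on the tag-only sample reproduces the signature in the report (a user-mode read of address 0x40), which is what makes this a NULL dereference of a struct field rather than a wild write; the hardened probe turns the same input into an error return, as the gst-launch output from Edgy does.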
Kees Cook (kees) wrote:

Is this on dapper? I can't reproduce it in edgy:

$ gst-launch-0.10 playbin uri=file:///tmp/Phil_Collins.mp3
Setting pipeline to PAUSED ...
ERROR: Pipeline doesn't want to pause.
ERROR: from element /playbin0/decoder/id3demux0: Could not determine type of stream.
Additional debug info:
gstid3demux.c(880): gst_id3demux_sink_activate (): /playbin0/decoder/id3demux0:
Could not detect type for contents within an ID3 tag
Setting pipeline to NULL ...
FREEING pipeline ...

Kees Cook (kees) wrote:

I'm pretty certain this is fixed in Edgy. This appears to be the change entry for gstreamer that fixed it:

http://webcvs.freedesktop.org/gstreamer/gst-plugins-good/gst/id3demux/gstid3demux.c?r1=1.17&r2=1.18

jonnieo (lejono+spam) wrote:

Yes, I am using Dapper. Great that it is fixed in Edgy! However, as I understand things, it does present a bad security risk in Dapper, if I can get a segfault just by sending someone an mp3.

Martin Pitt (pitti) wrote: Re: [Bug 60146] Re: Phil Collins causes Nautilus to segfault

Hi,

jonnieo [2006-09-24 12:13 -0000]:
> Yes, I am using Dapper. Great that it is fixed in Edgy! However, as I
> undertand things, it does present a bad security risk in Dapper, if I
> can get a segfault just by sending someone an mp3.

This depends on whether it merely crashes the player (we do not issue
security updates for crashes of non-daemon client-side programs) or
can be exploited to execute arbitrary code (in which case it would
deserve a security update).
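
A first-cut way to sort the kernel lines quoted at the top of this report along the line Martin draws (a crash only, or a candidate for arbitrary code execution), as an added example that is not part of the bug thread and not an Ubuntu security-team tool: it parses the `segfault at ... rip ... rsp ... error N` message and decodes the x86 page-fault error code the kernel prints there (bit 0 set means a protection violation rather than a missing page, bit 1 a write, bit 2 user mode, bit 4 an instruction fetch). `error 4` with fault address 0x40 is a user-mode read through a NULL pointer plus a struct offset, a denial-of-service crash rather than a sign of a hijacked instruction pointer or a wild write. The two report lines are reused verbatim; the third log line, the NULL-page threshold and all function names are constructed for the example.

```c
#include <assert.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Fields of one kernel "segfault at ..." message (x86-64 format). */
typedef struct {
    unsigned long long addr;   /* faulting address (CR2) */
    unsigned long long rip;    /* instruction pointer at the fault */
    unsigned long long rsp;
    unsigned err;              /* page-fault error code, printed in hex */
} segv_t;

/* x86 page-fault error code bits, as printed after "error". */
enum { PF_PROT = 1, PF_WRITE = 2, PF_USER = 4, PF_RSVD = 8, PF_INSTR = 16 };

/* Addresses below this are treated as "NULL plus a small offset", i.e. a
 * field or array access through a NULL pointer. Assumed threshold: the
 * first page; tune it to the system's mmap_min_addr. */
#define NULL_PAGE_LIMIT 0x1000ULL

/* Parses the message wherever it sits in the line; the syslog prefix,
 * kernel timestamp and process name are skipped. Returns 1 on success. */
static int parse_segfault_line(const char *line, segv_t *out)
{
    const char *p = strstr(line, "segfault at ");
    if (!p)
        return 0;
    return sscanf(p, "segfault at %llx rip %llx rsp %llx error %x",
                  &out->addr, &out->rip, &out->rsp, &out->err) == 4;
}

/* Heuristic triage: separates a plain NULL dereference (a crash) from
 * signs of a wild write or a corrupted instruction pointer. It ranks what
 * to look at first; it is not proof of (non-)exploitability either way. */
static const char *triage(const segv_t *s)
{
    int write = (s->err & PF_WRITE) != 0;
    int fetch = (s->err & PF_INSTR) != 0 || s->addr == s->rip;
    if (fetch)
        return "instruction fetch from unmapped memory: control flow is corrupted";
    if (s->addr < NULL_PAGE_LIMIT)
        return write ? "NULL-page write: NULL pointer dereference (write)"
                     : "NULL-page read: NULL pointer dereference, denial of service";
    return write ? "wild write: memory corruption candidate"
                 : "wild read: out-of-bounds read";
}

/* Convenience wrappers so a line can be classified in one call. */
static const char *triage_line(const char *line)
{
    segv_t s;
    if (!parse_segfault_line(line, &s))
        return "unparsed";
    return triage(&s);
}

static unsigned long long fault_addr(const char *line)
{
    segv_t s;
    return parse_segfault_line(line, &s) ? s.addr : ~0ULL;
}

/* The two messages quoted in the bug report, plus one constructed line
 * (not from the report) showing what a write fault looks like (error 6 =
 * user mode + write, page not present). */
static const char *REPORT_RHYTHMBOX =
    "rhythmbox[6642]: segfault at 0000000000000040 rip 00002aaaacb1d0bf rsp 00000000407fee90 error 4";
static const char *REPORT_NAUTILUS =
    "localhost kernel: [65168.779237] nautilus[5190]: segfault at 0000000000000040 rip 00002aaab2da90bf rsp 00007fffffbb0c10 error 4";
static const char *CONSTRUCTED_WRITE =
    "example[1]: segfault at 00007f12deadbe00 rip 0000000000401234 rsp 00007ffc0000fe00 error 6";

int main(void)
{
    const char *lines[] = { REPORT_RHYTHMBOX, REPORT_NAUTILUS, CONSTRUCTED_WRITE };
    for (size_t i = 0; i < sizeof lines / sizeof lines[0]; i++)
        printf("%s\n  -> %s\n", lines[i], triage_line(lines[i]));
    return 0;
}
```

Both report lines classify the same way, a NULL-page read, and the fault address 0x40 matches the `0x40(%rsi)` operand in the disassembly Kees posted; the read is of a field through a NULL base pointer, not a write and not a jump to attacker-controlled memory. That is the evidence one would cite for "merely crashes the player" in Martin's terms, while a wild write or a fault whose address equals rip would argue for treating the file as a security issue.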

Kees Cook (kees) wrote:

Since this is fixed in Edgy, I'm marking the bug as "Fix Released". Thanks again for the report!

Changed in gstreamer0.10:
importance: Untriaged → Low
status: Confirmed → Fix Released
Kees Cook (kees)
Changed in gstreamer0.10:
importance: Low → Medium