speexenc segfaults on amd64

Bug #19482 reported by Patrik Grip-Jansson

Affects: speex (Ubuntu)
Status: Fix Released
Importance: Medium
Assigned to: Tollef Fog Heen

Bug Description

Whenever I try to encode anything with speexenc it segfaults. The following is the last part of an strace:

mmap(NULL, 131072, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x2aaaaaac4000
read(3, "RIFF\322\374\34\1WAVEfmt \20\0\0\0\1\0\1\0\0}\0\0\0\372"..., 131072) = 131072
write(2, "Encoding 32000 Hz audio using ul"..., 73Encoding 32000 Hz audio using ultra-wideband (sub-band CELP) mode (mono)
) = 73
brk(0x549000) = 0x549000
open("foo.spx", O_WRONLY|O_CREAT|O_TRUNC, 0666) = 4
mmap(NULL, 8556253184, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = -1 ENOMEM (Cannot allocate memory)
brk(0x1fe52a000) = 0x549000
mmap(NULL, 8556388352, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = -1 ENOMEM (Cannot allocate memory)
mmap(NULL, 17112506368, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = -1 ENOMEM (Cannot allocate memory)
brk(0x3fc50b000) = 0x549000
mmap(NULL, 17112641536, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = -1 ENOMEM (Cannot allocate memory)
--- SIGSEGV (Segmentation fault) @ 0 (0) ---
+++ killed by SIGSEGV +++

Revision history for this message
Tristan Wibberley (tristan-wibberley) wrote : audio file that segfaults speexenc

This audio file segfaults speexenc on up-to-date dapper (amd64):

 $ gdb speexenc
GNU gdb 6.4-debian
Copyright 2005 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu"...(no debugging symbols found)
Using host libthread_db library "/lib/libthread_db.so.1".

(gdb) set args lugradioshort.wav lugradioshort.spx
(gdb) r
Starting program: /usr/bin/speexenc lugradioshort.wav lugradioshort.spx
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
Encoding 8000 Hz audio using narrowband mode (mono)

Program received signal SIGSEGV, Segmentation fault.
0x00002aaaaafde954 in memcpy () from /lib/libc.so.6
(gdb) thread apply all bt
(gdb) q

Revision history for this message
Matt Zimmerman (mdz) wrote : Re: speexenc seg faults

This file encodes fine for me on current Dapper; please reopen if it is not fixed for you

Changed in speex:
status: Unconfirmed → Fix Released
Revision history for this message
Tristan Wibberley (tristan-wibberley) wrote :

I can see no changes to speex in the repository, and it is still crashing with the version I have (1.1.11.1-1).

This dapper was installed as breezy, then upgraded.

Revision history for this message
Tristan Wibberley (tristan-wibberley) wrote :

I can't remember what its status was, so I've set it to unconfirmed since Matt Zimmerman has reported it as working.

Changed in speex:
status: Fix Released → Unconfirmed
Revision history for this message
Tristan Wibberley (tristan-wibberley) wrote : strace

Attached an strace as the backtrace is empty. This shows a very large mmap attempt failing shortly before the segfault. Could be some data munging somewhere.

Revision history for this message
Tristan Wibberley (tristan-wibberley) wrote : Re: speexenc seg faults

I noticed that other such immediate crashers are marked major, doing the same here so it doesn't get lost.

Changed in speex:
status: Unconfirmed → Confirmed
Revision history for this message
Tristan Wibberley (tristan-wibberley) wrote : speex.diff

This is a 64bit correctness bug. There seem to be several like this one, but this patch only fixes this bug, not any others.

Apply the diff within the speex-1.1.11.1 directory using patch -p1 < path_to_diff

Revision history for this message
Tristan Wibberley (tristan-wibberley) wrote : Re: speexenc seg faults

- free(comments);
+ //free(comments);

That bit is wrong. It's a leftover from earlier debugging work.

Revision history for this message
Matt Zimmerman (mdz) wrote :

Patch available for review

Changed in speex:
assignee: nobody → tfheen
Revision history for this message
Tristan Wibberley (tristan-wibberley) wrote :

The #error message should say "converting to long" instead of "casting to long", I didn't put a cast in.

Revision history for this message
Tristan Wibberley (tristan-wibberley) wrote :

Is the reliance on promotion in "#if SIZE_MAX > LONG_MAX" correct?

Revision history for this message
jmspeex (jean-marc-valin) wrote :

Just saw this today. I'm the maintainer of Speex (for some reason the Speex project no longer appears on launchpad). I'll fix the problem in Speex for the next release. In the meantime, I suggest simply doing the following change instead:

- op.packet = (unsigned char *)speex_header_to_packet(&header, (int*)&(op.bytes));
+ int bytes;
+ op.packet = (unsigned char *)speex_header_to_packet(&header, &bytes);
+ op.bytes = bytes;
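Review bot: the `+ int bytes;` declaration sits immediately before the call; if that position is not the start of the enclosing block it is a mixed declaration that C89 compilers reject, so the declaration belongs at the top of the block (the debdiff later in this thread places `int packet_size;` there). The approach itself, an int temporary assigned to op.bytes, is the right fix: it stops a 4-byte int from being written through a cast pointer into a `long` that is 8 bytes on amd64.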

It's much simpler and the Speex header size is guaranteed to fit in an int (actually, it would even fit in a char), so no need to change anything to size_t.
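A small C program, added here as an illustration and not part of speex or of the patches in this thread, showing why writing through `(int*)&(op.bytes)` crashes on amd64 and why the int temporary fixes it. `header_to_packet()` is a hypothetical stand-in for speex_header_to_packet(), and `stale_value()` is a constructed value standing in for whatever the uninitialised stack slot happened to hold.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* The ogg_packet fields that matter here: 'bytes' is a long, which is
 * 8 bytes on LP64 amd64 but 4 bytes on i386. */
struct packet { unsigned char *data; long bytes; };

/* Hypothetical stand-in for speex_header_to_packet(): like the real one it
 * reports the length through an int* out-parameter. memcpy makes the store
 * exactly sizeof(int) bytes wide, just as "*size = 80" would be. */
static unsigned char *header_to_packet(int *size)
{
    int n = 80;                      /* constructed: a small header size */
    memcpy(size, &n, sizeof n);
    return calloc(n, 1);
}

/* Constructed stand-in for what the uninitialised stack slot held: 2^33 on
 * LP64 (same order as the 8 GB mmap() in the strace), 2^17 on ILP32. */
long stale_value(void)
{
    return ((long)1 << (sizeof(long) * 4)) * 2;
}

/* speex 1.1.11.1 pattern: the int* cast writes only the low sizeof(int)
 * bytes of op.bytes; the upper bytes keep whatever they held before. */
long buggy_size(long stale)
{
    struct packet op;
    op.bytes = stale;
    op.data = header_to_packet((int *)&op.bytes);
    free(op.data);
    return op.bytes;   /* 8589934672 on LP64 little-endian, not 80 */
}

/* changeset 10684 pattern: int temporary, then a plain assignment. */
long fixed_size(long stale)
{
    struct packet op;
    int packet_size;
    op.bytes = stale;
    op.data = header_to_packet(&packet_size);
    op.bytes = packet_size;
    free(op.data);
    return op.bytes;   /* 80 on every ABI */
}

int main(void)
{
    printf("buggy=%ld fixed=%ld\n", buggy_size(stale_value()), fixed_size(stale_value()));
    return 0;
}
```

On a 32-bit build both functions return 80, which is why the crash was only ever seen on amd64.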

Revision history for this message
jmspeex (jean-marc-valin) wrote :

Bit off-topic, but I just noticed that Speex is listed as an Ubuntu package instead of an individual project. In any case, how can I get automatically notified of bugs filed against Speex?

Revision history for this message
jmspeex (jean-marc-valin) wrote :

I talked too soon. The patch I was proposing was actually applied on 01/01/06 19:21:21 (see http://trac.xiph.org/changeset/10684) and actually made it into 1.1.12. You probably want to apply the same patch in Dapper.

Revision history for this message
jmspeex (jean-marc-valin) wrote :

Any plan on fixing this bug? The fix was found even before Dapper was officially released, but nobody applied it. Also, the patch I submitted (above) last month has actually been in Speex for more than 6 months, so it's fairly safe. Definitely better than having speexenc crash 100% of the time on AMD64.

Revision history for this message
jmspeex (jean-marc-valin) wrote :

Based on what I see at http://packages.ubuntulinux.org/edgy/source/speex it seems like Edgy is not affected by the bug (which was fixed in 1.1.12). Now will someone finally apply the 4-line fix (above) to Dapper... or does LTS just stand for "Long Time to get Support"?

Revision history for this message
jmspeex (jean-marc-valin) wrote :

Considering the refusal to fix the speex encoder 6 months after a patch was posted, I request (as the Speex maintainer) that package "speex" (not libspeex1) be removed from the amd64 version of Dapper. The package is broken beyond any use on that system, so all it does is give people a bad impression of Ubuntu and/or Speex. Thank you.

Revision history for this message
Ming Hua (minghua) wrote :

To update a package in dapper, the procedures in https://wiki.ubuntu.com/StableReleaseUpdates need to be followed. Although speex is in universe, as speex and libspeex1 are built from the same source package, and libspeex1 is in main, I believe this update needs to follow main's stable release update procedure.

Revision history for this message
Daniel T Chen (crimsun) wrote : [Fwd: SRU proposal for 6.06.1's speex 1.1.11.1]

[Resending to LP due to buggered recipient address]

-------- Original Message --------
Subject: SRU proposal for 6.06.1's speex 1.1.11.1
Date: Sat, 04 Nov 2006 16:21:02 -0500
From: Daniel T. Chen <email address hidden>
Reply-To: <email address hidden>
To: <email address hidden>, <email address hidden>
CC: <email address hidden>, <email address hidden>

Hi Matt, Colin,

Early this morning, Jean-Marc Valin made me aware of an outstanding
segfault[0] affecting the speexenc executable for Dapper/AMD64 (release-
and arch-specific, purportedly only AMD64 is affected) upon attempting
to encode files. A straightforward fix[1] was applied upstream on 01
January 2006 and is present in Edgy's speex source package; only Dapper
is affected.

Attached please find a SRU debdiff against 6.06.1's speex source package.

% debdiff speex_1.1.11.1-1.dsc speex_1.1.11.1-1ubuntu0.1.dsc |diffstat
 speex-1.1.11.1/debian/changelog | 7 +++++++
 src/speexenc.c | 5 +++--
 2 files changed, 10 insertions(+), 2 deletions(-)

[0] https://launchpad.net/distros/ubuntu/+source/speex/+bug/19482
[1] https://trac.xiph.org/changeset/10684

Thanks,
--
Daniel T. Chen <email address hidden>
GPG key: 0xC88ABDA3

diff -u speex-1.1.11.1/debian/changelog speex-1.1.11.1/debian/changelog
--- speex-1.1.11.1/debian/changelog
+++ speex-1.1.11.1/debian/changelog
@@ -1,3 +1,10 @@
+speex (1.1.11.1-1ubuntu0.1) dapper-proposed; urgency=low
+
+ * Apply patch from https://trac.xiph.org/changeset/10684 fixing
+ speexenc segfault on AMD64 (Closes Ubuntu: #19482).
+
+ -- Daniel T Chen <email address hidden> Sat, 4 Nov 2006 16:09:19 -0500
+
 speex (1.1.11.1-1) unstable; urgency=low

   * New upstream release
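Review bot: the changelog bullet references the bug as "(Closes Ubuntu: #19482)", which Launchpad does not parse as a bug-closing reference; the recognised form is "LP: #19482", and the later 1.1.11.1-1ubuntu0.2 entry in this thread has to add it as a separate bullet for that reason. Suggest writing the bullet as `* Apply patch from https://trac.xiph.org/changeset/10684 fixing speexenc segfault on AMD64 (LP: #19482).` so the upload closes the bug automatically.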
only in patch2:
unchanged:
--- speex-1.1.11.1.orig/src/speexenc.c
+++ speex-1.1.11.1/src/speexenc.c
@@ -628,8 +628,9 @@

    /*Write header*/
    {
-
- op.packet = (unsigned char *)speex_header_to_packet(&header, (int*)&(op.bytes));
+ int packet_size;
+ op.packet = (unsigned char *)speex_header_to_packet(&header, &packet_size);
+ op.bytes = packet_size;
       op.b_o_s = 1;
       op.e_o_s = 0;
       op.granulepos = 0;
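Review bot: the change is correct and addresses the root cause: ogg_packet.bytes is a `long` (8 bytes on amd64) while speex_header_to_packet writes its result through an `int*`, so the removed `(int*)&(op.bytes)` filled only the low 32 bits and left the high 32 bits holding leftover stack contents, which is the multi-gigabyte length behind the failing mmap() calls in the strace and the crash in memcpy(). Declaring `int packet_size;` at the top of the block keeps the code C89-clean. One follow-up worth considering in the same block: speex_header_to_packet returns an allocated buffer, so checking op.packet for NULL before it is used would turn an allocation failure into a clean error instead of another crash.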

Revision history for this message
Daniel T Chen (crimsun) wrote : [Fwd: Re: SRU proposal for 6.06.1's speex 1.1.11.1]

Forwarding due to my original goof on the CC.

-------- Original Message --------
Subject: Re: SRU proposal for 6.06.1's speex 1.1.11.1
Date: Sun, 19 Nov 2006 18:22:00 -0800
From: Matt Zimmerman <email address hidden>
To: <email address hidden>
CC: <email address hidden>, <email address hidden>
References: <email address hidden>

OK for -proposed

--
 - mdz

--
Daniel T. Chen <email address hidden>
GPG key: 0xC88ABDA3

Revision history for this message
Colin Watson (cjwatson) wrote :

Accepted into dapper-proposed. Daniel, once this has built, please proceed with testing via the QA team as per StableReleaseUpdates.

Changed in speex:
status: Confirmed → In Progress
Revision history for this message
Daniel T Chen (crimsun) wrote : StableReleaseUpdates - Ubuntu bug 19482 - testing phase notification

QA team et al.,

Per SRU policy, I've tagged Ubuntu bug report 19482 after Colin has
accepted speex (1.1.11.1-1ubuntu0.1) into dapper-proposed. Because this
fix is arch-specific (amd64), and I don't have physical access to one
such machine, I'm unable to personally verify the fix. Please test on
available dapper/amd64 configurations.

Thanks,
--
Daniel T. Chen <email address hidden>
GPG key: 0xC88ABDA3

Revision history for this message
jmspeex (jean-marc-valin) wrote :

I don't have a Dapper64 machine, but if anyone has, the test is really simple:

% speexenc /dev/zero /dev/null

If it doesn't crash after a millisecond or so, then the bug is fixed.

Revision history for this message
Tollef Fog Heen (tfheen) wrote :

I can verify that jmspeex's test completes (well, it never completes until C-c-ed) successfully for me, using the package in -proposed.

Revision history for this message
Simon Law (sfllaw) wrote :

This package is available in -proposed.

Changed in speex:
status: In Progress → Fix Committed
Revision history for this message
Simon Law (sfllaw) wrote :

According to https://wiki.ubuntu.com/MOTU/Processes/SRU

"Works for me."

Tested on a Dapper AMD64 machine. Verified that the package in -proposed fixed the breakage, while not causing any regressions from previous behaviour. Also, speexenc appears to actually encode files, which makes it work better than before.

Revision history for this message
jmspeex (jean-marc-valin) wrote :

Considering that the patch has been in the main Speex tree for over a year without complaints and the previous behaviour was totally broken anyway, I say go for it now.

Revision history for this message
Daniel T Chen (crimsun) wrote :

"Works for me" in a [current] amd64 Dapper chroot:

root@adhd:/# dpkg -l speex|grep ^ii|awk '{print $3}'
1.1.11.1-1ubuntu0.1
root@adhd:/# speexenc /usr/share/sounds/startup.wav /tmp/startup.spx ; echo $?
Warning: Speex is only optimized for 8, 16 and 32 kHz. It will still work at 44100 Hz but your mileage may vary
Encoding 44100 Hz audio using ultra-wideband (sub-band CELP) mode (stereo)
0
root@adhd:/# ls -l /tmp/startup.spx
-rw-r--r-- 1 root root 74729 Feb 22 05:56 /tmp/startup.spx

Revision history for this message
Chris Halse Rogers (raof) wrote :

Also "Works for me" in a [current] amd64 Dapper chroot:

root@RAOF:/root# dpkg -l speex | grep ^ii| awk '{print $3}'
1.1.11.1-1ubuntu0.1
root@RAOF:/root# speexenc lugradioshort.wav lugradioshort.spx
Encoding 8000 Hz audio using narrowband mode (mono)
root@RAOF:/root# ls -l lugradioshort.spx
-rw-r--r-- 1 root root 1212 Feb 22 06:14 lugradioshort.spx

Revision history for this message
Michael F. Rimbert (mrimbert) wrote :

Also works for me in an updated/upgraded amd64 Dapper LiveCD session:

ubuntu@ubuntu:~$ dpkg -l speex|grep ^ii|awk '{print $3}'
1.1.11.1-1ubuntu0.1
ubuntu@ubuntu:~$ speexenc /usr/share/sounds/startup.wav /tmp/startup.spx
Warning: Speex is only optimized for 8, 16 and 32 kHz. It will still work at 44100 Hz but your mileage may vary
Encoding 44100 Hz audio using ultra-wideband (sub-band CELP) mode (stereo)
ubuntu@ubuntu:~$ ls -l /tmp/startup.spx
-rw-r--r-- 1 ubuntu ubuntu 74729 2007-02-22 21:59 /tmp/startup.spx

Revision history for this message
Daniel T Chen (crimsun) wrote :

Format: 1.7
Date: Wed, 7 Mar 2007 00:54:29 -0500
Source: speex
Binary: speex-doc libspeex-dev speex libspeex1
Architecture: source
Version: 1.1.11.1-1ubuntu0.2
Distribution: dapper-updates
Urgency: low
Maintainer: Debian VoIP Team <email address hidden>
Changed-By: Daniel T Chen <email address hidden>
Description:
 libspeex-dev - The Speex Speech Codec
 libspeex1 - The Speex Speech Codec
 speex - The Speex Speech Codec
 speex-doc - Documentation for speex
Launchpad-Bugs-Fixed: 19482
Changes:
 speex (1.1.11.1-1ubuntu0.2) dapper-updates; urgency=low
 .
   * No-change upload propagating to dapper-updates.
   * LP: #19482
   * Thanks to testing by Tollef Fog Heen, Simon Law, Chris Halse Rogers
     and Michael Rimbert.
 .
 speex (1.1.11.1-1ubuntu0.1) dapper-proposed; urgency=low
 .
   * Apply patch from https://trac.xiph.org/changeset/10684 fixing
     speexenc segfault on AMD64 (Closes Ubuntu: #19482).
Files:
 3a408e57d55d69ad975a679131dc0112 892 sound optional speex_1.1.11.1-1ubuntu0.2.dsc
 6f7065145e19013c1ff50e74d14a0cdf 16157 sound optional speex_1.1.11.1-1ubuntu0.2.diff.gz

Revision history for this message
Martin Pitt (pitti) wrote :

Accepted into dapper-updates, thank you!

Changed in speex:
status: Fix Committed → Fix Released
Changed in edubuntu-addon-cd:
status: New → Invalid