Peter Denison <bug-repo...@marshadder.org> wrote:

Hi,

> Done a bit more work on this (though still haven't managed to work out
> how to debug properly!). Your patch now forces it to fail, as the
> malloc() will always return an address which is 8-byte-aligned, but
> not 16-byte aligned, due to the arena header.

Hmm, not good but not bad either if it becomes 100% reproducible ;)

> The ebx value is 0x1000 greater than the value of handle->buffer, that
> is assigned from the return from malloc(). It doesn't fail on the
> first call to avcodec_decode_audio2() from _ssc_ffmpeg_read_frame(),
> but on the second, repeatably.

If the problem lies in the output buffer alignment, then the first
frame doesn't get decoded in the same way, otherwise we'd see that
here too.

New patch attached, same as the previous one except it uses ffmpeg's
malloc() which will take care of the alignment.

So this one should really fix it, if we are having an alignment issue.

JB.

-- 
 Julien BLACHE <jbla...@debian.org>  |  Debian, because code matters more 
 Debian & GNU/Linux Developer        |       <http://www.debian.org>
 Public key available on <http://www.jblache.org> - KeyID: F5D6 5169 
 GPG Fingerprint : 935A 79F1 C8B3 3521 FD62 7CC7 CD61 4FD7 F5D6 5169 

#! /bin/sh /usr/share/dpatch/dpatch-run
## 17_fix_ffmpeg_buffer.dpatch by  <jbla...@debian.org>
##
## All lines beginning with `## DP:' are a description of the patch.
## DP: Fix ffmpeg buffer alignment - allocate the buffer with av_malloc()
## DP: instead of using a static buffer inside a struct where we can't
## DP: control the alignment.

@DPATCH@
diff -urNad mt-daapd-0.9~r1696.dfsg~/src/plugins/ssc-ffmpeg.c mt-daapd-0.9~r1696.dfsg/src/plugins/ssc-ffmpeg.c
--- mt-daapd-0.9~r1696.dfsg~/src/plugins/ssc-ffmpeg.c	2009-07-22 11:20:39.729138836 +0200
+++ mt-daapd-0.9~r1696.dfsg/src/plugins/ssc-ffmpeg.c	2009-07-22 11:22:22.993223299 +0200
@@ -52,7 +52,7 @@
     int packet_size;
     int audio_stream;
 
-    char buffer[BUFFER_SIZE];
+    char *buffer;
 
     char *buf_remainder;
     int buf_remainder_len;
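
Review bot: changing the member from char buffer[BUFFER_SIZE] to char *buffer also changes what sizeof(handle->buffer) evaluates to, from BUFFER_SIZE to the size of a pointer. None of the hunks in this patch touch the places where the buffer is filled or passed to the decoder. If ssc-ffmpeg.c uses sizeof(handle->buffer) as a length anywhere, that use has to be changed to BUFFER_SIZE in this same patch. Otherwise the length silently shrinks to 4 or 8 bytes.
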
@@ -149,6 +149,14 @@
     handle=(SSCHANDLE *)malloc(sizeof(SSCHANDLE));
     if(handle) {
         memset(handle,0,sizeof(SSCHANDLE));
+
+	handle->buffer = (char *)av_malloc(BUFFER_SIZE);
+	if (!handle->buffer) {
+	  free(handle);
+	  return NULL;
+	}
+
+	memset(handle->buffer, 0, BUFFER_SIZE);
     }
 
     return (void*)handle;
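
Review bot: the av_malloc() call added after memset(handle,0,sizeof(SSCHANDLE)) has no comment in the source saying that the buffer is allocated separately because the decoder needs it aligned. That reason lives only in the dpatch header, so a later cleanup could fold the buffer back into the struct. A one-line comment above handle->buffer = (char *)av_malloc(BUFFER_SIZE); would record it. The added lines are also indented with tabs while the surrounding function uses four spaces, and the av_malloc() plus memset(handle->buffer, 0, BUFFER_SIZE) pair can be written as one av_mallocz(BUFFER_SIZE) call.
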
@@ -158,6 +166,7 @@
     SSCHANDLE *handle = (SSCHANDLE *)vp;
     ssc_ffmpeg_close(handle);
     if(handle) {
+        av_free(handle->buffer);
         free(handle);
     }
 
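
Review bot: the if(handle) guard that now protects av_free(handle->buffer) comes after the context line ssc_ffmpeg_close(handle), so a NULL vp still reaches the close routine before it is checked. The patch does not introduce this, but since it adds a second dereference of handle in this function, it is worth moving ssc_ffmpeg_close(handle) inside the guard, unless that function is known to check for NULL itself. The av_free() call is paired correctly with the av_malloc() in the init hunk and is placed before free(handle), which is the right order.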
