Package: gmediaserver
Version: 0.13.0-6
Severity: serious
Tags: patch

Hi!
The current version of the server crashes at random times, although easily reproducible by doing ranged requests, for example fast forwarding on a video, or depending on the implementation by the simple fact that it requests ranges of data when streaming. I've just seen two types of crashers due to the same cause, one with an abort() due to a double free or a corrupted heap chunk from eglibc (which was impossible to debug on armel as gdb does not do proper backtraces beyond the abort() :/), and the other due to invalid memory access segfaults from libupnp-1.6.6/upnp/src/genlib/net/http/webserver.c in CheckOtherHTTPHeaders() when calling map_str_to_int().

After reproducing this on amd64 it was easy to see the problem: the src/main.c:conv_filename() function is not thread safe, as it uses a static buffer to be able to return the computed string, w/o leaking. Due to the UPnP web server being threaded and the function freeing the pointer on entry, the string used by the server might happen to end up doubly freed, or used while the pointer is not valid any longer. Just declaring the variable as Thread Local Storage correctly fixes the issue. I've not seen any crashers since.

I think this should be fixed for squeeze as it's quite unreliable otherwise.

thanks,
guillem
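The pattern described above, as an added example that is not code from gmediaserver: the static-cache version of conv_filename beside the __thread version from the patch, plus a small pthread check that concurrent callers of the thread-local version each keep their own string. The `convert()` body is a constructed stand-in for the real filename conversion.

```c
#include <pthread.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for the real conversion: prefixes the name with "fs:". */
static char *convert(const char *str) {
    size_t n = strlen(str) + 4;          /* "fs:" + str + NUL */
    char *out = malloc(n);
    if (out) snprintf(out, n, "fs:%s", str);
    return out;
}

/* The pattern from the bug report: one process-wide cache, freed on every
 * entry. Correct single-threaded; with concurrent callers one thread can
 * free the buffer another thread is still reading, or free it twice. */
static char *cache_unsafe = NULL;
char *conv_filename_unsafe(const char *str) {
    free(cache_unsafe);
    cache_unsafe = convert(str);
    return cache_unsafe;
}

/* The fix from the patch: __thread (GCC thread-local storage) gives every
 * thread its own cache, so no thread can free or overwrite another's buffer. */
static __thread char *cache_tls = NULL;
char *conv_filename_tls(const char *str) {
    free(cache_tls);
    cache_tls = convert(str);
    return cache_tls;
}

struct job { int id; int bad; };

/* Each worker converts a name unique to it repeatedly and checks that the
 * returned string is still its own (a stale or foreign buffer would differ). */
static void *worker(void *arg) {
    struct job *j = arg;
    char name[32], want[40];
    snprintf(name, sizeof name, "video%d.mkv", j->id);
    snprintf(want, sizeof want, "fs:%s", name);
    for (int i = 0; i < 2000 && !j->bad; i++) {
        const char *got = conv_filename_tls(name);
        if (!got || strcmp(got, want) != 0) j->bad = 1;
    }
    free(cache_tls); cache_tls = NULL;   /* __thread has no destructor: release on exit */
    return NULL;
}

/* Runs up to 16 concurrent callers; returns 0 if every thread only ever saw its own string. */
int run_tls_check(int nthreads) {
    pthread_t t[16]; struct job j[16]; int bad = 0;
    if (nthreads > 16) nthreads = 16;
    for (int i = 0; i < nthreads; i++) { j[i].id = i; j[i].bad = 0; pthread_create(&t[i], NULL, worker, &j[i]); }
    for (int i = 0; i < nthreads; i++) { pthread_join(t[i], NULL); bad |= j[i].bad; }
    return bad;
}
```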
Description: Fix thread unsafe function causing crashes The conv_filename function is not thread safe, as it uses a static buffer to be able to return the computed string, w/o leaking. Due to the UPnP web server being threaded and the function freeing the pointer on entry, the string used by the server might happen to be doubly freed, or used while the pointer is not valid any longer. Just declare the variable as Thread Local Storage.
Author: Guillem Jover <guil...@debian.org>
--- gmediaserver-0.13.0.orig/src/main.c +++ gmediaserver-0.13.0/src/main.c @@ -127,7 +127,7 @@ convert_string_to_log(const char *str) return xstrdup(str); } -static char *cache_fs_str = NULL; +static __thread char *cache_fs_str = NULL; char * conv_filename(const char *str)
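Review bot: the `__thread` cache_fs_str is never released, because thread-local variables have no destructor, so each UPnP worker thread keeps its last converted string allocated until the process exits; for a fixed pool of long-lived threads this is bounded, but the description should say so, and if it matters a `pthread_key_create` key with a destructor, or returning an owned string the caller frees, would avoid it. Also worth a line in the description: `__thread` is a GCC extension rather than standard C, so the build now depends on TLS support in the toolchain on every architecture the package is built for.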