Bug#885606: crash at startup: double free or corruption (bug 885606)
Hello all,
I just tried to find out what caused the crash.
This bug seems to be caused by libcdio17_1.0.0-2.
In this library the memory of p_env->cdtext
is freed once inside cdtext_destroy() and then
a second time in get_cdtext_generic(), right after that call.
Upstream was notified about the issue in [1] and
fixed the issue in commits [2] and [3].
I expect this issue to be resolved once
libcdio18_2.0.0* is installed.
So either this bug should be forwarded to libcdio
or closed directly.
Kind regards,
Bernhard
(gdb) list cdtext_destroy
238 cdtext_destroy(cdtext_t *p_cdtext)
...
255 free(p_cdtext);
(gdb) list get_cdtext_generic
281 get_cdtext_generic (void *p_user_data)
...
300 cdtext_destroy (p_env->cdtext); <- once freed inside this function
301 free(p_env->cdtext); <- again freed here
[1] http://lists.gnu.org/archive/html/libcdio-devel/2017-12/msg00010.html
[2] http://git.savannah.gnu.org/cgit/libcdio.git/commit/lib/driver/_cdio_generic.c?id=f6f9c48fb40b8a1e8218799724b0b61a7161eb1d
[3] http://git.savannah.gnu.org/cgit/libcdio.git/commit/lib/driver/_cdio_generic.c?id=dec2f876c2d7162da213429bce1a7140cdbdd734
*** Error in `/usr/lib/x86_64-linux-gnu/kodi/kodi.bin': double free or corruption (out): 0x00007f0af0004530 ***
======= Backtrace: =========
/lib/x86_64-linux-gnu/libc.so.6(+0x722fb)[0x7f0b506ae2fb]
/lib/x86_64-linux-gnu/libc.so.6(+0x7895e)[0x7f0b506b495e]
/lib/x86_64-linux-gnu/libc.so.6(+0x791be)[0x7f0b506b51be]
/usr/lib/x86_64-linux-gnu/libcdio.so.17(+0x8937)[0x7f0b560ac937]
/usr/lib/x86_64-linux-gnu/kodi/kodi.bin(_ZN12MEDIA_DETECT12CCdIoSupport13GetCdTextInfoERSt3mapI14cdtext_field_tNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEESt4lessIS2_ESaISt4pairIKS2_S8_EEEi+0x47)[0x556cf9cde727]
/usr/lib/x86_64-linux-gnu/kodi/kodi.bin(_ZN12MEDIA_DETECT12CCdIoSupport9GetCdInfoEPc+0xcae)[0x556cf9cdf55e]
/usr/lib/x86_64-linux-gnu/kodi/kodi.bin(_ZN12MEDIA_DETECT15CDetectDVDMedia15DetectMediaTypeEv+0xe7)[0x556cf9ce06a7]
/usr/lib/x86_64-linux-gnu/kodi/kodi.bin(_ZN12MEDIA_DETECT15CDetectDVDMedia12UpdateDvdromEv+0x17e)[0x556cf9ce0c7e]
/usr/lib/x86_64-linux-gnu/kodi/kodi.bin(_ZN12MEDIA_DETECT15CDetectDVDMedia7ProcessEv+0x98)[0x556cf9ce10d8]
/usr/lib/x86_64-linux-gnu/kodi/kodi.bin(_ZN7CThread6ActionEv+0x1f)[0x556cfa1f44ff]
/usr/lib/x86_64-linux-gnu/kodi/kodi.bin(_ZN7CThread12staticThreadEPv+0xbf)[0x556cfa1f47bf]
/lib/x86_64-linux-gnu/libpthread.so.0(+0x7519)[0x7f0b593be519]
/lib/x86_64-linux-gnu/libc.so.6(clone+0x3f)[0x7f0b50728a4f]
======= Memory map: ========
apt update
apt install mc htop xserver-xorg sddm openbox valgrind strace gdb dpkg-dev devscripts
deb [check-valid-until=no] https://snapshot.debian.org/archive/debian/20171231T200000Z/ buster main
deb-src [check-valid-until=no] https://snapshot.debian.org/archive/debian/20171231T200000Z/ buster main
deb [check-valid-until=no] http://snapshot.debian.org/archive/debian-debug/20171231T200000Z/ buster-debug main
apt update
apt install kodi kodi-bin-dbgsym libcdio17-dbgsym
mkdir kodi/orig -p
cd kodi/orig
apt source kodi
cd ../..
mkdir libcdio17/orig -p
cd libcdio17/orig
apt source libcdio17
cd ../..
systemctl start sddm
ps aux | grep kodi.bin | grep -v grep
benutzer 23787 2.3 10.7 4595216 331584 ? Sl 10:03 0:19 /usr/lib/x86_64-linux-gnu/kodi/kodi.bin --standalone
gdb -q --pid 23787
set height 0
set width 0
set pagination off
directory /home/benutzer/libcdio17/orig/libcdio-1.0.0/src
directory /home/benutzer/libcdio17/orig/libcdio-1.0.0/lib/driver
disassemble cdio_get_cdtext --> ./gnu_linux.c: .get_cdtext = get_cdtext_generic,
disassemble get_cdtext_generic
0x00007f04f66ba932 <+114>: callq 0x7f04f66b8b00 <free@plt>
0x00007f04f66ba937 <+119>: movq $0x0,0x1028(%rbx)
disassemble _ZN12MEDIA_DETECT12CCdIoSupport13GetCdTextInfoERSt3mapI14cdtext_field_tNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEESt4lessIS2_ESaISt4pairIKS2_S8_EEEi
0x000055c888a7f722 <+66>: callq 0x55c88833b150 <cdio_get_cdtext@plt>
0x000055c888a7f727 <+71>: test %rax,%rax
disassemble _ZN12MEDIA_DETECT12CCdIoSupport9GetCdInfoEPc
0x000055c888a80559 <+3241>: callq 0x55c888a7f6e0 <MEDIA_DETECT::CCdIoSupport::GetCdTextInfo(std::map<cdtext_field_t, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::less<cdtext_field_t>, std::allocator<std::pair<cdtext_field_t const, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > > >&, int)>
0x000055c888a8055e <+3246>: lea 0x50(%rsp),%r14
disassemble _ZN12MEDIA_DETECT15CDetectDVDMedia15DetectMediaTypeEv
0x000055c888a816a2 <+226>: callq 0x55c888a7f8b0 <MEDIA_DETECT::CCdIoSupport::GetCdInfo(char*)>
0x000055c888a816a7 <+231>: test %rax,%rax
disassemble _ZN12MEDIA_DETECT15CDetectDVDMedia12UpdateDvdromEv
0x000055c888a81c79 <+377>: callq 0x55c888a815c0 <MEDIA_DETECT::CDetectDVDMedia::DetectMediaType()>
0x000055c888a81c7e <+382>: lea 0x40(%rsp),%r12
disassemble _ZN12MEDIA_DETECT15CDetectDVDMedia7ProcessEv
0x000055c888a820d3 <+147>: callq 0x55c888a81b00 <MEDIA_DETECT::CDetectDVDMedia::UpdateDvdrom()>
0x000055c888a820d8 <+152>: movb $0x0,0x2a0(%rbp)
disassemble _ZN7CThread6ActionEv
0x000055c888f954fc <+28>: callq *0x30(%rax)
0x000055c888f954ff <+31>: mov (%rbx),%rax
disassemble _ZN7CThread12staticThreadEPv
0x000055c888f957ba <+186>: callq 0x55c888f954e0 <CThread::Action()>
0x000055c888f957bf <+191>: lea 0x230(%rbx),%r12
.
(gdb) list cdio_get_cdtext
/* Public entry point: dispatch to the driver's get_cdtext hook.  For the
   GNU/Linux driver that hook is get_cdtext_generic (see the ".get_cdtext ="
   note in the transcript above).  Returns NULL when obj is NULL or the driver
   installed no hook; otherwise returns whatever the hook returns. */
63 cdtext_t *
64 cdio_get_cdtext (CdIo *obj)
65 {
66 if (obj == NULL) return NULL;
67
68 if (NULL != obj->op.get_cdtext) {
69 return obj->op.get_cdtext (obj->env); /* hook receives the driver-private env, not the CdIo object */
70 } else {
71 return NULL;
72 }
73 }
(gdb) list get_cdtext_generic
/* Generic-driver implementation of the get_cdtext hook.  On first use it reads
   the raw CD-TEXT block, parses it into a freshly allocated cdtext_t cached in
   p_env->cdtext, and returns that cache on every later call.  If parsing fails,
   b_cdtext_error is set and every later call returns NULL without retrying. */
280 cdtext_t *
281 get_cdtext_generic (void *p_user_data)
282 {
283 generic_img_private_t *p_env = p_user_data; /* driver-private state owning the cdtext cache */
284 uint8_t *p_cdtext_data = NULL;
285 size_t len;
286
287 if (!p_env) return NULL;
288
289 if (p_env->b_cdtext_error) return NULL; /* an earlier parse failed; do not retry */
290
291 if (NULL == p_env->cdtext) { /* not cached yet */
292 p_cdtext_data = read_cdtext_generic (p_env);
293
294 if (NULL != p_cdtext_data) {
295 len = CDIO_MMC_GET_LEN16(p_cdtext_data)-2; /* len is size_t: a header length below 2 would yield a huge value, not a negative one, so the "len <= 0" test below only catches len == 0 */
296 p_env->cdtext = cdtext_init();
297
298 if(len <= 0 || 0 != cdtext_data_init (p_env->cdtext, &p_cdtext_data[4], len)) {
299 p_env->b_cdtext_error = true;
300 cdtext_destroy (p_env->cdtext); /* cdtext_destroy() already free()s the cdtext_t itself (its line 255) */
301 free(p_env->cdtext); /* BUG: second free() of the pointer released on the previous line -- this is the "double free or corruption" abort reported above; the disassembly at get_cdtext_generic+114 is this call.  Upstream commits [2] and [3] address it. */
302 p_env->cdtext = NULL; /* clearing the cache pointer happens only after the damage is done */
303 }
304
305 free(p_cdtext_data); /* raw buffer from read_cdtext_generic() is no longer needed */
306 }
307 }
308
309 return p_env->cdtext; /* NULL when nothing was read or parsing failed */
310 }
(gdb) disassemble /m 0x00007f04f66ba92b,0x00007f04f66ba942
Dump of assembler code from 0x7f04f66ba92b to 0x7f04f66ba942:
301 free(p_env->cdtext);
0x00007f04f66ba92b <get_cdtext_generic+107>: mov 0x1028(%rbx),%rdi
0x00007f04f66ba932 <get_cdtext_generic+114>: callq 0x7f04f66b8b00 <free@plt>
302 p_env->cdtext = NULL;
0x00007f04f66ba937 <get_cdtext_generic+119>: movq $0x0,0x1028(%rbx)
End of assembler dump.
http://git.savannah.gnu.org/cgit/libcdio.git/tree/lib/driver/_cdio_generic.c
http://git.savannah.gnu.org/cgit/libcdio.git/log/lib/driver/_cdio_generic.c
(gdb) list cdtext_destroy
/* Release a cdtext_t: free every allocated field string in every block/track,
   then free the cdtext_t itself.  NULL is accepted and ignored.
   Because the final free(p_cdtext) happens here, the caller must not free()
   the same pointer again afterwards. */
237 void
238 cdtext_destroy(cdtext_t *p_cdtext)
239 {
240 cdtext_field_t k;
241 track_t j;
242 int i;
243
244 if (!p_cdtext) return;
245 for (i=0; i<CDTEXT_NUM_BLOCKS_MAX; i++) {
246 for (j=0; j<CDTEXT_NUM_TRACKS_MAX; j++) {
247 for (k=0; k < MAX_CDTEXT_FIELDS; k++) {
248 if (p_cdtext->block[i].track[j].field[k]) {
249 free(p_cdtext->block[i].track[j].field[k]);
250 p_cdtext->block[i].track[j].field[k] = NULL; /* field slots are cleared; p_cdtext itself is passed by value and cannot be cleared for the caller */
251 }
252 }
253 }
254 }
255 free(p_cdtext); /* frees the struct; the caller's copy of the pointer is now dangling */
256 }
http://git.savannah.gnu.org/cgit/libcdio.git/tree/lib/driver/cdtext.c
http://git.savannah.gnu.org/cgit/libcdio.git/log/lib/driver/cdtext.c
-----
http://git.savannah.gnu.org/cgit/libcdio.git/commit/lib/driver/_cdio_generic.c?id=f6f9c48fb40b8a1e8218799724b0b61a7161eb1d
http://git.savannah.gnu.org/cgit/libcdio.git/commit/lib/driver/_cdio_generic.c?id=dec2f876c2d7162da213429bce1a7140cdbdd734
http://lists.gnu.org/archive/html/libcdio-devel/2017-12/msg00010.html