Bug#1021056: free(): invalid pointer and double free or corruption (!prev) when taking screenshot of 540x360 video
Package: vlc
Version: 3.0.17.4-0+deb11u1
Severity: normal
I discovered this bug when I tried to take a screenshot of the "I Died
in a Car Crash" contemporary dance video by Ana Zimhart ([1]), which
had been downloaded to my computer. The video resolution was 540x360.
When the video was played at position 1:53 (when Ana did an arc penché
trick with the leg at a 90-degree position), I took a snapshot. Instead of
a vlcsnap-* image being generated in ~/Pictures, VLC exited with an invalid
pointer error in free(). The tail from "vlc -vvv" was:
```
[0000555556b17d80] main filter debug: Filter 'VAAPI filters' (0x555556b184f0) appended to chain
[0000555556b1c9d0] main filter debug: looking for video converter module matching "any": 23 candidates
[0000555556b1c9d0] swscale filter debug: 540x360 (544x368) chroma: I420 -> 540x360 (544x368) chroma: RV24 with scaling using Bicubic (good quality)
[0000555556b1c9d0] main filter debug: using video converter module "swscale"
[0000555556b17d80] main filter debug: Filter 'Swscale' (0x555556b1c9d0) appended to chain
[0000555556b17d80] main filter debug: using video converter module "chain"
[0000555556b16560] main filter debug: Filter 'chain' (0x555556b17d80) appended to chain
[0000555556b2f2f0] main filter debug: looking for video converter module matching "any": 23 candidates
[swscaler @ 0x555556b31e40] Forcing full internal H chroma due to input having non subsampled chroma
[0000555556b2f2f0] swscale filter debug: 540x360 (544x368) chroma: RV24 -> 540x360 (540x360) chroma: RV24 with scaling using Bicubic (good quality)
[0000555556b2f2f0] main filter debug: using video converter module "swscale"
[0000555556b16560] main filter debug: Filter 'Swscale' (0x555556b2f2f0) appended to chain
[0000555556b16560] main filter debug: using video converter module "chain"
[0000555556b0ee00] main encoder debug: removing module "png"
[0000555556b16560] main filter debug: removing module "chain"
[0000555556b17d80] main filter debug: removing module "chain"
[0000555556b184f0] main filter debug: removing module "vaapi_filters"
free(): invalid pointer
```
The log above was from a gdb session. When vlc was invoked outside gdb with the
reproducer above, I got a double free or corruption (!prev) error. The tail log
for that case was:
```
[00007efe3044dcb0] main filter debug: Filter 'VAAPI filters' (0x7efe300d5d30) appended to chain
[00007efe300d0f70] main filter debug: looking for video converter module matching "any": 23 candidates
[00007efe300d0f70] swscale filter debug: 540x360 (544x368) chroma: I420 -> 540x360 (544x368) chroma: RV24 with scaling using Bicubic (good quality)
[00007efe300d0f70] main filter debug: using video converter module "swscale"
[00007efe3044dcb0] main filter debug: Filter 'Swscale' (0x7efe300d0f70) appended to chain
[00007efe3044dcb0] main filter debug: using video converter module "chain"
[00007efe306b3d00] main filter debug: Filter 'chain' (0x7efe3044dcb0) appended to chain
[00007efe300d0700] main filter debug: looking for video converter module matching "any": 23 candidates
[swscaler @ 0x7efe309eac80] Forcing full internal H chroma due to input having non subsampled chroma
[00007efe300d0700] swscale filter debug: 540x360 (544x368) chroma: RV24 -> 540x360 (540x360) chroma: RV24 with scaling using Bicubic (good quality)
[00007efe300d0700] main filter debug: using video converter module "swscale"
[00007efe306b3d00] main filter debug: Filter 'Swscale' (0x7efe300d0700) appended to chain
[00007efe306b3d00] main filter debug: using video converter module "chain"
[00007efe30188880] main encoder debug: removing module "png"
[00007efe306b3d00] main filter debug: removing module "chain"
[00007efe3044dcb0] main filter debug: removing module "chain"
[00007efe300d5d30] main filter debug: removing module "vaapi_filters"
double free or corruption (!prev)
```
The bug didn't occur on 640x360 and 1280x720 videos.
A similar bug has been reported on Ubuntu ([2]) with an older VLC
version.
[1]: https://www.youtube.com/watch?v=eoocJ3euHy8
[2]: https://bugs.launchpad.net/ubuntu/+source/vlc/+bug/1894968
-- System Information:
Debian Release: 11.5
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable-debug'), (500, 'proposed-updates-debug'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 5.19.12-local (SMP w/4 CPU threads; PREEMPT)
Kernel taint flags: TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages vlc depends on:
ii vlc-bin 3.0.17.4-0+deb11u1
ii vlc-plugin-base 3.0.17.4-0+deb11u1
ii vlc-plugin-qt 3.0.17.4-0+deb11u1
ii vlc-plugin-video-output 3.0.17.4-0+deb11u1
Versions of packages vlc recommends:
ii vlc-l10n 3.0.17.4-0+deb11u1
ii vlc-plugin-access-extra 3.0.17.4-0+deb11u1
ii vlc-plugin-notify 3.0.17.4-0+deb11u1
ii vlc-plugin-samba 3.0.17.4-0+deb11u1
ii vlc-plugin-skins2 3.0.17.4-0+deb11u1
ii vlc-plugin-video-splitter 3.0.17.4-0+deb11u1
ii vlc-plugin-visualization 3.0.17.4-0+deb11u1
Versions of packages vlc suggests:
pn vlc-plugin-fluidsynth <none>
pn vlc-plugin-jack <none>
pn vlc-plugin-svg <none>
Versions of packages libvlc-bin depends on:
ii libc6 2.31-13+deb11u4
ii libvlc5 3.0.17.4-0+deb11u1
Versions of packages libvlc5 depends on:
ii libc6 2.31-13+deb11u4
ii libvlccore9 3.0.17.4-0+deb11u1
Versions of packages libvlc5 recommends:
ii libvlc-bin 3.0.17.4-0+deb11u1
Versions of packages vlc-bin depends on:
ii libc6 2.31-13+deb11u4
ii libvlc-bin 3.0.17.4-0+deb11u1
ii libvlc5 3.0.17.4-0+deb11u1
Versions of packages vlc-plugin-access-extra depends on:
ii libc6 2.31-13+deb11u4
ii libvlccore9 [vlc-plugin-abi-3-0-0f] 3.0.17.4-0+deb11u1
ii libvncclient1 0.9.13+dfsg-2
ii libxcb-composite0 1.14-3
ii libxcb-shm0 1.14-3
ii libxcb1 1.14-3
Versions of packages vlc-plugin-base depends on:
ii liba52-0.7.4 0.7.4-20
ii libarchive13 3.4.3-2+deb11u1
ii libaribb24-0 1.0.3-2
ii libasound2 1.2.4-1.1
ii libass9 1:0.15.0-2
ii libavahi-client3 0.8-5+deb11u1
ii libavahi-common3 0.8-5+deb11u1
ii libavc1394-0 0.5.4-5
ii libavcodec58 7:4.3.4-0+deb11u1
ii libavformat58 7:4.3.4-0+deb11u1
ii libavutil56 7:4.3.4-0+deb11u1
ii libbluray2 1:1.2.1-4+deb11u1
ii libc6 2.31-13+deb11u4
ii libcairo2 1.16.0-5
ii libcddb2 1.3.2-6+b1
ii libchromaprint1 1.5.0-2
ii libdav1d4 0.7.1-3
ii libdbus-1-3 1.12.20-2
ii libdc1394-25 2.2.6-3
ii libdca0 0.0.7-2
ii libdvbpsi10 1.3.3-1
ii libdvdnav4 6.1.0-1+b1
ii libdvdread8 6.1.1-2
ii libebml5 1.4.2-1
ii libfaad2 2.10.0-1
ii libflac8 1.3.3-2+deb11u1
ii libfontconfig1 2.13.1-4.2
ii libfreetype6 2.10.4+dfsg-1+deb11u1
ii libfribidi0 1.0.8-2+deb11u1
ii libgcc-s1 10.2.1-6
ii libgcrypt20 1.8.7-6
ii libglib2.0-0 2.66.8-1
ii libgnutls30 3.7.1-5+deb11u2
ii libgpg-error0 1.38-2
ii libharfbuzz0b 2.7.4-1
ii libixml10 1:1.8.4-2
ii libjpeg62-turbo 1:2.0.6-4
ii libkate1 0.4.1-11
ii liblirc-client0 0.10.1-6.3
ii liblua5.2-0 5.2.4-1.1+b3
ii libmad0 0.15.1b-10
ii libmatroska7 1.6.2-1
ii libmpcdec6 2:0.1~r495-2
ii libmpeg2-4 0.5.1-9
ii libmpg123-0 1.26.4-1
ii libmtp9 1.1.17-3
ii libncursesw6 6.2+20201114-2
ii libnfs13 4.0.0-1
ii libogg0 1.3.4-0.1
ii libopenmpt-modplug1 0.4.11-1
ii libopus0 1.3.1-0.1
ii libpng16-16 1.6.37-3
ii libpostproc55 7:4.3.4-0+deb11u1
ii libprotobuf-lite23 3.12.4-1
ii libpulse0 14.2-2
ii libraw1394-11 2.1.2-2
ii libresid-builder0c2a 2.1.1-15+b1
ii librsvg2-2 2.50.3+dfsg-1
ii libsamplerate0 0.2.1+ds0-1
ii libsdl-image1.2 1.2.12-12
ii libsdl1.2debian 1.2.15+dfsg2-6
ii libsecret-1-0 0.20.4-2
ii libshine3 3.1.1-2
ii libshout3 2.4.5-1+b1
ii libsidplay2 2.1.1-15+b1
ii libsndio7.0 1.5.0-3
ii libsoxr0 0.1.3-4
ii libspatialaudio0 0.3.0+git20180730+dfsg1-2+b1
ii libspeex1 1.2~rc1.2-1.1
ii libspeexdsp1 1.2~rc1.2-1.1
ii libssh2-1 1.9.0-2
ii libstdc++6 10.2.1-6
ii libswscale5 7:4.3.4-0+deb11u1
ii libsystemd0 247.3-7+deb11u1
ii libtag1v5 1.11.1+dfsg.1-3
ii libtheora0 1.1.1+dfsg.1-15
ii libtinfo6 6.2+20201114-2
ii libtwolame0 0.4.0-2
ii libudev1 247.3-7+deb11u1
ii libupnp13 1:1.8.4-2
ii libva-drm2 2.10.0-1
ii libva2 2.10.0-1
ii libvlccore9 [vlc-plugin-abi-3-0-0f] 3.0.17.4-0+deb11u1
ii libvorbis0a 1.3.7-1
ii libvorbisenc2 1.3.7-1
ii libx264-160 2:0.160.3011+gitcde9a93-2.1
ii libx265-192 3.4-2
ii libxcb-keysyms1 0.4.0-1+b2
ii libxcb1 1.14-3
ii libxml2 2.9.10+dfsg-6.7+deb11u2
ii libzvbi0 0.2.35-18
ii vlc-data 3.0.17.4-0+deb11u1
ii zlib1g 1:1.2.11.dfsg-2+deb11u2
Versions of packages vlc-plugin-base recommends:
ii xdg-utils 1.1.3-4.1
Versions of packages vlc-plugin-base suggests:
pn libdvdcss2 <none>
Versions of packages vlc-plugin-notify depends on:
ii libc6 2.31-13+deb11u4
ii libgdk-pixbuf-2.0-0 2.42.2+dfsg-1+deb11u1
ii libglib2.0-0 2.66.8-1
ii libgtk-3-0 3.24.24-4+deb11u2
ii libnotify4 0.7.9-3
ii libvlccore9 [vlc-plugin-abi-3-0-0f] 3.0.17.4-0+deb11u1
Versions of packages vlc-plugin-qt depends on:
ii libc6 2.31-13+deb11u4
ii libgcc-s1 10.2.1-6
ii libqt5core5a 5.15.2+dfsg-9
ii libqt5gui5 5.15.2+dfsg-9
ii libqt5svg5 5.15.2-3
ii libqt5widgets5 5.15.2+dfsg-9
ii libqt5x11extras5 5.15.2-2
ii libstdc++6 10.2.1-6
ii libvlccore9 [vlc-plugin-abi-3-0-0f] 3.0.17.4-0+deb11u1
ii libwayland-client0 1.18.0-2~exp1.1
ii libx11-6 2:1.7.2-1
Versions of packages vlc-plugin-qt recommends:
ii vlc-bin 3.0.17.4-0+deb11u1
Versions of packages vlc-plugin-skins2 depends on:
ii fonts-freefont-ttf 20120503-10
ii libc6 2.31-13+deb11u4
ii libfreetype6 2.10.4+dfsg-1+deb11u1
ii libfribidi0 1.0.8-2+deb11u1
ii libgcc-s1 10.2.1-6
ii libstdc++6 10.2.1-6
ii libvlccore9 [vlc-plugin-abi-3-0-0f] 3.0.17.4-0+deb11u1
ii libx11-6 2:1.7.2-1
ii libxext6 2:1.3.3-1.1
ii libxinerama1 2:1.1.4-2
ii libxpm4 1:3.5.12-1
ii vlc-plugin-qt 3.0.17.4-0+deb11u1
Versions of packages vlc-plugin-skins2 recommends:
ii vlc-bin 3.0.17.4-0+deb11u1
Versions of packages vlc-plugin-video-output depends on:
ii libaa1 1.4p5-48
ii libavcodec58 7:4.3.4-0+deb11u1
ii libavutil56 7:4.3.4-0+deb11u1
ii libc6 2.31-13+deb11u4
ii libcaca0 0.99.beta19-2.2
ii libegl1 1.3.2-1
ii libgl1 1.3.2-1
ii libgles2 1.3.2-1
ii libplacebo72 2.72.2-1
ii libva-drm2 2.10.0-1
ii libva-wayland2 2.10.0-1
ii libva-x11-2 2.10.0-1
ii libva2 2.10.0-1
ii libvlccore9 [vlc-plugin-abi-3-0-0f] 3.0.17.4-0+deb11u1
ii libwayland-client0 1.18.0-2~exp1.1
ii libwayland-egl1 1.18.0-2~exp1.1
ii libx11-6 2:1.7.2-1
ii libxcb-keysyms1 0.4.0-1+b2
ii libxcb-shm0 1.14-3
ii libxcb-xv0 1.14-3
ii libxcb1 1.14-3
Versions of packages vlc-plugin-video-splitter depends on:
ii libc6 2.31-13+deb11u4
ii libvlccore9 [vlc-plugin-abi-3-0-0f] 3.0.17.4-0+deb11u1
ii libxcb-randr0 1.14-3
ii libxcb1 1.14-3
Versions of packages vlc-plugin-visualization depends on:
ii libc6 2.31-13+deb11u4
ii libgl1 1.3.2-1
ii libvlccore9 [vlc-plugin-abi-3-0-0f] 3.0.17.4-0+deb11u1
-- no debconf information
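The two log tails quoted in the report carry the facts a triager wants to line up before opening a debugger: the swscale conversions with their visible and allocated (padded) dimensions, the module tear-down order, and the glibc malloc abort message that ends the run. The script below is an added triage helper, not part of the bug report or of VLC; it parses those lines and flags any conversion whose destination buffer is allocated smaller than the padded source it reads from, and shows why 540 differs from 640 and 1280 under a 16-pixel width alignment. The 16-pixel alignment and the "smaller destination" heuristic are assumptions for illustration; the report itself does not establish the cause of the crash, and the script only surfaces what the log states.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: a subset of the "vlc -vvv" tail quoted in the report (gdb run).
SAMPLE_LOG = """\
[0000555556b1c9d0] swscale filter debug: 540x360 (544x368) chroma: I420 -> 540x360 (544x368) chroma: RV24 with scaling using Bicubic (good quality)
[0000555556b17d80] main filter debug: Filter 'Swscale' (0x555556b1c9d0) appended to chain
[0000555556b2f2f0] swscale filter debug: 540x360 (544x368) chroma: RV24 -> 540x360 (540x360) chroma: RV24 with scaling using Bicubic (good quality)
[0000555556b16560] main filter debug: Filter 'Swscale' (0x555556b2f2f0) appended to chain
[0000555556b0ee00] main encoder debug: removing module "png"
[0000555556b16560] main filter debug: removing module "chain"
free(): invalid pointer
"""

# "WxH (AWxAH)" is visible size followed by the allocated (padded) size, as VLC prints it.
CONVERSION_RE = re.compile(
    r"^\[(?P<obj>[0-9a-f]+)\] swscale filter debug: "
    r"(?P<sw>\d+)x(?P<sh>\d+) \((?P<saw>\d+)x(?P<sah>\d+)\) chroma: (?P<sc>\w+) -> "
    r"(?P<dw>\d+)x(?P<dh>\d+) \((?P<daw>\d+)x(?P<dah>\d+)\) chroma: (?P<dc>\w+)"
)
REMOVAL_RE = re.compile(
    r'^\[(?P<obj>[0-9a-f]+)\] main \w+ debug: removing module "(?P<mod>[^"]+)"'
)
# Messages glibc's allocator prints right before abort() on a detected heap inconsistency.
GLIBC_ABORT_PREFIXES = ("free():", "double free", "malloc():", "realloc():", "corrupted ")


@dataclass
class Conversion:
    obj: str
    src_visible: Tuple[int, int]
    src_alloc: Tuple[int, int]
    src_chroma: str
    dst_visible: Tuple[int, int]
    dst_alloc: Tuple[int, int]
    dst_chroma: str

    def alloc_shrinks(self) -> bool:
        """True when the destination is allocated smaller than the padded source it reads from."""
        return (self.dst_alloc[0] < self.src_alloc[0]
                or self.dst_alloc[1] < self.src_alloc[1])


def parse_vlc_log(text: str):
    """Return (conversions, removals, abort_message) extracted from a vlc -vvv tail."""
    conversions: List[Conversion] = []
    removals: List[Tuple[str, str]] = []
    abort_msg: Optional[str] = None
    for line in text.splitlines():
        m = CONVERSION_RE.match(line)
        if m:
            g = m.groupdict()
            conversions.append(Conversion(
                obj=g["obj"],
                src_visible=(int(g["sw"]), int(g["sh"])),
                src_alloc=(int(g["saw"]), int(g["sah"])),
                src_chroma=g["sc"],
                dst_visible=(int(g["dw"]), int(g["dh"])),
                dst_alloc=(int(g["daw"]), int(g["dah"])),
                dst_chroma=g["dc"],
            ))
            continue
        m = REMOVAL_RE.match(line)
        if m:
            removals.append((m.group("obj"), m.group("mod")))
            continue
        if line.startswith(GLIBC_ABORT_PREFIXES):
            abort_msg = line.strip()  # keep the last allocator message seen
    return conversions, removals, abort_msg


def align_up(n: int, alignment: int) -> int:
    """Round n up to the next multiple of alignment (544 for 540, 368 for 360 at 16)."""
    return (n + alignment - 1) // alignment * alignment


def needs_width_padding(width: int, alignment: int = 16) -> bool:
    """Assumed 16-pixel alignment: true for 540, false for 640 and 1280."""
    return align_up(width, alignment) != width


def suspicious_conversions(conversions: List[Conversion]) -> List[Conversion]:
    """Conversions that read a padded source into a smaller, unpadded destination."""
    return [c for c in conversions if c.alloc_shrinks()]


if __name__ == "__main__":
    convs, removals, abort_msg = parse_vlc_log(SAMPLE_LOG)
    for c in suspicious_conversions(convs):
        print(f"{c.obj}: {c.src_chroma} {c.src_alloc} -> {c.dst_chroma} {c.dst_alloc} (shrinks)")
    print("tear-down order:", [mod for _, mod in removals])
    print("allocator abort:", abort_msg)
    for w in (540, 640, 1280):
        print(w, "padded to", align_up(w, 16))
```

Run against the full tail from the report, the script singles out the second swscale step (RV24 544x368 padded to RV24 540x360 unpadded), which is the one step that does not appear in the same form for widths that are already multiples of 16; that is a lead for whoever attaches gdb or valgrind, not a diagnosis.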