Bug#986432: totem: segfault when opening totem
Alban Browaeys
alban.browaeys at gmail.com
Fri May 10 03:13:31 BST 2024
On Mon, 19 Apr 2021 16:31:34 +0200 Bernhard Übelacker
<bernhardu at mailbox.org> wrote:
> Dear Maintainer,
> I tried to have a look and I could reproduce the crash [1].
>
> I think this is caused by a call to gtk_list_store_set
> in totem_playlist_steal_current_starttime [2].
> There a variadic argument list contains a plain 0,
> which might occupy just 32 bits but later gets interpreted
> as gint64, therefore the terminating -1 gets overrun.
>
> A totem package rebuilt with attached patch does not show
> the crash inside the test VM.
>
> Kind regards,
> Bernhard
Could you submit an MR upstream for your 32-bit arch patch for totem
(critical to armhf use)?
https://gitlab.gnome.org/GNOME/totem/-/issues
The issue is still there:
https://gitlab.gnome.org/GNOME/totem/-/blob/master/src/totem-playlist.c?ref_type=heads#L1734
>
> [1]
> (gdb) bt
> #0 strlen () at ../sysdeps/arm/armv6t2/strlen.S:126
> #1 0xb6e82878 in g_strdup (str=0x63fca6aa <error: Cannot access memory at address 0x63fca6aa>) at ../../../glib/gstrfuncs.c:363
> #2 0xb6f47144 in value_collect_string (value=0xbeffee60, n_collect_values=<optimized out>, collect_values=<optimized out>, collect_flags=<optimized out>) at ../../../gobject/gvaluetypes.c:293
> #3 0xb680a3be in gtk_list_store_set_valist_internal (list_store=list_store@entry=0xa0b4c8, iter=iter@entry=0xbeffef44, emit_signal=emit_signal@entry=0xbeffeefc, maybe_need_sort=maybe_need_sort@entry=0xbeffef00, var_args=..., var_args@entry=...) at ../../../../gtk/gtkliststore.c:1033
> #4 0xb680ab52 in gtk_list_store_set_valist (list_store=0xa0b4c8, iter=iter@entry=0xbeffef44, var_args=..., var_args@entry=...) at ../../../../gtk/gtkliststore.c:1137
> #5 0xb680ac1a in gtk_list_store_set (list_store=<optimized out>, iter=0xbeffef44) at ../../../../gtk/gtkliststore.c:1179
> #6 0xb6f91c40 in totem_playlist_steal_current_starttime (playlist=0xa1e100) at ../src/totem-playlist.c:1790
> #7 0xb6f8b590 in update_seekable (totem=0x450140) at ../src/totem-object.c:2524
> #8 property_notify_cb_seekable (bvw=<optimized out>, spec=<optimized out>, totem=0x450140) at ../src/totem-object.c:2616
> #9 0xb6f2b252 in g_closure_invoke (closure=0x6e7048, return_value=return_value@entry=0x0, n_param_values=2, param_values=param_values@entry=0xbefff090, invocation_hint=invocation_hint@entry=0xbefff00c) at ../../../gobject/gclosure.c:810
> #10 0xb6f38768 in signal_emit_unlocked_R (node=node@entry=0x448800, detail=105, instance=0xa6e290, emission_return=emission_return@entry=0x0, instance_and_params=instance_and_params@entry=0xbefff090) at ../../../gobject/gsignal.c:3739
> #11 0xb6f3ce12 in g_signal_emit_valist (instance=instance@entry=0xa6e290, signal_id=signal_id@entry=1, detail=detail@entry=3204444612, var_args=..., var_args@entry=...) at ../../../gobject/gsignal.c:3495
> #12 0xb6f3d0a2 in g_signal_emit (instance=instance@entry=0xa6e290, signal_id=signal_id@entry=1, detail=105) at ../../../gobject/gsignal.c:3551
> #13 0xb6f2e33e in g_object_dispatch_properties_changed (object=0xa6e290, n_pspecs=1, pspecs=<optimized out>) at ../../../gobject/gobject.c:1206
> #14 0xb6f2faac in g_object_notify_by_spec_internal (pspec=<optimized out>, object=0xa6e290) at ../../../gobject/gobject.c:1299
> #15 g_object_notify (object=0xa6e290, property_name=<optimized out>) at ../../../gobject/gobject.c:1347
> #16 0xb6f9b9ec in got_time_tick (time_nanos=<optimized out>, bvw=bvw@entry=0xa6e290, play=<optimized out>) at ../src/backend/bacon-video-widget.c:2614
> #17 0xb6f9ca02 in bvw_query_timeout (bvw=bvw@entry=0xa6e290) at ../src/backend/bacon-video-widget.c:2830
> #18 0xb6fa0792 in bvw_bus_message_cb (bus=<optimized out>, message=<optimized out>, bvw=0xa6e290) at ../src/backend/bacon-video-widget.c:2485
> #19 0xb6f2d2e8 in g_cclosure_marshal_VOID__BOXEDv (closure=0xaaf750, return_value=<optimized out>, instance=0x9f8bf0, args=..., marshal_data=0x0, n_params=1, param_types=0x7d1118) at ../../../gobject/gmarshal.c:1686
> #20 0xb6f2b3d8 in _g_closure_invoke_va (closure=closure@entry=0xaaf750, return_value=0x0, instance=0x9f8bf0, instance@entry=0x0, args=..., args@entry=..., n_params=n_params@entry=1, param_types=0x7d1118) at ../../../gobject/gclosure.c:873
> #21 0xb6f3cef6 in g_signal_emit_valist (instance=0x0, instance@entry=0x9f8bf0, signal_id=<optimized out>, detail=0, detail@entry=3204445364, var_args=..., var_args@entry=...) at ../../../gobject/gsignal.c:3404
> #22 0xb6f3d0a2 in g_signal_emit (instance=instance@entry=0x9f8bf0, signal_id=<optimized out>, detail=289) at ../../../gobject/gsignal.c:3551
> #23 0xb64b1420 in gst_bus_async_signal_func (bus=0x9f8bf0, message=0xa5405068, data=<optimized out>) at ../gst/gstbus.c:1295
> #24 0xb64b2008 in gst_bus_source_dispatch (source=0xa8a388, callback=0xb64b13e5 <gst_bus_async_signal_func>, user_data=0x0) at ../gst/gstbus.c:851
> #25 0xb6e6bf4c in g_main_dispatch (context=0x46e678) at ../../../glib/gmain.c:3325
> #26 g_main_context_dispatch (context=context@entry=0x46e678) at ../../../glib/gmain.c:4043
> #27 0xb6e6c1e0 in g_main_context_iterate (context=context@entry=0x46e678, block=block@entry=1, dispatch=dispatch@entry=1, self=<optimized out>) at ../../../glib/gmain.c:4119
> #28 0xb6e6c25a in g_main_context_iteration (context=context@entry=0x46e678, may_block=may_block@entry=1) at ../../../glib/gmain.c:4184
> #29 0xb6d990a6 in g_application_run (application=0x450140, argc=<optimized out>, argv=0xbefff754) at ../../../gio/gapplication.c:2559
> #30 0x00401160 in main (argc=<optimized out>, argv=<optimized out>) at ../src/totem.c:83
>
>
> [2]
>
> https://sources.debian.org/src/totem/3.38.0-2/src/totem-playlist.c/#L1790
>
> https://gitlab.gnome.org/GNOME/totem/-/commit/159e5ae4e884d85d149bd06866a156935eb43d74.patch
> 1790 gtk_list_store_set (GTK_LIST_STORE (playlist->priv->model),
> 1791                     &iter,
> 1792                     STARTTIME_COL, 0,
> 1793                     -1);
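The mechanism Bernhard describes, as an added stand-alone example that is not totem's code nor the attached patch: a miniature typed list store whose variadic setter, like gtk_list_store_set, pulls each value with va_arg according to the column's declared type and stops at an int -1 terminator. The model (struct row, row_set, steal_starttime, the column names) is invented for illustration. The caller widens the value to the column type before it enters the va_list; that a plain cast to the 64-bit type is what the linked upstream patch does is an assumption here, check the patch itself.

```c
#include <stdarg.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Per-column types: a GtkListStore keeps each column's GType and uses
 * it to decide which C type to pull from the va_list for that column. */
enum col_type { COL_TYPE_STRING, COL_TYPE_INT64, COL_TYPE_BOOL };

enum { FILENAME_COL, STARTTIME_COL, PLAYING_COL, N_COLS };

static const enum col_type COLUMN_TYPES[N_COLS] = {
    COL_TYPE_STRING, COL_TYPE_INT64, COL_TYPE_BOOL
};

/* Hypothetical playlist row standing in for the GtkListStore model. */
struct row {
    char    filename[64];
    int64_t starttime;
    int     playing;
};

/* row_set(row, col, value, col, value, ..., -1)
 * Returns the number of columns written, or -1 on a bad column index. */
static int row_set(struct row *r, ...)
{
    va_list ap;
    int col, n = 0;

    va_start(ap, r);
    /* The -1 terminator is an int. It is only ever seen if every value
     * before it occupied exactly the size the matching va_arg consumes. */
    while ((col = va_arg(ap, int)) != -1) {
        if (col < 0 || col >= N_COLS) {
            va_end(ap);
            return -1;
        }
        switch (COLUMN_TYPES[col]) {
        case COL_TYPE_STRING: {
            const char *s = va_arg(ap, const char *);
            snprintf(r->filename, sizeof r->filename, "%s", s ? s : "");
            break;
        }
        case COL_TYPE_INT64:
            /* Consumes sizeof(int64_t) == 8 bytes of the argument area.
             * On an ILP32 ABI such as armhf a bare literal 0 pushes only
             * 4 bytes, so this read would swallow the -1 terminator as the
             * other half and the loop would run into whatever follows the
             * real arguments: the g_strdup on garbage in the backtrace. */
            r->starttime = va_arg(ap, int64_t);
            break;
        case COL_TYPE_BOOL:
            r->playing = va_arg(ap, int) != 0;
            break;
        }
        n++;
    }
    va_end(ap);
    return n;
}

/* Same shape as totem_playlist_steal_current_starttime: read the stored
 * start time, then reset the column. The value passed for the INT64
 * column is widened to the column's type, so it occupies the 8 bytes
 * va_arg(ap, int64_t) will consume on every ABI. */
static int64_t steal_starttime(struct row *r)
{
    int64_t t = r->starttime;
    row_set(r, STARTTIME_COL, (int64_t) 0, -1);
    return t;
}

/* Constructed scenario; returns 0 on success or the failing check number. */
static int run_demo(void)
{
    struct row r;
    memset(&r, 0, sizeof r);
    if (row_set(&r, FILENAME_COL, "track.ogg",
                    STARTTIME_COL, (int64_t) 4200,
                    PLAYING_COL, 1, -1) != 3)
        return 1;
    if (strcmp(r.filename, "track.ogg") != 0 || r.starttime != 4200 || !r.playing)
        return 2;
    if (steal_starttime(&r) != 4200)
        return 3;
    if (r.starttime != 0)
        return 4;
    if (row_set(&r, 99, 1, -1) != -1)
        return 5;
    return 0;
}

int main(void)
{
    int rc = run_demo();
    printf("%s (sizeof(int)=%zu, sizeof(int64_t)=%zu)\n",
           rc == 0 ? "ok" : "FAIL", sizeof(int), sizeof(int64_t));
    return rc;
}
```

On x86-64 the bare 0 happens to work because each vararg lands in a 64-bit register or an 8-byte stack slot, which is why the bug only surfaces on 32-bit targets; compiling with -Wall does not catch it either, since the compiler cannot see which type the callee will request for that position. Widening at the call site, or using the typed gtk_list_store_set_value, is the only reliable fix.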