Bug#702581: vlc: VLC crashes in libeml on some video files (mkv, h.264)

Lorenz H.-S. lorenz-dev at lgh-alumni.de
Sat Mar 9 12:50:42 UTC 2013


Alright, some new insights. libebml is trying to allocate 3219169814460
bytes (src/EbmlBinary.cpp:97), but it gets this number from libmatroska
(src/KaxBlock.cpp:458). My guess is that the KaxSimpleBlock's size is
incorrect in the file.

In modules/demux/mkv/matroska_segment.cpp:1558
(matroska_segment_c::BlockGet):

(gdb) ins *el
$11 = {_vptr.EbmlElement = 0x7fffe2461510, Size = 3219169814460,
DefaultSize = 0, SizeLength = 6, bSizeIsFinite = true, ElementPosition =
135411848, SizePosition = 135411849, bValueIsSet = false, DefaultIsSet =
false, bLocked = false}

One further up, in modules/demux/mkv/mkv.cpp:692 (Demux):

(gdb) ins *simpleblock
$14 = {<libmatroska::KaxInternalBlock> = {<libebml::EbmlBinary> =
{<libebml::EbmlElement> = {_vptr.EbmlElement = 0x7fffe2461510, Size =
3219169814460, DefaultSize = 0, SizeLength = 6, bSizeIsFinite = true,
ElementPosition = 135411848,
        SizePosition = 135411849, bValueIsSet = false, DefaultIsSet =
false, bLocked = false}, Data = 0x0}, myBuffers =
{<std::_Vector_base<libmatroska::DataBuffer*,
std::allocator<libmatroska::DataBuffer*> >> = {
        _M_impl = {<std::allocator<libmatroska::DataBuffer*>> =
{<__gnu_cxx::new_allocator<libmatroska::DataBuffer*>> = {<No data fields>},
<No data fields>}, _M_start = 0x0, _M_finish = 0x0,
          _M_end_of_storage = 0x0}}, <No data fields>}, SizeList =
{<std::_Vector_base<int, std::allocator<int> >> = {_M_impl =
{<std::allocator<int>> = {<__gnu_cxx::new_allocator<int>> = {<No data
fields>}, <No data fields>},
          _M_start = 0x0, _M_finish = 0x0, _M_end_of_storage = 0x0}}, <No
data fields>}, Timecode = 4, LocalTimecode = 0, bLocalTimecodeUsed = false,
TrackNumber = 13057, mLacing = libmatroska::LACING_AUTO, mInvisible =
false,
    FirstFrameLocation = 135411855, ParentCluster = 0x0, bIsSimple = true,
bIsKeyframe = true, bIsDiscardable = false}, static ClassInfos = {Create =
0x7fffe221e831 <libmatroska::KaxSimpleBlock::Create()>, GlobalId =
@0x7fffe2470b50,
    DebugName = 0x7fffe2243ec7 "SimpleBlock", Context = @0x7fffe2470b60}}


Up again, to input/demux.h:44

(gdb) ins *p_demux
$17 = {psz_object_type = 0x7ffff799a1d9 "demux", psz_header = 0x0, i_flags
= 0, b_die = false, b_force = false, p_libvlc = 0x605108, p_parent =
0x6387b8, p_module = 0x751860, psz_access = 0x67fc80 "file", psz_demux =
0x67f390 "",
  psz_location = 0x67f040 "/media/STORE/foo.mkv", psz_file = 0x67eee0
"/media/STORE/foo.mkv", s = 0x68d028, out = 0x68c810, pf_demux =
0x7fffe2480c50 <Demux(demux_t*)>,
  pf_control = 0x7fffe247f6e0 <Control(demux_t *, int, typedef
__va_list_tag __va_list_tag *)>, info = {i_update = 0, i_title = 0,
i_seekpoint = 0}, p_sys = 0x68d1f0, p_input = 0x6387b8}
(gdb) ins *p_demux->p_sys
$18 = {player = 0x7fffe26b7690, config = {clockDefault = 6869336,
clockForced = false, clockSpeed = 7257000, environment = sid2_envPS,
forceDualSids = 112, emulateStereo = 232, frequency = 0, optimisation = 0
'\000',
    playback = sid2_left, precision = 0, sidDefault = SID2_MODEL_CORRECT,
sidEmulation = 0x69d330, sidModel = 6777344, sidSamples = false, leftVolume
= 6777352, rightVolume = 0, sampleFormat = 6777352, powerOnDelay = 0,
    sid2crcCount = 0}, info = {credits = 0x686850, channels = 6842456,
driverAddr = 0, driverLength = 0, name = 0x686858 "", tuneInfo = 0x0,
version = 0x0, eventContext = 0x0, maxsids = 6798144, environment =
sid2_envPS,
    powerOnDelay = 47944, sid2crc = 0, sid2crcCount = 6798152}, tune =
0x6828f0, tuneInfo = {formatString = 0x6828f8 "", statusString = 0x6828f8
"", speedString = 0x69d1b0 "P*h", loadAddr = 0, initAddr = 0, playAddr = 0,
songs = 0,
    startSong = 0, sidChipBase1 = 0, sidChipBase2 = 0, currentSong = 0,
songSpeed = 0 '\000', clockSpeed = 0 '\000', relocStartPage = 0 '\000',
relocPages = 0 '\000', musPlayer = false, sidModel = 0, compatibility = 0,
fixLoad = false,
    songLength = 0, numberOfInfoStrings = 0 '\000', infoString = {0x0, 0x0,
0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, numberOfCommentStrings = 0,
commentString = 0x0, dataFileLen = 0, c64dataLen = 0, path = 0x0,
dataFileName = 0x0,
    infoFileName = 0x0}, bytes_per_frame = 0, block_size = 0, es = 0x0, pts
= {date = 0, i_divider_num = 0, i_divider_den = 0, i_remainder = 0}}
(gdb) ins *p_demux->p_sys->p_current_segment
There is no member named p_current_segment.

That last line seems a bit strange to me, but then I'm not familiar with
vlc's codebase at all. I'd be happy to try out any suggestions you may have.

Kind regards,
Lorenz
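An added example, not part of the bug report or of libebml/libmatroska: a C decoder for the EBML variable-length size field, followed by the bounds check that would reject the 3219169814460-byte SimpleBlock before EbmlBinary tries to allocate it. The six size bytes are constructed here to encode exactly that value; the file length used in the check is an assumed placeholder, since the report does not state the file's size.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define EBML_SIZE_UNKNOWN UINT64_MAX

/* Decode an EBML variable-length size field: the number of leading zero
 * bits in the first byte gives the field length (1..8 bytes), the remaining
 * bits are the big-endian value, and an all-ones value means "unknown".
 * Returns the number of bytes consumed, or 0 if the input is truncated
 * or malformed. */
size_t ebml_read_size(const uint8_t *buf, size_t avail, uint64_t *out)
{
    if (avail == 0 || buf[0] == 0) return 0;   /* 0x00 would mean >8 bytes */
    size_t len = 1;
    uint8_t mask = 0x80;
    while (!(buf[0] & mask)) { mask >>= 1; len++; }
    if (len > avail) return 0;                 /* size field itself truncated */
    uint64_t v = buf[0] & (mask - 1);          /* value bits of the first byte */
    uint64_t all_ones = mask - 1;
    for (size_t i = 1; i < len; i++) {
        v = (v << 8) | buf[i];
        all_ones = (all_ones << 8) | 0xFF;
    }
    *out = (v == all_ones) ? EBML_SIZE_UNKNOWN : v;
    return len;
}

/* A binary element's declared size must be finite and must fit in the bytes
 * that remain in the file after its data position. Returns 1 if the payload
 * can be read safely, 0 if it must be rejected instead of allocated. */
int ebml_binary_size_ok(uint64_t size, uint64_t file_len, uint64_t data_pos)
{
    if (size == EBML_SIZE_UNKNOWN) return 0;
    if (data_pos > file_len) return 0;
    return size <= file_len - data_pos;
}

int main(void)
{
    /* Constructed: 6-byte size field encoding 3219169814460 (SizeLength = 6). */
    const uint8_t size_field[] = { 0x06, 0xED, 0x85, 0x79, 0x27, 0xBC };
    const uint64_t assumed_file_len = 200ULL * 1024 * 1024;  /* placeholder */
    const uint64_t first_frame = 135411855ULL;  /* FirstFrameLocation from dump */
    uint64_t size = 0;
    size_t n = ebml_read_size(size_field, sizeof size_field, &size);
    printf("size field: %zu bytes, declared size %llu\n", n, (unsigned long long)size);
    printf("accept payload: %d\n", ebml_binary_size_ok(size, assumed_file_len, first_frame));
    return 0;
}
```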