Bug#941559: libxvidcore4: immediately crashes on amd64 since binNMU
James Cowgill
jcowgill at debian.org
Wed Oct 2 00:45:17 BST 2019
Package: libxvidcore4
Version: 2:1.3.5-1
Severity: grave
Tags: sid bullseye
Hi,
Just over a month ago xvidcore was binNMUed, and this seems to have
triggered a bug somewhere: now any application which tries to
initialize libxvidcore will segfault.
Test app:
#include <stddef.h>
#include <xvid.h>

int main(void)
{
    xvid_gbl_init_t init = {
        .version = XVID_VERSION,
        .cpu_flags = 0,
        .debug = 0,
    };
    xvid_global(NULL, XVID_GBL_INIT, &init, NULL);
    return 0;
}
$ gcc -o xvid-test xvid-test.c -lxvidcore
$ ./xvid-test
Segmentation fault (core dumped)
The crash happens here:
Program received signal SIGSEGV, Segmentation fault.
0x00007ffff7f22940 in check_cpu_features () from /usr/lib/x86_64-linux-gnu/libxvidcore.so.4
(gdb) bt
#0 0x00007ffff7f22940 in check_cpu_features () from /usr/lib/x86_64-linux-gnu/libxvidcore.so.4
#1 0x00007ffff7e9c15b in detect_cpu_flags () at ../../src/xvid.c:156
#2 0x00007ffff7e9d265 in xvid_gbl_init (init=0x7fffffffdee4, init=0x7fffffffdee4) at ../../src/xvid.c:793
#3 xvid_global (handle=<optimized out>, opt=<optimized out>, param1=0x7fffffffdee4, param2=<optimized out>) at ../../src/xvid.c:816
#4 0x000055555555516d in main ()
This in turn seems to happen because the check_cpu_features function is
in a non-executable, read-only memory region.
$ /proc/4658/maps
[...]
7ffff7e87000-7ffff7e8b000 rw-p 00000000 00:00 0
7ffff7e8b000-7ffff7e8d000 r--p 00000000 fd:00 954232 /usr/lib/x86_64-linux-gnu/libxvidcore.so.4.3
7ffff7e8d000-7ffff7ef5000 r-xp 00002000 fd:00 954232 /usr/lib/x86_64-linux-gnu/libxvidcore.so.4.3
[vvv]
7ffff7ef5000-7ffff7f2b000 r--p 0006a000 fd:00 954232 /usr/lib/x86_64-linux-gnu/libxvidcore.so.4.3
[^^^]
7ffff7f2b000-7ffff7f2c000 r--p 0009f000 fd:00 954232 /usr/lib/x86_64-linux-gnu/libxvidcore.so.4.3
7ffff7f2c000-7ffff7f36000 rw-p 000a0000 fd:00 954232 /usr/lib/x86_64-linux-gnu/libxvidcore.so.4.3
7ffff7f36000-7ffff7fa1000 rw-p 00000000 00:00 0
[...]
Indeed, readelf shows some non-executable program headers in
2:1.3.5-1+b1 which do not appear in 2:1.3.5-1 in buster. The
".rotext" section sounds suspicious.
2:1.3.5-1+b1:
$ readelf -l /usr/lib/x86_64-linux-gnu/libxvidcore.so.4
[...]
Program Headers:
Type Offset VirtAddr PhysAddr
FileSiz MemSiz Flags Align
LOAD 0x0000000000000000 0x0000000000000000 0x0000000000000000
0x00000000000018a8 0x00000000000018a8 R 0x1000
LOAD 0x0000000000002000 0x0000000000002000 0x0000000000002000
0x00000000000673c9 0x00000000000673c9 R E 0x1000
LOAD 0x000000000006a000 0x000000000006a000 0x000000000006a000
0x0000000000035088 0x0000000000035088 R 0x1000
LOAD 0x000000000009fb90 0x00000000000a0b90 0x00000000000a0b90
0x00000000000098d0 0x0000000000073138 RW 0x1000
[...]
00 .note.gnu.build-id .gnu.hash .dynsym .dynstr .gnu.version .gnu.version_r .rela.dyn .rela.plt
01 .init .plt .plt.got .text .fini
02 .rodata .rotext .eh_frame_hdr .eh_frame
03 .init_array .fini_array .data.rel.ro .dynamic .got .data .bss
2:1.3.5-1:
$ readelf -l /usr/lib/x86_64-linux-gnu/libxvidcore.so.4
[...]
Program Headers:
Type Offset VirtAddr PhysAddr
FileSiz MemSiz Flags Align
LOAD 0x0000000000000000 0x0000000000000000 0x0000000000000000
0x000000000009da50 0x000000000009da50 R E 0x200000
LOAD 0x000000000009db90 0x000000000029db90 0x000000000029db90
0x00000000000098d0 0x0000000000073138 RW 0x200000
[...]
00 .note.gnu.build-id .gnu.hash .dynsym .dynstr .gnu.version .gnu.version_r .rela.dyn .rela.plt .init .plt .plt.got .text .fini .rodata .rotext .eh_frame_hdr .eh_frame
01 .init_array .fini_array .data.rel.ro .dynamic .got .data .bss
James
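An automated form of the diagnosis above (compare the function's address against the PT_LOAD flags) makes a useful check for any shared library after a rebuild or toolchain change. The script below is an added example, not code from the bug report or from xvidcore: it parses the ELF64 program headers and the .symtab/.dynsym symbol tables by hand and reports every defined FUNC symbol whose address is not covered by an executable (PF_X) LOAD segment. The image returned by build_sample_elf() is constructed to mirror the +b1 layout (an R E segment for .text followed by an R-only segment holding a function named check_cpu_features); the function names, addresses and file name used there are assumptions for the sample only. Run the script with a path argument to check a real library.

```python
"""Report defined function symbols that sit outside an executable PT_LOAD.

Added example (not part of the bug report or of xvidcore).  Handles
little-endian ELF64 only, which covers the amd64 case discussed here."""
import struct
import sys

PT_LOAD = 1
PF_X, PF_W, PF_R = 1, 2, 4
SHT_SYMTAB, SHT_STRTAB, SHT_DYNSYM = 2, 3, 11
STT_FUNC, STB_GLOBAL, SHN_UNDEF = 2, 1, 0

ELF_HDR = "<4sBBBBB7xHHIQQQIHHHHHH"   # full Elf64_Ehdr, 64 bytes
EHDR_TAIL = "<HHIQQQIHHHHHH"          # Elf64_Ehdr after e_ident (offset 16)
PHDR = "<IIQQQQQQ"                    # Elf64_Phdr, 56 bytes
SHDR = "<IIQQQQIIQQ"                  # Elf64_Shdr, 64 bytes
SYM = "<IBBHQQ"                       # Elf64_Sym, 24 bytes


def parse_elf64(data):
    """Return (program headers, symbols).  Symbols are read from every
    SHT_SYMTAB/SHT_DYNSYM section, so a stripped library still yields its
    exported (dynamic) symbols, but not its local ones."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("only little-endian ELF64 is handled")
    (_, _, _, _, e_phoff, e_shoff, _, _, e_phentsize, e_phnum,
     e_shentsize, e_shnum, _) = struct.unpack_from(EHDR_TAIL, data, 16)
    phdrs = []
    for i in range(e_phnum):
        p_type, p_flags, p_off, p_vaddr, _, p_filesz, p_memsz, _ = \
            struct.unpack_from(PHDR, data, e_phoff + i * e_phentsize)
        phdrs.append({"type": p_type, "flags": p_flags, "offset": p_off,
                      "vaddr": p_vaddr, "filesz": p_filesz, "memsz": p_memsz})
    shdrs = [struct.unpack_from(SHDR, data, e_shoff + i * e_shentsize)
             for i in range(e_shnum)]
    symbols = []
    for sh in shdrs:  # fields: name,type,flags,addr,offset,size,link,info,align,entsize
        if sh[1] not in (SHT_SYMTAB, SHT_DYNSYM):
            continue
        str_sh = shdrs[sh[6]]                        # sh_link -> string table
        strtab = data[str_sh[4]:str_sh[4] + str_sh[5]]
        entsize = sh[9] or struct.calcsize(SYM)
        for j in range(sh[5] // entsize):
            st_name, st_info, _, st_shndx, st_value, st_size = \
                struct.unpack_from(SYM, data, sh[4] + j * entsize)
            name = strtab[st_name:strtab.index(b"\0", st_name)]
            symbols.append({"name": name.decode("ascii", "replace"),
                            "type": st_info & 0xF, "shndx": st_shndx,
                            "value": st_value, "size": st_size})
    return phdrs, symbols


def flags_str(flags):
    """Render p_flags the way `readelf -l` prints them (R W E columns)."""
    return "".join(ch if flags & bit else " "
                   for bit, ch in ((PF_R, "R"), (PF_W, "W"), (PF_X, "E")))


def segment_for(phdrs, addr):
    """The PT_LOAD whose [p_vaddr, p_vaddr + p_memsz) covers addr, or None."""
    for p in phdrs:
        if p["type"] == PT_LOAD and p["vaddr"] <= addr < p["vaddr"] + p["memsz"]:
            return p
    return None


def functions_outside_exec_segments(data):
    """(name, addr, p_flags) for each defined FUNC symbol not in a PF_X LOAD;
    p_flags is None when no LOAD segment covers the address at all."""
    phdrs, symbols = parse_elf64(data)
    bad = []
    for s in symbols:
        if s["type"] != STT_FUNC or s["shndx"] == SHN_UNDEF:
            continue                                 # not a function / imported
        seg = segment_for(phdrs, s["value"])
        if seg is None or not seg["flags"] & PF_X:
            bad.append((s["name"], s["value"], None if seg is None else seg["flags"]))
    return bad


def build_sample_elf():
    """Constructed ET_DYN image mirroring the broken +b1 layout: an R E LOAD
    at 0x1000 and an R-only LOAD at 0x2000 that (wrongly) holds a function.
    The check never reads segment contents, so no segment bytes are emitted."""
    strtab = b"\0ok_func\0check_cpu_features\0"      # names at offsets 1 and 9
    shstrtab = b"\0.symtab\0.strtab\0.shstrtab\0"     # names at 1, 9 and 17
    info = (STB_GLOBAL << 4) | STT_FUNC
    symtab = b"".join([
        struct.pack(SYM, 0, 0, 0, SHN_UNDEF, 0, 0),   # mandatory null symbol
        struct.pack(SYM, 1, info, 0, 1, 0x1100, 16),  # ok_func, in the R E segment
        struct.pack(SYM, 9, info, 0, 1, 0x2100, 16),  # check_cpu_features, R only
    ])
    phdrs = b"".join([
        struct.pack(PHDR, PT_LOAD, PF_R | PF_X, 0x1000, 0x1000, 0x1000, 0x1000, 0x1000, 0x1000),
        struct.pack(PHDR, PT_LOAD, PF_R, 0x2000, 0x2000, 0x2000, 0x1000, 0x1000, 0x1000),
    ])
    ehdr_size = struct.calcsize(ELF_HDR)
    symtab_off = ehdr_size + len(phdrs)
    strtab_off = symtab_off + len(symtab)
    shstrtab_off = strtab_off + len(strtab)
    shoff = (shstrtab_off + len(shstrtab) + 7) & ~7   # section headers, 8-aligned
    shdrs = b"".join([
        bytes(struct.calcsize(SHDR)),                 # SHN_UNDEF entry
        struct.pack(SHDR, 1, SHT_SYMTAB, 0, 0, symtab_off, len(symtab), 2, 1, 8, struct.calcsize(SYM)),
        struct.pack(SHDR, 9, SHT_STRTAB, 0, 0, strtab_off, len(strtab), 0, 0, 1, 0),
        struct.pack(SHDR, 17, SHT_STRTAB, 0, 0, shstrtab_off, len(shstrtab), 0, 0, 1, 0),
    ])
    ehdr = struct.pack(ELF_HDR, b"\x7fELF", 2, 1, 1, 0, 0,   # ELFCLASS64, LSB, EV_CURRENT
                       3, 62, 1, 0, ehdr_size, shoff, 0,     # ET_DYN, EM_X86_64
                       ehdr_size, struct.calcsize(PHDR), 2, struct.calcsize(SHDR), 4, 3)
    body = ehdr + phdrs + symtab + strtab + shstrtab
    return body + bytes(shoff - len(body)) + shdrs


if __name__ == "__main__":
    # With a path: check that library.  Without one: check the constructed sample.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_elf()
    for name, addr, flags in functions_outside_exec_segments(data):
        where = "no LOAD segment" if flags is None else "LOAD flags '%s'" % flags_str(flags)
        print("%-30s 0x%x  %s" % (name, addr, where))
```

Run it as `python3 elf_exec_check.py /usr/lib/x86_64-linux-gnu/libxvidcore.so.4` (the script name is hypothetical) and any line it prints is a function the dynamic loader will map without PROT_EXEC, which is exactly the condition that produced the SIGSEGV in check_cpu_features above. The check is purely static: it trusts the PT_LOAD flags, so it cannot see code that a library later makes executable with mprotect, and on a stripped library it only sees the dynamic (exported) symbols.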