URL:
  <http://gna.org/bugs/?23633>

                 Summary: Short silence.ogg causes invalid memory access in libogg
                 Project: Battle for Wesnoth
            Submitted by: shadowmaster
            Submitted on: Wed 03 Jun 2015 02:42:23 AM CLT
                Category: Bug
                Severity: 5 - Blocker
                Priority: 7 - High
              Item Group:  None of the others
                  Status: None
                 Privacy: Public
             Assigned to: shadowmaster
        Originator Email: 
             Open/Closed: Open
         Discussion Lock: Any
                 Release: 1.11.18+dev, 1.12.2+dev, 1.13.0+dev
        Operating System: All (?)

    _______________________________________________________

Details:

Some time ago, I found out that playing mainline's silence.ogg as background
music would randomly cause segmentation faults while playing my add-on
campaign After the Storm with Wesnoth 1.11.18+dev. I determined that the
crashing code path was always the same, and discovered a workaround in the
form of a 40.0 KiB silence.ogg instead of mainline's 5.2 KiB file.

Since then, several bug reports pointing to sound-related crashes have come
up:

* Bug #23599
* Bug #23203
* Bug #23026
* http://forums.wesnoth.org/viewtopic.php?f=4&t=42429
* https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=780853

The silence.ogg case is particularly problematic because this is how music is
turned off in the MP lobby. It doesn't happen *all* the time, but the chances
it does increase considerably with optimized (-O3) builds, possibly due to a
timing issue. I'm tempted to say it's not a Wesnoth bug because it happens
with the attached standalone test program as well.

Example backtrace:


#0  0x00007fffed049cd3 in ogg_page_serialno (og=0x7fffffff9130) at
/home/shadowm/src/debian/4/libogg-1.3.2/src/framing.c:60
#1  0x00007ffff492d9c6 in ov_pcm_seek_page (vf=0x48641d8, pos=0) at
/home/shadowm/src/debian/4/libvorbis-1.3.4/lib/vorbisfile.c:1554
#2  0x00007ffff492dead in ov_pcm_seek (vf=0x48641d8, pos=0) at
/home/shadowm/src/debian/4/libvorbis-1.3.4/lib/vorbisfile.c:1674
#3  0x00007ffff492e550 in ov_time_seek (vf=0x48641d8, seconds=0) at
/home/shadowm/src/debian/4/libvorbis-1.3.4/lib/vorbisfile.c:1796
#4  0x00007ffff66d9c62 in OGG_jump_to_time (music=0x48641c0, time=0) at
/home/shadowm/src/debian/4/sdl-mixer1.2-1.2.12/music_ogg.c:230
#5  0x00007ffff66c2fcc in music_internal_position (position=0) at
/home/shadowm/src/debian/4/sdl-mixer1.2-1.2.12/music.c:1057
#6  0x00007ffff66c2dc2 in music_internal_play (music=0x44174c0, position=0) at
/home/shadowm/src/debian/4/sdl-mixer1.2-1.2.12/music.c:977
#7  0x00007ffff66c2ee3 in Mix_FadeInMusicPos (music=0x44174c0, loops=0, ms=0,
position=0) at /home/shadowm/src/debian/4/sdl-mixer1.2-1.2.12/music.c:1025
#8  0x00007ffff66c2f1a in Mix_FadeInMusic (music=0x44174c0, loops=1, ms=0) at
/home/shadowm/src/debian/4/sdl-mixer1.2-1.2.12/music.c:1032
#9  0x0000000000f55d8f in sound::music_thinker::process(events::pump_info&)
()
#10 0x0000000000ec784a in events::pump() ()
#11 0x00000000005d73b7 in mp::run_lobby_loop(display&, mp::ui&) ()
#12 0x00000000005dc288 in mp::start_client(game_display&, config const&,
saved_game&, std::string const&) ()
#13 0x00000000004d9459 in game_launcher::play_multiplayer() ()
#14 0x000000000044fedf in do_gameloop(std::vector<std::string,
std::allocator<std::string> > const&) ()
#15 0x000000000044e55e in main ()


With the test program:


#0  0x00007ffff1393cd3 in ogg_page_serialno (og=0x7fffefe4fab0) at
/home/shadowm/src/debian/4/libogg-1.3.2/src/framing.c:60
#1  0x00007fffeed8b9c6 in ov_pcm_seek_page (vf=0x6c69e8, pos=0) at
/home/shadowm/src/debian/4/libvorbis-1.3.4/lib/vorbisfile.c:1554
#2  0x00007fffeed8bead in ov_pcm_seek (vf=0x6c69e8, pos=0) at
/home/shadowm/src/debian/4/libvorbis-1.3.4/lib/vorbisfile.c:1674
#3  0x00007fffeed8c550 in ov_time_seek (vf=0x6c69e8, seconds=0) at
/home/shadowm/src/debian/4/libvorbis-1.3.4/lib/vorbisfile.c:1796
#4  0x00007ffff7ba4c62 in OGG_jump_to_time (music=0x6c69d0, time=0) at
/home/shadowm/src/debian/4/sdl-mixer1.2-1.2.12/music_ogg.c:230
#5  0x00007ffff7b8dfcc in music_internal_position (position=0) at
/home/shadowm/src/debian/4/sdl-mixer1.2-1.2.12/music.c:1057
#6  0x00007ffff7b8ddc2 in music_internal_play (music=0x6c47c0, position=0) at
/home/shadowm/src/debian/4/sdl-mixer1.2-1.2.12/music.c:977
#7  0x00007ffff7b8cb87 in music_halt_or_loop () at
/home/shadowm/src/debian/4/sdl-mixer1.2-1.2.12/music.c:215
#8  0x00007ffff7b8ce32 in music_mixer (udata=0x0, stream=0x6acbe0 "",
len=3760) at /home/shadowm/src/debian/4/sdl-mixer1.2-1.2.12/music.c:342
#9  0x00007ffff7b89925 in mix_channels (udata=0x0, stream=0x6acbe0 "",
len=3760) at /home/shadowm/src/debian/4/sdl-mixer1.2-1.2.12/mixer.c:304
#10 0x00007ffff78eeae9 in SDL_RunAudio (audiop=audiop@entry=0x69e4e0) at
/tmp/buildd/libsdl1.2-1.2.15/./src/audio/SDL_audio.c:198
#11 0x00007ffff78f72f8 in SDL_RunThread (data=0x670a80) at
/tmp/buildd/libsdl1.2-1.2.15/./src/thread/SDL_thread.c:204
#12 0x00007ffff7939e99 in RunThread (data=<optimized out>) at
/tmp/buildd/libsdl1.2-1.2.15/./src/thread/pthread/SDL_systhread.c:47
#13 0x00007ffff580b0a4 in start_thread (arg=0x7fffefe50700) at
/build/glibc-Ir_s5K/glibc-2.19/nptl/pthread_create.c:309
#14 0x00007ffff762004d in clone () at
/build/glibc-Ir_s5K/glibc-2.19/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:111


All sound files smaller than sounds/explosion.ogg (68.9 KiB) appear to trigger
this bug when used for music. I haven't been able to reproduce the other
aforementioned bugs except for bug #23599 / Debian bug #780853.

From a cursory glance at the crashing code in libogg, the culprit might be the
vorbisfile library since the data structure participating in the crash
originates from it (and not SDL_mixer or Wesnoth), but I can't say for sure
that it's not a bug in the ogg library itself since I don't really understand
how either component works.

Testing environment details:

* Current Debian testing stretch, though this also happened with jessie from
October 30 2014.
* Clang 3.4, GCC 4.9.2, GCC 5.1.1
* libogg 1.3.2 (1.3.2-1); both the Debian build and a custom -O0 build
* libvorbis, libvorbisfile 1.3.4 (1.3.4-2); both the Debian build and a custom
-O0 build
* SDL_mixer 1.2.12 (1.2.12-11+b1); both the Debian build and a custom -O0
build
* SDL 1.2.15 (1.2.15-11)
* GNU libc 2.19 (2.19-18)

Verified affected Wesnoth releases:

* 1.11.18+dev
* 1.12.2
* 1.12.2+dev
* 1.13.0-dev
* 1.13.0
* 1.13.0+dev




    _______________________________________________________

File Attachments:


-------------------------------------------------------
Date: Wed 03 Jun 2015 02:42:23 AM CLT  Name: mix_test_sdl_music_only.c  Size: 2kB   By: shadowmaster

<http://gna.org/bugs/download.php?file_id=24554>
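
Added example, not part of the report and not the attached test program: frame #0 of both backtraces is ogg_page_serialno(), which reads the little-endian serial number from bytes 14..17 of an Ogg page header, so the sketch below reads that same field only after checking that a complete page (RFC 3533 layout) is present in the buffer. It can be used to inspect the page structure of a short .ogg file during triage; it makes no claim about the root cause, and the function names and the sample page are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define OGG_FIXED_HEADER 27 /* bytes before the segment table (RFC 3533) */
/* Length of the complete Ogg page starting at buf, or 0 if the capture
 * pattern is wrong or the page is truncated. On success *serial receives
 * header bytes 14..17, the field ogg_page_serialno() reads. */
size_t ogg_page_at(const unsigned char *buf, size_t len, uint32_t *serial)
{
    if (buf == NULL || len < OGG_FIXED_HEADER ||
        memcmp(buf, "OggS", 4) != 0 || buf[4] != 0)
        return 0;
    size_t nsegs = buf[26], header_len = OGG_FIXED_HEADER + nsegs;
    if (len < header_len)            /* segment table cut short */
        return 0;
    size_t body_len = 0;
    for (size_t i = 0; i < nsegs; i++)
        body_len += buf[OGG_FIXED_HEADER + i];
    if (len - header_len < body_len) /* body cut short */
        return 0;
    if (serial != NULL)
        *serial = (uint32_t)buf[14] | ((uint32_t)buf[15] << 8) |
                  ((uint32_t)buf[16] << 16) | ((uint32_t)buf[17] << 24);
    return header_len + body_len;
}

/* Number of complete pages in buf; stops at the first bad page. */
size_t ogg_count_pages(const unsigned char *buf, size_t len)
{
    size_t n = 0, off = 0, page;
    while (off < len && (page = ogg_page_at(buf + off, len - off, NULL)) != 0) {
        off += page;
        n++;
    }
    return n;
}

/* Serial of the first page, or fallback when no complete page exists. */
uint32_t ogg_first_serial(const unsigned char *buf, size_t len, uint32_t fallback)
{
    uint32_t s = fallback;
    return ogg_page_at(buf, len, &s) ? s : fallback;
}

/* Constructed sample: one page, serial 0x11223344, one 3-byte segment. */
static const unsigned char sample_page[] = {
    'O','g','g','S', 0, 0x02, 0,0,0,0,0,0,0,0, /* magic, version, flags, granule */
    0x44,0x33,0x22,0x11, 0,0,0,0, 0,0,0,0, 1, 3, 0xAA,0xBB,0xCC /* serial.. body */
};
```

The page CRC (bytes 22..25) is not verified here, so a page that passes these checks can still be corrupt.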
