Skip to content
GitLab
Open
Issue created by Bugzilla Migration User@bugzilla-migration

theora_parse_chain segfaults on zero length buffer (gsttheoraparse.c)

Submitted by Cy

Link to original bug (#793500)

Description

I'm not sure why gst_pad_push_data is pushing an empty 0-length buffer to theora_parse_chain, but the latter fails to deal with it properly, segfaulting instead of ignoring it, or erroring out. theora_parse_chain calls gst_buffer_map without checking the return value, then tries to access map.data[0] without checking whether map.data is NULL.

gst_buffer_map itself returns FALSE when the buffer's length is zero (in g_return_val_if_fail) and then checks again for some reason, zeroing out the GstMapInfo structure if the buffer's length is zero, then returning TRUE. I'm not sure if the second code branch is ever reached under any circumstances, but it'd probably be good to check if mem.data is NULL, even if gst_buffer_map returns TRUE.

Version: 1.12.4