audiovisualizer: shader: Fix dframe out of bound write (!1751) · Merge requests · GStreamer / gstreamer

Sebastian Gross requested to merge s3b.gr0ss/gstreamer:Fix-gstaudiovisualizer-OOB-write into main Feb 20, 2022

shader_fade_and_move_horiz_out writes a complete stride at the end of its size.

For the pipeline

  gst-launch-1.0 \
	audiotestsrc num-buffers=1 '!' spectrascope shader=6 '!' fakesink

this led to SIGSEGV since the stride reached into sframe->map[0]->memory which could not be umpapped.

gdb output of the dest pointer "d" after last iteration

  (gdb) p dframe->map[0]->data + dframe->map[0]->size
  $3 = (guint8 *) 0x7ffff004c160 ""

  (gdb) p sframe->map[0]->memory
  $9 = (GstMemory *) 0x7ffff004c4b0

  (gdb) p d
  $11 = (guint8 *) 0x7ffff004c160 "\364\364", <incomplete sequence \364>

  (gdb) x/16w 0x7ffff004c4b0
  0x7ffff004c4b0: 16119285    16119285    16119285    16119285
  0x7ffff004c4c0: 16119285    16119285    16119285    16119285
  0x7ffff004c4d0: 16119285    16119285    16119285    16119285
  0x7ffff004c4e0: 16119285    16119285    16119285    16119285

This is due to d is increased twice. Once at the end of the upper loop and at the start of the lower loop. The corresponding dframe stride is therefore skipped.

Rewind d and start at the correct position.

Signed-off-by: Sebastian Groß s3b.gr0ss@gmail.com

Edited Feb 20, 2022 by Sebastian Gross

Admin message

audiovisualizer: shader: Fix dframe out of bound write

Merge request reports