Segmentation fault in resampler
- PipeWire version (`pipewire --version`): pipewire, Compiled with libpipewire 0.3.43, Linked with libpipewire 0.3.43 (git d33779cd)
- Distribution and distribution version (`PRETTY_NAME` from `/etc/os-release`): Manjaro Linux
- Desktop Environment: Xfce
- Kernel version (`uname -r`): 5.15.12-1-MANJARO
Description of Problem:
An application (specifically the Looking Glass client) is occasionally crashing on resample.c:909 (`memcpy(dst_datas[i], src_datas[i], len * sizeof(float));`) with a segmentation fault. It's possible this is an application fault, but the crash occurs in a PipeWire thread, so I'm taking a punt and assuming this is a PipeWire problem.
The crash traces back to line 895 (`out_len = (maxsize - outport->offset) / sizeof(float);`). `maxsize` is 4096 and `outport->offset` is 19200. This results in `out_len` underflowing, and the `memcpy` tries to write out of bounds.
I can make the crash go away by setting `out_len` to 0 if the value would underflow; I don't know whether this is an appropriate fix though.
How Reproducible:
I can reproduce it quite readily, although the conditions are quite obscure.
Steps to Reproduce:
- Play some audio inside the Looking Glass client. (FYI Looking Glass is an application which provides a view into a virtual machine. Looking Glass captures audio from the VM and plays it back via PipeWire.)
- Play and pause something several times in the Spotify desktop app (running on the host, not the virtual machine). Looking Glass will eventually crash with the following stack trace when Spotify is paused:
```
#0  0x00007ffff7569576 in __memmove_avx_unaligned_erms () from /usr/lib/libc.so.6
#1  0x00007fffd8073df0 in impl_node_process (object=0x7fffc87d9130) at ../spa/plugins/audioconvert/resample.c:909
#2  0x00007fffd8042b3f in impl_node_process (object=<optimized out>) at ../spa/plugins/audioconvert/audioconvert.c:1210
#3  impl_node_process (object=0x7fffc87b0418) at ../spa/plugins/audioconvert/audioconvert.c:1196
#4  0x00007fffd803699f in impl_node_process (object=0x7fffc87b0038) at ../spa/plugins/audioconvert/audioadapter.c:1289
#5  0x00007ffff7a3f621 in process_node (data=0x7fffec05d470) at ../src/pipewire/impl-node.c:1063
#6  0x00007ffff7a3dd88 in node_on_fd_events (source=<optimized out>) at ../src/pipewire/impl-node.c:1121
#7  0x00007ffff1ab457b in loop_iterate (object=0x7fffec04c698, timeout=<optimized out>) at ../spa/plugins/support/loop.c:337
#8  0x00007ffff7a1c0bb in do_loop (user_data=0x7fffec043180) at ../src/pipewire/data-loop.c:81
#9  0x00007ffff79a7259 in start_thread () from /usr/lib/libpthread.so.0
#10 0x00007ffff75045e3 in clone () from /usr/lib/libc.so.6
```
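As an added illustration of the arithmetic the report describes (this is example code written for this page, not code from PipeWire or from the reporter), the following C program reproduces the unsigned wrap-around with the reported values (`maxsize` = 4096, `outport->offset` = 19200), shows the clamped variant the reporter used as a workaround beside it, and adds a 64-bit bounds check in front of the `memcpy` so the out-of-bounds write is refused instead of crashing. It assumes the operands are `uint32_t` and that the copy length is the smaller of the input length and `out_len`; the function names, the `process_port` simulation and the 512-sample input block are constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Unchecked form of the length computation quoted in the report:
 *   out_len = (maxsize - outport->offset) / sizeof(float);
 * Operand types are assumed to be uint32_t here (an assumption for this
 * example). When offset > maxsize the subtraction wraps to a value near 2^32
 * instead of going negative, so out_len becomes enormous. */
uint32_t out_len_unchecked(uint32_t maxsize, uint32_t offset)
{
    uint32_t remaining = maxsize - offset;      /* wraps when offset > maxsize */
    return remaining / (uint32_t)sizeof(float);
}

/* Clamped form, mirroring the reporter's workaround: a cursor at or past the
 * end of the buffer means no room is left, so report zero floats of space.
 * Whether this is the right upstream fix is not settled by the report. */
uint32_t out_len_clamped(uint32_t maxsize, uint32_t offset)
{
    if (offset >= maxsize)
        return 0;
    return (maxsize - offset) / (uint32_t)sizeof(float);
}

/* Number of floats a pass-through copy moves: the smaller of the input length
 * and the output space. With the wrapped out_len the input length always wins,
 * so the destination never limits the copy. */
uint32_t copy_len(uint32_t in_len, uint32_t out_len)
{
    return in_len < out_len ? in_len : out_len;
}

/* Bounds-check a write of `len` floats at byte `offset` into a `maxsize`-byte
 * buffer. Done in 64-bit arithmetic so the check itself cannot wrap.
 * Returns 1 if the write stays inside the buffer (a zero-length copy is always fine). */
int copy_fits(uint32_t maxsize, uint32_t offset, uint32_t len)
{
    if (len == 0)
        return 1;
    uint64_t end = (uint64_t)offset + (uint64_t)len * sizeof(float);
    return end <= (uint64_t)maxsize;
}

/* Simulated output port: copy `in_len` floats from `src` into `dst` at byte
 * `offset`, using either length formula, but refuse (return -1) rather than
 * write out of bounds. Returns the number of floats copied otherwise. */
int process_port(float *dst, uint32_t maxsize, uint32_t offset,
                 const float *src, uint32_t in_len, int clamp)
{
    uint32_t out_len = clamp ? out_len_clamped(maxsize, offset)
                             : out_len_unchecked(maxsize, offset);
    uint32_t len = copy_len(in_len, out_len);
    if (!copy_fits(maxsize, offset, len))
        return -1;            /* the unchecked path lands here for the report's values */
    if (len == 0)
        return 0;             /* nothing to write; avoid forming a past-the-end pointer */
    memcpy((char *)dst + offset, src, (size_t)len * sizeof(float));
    return (int)len;
}

/* Runs one scenario on a scratch 4096-byte buffer with a constructed
 * 512-sample input block and returns process_port's result. */
int run_case(uint32_t offset, int clamp)
{
    static float dst[1024];   /* 4096 bytes, the maxsize from the report */
    static float src[512];
    for (uint32_t i = 0; i < 512; i++)
        src[i] = (float)i;
    memset(dst, 0, sizeof dst);
    return process_port(dst, 4096, offset, src, 512, clamp);
}

int main(void)
{
    printf("unchecked out_len = %u floats\n", out_len_unchecked(4096, 19200));
    printf("clamped   out_len = %u floats\n", out_len_clamped(4096, 19200));
    printf("unchecked copy at 19200: %d\n", run_case(19200, 0));
    printf("clamped   copy at 19200: %d\n", run_case(19200, 1));
    printf("clamped   copy at 1024:  %d\n", run_case(1024, 1));
    return 0;
}
```

With the reported values the unchecked formula yields 1073738048 floats of "space", so `copy_len` returns the full input length and the only thing standing between the caller and a write at byte 19200 of a 4096-byte buffer is the `copy_fits` check; the clamped formula yields 0 and the copy is skipped entirely, which is the behaviour the reporter observed when forcing `out_len` to 0.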