#166 faad2 SEGV on AAC raw payload

Group: None
Status: closed-out-of-date
Owner: nobody
Labels: None
Priority: 5
Updated: 2017-08-16
Created: 2010-06-10
Private: No

We're using the GStreamer faad plugin for decoding LOAS/LATM AAC audio that comes from an MPEG2-TS source. We noticed that faad2 did not handle LOAS/LATM AAC, so we added a parser that extracts the payloads and gives them directly to faad (which is basically what GStreamer does, along with syncing).

This approach has worked and we were able to extract AAC raw payloads from a LOAS/LATM sample. However, on one of our LOAS/LATM samples faad was SEGV'ing when decoding the raw payloads. Here's the valgrind backtrace:

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0xb63d6b70 (LWP 13408)]
ifilter_bank (fb=0x8199f18, window_sequence=0 '\000', window_shape=0 '\000', window_shape_prev=0 '\000', freq_in=0xb63cf3f0, time_out=0x0, overlap=0x0, object_type=2 '\002', frame_len=1024) at filtbank.c:223
223 time_out[i] = overlap[i] + MUL_F(transf_buf[i],window_long_prev[i]);

(gdb) bt
#0 ifilter_bank (fb=0x8199f18, window_sequence=0 '\000', window_shape=0 '\000', window_shape_prev=0 '\000', freq_in=0xb63cf3f0, time_out=0x0, overlap=0x0, object_type=2 '\002', frame_len=1024) at filtbank.c:223
#1 0xb5b8e929 in reconstruct_single_channel (hDecoder=0x8213990, ics=0xb63d0c50, sce=0xb63d0c4a, spec_data=0xb63d044a) at specrec.c:1014
#2 0xb5b91373 in single_lfe_channel_element (hDecoder=<value optimized out>, ld=0xb63d5ef4, channel=48 '0', tag=0xb63d5e4f "") at syntax.c:631
#3 0xb5b914d2 in decode_sce_lfe (hDecoder=0x8213990, hInfo=0xb63d6014, ld=0xb63d5ef4, id_syn_ele=0 '\000') at syntax.c:351
#4 0xb5b91d4d in raw_data_block (hDecoder=0x8213990, hInfo=0xb63d6014, ld=0xb63d5ef4, pce=0x8214009, drc=0x81c4608) at syntax.c:458
#5 0xb5b835be in aac_frame_decode (hDecoder=<value optimized out>, hInfo=0x1, buffer=0xaf500570 "\001\064\064\034\314kJ\035\204\202\024\f6\245", buffer_size=158, sample_buffer2=0x0, sample_buffer_size=0) at decoder.c:965
#6 0xb6c56b93 in gst_faad_chain (pad=0x820b0c8, buffer=0x81bce40) at gstfaad.c:1865

We investigated the issue and realized that decode_sce_lfe() was being called multiple times (exactly 48 times) and, following the call chain, reconstruct_single_channel() was accessing an unallocated index of hDecoder->time_out and hDecoder->overlap, thus giving NULL to ifilter_bank().

We don't know if this is the correct approach, but we managed to circumvent the issue by making decode_sce_lfe() use the current channel element, instead of the total number of channels:

RCS file: /cvsroot/faac/faad2/libfaad/syntax.c,v
retrieving revision 1.93
diff -r1.93 syntax.c
329c329
< uint8_t channels = hDecoder->fr_channels;
---
> uint8_t channels = hDecoder->fr_ch_ele;
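Review bot: the one-line swap at syntax.c:329 changes which counter is used as the channel index but still leaves that index unchecked, so the path shown in the backtrace (channel=48, time_out=0x0, overlap=0x0 handed to ifilter_bank()) remains reachable for any frame whose element count exceeds the channel buffers the decoder has allocated. Suggest pairing the change with an explicit check in decode_sce_lfe() that returns an error when `channels` is not below the number of allocated channels, so reconstruct_single_channel() never indexes hDecoder->time_out and hDecoder->overlap with an out-of-range value. Also worth verifying on streams that mix SCE and CPE elements: a channel pair element carries two channels, so hDecoder->fr_ch_ele and the channel index can diverge, and indexing by element count may then map a single channel element onto the wrong buffer.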

We'd gladly help fix this issue. We're also wondering whether this LOAS/LATM support should be merged into faad instead of GStreamer. Your feedback on this matter will be appreciated.

I'm also attaching the payload that causes the issue.
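The failure mode described in this ticket, a per-channel buffer lookup that runs past the allocated channel slots and hands NULL to the filter bank, is easy to reproduce in miniature. The following is an added example and not faad2 code: it models the decoder's per-channel time_out/overlap arrays, the element-by-element decode loop of a raw_data_block, and the bounds check whose absence the backtrace shows. All names here (chan_decoder, alloc_channel, decode_sce, run_frame, MAX_CHANNELS) are hypothetical stand-ins for the faad2 internals named in the report.

```c
/* Added example, not faad2 code: a minimal model of the per-channel buffer
 * lookup that crashed in reconstruct_single_channel(), with the bounds check
 * that the backtrace shows was missing. All names below are hypothetical. */
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>

#define FRAME_LEN    1024
#define MAX_CHANNELS 8      /* assumption: number of channel slots the decoder holds */

typedef struct {
    float   *time_out[MAX_CHANNELS];  /* per-channel output, NULL until allocated */
    float   *overlap[MAX_CHANNELS];   /* per-channel overlap, NULL until allocated */
    uint8_t  fr_channels;             /* channels decoded so far in this frame */
    uint8_t  fr_ch_ele;               /* channel elements decoded so far in this frame */
} chan_decoder;

/* Allocate the buffers for channel slot ch. Returns 0 on success, -1 on failure. */
static int alloc_channel(chan_decoder *d, unsigned ch)
{
    if (ch >= MAX_CHANNELS)
        return -1;
    d->time_out[ch] = calloc(FRAME_LEN, sizeof(float));
    d->overlap[ch]  = calloc(FRAME_LEN, sizeof(float));
    return (d->time_out[ch] && d->overlap[ch]) ? 0 : -1;
}

static void free_decoder(chan_decoder *d)
{
    for (unsigned ch = 0; ch < MAX_CHANNELS; ch++) {
        free(d->time_out[ch]);
        free(d->overlap[ch]);
    }
}

/* Stand-in for ifilter_bank(): overlap-add into time_out, then keep this
 * frame's spectrum as the next overlap. It dereferences both pointers on
 * every sample, so it must never be handed NULL. */
static void filter_bank(const float *freq_in, float *time_out, float *overlap)
{
    for (unsigned i = 0; i < FRAME_LEN; i++) {
        time_out[i] = overlap[i] + freq_in[i];
        overlap[i]  = freq_in[i];
    }
}

/* Decode one single-channel element into slot ch. The ticket's crash came
 * from passing time_out[ch] / overlap[ch] straight to the filter bank for a
 * ch beyond the allocated slots; here the index is validated first and a
 * malformed frame is rejected with -1 instead of being dereferenced. */
static int decode_sce(chan_decoder *d, unsigned ch, const float *freq_in)
{
    if (ch >= MAX_CHANNELS || d->time_out[ch] == NULL || d->overlap[ch] == NULL)
        return -1;
    filter_bank(freq_in, d->time_out[ch], d->overlap[ch]);
    d->fr_channels++;
    d->fr_ch_ele++;
    return 0;
}

/* Run a raw_data_block made of n_elements SCEs against a decoder that has
 * allocated `allocated` channel slots. Returns how many elements were decoded
 * before the first rejection (n_elements when the frame fits the decoder),
 * or -1 if the requested slots could not be allocated. */
int run_frame(unsigned n_elements, unsigned allocated)
{
    chan_decoder d = {0};
    float freq_in[FRAME_LEN];            /* constructed spectrum: all ones */
    for (unsigned i = 0; i < FRAME_LEN; i++)
        freq_in[i] = 1.0f;

    for (unsigned ch = 0; ch < allocated; ch++) {
        if (alloc_channel(&d, ch) != 0) {
            free_decoder(&d);
            return -1;
        }
    }

    int decoded = 0;
    for (unsigned e = 0; e < n_elements; e++) {
        /* index by the running channel count, as syntax.c:329 did */
        if (decode_sce(&d, d.fr_channels, freq_in) != 0)
            break;
        decoded++;
    }
    free_decoder(&d);
    return decoded;
}

int main(void)
{
    /* The ticket's frame: 48 SCEs against a decoder sized for 2 channels. */
    int n = run_frame(48, 2);
    printf("decoded %d of 48 elements, the rest rejected\n", n);
    return 0;
}
```

With the check in place the 48-element frame from the report stops cleanly after the two allocated channels instead of crashing; the same check would also reject any frame whose element count and the decoder's channel configuration disagree, which is the condition a fuzzed or corrupted LATM payload tends to produce.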

Discussion

  • Krzysztof Nikiel

    Is it still an issue?
    It looks like there was some LATM patch committed in 2008.
    If you could send some more patches that would be great.

  • Krzysztof Nikiel

    • status: open --> closed-out-of-date
    • Group: -->
