From: SourceForge.net <no...@so...> - 2004-07-12 20:08:08
Bugs item #923843, was opened at 2004-03-26 13:10
Message generated for change (Comment added) made by mroi
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=109655&aid=923843&group_id=9655

Category: DVD related problem
Group: None
Status: Open
Resolution: None
Priority: 5
Submitted By: Andres Garcia Garcia (fandom)
Assigned to: Michael Roitzsch (mroi)
Summary: UI crashes with unencrypted DVD

Initial Comment:
I have a Philips DVD recorder that can record TV shows on DVD+RW. When I try to play them with Xine, the latest version offered by plf in Mandrake, the UI crashes, but I can watch them using Totem, which I think uses the same libraries, so it is likely to be a UI problem.

If you need it, I can send you a recorded DVD for testing.

----------------------------------------------------------------------

>Comment By: Michael Roitzsch (mroi)
Date: 2004-07-12 22:08

Message:
Logged In: YES
user_id=552060

The bounds check is actually not a real fix, but only a workaround. The real bug might be hidden somewhere else, since the memory buffer should be large enough to never overrun, even without the extra check.

Therefore I attached a new patch, which will print some debug output to console. Could you please revert the previous patches, apply the debug patch, rebuild and post the output here? Thanks.

----------------------------------------------------------------------

Comment By: Darren Salt (dsalt)
Date: 2004-07-11 19:48

Message:
Logged In: YES
user_id=294680

The bounds check patch appears to stop the segfaults :-)

The field size patch doesn't seem to make any difference here on any of the DVD+RWs which I've tried (I put in a printf; no output from it), although I'd probably apply it anyway just in case.

----------------------------------------------------------------------

Comment By: Andres Garcia Garcia (fandom)
Date: 2004-07-11 18:45

Message:
Logged In: YES
user_id=316500

Works for me, thank you very much.
----------------------------------------------------------------------

Comment By: Michael Roitzsch (mroi)
Date: 2004-07-11 13:53

Message:
Logged In: YES
user_id=552060

Problem seen and understood. Somehow the subpicture decoding is overrunning the allocated space for the overlay's RLE elements. The DVD recorder seems to record rather odd subpictures.

I attached two patches, could you try them both and tell us which one works (maybe even both work)?

----------------------------------------------------------------------

Comment By: Darren Salt (dsalt)
Date: 2004-07-05 00:08

Message:
Logged In: YES
user_id=294680

Malloc-related crashes are fun. ;-)

My build of libxine is patched for vdr-xine 0.4.1 and correct CD/DVD drive accessibility checking.

valgrind output is below (mutter, grumble, no attachment option). Not sure that it's of much help, though :-|

--
Memcheck, a memory error detector for x86-linux.
Copyright (C) 2002-2004, and GNU GPL'd, by Julian Seward.
Using valgrind-2.1.1, a program supervision framework for x86-linux.
Copyright (C) 2000-2004, and GNU GPL'd, by Julian Seward.
My PID = 18009, parent PID = 14001. Prog and args are:
   ./src/gxine
   dvd:/
For more details, rerun with: -v

warning: Valgrind's pthread_getschedparam is incomplete
         your program may misbehave as a result

Syscall param write(buf) contains uninitialised or unaddressable byte(s)
   at 0x3C000C02: (within /lib/ld-2.3.2.so)
   by 0x3C792E0F: (within /usr/X11R6/lib/libX11.so.6.2)
   by 0x3C7939FE: _X11TransWrite (in /usr/X11R6/lib/libX11.so.6.2)
   by 0x3C773261: (within /usr/X11R6/lib/libX11.so.6.2)
 Address 0x3C929A60 is 128 bytes inside a block of size 2048 alloc'd
   at 0x3C01FC03: calloc (vg_replace_malloc.c:141)
   by 0x3C76509C: XOpenDisplay (in /usr/X11R6/lib/libX11.so.6.2)
   by 0x3C45BF81: gdk_display_open (in /usr/lib/libgdk-x11-2.0.so.0.400.3)
   by 0x3C43BB55: gdk_display_open_default_libgtk_only (in /usr/lib/libgdk-x11-2.0.so.0.400.3)

Syscall param writev(vector[...]) contains uninitialised or unaddressable byte(s)
   at 0x3C000C02: (within /lib/ld-2.3.2.so)
 Address 0x3C929A62 is 130 bytes inside a block of size 2048 alloc'd
   at 0x3C01FC03: calloc (vg_replace_malloc.c:141)
   by 0x3C76509C: XOpenDisplay (in /usr/X11R6/lib/libX11.so.6.2)
   by 0x3C45BF81: gdk_display_open (in /usr/lib/libgdk-x11-2.0.so.0.400.3)
   by 0x3C43BB55: gdk_display_open_default_libgtk_only (in /usr/lib/libgdk-x11-2.0.so.0.400.3)

Syscall param sigaction(act) contains uninitialised or unaddressable byte(s)
   at 0x3C000C02: (within /lib/ld-2.3.2.so)
   by 0xFFF: ???
 Address 0x4FFFDDAC is on thread 1's stack

Syscall param sigaction(act) contains uninitialised or unaddressable byte(s)
   at 0x3C000C02: (within /lib/ld-2.3.2.so)
   by 0x7: ???
 Address 0x4FFFE2BC is on thread 1's stack

pthread_mutex_lock/trylock: mutex has invalid owner
   at 0x3C127DBF: pthread_mutex_lock (vg_libpthread.c:1160)
   by 0x3C12CF87: _IO_flockfile (vg_libpthread.c:3181)
   by 0x3C52354A: pango_read_line (in /usr/lib/libpango-1.0.so.0.399.1)
   by 0x3C5122A1: (within /usr/lib/libpango-1.0.so.0.399.1)

warning: Valgrind's pthread_attr_destroy does nothing
         your program may misbehave as a result
warning: Valgrind's pthread_attr_destroy does nothing
         your program may misbehave as a result
warning: Valgrind's pthread_attr_getschedparam is incomplete
         your program may misbehave as a result
warning: Valgrind's pthread_attr_setschedparam does nothing
         (scheduling not changeable)
         your program may misbehave as a result
warning: Valgrind's pthread_attr_destroy does nothing
         your program may misbehave as a result
warning: Valgrind's pthread_attr_getschedparam is incomplete
         your program may misbehave as a result
warning: Valgrind's pthread_attr_setschedparam does nothing
         (scheduling not changeable)
         your program may misbehave as a result

pthread_mutex_lock/trylock: mutex has invalid owner
   at 0x3C127DBF: pthread_mutex_lock (vg_libpthread.c:1160)
   by 0x3C12CF87: _IO_flockfile (vg_libpthread.c:3181)
   by 0x3C52354A: pango_read_line (in /usr/lib/libpango-1.0.so.0.399.1)
   by 0x3C24F27E: (within /usr/lib/libgtk-x11-2.0.so.0.400.3)

Thread 11:
Syscall param socketcall.accept(addrlen_in) contains uninitialised or unaddressable byte(s)
   at 0x3C000C02: (within /lib/ld-2.3.2.so)
   by 0x806ED56: socket_listener (server.c:162)
   by 0x3C127110: thread_wrapper (vg_libpthread.c:837)
   by 0xB800FACC: do__quit (vg_scheduler.c:1792)
 Address 0x3F657A98 is on thread 11's stack

Thread 10:
Conditional jump or move depends on uninitialised value(s)
   at 0x3C5C6E9C: g_utf8_validate (in /usr/lib/libglib-2.0.so.0.400.2)
   by 0x3C51A855: pango_layout_set_text (in /usr/lib/libpango-1.0.so.0.399.1)
   by 0x80655E2: paint_bar (infobar.c:57)
   by 0x80656E1: infobar_line1 (infobar.c:93)

Thread 10:
Conditional jump or move depends on uninitialised value(s)
   at 0x3C5C6FB5: g_utf8_validate (in /usr/lib/libglib-2.0.so.0.400.2)
   by 0x3C51A855: pango_layout_set_text (in /usr/lib/libpango-1.0.so.0.399.1)
   by 0x80655E2: paint_bar (infobar.c:57)
   by 0x80656E1: infobar_line1 (infobar.c:93)

Warning: noted but unhandled ioctl 0x5390 with no size/direction hints
   This could cause spurious value errors to appear.
   See README_MISSING_SYSCALL_OR_IOCTL for guidance on writing a proper wrapper.

Thread 5:
Use of uninitialised value of size 16
   at 0x3C05B4D7: sse_memcpy (memcpy.c:209)
   by 0x3F7840ED: spudec_decode_nav (spu.c:224)
   by 0x3F7852B5: spudec_decode_data (xine_decoder.c:117)
   by 0x3C046DD2: video_decoder_loop (video_decoder.c:412)

Thread 5:
Use of uninitialised value of size 16
   at 0x3C05B4DB: sse_memcpy (memcpy.c:209)
   by 0x3F7840ED: spudec_decode_nav (spu.c:224)
   by 0x3F7852B5: spudec_decode_data (xine_decoder.c:117)
   by 0x3C046DD2: video_decoder_loop (video_decoder.c:412)

Thread 5:
Use of uninitialised value of size 16
   at 0x3C05B4DF: sse_memcpy (memcpy.c:209)
   by 0x3F7840ED: spudec_decode_nav (spu.c:224)
   by 0x3F7852B5: spudec_decode_data (xine_decoder.c:117)
   by 0x3C046DD2: video_decoder_loop (video_decoder.c:412)

Thread 5:
Use of uninitialised value of size 16
   at 0x3C05B4D4: sse_memcpy (memcpy.c:209)
   by 0x3F7840ED: spudec_decode_nav (spu.c:224)
   by 0x3F7852B5: spudec_decode_data (xine_decoder.c:117)
   by 0x3C046DD2: video_decoder_loop (video_decoder.c:412)

Thread 5:
Invalid write of size 2
   at 0x3F784D82: spudec_draw_picture (spu.c:821)
   by 0x3F78471B: spudec_process (spu.c:484)
   by 0x3F7853C3: spudec_decode_data (xine_decoder.c:150)
   by 0x3C046DD2: video_decoder_loop (video_decoder.c:412)
 Address 0x3DBD1200 is 0 bytes after a block of size 13328 alloc'd
   at 0x3C01F40D: malloc (vg_replace_malloc.c:105)
   by 0x3F784D00: spudec_draw_picture (spu.c:792)
   by 0x3F78471B: spudec_process (spu.c:484)
   by 0x3F7853C3: spudec_decode_data (xine_decoder.c:150)

Thread 5:
Invalid write of size 2
   at 0x3F784D8A: spudec_draw_picture (spu.c:822)
   by 0x3F78471B: spudec_process (spu.c:484)
   by 0x3F7853C3: spudec_decode_data (xine_decoder.c:150)
   by 0x3C046DD2: video_decoder_loop (video_decoder.c:412)
 Address 0x3DBD1202 is 2 bytes after a block of size 13328 alloc'd
   at 0x3C01F40D: malloc (vg_replace_malloc.c:105)
   by 0x3F784D00: spudec_draw_picture (spu.c:792)
   by 0x3F78471B: spudec_process (spu.c:484)
   by 0x3F7853C3: spudec_decode_data (xine_decoder.c:150)

--18009-- INTERNAL ERROR: Valgrind received a signal 11 (SIGSEGV) - exiting
--18009-- si_code=1 Fault EIP: 0xB802AE0E; Faulting address: 0x2F

valgrind: the `impossible' happened:
   Killed by fatal signal
Basic block ctr is approximately 96850000
   at 0xB802FB60: vgPlain_core_panic (vg_mylibc.c:1230)
   by 0xB802FB5F: panic (vg_mylibc.c:1226)
   by 0xB802FB80: vgPlain_core_panic (vg_mylibc.c:1231)
   by 0xB803653A: vg_sync_signalhandler (vg_signals.c:1756)

sched status:

Thread 1: status = WaitSys, associated_mx = 0x0, associated_cv = 0x0
   at 0x3C000C02: (within /lib/ld-2.3.2.so)
   by 0x3C5A5CEF: (within /usr/lib/libglib-2.0.so.0.400.2)
   by 0x3C5A63B2: g_main_loop_run (in /usr/lib/libglib-2.0.so.0.400.2)
   by 0x3C26AE82: gtk_main (in /usr/lib/libgtk-x11-2.0.so.0.400.3)

Thread 2: status = WaitCV, associated_mx = 0x3D2C039C, associated_cv = 0x3D2C03B4
   at 0x3C128410: pthread_cond_timedwait (vg_libpthread.c:1350)
   by 0x3C03F48D: metronom_sync_loop (metronom.c:873)
   by 0x3C127110: thread_wrapper (vg_libpthread.c:837)
   by 0xB800FACC: do__quit (vg_scheduler.c:1792)

Thread 3: status = WaitSys, associated_mx = 0x0, associated_cv = 0x0
   at 0x3C000C02: (within /lib/ld-2.3.2.so)
   by 0x3C05C124: xine_usec_sleep (utils.c:408)
   by 0x3C049558: video_out_loop (video_out.c:1091)
   by 0x3C127110: thread_wrapper (vg_libpthread.c:837)

Thread 4: status = WaitCV, associated_mx = 0x3DA9D38C, associated_cv = 0x3DA9D3A4
   at 0x3C1281DF: pthread_cond_wait (vg_libpthread.c:1314)
   by 0x3C04A4DF: fifo_remove_int (audio_out.c:337)
   by 0x3C04A597: fifo_remove (audio_out.c:374)
   by 0x3C04B527: ao_loop (audio_out.c:929)

Thread 5: status = Runnable, associated_mx = 0x0, associated_cv = 0x0
   at 0x3C01FC03: calloc (vg_replace_malloc.c:141)
   by 0x3C05BEEF: xine_xmalloc (utils.c:237)
   by 0x3C04E839: video_overlay_add_event (video_overlay.c:291)
   by 0x3F784875: spudec_process (spu.c:534)

Thread 6: status = Runnable, associated_mx = 0x0, associated_cv = 0x0
   at 0x3C1281DF: pthread_cond_wait (vg_libpthread.c:1314)
   by 0x3C041AC7: fifo_buffer_get (buffer.c:233)
   by 0x3C04733A: audio_decoder_loop (audio_decoder.c:68)
   by 0x3C127110: thread_wrapper (vg_libpthread.c:837)

Thread 7: status = WaitSys, associated_mx = 0x0, associated_cv = 0x0
   at 0x3C000C02: (within /lib/ld-2.3.2.so)
   by 0x3C773E00: _XRead (in /usr/X11R6/lib/libX11.so.6.2)
   by 0x3C773A53: _XReadEvents (in /usr/X11R6/lib/libX11.so.6.2)
   by 0x3C764D1F: XNextEvent (in /usr/X11R6/lib/libX11.so.6.2)

Thread 8: status = WaitCV, associated_mx = 0x3F0F18BC, associated_cv = 0x3F0F18D4
   at 0x3C1281DF: pthread_cond_wait (vg_libpthread.c:1314)
   by 0x3C04DD4F: xine_event_wait (events.c:56)
   by 0x3C04E132: listener_loop (events.c:198)
   by 0x3C127110: thread_wrapper (vg_libpthread.c:837)

Thread 9: status = WaitJoiner, associated_mx = 0x0, associated_cv = 0x0
   at 0x3C126F42: thread_exit_wrapper (vg_libpthread.c:731)
   by 0x3C12765D: pthread_exit (vg_libpthread.c:952)
   by 0x80735C9: lirc_run (lirc.c:66)
   by 0x3C127110: thread_wrapper (vg_libpthread.c:837)

Thread 11: status = WaitSys, associated_mx = 0x0, associated_cv = 0x0
   at 0x3C000C02: (within /lib/ld-2.3.2.so)
   by 0x806ED56: socket_listener (server.c:162)
   by 0x3C127110: thread_wrapper (vg_libpthread.c:837)
   by 0xB800FACC: do__quit (vg_scheduler.c:1792)

Thread 12: status = WaitSys, associated_mx = 0x0, associated_cv = 0x0
   at 0x3C000C02: (within /lib/ld-2.3.2.so)
   by 0x3C05C124: xine_usec_sleep (utils.c:408)
   by 0x3D36A6A2: dvd_plugin_read_block (input_dvd.c:740)
   by 0x3D4B6E57: demux_mpeg_block_parse_pack (demux_mpeg_block.c:191)

Note: see also the FAQ.txt in the source distribution.
It contains workarounds to several common problems.

If that doesn't help, please report this bug to: valgrind.kde.org

In the bug report, send all the above text, the valgrind version, and what Linux distro you are using. Thanks.

----------------------------------------------------------------------

Comment By: Miguel Freitas (miguelfreitas)
Date: 2004-07-04 20:04

Message:
Logged In: YES
user_id=148691

Malloc crash is almost surely a heap corruption indication. Could you try running xine with valgrind?

http://valgrind.kde.org/

In case you experience trouble using valgrind, you can post an image of a DVD generated by the Philips recorder and we will be able to debug it.

----------------------------------------------------------------------

Comment By: Darren Salt (dsalt)
Date: 2004-07-03 18:11

Message:
Logged In: YES
user_id=294680

I'm seeing the same here, also with DVD+RWs with recordings made by a Philips DVD recorder. I'm using xine-lib 1-rc5 (locally packaged since it's not yet hit Debian unstable) and gxine 0.3.3, although AFAICS the front end shouldn't matter for this.

Sending XINE_EVENT_INPUT_MENU2 causes a segfault, as does trying to move past the last recording on the first page (recordings beyond this *are* playable, but I have to skip through some preceding recordings).

With the MENU2 event, I've been able to get the following backtrace:

#0  0x40671d45 in mallopt () from /lib/libc.so.6
#1  0x40671703 in calloc () from /lib/libc.so.6
#2  0x4004def0 in xine_xmalloc (size=140) at utils.c:237
#3  0x4004083a in video_overlay_add_event (this_gen=0x41601008, event_gen=0x40a7da2c) at video_overlay.c:291
#4  0x40a78876 in spudec_process (this=0x40a7c008, stream_id=0) at spu.c:534
#5  0x40a793c4 in spudec_decode_data (this_gen=0x40a7c008, buf=0x40a7c008) at xine_decoder.c:150
#6  0x40038dd3 in video_decoder_loop (stream_gen=0x86b6e68) at video_decoder.c:412
#7  0x40111e51 in pthread_start_thread () from /lib/libpthread.so.0
#8  0x40111ecf in pthread_start_thread_event () from /lib/libpthread.so.0
#9  0x406d769a in clone () from /lib/libc.so.6

----------------------------------------------------------------------

Comment By: Miguel Freitas (miguelfreitas)
Date: 2004-06-03 14:07

Message:
Logged In: YES
user_id=148691

Please rebuild xine with debug information, this will help us identify where and why it crashed.

To rebuild xine-lib and xine-ui with debug information, unpack the tarball and execute the following commands:

$ ./configure
$ make clean
$ make debug
$ make install-debug

Then run xine from gdb:

$ gdb xine

Try to reproduce the crash.

Program received signal SIGSEGV, Segmentation fault.
[....]

Type:

(gdb) thread apply all bt

It will print the stack trace for all threads. Paste it into the bug entry.

----------------------------------------------------------------------

Comment By: Miguel Freitas (miguelfreitas)
Date: 2004-06-03 14:07

Message:
Logged In: YES
user_id=148691

The libdvdread message looks interesting, but it might be unrelated.

Can you get a backtrace?
(see canned response)

----------------------------------------------------------------------

Comment By: Andres Garcia Garcia (fandom)
Date: 2004-06-03 01:10

Message:
Logged In: YES
user_id=316500

I tried with the daily rpm you make available and it still crashes. In the console I get the following messages:

Esto es xine (gui X11) - un reproductor de vídeo libre v0.99.1.
(c) 2000-2004 The xine Team.
libdvdnav: Using dvdnav version 1-rc4a from http://xine.sf.net
libdvdread: Using libdvdcss version 1.2.8 for DVD access
libdvdnav: DVD Title:
libdvdnav: DVD Serial Number:
libdvdnav: DVD Title (Alternative): *Philips DVD Video
libdvdnav: Unable to find map file '/home/andres/.dvdnav/.map'
libdvdnav: DVD disk reports itself with Region mask 0x00000000. Regions: 1 2 3 4 5 6 7 8
libdvdread: Attempting to retrieve all CSS keys
libdvdread: This can take a _long_ time, please be patient
libdvdread: Get key for /VIDEO_TS/VIDEO_TS.VOB at 0x00002000
libdvdread: Elapsed time 0
libdvdread: Get key for /VIDEO_TS/VTS_01_1.VOB at 0x00004000
libdvdread: Elapsed time 0
libdvdread: Found 1 VTS's
libdvdread: Elapsed time 0
libdvdnav: Language 'en' not found, using 'ÿÿ' instead
libdvdnav: Menu Languages available: ÿÿ

*** libdvdread: CHECK_VALUE failed in nav_read.c:356 ***
*** for dsi->dsi_gi.zero1 == 0 ***

*** libdvdread: CHECK_VALUE failed in nav_read.c:356 ***
*** for dsi->dsi_gi.zero1 == 0 ***

----------------------------------------------------------------------

Comment By: Miguel Freitas (miguelfreitas)
Date: 2004-06-01 23:44

Message:
Logged In: YES
user_id=148691

Please try the latest xine-lib and xine-ui versions. They can be downloaded from:

http://xinehq.de/index.php/releases

----------------------------------------------------------------------
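Added example, not part of the tracker thread and not code from xine's spu.c: a stand-alone decoder for DVD-style nibble-coded subpicture RLE that checks the output capacity before every element write, which is the kind of bounds check discussed above for the overrun of the overlay's RLE elements. The names rle_elem_t, nib_reader_t and decode_rle and the sample byte strings are constructed for illustration, and picture widths are assumed to fit in 16 bits.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* One decoded run; this layout is an assumption made for the example. */
typedef struct { uint16_t len, color; } rle_elem_t;
typedef struct { const uint8_t *buf; size_t size, nib; } nib_reader_t;

/* Fetch the next 4-bit nibble; fails instead of reading past the input. */
static int next_nibble(nib_reader_t *r, unsigned *out) {
    size_t byte = r->nib >> 1;
    if (byte >= r->size) return -1;
    *out = (r->nib & 1) ? (r->buf[byte] & 0x0fu) : (unsigned)(r->buf[byte] >> 4);
    r->nib++;
    return 0;
}

/* Decode width x height pixels into out[0..cap). Returns the element count,
 * or -1 on truncated input or when the stream needs more than cap elements. */
long decode_rle(const uint8_t *in, size_t in_size, unsigned width,
                unsigned height, rle_elem_t *out, size_t cap) {
    static const unsigned limit[3] = { 0x4, 0x10, 0x40 };
    nib_reader_t r = { in, in_size, 0 };
    size_t n = 0;
    for (unsigned y = 0; y < height; y++) {
        for (unsigned x = 0; x < width; ) {
            unsigned code = 0, nib = 0, len;
            if (next_nibble(&r, &code)) return -1;
            /* Codes are 1 to 4 nibbles; a small value means "read more". */
            for (int i = 0; i < 3 && code < limit[i]; i++) {
                if (next_nibble(&r, &nib)) return -1;
                code = (code << 4) | nib;
            }
            len = code >> 2;                  /* low 2 bits are the colour */
            if (len == 0 || len > width - x) len = width - x; /* 0: to end of line */
            if (n >= cap) return -1;          /* never write past the block */
            out[n++] = (rle_elem_t){ (uint16_t)len, (uint16_t)(code & 3) };
            x += len;
        }
        r.nib = (r.nib + 1) & ~(size_t)1;     /* each line starts byte-aligned */
    }
    return (long)n;
}

/* Constructed samples for an 8-pixel-wide picture. */
static const uint8_t two_lines[] = { 0xD1, 0x60, 0x00, 0x03 }; /* 3 runs */
static const uint8_t odd_line[]  = { 0x44, 0x44, 0x44, 0x44 }; /* 8 runs */

int main(void) {
    rle_elem_t out[4];
    printf("%ld %ld\n", decode_rle(two_lines, 4, 8, 2, out, 4),
           decode_rle(odd_line, 4, 8, 1, out, 4));
    return 0;
}
```

The second sample encodes one run per pixel, so a buffer sized for fewer runs than pixels is rejected with -1 rather than written past its end.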