wavparse: Fix crash that occurs in push mode when header chunks are corrupted

in certain ways. In the case that a test is provided for, the size of the `fmt ` chunk is changed from 16 bytes to 18 bytes (bytes 17 - 20 below): ``` $ hexdump -C corruptheadertestsrc.wav 00000000 52 49 46 46 e4 fd 00 00 57 41 56 45 66 6d 74 20 |RIFF....WAVEfmt | 00000010 12 00 00 00 01 00 01 00 80 3e 00 00 00 7d 00 00 |.........>...}..| 00000020 02 00 10 00 64 61 74 61 |....data| 00000028 ``` (Note that the original file is much larger. This was the smallest sub-file I could find that would generate the crash.) Note that, while the same issue doesn't cause a crash in pull mode, there's a different issue in that the file is processed successfully as if it was a .wav file with zero samples. Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/3173>
2024-12-18 06:16:36 +00:00 · 2022-10-13 00:20:45 +00:00 · 2022-10-13 00:20:45 +00:00 · 4e03c5f885
commit 4e03c5f885
parent 11436be268
3 changed files with 59 additions and 13 deletions
--- a/subprojects/gst-plugins-good/gst/wavparse/gstwavparse.c
+++ b/subprojects/gst-plugins-good/gst/wavparse/gstwavparse.c
@ -2498,20 +2498,32 @@ gst_wavparse_sink_event (GstPad * pad, GstObject * parent, GstEvent * event)
      break;
    }
    case GST_EVENT_EOS:
-      if (wav->state == GST_WAVPARSE_START || !wav->caps) {
+      if (!wav->caps) {
        GST_ELEMENT_ERROR (wav, STREAM, WRONG_TYPE, (NULL),
            ("No valid input found before end of stream"));
      } else {
-        /* add pad if needed so EOS is seen downstream */
-        if (G_UNLIKELY (wav->first)) {
-          wav->first = FALSE;
-          gst_wavparse_add_src_pad (wav, NULL);
+        switch (wav->state) {
+          case GST_WAVPARSE_START:
+            GST_ELEMENT_ERROR (wav, STREAM, WRONG_TYPE, (NULL),
+                ("No valid input found before end of stream"));
+            break;
+          case GST_WAVPARSE_HEADER:
+            GST_ELEMENT_ERROR (wav, STREAM, DEMUX, (NULL),
+                ("No audio data chunk found before end of stream"));
+            break;
+          case GST_WAVPARSE_DATA:
+            /* add pad if needed so EOS is seen downstream */
+            if (G_UNLIKELY (wav->first)) {
+              wav->first = FALSE;
+              gst_wavparse_add_src_pad (wav, NULL);
+            }
+            /* stream leftover data in current segment */
+            gst_wavparse_flush_data (wav);
+            break;
+          default:
+            g_assert_not_reached ();
        }
-
-        /* stream leftover data in current segment */
-        gst_wavparse_flush_data (wav);
      }
-
      /* fall-through */
    case GST_EVENT_FLUSH_STOP:
    {
--- a/subprojects/gst-plugins-good/tests/check/elements/wavparse.c
+++ b/subprojects/gst-plugins-good/tests/check/elements/wavparse.c
@ -21,10 +21,12 @@

 #include <gst/check/gstcheck.h>

+#define CORRUPT_HEADER_WAV_PATH GST_TEST_FILES_PATH G_DIR_SEPARATOR_S \
+    "corruptheadertestsrc.wav"
 #define SIMPLE_WAV_PATH GST_TEST_FILES_PATH G_DIR_SEPARATOR_S "audiotestsrc.wav"

 static GstElement *
-create_pipeline (GstPadMode mode)
+create_file_pipeline (const char *path, GstPadMode mode)
 {
  GstElement *pipeline;
  GstElement *src, *q = NULL;
@ -43,7 +45,7 @@ create_pipeline (GstPadMode mode)

  gst_bin_add_many (GST_BIN (pipeline), src, wavparse, fakesink, q, NULL);

-  g_object_set (src, "location", SIMPLE_WAV_PATH, NULL);
+  g_object_set (src, "location", path, NULL);

  if (mode == GST_PAD_MODE_PUSH)
    fail_unless (gst_element_link_many (src, q, wavparse, fakesink, NULL));
@ -60,7 +62,7 @@ do_test_simple_file (GstPadMode mode)
  GstElement *pipeline;
  GstMessage *msg;

-  pipeline = create_pipeline (mode);
+  pipeline = create_file_pipeline (SIMPLE_WAV_PATH, mode);

  ret = gst_element_set_state (pipeline, GST_STATE_PLAYING);
  fail_unless_equals_int (ret, GST_STATE_CHANGE_ASYNC);
@ -92,6 +94,37 @@ GST_START_TEST (test_simple_file_push)

 GST_END_TEST;

+static void
+do_test_corrupt_header_file (GstPadMode mode)
+{
+  GstStateChangeReturn ret;
+  GstElement *pipeline;
+  GstMessage *msg;
+
+  pipeline = create_file_pipeline (CORRUPT_HEADER_WAV_PATH, mode);
+
+  ret = gst_element_set_state (pipeline, GST_STATE_PLAYING);
+  fail_unless_equals_int (ret, GST_STATE_CHANGE_ASYNC);
+
+  ret = gst_element_get_state (pipeline, NULL, NULL, GST_CLOCK_TIME_NONE);
+  fail_unless_equals_int (ret, GST_STATE_CHANGE_FAILURE);
+
+  msg = gst_bus_timed_pop_filtered (GST_ELEMENT_BUS (pipeline),
+      GST_CLOCK_TIME_NONE, GST_MESSAGE_EOS | GST_MESSAGE_ERROR);
+  fail_unless_equals_int (GST_MESSAGE_TYPE (msg), GST_MESSAGE_ERROR);
+
+  gst_message_unref (msg);
+  gst_element_set_state (pipeline, GST_STATE_NULL);
+  gst_object_unref (pipeline);
+}
+
+GST_START_TEST (test_corrupt_header_file_push)
+{
+  do_test_corrupt_header_file (GST_PAD_MODE_PUSH);
+}
+
+GST_END_TEST;
+
 static void
 do_test_empty_file (gboolean can_activate_pull)
 {
@ -166,7 +199,7 @@ GST_START_TEST (test_seek)
  GstClockTime seek_position = (20 * GST_MSECOND);
  GstClockTime first_ts = GST_CLOCK_TIME_NONE;

-  pipeline = create_pipeline (GST_PAD_MODE_PULL);
+  pipeline = create_file_pipeline (SIMPLE_WAV_PATH, GST_PAD_MODE_PULL);
  wavparse = gst_bin_get_by_name (GST_BIN (pipeline), "wavparse");
  fail_unless (wavparse);
  fakesink = gst_bin_get_by_name (GST_BIN (pipeline), "fakesink");
@ -248,6 +281,7 @@ wavparse_suite (void)
  suite_add_tcase (s, tc_chain);
  tcase_add_test (tc_chain, test_empty_file_pull);
  tcase_add_test (tc_chain, test_empty_file_push);
+  tcase_add_test (tc_chain, test_corrupt_header_file_push);
  tcase_add_test (tc_chain, test_simple_file_pull);
  tcase_add_test (tc_chain, test_simple_file_push);
  tcase_add_test (tc_chain, test_seek);
--- a/subprojects/gst-plugins-good/tests/files/corruptheadertestsrc.wav
+++ b/subprojects/gst-plugins-good/tests/files/corruptheadertestsrc.wav