From 4e03c5f88548295589cb358fd047838ef5d5c6ec Mon Sep 17 00:00:00 2001
From: Devin Anderson
Date: Thu, 13 Oct 2022 00:20:45 +0000
Subject: [PATCH] wavparse: Fix crash that occurs in push mode when header chunks are corrupted in certain ways.
In the case that a test is provided for, the size of the `fmt ` chunk is changed from 16 bytes to 18 bytes (bytes 17 - 20 below):
```
$ hexdump -C corruptheadertestsrc.wav
00000000 52 49 46 46 e4 fd 00 00 57 41 56 45 66 6d 74 20 |RIFF....WAVEfmt |
00000010 12 00 00 00 01 00 01 00 80 3e 00 00 00 7d 00 00 |.........>...}..|
00000020 02 00 10 00 64 61 74 61 |....data|
00000028
```
(Note that the original file is much larger. This was the smallest sub-file I could find that would generate the crash.)
Note that, while the same issue doesn't cause a crash in pull mode, there's a different issue in that the file is processed successfully as if it was a .wav file with zero samples.
Part-of:
---
 .../gst/wavparse/gstwavparse.c | 30 +++++++++----
 .../tests/check/elements/wavparse.c | 42 ++++++++++++++++--
 .../tests/files/corruptheadertestsrc.wav | Bin 0 -> 40 bytes
 3 files changed, 59 insertions(+), 13 deletions(-)
 create mode 100755 subprojects/gst-plugins-good/tests/files/corruptheadertestsrc.wav
diff --git a/subprojects/gst-plugins-good/gst/wavparse/gstwavparse.c b/subprojects/gst-plugins-good/gst/wavparse/gstwavparse.c
index 3c171e2d0b..3f3e1926c3 100644
--- a/subprojects/gst-plugins-good/gst/wavparse/gstwavparse.c
+++ b/subprojects/gst-plugins-good/gst/wavparse/gstwavparse.c
@@ -2498,20 +2498,32 @@ gst_wavparse_sink_event (GstPad * pad, GstObject * parent, GstEvent * event)
 break;
 }
 case GST_EVENT_EOS:
- if (wav->state == GST_WAVPARSE_START || !wav->caps) {
+ if (!wav->caps) {
 GST_ELEMENT_ERROR (wav, STREAM, WRONG_TYPE, (NULL),
 ("No valid input found before end of stream"));
 } else {
- /* add pad if needed so EOS is seen downstream */
- if (G_UNLIKELY (wav->first)) {
- wav->first = FALSE;
- gst_wavparse_add_src_pad (wav, NULL);
+ switch (wav->state) {
+ case GST_WAVPARSE_START:
+ GST_ELEMENT_ERROR (wav, STREAM, WRONG_TYPE, (NULL),
+ ("No valid input found before end of stream"));
+ break;
+ case GST_WAVPARSE_HEADER:
+ GST_ELEMENT_ERROR (wav, STREAM, DEMUX, (NULL),
+ ("No audio data chunk found before end of stream"));
+ break;
+ case GST_WAVPARSE_DATA:
+ /* add pad if needed so EOS is seen downstream */
+ if (G_UNLIKELY (wav->first)) {
+ wav->first = FALSE;
+ gst_wavparse_add_src_pad (wav, NULL);
+ }
+ /* stream leftover data in current segment */
+ gst_wavparse_flush_data (wav);
+ break;
+ default:
+ g_assert_not_reached ();
 }
-
- /* stream leftover data in current segment */
- gst_wavparse_flush_data (wav);
 }
-
 /* fall-through */
 case GST_EVENT_FLUSH_STOP:
 {
diff --git a/subprojects/gst-plugins-good/tests/check/elements/wavparse.c b/subprojects/gst-plugins-good/tests/check/elements/wavparse.c
index 89e988b1e2..153fb5e09f 100644
--- a/subprojects/gst-plugins-good/tests/check/elements/wavparse.c
+++ b/subprojects/gst-plugins-good/tests/check/elements/wavparse.c
@@ -21,10 +21,12 @@
 #include
+#define CORRUPT_HEADER_WAV_PATH GST_TEST_FILES_PATH G_DIR_SEPARATOR_S \
+ "corruptheadertestsrc.wav"
 #define SIMPLE_WAV_PATH GST_TEST_FILES_PATH G_DIR_SEPARATOR_S "audiotestsrc.wav"
 static GstElement *
-create_pipeline (GstPadMode mode)
+create_file_pipeline (const char *path, GstPadMode mode)
 {
 GstElement *pipeline;
 GstElement *src, *q = NULL;
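Review bot: The `default:` arm of the new `switch (wav->state)` relies on `g_assert_not_reached ()`, which aborts the whole process in assert-enabled builds and compiles to nothing when GLib assertions are disabled (`G_DISABLE_ASSERT`), so an unexpected state is either a crash or silently ignored in a parser that handles untrusted files. Posting an element error would keep the failure mode the same as the other arms: `default: GST_ELEMENT_ERROR (wav, STREAM, FAILED, (NULL), ("Unexpected parser state at end of stream")); break;`. The `GST_WAVPARSE_START` arm repeats the `!wav->caps` message verbatim and looks reachable only if caps are set before the state leaves START, so a short comment saying why it is kept would help. Every arm still falls through into `GST_EVENT_FLUSH_STOP`, whose body, like the rest of `gst_wavparse_sink_event`, lies outside the hunk.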
@@ -43,7 +45,7 @@ create_pipeline (GstPadMode mode)
 gst_bin_add_many (GST_BIN (pipeline), src, wavparse, fakesink, q, NULL);
- g_object_set (src, "location", SIMPLE_WAV_PATH, NULL);
+ g_object_set (src, "location", path, NULL);
 if (mode == GST_PAD_MODE_PUSH)
 fail_unless (gst_element_link_many (src, q, wavparse, fakesink, NULL));
@@ -60,7 +62,7 @@ do_test_simple_file (GstPadMode mode)
 GstElement *pipeline;
 GstMessage *msg;
- pipeline = create_pipeline (mode);
+ pipeline = create_file_pipeline (SIMPLE_WAV_PATH, mode);
 ret = gst_element_set_state (pipeline, GST_STATE_PLAYING);
 fail_unless_equals_int (ret, GST_STATE_CHANGE_ASYNC);
@@ -92,6 +94,37 @@ GST_START_TEST (test_simple_file_push)
 GST_END_TEST;
+static void
+do_test_corrupt_header_file (GstPadMode mode)
+{
+ GstStateChangeReturn ret;
+ GstElement *pipeline;
+ GstMessage *msg;
+
+ pipeline = create_file_pipeline (CORRUPT_HEADER_WAV_PATH, mode);
+
+ ret = gst_element_set_state (pipeline, GST_STATE_PLAYING);
+ fail_unless_equals_int (ret, GST_STATE_CHANGE_ASYNC);
+
+ ret = gst_element_get_state (pipeline, NULL, NULL, GST_CLOCK_TIME_NONE);
+ fail_unless_equals_int (ret, GST_STATE_CHANGE_FAILURE);
+
+ msg = gst_bus_timed_pop_filtered (GST_ELEMENT_BUS (pipeline),
+ GST_CLOCK_TIME_NONE, GST_MESSAGE_EOS | GST_MESSAGE_ERROR);
+ fail_unless_equals_int (GST_MESSAGE_TYPE (msg), GST_MESSAGE_ERROR);
+
+ gst_message_unref (msg);
+ gst_element_set_state (pipeline, GST_STATE_NULL);
+ gst_object_unref (pipeline);
+}
+
+GST_START_TEST (test_corrupt_header_file_push)
+{
+ do_test_corrupt_header_file (GST_PAD_MODE_PUSH);
+}
+
+GST_END_TEST;
+
 static void
 do_test_empty_file (gboolean can_activate_pull)
 {
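Review bot: `do_test_corrupt_header_file` accepts any `GST_MESSAGE_ERROR`, so it cannot tell the new "no data chunk" DEMUX error apart from the WRONG_TYPE errors the same EOS handler posts, or from an error raised by another element in the pipeline. Checking the error domain and code right after the `GST_MESSAGE_TYPE` assertion would tie the test to the fix. The code below assumes the push-mode path posts `GST_STREAM_ERROR_DEMUX` for this file, which should be confirmed by running it. Both waits use `GST_CLOCK_TIME_NONE`, so a regression that posts nothing would presumably surface as a hang until the harness times out rather than as an assertion failure.

```c
  GError *err = NULL;
  /* … unchanged: pipeline setup, state changes and bus pop … */
  fail_unless_equals_int (GST_MESSAGE_TYPE (msg), GST_MESSAGE_ERROR);
  /* Require the "no data chunk" demux error rather than any error. */
  gst_message_parse_error (msg, &err, NULL);
  fail_unless (g_error_matches (err, GST_STREAM_ERROR,
          GST_STREAM_ERROR_DEMUX));
  g_error_free (err);
```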
@@ -166,7 +199,7 @@ GST_START_TEST (test_seek)
 GstClockTime seek_position = (20 * GST_MSECOND);
 GstClockTime first_ts = GST_CLOCK_TIME_NONE;
- pipeline = create_pipeline (GST_PAD_MODE_PULL);
+ pipeline = create_file_pipeline (SIMPLE_WAV_PATH, GST_PAD_MODE_PULL);
 wavparse = gst_bin_get_by_name (GST_BIN (pipeline), "wavparse");
 fail_unless (wavparse);
 fakesink = gst_bin_get_by_name (GST_BIN (pipeline), "fakesink");
@@ -248,6 +281,7 @@ wavparse_suite (void)
 suite_add_tcase (s, tc_chain);
 tcase_add_test (tc_chain, test_empty_file_pull);
 tcase_add_test (tc_chain, test_empty_file_push);
+ tcase_add_test (tc_chain, test_corrupt_header_file_push);
 tcase_add_test (tc_chain, test_simple_file_pull);
 tcase_add_test (tc_chain, test_simple_file_push);
 tcase_add_test (tc_chain, test_seek);
diff --git a/subprojects/gst-plugins-good/tests/files/corruptheadertestsrc.wav b/subprojects/gst-plugins-good/tests/files/corruptheadertestsrc.wav
new file mode 100755
index 0000000000000000000000000000000000000000..f8aa22c96d8df324ae58430ef30d5b22049ac7b0
GIT binary patch
literal 40
scmWIYbaQ+1mw_SNG0ZhBw?sjRfq{V$2pjBxj9LZ;CI$h9l*E!m0MNDwo&W#<
literal 0
HcmV?d00001
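Review bot: Only `test_corrupt_header_file_push` is registered in `wavparse_suite`, while the commit message says pull mode still accepts this file as a valid stream with zero samples, and nothing in the suite records that known gap. A comment next to the registration would keep it visible, for example `/* TODO: pull mode treats corruptheadertestsrc.wav as an empty stream; add test_corrupt_header_file_pull once it errors out */`. The fixture is also added with `new file mode 100755`; a data file does not need the executable bit, so `100644` would be the expected mode. `wavparse_suite` begins and ends outside the hunk.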