ogg123 segfaults, backtrace hints to libvorbis (#479) · Issues · Xiph.Org / Vorbis

ogg123 segfaults, backtrace hints to libvorbis

After a while of listening to a Vorbis stream, ogg123 became "sick" and the 
input buffer was hovering around 0.5-1%. A little later, during a song change, 
it segfaulted. Here's the backtrace:

#0  0xdbae358 in decode_packed_entry_number (book=0x3c0ce3c8, b=0x3c076a48)
    at /usr/ports/mystuff/audio/libvorbis/w-libvorbis-1.0.1-debug/libvorbis-1.0.
1/lib/codebook.c:345
345         if(book->dec_codelengths[lo]<=read){
#1  0xdbae128 in vorbis_book_decodevv_add (book=0x3c0ce3c8, a=0xcfbfcc0c,
    offset=416, ch=2, b=0x3c076a48, n=32)
    at /usr/ports/mystuff/audio/libvorbis/w-libvorbis-1.0.1-debug/libvorbis-1.0.
1/lib/codebook.c:460
460         entry = decode_packed_entry_number(book,b);
#2  0xdbaaa31 in res2_inverse (vb=0x3c076a44, vl=0x3c013a40, in=0xcfbfcc0c,
    nonzero=0xcfbfcbfc, ch=2)
    at /usr/ports/mystuff/audio/libvorbis/w-libvorbis-1.0.1-debug/libvorbis-1.0.
1/lib/res0.c:859
859                 if(vorbis_book_decodevv_add(stagebook,in,
#3  0xdbac7d8 in mapping0_inverse (vb=0x3c076a44, l=0x3c09b000)
    at /usr/ports/mystuff/audio/libvorbis/w-libvorbis-1.0.1-debug/libvorbis-1.0.
1/lib/mapping0.c:702
#4  0xdb9d706 in vorbis_synthesis (vb=0x3c076a44, op=0xcfbfcd24)
    at /usr/ports/mystuff/audio/libvorbis/w-libvorbis-1.0.1-debug/libvorbis-1.0.
1/lib/synthesis.c:76
#5  0xa53eb8f in _fetch_and_process_packet (vf=0x3c076800, op_in=0x0, readp=1,
    spanp=1)
    at /usr/ports/mystuff/audio/libvorbis/w-libvorbis-1.0.1-debug/libvorbis-1.0.
1/lib/vorbisfile.c:484
#6  0xa541a1f in ov_read (vf=0x3c076800, buffer=0x3c005fa0 "¡", length=3072,
    bigendianp=0, word=2, sgned=1, bitstream=0x3c076ac8)
    at /usr/ports/mystuff/audio/libvorbis/w-libvorbis-1.0.1-debug/libvorbis-1.0.
1/lib/vorbisfile.c:1545
#7  0x1c007417 in ovf_read (decoder=0x3c013540, ptr=0x3c005fa0, nbytes=3072,
    eos=0xcfbfce8c, audio_fmt=0xcfbfcea0) at oggvorbis_format.c:139
#8  0x1c006ec2 in play (
    source_string=0x3c013480 "http://pandora.hrz.tu-chemnitz.de:8000/kolaradio.
ogg") at ogg123.c:525
#9  0x1c006b81 in main (argc=2, argv=0xcfbfcfb4) at ogg123.c:389
#10 0x1c0035a1 in ___start ()
#11 0x1c003517 in __start ()
#12 0xcfbfd100 in ?? ()

The icecast server in charge was -kh10 from Karl Heyes, which also had problems 
(something about NULL pointers, I think we/he could find the problem and fix it)
... so it is possible that the server sent some junk to ogg123, however, I 
believe that this is no valid reason for ogg123 or the vorbis libs to segfault.

The issue might be quite subtle since I compiled everything with certain 
malloc() settings in malloc.conf for testing. The options I use are 'AGZ'. From 
malloc.conf(3):

<snip>
     A       ``Abort''.  malloc() will coredump the process, rather than tol-
             erate failure.  This is a very handy debugging aid, since the
             core file will represent the time of failure, rather than when
             the null pointer was accessed.
[...]
     G       Enable guard pages and chunk randomization.  Each page size or
             larger allocation is followed by a guard page that will cause a
             segmentation fault upon any access.  Smaller than page size
             chunks are returned in a random order.
(this is unique to OpenBSD, as far as I know)
[...]
     Z       ``Zero''.  Fill some junk into the area allocated (see J), except
             for the exact length the user asked for, which is zeroed.
[...]
     The J and Z flags are mostly for testing and debugging.  If a program
     changes behavior if either of these options are used, it is buggy.

     The default cache size is 16 pages.
</snip>

Please let me know if I can help with further gdb output. The OS I am using is a 
very recent version of OpenBSD 3.4-current on i386.


Moritz

```
After a while of listening to a Vorbis stream, ogg123 became "sick" and the 
input buffer was hovering around 0.5-1%. A little later, during a song change, 
it segfaulted. Here's the backtrace:

#0  0xdbae358 in decode_packed_entry_number (book=0x3c0ce3c8, b=0x3c076a48)
    at /usr/ports/mystuff/audio/libvorbis/w-libvorbis-1.0.1-debug/libvorbis-1.0.
1/lib/codebook.c:345
345         if(book->dec_codelengths[lo]<=read){
#1  0xdbae128 in vorbis_book_decodevv_add (book=0x3c0ce3c8, a=0xcfbfcc0c,
    offset=416, ch=2, b=0x3c076a48, n=32)
    at /usr/ports/mystuff/audio/libvorbis/w-libvorbis-1.0.1-debug/libvorbis-1.0.
1/lib/codebook.c:460
460         entry = decode_packed_entry_number(book,b);
#2  0xdbaaa31 in res2_inverse (vb=0x3c076a44, vl=0x3c013a40, in=0xcfbfcc0c,
    nonzero=0xcfbfcbfc, ch=2)
    at /usr/ports/mystuff/audio/libvorbis/w-libvorbis-1.0.1-debug/libvorbis-1.0.
1/lib/res0.c:859
859                 if(vorbis_book_decodevv_add(stagebook,in,
#3  0xdbac7d8 in mapping0_inverse (vb=0x3c076a44, l=0x3c09b000)
    at /usr/ports/mystuff/audio/libvorbis/w-libvorbis-1.0.1-debug/libvorbis-1.0.
1/lib/mapping0.c:702
#4  0xdb9d706 in vorbis_synthesis (vb=0x3c076a44, op=0xcfbfcd24)
    at /usr/ports/mystuff/audio/libvorbis/w-libvorbis-1.0.1-debug/libvorbis-1.0.
1/lib/synthesis.c:76
#5  0xa53eb8f in _fetch_and_process_packet (vf=0x3c076800, op_in=0x0, readp=1,
    spanp=1)
    at /usr/ports/mystuff/audio/libvorbis/w-libvorbis-1.0.1-debug/libvorbis-1.0.
1/lib/vorbisfile.c:484
#6  0xa541a1f in ov_read (vf=0x3c076800, buffer=0x3c005fa0 "¡", length=3072,
    bigendianp=0, word=2, sgned=1, bitstream=0x3c076ac8)
    at /usr/ports/mystuff/audio/libvorbis/w-libvorbis-1.0.1-debug/libvorbis-1.0.
1/lib/vorbisfile.c:1545
#7  0x1c007417 in ovf_read (decoder=0x3c013540, ptr=0x3c005fa0, nbytes=3072,
    eos=0xcfbfce8c, audio_fmt=0xcfbfcea0) at oggvorbis_format.c:139
#8  0x1c006ec2 in play (
    source_string=0x3c013480 "http://pandora.hrz.tu-chemnitz.de:8000/kolaradio.
ogg") at ogg123.c:525
#9  0x1c006b81 in main (argc=2, argv=0xcfbfcfb4) at ogg123.c:389
#10 0x1c0035a1 in ___start ()
#11 0x1c003517 in __start ()
#12 0xcfbfd100 in ?? ()

The icecast server in charge was -kh10 from Karl Heyes, which also had problems 
(something about NULL pointers, I think we/he could find the problem and fix it)
... so it is possible that the server sent some junk to ogg123, however, I 
believe that this is no valid reason for ogg123 or the vorbis libs to segfault.

The issue might be quite subtle since I compiled everything with certain 
malloc() settings in malloc.conf for testing. The options I use are 'AGZ'. From 
malloc.conf(3):

<snip>
     A       ``Abort''.  malloc() will coredump the process, rather than tol-
             erate failure.  This is a very handy debugging aid, since the
             core file will represent the time of failure, rather than when
             the null pointer was accessed.
[...]
     G       Enable guard pages and chunk randomization.  Each page size or
             larger allocation is followed by a guard page that will cause a
             segmentation fault upon any access.  Smaller than page size
             chunks are returned in a random order.
(this is unique to OpenBSD, as far as I know)
[...]
     Z       ``Zero''.  Fill some junk into the area allocated (see J), except
             for the exact length the user asked for, which is zeroed.
[...]
     The J and Z flags are mostly for testing and debugging.  If a program
     changes behavior if either of these options are used, it is buggy.

The default cache size is 16 pages.
</snip>

Please let me know if I can help with further gdb output. The OS I am using is a 
very recent version of OpenBSD 3.4-current on i386.

Moritz
```