
Clementine often crashes when playing ogg files (Segmentation fault core dumped, qt5) #6078

Closed
trougnouf opened this issue Jun 6, 2018 · 9 comments


@trougnouf (Contributor)

trougnouf commented Jun 6, 2018

System information

  • Operating System: Arch Linux
  • Clementine version: clementine-qt5-git

Issue

Clementine often crashes while playing ogg files. Sometimes as many times as once per song. (I would play an album, such as https://www.jamendo.com/album/100284/fractal-universe , Clementine crashes, I start it back up and play so that the same song restarts, then it seems to crash on the next one.) I think this has been happening for a long time, I've part of using Clementine, but it seems more consistent now so maybe identifiable (I don't know if that's because I've been listening to a lot of ogg albums from https://www.jamendo.com/ or a regression)

Looking at the terminal output I thought it may have been the writing statistics to file bit or lastfm, but it still crashes without these. Here is some log (from $ clementine --verbose; date +"%T.%3N";), I don't know if it's relevant or the segfault occurs independently later. I will keep trying with different settings and types of files and keep posting if I find anything.

I've uploaded the album I mentioned on https://drive.google.com/open?id=1_XjX5tJo010UF4YeCE1WvLr5AnCLpACL for easier access, it's under a CC BY-NC-ND 3 license.

edit: running in gdb with the debug symbols installed and it doesn't crash, not helpful for debugging, happy I can run Clementine so reliably.

edit2: here is a backtrace with gdb and a successful crash on that album: pre-crash terminal + bt 200: https://pastebin.com/EC606t9u , bt full: https://pastebin.com/yjezTza7 , bt no-filters full: https://pastebin.com/JkD4xc8z , let me know if I should install any debug symbols or I need to get the backtraces differently.

Another one (2018-06-18): https://pastebin.com/nfLcwbx8 , slightly different one same day https://pastebin.com/UTxqTGLd , https://pastebin.com/BzZVpppq

@orion40

orion40 commented Jun 14, 2018

I also have similar issues, on a Debian Stretch. Here is the stack trace, after SIGSEGV:
```
0x00005576c09a87e4 in MoodbarBuilder::Init(int, int) ()
gdb-peda$ bt
#0  0x00005576c09a87e4 in MoodbarBuilder::Init(int, int) ()
#1  0x00005576c07fbb33 in MoodbarPipeline::NewPadCallback(_GstElement*, _GstPad*, void*) ()
#2  0x00007f6d47c5f038 in ffi_call_unix64 () from /usr/lib/x86_64-linux-gnu/libffi.so.6
#3  0x00007f6d47c5ea9a in ffi_call () from /usr/lib/x86_64-linux-gnu/libffi.so.6
#4  0x00007f6d50e907ae in g_cclosure_marshal_generic () from /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0
#5  0x00007f6d50e8ff75 in g_closure_invoke () from /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0
#6  0x00007f6d50ea1f82 in ?? () from /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0
#7  0x00007f6d50eaabdc in g_signal_emit_valist () from /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0
#8  0x00007f6d50eaafbf in g_signal_emit () from /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0
#9  0x00007f6d5062e368 in gst_element_add_pad () from /usr/lib/x86_64-linux-gnu/libgstreamer-1.0.so.0
#10 0x00007f6d47c5f038 in ffi_call_unix64 () from /usr/lib/x86_64-linux-gnu/libffi.so.6
#11 0x00007f6d47c5ea9a in ffi_call () from /usr/lib/x86_64-linux-gnu/libffi.so.6
#12 0x00007f6d50e907ae in g_cclosure_marshal_generic () from /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0
#13 0x00007f6d50e8ff75 in g_closure_invoke () from /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0
#14 0x00007f6d50ea1f82 in ?? () from /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0
#15 0x00007f6d50eaabdc in g_signal_emit_valist () from /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0
#16 0x00007f6d50eaafbf in g_signal_emit () from /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0
#17 0x00007f6d5062e368 in gst_element_add_pad () from /usr/lib/x86_64-linux-gnu/libgstreamer-1.0.so.0
#18 0x00007f6ce474e71d in ?? () from /usr/lib/x86_64-linux-gnu/gstreamer-1.0/libgstplayback.so
#19 0x00007f6ce474f3c0 in ?? () from /usr/lib/x86_64-linux-gnu/gstreamer-1.0/libgstplayback.so
#20 0x00007f6d5064679a in ?? () from /usr/lib/x86_64-linux-gnu/libgstreamer-1.0.so.0
#21 0x00007f6d50ba6ea4 in g_hook_list_marshal () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#22 0x00007f6d50644efb in ?? () from /usr/lib/x86_64-linux-gnu/libgstreamer-1.0.so.0
#23 0x00007f6d50647c2e in ?? () from /usr/lib/x86_64-linux-gnu/libgstreamer-1.0.so.0
#24 0x00007f6d50648110 in ?? () from /usr/lib/x86_64-linux-gnu/libgstreamer-1.0.so.0
#25 0x00007f6d50645cff in ?? () from /usr/lib/x86_64-linux-gnu/libgstreamer-1.0.so.0
#26 0x00007f6d50652061 in gst_pad_push_event () from /usr/lib/x86_64-linux-gnu/libgstreamer-1.0.so.0
#27 0x00007f6d510fa46a in ?? () from /usr/lib/x86_64-linux-gnu/libgstaudio-1.0.so.0
#28 0x00007f6d510ff2ab in ?? () from /usr/lib/x86_64-linux-gnu/libgstaudio-1.0.so.0
#29 0x00007f6d50647837 in ?? () from /usr/lib/x86_64-linux-gnu/libgstreamer-1.0.so.0
#30 0x00007f6d50647cfe in ?? () from /usr/lib/x86_64-linux-gnu/libgstreamer-1.0.so.0
#31 0x00007f6d50648110 in ?? () from /usr/lib/x86_64-linux-gnu/libgstreamer-1.0.so.0
#32 0x00007f6d50645cff in ?? () from /usr/lib/x86_64-linux-gnu/libgstreamer-1.0.so.0
#33 0x00007f6d50652061 in gst_pad_push_event () from /usr/lib/x86_64-linux-gnu/libgstreamer-1.0.so.0
#34 0x00007f6ce40f9a66 in ?? () from /usr/lib/x86_64-linux-gnu/gstreamer-1.0/libgstcoreelements.so
#35 0x00007f6d5067ca21 in ?? () from /usr/lib/x86_64-linux-gnu/libgstreamer-1.0.so.0
#36 0x00007f6d50bdedce in ?? () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#37 0x00007f6d50bde3d5 in ?? () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#38 0x00007f6d5156a494 in start_thread (arg=0x7f6ccdf58700) at pthread_create.c:333
#39 0x00007f6d4ca1dacf in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:97
gdb-peda$
```

@jonaski (Contributor)

jonaski commented Jun 14, 2018

Does it work if you disable moodbar? Right click on the progress bar and uncheck show moodbar.

@trougnouf (Contributor, Author)

Still segfaults with the moodbar disabled

@orion40

orion40 commented Jun 15, 2018

Still segfault, here's the backtrace:
```
#0  0x0000555555b977e4 in MoodbarBuilder::Init(int, int) ()
#1  0x00005555559eab33 in MoodbarPipeline::NewPadCallback(_GstElement*, _GstPad*, void*) ()
#2  0x00007fffeb254038 in ffi_call_unix64 () from /usr/lib/x86_64-linux-gnu/libffi.so.6
#3  0x00007fffeb253a9a in ffi_call () from /usr/lib/x86_64-linux-gnu/libffi.so.6
#4  0x00007ffff44857ae in g_cclosure_marshal_generic () from /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0
#5  0x00007ffff4484f75 in g_closure_invoke () from /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0
#6  0x00007ffff4496f82 in ?? () from /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0
#7  0x00007ffff449fbdc in g_signal_emit_valist () from /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0
#8  0x00007ffff449ffbf in g_signal_emit () from /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0
#9  0x00007ffff3c23368 in gst_element_add_pad () from /usr/lib/x86_64-linux-gnu/libgstreamer-1.0.so.0
#10 0x00007fffeb254038 in ffi_call_unix64 () from /usr/lib/x86_64-linux-gnu/libffi.so.6
#11 0x00007fffeb253a9a in ffi_call () from /usr/lib/x86_64-linux-gnu/libffi.so.6
#12 0x00007ffff44857ae in g_cclosure_marshal_generic () from /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0
#13 0x00007ffff4484f75 in g_closure_invoke () from /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0
#14 0x00007ffff4496f82 in ?? () from /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0
#15 0x00007ffff449fbdc in g_signal_emit_valist () from /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0
#16 0x00007ffff449ffbf in g_signal_emit () from /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0
#17 0x00007ffff3c23368 in gst_element_add_pad () from /usr/lib/x86_64-linux-gnu/libgstreamer-1.0.so.0
#18 0x00007fff7bcf471d in ?? () from /usr/lib/x86_64-linux-gnu/gstreamer-1.0/libgstplayback.so
#19 0x00007fff7bcf53c0 in ?? () from /usr/lib/x86_64-linux-gnu/gstreamer-1.0/libgstplayback.so
#20 0x00007ffff3c3b79a in ?? () from /usr/lib/x86_64-linux-gnu/libgstreamer-1.0.so.0
#21 0x00007ffff419bea4 in g_hook_list_marshal () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#22 0x00007ffff3c39efb in ?? () from /usr/lib/x86_64-linux-gnu/libgstreamer-1.0.so.0
#23 0x00007ffff3c3cc2e in ?? () from /usr/lib/x86_64-linux-gnu/libgstreamer-1.0.so.0
#24 0x00007ffff3c3d110 in ?? () from /usr/lib/x86_64-linux-gnu/libgstreamer-1.0.so.0
#25 0x00007ffff3c3acff in ?? () from /usr/lib/x86_64-linux-gnu/libgstreamer-1.0.so.0
#26 0x00007ffff3c47061 in gst_pad_push_event () from /usr/lib/x86_64-linux-gnu/libgstreamer-1.0.so.0
#27 0x00007ffff46ef46a in ?? () from /usr/lib/x86_64-linux-gnu/libgstaudio-1.0.so.0
#28 0x00007ffff46f42ab in ?? () from /usr/lib/x86_64-linux-gnu/libgstaudio-1.0.so.0
#29 0x00007ffff3c3c837 in ?? () from /usr/lib/x86_64-linux-gnu/libgstreamer-1.0.so.0
#30 0x00007ffff3c3ccfe in ?? () from /usr/lib/x86_64-linux-gnu/libgstreamer-1.0.so.0
#31 0x00007ffff3c3d110 in ?? () from /usr/lib/x86_64-linux-gnu/libgstreamer-1.0.so.0
#32 0x00007ffff3c3acff in ?? () from /usr/lib/x86_64-linux-gnu/libgstreamer-1.0.so.0
#33 0x00007ffff3c47061 in gst_pad_push_event () from /usr/lib/x86_64-linux-gnu/libgstreamer-1.0.so.0
#34 0x00007fff7b69fa66 in ?? () from /usr/lib/x86_64-linux-gnu/gstreamer-1.0/libgstcoreelements.so
#35 0x00007ffff3c71a21 in ?? () from /usr/lib/x86_64-linux-gnu/libgstreamer-1.0.so.0
#36 0x00007ffff41d3dce in ?? () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#37 0x00007ffff41d33d5 in ?? () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#38 0x00007ffff4b5f494 in start_thread (arg=0x7fff7a5d0700) at pthread_create.c:333
#39 0x00007ffff0012acf in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:97
```

Here's a bit more info:

```
[----------------------------------registers-----------------------------------]
RAX: 0x0
RBX: 0x0
RCX: 0x7fff70029ef0 --> 0x60 ('')
RDX: 0x0
RSI: 0x80
RDI: 0x0
RBP: 0x5555578d2680 --> 0x555556743588 --> 0x555555a38540 (<_ZNK15MoodbarPipeline10metaObjectEv>: )
RSP: 0x7fff7a5ce360 --> 0x0
RIP: 0x555555b977e4 (<_ZN14MoodbarBuilder4InitEii+20>: )
R8 : 0x7fff70021710 --> 0x7fff70029ef0 --> 0x60 ('')
R9 : 0x0
R10: 0x73 ('s')
R11: 0x0
R12: 0x5555578e53d0 --> 0x5555578e3000 --> 0x5555577f9800 --> 0x6
R13: 0x4
R14: 0x7fff7a5ce500 --> 0x7fffeb254300 --> 0x8
R15: 0x80
EFLAGS: 0x10206 (carry PARITY adjust zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x555555b977dc <_ZN14MoodbarBuilder4InitEii+12>: push   rbx
   0x555555b977dd <_ZN14MoodbarBuilder4InitEii+13>: mov    rbx,rdi
   0x555555b977e0 <_ZN14MoodbarBuilder4InitEii+16>: sub    rsp,0x8
=> 0x555555b977e4 <_ZN14MoodbarBuilder4InitEii+20>: mov    DWORD PTR [rdi+0x8],esi
   0x555555b977e7 <_ZN14MoodbarBuilder4InitEii+23>: mov    DWORD PTR [rdi+0xc],edx
   0x555555b977ea <_ZN14MoodbarBuilder4InitEii+26>: lock inc DWORD PTR [rip+0xbd18cf]        # 0x5555567690c0 <_ZN9QListData11shared_nullE>
   0x555555b977f1 <_ZN14MoodbarBuilder4InitEii+33>: setne  al
   0x555555b977f4 <_ZN14MoodbarBuilder4InitEii+36>: lea    rax,[rip+0xbd18c5]        # 0x5555567690c0 <_ZN9QListData11shared_nullE>
[------------------------------------stack-------------------------------------]
0000| 0x7fff7a5ce360 --> 0x0
0008| 0x7fff7a5ce368 --> 0x0
0016| 0x7fff7a5ce370 --> 0x5555578d2680 --> 0x555556743588 --> 0x555555a38540 (<_ZNK15MoodbarPipeline10metaObjectEv>: )
0024| 0x7fff7a5ce378 --> 0x5555578e53d0 --> 0x5555578e3000 --> 0x5555577f9800 --> 0x6
0032| 0x7fff7a5ce380 --> 0x4
0040| 0x7fff7a5ce388 --> 0x7fff7a5ce500 --> 0x7fffeb254300 --> 0x8
0048| 0x7fff7a5ce390 --> 0x7fff7a5ce4d0 --> 0x7fff7a5ce7e8 --> 0x7fff90016070 --> 0x7fff90011be0 --> 0x7fff90011780 (--> ...)
0056| 0x7fff7a5ce398 --> 0x5555559eab33 (<_ZN15MoodbarPipeline14NewPadCallbackEP11_GstElementP7_GstPadPv+163>: mov    rax,QWORD PTR [rsp+0x8])
[------------------------------------------------------------------------------]
Stopped reason: SIGSEGV
0x0000555555b977e4 in MoodbarBuilder::Init(int, int) ()
```

@MostafaSoliman

Hello,
I was conducting security testing against Clementine and I reached a similar crash, so I will post the data here instead of opening a new issue.
Clementine.exe has a null pointer dereference vulnerability that crashes the application. The issue exists in this code line:

```cpp
self->builder_->Init(kBands, rate);
```

```cpp
void MoodbarPipeline::NewPadCallback(GstElement*, GstPad* pad, gpointer data) {
  MoodbarPipeline* self = reinterpret_cast<MoodbarPipeline*>(data);
  GstPad* const audiopad =
      gst_element_get_static_pad(self->convert_element_, "sink");

  if (GST_PAD_IS_LINKED(audiopad)) {
    qLog(Warning) << "audiopad is already linked, unlinking old pad";
    gst_pad_unlink(audiopad, GST_PAD_PEER(audiopad));
  }

  gst_pad_link(pad, audiopad);
  gst_object_unref(audiopad);

  int rate = 0;
  GstCaps* caps = gst_pad_get_current_caps(pad);
  GstStructure* structure = gst_caps_get_structure(caps, 0);
  gst_structure_get_int(structure, "rate", &rate);
  gst_caps_unref(caps);

  self->builder_->Init(kBands, rate);  // ---> crash
}
```

It can be triggered by opening a malformed mp3 file.
The application casts the gpointer data to MoodbarPipeline and then invokes the Init call without checking whether the builder_ pointer is valid (it is not, in the case of the malformed mp3 file), leading to a user-mode write access violation.

Below is the crash dump; I believe it is inside the MoodbarBuilder::Init method.

```
 --- [ write Violation Detected at 0x00796637] ---
EAX=00000080  ECX=7ef07000 'p\xff\x86\n\x00\x00\x87\n' EDX=00000006
EBX=00000000  ESP=0a86f1f0 '\x1c\xf2\x86\n\xc4;\xf9\x08' EBP=0a86f278 '\xb8\xf2\x86\n\xb4_d\x00'
ESI=00000000  EDI=08f93bb8 '\x98\x95\xe5\x08\x02\x00\x00\x00' EIP=00796637 '\x89F\x04\x8bE\x0c\x89F'
0x00796608  nop
0x00796609  lea esi,[esi+0x0]
0x00796610  push ebp
0x00796611  mov ebp,esp
0x00796613  push edi
0x00796614  push esi
0x00796615  mov esi,ecx
0x00796617  push ebx
0x00796618  sub esp,0x7c
0x0079661b  lea eax,[ebp-0x5c]
0x0079661e  mov [esp],eax
0x00796621  mov dword [ebp-0x44],clementine!zn8projectm11key_handlere13projectmevent15projectmkeycode16projectmmodifier+0x18d68
0x00796628  mov dword [ebp-0x40],clementine!znk8projectm8settingsev+0x31c60
0x0079662f  call clementine!zn8projectm11key_handlere13projectmevent15projectmkeycode16projectmmodifier+0x1a270
0x00796634  mov eax,[ebp+0x8]
0x00796637  mov [esi+0x4],eax  <--- Crash
0x0079663a  mov eax,[ebp+0xc]
0x0079663d  mov [esi+0x8],eax
0x00796640  lock inc [qtcore4!zn9qlistdata11shared_nulle]
0x00796647  setnz al
0x0079664a  mov eax,[esi]
0x0079664c  mov dword [esi],qtcore4!zn9qlistdata11shared_nulle
0x00796652  lock dec [eax]
0x00796655  setnz dl
0x00796658  test dl,dl
0x0079665a  jnz clementine!start+0x39519b
0x0079665c  mov [esp],eax
0x0079665f  mov dword [ebp-0x58],0x0
0x00796666  call clementine!zn8projectm11key_handlere13projectmevent15projectmkeycode16projectmmodifier+0x21278
0x0079666b  mov eax,[ebp+0x8]
0x0079666e  lea edx,[eax+0x1]
```

The issue has been assigned CVE-2018-14332.

System Info
OS: Windows 7 x64
Clementine Version: Clementine-PortableSetup-1.3.1-386-g62d1eb4.exe

Example of the crash mp3 file is attached
141.mp3.zip
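To make the shape of the missing check concrete, here is an added example; it is not Clementine's code and not the reporter's. It is a stand-alone C++ model of the pad-added callback in which GStreamer's pad and caps are replaced by a hypothetical `PadCaps` map, and `MoodbarBuilder` / `MoodbarPipeline` are reduced to the fields the call touches; `kBands` is assumed to be 24, since the thread never states its value. Both register dumps above put the `this` pointer of `MoodbarBuilder::Init` at zero (`RDI: 0x0` in the Linux dump, `ESI=00000000` in the Windows one, both faulting on the first store through that register), which is what the unchecked `self->builder_->Init(...)` produces when `builder_` is null. The hardened version refuses to initialise when the pipeline, builder, caps or rate is missing, and reports which check failed.

```cpp
// Added example, not Clementine's code: a model of MoodbarPipeline::NewPadCallback
// with the null-builder check the reported crash lacks. GStreamer types are
// replaced by minimal hypothetical stand-ins so this compiles on its own.
#include <iostream>
#include <map>
#include <memory>
#include <string>

constexpr int kBands = 24;  // assumption: the real constant's value is not given in the thread

// Stand-in for the caps a pad reports (hypothetical, not GstCaps/GstStructure).
struct PadCaps {
  std::map<std::string, int> fields;  // e.g. {"rate", 44100}
};

// Stand-in for MoodbarBuilder: records what Init() received.
class MoodbarBuilder {
 public:
  void Init(int bands, int rate) {
    bands_ = bands;  // in the real binary this is the store that faults when this == nullptr
    rate_ = rate;
    initialised_ = true;
  }
  bool initialised() const { return initialised_; }
  int bands() const { return bands_; }
  int rate() const { return rate_; }

 private:
  int bands_ = 0;
  int rate_ = 0;
  bool initialised_ = false;
};

// Stand-in for MoodbarPipeline: builder_ may be absent, which is the state
// both crash dumps in the thread show (this == 0 inside MoodbarBuilder::Init).
struct MoodbarPipeline {
  std::unique_ptr<MoodbarBuilder> builder_;
};

enum class PadResult { kInitialised, kNoPipeline, kNoBuilder, kNoCaps, kBadRate };

const char* ToString(PadResult r) {
  switch (r) {
    case PadResult::kInitialised: return "initialised";
    case PadResult::kNoPipeline: return "no pipeline";
    case PadResult::kNoBuilder: return "no builder";
    case PadResult::kNoCaps: return "no caps";
    case PadResult::kBadRate: return "bad rate";
  }
  return "?";
}

// The original shape of the call: builder_ and the rate are used as-is.
// With builder_ null this writes through a null `this`, i.e. the
// `mov DWORD PTR [rdi+0x8],esi` / `mov [esi+0x4],eax` fault in the dumps.
// Only call it with a pipeline whose builder_ is set.
void HandleNewPadUnchecked(void* data, const PadCaps* caps) {
  auto* self = reinterpret_cast<MoodbarPipeline*>(data);
  int rate = 0;
  auto it = caps->fields.find("rate");
  if (it != caps->fields.end()) rate = it->second;
  self->builder_->Init(kBands, rate);
}

// Hardened equivalent: every pointer is validated before it is dereferenced,
// and a missing or non-positive sample rate is rejected rather than passed on.
PadResult HandleNewPad(void* data, const PadCaps* caps) {
  if (data == nullptr) return PadResult::kNoPipeline;
  auto* self = static_cast<MoodbarPipeline*>(data);
  if (!self->builder_) {
    std::cerr << "moodbar: pad added but builder is gone, ignoring pad\n";
    return PadResult::kNoBuilder;
  }
  if (caps == nullptr) return PadResult::kNoCaps;
  auto it = caps->fields.find("rate");
  if (it == caps->fields.end() || it->second <= 0) return PadResult::kBadRate;
  self->builder_->Init(kBands, it->second);
  return PadResult::kInitialised;
}

int main() {
  MoodbarPipeline pipeline;            // builder_ not yet created: the crashing state
  PadCaps caps;
  caps.fields["rate"] = 44100;         // constructed sample caps
  std::cout << "without builder: " << ToString(HandleNewPad(&pipeline, &caps)) << "\n";
  pipeline.builder_ = std::make_unique<MoodbarBuilder>();
  std::cout << "with builder:    " << ToString(HandleNewPad(&pipeline, &caps)) << "\n";
  PadCaps no_rate;                     // constructed caps with no "rate" field
  std::cout << "no rate field:   " << ToString(HandleNewPad(&pipeline, &no_rate)) << "\n";
  return 0;
}
```

The real callback also receives the pad from a GStreamer streaming thread, so in the project the builder check would additionally need to run under whatever lock protects `builder_` against being torn down by the main thread; the model above only shows the null check itself.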

@orion40

orion40 commented Jul 18, 2018

I can confirm that Clementine also crashes on Debian 9.4, Clementine version 1.3.1, using the same mp3 file. However, it seems to be a bit different: with the provided mp3, VLC outputs that there was an error, whereas the ogg files that crash Clementine can be played properly in VLC.

@plater

plater commented Aug 1, 2018

I also confirm that gst-play-1.0 and ffmpeg both handle 141.mp3 correctly, but Clementine segfaults.

@trougnouf (Contributor, Author)

trougnouf commented Feb 5, 2019

It's fixed! :) I can finally listen to whole albums without experiencing any crash, this is life changing. Thank you to whoever is responsible for this marvelous change! (Likely @jonaski who ported a lot of changes from strawberry which didn't have that issue)

@JulianVolodia (Contributor)

@orion40 fix your comments with code blocks (best: spoilers). Thanks. Also, you created false-positive cross-issue references.
