-
-
Notifications
You must be signed in to change notification settings - Fork 1.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Mumble segfaults during recording. #2863
Comments
mkrautz
added a commit
to mkrautz/mumble
that referenced
this issue
Feb 22, 2017
…ushCheck(). @tatokis reported a voice recorder crash on IRC. (Also filed as mumble-voip#2863) The main culprit was missing error checking in flushCheck() for the values of iTarget and iPrevTarget. The problem is that iPrevTarget can be set to -1 in error situations, when using voice target shortcuts. (Whispers and shouts.) When that happens, the message type output by flushCheck() will be set to an invalid value (7), because iPrevTarget is -1. In flushCheck(), when the packet is a terminator, we set the packet's flags to the value of iPrevTarget. However, in some error states, iPrevTarget is -1. When flags is set to -1, all bits are high (say, 0xffffffff on 32-bit systems). Since all bits are high, our attempt to set the message type in the flags byte fail, because we attempt to splice it in there via binary OR. The result is a packet with an invalid message type of 7 gets into our audio subsystem and wreaks havoc. Due to mistakes in other code in AudioOutputSpeech, that invalid value could cause a crash. (The problem was that we expected that all packets that weren't Opus or CELT to be Speex. Even 'unknown' message types. This will be fixed in a separate commit.) Fixes mumble-voip#2863
Also of note: @tatokis mentioned that it is possible to trigger this crash by
in that case, g.iPrevTarget will be set to -1, which causes everything to break. |
mkrautz
added a commit
to mkrautz/mumble
that referenced
this issue
Feb 25, 2017
…ushCheck(). @tatokis reported a voice recorder crash on IRC. (Also filed as mumble-voip#2863) The main culprit was missing error checking in flushCheck() for the values of iTarget and iPrevTarget. The problem is that iPrevTarget can be set to -1 in error situations, when using voice target shortcuts. (Whispers and shouts.) When that happens, the message type output by flushCheck() will be set to an invalid value (7), because iPrevTarget is -1. In flushCheck(), when the packet is a terminator, we set the packet's flags to the value of iPrevTarget. However, in some error states, iPrevTarget is -1. When flags is set to -1, all bits are high (say, 0xffffffff on 32-bit systems). Since all bits are high, our attempt to set the message type in the flags byte fail, because we attempt to splice it in there via binary OR. The result is a packet with an invalid message type of 7 gets into our audio subsystem and wreaks havoc. Due to mistakes in other code in AudioOutputSpeech, that invalid value could cause a crash. (The problem was that we expected that all packets that weren't Opus or CELT to be Speex. Even 'unknown' message types. This will be fixed in a separate commit.) Fixes mumble-voip#2863
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Running Ubuntu 16.04 with the latest mumble from the unstable PPA (g289d0d4).
The way to reproduce the segfaults so far has been to just join a room with others and start a recording.
It seems to be happening on random occasions.
Attaching gdb and simulating conversation using push to talk with local clients revealed this backtrace.
With the mumble client in a frozen state due to gdb, I can see that during the segfault, only a local client was transmitting audio, with the instance of mumble that crashed just recording (and not transmitting anything).
The text was updated successfully, but these errors were encountered: