double free corruption in revdelay-swh.lv2 #13

Closed
x42 opened this issue Feb 16, 2016 · 4 comments · Fixed by #18

Comments

@x42
Contributor

x42 commented Feb 16, 2016

==28903== Invalid free() / delete / delete[] / realloc()
==28903==    at 0x4C2AEAB: free (vg_replace_malloc.c:530)
==28903==    by 0x4A03F8DC: ??? (in /usr/lib/lv2/revdelay-swh.lv2/plugin-linux.so)
==28903==    by 0xE912082: lilv_instance_free (in /usr/lib/liblilv-0.so.0.22.0)
==28903==    by 0x6972404: ARDOUR::LV2Plugin::cleanup() (lv2_plugin.cc:1927)
==28903==    by 0x696C210: ARDOUR::LV2Plugin::~LV2Plugin() (lv2_plugin.cc:721)
==28903==    by 0x696C563: ARDOUR::LV2Plugin::~LV2Plugin() (lv2_plugin.cc:752)

==28903== Conditional jump or move depends on uninitialised value(s)
==28903==    at 0x4C2AE61: free (vg_replace_malloc.c:530)
==28903==    by 0x4A03F8DC: ??? (in /usr/lib/lv2/revdelay-swh.lv2/plugin-linux.so)
==28903==    by 0xE912082: lilv_instance_free (in /usr/lib/liblilv-0.so.0.22.0)
==28903==    by 0x6972404: ARDOUR::LV2Plugin::cleanup() (lv2_plugin.cc:1927)
==28903==    by 0x696C210: ARDOUR::LV2Plugin::~LV2Plugin() (lv2_plugin.cc:721)
==28903==    by 0x696C563: ARDOUR::LV2Plugin::~LV2Plugin() (lv2_plugin.cc:752)

Sorry no debug-build, but this really smells like some uninitialized pointer variable.
If needed I can do with a debug build, but really just calloc allocate the instance or memset will solve this.

lowpass_iir-swh.lv2 has a similar issue (no crash), valgrind reports

==28903== Conditional jump or move depends on uninitialised value(s)
==28903==    at 0xF5352EF: __sin_avx (in /lib/x86_64-linux-gnu/libm-2.21.so)
==28903==    by 0xF4F01DA: sincos (in /lib/x86_64-linux-gnu/libm-2.21.so)
==28903==    by 0x50884EE5: chebyshev_stage (in /usr/lib/lv2/lowpass_iir-swh.lv2/plugin-linux.so)
==28903==    by 0x508856C9: chebyshev (in /usr/lib/lv2/lowpass_iir-swh.lv2/plugin-linux.so)
==28903==    by 0x69688EF: lilv_instance_activate (lilv.h:1648)
@x42
Contributor Author

x42 commented Feb 23, 2016

and another crash:

Program terminated with signal SIGSEGV, Segmentation fault.
#0  __GI___libc_free (mem=0x2) at malloc.c:2929
2929    malloc.c: No such file or directory.
(gdb) bt
Thread 1 (Thread 0x7fbca2190a00 (LWP 872)):
#0  __GI___libc_free (mem=0x2) at malloc.c:2929
#1  0x00007fbc3a37c8cd in cleanupRevdelay () from /usr/local/lib/lv2/revdelay-swh.lv2/plugin-Linux.so
#2  0x00007fbc9bf6d3f6 in lilv_instance_free (instance=0x226efbf0) at ../lilv/src/instance.c:120
#3  0x00007fbca129e08d in ARDOUR::LV2Plugin::cleanup() () from ./../build/libs/ardour/libardour.so.3
#4  0x00007fbca129faed in ARDOUR::LV2Plugin::~LV2Plugin() () from ./../build/libs/ardour/libardour.so.3
...

@swh
Owner

swh commented Feb 24, 2016

Great, thanks.

I'm not ignoring you BTW, just crazy busy!

@x42
Contributor Author

x42 commented Feb 24, 2016

No problem. It's similar here, otherwise I'd have added a patch.
Just as long as it's not forgotten long term.

@alex-tee

similar issue here, crash during cleanup of highpass filter

backtrace

??? unknown
./util/iir.h (free_iirf_t:69)
plugins/highpass_iir-swh.lv2/plugin.c (cleanupHighpass_iir:23)
??? lilv_instance_free from /usr/lib/liblilv-0.so.0(+0x64d0)[0x5c2c000]
../src/plugins/lv2_plugin.c (lv2_plugin_cleanup:3239)

valgrind

==2590932== Use of uninitialised value of size 8
==2590932==    at 0x6B4DC143: free_iirf_t (iir.h:69)
==2590932==    by 0x6B4DC143: cleanupHighpass_iir (plugin.c:23)
==2590932==    by 0x5C324E3: lilv_instance_free (in /usr/lib/liblilv-0.so.0.24.12)
==2590932==    by 0xA672E7: lv2_plugin_cleanup (lv2_plugin.c:3239)
==2590932==    by 0xA6B85F: plugin_cleanup (plugin.c:1221)
==2590932==    by 0xA6D9DB: plugin_clone (plugin.c:2199)
==2590932==    by 0x9D56CA: do_or_undo_move_or_copy.lto_priv.0 (mixer_selections_action.c:806)
==2590932==    by 0x9D6715: do_or_undo.lto_priv.1 (mixer_selections_action.c:1058)
==2590932==    by 0x9D6783: mixer_selections_action_do (mixer_selections_action.c:1076)
==2590932==    by 0x9E0139: undoable_action_do (undoable_action.c:289)
==2590932==    by 0x9E158D: do_or_undo_action (undo_manager.c:99)
==2590932==    by 0x9E1E4C: undo_manager_perform (undo_manager.c:252)
==2590932==    by 0xB4E81C: on_drag_data_received.lto_priv.1 (channel_slot.c:304)
==2590932== 
==2590932== Invalid read of size 4
==2590932==    at 0x6B4DC143: free_iirf_t (iir.h:69)
==2590932==    by 0x6B4DC143: cleanupHighpass_iir (plugin.c:23)
==2590932==    by 0x5C324E3: lilv_instance_free (in /usr/lib/liblilv-0.so.0.24.12)
==2590932==    by 0xA672E7: lv2_plugin_cleanup (lv2_plugin.c:3239)
==2590932==    by 0xA6B85F: plugin_cleanup (plugin.c:1221)
==2590932==    by 0xA6D9DB: plugin_clone (plugin.c:2199)
==2590932==    by 0x9D56CA: do_or_undo_move_or_copy.lto_priv.0 (mixer_selections_action.c:806)
==2590932==    by 0x9D6715: do_or_undo.lto_priv.1 (mixer_selections_action.c:1058)
==2590932==    by 0x9D6783: mixer_selections_action_do (mixer_selections_action.c:1076)
==2590932==    by 0x9E0139: undoable_action_do (undoable_action.c:289)
==2590932==    by 0x9E158D: do_or_undo_action (undo_manager.c:99)
==2590932==    by 0x9E1E4C: undo_manager_perform (undo_manager.c:252)
==2590932==    by 0xB4E81C: on_drag_data_received.lto_priv.1 (channel_slot.c:304)
==2590932==  Address 0x8 is not stack'd, malloc'd or (recently) free'd
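
Added example, not code from swh-lv2 or from any participant in this thread: a minimal C sketch of the failure mode the reports above point to, where a cleanup callback calls free() on a pointer member that was never initialised, next to the calloc-based allocation suggested in the first comment. It assumes the pointer member is first assigned in an activate step that the host may skip; the `DemoDelay` type and all `demo_*` names are hypothetical.

```c
#include <stdlib.h>

/* Hypothetical plugin instance; field names are illustrative only. */
typedef struct {
    float *buffer;        /* delay line, first assigned in demo_activate() */
    size_t buffer_len;
    float  sample_rate;
} DemoDelay;

/* Fragile variant, shown for contrast and never called in this example:
 * malloc() leaves `buffer` indeterminate, so a cleanup that runs before
 * any activate passes a garbage pointer to free(). */
DemoDelay *demo_instantiate_malloc(float rate) {
    DemoDelay *p = malloc(sizeof *p);
    if (p) p->sample_rate = rate;
    return p;
}

/* Hardened variant: calloc() zero-fills the instance, so `buffer` starts
 * out as NULL (all-bits-zero is a null pointer on mainstream ABIs). */
DemoDelay *demo_instantiate(float rate) {
    DemoDelay *p = calloc(1, sizeof *p);
    if (p) p->sample_rate = rate;
    return p;
}

/* Allocates one second of delay line; safe to call more than once. */
int demo_activate(DemoDelay *p) {
    size_t n = (size_t)p->sample_rate;
    float *buf = calloc(n, sizeof *buf);
    if (!buf) return -1;
    free(p->buffer);      /* NULL on first call, old buffer on re-activation */
    p->buffer = buf;
    p->buffer_len = n;
    return 0;
}

/* Correct with or without a prior activate: free(NULL) is a no-op. */
void demo_cleanup(DemoDelay *p) {
    if (!p) return;
    free(p->buffer);
    free(p);
}

int main(void) {
    DemoDelay *p = demo_instantiate(48000.0f);
    demo_cleanup(p);      /* host frees the instance without activating it */
    return 0;
}
```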
