MusicPlayerDaemon / MPD

Music Player Daemon
https://www.musicpd.org/
GNU General Public License v2.0

Segmentation fault when playing an MP3 file #1712

Closed naglis closed 1 year ago

naglis commented 1 year ago

Bug report

Describe the bug

MPD crashes with segmentation fault when playing this MP3 file.

Expected Behavior

MPD does not crash.

Actual Behavior

MPD crashes.

Version

Music Player Daemon 0.23.11 (v0.23.11)
Copyright 2003-2007 Warren Dukes <warren.dukes@gmail.com>
Copyright 2008-2021 Max Kellermann <max.kellermann@gmail.com>
This is free software; see the source for copying conditions.  There is NO
warranty; not even MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Database plugins:
 simple proxy upnp

Storage plugins:
 local udisks nfs curl

Neighbor plugins:
 upnp udisks

Decoders plugins:
 [mad] mp3 mp2
 [mpg123] mp3
 [vorbis] ogg oga
 [oggflac] ogg oga
 [flac] flac
 [opus] opus ogg oga
 [sndfile] wav aiff aif au snd paf iff svx sf voc w64 pvf xi htk caf sd2
 [audiofile] wav au aiff aif
 [dsdiff] dff
 [dsf] dsf
 [hybrid_dsd] m4a
 [faad] aac
 [mpcdec] mpc
 [wavpack] wv
 [openmpt] mptm mod s3m xm it 669 amf ams c67 dbm digi dmf dsm dtm far imf ice j2b m15 mdl med mms mt2 mtm nst okt plm psm pt36 ptm sfx sfx2 st26 stk stm stp ult wow gdm mo3 oxm umx xpk ppm mmcmp
 [modplug] 669 amf ams dbm dfm dsm far it med mdl mod mtm mt2 okt s3m stm ult umx xm
 [mikmod] amf dsm far gdm imf it med mod mtm s3m stm stx ult uni xm
 [sidplay] sid mus str prg P00
 [wildmidi] mid
 [fluidsynth] mid
 [ffmpeg] 16sv 3g2 3gp 4xm 8svx aa3 aac ac3 adx afc aif aifc aiff al alaw amr anim apc ape asf atrac au aud avi avm2 avs bap bfi c93 cak cin cmv cpk daud dct divx dts dv dvd dxa eac3 film flac flc fli fll flx flv g726 gsm gxf iss m1v m2v m2t m2ts m4a m4b m4v mad mj2 mjpeg mjpg mka mkv mlp mm mmf mov mp+ mp1 mp2 mp3 mp4 mpc mpeg mpg mpga mpp mpu mve mvi mxf nc nsv nut nuv oga ogm ogv ogx oma ogg omg opus psp pva qcp qt r3d ra ram rl2 rm rmvb roq rpl rvc shn smk snd sol son spx str swf tak tgi tgq tgv thp ts tsp tta xa xvid uv uv2 vb vid vob voc vp6 vmd wav webm wma wmv wsaud wsvga wv wve rtp:// rtsp:// rtsps://
 [gme] ay gbs gym hes kss nsf nsfe rsn sap spc vgm vgz
 [pcm]

Filters:
 libsamplerate soxr

Tag plugins:
 id3tag

Output plugins:
 shout null fifo sndio pipe alsa ao openal pipewire pulse jack httpd snapcast recorder

Encoder plugins:
 null vorbis opus lame twolame wave flac

Archive plugins:
 [bz2] bz2
 [zzip] zip
 [iso] iso

Input plugins:
 file io_uring archive alsa qobuz curl ffmpeg nfs mms cdio_paranoia

Playlist plugins:
 extm3u m3u pls xspf asx rss soundcloud flac cue embcue

Protocols:
 file:// alsa:// cdda:// ftp:// ftps:// gopher:// hls+http:// hls+https:// http:// https:// mms:// mmsh:// mmst:// mmsu:// nfs:// qobuz:// rtmp:// rtmpe:// rtmps:// rtmpt:// rtmpte:// rtmpts:// rtp:// rtsp:// rtsps:// scp:// sftp:// smb:// srtp://

Other features:
 avahi dbus udisks epoll icu inotify ipv6 systemd tcp un

Configuration

bind_to_address "/tmp/mpd_crash_test/mpd.socket"
music_directory "/tmp/mpd_crash_test/mutagen/tests/data"

audio_output {
    type "null"
    name "null"
}

Log

config_file: loading file /tmp/mpd_crash_test/mpd.conf
libsamplerate: libsamplerate converter 'Fastest Sinc Interpolator'
vorbis: Xiph.Org libVorbis 1.3.7
opus: libopus 1.3.1
sndfile: libsndfile-1.1.0
hybrid_dsd: The Hybrid DSD decoder is disabled because it was not explicitly enabled
decoder: Decoder plugin 'wildmidi' is unavailable: configuration file does not exist: /etc/timidity/timidity.cfg
simple_db: reading DB
input: Input plugin 'qobuz' is not configured: No Qobuz app_id configured
curl: version 7.87.0
curl: with OpenSSL/3.0.7
event: RTIOThread could not get realtime scheduling, continuing anyway: sched_setscheduler failed: Operation not permitted
client: [0] opened from local
client: [0] process command list
client: process command "add "lame397v9short.mp3""
client: command returned 0
client: [0] process command list returned 0
client: [0] closed
client: [1] opened from local
client: [1] process command "play"
playlist: play 0:"lame397v9short.mp3"
client: [1] command returned 0
client: [1] process command list
client: process command "status"
decoder_thread: probing plugin mad
client: command returned 0
client: process command "currentsong"
client: command returned 0
client: [1] process command list returned 0
mad: detected LAME version 3.97 ("LAME3.97 ")
mad: LAME peak found: 0
mad: LAME track gain found: 14.4
mad: encoder delay is 576, encoder padding is 1452
decoder: audio_format=24000:24:2, seekable=true
output: OutputThread could not get realtime scheduling, continuing anyway: sched_setscheduler failed: Operation not permitted
output: opened "null" (null) audio_format=24000:24:2
client: [1] closed

Thread 5 "decoder:mad" received signal SIGSEGV, Segmentation fault.

Backtrace

#0  0x00007ffff2b6ca35 in  () at /usr/lib/libc.so.6
#1  0x00005555555ad611 in DecoderBridge::SubmitData(InputStream*, void const*, unsigned long, unsigned short) (this=0x7fffdbffe320, is=0x7fffc8000be0, data=0x7fffdc020fd0, length=18446744073709396608, kbit_rate=64) at ../../src/decoder/Bridge.cxx:552
#2  0x00005555556ff40a in DecoderClient::SubmitData(InputStream&, void const*, unsigned long, unsigned short) (this=0x7fffdbffe320, is=..., data=0x7fffdbffbbb0, length=18446744073709549216, kbit_rate=64) at ../../src/decoder/plugins/../Client.hxx:138
#3  0x0000555555711973 in MadDecoder::SubmitPCM(unsigned long, unsigned long) (this=0x7fffdbfec2d0, i=529, pcm_length=229) at ../../src/decoder/plugins/MadDecoderPlugin.cxx:808
#4  0x0000555555712a70 in MadDecoder::SynthAndSubmit() (this=0x7fffdbfec2d0) at ../../src/decoder/plugins/MadDecoderPlugin.cxx:852
#5  0x0000555555712b6e in MadDecoder::HandleCurrentFrame() (this=0x7fffdbfec2d0) at ../../src/decoder/plugins/MadDecoderPlugin.cxx:878
#6  0x0000555555712e5a in MadDecoder::Read() (this=0x7fffdbfec2d0) at ../../src/decoder/plugins/MadDecoderPlugin.cxx:934
#7  0x000055555571302f in MadDecoder::RunDecoder() (this=0x7fffdbfec2d0) at ../../src/decoder/plugins/MadDecoderPlugin.cxx:962
#8  0x00005555557119cc in mad_decode(DecoderClient&, InputStream&) (client=..., input_stream=...) at ../../src/decoder/plugins/MadDecoderPlugin.cxx:969
#9  0x00005555555a91ea in DecoderPlugin::StreamDecode(DecoderClient&, InputStream&) const (this=0x5555558d61c0 <mad_decoder_plugin>, client=..., is=...) at ../../src/decoder/DecoderPlugin.hxx:202
#10 0x00005555555a6f5f in decoder_stream_decode(DecoderPlugin const&, DecoderBridge&, InputStream&, std::unique_lock<std::mutex>&) (plugin=..., bridge=..., input_stream=..., lock=...) at ../../src/decoder/Thread.cxx:119
#11 0x00005555555a7b5d in TryDecoderFile(DecoderBridge&, Path, std::string_view, InputStream&, DecoderPlugin const&) (bridge=..., path_fs=..., suffix="mp3", input_stream=..., plugin=...) at ../../src/decoder/Thread.cxx:349
#12 0x00005555555a7db6 in operator()(DecoderPlugin const&) const (__closure=0x7fffdbffe170, plugin=...) at ../../src/decoder/Thread.cxx:430
#13 0x00005555555a8b38 in decoder_plugins_try<decoder_run_file(DecoderBridge&, char const*, Path)::<lambda(const DecoderPlugin&)> >(struct {...}) (f=...) at ../../src/decoder/DecoderList.hxx:72
#14 0x00005555555a7f20 in decoder_run_file(DecoderBridge&, char const*, Path) (bridge=..., uri_utf8=0x7fffd0000e80 "/tmp/mpd_crash_test/mutagen/tests/data/lame397v9short.mp3", path_fs=...) at ../../src/decoder/Thread.cxx:428
#15 0x00005555555a8037 in DecoderUnlockedRunUri(DecoderBridge&, char const*, Path) (bridge=..., real_uri=0x7fffd0000e80 "/tmp/mpd_crash_test/mutagen/tests/data/lame397v9short.mp3", path_fs=...) at ../../src/decoder/Thread.cxx:448
#16 0x00005555555a8329 in decoder_run_song(DecoderControl&, DetachedSong const&, char const*, Path) (dc=..., song=..., uri=0x7fffd0000e80 "/tmp/mpd_crash_test/mutagen/tests/data/lame397v9short.mp3", path_fs=...) at ../../src/decoder/Thread.cxx:510
#17 0x00005555555a85e8 in decoder_run(DecoderControl&) (dc=...) at ../../src/decoder/Thread.cxx:551
#18 0x00005555555a8784 in DecoderControl::RunThread() (this=0x7fffe0dfc370) at ../../src/decoder/Thread.cxx:576
#19 0x00005555555ab213 in BindMethodDetail::WrapperGenerator<void (DecoderControl::*)() noexcept, &DecoderControl::RunThread>::Invoke(void*) (_instance=0x7fffe0dfc370) at ../../src/util/BindMethod.hxx:130
#20 0x000055555563a780 in BoundMethod<void () noexcept>::operator()() const (this=0x7fffe0dfc378) at ../../src/util/BindMethod.hxx:78
#21 0x00005555556485f4 in Thread::Run() (this=0x7fffe0dfc378) at ../../src/thread/Thread.cxx:63
#22 0x00005555556485d5 in Thread::ThreadProc(void*) (ctx=0x7fffe0dfc378) at ../../src/thread/Thread.cxx:92
#23 0x00007ffff2a9f8fd in  () at /usr/lib/libc.so.6
#24 0x00007ffff2b21a60 in  () at /usr/lib/libc.so.6

zaidhaan commented 1 year ago

I looked into this; it seems to be an underflow issue that occurs here on line 801, with i being 529 and pcm_length being 229: https://github.com/MusicPlayerDaemon/MPD/blob/8a7b7dffec76d3652995274edb0e0a89acdcf684/src/decoder/plugins/MadDecoderPlugin.cxx#L798-L805

The calling function MadDecoder::SynthAndSubmit() sets i to drop_start_samples which had the value of 529. pcm_length was initially 576 but after subtracting the drop_end_samples (347) it then became 229. Now i is greater than pcm_length which leads to the size_t underflow in MadDecoder::SubmitPCM().

I don't really know anything about MAD so I'm not sure what course of action should be taken, but I guess if (i > pcm_length) then DecoderCommand::STOP?

MaxKellermann commented 1 year ago

Thanks @zaidhaan, your analysis was correct; the problem was that drop_start_samples and drop_end_samples could overlap, and thus the mistake was in the drop_end_samples >= pcm_length check which didn't account for drop_start_samples (= i).
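The arithmetic from the two comments above, as an added example that is not MPD's own code: `naive_submit_bytes` models the unchecked computation (an end-trim check that ignores the start trim), `checked_submit_bytes` models the corrected check, and both function names are hypothetical. The sample counts 576, 529 and 347 are the ones reported in the thread; the 2 channels come from the logged audio_format, and 4-byte sample containers for 24-bit audio are an assumption that makes the wrapped byte count match the `length` in frame #2 of the backtrace.

```cpp
// Added example (not MPD's code): models the size_t underflow behind the
// SIGSEGV above and the corrected bounds check.  576 / 529 / 347 are the
// pcm_length / drop_start_samples / drop_end_samples values from the thread.
#include <cstddef>
#include <cstdint>
#include <optional>

constexpr std::size_t kChannels = 2;                        // audio_format=24000:24:2
constexpr std::size_t kBytesPerSample = sizeof(std::int32_t); // assumed: 24-bit in a 32-bit container

// Unchecked version: trims the end, then starts at drop_start, never asking
// whether the two trimmed regions overlap.  In this short file both trims
// land in the same frame, so i ends up beyond the trimmed pcm_length and the
// unsigned subtraction wraps to just under 2^64.
std::optional<std::size_t>
naive_submit_bytes(std::size_t pcm_length, std::size_t drop_start, std::size_t drop_end)
{
    if (drop_end >= pcm_length)             // guards only against the end trim
        return std::nullopt;                // stand-in for DecoderCommand::STOP
    pcm_length -= drop_end;                 // 576 - 347 = 229
    std::size_t i = drop_start;             // 529
    std::size_t num_samples = pcm_length - i; // 229 - 529 wraps to 2^64 - 300
    return num_samples * kChannels * kBytesPerSample;   // byte count handed on
}

// Checked version: the end-trim check accounts for the samples already
// dropped at the start, so the subtraction can never wrap.  std::nullopt
// means the frame has nothing left to submit.
std::optional<std::size_t>
checked_submit_bytes(std::size_t pcm_length, std::size_t drop_start, std::size_t drop_end)
{
    if (drop_start >= pcm_length || drop_end >= pcm_length - drop_start)
        return std::nullopt;                // start and end trims cover the frame
    std::size_t num_samples = pcm_length - drop_start - drop_end;
    return num_samples * kChannels * kBytesPerSample;
}
```

The wrapped value returned for the thread's inputs is the 18446744073709549216 seen in frame #2 of the backtrace, i.e. 2^64 minus 2400 bytes (300 samples of 8 bytes per stereo frame).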