NixOS / nixpkgs


Segfault in `libde265` in `gst-discoverer-1.0` #267118

Open PJungkamp opened 12 months ago

PJungkamp commented 12 months ago

Describe the bug

Running gst-discoverer-1.0 Dune_trunc.h265 causes a segfault in libde265.so. Dune_trunc.h265 contains the first 10 seconds of the 4K h265 bitstream for the movie Dune. Running dec265 didn't have any problems with this file.

This only happens on my two Intel based NixOS hosts, both in the host OS and in containers (debian:bookworm & debian:bullseye). My AMD based Arch Linux desktop does not show the crash.

Dune_trunc.zip

Reproduction Steps

NixOS

I used this nix expression to build a shell environment:

nix develop --impure --expr '
let
 nixpkgs = builtins.getFlake "nixpkgs";
 pkgs = import nixpkgs {
  system = "x86_64-linux";
  overlays = [(final: prev: {
   libde265 = prev.libde265.overrideAttrs (finalAttrs: prevAttrs: {
    separateDebugInfo = true;
   });
  })];
 };
in pkgs.mkShell {
 shellHook = \'\'[ -z "$PS1" ] || exec "$SHELL"\'\'; 
 packages =
   (with pkgs; [
     ffmpeg_6-full
     libde265
   ]) ++ (with pkgs.gst_all_1; [
    gstreamer
    gst-plugins-base
    gst-plugins-good
    gst-plugins-bad
   ]);
}'

This is the segfault:

$ gst-discoverer-1.0 Dune_trunc.h265
Analyzing file:///home/pjungkamp/libde265-segfault/Dune_trunc.h265
fish: Job 1, 'gst-discoverer-1.0 Dune_trunc.h…' terminated by signal SIGSEGV (Address boundary error)

Debian Containers

I started off from the official dockerhub debian:buster and debian:bookworm containers. E.g.

docker run --rm -it debian:bookworm

Then I installed gstreamer using:

apt update && apt install gstreamer1.0-{tools,plugins-base,plugins-base-apps,plugins-good,plugins-bad}

Here's the buster segfault:

root@308ac31fa206:/# gst-discoverer-1.0 /mnt/Dune_trunc.h265 
Analyzing file:///mnt/Dune_trunc.h265
Segmentation fault (core dumped)
root@308ac31fa206:/# gst-discoverer-1.0 --gst-version        
GStreamer Core Library version 1.14.4

Here's the bookworm segfault:

root@aaa749e91f5f:/# gst-discoverer-1.0 /mnt/Dune_trunc.h265 
Analyzing file:///mnt/Dune_trunc.h265
Segmentation fault (core dumped)
root@aaa749e91f5f:/# gst-discoverer-1.0 --gst-version        
GStreamer Core Library version 1.22.0

The coredumps in my host's log suggest it's the same kind of crash (at least it's in libde265):

Nov 08 22:32:08 kernel: traps: h265parse0:sink[791363] general protection fault ip:7fd53873e6a2 sp:7fd525ff2e60 error:0 in libde265.so.0.1.4[7fd538711000+51000]
Nov 08 22:32:08 kernel: traps: h265parse0:sink[791358] general protection fault ip:7fd53873e6a2 sp:7fd5287f7e60 error:0 in libde265.so.0.1.4[7fd538711000+51000]
Nov 08 22:32:08 systemd[1]: Started Process Core Dump (PID 791377/UID 0).
Nov 08 22:32:08 systemd-coredump[791378]: [🡕] Process 791336 (gst-discoverer-) of user 0 dumped core.

                                                Stack trace of thread 7728:
                                                #0  0x00007fd53873e6a2 n/a (/usr/lib/x86_64-linux-gnu/libde265.so.0.1.4 + 0x346a2)
                                                #1  0x0001000000000002 n/a (n/a + 0x0)
                                                ELF object binary architecture: AMD x86-64

All these tests have been made on my x86_64-linux laptop (Intel Core i5 1240P, integrated graphics). I also reproduced the crash on a server running NixOS (Intel Xeon E5-2680 v3, headless).

Expected behavior

gst-discoverer-1.0 Dune_trunc.h265 
Analyzing file:///home/pjungkamp/Dune_trunc.h265
Done discovering file:///home/pjungkamp/Dune_trunc.h265

Properties:
  Duration: 0:00:00.000000000
  Seekable: yes
  Live: no
  video #0: H.265 (Main 10 Profile)
    Stream ID: 3eab9ccfcebb0e0fbd197b50b018c8c210f8c18cb0cfda46bd80a57a4e97c24c
    Width: 3840
    Height: 2160
    Depth: 30
    Frame rate: 24000/1001
    Pixel aspect ratio: 1/1
    Interlaced: false
    Bitrate: 0
    Max bitrate: 0

Additional context

I first decided to post an issue on libde265 because I think that the issue boils down to a double free in libde265 (see https://github.com/strukturag/libde265/issues/425). But it turns out that I can only reproduce on my NixOS machines.

gdb backtrace

```
Thread 4 "h265parse0:sink" received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7ffff5a8e6c0 (LWP 1370002)]
0x00007ffff5230aa4 in image_unit::~image_unit (this=0x7fffec779580, __in_chrg=<optimized out>) at decctx.cc:194
194     delete tasks[i];
(gdb) bt
#0  0x00007ffff5230aa4 in image_unit::~image_unit (this=0x7fffec779580, __in_chrg=<optimized out>) at decctx.cc:194
#1  0x00007ffff5233c3e in decoder_context::decode_some (this=this@entry=0x7fffec034aa0, did_work=did_work@entry=0x7ffff5a8d460) at decctx.cc:796
#2  0x00007ffff5235ab0 in decoder_context::read_slice_NAL (this=this@entry=0x7fffec034aa0, reader=..., nal=nal@entry=0x7fffec016670, nal_hdr=...) at decctx.cc:698
#3  0x00007ffff5235c91 in decoder_context::decode_NAL (this=this@entry=0x7fffec034aa0, nal=0x7fffec016670) at decctx.cc:1240
#4  0x00007ffff5235f8c in decoder_context::decode (this=0x7fffec034aa0, more=0x7ffff5a8d56c) at decctx.cc:1328
#5  0x00007ffff5c2bf43 in gst_libde265_dec_handle_frame () from /nix/store/m986c3np2pll6s48kvbw59bi9rmb80qm-gst-plugins-bad-1.22.5/lib/gstreamer-1.0/libgstde265.so
#6  0x00007ffff7989ce2 in gst_video_decoder_decode_frame () from /nix/store/4k1pg5wr83dk829qzfispkskdwr2x038-gst-plugins-base-1.22.5/lib/libgstvideo-1.0.so.0
#7  0x00007ffff798a16a in gst_video_decoder_chain_forward () from /nix/store/4k1pg5wr83dk829qzfispkskdwr2x038-gst-plugins-base-1.22.5/lib/libgstvideo-1.0.so.0
#8  0x00007ffff798cd5a in gst_video_decoder_chain () from /nix/store/4k1pg5wr83dk829qzfispkskdwr2x038-gst-plugins-base-1.22.5/lib/libgstvideo-1.0.so.0
#9  0x00007ffff7e33ee9 in gst_pad_chain_data_unchecked () from /nix/store/z964cncjvwsiic8bphinlkb5z99rr25f-gstreamer-1.22.5/lib/libgstreamer-1.0.so.0
#10 0x00007ffff7e363f1 in gst_pad_push_data () from /nix/store/z964cncjvwsiic8bphinlkb5z99rr25f-gstreamer-1.22.5/lib/libgstreamer-1.0.so.0
#11 0x00007ffff7e3d76b in gst_pad_push () from /nix/store/z964cncjvwsiic8bphinlkb5z99rr25f-gstreamer-1.22.5/lib/libgstreamer-1.0.so.0
#12 0x00007ffff78c7d40 in gst_base_transform_chain () from /nix/store/z964cncjvwsiic8bphinlkb5z99rr25f-gstreamer-1.22.5/lib/libgstbase-1.0.so.0
#13 0x00007ffff7e33ee9 in gst_pad_chain_data_unchecked () from /nix/store/z964cncjvwsiic8bphinlkb5z99rr25f-gstreamer-1.22.5/lib/libgstreamer-1.0.so.0
#14 0x00007ffff7e363f1 in gst_pad_push_data () from /nix/store/z964cncjvwsiic8bphinlkb5z99rr25f-gstreamer-1.22.5/lib/libgstreamer-1.0.so.0
#15 0x00007ffff7e3d76b in gst_pad_push () from /nix/store/z964cncjvwsiic8bphinlkb5z99rr25f-gstreamer-1.22.5/lib/libgstreamer-1.0.so.0
#16 0x00007ffff78a85f8 in gst_base_parse_push_frame () from /nix/store/z964cncjvwsiic8bphinlkb5z99rr25f-gstreamer-1.22.5/lib/libgstbase-1.0.so.0
#17 0x00007ffff5bcbe6c in gst_h265_parse_handle_frame () from /nix/store/m986c3np2pll6s48kvbw59bi9rmb80qm-gst-plugins-bad-1.22.5/lib/gstreamer-1.0/libgstvideoparsersbad.so
#18 0x00007ffff78a33b9 in gst_base_parse_handle_buffer () from /nix/store/z964cncjvwsiic8bphinlkb5z99rr25f-gstreamer-1.22.5/lib/libgstbase-1.0.so.0
#19 0x00007ffff78a3bb7 in gst_base_parse_scan_frame () from /nix/store/z964cncjvwsiic8bphinlkb5z99rr25f-gstreamer-1.22.5/lib/libgstbase-1.0.so.0
#20 0x00007ffff78a704e in gst_base_parse_loop () from /nix/store/z964cncjvwsiic8bphinlkb5z99rr25f-gstreamer-1.22.5/lib/libgstbase-1.0.so.0
#21 0x00007ffff7e6d911 in gst_task_func () from /nix/store/z964cncjvwsiic8bphinlkb5z99rr25f-gstreamer-1.22.5/lib/libgstreamer-1.0.so.0
#22 0x00007ffff7c8911a in g_thread_pool_thread_proxy (data=<optimized out>) at ../glib/gthreadpool.c:350
#23 0x00007ffff7c887cd in g_thread_proxy (data=0x7ffff0000d40) at ../glib/gthread.c:831
#24 0x00007ffff7a9bdd4 in start_thread (arg=<optimized out>) at pthread_create.c:444
#25 0x00007ffff7b1d9b0 in clone3 () at ../sysdeps/unix/sysv/linux/x86_64/clone3.S:81
```

Here is the actual frame where a delete seems to cause the segfault.

(gdb) frame
#0  0x00007ffff5230aa4 in image_unit::~image_unit (this=0x7fffec779580, __in_chrg=<optimized out>) at decctx.cc:194
194     delete tasks[i];
(gdb) print this->tasks[i]
$5 = (thread_task *) 0x7fffef3a4520

Notify maintainers

Metadata

$ gst-discoverer-1.0 --gst-version
GStreamer Core Library version 1.22.5
$ dec265 --help
 dec265  v1.0.12
$ uname -a
Linux yoga9 6.5.6 #1-NixOS SMP PREEMPT_DYNAMIC Fri Oct  6 11:16:31 UTC 2023 x86_64 GNU/Linux
$ cat /etc/os-release
BUG_REPORT_URL="https://github.com/NixOS/nixpkgs/issues"
BUILD_ID="23.11.20231009.f99e5f0"
DOCUMENTATION_URL="https://nixos.org/learn.html"
HOME_URL="https://nixos.org/"
ID=nixos
LOGO="nix-snowflake"
NAME=NixOS
PRETTY_NAME="NixOS 23.11 (Tapir)"
SUPPORT_URL="https://nixos.org/community.html"
VERSION="23.11 (Tapir)"
VERSION_CODENAME=tapir
VERSION_ID="23.11"
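The report above matches the two hosts' crashes by reading the kernel `traps:` lines by eye. As an added triage example (not code from the issue, libde265 or GStreamer), the script below parses those lines, as quoted from this report, into (library, offset-inside-mapping) crash sites, handles the case where journald splits the ` in <lib>[...]` continuation onto its own line, and keeps the kernel's VMA-relative offset apart from the ELF-base-relative offset that systemd-coredump prints.

```python
"""Group kernel 'traps:' lines into crash sites (library + offset inside the mapping).

Added triage example, not code from the issue, libde265 or GStreamer.  It relies
on the x86 kernel's show_signal()/print_vma_addr() line format as quoted in the
report; "segfault at ..." lines use a different format and are ignored here.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# traps: <comm>[<pid>] <fault kind> ip:<hex> sp:<hex> error:<hex> in <lib>[<vma_start>+<vma_len>]
# The " in <lib>[...]" part is a KERN_CONT continuation and may be missing or land
# on the next journal line (both cases appear in the NixOS log in this issue).
TRAP_RE = re.compile(
    r"traps: (?P<comm>\S+)\[(?P<pid>\d+)\] (?P<kind>.+?) "
    r"ip:(?P<ip>[0-9a-f]+) sp:(?P<sp>[0-9a-f]+) error:(?P<err>[0-9a-f]+)"
    r"(?: in (?P<lib>\S+)\[(?P<start>[0-9a-f]+)\+(?P<len>[0-9a-f]+)\])?"
)


@dataclass(frozen=True)
class Trap:
    comm: str
    pid: int
    kind: str
    ip: int
    sp: int
    error: int
    lib: Optional[str]
    vma_start: Optional[int]
    vma_len: Optional[int]

    @property
    def offset(self) -> Optional[int]:
        """ip relative to the start of the mapping the kernel printed.

        print_vma_addr() reports the VMA (normally the executable segment), not the
        ELF load base, so this is NOT the '(libde265.so.0 + 0x...)' number that
        systemd-coredump prints; compare like with like.  None if no mapping was
        printed or the ip lies outside it.
        """
        if self.vma_start is None or self.vma_len is None:
            return None
        if not (self.vma_start <= self.ip < self.vma_start + self.vma_len):
            return None
        return self.ip - self.vma_start


def parse_traps(lines: List[str]) -> List[Trap]:
    """Extract every trap line; lines without 'traps:' (coredump, continuations) are skipped."""
    traps = []
    for line in lines:
        m = TRAP_RE.search(line)
        if not m:
            continue
        g = m.groupdict()
        traps.append(Trap(
            comm=g["comm"], pid=int(g["pid"]), kind=g["kind"],
            ip=int(g["ip"], 16), sp=int(g["sp"], 16), error=int(g["err"], 16),
            lib=g["lib"],
            vma_start=int(g["start"], 16) if g["start"] else None,
            vma_len=int(g["len"], 16) if g["len"] else None,
        ))
    return traps


def group_by_site(traps: List[Trap]) -> Dict[Tuple[Optional[str], Optional[int]], List[int]]:
    """Collapse repeated faults at one (library, offset) into the list of faulting thread ids."""
    sites: Dict[Tuple[Optional[str], Optional[int]], List[int]] = {}
    for t in traps:
        sites.setdefault((t.lib, t.offset), []).append(t.pid)
    return sites


# Sample input, quoted from the two hosts in this issue: the Debian container
# (libde265.so.0.1.4) and the NixOS host (libde265.so.0.1.5).  Line 4 is the
# split-continuation case, where the mapping arrives on its own journal line.
SAMPLE_LOG = [
    "Nov 08 22:32:08 kernel: traps: h265parse0:sink[791363] general protection fault ip:7fd53873e6a2 sp:7fd525ff2e60 error:0 in libde265.so.0.1.4[7fd538711000+51000]",
    "Nov 08 22:32:08 kernel: traps: h265parse0:sink[791358] general protection fault ip:7fd53873e6a2 sp:7fd5287f7e60 error:0 in libde265.so.0.1.4[7fd538711000+51000]",
    "Nov 13 00:28:39 kernel: traps: h265parse0:sink[45785] general protection fault ip:7ffff524e9d2 sp:7fffdf7ede60 error:0 in libde265.so.0.1.5[7ffff5222000+4f000]",
    "Nov 13 00:28:39 kernel: traps: h265parse0:sink[45789] general protection fault ip:7ffff524e9d2 sp:7fffdd7e9e60 error:0",
    "Nov 13 00:28:39 kernel: in libde265.so.0.1.5[7ffff5222000+4f000]",
    "Nov 13 00:28:39 systemd[1]: Started Process Core Dump (PID 45800/UID 0).",
]

if __name__ == "__main__":
    for (lib, off), pids in group_by_site(parse_traps(SAMPLE_LOG)).items():
        where = f"{lib}+0x{off:x}" if lib else "mapping unknown (continuation split off)"
        print(f"{len(pids)} thread(s) {pids} faulted at {where}")
```

Because the two hosts run different libde265 builds (0.1.4 vs 0.1.5), the offsets differ and only the library name shows it is the same component, which is all the report claims.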

kirillrdy commented 11 months ago

@PJungkamp have you tried rebuilding dec265 with hardeningDisable = [ "fortify3" ];?

It's possible it's still a bug in dec265.