bas-t / descrambler

Standalone version of FFdecsawrapper
GNU General Public License v3.0

segfault in plugin_getsid #8

Closed HSchill closed 7 years ago

HSchill commented 7 years ago

Hi, I had two segfaults in plugin_getsid.c, but both had the same root cause: NULL pointer usage in function static int start(char *dmxdev... ) after macro "ll_find_elem(filt, ... ".

There will be segfaults in function read_pmt() or when using filt-> 3 rows further down: if(ret < 0) { filt->parse_err++;

This simple patch solves the problem:

diff --git a/src/plugin_getsid.c b/src/plugin_getsid.c
index f157c02..9cd1e02 100644
--- a/src/plugin_getsid.c
+++ b/src/plugin_getsid.c
@@ -597,6 +597,8 @@ static int start(char *dmxdev, struct sid_data *sid_data, int timeout) {
           struct filter *filt;
           dprintf3("Read %d bytes\n", size);
           ll_find_elem(filt, pat.dmx_filter_ll, fd, pollfd[i].fd, struct filter);
+         if (!filt)
+           goto exit;
           int ret = read_pmt(pes, filt, sid_data, size);
           if(ret < 0) {
              filt->parse_err++;
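Review bot: the new `if (!filt) goto exit;` handles the missing filter silently, and since `dprintf3` is already used two lines above, log the unmatched descriptor first (e.g. `dprintf3("no filter for fd %d\n", pollfd[i].fd);`) so the condition stays visible when it recurs; also confirm that the `exit` label, which lies outside this hunk, runs the same cleanup as the normal return path, and consider whether skipping just this pollfd entry rather than aborting start() entirely is the intended behaviour.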

Here is a back trace of a core dump.

Thread 31 "ffdecsawrapper" received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7ffff7ead700 (LWP 14536)]
0x0000000000470329 in start (dmxdev=0x7ffff7eace00 "/dev/dvb/adapter3/demux0", sid_data=0x7b0730, timeout=200) at src/plugin_getsid.c:602
602                  filt->parse_err++;
(gdb) 
(gdb) bt full
#0  0x0000000000470329 in start (dmxdev=0x7ffff7eace00 "/dev/dvb/adapter3/demux0", sid_data=0x7b0730, timeout=200) at src/plugin_getsid.c:602
        filt = 0x0
        ret = -1
        count = 45
        num_filters = 45
        found = 13
        pes = "G\004)\324Ma\315ո\222\267L\255\a\r)\322\033\001\225\021쒊\202.-\303\377\065\233\032\203\310\002\222&\335\357#\375\221l\022\363\061\274\065\316զ\275PL\340\341\062\371\003\240\006 \301x\343s\224\313\\\355\266'(\037b\310}\177\201\366q\372e\366k\225\233\206\210\365\201\211\b\232\357_\307\303Bߔ\255\066\277F?\247\021\207Z\254\260f\317\342b'\254<\331>\271\177\242\275h\023\323\337\357\346\222N\320\004`\037\240\371l\301,)S\004\241A`\032\000I\000U\025\274\276\361)8:K\252\202\373\032ǭ\311\342uʖ\017fR\261WR\204\376\335\035yR\367\v\247\322G\004)\325\343Z\257\200d\270\236I\353\307\037\017\304\365^"...
        pfd = {fd = 7, events = 1, revents = 1}
        pollfd = {{fd = 5, events = 5, revents = 1}, {fd = 5, events = 5, revents = 1}, {fd = 5, events = 5, revents = 1}, {fd = 5, events = 5, revents = 1}, {fd = 5, events = 5, revents = 1}, {fd = 5, events = 5, revents = 1}, {fd = 5, events = 1, 
            revents = 1}, {fd = 69, events = 1, revents = 0}, {fd = 70, events = 1, revents = 0}, {fd = 71, events = 1, revents = 0}, {fd = 72, events = 1, revents = 0}, {fd = 73, events = 1, revents = 0}, {fd = 74, events = 1, revents = 0}, {fd = 75, 
            events = 1, revents = 0}, {fd = 76, events = 1, revents = 0}, {fd = 77, events = 1, revents = 0}, {fd = 78, events = 1, revents = 0}, {fd = 79, events = 1, revents = 0}, {fd = 80, events = 1, revents = 0}, {fd = 81, events = 1, revents = 0}, {
            fd = 82, events = 1, revents = 0}, {fd = 83, events = 1, revents = 0}, {fd = 84, events = 1, revents = 0}, {fd = 85, events = 1, revents = 0}, {fd = 86, events = 1, revents = 0}, {fd = 87, events = 1, revents = 0}, {fd = 88, events = 1, 
            revents = 0}, {fd = 89, events = 1, revents = 0}, {fd = 90, events = 1, revents = 0}, {fd = 91, events = 1, revents = 0}, {fd = 92, events = 1, revents = 0}, {fd = 93, events = 1, revents = 0}}
        pollretries = {5 <repeats 32 times>}
        pat_restart = 0
        done = 1
        size = 940
        i = 0
        ret = 0
        pat = {patfd = 7, version = 8, last_section = 0 '\000', section_seen = "\001\000\000\000", has_nit = 16, dmx_filter_ll = {next = 0x7fffa4009fe0, prev = 0x7fffb80008c0, priority = 4294967295}}
        lptr = 0x7ffff7eabb98
#1  0x0000000000470822 in read_sid (arg=0x7b0730) at src/plugin_getsid.c:710
        sid_data = 0x7b0730
        sid_ll = 0x0
        dmxcmd = 0x7fffbc1e8f00
        dmxdev = "/dev/dvb/adapter3/demux0", '\000' <repeats 231 times>
        ret = 0
#2  0x00007ffff75456fa in start_thread (arg=0x7ffff7ead700) at pthread_create.c:333
        __res = <optimized out>
        pd = 0x7ffff7ead700
        now = <optimized out>
        unwind_buf = {cancel_jmp_buf = {{jmp_buf = {140737352750848, -6612622759983783371, 0, 140737488342575, 140737352751552, 0, 6612640462249452085, 6612638894808293941}, mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x0, 0x0}, data = {prev = 0x0, 
              cleanup = 0x0, canceltype = 0}}}
        not_first_call = <optimized out>
        pagesize_m1 = <optimized out>
        sp = <optimized out>
        freesize = <optimized out>
        __PRETTY_FUNCTION__ = "start_thread"
#3  0x00007ffff69dab5d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:109
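
To show the failure mode and the shape of the fix in isolation, here is an added C example, not code from the descrambler project: a small fd-keyed filter list whose lookup can return NULL, and a call site that checks the result before touching parse_err. The struct, find_filter_by_fd(), fake_read_pmt() and demo() are constructed stand-ins for ll_find_elem and read_pmt(), and the fds 7, 69 and 70 are taken from the trace above as sample values.

```c
#include <stdio.h>

/* Constructed model of the fd-keyed filter list that ll_find_elem walks. */
struct filter {
    int fd;
    int parse_err;
    struct filter *next;
};

/* Returns NULL when no filter owns the fd: the case start() did not check. */
static struct filter *find_filter_by_fd(struct filter *head, int fd)
{
    for (struct filter *f = head; f != NULL; f = f->next)
        if (f->fd == fd)
            return f;
    return NULL;
}

/* Constructed stand-in for read_pmt(): odd fds fail with a negative result. */
static int fake_read_pmt(int fd) { return (fd % 2) ? -1 : 0; }

/* 1 = PMT handled, 0 = fd has no filter (skipped safely), -1 = parse error. */
static int handle_readable_fd(struct filter *head, int fd)
{
    struct filter *filt = find_filter_by_fd(head, fd);
    if (!filt) {
        fprintf(stderr, "no filter registered for fd %d, skipping\n", fd);
        return 0;          /* the fix: bail out instead of dereferencing NULL */
    }
    if (fake_read_pmt(fd) < 0) {
        filt->parse_err++; /* safe: filt is known non-NULL here */
        return -1;
    }
    return 1;
}

/* Run the handler on a constructed two-filter list (fds 69 and 70);
 * *errs receives the total parse_err count afterwards. */
static int demo(int fd, int *errs)
{
    struct filter f70 = { 70, 0, NULL };
    struct filter f69 = { 69, 0, &f70 };
    int r = handle_readable_fd(&f69, fd);
    *errs = f69.parse_err + f70.parse_err;
    return r;
}

/* fd 7 is the PAT fd in the trace: no filter owns it, so the handler skips it. */
int main(void) { int e; return demo(7, &e) == 0 ? 0 : 1; }
```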

bas-t commented 7 years ago

Can you please elaborate some more, I've never seen those segfaults. Like OS, kernel version and so on. How to reproduce?

HSchill commented 7 years ago

Sure, I'm running the standalone backend using Ubuntu 16.04 LTS (Mythbuntu 0.28), kernel 4.4.0-43 x86_64 (lowlatency) with some additional modules: dvbloopback and saa716x (a quad DVB-S2 card, TBS 6985). I just copied dvbloopback and the required files for saa716x, and rebuilt the entire kernel. The fault triggers when the EIT crawler starts. I have not traced any deeper since it was quite obvious what it was.

bas-t commented 7 years ago

Ok, that's pretty much like my setup. The only obvious difference is that I maintain my own version of saa716x, supporting only my TBS 6285 and TBS 6281 cards. You don't use "official" TBS drivers, do you?

HSchill commented 7 years ago

Nope, I pull them from GitHub and only use the selected drivers for my card.

bas-t commented 7 years ago

OK, so did you recompile the FFdecsa binary recently? And did you set --sid-filt to any value? Leading thought: you are short of filters, but I recently upped the default value.

bas-t commented 7 years ago

BTW: shortage of filters should not cause segfaults anyway. So even though I can't reproduce yours, I guess it's a good idea to apply your patch. Should it break anything for me, I can revert it.

HSchill commented 7 years ago

Nope, I didn't set --sid-filt, but as you say a NULL check doesn't hurt. Thanks!

bas-t commented 7 years ago

And thank you for your contribution.