clementine-player / Clementine

:tangerine: Clementine Music Player
https://www.clementine-player.org/
GNU General Public License v3.0

Clementine often crashes when playing ogg files (Segmentation fault core dumped, qt5) #6078

Closed trougnouf closed 5 years ago

trougnouf commented 6 years ago

System information

Issue

Clementine often crashes while playing ogg files. Sometimes as many times as once per song. (I would play an album, such as https://www.jamendo.com/album/100284/fractal-universe , Clementine crashes, I start it back up and play so that the same song restarts, then it seems to crash on the next one.) I think this has been happening for a long time, I've part of using Clementine, but it seems more consistent now so maybe identifiable (I don't know if that's because I've been listening to a lot of ogg albums from https://www.jamendo.com/ or a regression)

Looking at the terminal output I thought it may have been the writing statistics to file bit or lastfm, but it still crashes without these. Here is some log (from $ clementine --verbose; date +"%T.%3N";), I don't know if it's relevant or the segfault occurs independently later. I will keep trying with different settings and types of files and keep posting if I find anything.

I've uploaded the album I mentioned on https://drive.google.com/open?id=1_XjX5tJo010UF4YeCE1WvLr5AnCLpACL for easier access, it's under a CC by-nc-nd 3 license.

edit: running in gdb with the debug symbols installed and it doesn't crash, not helpful for debugging, happy I can run Clementine so reliably.

edit2: here is a backtrace with gdb and a successful crash on that album: pre-crash terminal + bt 200: https://pastebin.com/EC606t9u , bt full: https://pastebin.com/yjezTza7 , bt no-filters full: https://pastebin.com/JkD4xc8z , let me know if I should install any debug symbols or I need to get the backtraces differently.

Another one (2018-06-18): https://pastebin.com/nfLcwbx8 , slightly different one same day https://pastebin.com/UTxqTGLd , https://pastebin.com/BzZVpppq

orion40 commented 6 years ago

I also have similar issues, on a Debian Stretch. Here is the stack trace, after SIGSEGV:

```
0x00005576c09a87e4 in MoodbarBuilder::Init(int, int) ()
gdb-peda$ bt
#0  0x00005576c09a87e4 in MoodbarBuilder::Init(int, int) ()
#1  0x00005576c07fbb33 in MoodbarPipeline::NewPadCallback(_GstElement*, _GstPad*, void*) ()
#2  0x00007f6d47c5f038 in ffi_call_unix64 () from /usr/lib/x86_64-linux-gnu/libffi.so.6
#3  0x00007f6d47c5ea9a in ffi_call () from /usr/lib/x86_64-linux-gnu/libffi.so.6
#4  0x00007f6d50e907ae in g_cclosure_marshal_generic () from /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0
#5  0x00007f6d50e8ff75 in g_closure_invoke () from /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0
#6  0x00007f6d50ea1f82 in ?? () from /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0
#7  0x00007f6d50eaabdc in g_signal_emit_valist () from /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0
#8  0x00007f6d50eaafbf in g_signal_emit () from /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0
#9  0x00007f6d5062e368 in gst_element_add_pad () from /usr/lib/x86_64-linux-gnu/libgstreamer-1.0.so.0
#10 0x00007f6d47c5f038 in ffi_call_unix64 () from /usr/lib/x86_64-linux-gnu/libffi.so.6
#11 0x00007f6d47c5ea9a in ffi_call () from /usr/lib/x86_64-linux-gnu/libffi.so.6
#12 0x00007f6d50e907ae in g_cclosure_marshal_generic () from /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0
#13 0x00007f6d50e8ff75 in g_closure_invoke () from /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0
#14 0x00007f6d50ea1f82 in ?? () from /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0
#15 0x00007f6d50eaabdc in g_signal_emit_valist () from /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0
#16 0x00007f6d50eaafbf in g_signal_emit () from /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0
#17 0x00007f6d5062e368 in gst_element_add_pad () from /usr/lib/x86_64-linux-gnu/libgstreamer-1.0.so.0
#18 0x00007f6ce474e71d in ?? () from /usr/lib/x86_64-linux-gnu/gstreamer-1.0/libgstplayback.so
#19 0x00007f6ce474f3c0 in ?? () from /usr/lib/x86_64-linux-gnu/gstreamer-1.0/libgstplayback.so
#20 0x00007f6d5064679a in ?? () from /usr/lib/x86_64-linux-gnu/libgstreamer-1.0.so.0
#21 0x00007f6d50ba6ea4 in g_hook_list_marshal () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#22 0x00007f6d50644efb in ?? () from /usr/lib/x86_64-linux-gnu/libgstreamer-1.0.so.0
#23 0x00007f6d50647c2e in ?? () from /usr/lib/x86_64-linux-gnu/libgstreamer-1.0.so.0
#24 0x00007f6d50648110 in ?? () from /usr/lib/x86_64-linux-gnu/libgstreamer-1.0.so.0
#25 0x00007f6d50645cff in ?? () from /usr/lib/x86_64-linux-gnu/libgstreamer-1.0.so.0
#26 0x00007f6d50652061 in gst_pad_push_event () from /usr/lib/x86_64-linux-gnu/libgstreamer-1.0.so.0
#27 0x00007f6d510fa46a in ?? () from /usr/lib/x86_64-linux-gnu/libgstaudio-1.0.so.0
#28 0x00007f6d510ff2ab in ?? () from /usr/lib/x86_64-linux-gnu/libgstaudio-1.0.so.0
#29 0x00007f6d50647837 in ?? () from /usr/lib/x86_64-linux-gnu/libgstreamer-1.0.so.0
#30 0x00007f6d50647cfe in ?? () from /usr/lib/x86_64-linux-gnu/libgstreamer-1.0.so.0
#31 0x00007f6d50648110 in ?? () from /usr/lib/x86_64-linux-gnu/libgstreamer-1.0.so.0
#32 0x00007f6d50645cff in ?? () from /usr/lib/x86_64-linux-gnu/libgstreamer-1.0.so.0
#33 0x00007f6d50652061 in gst_pad_push_event () from /usr/lib/x86_64-linux-gnu/libgstreamer-1.0.so.0
#34 0x00007f6ce40f9a66 in ?? () from /usr/lib/x86_64-linux-gnu/gstreamer-1.0/libgstcoreelements.so
#35 0x00007f6d5067ca21 in ?? () from /usr/lib/x86_64-linux-gnu/libgstreamer-1.0.so.0
#36 0x00007f6d50bdedce in ?? () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#37 0x00007f6d50bde3d5 in ?? () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#38 0x00007f6d5156a494 in start_thread (arg=0x7f6ccdf58700) at pthread_create.c:333
#39 0x00007f6d4ca1dacf in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:97
gdb-peda$
```

jonaski commented 6 years ago

Does it work if you disable moodbar? Right click on the progress bar and uncheck show moodbar.

trougnouf commented 6 years ago

Still segfaults with the moodbar disabled

orion40 commented 6 years ago

Still segfault, here's the backtrace:

```
#0  0x0000555555b977e4 in MoodbarBuilder::Init(int, int) ()
#1  0x00005555559eab33 in MoodbarPipeline::NewPadCallback(_GstElement*, _GstPad*, void*) ()
#2  0x00007fffeb254038 in ffi_call_unix64 () from /usr/lib/x86_64-linux-gnu/libffi.so.6
#3  0x00007fffeb253a9a in ffi_call () from /usr/lib/x86_64-linux-gnu/libffi.so.6
#4  0x00007ffff44857ae in g_cclosure_marshal_generic () from /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0
#5  0x00007ffff4484f75 in g_closure_invoke () from /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0
#6  0x00007ffff4496f82 in ?? () from /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0
#7  0x00007ffff449fbdc in g_signal_emit_valist () from /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0
#8  0x00007ffff449ffbf in g_signal_emit () from /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0
#9  0x00007ffff3c23368 in gst_element_add_pad () from /usr/lib/x86_64-linux-gnu/libgstreamer-1.0.so.0
#10 0x00007fffeb254038 in ffi_call_unix64 () from /usr/lib/x86_64-linux-gnu/libffi.so.6
#11 0x00007fffeb253a9a in ffi_call () from /usr/lib/x86_64-linux-gnu/libffi.so.6
#12 0x00007ffff44857ae in g_cclosure_marshal_generic () from /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0
#13 0x00007ffff4484f75 in g_closure_invoke () from /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0
#14 0x00007ffff4496f82 in ?? () from /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0
#15 0x00007ffff449fbdc in g_signal_emit_valist () from /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0
#16 0x00007ffff449ffbf in g_signal_emit () from /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0
#17 0x00007ffff3c23368 in gst_element_add_pad () from /usr/lib/x86_64-linux-gnu/libgstreamer-1.0.so.0
#18 0x00007fff7bcf471d in ?? () from /usr/lib/x86_64-linux-gnu/gstreamer-1.0/libgstplayback.so
#19 0x00007fff7bcf53c0 in ?? () from /usr/lib/x86_64-linux-gnu/gstreamer-1.0/libgstplayback.so
#20 0x00007ffff3c3b79a in ?? () from /usr/lib/x86_64-linux-gnu/libgstreamer-1.0.so.0
#21 0x00007ffff419bea4 in g_hook_list_marshal () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#22 0x00007ffff3c39efb in ?? () from /usr/lib/x86_64-linux-gnu/libgstreamer-1.0.so.0
#23 0x00007ffff3c3cc2e in ?? () from /usr/lib/x86_64-linux-gnu/libgstreamer-1.0.so.0
#24 0x00007ffff3c3d110 in ?? () from /usr/lib/x86_64-linux-gnu/libgstreamer-1.0.so.0
#25 0x00007ffff3c3acff in ?? () from /usr/lib/x86_64-linux-gnu/libgstreamer-1.0.so.0
#26 0x00007ffff3c47061 in gst_pad_push_event () from /usr/lib/x86_64-linux-gnu/libgstreamer-1.0.so.0
#27 0x00007ffff46ef46a in ?? () from /usr/lib/x86_64-linux-gnu/libgstaudio-1.0.so.0
#28 0x00007ffff46f42ab in ?? () from /usr/lib/x86_64-linux-gnu/libgstaudio-1.0.so.0
#29 0x00007ffff3c3c837 in ?? () from /usr/lib/x86_64-linux-gnu/libgstreamer-1.0.so.0
#30 0x00007ffff3c3ccfe in ?? () from /usr/lib/x86_64-linux-gnu/libgstreamer-1.0.so.0
#31 0x00007ffff3c3d110 in ?? () from /usr/lib/x86_64-linux-gnu/libgstreamer-1.0.so.0
#32 0x00007ffff3c3acff in ?? () from /usr/lib/x86_64-linux-gnu/libgstreamer-1.0.so.0
#33 0x00007ffff3c47061 in gst_pad_push_event () from /usr/lib/x86_64-linux-gnu/libgstreamer-1.0.so.0
#34 0x00007fff7b69fa66 in ?? () from /usr/lib/x86_64-linux-gnu/gstreamer-1.0/libgstcoreelements.so
#35 0x00007ffff3c71a21 in ?? () from /usr/lib/x86_64-linux-gnu/libgstreamer-1.0.so.0
#36 0x00007ffff41d3dce in ?? () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#37 0x00007ffff41d33d5 in ?? () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#38 0x00007ffff4b5f494 in start_thread (arg=0x7fff7a5d0700) at pthread_create.c:333
#39 0x00007ffff0012acf in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:97
```

Here's a bit more info:

```
[----------------------------------registers-----------------------------------]
RAX: 0x0
RBX: 0x0
RCX: 0x7fff70029ef0 --> 0x60 ('')
RDX: 0x0
RSI: 0x80
RDI: 0x0
RBP: 0x5555578d2680 --> 0x555556743588 --> 0x555555a38540 (<_ZNK15MoodbarPipeline10metaObjectEv>: )
RSP: 0x7fff7a5ce360 --> 0x0
RIP: 0x555555b977e4 (<_ZN14MoodbarBuilder4InitEii+20>: )
R8 : 0x7fff70021710 --> 0x7fff70029ef0 --> 0x60 ('')
R9 : 0x0
R10: 0x73 ('s')
R11: 0x0
R12: 0x5555578e53d0 --> 0x5555578e3000 --> 0x5555577f9800 --> 0x6
R13: 0x4
R14: 0x7fff7a5ce500 --> 0x7fffeb254300 --> 0x8
R15: 0x80
EFLAGS: 0x10206 (carry PARITY adjust zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x555555b977dc <_ZN14MoodbarBuilder4InitEii+12>: push rbx
   0x555555b977dd <_ZN14MoodbarBuilder4InitEii+13>: mov rbx,rdi
   0x555555b977e0 <_ZN14MoodbarBuilder4InitEii+16>: sub rsp,0x8
=> 0x555555b977e4 <_ZN14MoodbarBuilder4InitEii+20>: mov DWORD PTR [rdi+0x8],esi
   0x555555b977e7 <_ZN14MoodbarBuilder4InitEii+23>: mov DWORD PTR [rdi+0xc],edx
   0x555555b977ea <_ZN14MoodbarBuilder4InitEii+26>: lock inc DWORD PTR [rip+0xbd18cf] # 0x5555567690c0 <_ZN9QListData11shared_nullE>
   0x555555b977f1 <_ZN14MoodbarBuilder4InitEii+33>: setne al
   0x555555b977f4 <_ZN14MoodbarBuilder4InitEii+36>: lea rax,[rip+0xbd18c5] # 0x5555567690c0 <_ZN9QListData11shared_nullE>
[------------------------------------stack-------------------------------------]
0000| 0x7fff7a5ce360 --> 0x0
0008| 0x7fff7a5ce368 --> 0x0
0016| 0x7fff7a5ce370 --> 0x5555578d2680 --> 0x555556743588 --> 0x555555a38540 (<_ZNK15MoodbarPipeline10metaObjectEv>: )
0024| 0x7fff7a5ce378 --> 0x5555578e53d0 --> 0x5555578e3000 --> 0x5555577f9800 --> 0x6
0032| 0x7fff7a5ce380 --> 0x4
0040| 0x7fff7a5ce388 --> 0x7fff7a5ce500 --> 0x7fffeb254300 --> 0x8
0048| 0x7fff7a5ce390 --> 0x7fff7a5ce4d0 --> 0x7fff7a5ce7e8 --> 0x7fff90016070 --> 0x7fff90011be0 --> 0x7fff90011780 (--> ...)
0056| 0x7fff7a5ce398 --> 0x5555559eab33 (<_ZN15MoodbarPipeline14NewPadCallbackEP11_GstElementP7_GstPadPv+163>: mov rax,QWORD PTR [rsp+0x8])
[------------------------------------------------------------------------------]
Stopped reason: SIGSEGV
0x0000555555b977e4 in MoodbarBuilder::Init(int, int) ()
```

MostafaSoliman commented 6 years ago

Hello, I was conducting security testing against Clementine and I reached a similar crash, so I will post the data here instead of opening a new issue. Clementine.exe has a null pointer dereference vulnerability that crashes the application. The issue exists in this code line: https://github.com/clementine-player/Clementine/blob/e5ab3e786f9adde12cec3cc90cfe8c1cc6b06320/src/moodbar/moodbarpipeline.cpp#L155.

```cpp
void MoodbarPipeline::NewPadCallback(GstElement*, GstPad* pad, gpointer data) {
  MoodbarPipeline* self = reinterpret_cast<MoodbarPipeline*>(data);
  GstPad* const audiopad =
      gst_element_get_static_pad(self->convert_element_, "sink");

  if (GST_PAD_IS_LINKED(audiopad)) {
    qLog(Warning) << "audiopad is already linked, unlinking old pad";
    gst_pad_unlink(audiopad, GST_PAD_PEER(audiopad));
  }

  gst_pad_link(pad, audiopad);
  gst_object_unref(audiopad);

  int rate = 0;
  GstCaps* caps = gst_pad_get_current_caps(pad);
  GstStructure* structure = gst_caps_get_structure(caps, 0);
  gst_structure_get_int(structure, "rate", &rate);
  gst_caps_unref(caps);

  self->builder_->Init(kBands, rate);     // ---> crash
}
```

It can be triggered by opening a malformed mp3 file. The application casts the gpointer data to MoodbarPipeline and then invokes the Init call without checking whether the builder_ pointer is valid (it is not in the case of the malformed mp3 file), leading to a user mode write access violation.

Below is the crash dump; I believe it is inside the MoodbarBuilder::Init method:

```
 --- [ write Violation Detected at 0x00796637] ---
EAX=00000080  ECX=7ef07000 'p\xff\x86\n\x00\x00\x87\n' EDX=00000006
EBX=00000000  ESP=0a86f1f0 '\x1c\xf2\x86\n\xc4;\xf9\x08' EBP=0a86f278 '\xb8\xf2\x86\n\xb4_d\x00'
ESI=00000000  EDI=08f93bb8 '\x98\x95\xe5\x08\x02\x00\x00\x00' EIP=00796637 '\x89F\x04\x8bE\x0c\x89F'
0x00796608  nop
0x00796609  lea esi,[esi+0x0]
0x00796610  push ebp
0x00796611  mov ebp,esp
0x00796613  push edi
0x00796614  push esi
0x00796615  mov esi,ecx
0x00796617  push ebx
0x00796618  sub esp,0x7c
0x0079661b  lea eax,[ebp-0x5c]
0x0079661e  mov [esp],eax
0x00796621  mov dword [ebp-0x44],clementine!zn8projectm11key_handlere13projectmevent15projectmkeycode16projectmmodifier+0x18d68
0x00796628  mov dword [ebp-0x40],clementine!znk8projectm8settingsev+0x31c60
0x0079662f  call clementine!zn8projectm11key_handlere13projectmevent15projectmkeycode16projectmmodifier+0x1a270
0x00796634  mov eax,[ebp+0x8]
0x00796637  mov [esi+0x4],eax  <--- Crash
0x0079663a  mov eax,[ebp+0xc]
0x0079663d  mov [esi+0x8],eax
0x00796640  lock inc [qtcore4!zn9qlistdata11shared_nulle]
0x00796647  setnz al
0x0079664a  mov eax,[esi]
0x0079664c  mov dword [esi],qtcore4!zn9qlistdata11shared_nulle
0x00796652  lock dec [eax]
0x00796655  setnz dl
0x00796658  test dl,dl
0x0079665a  jnz clementine!start+0x39519b
0x0079665c  mov [esp],eax
0x0079665f  mov dword [ebp-0x58],0x0
0x00796666  call clementine!zn8projectm11key_handlere13projectmevent15projectmkeycode16projectmmodifier+0x21278
0x0079666b  mov eax,[ebp+0x8]
0x0079666e  lea edx,[eax+0x1]
```

The issue has been assigned the CVE-2018-14332 .

System Info: OS: Windows 7 x64; Clementine version: Clementine-PortableSetup-1.3.1-386-g62d1eb4.exe

An example crash mp3 file is attached: 141.mp3.zip
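The failure path described in this comment, as an added example that is not Clementine's code: a plain C++ model of NewPadCallback in which Builder, Caps, Pipeline and kBands are stand-ins (assumptions) for MoodbarBuilder, GstCaps, MoodbarPipeline and the project's constant. It places the original's trust-every-pointer shape next to a hardened form that checks builder_, a missing caps result (gst_pad_get_current_caps() returns NULL when a pad has no caps) and the gst_structure_get_int() result before calling Init, and reports each failure instead of dereferencing it. The register dump earlier in the thread (RDI = 0x0 at the faulting store in MoodbarBuilder::Init) is what the unchecked shape produces when builder_ is null.

```cpp
// Added example, not Clementine's code: a plain C++ model of the pad-added
// callback from the issue, so the defensive checks can be run without GStreamer.
// Builder, Caps, Pipeline and kBands are stand-ins (assumptions) for
// MoodbarBuilder, GstCaps, MoodbarPipeline and Clementine's real constant.
#include <iostream>
#include <memory>

// Stand-in for MoodbarBuilder. Init() stores into member fields, which is the
// store that faulted in the issue (this == 0; RDI = 0x0 in the register dump).
struct Builder {
  int bands = 0;
  int rate = 0;
  void Init(int b, int r) {
    bands = b;
    rate = r;
  }
};

// Stand-in for the caps a pad reports. A pad may report no caps at all
// (gst_pad_get_current_caps() returns NULL then), and the "rate" field may be
// absent from the structure (gst_structure_get_int() returns FALSE then).
struct Caps {
  bool has_rate;
  int rate;
};

// Stand-in for MoodbarPipeline; builder_ stays null for a stream whose
// pipeline was never fully set up, as with the malformed file in the issue.
struct Pipeline {
  std::unique_ptr<Builder> builder_;
};

const int kBands = 128;  // constructed value, not necessarily Clementine's

enum class PadResult { kInitialised, kNoBuilder, kNoCaps, kNoRate, kBadRate };

// Same shape as the original callback: every pointer is trusted. Calling it
// with a null builder_ or null caps reproduces the crash class from the issue.
PadResult NewPadCallbackUnchecked(const Caps* caps, void* data) {
  Pipeline* self = static_cast<Pipeline*>(data);
  int rate = 0;
  if (caps->has_rate) rate = caps->rate;   // null caps: invalid read
  self->builder_->Init(kBands, rate);      // null builder_: invalid write
  return PadResult::kInitialised;
}

// Hardened form: every pointer and every lookup result is validated before the
// builder is touched, and each failure is reported instead of dereferenced.
PadResult NewPadCallbackHardened(const Caps* caps, void* data) {
  Pipeline* self = static_cast<Pipeline*>(data);
  if (self == nullptr || !self->builder_) return PadResult::kNoBuilder;
  if (caps == nullptr) return PadResult::kNoCaps;
  if (!caps->has_rate) return PadResult::kNoRate;
  if (caps->rate <= 0) return PadResult::kBadRate;  // a sample rate must be positive
  self->builder_->Init(kBands, caps->rate);
  return PadResult::kInitialised;
}

// Builds one pipeline/caps combination and runs the hardened callback on it.
PadResult RunScenario(bool have_builder, bool have_caps, bool have_rate, int rate) {
  Pipeline p;
  if (have_builder) p.builder_.reset(new Builder());
  Caps caps{have_rate, rate};
  return NewPadCallbackHardened(have_caps ? &caps : nullptr, &p);
}

// Rate the builder holds after a successful initialisation through the hardened path.
int InitialisedRate(int rate) {
  Pipeline p;
  p.builder_.reset(new Builder());
  Caps caps{true, rate};
  NewPadCallbackHardened(&caps, &p);
  return p.builder_->rate;
}

static const char* Name(PadResult r) {
  switch (r) {
    case PadResult::kInitialised: return "initialised";
    case PadResult::kNoBuilder: return "no builder (unchecked path would write through NULL)";
    case PadResult::kNoCaps: return "no caps (unchecked path would read through NULL)";
    case PadResult::kNoRate: return "caps carry no rate field";
    case PadResult::kBadRate: return "rate is not positive";
  }
  return "?";
}

int main() {
  std::cout << "healthy stream:   " << Name(RunScenario(true, true, true, 44100)) << "\n";
  std::cout << "builder_ is null: " << Name(RunScenario(false, true, true, 44100)) << "\n";
  std::cout << "pad has no caps:  " << Name(RunScenario(true, false, true, 44100)) << "\n";
  std::cout << "caps lack rate:   " << Name(RunScenario(true, true, false, 0)) << "\n";
  return 0;
}
```

The unchecked function is kept only to show the shape; the scenarios all go through the hardened one, so running the block never dereferences a null pointer. In the real callback the equivalent checks are a null test on self->builder_, a null test on the gst_pad_get_current_caps() result before gst_caps_get_structure(), and using the gboolean returned by gst_structure_get_int() rather than trusting that rate was written.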

orion40 commented 6 years ago

I can confirm that Clementine also crashes on Debian 9.4, Clementine version 1.3.1, using the same mp3 file. However, it seems to be a bit different: in VLC, the provided mp3 makes VLC output that there was an error, while the ogg files that crash Clementine can be played properly in VLC.

plater commented 6 years ago

I also confirm that gst-play-1.0 and ffmpeg both handle 141.mp3 correctly but Clementine segfaults.

trougnouf commented 5 years ago

It's fixed! :) I can finally listen to whole albums without experiencing any crash, this is life changing. Thank you to whoever is responsible for this marvelous change! (Likely @jonaski who ported a lot of changes from strawberry which didn't have that issue)

JulianVolodia commented 4 years ago

@orion40 fix your comments with code block (best - spoilers). Thanks. Also you created false-positive cross issue references.