obsproject / obs-studio

OBS Studio - Free and open source software for live streaming and screen recording
https://obsproject.com
GNU General Public License v2.0

Crash when creating a new scene collection with USB mic not plugged in #9322

Open hannob opened 1 year ago

hannob commented 1 year ago

Operating System Info

Other

Other OS

Gentoo Linux

OBS Studio Version

29.1.3

OBS Studio Version (Other)

No response

OBS Studio Log URL

https://obsproject.com/logs/PLkykBUTVKSQlqU6

OBS Studio Crash Log URL

No response

Expected Behavior

obs-studio should not crash.

Current Behavior

I am seeing regular crashes in obs.

Playing around, it appears they are related to whether or not I have my USB mic plugged in.

This leads to a crash. I recompiled obs-studio with address sanitizer to get a stack trace, and it looks like a use-after-free bug in the function _alsa_open in alsa-input.c. I'll attach the full ASan log below; I hope this helps in analyzing the issue.

Steps to Reproduce

  1. Start obs-studio without USB mic plugged in.
  2. Create a new Scene Collection.
  3. Switch to that new Scene Collection and wait a few seconds.

Anything else we should know?

Full asan log:

=================================================================
==11548==ERROR: AddressSanitizer: heap-use-after-free on address 0x6060004f3c60 at pc 0x7f46d7f54bc2 bp 0x7f469a5b1810 sp 0x7f469a5b0fb8
READ of size 6 at 0x6060004f3c60 thread T25
    #0 0x7f46d7f54bc1  (/usr/lib/gcc/x86_64-pc-linux-gnu/13/libasan.so.8+0x6cbc1)
    #1 0x7f469f1b38f9 in snd_config_search_definition (/usr/lib64/libasound.so.2+0x378f9)
    #2 0x7f469f1ce815  (/usr/lib64/libasound.so.2+0x52815)
    #3 0x7f469f1d0787 in snd_pcm_open (/usr/lib64/libasound.so.2+0x54787)
    #4 0x7f469f26f8f9 in _alsa_open /var/tmp/portage/media-video/obs-studio-29.1.3/work/obs-studio-29.1.3/plugins/linux-alsa/alsa-input.c:356
    #5 0x7f469f26fbc7 in _alsa_reopen /var/tmp/portage/media-video/obs-studio-29.1.3/work/obs-studio-29.1.3/plugins/linux-alsa/alsa-input.c:611
    #6 0x7f46d4cd4698 in start_thread /var/tmp/portage/sys-libs/glibc-2.37-r3/work/glibc-2.37/nptl/pthread_create.c:444
    #7 0x7f46d4d5581b in clone3 ../sysdeps/unix/sysv/linux/x86_64/clone3.S:81

0x6060004f3c60 is located 32 bytes inside of 55-byte region [0x6060004f3c40,0x6060004f3c77)
freed by thread T11 here:
    #0 0x7f46d7fc2aa0  (/usr/lib/gcc/x86_64-pc-linux-gnu/13/libasan.so.8+0xdaaa0)
    #1 0x7f469f270230 in alsa_destroy /var/tmp/portage/media-video/obs-studio-29.1.3/work/obs-studio-29.1.3/plugins/linux-alsa/alsa-input.c:160
    #2 0x7f46d5d854e8 in obs_source_destroy_defer /var/tmp/portage/media-video/obs-studio-29.1.3/work/obs-studio-29.1.3/libobs/obs-source.c:691
    #3 0x7f46d5e50ec0 in tiny_tubular_task_thread /var/tmp/portage/media-video/obs-studio-29.1.3/work/obs-studio-29.1.3/libobs/util/task.c:161
    #4 0x7f46d4cd4698 in start_thread /var/tmp/portage/sys-libs/glibc-2.37-r3/work/glibc-2.37/nptl/pthread_create.c:444
    #5 0x7f46d4d5581b in clone3 ../sysdeps/unix/sysv/linux/x86_64/clone3.S:81

previously allocated by thread T0 here:
    #0 0x7f46d7fc3f4f in malloc (/usr/lib/gcc/x86_64-pc-linux-gnu/13/libasan.so.8+0xdbf4f)
    #1 0x7f46d5e283b1 in a_malloc /var/tmp/portage/media-video/obs-studio-29.1.3/work/obs-studio-29.1.3/libobs/util/bmem.c:55
    #2 0x7f46d5e283b1 in bmalloc /var/tmp/portage/media-video/obs-studio-29.1.3/work/obs-studio-29.1.3/libobs/util/bmem.c:111
    #3 0x7f46d5e285e3 in bmemdup /var/tmp/portage/media-video/obs-studio-29.1.3/work/obs-studio-29.1.3/libobs/util/bmem.c:167
    #4 0x7f469f2708be in bstrdup_n /var/tmp/portage/media-video/obs-studio-29.1.3/work/obs-studio-29.1.3/libobs/util/bmem.h:60
    #5 0x7f469f2708be in bstrdup /var/tmp/portage/media-video/obs-studio-29.1.3/work/obs-studio-29.1.3/libobs/util/bmem.h:83
    #6 0x7f469f2708be in alsa_create /var/tmp/portage/media-video/obs-studio-29.1.3/work/obs-studio-29.1.3/plugins/linux-alsa/alsa-input.c:131
    #7 0x7f46d5d9312e in obs_source_create_internal /var/tmp/portage/media-video/obs-studio-29.1.3/work/obs-studio-29.1.3/libobs/obs-source.c:402
    #8 0x7f46d5cda458 in obs_load_source_type /var/tmp/portage/media-video/obs-studio-29.1.3/work/obs-studio-29.1.3/libobs/obs.c:2324
    #9 0x7f46d5ce3e9f in obs_load_sources /var/tmp/portage/media-video/obs-studio-29.1.3/work/obs-studio-29.1.3/libobs/obs.c:2458
    #10 0x55a0807c4f06 in OBSBasic::LoadData(obs_data*, char const*) /var/tmp/portage/media-video/obs-studio-29.1.3/work/obs-studio-29.1.3/UI/window-basic-main.cpp:1143
    #11 0x55a080802a53 in OBSBasic::OBSInit() /var/tmp/portage/media-video/obs-studio-29.1.3/work/obs-studio-29.1.3/UI/window-basic-main.cpp:2033
    #12 0x55a080533bf1 in OBSApp::OBSInit() /var/tmp/portage/media-video/obs-studio-29.1.3/work/obs-studio-29.1.3/UI/obs-app.cpp:1731
    #13 0x55a0804d306e in run_program /var/tmp/portage/media-video/obs-studio-29.1.3/work/obs-studio-29.1.3/UI/obs-app.cpp:2519
    #14 0x55a0804d306e in main /var/tmp/portage/media-video/obs-studio-29.1.3/work/obs-studio-29.1.3/UI/obs-app.cpp:3435
    #15 0x7f46d4c7398b in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    #16 0x7f46d4c73a44 in __libc_start_main_impl ../csu/libc-start.c:360
    #17 0x55a0804d79e0 in _start (/usr/bin/obs+0x1639e0)

Thread T25 created by T0 here:
    #0 0x7f46d7f2fe81 in pthread_create (/usr/lib/gcc/x86_64-pc-linux-gnu/13/libasan.so.8+0x47e81)
    #1 0x7f469f270402 in _alsa_start_reopen /var/tmp/portage/media-video/obs-studio-29.1.3/work/obs-studio-29.1.3/plugins/linux-alsa/alsa-input.c:531
    #2 0x7f469f270402 in _alsa_try_open /var/tmp/portage/media-video/obs-studio-29.1.3/work/obs-studio-29.1.3/plugins/linux-alsa/alsa-input.c:346

Thread T11 created by T0 here:
    #0 0x7f46d7f2fe81 in pthread_create (/usr/lib/gcc/x86_64-pc-linux-gnu/13/libasan.so.8+0x47e81)
    #1 0x7f46d5e51a81 in os_task_queue_create /var/tmp/portage/media-video/obs-studio-29.1.3/work/obs-studio-29.1.3/libobs/util/task.c:41

SUMMARY: AddressSanitizer: heap-use-after-free (/usr/lib/gcc/x86_64-pc-linux-gnu/13/libasan.so.8+0x6cbc1) 
==11548==ABORTING
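
The lifetime rule behind the trace above, as an added example (not OBS code and not a proposed patch): a retry thread keeps reading a heap-allocated device name, so the destroy path has to stop and join that thread before freeing the string. The `capture` struct, its functions and the device name are hypothetical stand-ins, and `try_open` replaces `snd_pcm_open`.

```c
#include <pthread.h>
#include <stdatomic.h>
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>
#include <threads.h>

struct capture { /* hypothetical stand-in for the ALSA source data */
	char *device;        /* heap string the retry thread reads */
	pthread_t thread;    /* retry thread, valid only if reopening is set */
	bool reopening;      /* touched by the owning thread only */
	atomic_bool stop;    /* tells the retry loop to exit */
	atomic_int attempts; /* open attempts made so far */
};

/* Stand-in for snd_pcm_open(): reads the name and fails (device unplugged). */
static int try_open(const char *device) { return device[0] ? -1 : 0; }

static void *reopen_loop(void *arg) {
	struct capture *c = arg;
	do {
		atomic_fetch_add(&c->attempts, 1);
		if (try_open(c->device) == 0) break;
		thrd_sleep(&(struct timespec){.tv_nsec = 1000000}, NULL);
	} while (!atomic_load(&c->stop));
	return NULL;
}

struct capture *capture_create(const char *device) {
	struct capture *c = calloc(1, sizeof(*c));
	size_t n = strlen(device) + 1;
	if (!c || !(c->device = malloc(n))) {
		free(c);
		return NULL;
	}
	memcpy(c->device, device, n);
	c->reopening = pthread_create(&c->thread, NULL, reopen_loop, c) == 0;
	return c;
}

/* Stop and join the retry thread first; only then free what it reads. */
int capture_destroy(struct capture *c) {
	atomic_store(&c->stop, true);
	if (c->reopening) pthread_join(c->thread, NULL);
	int attempts = atomic_load(&c->attempts);
	free(c->device);
	free(c);
	return attempts; /* >= 1 whenever the thread ran */
}
```

Freeing `device` before the join reproduces the class of report shown in the log; building with `-fsanitize=address` or `-fsanitize=thread` is a quick way to confirm the ordering holds.
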

nick2432 commented 11 months ago

Can I work on this?