swh / lv2

SWH Plugins in LV2 format
http://plugin.org.uk/
GNU General Public License v3.0

double free corruption in revdelay-swh.lv2 #13

Closed x42 closed 2 years ago

x42 commented 8 years ago

==28903== Invalid free() / delete / delete[] / realloc()
==28903==    at 0x4C2AEAB: free (vg_replace_malloc.c:530)
==28903==    by 0x4A03F8DC: ??? (in /usr/lib/lv2/revdelay-swh.lv2/plugin-linux.so)
==28903==    by 0xE912082: lilv_instance_free (in /usr/lib/liblilv-0.so.0.22.0)
==28903==    by 0x6972404: ARDOUR::LV2Plugin::cleanup() (lv2_plugin.cc:1927)
==28903==    by 0x696C210: ARDOUR::LV2Plugin::~LV2Plugin() (lv2_plugin.cc:721)
==28903==    by 0x696C563: ARDOUR::LV2Plugin::~LV2Plugin() (lv2_plugin.cc:752)

==28903== Conditional jump or move depends on uninitialised value(s)
==28903==    at 0x4C2AE61: free (vg_replace_malloc.c:530)
==28903==    by 0x4A03F8DC: ??? (in /usr/lib/lv2/revdelay-swh.lv2/plugin-linux.so)
==28903==    by 0xE912082: lilv_instance_free (in /usr/lib/liblilv-0.so.0.22.0)
==28903==    by 0x6972404: ARDOUR::LV2Plugin::cleanup() (lv2_plugin.cc:1927)
==28903==    by 0x696C210: ARDOUR::LV2Plugin::~LV2Plugin() (lv2_plugin.cc:721)
==28903==    by 0x696C563: ARDOUR::LV2Plugin::~LV2Plugin() (lv2_plugin.cc:752)

Sorry, no debug build, but this really smells like some uninitialized pointer variable. If needed I can do it with a debug build, but really, just calloc-allocating the instance or a memset will solve this.

lowpass_iir-swh.lv2 has a similar issue (no crash); valgrind reports:

==28903== Conditional jump or move depends on uninitialised value(s)
==28903==    at 0xF5352EF: __sin_avx (in /lib/x86_64-linux-gnu/libm-2.21.so)
==28903==    by 0xF4F01DA: sincos (in /lib/x86_64-linux-gnu/libm-2.21.so)
==28903==    by 0x50884EE5: chebyshev_stage (in /usr/lib/lv2/lowpass_iir-swh.lv2/plugin-linux.so)
==28903==    by 0x508856C9: chebyshev (in /usr/lib/lv2/lowpass_iir-swh.lv2/plugin-linux.so)
==28903==    by 0x69688EF: lilv_instance_activate (lilv.h:1648)

x42 commented 8 years ago

and another crash:

Program terminated with signal SIGSEGV, Segmentation fault.
#0  __GI___libc_free (mem=0x2) at malloc.c:2929
2929    malloc.c: No such file or directory.
(gdb) bt
Thread 1 (Thread 0x7fbca2190a00 (LWP 872)):
#0  __GI___libc_free (mem=0x2) at malloc.c:2929
#1  0x00007fbc3a37c8cd in cleanupRevdelay () from /usr/local/lib/lv2/revdelay-swh.lv2/plugin-Linux.so
#2  0x00007fbc9bf6d3f6 in lilv_instance_free (instance=0x226efbf0) at ../lilv/src/instance.c:120
#3  0x00007fbca129e08d in ARDOUR::LV2Plugin::cleanup() () from ./../build/libs/ardour/libardour.so.3
#4  0x00007fbca129faed in ARDOUR::LV2Plugin::~LV2Plugin() () from ./../build/libs/ardour/libardour.so.3
...

swh commented 8 years ago

Great, thanks.

I'm not ignoring you BTW, just crazy busy!

x42 commented 8 years ago

No problem. It's similar here, otherwise I'd have added a patch. Just as long as it's not forgotten long term.

alex-tee commented 3 years ago

Similar issue here: crash during cleanup of the highpass filter.

Backtrace:

??? unknown
./util/iir.h (free_iirf_t:69)
plugins/highpass_iir-swh.lv2/plugin.c (cleanupHighpass_iir:23)
??? lilv_instance_free from /usr/lib/liblilv-0.so.0(+0x64d0)[0x5c2c000]
../src/plugins/lv2_plugin.c (lv2_plugin_cleanup:3239)

Valgrind:

==2590932== Use of uninitialised value of size 8
==2590932==    at 0x6B4DC143: free_iirf_t (iir.h:69)
==2590932==    by 0x6B4DC143: cleanupHighpass_iir (plugin.c:23)
==2590932==    by 0x5C324E3: lilv_instance_free (in /usr/lib/liblilv-0.so.0.24.12)
==2590932==    by 0xA672E7: lv2_plugin_cleanup (lv2_plugin.c:3239)
==2590932==    by 0xA6B85F: plugin_cleanup (plugin.c:1221)
==2590932==    by 0xA6D9DB: plugin_clone (plugin.c:2199)
==2590932==    by 0x9D56CA: do_or_undo_move_or_copy.lto_priv.0 (mixer_selections_action.c:806)
==2590932==    by 0x9D6715: do_or_undo.lto_priv.1 (mixer_selections_action.c:1058)
==2590932==    by 0x9D6783: mixer_selections_action_do (mixer_selections_action.c:1076)
==2590932==    by 0x9E0139: undoable_action_do (undoable_action.c:289)
==2590932==    by 0x9E158D: do_or_undo_action (undo_manager.c:99)
==2590932==    by 0x9E1E4C: undo_manager_perform (undo_manager.c:252)
==2590932==    by 0xB4E81C: on_drag_data_received.lto_priv.1 (channel_slot.c:304)
==2590932== 
==2590932== Invalid read of size 4
==2590932==    at 0x6B4DC143: free_iirf_t (iir.h:69)
==2590932==    by 0x6B4DC143: cleanupHighpass_iir (plugin.c:23)
==2590932==    by 0x5C324E3: lilv_instance_free (in /usr/lib/liblilv-0.so.0.24.12)
==2590932==    by 0xA672E7: lv2_plugin_cleanup (lv2_plugin.c:3239)
==2590932==    by 0xA6B85F: plugin_cleanup (plugin.c:1221)
==2590932==    by 0xA6D9DB: plugin_clone (plugin.c:2199)
==2590932==    by 0x9D56CA: do_or_undo_move_or_copy.lto_priv.0 (mixer_selections_action.c:806)
==2590932==    by 0x9D6715: do_or_undo.lto_priv.1 (mixer_selections_action.c:1058)
==2590932==    by 0x9D6783: mixer_selections_action_do (mixer_selections_action.c:1076)
==2590932==    by 0x9E0139: undoable_action_do (undoable_action.c:289)
==2590932==    by 0x9E158D: do_or_undo_action (undo_manager.c:99)
==2590932==    by 0x9E1E4C: undo_manager_perform (undo_manager.c:252)
==2590932==    by 0xB4E81C: on_drag_data_received.lto_priv.1 (channel_slot.c:304)
==2590932==  Address 0x8 is not stack'd, malloc'd or (recently) free'd
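The two failure modes in this thread (x42's "Invalid free()" on a never-assigned pointer, and alex-tee's read at "Address 0x8" inside free_iirf_t) come from the same lifecycle gap: a host may instantiate and free a plugin without ever activating it. The following is an added illustration, not code from the swh repository; `Instance`, `activate`, `cleanup` and `run_lifecycle` are hypothetical names, and the buffer-allocated-in-activate layout is an assumption made to reproduce the pattern.

```c
#include <stdlib.h>

/* Constructed model (hypothetical names, not the swh sources): the work
 * buffer is allocated in activate(), so a host that instantiates and frees
 * a plugin without activating it reaches cleanup() with `buffer` unset. */
typedef struct {
    float *buffer;
    size_t buffer_len;
} Instance;

/* Buggy pattern: malloc leaves `buffer` holding leftover heap bytes, so
 * cleanup() free()s garbage (valgrind's "Invalid free()" / "depends on
 * uninitialised value(s)"). For contrast only; cleaning it up is UB. */
Instance *instantiate_buggy(void) {
    return (Instance *)malloc(sizeof(Instance));
}

/* Fix proposed in the thread: calloc zeroes every field, so an
 * un-activated instance carries buffer == NULL. */
Instance *instantiate_fixed(void) {
    return (Instance *)calloc(1, sizeof(Instance));
}

void activate(Instance *p, size_t len) {
    if (p == NULL) return;
    free(p->buffer);                 /* NULL or a valid earlier buffer */
    p->buffer = (float *)calloc(len, sizeof(float));
    p->buffer_len = (p->buffer != NULL) ? len : 0;
}

/* cleanup() hardened against both failure modes in the thread: a NULL
 * instance pointer (an "Address 0x8" read is consistent with a field
 * access through a NULL struct pointer) and a NULL buffer. Returns 1 if a
 * buffer was released, 0 otherwise, so the behaviour can be checked. */
int cleanup(Instance *p) {
    int released = 0;
    if (p == NULL) return 0;
    if (p->buffer != NULL) {
        free(p->buffer);
        p->buffer = NULL;
        released = 1;
    }
    free(p);
    return released;
}

/* Host-side sequence: instantiate, optionally activate, then free. */
int run_lifecycle(int activate_first) {
    Instance *p = instantiate_fixed();
    if (activate_first) activate(p, 4096);
    return cleanup(p);
}
```

Running the fixed path under valgrind with and without the activate step is the quickest regression check: neither should report an invalid free or an uninitialised conditional.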