Bug 441614

Summary: bad memory handling
Product: [Fedora] Fedora
Component: swfdec
Reporter: Bill Nottingham <notting>
Assignee: Brian Pepple <bdpepple>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: otte, rvokal
Status: CLOSED RAWHIDE
Severity: low
Priority: low
Version: rawhide
Hardware: All
OS: Linux
Fixed In Version: 0.6.4-3
Doc Type: Bug Fix
Last Closed: 2008-04-10 23:04:40 UTC

Description Bill Nottingham 2008-04-09 02:19:41 UTC
Description of problem:

swfdec aborts running the gamecasts at http://sports.espn.go.com/mlb/scoreboard
as it's killed by glibc's memory handling code.

#0  0x0000003827432ef5 in raise (sig=<value optimized out>)
    at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
#1  0x0000003827434a63 in abort () at abort.c:88
#2  0x0000003827473dd8 in __libc_message (do_abort=<value optimized out>,
    fmt=<value optimized out>) at ../sysdeps/unix/sysv/linux/libc_fatal.c:170
#3  0x0000003827479758 in malloc_printerr (action=<value optimized out>,
    str=<value optimized out>, ptr=<value optimized out>) at malloc.c:5949
#4  0x000000382747bd96 in __libc_free (mem=<value optimized out>) at malloc.c:3625
#5  0x00007f5bcaae14dc in swfdec_buffer_unref (buffer=0x27f3700) at swfdec_buffer.c:291
#6  0x00007f5bcaaf10c5 in swfdec_image_lossless_load (image=0xe38300)
    at swfdec_image.c:413
#7  0x00007f5bcaaf137d in swfdec_image_create_surface (image=0x621b)
    at swfdec_image.c:614
#8  0x00007f5bcab012d2 in swfdec_image_pattern_get_pattern (pat=0xfda7d0,
    trans=0x7fffd3af5610) at swfdec_pattern.c:218
#9  0x00007f5bcab015c7 in swfdec_pattern_paint (draw=0xfda7d0, cr=0x27fb000,
    trans=0x7fffd3af5610) at swfdec_pattern.c:51
#10 0x00007f5bcab0f5fd in swfdec_shape_render (graphic=<value optimized out>,
    cr=0x27fb000, trans=0x7fffd3af5610, inval=0x7fffd3af5640) at swfdec_shape.c:63
#11 0x00007f5bcaaf74b2 in swfdec_movie_render (movie=0x1a32e90, cr=0x27fb000,
    color_transform=0x7fffd3af57c0, inval=0x7fffd3af57f0) at swfdec_movie.c:926
#12 0x00007f5bcaaf92c5 in swfdec_movie_do_render (movie=<value optimized out>,
    cr=0x27fb000, ctrans=0x7fffd3af57c0, inval=0x7fffd3af57f0) at swfdec_movie.c:1343
#13 0x00007f5bcaaf74b2 in swfdec_movie_render (movie=0x1b940b0, cr=0x27fb000,
    color_transform=0x7fffd3af5970, inval=0x7fffd3af59a0) at swfdec_movie.c:926
#14 0x00007f5bcaaf92c5 in swfdec_movie_do_render (movie=<value optimized out>,
    cr=0x27fb000, ctrans=0x7fffd3af5970, inval=0x7fffd3af59a0) at swfdec_movie.c:1343
#15 0x00007f5bcaaf74b2 in swfdec_movie_render (movie=0x1a35c30, cr=0x27fb000,
    color_transform=0x7fffd3af5b20, inval=0x7fffd3af5b50) at swfdec_movie.c:926
#16 0x00007f5bcaaf92c5 in swfdec_movie_do_render (movie=<value optimized out>,
    cr=0x27fb000, ctrans=0x7fffd3af5b20, inval=0x7fffd3af5b50) at swfdec_movie.c:1343
#17 0x00007f5bcaaf74b2 in swfdec_movie_render (movie=0x1a34a40, cr=0x27fb000,
    color_transform=0x7fffd3af5cd0, inval=0x7fffd3af5d00) at swfdec_movie.c:926
#18 0x00007f5bcaaf92c5 in swfdec_movie_do_render (movie=<value optimized out>,
    cr=0x27fb000, ctrans=0x7fffd3af5cd0, inval=0x7fffd3af5d00) at swfdec_movie.c:1343
#19 0x00007f5bcaaf74b2 in swfdec_movie_render (movie=0xa7c330, cr=0x27fb000,
    color_transform=0x7f5bcab4e660, inval=0x7fffd3af5dd0) at swfdec_movie.c:926
#20 0x00007f5bcab02f0d in swfdec_player_render (player=0xa6a470, cr=0x27fb000, x=960,
    y=0, width=960, height=603) at swfdec_player.c:2576
#21 0x00007f5bcaf9d3f0 in swfmoz_player_render (player=0xa6a470, region=0x27f3640)
    at swfmoz_player.c:643
#22 0x00007f5bcaf9af94 in plugin_x11_handle_event (gdkxevent=0x7fffd3af6210,
    unused=<value optimized out>, playerp=0xa6a470) at plugin_x11.c:53
#23 0x0000003a13a5418b in gdk_event_apply_filters (xevent=Could not find the frame base for "gdk_event_apply_filters".
) at gdkevents-x11.c:345
#24 0x0000003a13a5527a in gdk_event_translate (display=Could not find the frame base for "gdk_event_translate".
) at gdkevents-x11.c:984
#25 0x0000003a13a57a16 in _gdk_events_queue (display=Could not find the frame base for "_gdk_events_queue".
) at gdkevents-x11.c:2285
#26 0x0000003a13a57bec in gdk_event_dispatch (source=Could not find the frame base for "gdk_event_dispatch".
) at gdkevents-x11.c:2345
#27 0x00007f5bcb1e840a in IA__g_main_context_dispatch (context=0x992110) at gmain.c:2009
#28 0x00007f5bcb1ebb10 in g_main_context_iterate (context=0x992110, block=1,
    dispatch=1, self=<value optimized out>) at gmain.c:2642
#29 0x00007f5bcb1ebfdd in IA__g_main_loop_run (loop=0x9925e0) at gmain.c:2850
#30 0x0000003a13384870 in IA__gtk_main () at gtkmain.c:1163
#31 0x00000000004082e5 in g_free () at gmem.c:187
#32 0x000000382741e40a in __libc_start_main (main=<value optimized out>,
    argc=<value optimized out>, ubp_av=<value optimized out>,
    init=<value optimized out>, fini=<value optimized out>,
    rtld_fini=<value optimized out>, stack_end=Could not find the frame base for "__libc_start_main".
) at libc-start.c:220
#33 0x0000000000402929 in g_free () at gmem.c:187
#34 0x00007fffd3af6658 in ?? ()
#35 0x000000000000001c in ?? ()
#36 0x0000000000000005 in ?? ()
#37 0x00007fffd3af86db in ?? ()
#38 0x0000000000000000 in ?? ()

Version-Release number of selected component (if applicable):

swfdec-mozilla-0.6.0-1.fc9
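
Added triage example (not part of the original report and not swfdec code): it parses gdb backtrace text like the one above, confirms the abort was raised by glibc's allocator self-check, and reports the first application frames below `__libc_free`. The function names `parse_frames` and `triage` and the two glibc frame-name sets are assumptions chosen for this illustration.

```python
import re

# Frames #0-#6 copied from the backtrace in this report (wrapped as gdb printed them).
SAMPLE_BACKTRACE = """\
#0  0x0000003827432ef5 in raise (sig=<value optimized out>)
    at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
#1  0x0000003827434a63 in abort () at abort.c:88
#2  0x0000003827473dd8 in __libc_message (do_abort=<value optimized out>,
    fmt=<value optimized out>) at ../sysdeps/unix/sysv/linux/libc_fatal.c:170
#3  0x0000003827479758 in malloc_printerr (action=<value optimized out>,
    str=<value optimized out>, ptr=<value optimized out>) at malloc.c:5949
#4  0x000000382747bd96 in __libc_free (mem=<value optimized out>) at malloc.c:3625
#5  0x00007f5bcaae14dc in swfdec_buffer_unref (buffer=0x27f3700) at
swfdec_buffer.c:291
#6  0x00007f5bcaaf10c5 in swfdec_image_lossless_load (image=0xe38300)
    at swfdec_image.c:413
"""

# Assumed skip lists: glibc frames that report the error vs. allocator entry points.
GLIBC_ABORT_PATH = {"raise", "abort", "__libc_message", "malloc_printerr"}
GLIBC_ALLOCATOR = {"__libc_free", "__libc_malloc", "__libc_realloc", "_int_free", "_int_malloc"}
FRAME_RE = re.compile(r"^#(\d+)\s+(?:0x[0-9a-f]+ in )?(\S+) \((.*?)\)\s+at\s+(\S+):(\d+)$", re.S)

def parse_frames(text):
    """Split gdb 'bt' output into frames, rejoining wrapped lines and dropping pager prompts."""
    frames = []
    for chunk in re.split(r"\n(?=#\d+\s)", text.strip()):
        chunk = " ".join(part.strip() for part in chunk.splitlines()
                         if not part.startswith("---Type <return>"))
        m = FRAME_RE.match(chunk)
        if m:  # frames without source info (e.g. "?? ()") are skipped
            frames.append({"n": int(m[1]), "func": m[2], "file": m[4], "line": int(m[5])})
    return frames

def triage(text):
    """Return the allocator frame that detected the problem and the first two application frames."""
    frames = parse_frames(text)
    idx = next((i for i, f in enumerate(frames) if f["func"] in GLIBC_ALLOCATOR), None)
    if idx is None:
        return None
    above = frames[:idx]
    if not above or any(f["func"] not in GLIBC_ABORT_PATH for f in above):
        return None  # the abort did not come from the allocator's own consistency check
    app = [f for f in frames[idx + 1:] if f["func"] not in GLIBC_ALLOCATOR]
    return {"detected_in": frames[idx]["func"], "app_frames": app[:2]}
```

The frame directly below the allocator is only where glibc noticed the inconsistency; the heap may have been damaged earlier, so the result is a starting point for a run under a memory checker rather than a root cause.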

Comment 1 Benjamin Otte 2008-04-10 20:47:50 UTC
This is fixed in upstream git (the segfault that is, no clue if this Flash works
now).

Comment 2 Brian Pepple 2008-04-10 23:04:40 UTC
Pulled Benjamin's patch from git, and tested it against this (since I don't have
a paid subscription): http://mlb.mlb.com/mlb/subscriptions/espn_premium.jsp

Comment 3 Bill Nottingham 2008-04-11 02:43:18 UTC
Yeah, it doesn't crash now, but it doesn't render correctly, either. Will open a
new bug.