635643 – SIGSEGV within ucil_theora_encode_thread()

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 635643 - SIGSEGV within ucil_theora_encode_thread()

Summary: SIGSEGV within ucil_theora_encode_thread()

Keywords:
Status:	CLOSED NOTABUG
Alias:	None
Product:	Red Hat Enterprise Linux 6
Classification:	Red Hat
Component:	unicap
Sub Component:
Version:	6.1
Hardware:	All
OS:	Linux
Priority:	low
Severity:	medium
Target Milestone:	rc
Target Release:	---
Assignee:	Kamil Dudka
QA Contact:	Desktop QE
Docs Contact:
URL:
Whiteboard:
Depends On:	595863
Blocks:
TreeView+	depends on / blocked

Reported:	2010-09-20 12:24 UTC by Kamil Dudka
Modified:	2011-06-28 12:29 UTC (History)
CC List:	3 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:	595863
Environment:
Last Closed:	2011-06-28 12:29:37 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Description Kamil Dudka 2010-09-20 12:24:39 UTC

+++ This bug was initially created as a clone of Bug #595863 +++

Description of problem:
Ucview segfaults once I press "record".

Version-Release number of selected component (if applicable):
ucview-0.31-1.fc12.i686

How reproducible:
Everytime, just pressing "record".

Actual results:
(gdb) bt full
#0  0x04a855d1 in memcpy () from /lib/libc.so.6
No symbol table info available.
#1  0x00c593e1 in oc_img_plane_copy_pad (_dst=<value optimized out>, _src=<value optimized out>, _pic_x=<value optimized out>, _pic_y=<value optimized out>, 
    _pic_width=<value optimized out>, _pic_height=<value optimized out>) at /usr/include/bits/string3.h:52
        dst_data = 0xb4c4b378 "'**('*(''''('&&$\036\035\036!(('(( \026\026\026\026\026\035#! \036\026\021\r\r\016\v\v\t\v\v\r\r\r\v\v\v\r\016\016\020\016\020\020\021\023\025\025\025\025\025\026\030\033\033\033\033\032\032\030\026\025\023\025\023\021\020\020\016\r\v\t\t\v\t\v\v\t\006\004\006\006\004\006\b\b\004\003\004\004\004\004\003\004\003\004\003\004\003\003\004\003\003\001\001\001\003\004\001\003"
        src = <value optimized out>
        sstride = -640
        x = <value optimized out>
        dst = <value optimized out>
        dstride = 137353384
        frame_width = <value optimized out>
        frame_height = 480
        y = <value optimized out>
#2  0x00c5b8c7 in th_encode_ycbcr_in (_enc=<value optimized out>, _img=<value optimized out>) at encode.c:1514
        img = {{width = 640, height = 480, stride = -640, data = 0x408b183 <Address 0x408b183 out of bounds>}, {width = 320, height = 240, stride = -320, 
            data = 0x409dec3 <Address 0x409dec3 out of bounds>}, {width = 320, height = 240, stride = -320, data = 0x40b0ac3 <Address 0x40b0ac3 out of bounds>}}
        cpic_width = 480
        cpic_height = <value optimized out>
        hdec = 1
        vdec = 1
        pli = <value optimized out>
        refi = <value optimized out>
        drop = <value optimized out>
#3  0x00c5873c in theora_encode_YUVin (_te=<value optimized out>, _yuv=<value optimized out>) at encapiwrapper.c:96
        api = 0x82ffa98
        buf = {{width = 640, height = 480, stride = 640, data = 0x4040403 <Address 0x4040403 out of bounds>}, {width = 320, height = 240, stride = 320, 
            data = 0x408b403 <Address 0x408b403 out of bounds>}, {width = 320, height = 240, stride = 320, data = 0x409e003 <Address 0x409e003 out of bounds>}}
        ret = <value optimized out>
#4  0x00db1580 in ucil_theora_encode_thread (vobj=0x8299760) at ucil_theora.c:725
        last_data_buffer = 0xb436e008
        streampos = 0.13595499999999999
        data_buffer = 0x83503a8
        og = {header = 0x7cf513 "\211\307e\213\r\004", header_len = 1, body = 0x1b118b "\201\303i\036\001", body_len = 1847284}
        yuv = {y_width = 640, y_height = 480, y_stride = 640, uv_width = 320, uv_height = 240, uv_stride = 320, y = 0x4040403 <Address 0x4040403 out of bounds>, 
          u = 0x408b403 <Address 0x408b403 out of bounds>, v = 0x409e003 <Address 0x409e003 out of bounds>}
        videopos = <value optimized out>
        audiopos = <value optimized out>
        gotpage = 0
        ds_y_buffer = 0x0
        ds_u_buffer = 0x0
        ds_v_buffer = 0x0
#5  0x001b1ab5 in start_thread () from /lib/libpthread.so.0
No symbol table info available.
#6  0x04ae7dae in clone () from /lib/libc.so.6
No symbol table info available.
(gdb) 

Expected results:
Working :)

--- Additional comment from kdudka on 2010-05-25 21:52:58 CEST ---

Please get the bt once again with the following scratch build:

http://koji.fedoraproject.org/koji/taskinfo?taskID=2209154

Thanks in advance!

--- Additional comment from redhat-bugzilla on 2010-05-25 22:05:55 CEST ---

(gdb) bt full
#0  0x010045b6 in memcpy () from /lib/libc.so.6
No symbol table info available.
#1  0xb3849378 in ?? ()
No symbol table info available.
#2  0x00c593e1 in oc_img_plane_copy_pad (_dst=<value optimized out>, _src=<value optimized out>, _pic_x=<value optimized out>, _pic_y=<value optimized out>, 
    _pic_width=<value optimized out>, _pic_height=<value optimized out>) at /usr/include/bits/string3.h:52
        dst_data = 0xb3849378 ""
        src = <value optimized out>
        sstride = -640
        x = <value optimized out>
        dst = <value optimized out>
        dstride = 131573075
        frame_width = <value optimized out>
        frame_height = 480
        y = <value optimized out>
#3  0x00c5b8c7 in th_encode_ycbcr_in (_enc=<value optimized out>, _img=<value optimized out>) at encode.c:1514
        img = {{width = 640, height = 480, stride = -640, data = 0x4ad80 <Address 0x4ad80 out of bounds>}, {width = 320, height = 240, stride = -320, 
            data = 0x5dac0 <Address 0x5dac0 out of bounds>}, {width = 320, height = 240, stride = -320, data = 0x706c0 <Address 0x706c0 out of bounds>}}
        cpic_width = 480
        cpic_height = <value optimized out>
        hdec = 1
        vdec = 1
        pli = <value optimized out>
        refi = <value optimized out>
        drop = <value optimized out>
#4  0x00c5873c in theora_encode_YUVin (_te=<value optimized out>, _yuv=<value optimized out>) at encapiwrapper.c:96
        api = 0x8303018
        buf = {{width = 640, height = 480, stride = 640, data = 0x0}, {width = 320, height = 240, stride = 320, data = 0x4b000 <Address 0x4b000 out of bounds>}, {
            width = 320, height = 240, stride = 320, data = 0x5dc00 <Address 0x5dc00 out of bounds>}}
        ret = <value optimized out>
#5  0x00121235 in ucil_theora_encode_thread (vobj=0x825fa98) at ucil_theora.c:725
        last_data_buffer = 0xb2f6c008
        streampos = 0.13198499999999999
        streamtime = {tv_sec = 0, tv_usec = 131985}
        data_buffer = 0x8353928
        og = {header = 0x676ff4 "\264n\001", header_len = 10489856, body = 0x10634c6 "\211\323=\001\360\377\377s\001\303\350\023\067\004", body_len = 6705680}
        yuv = {y_width = 640, y_height = 480, y_stride = 640, uv_width = 320, uv_height = 240, uv_stride = 320, y = 0x0, 
          u = 0x4b000 <Address 0x4b000 out of bounds>, v = 0x5dc00 <Address 0x5dc00 out of bounds>}
        videopos = 0.033333000000000002
        audiopos = 0.15385487528344674
        gotpage = 0
        ds_y_buffer = 0x0
        ds_u_buffer = 0x0
        ds_v_buffer = 0x0
#6  0x00665ab5 in start_thread () from /lib/libpthread.so.0
No symbol table info available.
#7  0x01066dae in clone () from /lib/libc.so.6
No symbol table info available.
(gdb)

--- Additional comment from kdudka on 2010-05-25 22:24:06 CEST ---

I found following in <theora/theora.h>:

/**
 * Submit a YUV buffer to the theora encoder.
 * \param t A theora_state handle previously initialized for encoding.
 * \param yuv A buffer of YUV data to encode.  Note that both the yuv_buffer
 *            struct and the luma/chroma buffers within should be allocated by
 *            the user.
 * \retval OC_EINVAL Encoder is not ready, or is finished.
 * \retval -1 The size of the given frame differs from those previously input
 * \retval 0 Success
 */
extern int theora_encode_YUVin(theora_state *t, yuv_buffer *yuv);

> #4  0x00c5873c in theora_encode_YUVin (_te=<value optimized out>, _yuv=<value
> optimized out>) at encapiwrapper.c:96

...

>         yuv = {y_width = 640, y_height = 480, y_stride = 640, uv_width = 320,
> uv_height = 240, uv_stride = 320, y = 0x0, 
>           u = 0x4b000 <Address 0x4b000 out of bounds>, v = 0x5dc00 <Address
> 0x5dc00 out of bounds>}

However the buffers within 'yuv' do not seem to be properly allocated.

--- Additional comment from redhat-bugzilla on 2010-05-28 04:07:32 CEST ---

Okay, that means?

--- Additional comment from kdudka on 2010-06-01 16:43:56 CEST ---

Created attachment 418665 [details]
this should fix the reported SIGSEGV

--- Additional comment from redhat-bugzilla on 2010-06-02 00:09:30 CEST ---

*** Bug 570439 has been marked as a duplicate of this bug. ***

--- Additional comment from kdudka on 2010-06-02 12:01:45 CEST ---

Patch proposed upstream:

https://bugs.launchpad.net/unicap/+bug/588662

--- Additional comment from updates on 2010-06-02 18:06:26 CEST ---

libucil-0.9.8-2.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/libucil-0.9.8-2.fc12

--- Additional comment from updates on 2010-06-02 18:06:50 CEST ---

libucil-0.9.8-2.fc13 has been submitted as an update for Fedora 13.
http://admin.fedoraproject.org/updates/libucil-0.9.8-2.fc13

--- Additional comment from updates on 2010-06-03 20:07:52 CEST ---

libucil-0.9.8-2.fc13 has been pushed to the Fedora 13 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update libucil'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/libucil-0.9.8-2.fc13

--- Additional comment from updates on 2010-06-03 20:14:28 CEST ---

libucil-0.9.8-2.fc12 has been pushed to the Fedora 12 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update libucil'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/libucil-0.9.8-2.fc12

--- Additional comment from updates on 2010-06-21 23:37:15 CEST ---

libucil-0.9.8-2.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.

--- Additional comment from updates on 2010-06-21 23:43:51 CEST ---

libucil-0.9.8-2.fc13 has been pushed to the Fedora 13 stable repository.  If problems still persist, please make note of it in this bug report.

--- Additional comment from kdudka on 2010-09-20 14:17:37 CEST ---

follow-up: bug 627161

Comment 2 Suzanne Logcher 2011-02-15 21:42:53 UTC

This issue was proposed for RHEL 6.1 FasTrack but did not get resolved in time.
It has been moved to RHEL 6.2 FasTrack.

Comment 6 Kamil Dudka 2011-06-28 12:29:37 UTC

This family of bugs was introduced in libucil-0.9.8.  It does not affect RHEL-6 unicap.  Although the package contains the same error-prone code we were patching in Fedora/upstream, the old version of libucil/ucil_theora.h causes the code to work crashlessly.

Note You need to log in before you can comment on or make changes to this bug.