[vlc-devel] memory corruption / vlc in valgrind

Jean-Paul Saman jean-paul.saman at planet.nl
Sun Nov 11 15:26:42 CET 2007


Gilles Sabourin wrote:
> Hello JP,
> 
> Anything new? I have seen in vlc/timeline that you have enhanced the subtitle 
> codec.
> 
> I discovered a filtering config file "valgrind.suppressions" in vlc/extras for 
> valgrind, and then I have modified the valgrind launch as below:
> valgrind --tool=memcheck --leak-check=yes --trace-children=yes --suppressions=vlc-beta-0.9.0/extras/valgrind.suppressions --log-file=log /usr/bin/vlc
> 
> I have attached the log file.

It looks like a 32-bit vs 64-bit problem in RenderText 
(modules/misc/freetype.c), which corrupts the heap inside libfribidi.so. 
The code is doing pointer arithmetic with 32-bit assumptions in a while loop.

Could you try the attached patch (patch -p0 < freetype-lib64-crash.patch) 
and see if it makes *any* difference.

> ------------------------------------------------------------------------
-- snip, snip --
> ==17506== 
> ==17506== Thread 16:
> ==17506== Invalid read of size 8
> ==17506==    at 0x834C878: (within /usr/lib64/libfribidi.so.0.0.0)
> ==17506==    by 0x834D1EE: fribidi_log2vis (in /usr/lib64/libfribidi.so.0.0.0)
> ==17506==    by 0x142AD12E: RenderText (freetype.c:1161)
> ==17506==    by 0x4EADA39: spu_RenderSubpictures (vout_subpictures.c:787)
> ==17506==    by 0x4EA9951: vout_RenderPicture (vout_pictures.c:320)
> ==17506==    by 0x4EA788C: RunThread (video_output.c:1064)
> ==17506==    by 0x578F09D: start_thread (in /lib64/libpthread-2.5.so)
> ==17506==    by 0x5C6968C: clone (in /lib64/libc-2.5.so)
> ==17506==  Address 0x14FD31D0 is 24 bytes inside a block of size 28 alloc'd
> ==17506==    at 0x4C22AC6: malloc (in /usr/lib64/valgrind/amd64-linux/vgpreload_memcheck.so)
> ==17506==    by 0x142ACE63: RenderText (freetype.c:1088)
> ==17506==    by 0x4EADA39: spu_RenderSubpictures (vout_subpictures.c:787)
> ==17506==    by 0x4EA9951: vout_RenderPicture (vout_pictures.c:320)
> ==17506==    by 0x4EA788C: RunThread (video_output.c:1064)
> ==17506==    by 0x578F09D: start_thread (in /lib64/libpthread-2.5.so)
> ==17506==    by 0x5C6968C: clone (in /lib64/libc-2.5.so)
-- snip, snip --
> ==17506== Invalid write of size 8
> ==17506==    at 0x834D254: fribidi_log2vis (in /usr/lib64/libfribidi.so.0.0.0)
> ==17506==    by 0x142AD12E: RenderText (freetype.c:1161)
> ==17506==    by 0x4EADA39: spu_RenderSubpictures (vout_subpictures.c:787)
> ==17506==    by 0x4EA9951: vout_RenderPicture (vout_pictures.c:320)
> ==17506==    by 0x4EA788C: RunThread (video_output.c:1064)
> ==17506==    by 0x578F09D: start_thread (in /lib64/libpthread-2.5.so)
> ==17506==    by 0x5C6968C: clone (in /lib64/libc-2.5.so)
> ==17506==  Address 0x14F028D0 is not stack'd, malloc'd or (recently) free'd
> ==17506== 
-- snip, snip --
> ==17506== Thread 16:
> ==17506== Conditional jump or move depends on uninitialised value(s)
> ==17506==    at 0x834D99C: fribidi_get_type_internal (in /usr/lib64/libfribidi.so.0.0.0)
> ==17506==    by 0x834C880: (within /usr/lib64/libfribidi.so.0.0.0)
> ==17506==    by 0x834D1EE: fribidi_log2vis (in /usr/lib64/libfribidi.so.0.0.0)
> ==17506==    by 0x142AD12E: RenderText (freetype.c:1161)
> ==17506==    by 0x4EADA39: spu_RenderSubpictures (vout_subpictures.c:787)
> ==17506==    by 0x4EA9951: vout_RenderPicture (vout_pictures.c:320)
> ==17506==    by 0x4EA788C: RunThread (video_output.c:1064)
> ==17506==    by 0x578F09D: start_thread (in /lib64/libpthread-2.5.so)
> ==17506==    by 0x5C6968C: clone (in /lib64/libc-2.5.so)
> ==17506== 
> ==17506== Conditional jump or move depends on uninitialised value(s)
> ==17506==    at 0x834D99C: fribidi_get_type_internal (in /usr/lib64/libfribidi.so.0.0.0)
> ==17506==    by 0x834D00D: (within /usr/lib64/libfribidi.so.0.0.0)
> ==17506==    by 0x834D1EE: fribidi_log2vis (in /usr/lib64/libfribidi.so.0.0.0)
> ==17506==    by 0x142AD12E: RenderText (freetype.c:1161)
> ==17506==    by 0x4EADA39: spu_RenderSubpictures (vout_subpictures.c:787)
> ==17506==    by 0x4EA9951: vout_RenderPicture (vout_pictures.c:320)
> ==17506==    by 0x4EA788C: RunThread (video_output.c:1064)
> ==17506==    by 0x578F09D: start_thread (in /lib64/libpthread-2.5.so)
> ==17506==    by 0x5C6968C: clone (in /lib64/libc-2.5.so)
> 
> valgrind: m_mallocfree.c:194 (get_bszB_as_is): Assertion 'bszB_lo == bszB_hi' failed.
> valgrind: Heap block lo/hi size mismatch: lo = 104, hi = 0.
> Probably caused by overrunning/underrunning a heap block's bounds.
> 
> ==17506==    at 0x38017803: (within /usr/lib64/valgrind/amd64-linux/memcheck)
> ==17506==    by 0x38017B66: (within /usr/lib64/valgrind/amd64-linux/memcheck)
> ==17506==    by 0x38020484: (within /usr/lib64/valgrind/amd64-linux/memcheck)
> ==17506==    by 0x380358D0: (within /usr/lib64/valgrind/amd64-linux/memcheck)
> ==17506==    by 0x38001819: (within /usr/lib64/valgrind/amd64-linux/memcheck)
> ==17506==    by 0x38035F77: (within /usr/lib64/valgrind/amd64-linux/memcheck)
> ==17506==    by 0x38037662: (within /usr/lib64/valgrind/amd64-linux/memcheck)
> ==17506==    by 0x38052FC9: (within /usr/lib64/valgrind/amd64-linux/memcheck)
> ==17506==    by 0x380531AB: (within /usr/lib64/valgrind/amd64-linux/memcheck)
> ==17506==    by 0x380550BD: (within /usr/lib64/valgrind/amd64-linux/memcheck)
> ==17506==    by 0x7: ???


Gtz,
Jean-Paul Saman
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freetype-lib64-crash.patch
Type: text/x-patch
Size: 2290 bytes
Desc: not available
URL: <http://mailman.videolan.org/pipermail/vlc-devel/attachments/20071111/2c765a5f/attachment.bin>
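A small triage helper for the kind of memcheck report quoted above, added here as an example (it is not code from the thread or from VLC): it pairs each invalid access with its allocation site, works out how far past the block the access reaches (24 + 8 - 28 = 4 bytes for the quoted read), and flags the pattern of an 8-byte access overrunning a block sized in 4-byte units, which is the LP64 width-mismatch smell the reply diagnoses. The sample log is a constructed, trimmed copy of the quoted report.

```python
import re

# Constructed sample: a trimmed copy of the memcheck report quoted in the thread.
SAMPLE_LOG = """\
==17506== Invalid read of size 8
==17506==    by 0x834D1EE: fribidi_log2vis (in /usr/lib64/libfribidi.so.0.0.0)
==17506==    by 0x142AD12E: RenderText (freetype.c:1161)
==17506==  Address 0x14FD31D0 is 24 bytes inside a block of size 28 alloc'd
==17506==    at 0x4C22AC6: malloc (in /usr/lib64/valgrind/amd64-linux/vgpreload_memcheck.so)
==17506==    by 0x142ACE63: RenderText (freetype.c:1088)
==17506== Invalid write of size 8
==17506==    at 0x834D254: fribidi_log2vis (in /usr/lib64/libfribidi.so.0.0.0)
==17506==    by 0x142AD12E: RenderText (freetype.c:1161)
==17506==  Address 0x14F028D0 is not stack'd, malloc'd or (recently) free'd
"""
ACCESS_RE = re.compile(r"^==\d+== Invalid (read|write) of size (\d+)$")
BLOCK_RE = re.compile(r"^==\d+==\s+Address 0x[0-9A-Fa-f]+ is (\d+) bytes inside a block of size (\d+)")
FRAME_RE = re.compile(r"^==\d+==\s+(?:at|by) 0x[0-9A-Fa-f]+: (\w+) \((\w+\.c:\d+)\)")

def first_source_frame(frames):
    """Innermost frame with file:line info, i.e. the first frame in the project's own code."""
    hits = (f"{m.group(1)} ({m.group(2)})" for m in map(FRAME_RE.match, frames) if m)
    return next(hits, None)

def triage(log):
    """Split memcheck output into invalid-access reports and size each overrun."""
    reports, current, target = [], None, []
    for line in log.splitlines():
        m = ACCESS_RE.match(line)
        if m:
            current = {"kind": m.group(1), "size": int(m.group(2)), "block": None,
                       "overrun": None, "access_frames": [], "alloc_frames": []}
            reports.append(current)
            target = current["access_frames"]
            continue
        m = BLOCK_RE.match(line)
        if m and current is not None:
            offset, current["block"] = int(m.group(1)), int(m.group(2))
            # bytes by which the access extends past the end of the allocated block
            current["overrun"] = max(0, offset + current["size"] - current["block"])
            target = current["alloc_frames"]
            continue
        target.append(line)
    for r in reports:
        r["access"] = first_source_frame(r["access_frames"])
        r["alloc"] = first_source_frame(r["alloc_frames"])
        # Heuristic: an 8-byte access overrunning a block sized in 4-byte units (LP64 smell)
        r["width_mismatch"] = bool(r["overrun"]) and r["size"] == 8 and r["block"] % 8 == 4
    return reports
```

Wild writes such as the second report carry no block information, so `overrun` stays `None` and only the access site is attributed; those are usually consequences of the first overrun rather than independent bugs.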

