Bug#821321: libvorbisfile: ov_pcm_seek wrongly returns OV_EOF or segfaults sometimes

Frank Heckenbach f.heckenbach at fh-soft.de
Sun Apr 17 16:56:40 UTC 2016 

Package: libvorbisfile3
Version: 1.3.4-2
Severity: important

ov_pcm_seek wrongly returns OV_EOF or segfaults sometimes. I've
observed it in some situations, below is a very simple one to
reproduce. It's an important problem to me, because (unless fixed or
you can tell me exactly when seeking will work), I'd have to treat
all Ogg/Vorbis files as unseekable in my code, which would be a huge
performance penalty (decoding sequentially and buffering all in
memory).

% cat test.c
#include <stdio.h>
#include <vorbis/vorbisfile.h>

int main ()
{
  OggVorbis_File vf;
  fprintf (stderr, "%i\n", ov_fopen ("foo.ogg", &vf));
  fprintf (stderr, "%i\n", ov_pcm_seek (&vf, 0));
  fprintf (stderr, "%i\n", ov_pcm_seek (&vf, 0));
  return 0;
}
% head -c 100000 /dev/zero|oggenc -Q -r - -o foo.ogg&& gcc -g test.c -lvorbisfile && ./a.out

On i386:
0
0
-2

On amd64:
0
0
Segmentation fault

I tried to debug it and found: The 2nd time ov_pcm_seek_is_called
(from the 2nd ov_pcm_seek call), at line 1461

      if(bisect!=vf->offset){
        result=_seek_helper(vf,bisect);
        if(result) goto seek_error;
      }

begin == 3997 and vf->offset == 3997, so the call to _seek_helper is
skipped. However, ftell((FILE*)vf->datasource) == 4076, so it goes
on with a wrong file position, so _get_next_page fails and og
remains unintialized and ogg_page_serialno(&og) (line 1554) results
in UB.

I don't really understand the code: Telling from this line,
vf->offset should reflect the actual position of the data source.
But if so, I'd expect it to be adjusted after each successfull call
of seek_func (that's correctly done) and read_func. read_func is
only called from _get_data, but it doesn't adjust vf->offset.
Instead it puts the data into an internal buffer AFAIUI, so the
users of the data from the buffer are probably responsible for
adjusting vf->offset, but apparently something goes wrong there.

If I just set vf->offset to 4076 before line 1461 (2nd time), it
continues correctly. That's of course, not a fix, just an indication
that the wrong value of vf->offset is the real problem here.

Maybe vf->offset just needs to be revalidated before line 1461, but
it's used in many places, and I don't know how many of them might be
affected too.

-- System Information:
Debian Release: 8.4
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'proposed-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/8 CPU cores)
Locale: LANG=de_DE, LC_CTYPE=de_DE (charmap=ISO-8859-1)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages libvorbisfile3:amd64 depends on:
ii  libc6              2.19-18+deb8u4
ii  libogg0            1.3.2-1
ii  libvorbis0a        1.3.4-2
ii  multiarch-support  2.19-18+deb8u4

libvorbisfile3:amd64 recommends no packages.

libvorbisfile3:amd64 suggests no packages.

-- no debconf information

More information about the pkg-xiph-maint mailing list