vlc crashed with SIGSEGV in dvdnav_describe_title_chapters()

StacktraceTop:
 dvdnav_describe_title_chapters (this=0x7fb944001360, title=title@entry=1, times=times@entry=0x7fb9704e2fd8, duration=duration@entry=0x7fb9704e2fd0) at searching.c:653
 DemuxTitles (p_demux=0x7fb9440010d8) at dvdnav.c:1011
 Open (p_this=0x7fb9440010d8) at dvdnav.c:326
 vlc_module_load (p_this=p_this@entry=0x7fb9440010d8, psz_capability=psz_capability@entry=0x7fb97e222852 "access_demux", psz_name=<optimized out>, b_strict=b_strict@entry=true, probe=probe@entry=0x7fb97e1e8cc0 <generic_start>) at modules/modules.c:347
 module_need (obj=obj@entry=0x7fb9440010d8, cap=cap@entry=0x7fb97e222852 "access_demux", name=<optimized out>, strict=strict@entry=true) at modules/modules.c:437

Rémi, thanks. I tried to file this under libdvdnav, but I guess it didn't work. Hm.

Status changed to 'Confirmed' because the bug affects multiple users.

This isn't the same as bug 934471, although the stacktraces are deceptively similar. However, it seems to be crashing on a different line, and for a different reason.

#0 0x00007fb974591b16 in dvdnav_describe_title_chapters (this=0x7fb944001360, title=title@entry=1, times=times@entry=0x7fb9704e2fd8, duration=duration@entry=0x7fb9704e2fd0) at searching.c:653
        retval = 0
        parts = 29
        pgc = 0x25
        tmp = 0x7fb9440554a0

The code is:

    pgc = ifo->vts_pgcit->pgci_srp[ptt[i].pgcn-1].pgc; // = 0x25
    if (pgc == NULL) {
      printerr("PGC missing.");
      continue;
    }
    if(ptt[i].pgn > pgc->nr_of_programs) { // 653: Crash!

So, it looks to me like this is an invalid pointer situation. Question is how did it get set to 0x25 (37) in the first place?

(Oh, and looks like the apport hook has a bug in it too; that should be fixed as well...)

Upstream is affected, too. The patch from [1] does not fix my bug. The .IFO and . BUP files of the causing video DVD are the same.

Please let me know how to collect all needed data to fix this bug or when I should test a patch.

[1] http://lists.mplayerhq.hu/pipermail/dvdnav-discuss/2013-March/001896.html

(apport hook issue looks to be fixed @ http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=702942, included in 2.0.5-2)

@bdrung,

Well, the stacktrace for this bug is only hinting at the problem, but I don't think other logs would explain what happened. It seems a pointer is getting set to an invalid value somewhere else in the program prior to the crash, but not clear how, when, or why.

So I think the next step for this is to gather more data as to how this pointer is being changed through the life of the program. Attached is a debugging patch to print out some additional debugging info. Apply this patch to your build, repro the bug, collect the debug log leading up to the crash, and post that back here (or email it to me directly if it includes any private information). Make sure to doublecheck that you're getting the same crash (faulting in dvdnav_describe_title_chapters()).

The value 0x25 seems intriguing to me; in decimal that's number 37, which seems like it could be the number of something. You might look and see if there's any 37's in the log output, or check if there are 37 chapters or something. Or, could be a red herring. Maybe also repro the crash three or four times and see if pgc is always 0x25 or if it varies from crash to crash.

I'd also of course be interested in knowing what DVD causes this fault, and/or steps to reproduce the problem. I might be better able to figure this out if I can reproduce the fault locally.

The pointers vary from run to run. The .pgcN value stays constant:

lp1094499: set_FP_PGC(vm=0x7f9584001d30)
lp1094499: .pgc=0x7f9584006a90
lp1094499: .pgcN=1024)
lp1094499: set_PGCN(vm=0x7f9584001d30, pgcN=6)
lp1094499: pgcit=0x7f9584001f70
lp1094499: .pgc=0x7f9584007680
lp1094499: .pgcN=6

lp1094499: set_FP_PGC(vm=0x7f5cc4001d30)
lp1094499: .pgc=0x7f5cc4008690
lp1094499: .pgcN=1024)
lp1094499: set_PGCN(vm=0x7f5cc4001d30, pgcN=6)
lp1094499: pgcit=0x7f5cc40088c0
lp1094499: .pgc=0x7f5cc4009360
lp1094499: .pgcN=6

I can constantly reproduce this crash with the "Inside Man" DVD. VLC crashes when opening the DVD. I have attached a tarball with two ifo files from the DVD that can be used to reproduce this crash.

Here is the forgotten tarball.

Thanks. This works to reproduce the crash.

#0 0x00007fffe8b1a98a in dvdnav_describe_title_chapters (this=0x7fffd0001380, title=<optimized out>,
    times=0x7fffe903d098, duration=0x7fffe903d090) at searching.c:644
        cellnr = <optimized out>
        endcellnr = <optimized out>
        retval = 0
        parts = <optimized out>
        i = <optimized out>
        ptitle = <optimized out>
        ptt = <optimized out>
        ifo = <optimized out>
        pgc = <optimized out>
        cell = <optimized out>
        length = <optimized out>
        tmp = 0x7fffd005be90

In playing with the IFO bdrung provided I found that the crash was caused by an out of bounds array access. The value was up in the 32,000's. I haven't sorted out why it's so high for this IFO, but am guessing it's either undefined data or bad pointer math. Potentially the bug is in libdvdread rather than in libdvdnav, but I only see the bad value in dvdnav code.

Anyway, I stuck in a test to verify the value is in the 0 to 1000 range and skip processing if it isn't. That definitely prevented vlc from crashing. However since there was only the IFO provided, I can't tell if this resulted in a playable movie.

I've stuck my debug packages for dvdnav and dvdread (which spit out a lot of values) into the following PPA. bdrung, why don't you give this a try with the full DVD copy.

https://launchpad.net/~bryce/+archive/lp1094499

I tried to play the full DVD with the patched libdvdnav from your PPA. It plays without problems (no crash any more). Attached the terminal output from VLC.

PS: I don't need binary packages. I happily take patches and build the package on my own.

Excellent. Looks like you're getting pgcn in the same range as me:

i: 1
ifo: 0x7f3a00049640
ifo->vts_pgcit: 0x7f3a0000c670
ifo->vts_pgcit->pgci_srp: 0x7f3a00049840
*(ifo->vts_pgcit->pgci_srp): 129
ifo->vts_pgcit->last_byte: 1431
ptt[1].pgcn: 32570
PGCN out of bounds

That last message indicates the workaround was invoked. Since that "fixed" the problem I'll go ahead and cleanup and submit that as a solution for now. Later, maybe someone can figure out why the numbers are so out of range here.

This is the cleaned up patch without all the debug chatter.

I've sent the patch upstream for review and uploaded it to saucy.

Can you list any other DVDs which you find are fixed with this patch? My "Inside Man" dvd didn't have this issue and I haven't run into it with other DVDs.

I reproduced the issue on precise, so am adding a task to SRU the fix there. If you think the fix should also go to quantal and raring, feel free to add those tasks too.

This bug was fixed in the package libdvdnav - 4.2.0+20130225-1ubuntu1

---------------
libdvdnav (4.2.0+20130225-1ubuntu1) saucy; urgency=low

  * Add 100_pgcn_bounds.patch: Check for out-of-bounds values for pgcn.
    Fixes a crash in dvdnav_describe_title_chapters() with vlc, lsdvd, and
    other video players. This occurs with the "Inside Man" DVD.
    (LP: #1094499)
 -- Bryce Harrington <email address hidden> Mon, 06 May 2013 12:19:32 -0700

"Inside Man" (the German version) is the only DVD that triggers this bug for me.

The SRU process requires us to publish the fix in quantal and raring, too. When doing the SRU, we (I) should include more fixes for precise and quantal: The three commits from 2012-08-30 [1]. That's what the VLC developers ask for.

[1] https://github.com/microe/libdvdnav/commits/master

Sounds good. I'll let you drive the SRU's. I agree those three fixes would be worth inclusion.

Status changed to 'Confirmed' because the bug affects multiple users.

Thank you, all, for figuring out much more than I did.

Thanks for uploading the fix for this bug report to -proposed. However, when reviewing the package in -proposed and the details of this bug report I noticed that the bug description is missing information required for the SRU process. You can find full details at http://wiki.ubuntu.com/StableReleaseUpdates#Procedure but essentially this bug is missing some of the following: a statement of impact, a test case and details regarding the regression potential. Thanks in advance!

Hello Edward, or anyone else affected,

Accepted libdvdnav into raring-proposed. The package will build now and be available at http://launchpad.net/ubuntu/+source/libdvdnav/4.2.0+20130225-1ubuntu0.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Hello Edward, or anyone else affected,

Accepted libdvdnav into quantal-proposed. The package will build now and be available at http://launchpad.net/ubuntu/+source/libdvdnav/4.2.0+20120524-2ubuntu0.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Hello Edward, or anyone else affected,

Accepted libdvdnav into precise-proposed. The package will build now and be available at http://launchpad.net/ubuntu/+source/libdvdnav/4.2.0-1ubuntu0.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

I have verified that "Inside Man" is correctly played on raring whit the libdvdnav update and I have verified that the test case runs without crashing on precise and quantal.

This bug was fixed in the package libdvdnav - 4.2.0+20120524-2ubuntu0.1

---------------
libdvdnav (4.2.0+20120524-2ubuntu0.1) quantal-proposed; urgency=low

  * debian/patches/03-Make-sure-pgc-is-valid.patch,
    debian/patches/04-Ignore-parts-where-the-pgc-start-byte-is-wrong.patch,
    debian/patches/05-Skip-PGCs-w-a-cell-number-of-0.patch: Validate PGC values
    before accessing them to avoid causing a crash.
  * debian/patches/06-pgcn-bounds.patch: Check for out-of-bounds values for
    pgcn. Fixes a crash in dvdnav_describe_title_chapters() with vlc, lsdvd, and
    other video players. This occurs with the "Inside Man" DVD. Thanks to Bryce
    Harrington <email address hidden>. (LP: #1094499)
 -- Benjamin Drung <email address hidden> Sat, 20 Jul 2013 00:37:27 +0200

The verification of this Stable Release Update has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regresssions.

This bug was fixed in the package libdvdnav - 4.2.0+20130225-1ubuntu0.1

---------------
libdvdnav (4.2.0+20130225-1ubuntu0.1) raring-proposed; urgency=low

  * debian/patches/0003-pgcn-bounds.patch: Check for out-of-bounds values for
    pgcn. Fixes a crash in dvdnav_describe_title_chapters() with vlc, lsdvd, and
    other video players. This occurs with the "Inside Man" DVD. Thanks to Bryce
    Harrington <email address hidden>. (LP: #1094499)
 -- Benjamin Drung <email address hidden> Sat, 20 Jul 2013 00:26:42 +0200

From dpkg.log on Precise: 2013-11-12 19:24:35 status installed libdvdnav4 4.2.0-1ubuntu0.1. Ran the command
"vlc -d OZ_THE_GREAT_AND_POWERFUL.iso" and got the following:

$ VLC media player 2.0.8 Twoflower (revision 2.0.8a-0-g68cf50b)
[0xa001908] main libvlc: Running vlc with the default interface. Use 'cvlc' to use vlc without interface.
libdvdnav: Using dvdnav version 4.2.0
libdvdread: Using libdvdcss version 1.2.10 for DVD access
libdvdnav: DVD Title: OZ_THE_GREAT_AND_POWERFUL
libdvdnav: DVD Serial Number: 42968718
libdvdnav: DVD Title (Alternative): OZ_THE_GREAT_AND_POWERFUL
libdvdnav: Unable to find map file '/home/crlb/.dvdnav/OZ_THE_GREAT_AND_POWERFUL.map'
libdvdnav: DVD disk reports itself with Region mask 0x00ed0000. Regions: 2 5

libdvdread: Attempting to retrieve all CSS keys
libdvdread: This can take a _long_ time, please be patient

libdvdread: Get key for /VIDEO_TS/VIDEO_TS.VOB at 0x000001fd
libdvdread: Elapsed time 0
libdvdread: Get key for /VIDEO_TS/VTS_01_1.VOB at 0x000004fa
libdvdread: Elapsed time 0
libdvdread: Get key for /VIDEO_TS/VTS_02_1.VOB at 0x00000518
libdvdread: Elapsed time 0
libdvdread: Get key for /VIDEO_TS/VTS_03_1.VOB at 0x00000567
libdvdread: Elapsed time 0
libdvdread: Get key for /VIDEO_TS/VTS_04_0.VOB at 0x00000656
libdvdread: Elapsed time 0
libdvdread: Get key for /VIDEO_TS/VTS_04_1.VOB at 0x0000110a
libdvdread: Elapsed time 0
libdvdread: Get key for /VIDEO_TS/VTS_05_1.VOB at 0x00001efa
libdvdread: Elapsed time 0
libdvdread: Get key for /VIDEO_TS/VTS_06_1.VOB at 0x000030bc
libdvdread: Elapsed time 0
libdvdread: Get key for /VIDEO_TS/VTS_07_0.VOB at 0x00049ddc
libdvdread: Elapsed time 0
libdvdread: Get key for /VIDEO_TS/VTS_07_1.VOB at 0x00060dcc
libdvdread: Elapsed time 0
libdvdread: Get key for /VIDEO_TS/VTS_08_1.VOB at 0x0006100a
libdvdread: Elapsed time 0
libdvdread: Get key for /VIDEO_TS/VTS_09_1.VOB at 0x0006100a
libdvdread: Elapsed time 0
libdvdread: Get key for /VIDEO_TS/VTS_10_1.VOB at 0x0006100a
libdvdread: Elapsed time 0
libdvdread: Get key for /VIDEO_TS/VTS_11_1.VOB at 0x0006100a
libdvdread: Elapsed time 0
libdvdread: Get key for /VIDEO_TS/VTS_12_1.VOB at 0x0006100a
libdvdread: Elapsed time 0
libdvdread: Get key for /VIDEO_TS/VTS_13_1.VOB at 0x0006100a
libdvdread: Elapsed time 0
libdvdread: Get key for /VIDEO_TS/VTS_14_1.VOB at 0x0006100a
libdvdread: Elapsed time 0
libdvdread: Get key for /VIDEO_TS/VTS_15_1.VOB at 0x0006100a
libdvdread: Elapsed time 0
libdvdread: Get key for /VIDEO_TS/VTS_16_1.VOB at 0x0006100a
libdvdread: Elapsed time 0
libdvdread: Get key for /VIDEO_TS/VTS_17_1.VOB at 0x0006100a
libdvdread: Elapsed time 0
libdvdread: Get key for /VIDEO_TS/VTS_18_1.VOB at 0x0006100a
libdvdread: Elapsed time 0
libdvdread: Get key for /VIDEO_TS/VTS_19_1.VOB at 0x0036adfa
libdvdread: Elapsed time 0
libdvdread: Get key for /VIDEO_TS/VTS_20_1.VOB at 0x0036b012
libdvdread: Elapsed time 0
libdvdread: Get key for /VIDEO_TS/VTS_21_1.VOB at 0x00381a75
libdvdread: Elapsed time 0
libdvdread: Found 21 VTS's
libdvdread: Elapsed time 0
libdvdnav: decoder.c: [WARNING, unknown bits: 1000000000080000]
libdvdnav: decoder.c: [WARNING, unknown bits: 1000000000000000]

*** libdvdread: CHECK_VALUE failed in /build/bu...

Colin, mind opening a new bug for that dvd issue? That looks like a crash due to a bad pgc->cell_playback_offset value, which is different from this bug. This one is already closed and considered fixed, so no further work is going to be done on it.

I seem to recall having a similar issue with that disk, but didn't investigate it at the time. You might want to test the upstream libdvdnav/libdvdread, as a lot of fixes have gone into those lately, so there might already be a patch available. If so, and especially if you can help identify which patch is needed, that could help accelerate getting that fix into precise.

This bug was fixed in the package libdvdnav - 4.2.0-1ubuntu0.1

---------------
libdvdnav (4.2.0-1ubuntu0.1) precise-proposed; urgency=low

  * debian/patches/03-check-cellnr.patch: Check for new row being 0. Fixes
    issue where VLC (and Totem) crashes in dvdnav_describe_title_chapters().
    Thanks to Bryce Harrington <email address hidden>. (LP: #934471)
  * debian/patches/04-Make-sure-pgc-is-valid.patch,
    debian/patches/05-Ignore-parts-where-the-pgc-start-byte-is-wrong.patch,
    debian/patches/06-Skip-PGCs-w-a-cell-number-of-0.patch: Validate PGC values
    before accessing them to avoid causing a crash.
  * debian/patches/07-pgcn-bounds.patch: Check for out-of-bounds values for
    pgcn. Fixes a crash in dvdnav_describe_title_chapters() with vlc, lsdvd, and
    other video players. This occurs with the "Inside Man" DVD. Thanks to Bryce
    Harrington <email address hidden>. (LP: #1094499)
 -- Benjamin Drung <email address hidden> Sat, 20 Jul 2013 00:46:43 +0200

Using libdvdnav 4.2.0-1ubuntu0.1 and vlc 2.0.8-0ubuntu0.12.04.1, I still get this crash with DVD "Shadow Recruit" (at dvdnav_describe_title_chapters(), stack trace says it is under package vlc-nox 2.0.8-0ubuntu0.12.04.1). Also happened with "Madagascar" and several others, although the package may have been updated since then.

BUT, the same crash occurs in VLC 2.0.5 running on Windows XP on a totally different machine. I can't verify the stack trace under Windows, but VLC behaves exactly the same way -- closes itself a few seconds after attempting to open the DVD.

I don't think it's a region issue, both DVD players should be the same region as the DVDs I am playing.

Each time, the DVD works fine under Media Player Classic (for Windows).

It didn't occur to me until recently to try it on Windows. So out of all the problematic DVDs, I've only tried 3 on Windows as well. However, all of those had the same issue under Windows.

Today I updated VLC on Windows to 2.1.3 and the Shadow Recruit DVD no longer crashed.

I hope this may be useful to someone.