Ubuntu
libhybris package

[mako] out of index crash when handling media_codec output buffers list

Bug #1234007 reported by Ricardo Salveti
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
gst-plugins-bad1.0 (Ubuntu)
Invalid
Undecided
Unassigned
libhybris (Ubuntu)
Fix Released
Critical
Jim Hodapp

Bug Description

Image: 20131001.3, + updated packages to use gstreamer 1.2 (also happens with gst 1.1.4).
Device: mako

Steps to reproduce:
* Install mediaplayer-app-autopilot and gstreamer1.0-tools
* As phablet: stop unity8
* gst-launch-1.0 -v playbin uri=file:///usr/share/mediaplayer-app/videos/small.mp4

Will crash when initializing the decoding/playback.

Logs attached.

See original description
Revision history for this message
Ricardo Salveti (rsalveti) wrote :

See that mako's OMX element is a bit smarter and decides to release a few buffers before they are consumed later on. This breaks the current buffer list logic inside compat/media/media_codec_layer.cpp, causing an index out of range issue.

V/MediaCodecLayer( 4647): size_t media_codec_get_output_buffers_size(MediaCodecDelegate)
V/MediaCodecLayer( 4647): uint8_t* media_codec_get_nth_output_buffer(MediaCodecDelegate, size_t)
V/MediaCodecLayer( 4647): size_t media_codec_get_nth_output_buffer_capacity(MediaCodecDelegate, size_t)
V/MediaCodecLayer( 4647): uint8_t* media_codec_get_nth_output_buffer(MediaCodecDelegate, size_t)
V/MediaCodecLayer( 4647): size_t media_codec_get_nth_output_buffer_capacity(MediaCodecDelegate, size_t)
V/MediaCodecLayer( 4647): uint8_t* media_codec_get_nth_output_buffer(MediaCodecDelegate, size_t)
V/MediaCodecLayer( 4647): size_t media_codec_get_nth_output_buffer_capacity(MediaCodecDelegate, size_t)
V/MediaCodecLayer( 4647): uint8_t* media_codec_get_nth_output_buffer(MediaCodecDelegate, size_t)
V/MediaCodecLayer( 4647): size_t media_codec_get_nth_output_buffer_capacity(MediaCodecDelegate, size_t)
V/MediaCodecLayer( 4647): uint8_t* media_codec_get_nth_output_buffer(MediaCodecDelegate, size_t)
V/MediaCodecLayer( 4647): size_t media_codec_get_nth_output_buffer_capacity(MediaCodecDelegate, size_t)
V/MediaCodecLayer( 4647): uint8_t* media_codec_get_nth_output_buffer(MediaCodecDelegate, size_t)
V/MediaCodecLayer( 4647): size_t media_codec_get_nth_output_buffer_capacity(MediaCodecDelegate, size_t)
V/MediaCodecLayer( 4647): uint8_t* media_codec_get_nth_output_buffer(MediaCodecDelegate, size_t)
V/MediaCodecLayer( 4647): size_t media_codec_get_nth_output_buffer_capacity(MediaCodecDelegate, size_t)
V/MediaCodecLayer( 4647): uint8_t* media_codec_get_nth_output_buffer(MediaCodecDelegate, size_t)
V/MediaCodecLayer( 4647): size_t media_codec_get_nth_output_buffer_capacity(MediaCodecDelegate, size_t)
V/MediaCodecLayer( 4647): uint8_t* media_codec_get_nth_output_buffer(MediaCodecDelegate, size_t)
V/MediaCodecLayer( 4647): size_t media_codec_get_nth_output_buffer_capacity(MediaCodecDelegate, size_t)
V/MediaCodecLayer( 4647): uint8_t* media_codec_get_nth_output_buffer(MediaCodecDelegate, size_t)
F/MediaCodecLayer( 4647): const TYPE& android::Vector<TYPE>::operator[](size_t) const [with TYPE = android::sp<android::ABuffer>; size_t = unsigned int]: index=9 out of range (9)

description: updated
Revision history for this message
Ricardo Salveti (rsalveti) wrote :
Changed in libhybris (Ubuntu):
status: New → In Progress
importance: Undecided → Critical
assignee: nobody → Jim Hodapp (jhodapp)
Revision history for this message
Ricardo Salveti (rsalveti) wrote :

This issue is currently blocking the mediaplayer-app autotests.

http://reports.qa.ubuntu.com/smokeng/saucy/touch_ro/4512/mediaplayer-app-autopilot/

Revision history for this message
Ricardo Salveti (rsalveti) wrote :

The following patch, to just request outputbuffers from media_codec every time the function is called, fixes the issue.

Not pushing it further as I want Jim to make sure this is not reflected somewhere in the hybris/gstreamer code.

diff --git a/compat/media/media_codec_layer.cpp b/compat/media/media_codec_layer.cpp
index b5f3bc8..eed34af 100644
--- a/compat/media/media_codec_layer.cpp
+++ b/compat/media/media_codec_layer.cpp
@@ -478,8 +478,8 @@ size_t media_codec_get_output_buffers_size(MediaCodecDelegate delegate)
     if (d == NULL)
         return BAD_VALUE;

- if (d->output_buffers.size() == 0)
- {
+// if (d->output_buffers.size() == 0)
+// {
         status_t ret = d->media_codec->getOutputBuffers(&d->output_buffers);
         if (ret != OK)
         {
@@ -487,7 +487,7 @@ size_t media_codec_get_output_buffers_size(MediaCodecDelegate delegate)
             return 0;
         }
         ALOGD("Got %d output buffers", d->output_buffers.size());
- }
+// }

     return d->output_buffers.size();
 }

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package libhybris - 0.1.0+git20130606+c5d897a-0ubuntu31

---------------
libhybris (0.1.0+git20130606+c5d897a-0ubuntu31) saucy; urgency=low

  * 0031-Fixes-bug-lp-1234007-out-of-index-crash-for-handling.patch:
    - Fixing an out of index crash when handling media_codec_layer output
      buffers list (LP: #1234007)
 -- Ricardo Salveti de Araujo <email address hidden> Wed, 02 Oct 2013 11:35:46 -0300

Changed in libhybris (Ubuntu):
status: In Progress → Fix Released
Ricardo Salveti (rsalveti)
Changed in gst-plugins-bad1.0 (Ubuntu):
status: New → Invalid
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.