[asterisk-bugs] [Asterisk 0015195]: double free or corruption (!prev) in moh_files_generator

Asterisk Bug Tracker noreply at bugs.digium.com
Tue Sep 1 15:45:17 CDT 2009


A NOTE has been added to this issue. 
====================================================================== 
https://issues.asterisk.org/view.php?id=15195 
====================================================================== 
Reported By:                amorsen
Assigned To:                russell
====================================================================== 
Project:                    Asterisk
Issue ID:                   15195
Category:                   Resources/res_musiconhold
Reproducibility:            have not tried
Severity:                   block
Priority:                   normal
Status:                     closed
Target Version:             1.4.27
Asterisk Version:           1.6.0.9 
Regression:                 No 
SVN Branch (only for SVN checkouts, not tarball releases): N/A 
SVN Revision (number only!):  
Request Review:              
Resolution:                 fixed
Fixed in Version:           
====================================================================== 
Date Submitted:             2009-05-26 08:46 CDT
Last Modified:              2009-09-01 15:45 CDT
====================================================================== 
Summary:                    double free or corruption (!prev) in moh_files_generator
Description: 
#0  0x00007f049bf54f05 in raise (sig=<value optimized out>) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
#1  0x00007f049bf56a73 in abort () at abort.c:88
#2  0x00007f049bf94438 in __libc_message (do_abort=2, fmt=0x7f049c05e428 "*** glibc detected *** %s: %s: 0x%s ***\n") at ../sysdeps/unix/sysv/linux/libc_fatal.c:170
#3  0x00007f049bf99ec8 in malloc_printerr (action=2, str=0x7f049c05e530 "double free or corruption (!prev)", ptr=<value optimized out>) at malloc.c:5994
#4  0x00007f049bf9c486 in __libc_free (mem=0x7f049c054880) at malloc.c:3625
#5  0x00007f049bf89f21 in _IO_new_fclose (fp=0x8dce60) at iofclose.c:88
#6  0x000000000046aa9d in filestream_destructor (arg=0x8c6d18) at file.c:321
#7  0x000000000042f9aa in ao2_ref (user_data=0x8c6d18, delta=5926) at astobj2.c:227
#8  0x0000000000470e05 in ast_frame_free (fr=0x1239, cache=1) at frame.c:349
#9  0x00007f0498a458ab in moh_files_generator (chan=0x97a7f0, data=<value optimized out>, len=<value optimized out>, samples=<value optimized out>) at res_musiconhold.c:302
#10 0x000000000043de6e in ast_read_generator_actions (chan=0x97a7f0, f=0x8b9ca0) at channel.c:2448
#11 0x0000000000441fe8 in __ast_read (chan=0x97a7f0, dropaudio=0) at channel.c:2900
#12 0x00000000004446f0 in ast_generic_bridge () at channel.c:4482
#13 ast_channel_bridge (c0=0x97a7f0, c1=0x8be2a0, config=0x7f0482ae3dd0, fo=0x7f0482ae31b0, rc=0x7f0482ae31a8) at channel.c:4850
#14 0x0000000000466894 in ast_bridge_call (chan=0x97a7f0, peer=0x8be2a0, config=0x7f0482ae3dd0) at features.c:2278
#15 0x00007f04857065a4 in dial_exec_full (chan=0x97a7f0, data=<value optimized out>, peerflags=0x7f0482ae4860, continue_exec=0x0) at app_dial.c:1911
#16 0x00007f0485708986 in dial_exec (chan=0x1239, data=0x1726) at app_dial.c:1967
#17 0x000000000049255f in pbx_exec (c=0x97a7f0, app=0x7f04940ce7e0, data=0x7f0482ae6d60) at pbx.c:942
#18 0x0000000000496876 in pbx_extension_helper (c=0x97a7f0, con=<value optimized out>, context=0x97aa48 "DialLine", exten=0x97aa98 "792-0013d18009f0-5", priority=19, label=0x0, callerid=0x7f04740b2fc0 "20126438", action=E_SPAWN, found=0x7f0482ae8ecc, combined_find_spawn=1) at pbx.c:3111
#19 0x0000000000496d30 in ast_spawn_extension (c=0x1239, context=<value optimized out>, exten=<value optimized out>, priority=<value optimized out>, callerid=<value optimized out>, found=<value optimized out>, combined_find_spawn=1) at pbx.c:3614
#20 0x000000000049771f in __ast_pbx_run (c=0x97a7f0, args=0x0) at pbx.c:3701
#21 0x00000000004987db in pbx_thread (data=0x1239) at pbx.c:3974
#22 0x00000000004ce37e in dummy_start (data=<value optimized out>) at utils.c:861
#23 0x00007f049b9053da in start_thread (arg=<value optimized out>) at pthread_create.c:297
#24 0x00007f049c0082bd in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:112

======================================================================
Relationships       ID      Summary
----------------------------------------------------------------------
duplicate of        0015123 out of bounds crash and core dump
duplicate of        0015109 [patch] Abort by memory allocator, poss...
====================================================================== 

---------------------------------------------------------------------- 
 (0109949) svnbot (reporter) - 2009-09-01 15:45
 https://issues.asterisk.org/view.php?id=15195#c109949 
---------------------------------------------------------------------- 
Repository: asterisk
Revision: 215212

U   trunk/addons/format_mp3.c

------------------------------------------------------------------------
r215212 | russell | 2009-09-01 15:44:57 -0500 (Tue, 01 Sep 2009) | 45 lines

Fix memory corruption caused by format_mp3.

format_mp3 claimed that it provided AST_FRIENDLY_OFFSET in frames returned by
read().  However, it lied.  This means that other parts of the code that
attempted to make use of the offset buffer would end up corrupting the fields
in the ast_filestream structure.  This resulted in quite a few crashes due to
unexpected values for fields in ast_filestream.

This patch closes out quite a few bugs.  However, some of these bugs have been
open for a while and have been an area where more than one bug has been
discussed.  So with that said, anyone that is following one of the issues
closed here, if you still have a problem, please open a new bug report for the
specific problem you are still having.  If you do, please ensure that the bug
report is based on the newest version of Asterisk, and that this patch is
applied if format_mp3 is in use.  Thanks!

(closes issue https://issues.asterisk.org/view.php?id=15109)
Reported by: jvandal
Tested by: aragon, russell, zerohalo, marhbere, rgj

(closes issue https://issues.asterisk.org/view.php?id=14958)
Reported by: aragon

(closes issue https://issues.asterisk.org/view.php?id=15123)
Reported by: axisinternet

(closes issue https://issues.asterisk.org/view.php?id=15041)
Reported by: maxnuv

(closes issue https://issues.asterisk.org/view.php?id=15396)
Reported by: aragon

(closes issue https://issues.asterisk.org/view.php?id=15195)
Reported by: amorsen
Tested by: amorsen

(closes issue https://issues.asterisk.org/view.php?id=15781)
Reported by: jensvb

(closes issue https://issues.asterisk.org/view.php?id=15735)
Reported by: thom4fun

(closes issue https://issues.asterisk.org/view.php?id=15460)
Reported by: marhbere

------------------------------------------------------------------------

http://svn.digium.com/view/asterisk?view=rev&revision=215212 

Issue History 
Date Modified    Username       Field                    Change               
====================================================================== 
2009-09-01 15:45 svnbot         Checkin                                      
2009-09-01 15:45 svnbot         Note Added: 0109949                          
======================================================================



