[asterisk-bugs] [JIRA] (ASTERISK-26926) func_speex: Crash caused by frame with no datalen

Richard Mudgett (JIRA) noreply at issues.asterisk.org
Tue Apr 11 17:32:57 CDT 2017


    [ https://issues.asterisk.org/jira/browse/ASTERISK-26926?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=236476#comment-236476 ] 

Richard Mudgett edited comment on ASTERISK-26926 at 4/11/17 5:31 PM:
---------------------------------------------------------------------

Here's the backtrace:
{noformat}
Core was generated by `/usr/sbin/asterisk -f -vvvg -c'.
Program terminated with signal 11, Segmentation fault.
#0  preprocess_analysis (st=0x2ac0740fd750, x=0x3cab9378) at preprocess.c:626
626           st->frame[N3+i]=x[i];
(gdb) where
#0  preprocess_analysis (st=0x2ac0740fd750, x=0x3cab9378) at preprocess.c:626
#1  0x00002ac0684ddfb7 in speex_preprocess_run (st=0x2ac0740fd750, x=0x3cab9378) at preprocess.c:762
#2  0x00002ac06ed0d1d3 in speex_callback (audiohook=<value optimized out>,  chan=<value optimized out>, frame=0x2ac07413e730, direction=<value optimized out>) at func_speex.c:189
#3  0x0000000000460293 in audio_audiohook_write_list (chan=0x2ac07413ba98,  audiohook_list=0x2ac03c1ec070, direction=AST_AUDIOHOOK_DIRECTION_READ, frame=0x2ac07413e730) at audiohook.c:1040
#4  0x00000000004bb84d in __ast_read (chan=0x2ac07413ba98, dropaudio=0) at channel.c:4302
#5  0x000000000047b9d9 in bridge_handle_trip (bridge_channel=0x2ac03c810388)  at bridge_channel.c:2435
#6  bridge_channel_wait (bridge_channel=0x2ac03c810388)  at bridge_channel.c:2615
#7  0x000000000047c888 in bridge_channel_internal_join (bridge_channel=0x2ac03c810388) at bridge_channel.c:2761
#8  0x0000000000468a18 in ast_bridge_join (bridge=0xfa10c88,  chan=0x2ac07413ba98, swap=0x0, features=0x2ac06fe777a8, tech_args=<value optimized out>, flags=<value optimized out>)  at bridge.c:1714
#9  0x00002ac05576afde in confbridge_exec (chan=0x2ac07413ba98,  data=<value optimized out>) at app_confbridge.c:2374
{noformat}



was (Author: kenner):
> func_speex: Crash caused by frame with no datalen
> -------------------------------------------------
>
>                 Key: ASTERISK-26926
>                 URL: https://issues.asterisk.org/jira/browse/ASTERISK-26926
>             Project: Asterisk
>          Issue Type: Bug
>      Security Level: None
>          Components: Functions/func_speex
>    Affects Versions: 14.3.0
>         Environment: Siren14 (and likely Siren7)
>            Reporter: Richard Kenner
>            Severity: Minor
>
> There is a crash in preprocess_analysis (st=0x2ac0740fd750, x=0x3cab9378) at preprocess.c:626 due to a frame being passed to func_speex.c looking like:  
> {noformat}
> (gdb) print *frame
> $1 = {frametype = AST_FRAME_VOICE, subclass = {integer = 0, 
>     format = 0xe2f9e20, frame_ending = 0}, datalen = 0, samples = 640, 
>   mallocd = 1, mallocd_hdr_len = 232, offset = 64, 
>   src = 0x2ac07413e7f8 "siren14tolin32", data = {ptr = 0x3cab9378, 
>     uint32 = 1017877368, pad = "x\223\253<\000\000\000"}, delivery = {
>     tv_sec = 1491485582, tv_usec = 407272}, frame_list = {next = 0x0}, 
>   flags = 0, ts = 0, len = 0, seqno = 0}
> {noformat}
> A check for datalen != 0 is missing before the call to speex_preprocess around line 188 of func_speex.c.
> This was most recently seen with Siren14, but I believe also occurs less often with Siren7.



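The missing check the report describes, shown as an added example that is not Asterisk's or libspeex's code: a simplified model of the func_speex audiohook callback with a datalen guard in front of the preprocessor call. The struct `frame`, `model_preprocess_run()` and `guarded_speex_callback()` are stand-ins for `ast_frame`, `speex_preprocess_run()` and `speex_callback()`, and the NULL data pointer is a constructed value mirroring the datalen = 0 / samples = 640 frame from the gdb dump.

```c
/* Added example, not Asterisk code: models the func_speex audiohook callback
 * with the datalen guard the report says is missing. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

struct frame {            /* subset of ast_frame fields seen in the gdb dump */
    int datalen;          /* bytes of audio behind data (0 in the crash) */
    int samples;          /* 640 in the crash even though datalen was 0 */
    int16_t *data;        /* frame->data.ptr; NULL here as a constructed value */
};

/* Stand-in for speex_preprocess_run(): like preprocess_analysis it reads
 * frame_size samples from x, so a NULL or short buffer would segfault. */
static int preprocess_calls;
static int16_t model_preprocess_run(int frame_size, const int16_t *x) {
    int16_t acc = 0;
    for (int i = 0; i < frame_size; i++) acc += x[i];   /* st->frame[N3+i]=x[i] */
    preprocess_calls++;
    return acc;
}

/* Hardened callback: returns 0 without touching the audio when the frame
 * carries no data or fewer bytes than its sample count claims. */
int guarded_speex_callback(struct frame *f) {
    if (f->datalen == 0 || f->data == NULL ||
        (size_t)f->datalen < (size_t)f->samples * sizeof(int16_t)) {
        return 0;   /* nothing to preprocess; avoids the preprocess.c:626 read */
    }
    model_preprocess_run(f->samples, f->data);
    return 1;
}

/* Frame shaped like the one in the report: datalen = 0, samples = 640. */
int run_empty_frame(void) {
    struct frame f = { .datalen = 0, .samples = 640, .data = NULL };
    return guarded_speex_callback(&f);   /* 0: preprocessor never called */
}

/* Well-formed 640-sample frame of silence (constructed). */
int run_valid_frame(void) {
    static int16_t pcm[640];
    memset(pcm, 0, sizeof pcm);
    struct frame f = { .datalen = sizeof pcm, .samples = 640, .data = pcm };
    return guarded_speex_callback(&f);   /* 1: preprocessor called once */
}
```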