wavparse: Fix crash that occurs in push mode when header chunks are corrupted

in certain ways. In the case that a test is provided for, the size of the `fmt ` chunk is changed from 16 bytes to 18 bytes (bytes 17 - 20 below): ``` $ hexdump -C corruptheadertestsrc.wav 00000000 52 49 46 46 e4 fd 00 00 57 41 56 45 66 6d 74 20 |RIFF....WAVEfmt | 00000010 12 00 00 00 01 00 01 00 80 3e 00 00 00 7d 00 00 |.........>...}..| 00000020 02 00 10 00 64 61 74 61 |....data| 00000028 ``` (Note that the original file is much larger. This was the smallest sub-file I could find that would generate the crash.) Note that, while the same issue doesn't cause a crash in pull mode, there's a different issue in that the file is processed successfully as if it was a .wav file with zero samples. Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/3174>
author: Devin Anderson <danderson@microsoft.com> 2022-10-13 03:20:45 +0300
committer: Tim-Philipp Müller <tim@centricular.com> 2022-10-13 14:15:03 +0300
commit: 80de451c0678b3151925d1a85c0526c334ee2405 (patch)
tree: 23d54c0eb873634a15fc81d2de6c40dd6c99d94a
parent: 0c28e3cf2603728d45a67045bd88019141207165 (diff)
3 files changed, 59 insertions, 13 deletions
diff --git a/subprojects/gst-plugins-good/gst/wavparse/gstwavparse.c b/subprojects/gst-plugins-good/gst/wavparse/gstwavparse.c
index 86ce795f3a..1d74603b73 100644
--- a/subprojects/gst-plugins-good/gst/wavparse/gstwavparse.c
+++ b/subprojects/gst-plugins-good/gst/wavparse/gstwavparse.c
@@ -2498,20 +2498,32 @@ gst_wavparse_sink_event (GstPad * pad, GstObject * parent, GstEvent * event)
       break;
     }
     case GST_EVENT_EOS:
-      if (wav->state == GST_WAVPARSE_START || !wav->caps) {
+      if (!wav->caps) {
         GST_ELEMENT_ERROR (wav, STREAM, WRONG_TYPE, (NULL),
             ("No valid input found before end of stream"));
       } else {
-        /* add pad if needed so EOS is seen downstream */
-        if (G_UNLIKELY (wav->first)) {
-          wav->first = FALSE;
-          gst_wavparse_add_src_pad (wav, NULL);
+        switch (wav->state) {
+          case GST_WAVPARSE_START:
+            GST_ELEMENT_ERROR (wav, STREAM, WRONG_TYPE, (NULL),
+                ("No valid input found before end of stream"));
+            break;
+          case GST_WAVPARSE_HEADER:
+            GST_ELEMENT_ERROR (wav, STREAM, DEMUX, (NULL),
+                ("No audio data chunk found before end of stream"));
+            break;
+          case GST_WAVPARSE_DATA:
+            /* add pad if needed so EOS is seen downstream */
+            if (G_UNLIKELY (wav->first)) {
+              wav->first = FALSE;
+              gst_wavparse_add_src_pad (wav, NULL);
+            }
+            /* stream leftover data in current segment */
+            gst_wavparse_flush_data (wav);
+            break;
+          default:
+            g_assert_not_reached ();
         }
-
-        /* stream leftover data in current segment */
-        gst_wavparse_flush_data (wav);
       }
-
       /* fall-through */
     case GST_EVENT_FLUSH_STOP:
     {
diff --git a/subprojects/gst-plugins-good/tests/check/elements/wavparse.c b/subprojects/gst-plugins-good/tests/check/elements/wavparse.c
index 89e988b1e2..153fb5e09f 100644
--- a/subprojects/gst-plugins-good/tests/check/elements/wavparse.c
+++ b/subprojects/gst-plugins-good/tests/check/elements/wavparse.c
@@ -21,10 +21,12 @@
 
 #include <gst/check/gstcheck.h>
 
+#define CORRUPT_HEADER_WAV_PATH GST_TEST_FILES_PATH G_DIR_SEPARATOR_S \
+    "corruptheadertestsrc.wav"
 #define SIMPLE_WAV_PATH GST_TEST_FILES_PATH G_DIR_SEPARATOR_S "audiotestsrc.wav"
 
 static GstElement *
-create_pipeline (GstPadMode mode)
+create_file_pipeline (const char *path, GstPadMode mode)
 {
   GstElement *pipeline;
   GstElement *src, *q = NULL;
@@ -43,7 +45,7 @@ create_pipeline (GstPadMode mode)
 
   gst_bin_add_many (GST_BIN (pipeline), src, wavparse, fakesink, q, NULL);
 
-  g_object_set (src, "location", SIMPLE_WAV_PATH, NULL);
+  g_object_set (src, "location", path, NULL);
 
   if (mode == GST_PAD_MODE_PUSH)
     fail_unless (gst_element_link_many (src, q, wavparse, fakesink, NULL));
@@ -60,7 +62,7 @@ do_test_simple_file (GstPadMode mode)
   GstElement *pipeline;
   GstMessage *msg;
 
-  pipeline = create_pipeline (mode);
+  pipeline = create_file_pipeline (SIMPLE_WAV_PATH, mode);
 
   ret = gst_element_set_state (pipeline, GST_STATE_PLAYING);
   fail_unless_equals_int (ret, GST_STATE_CHANGE_ASYNC);
@@ -93,6 +95,37 @@ GST_START_TEST (test_simple_file_push)
 GST_END_TEST;
 
 static void
+do_test_corrupt_header_file (GstPadMode mode)
+{
+  GstStateChangeReturn ret;
+  GstElement *pipeline;
+  GstMessage *msg;
+
+  pipeline = create_file_pipeline (CORRUPT_HEADER_WAV_PATH, mode);
+
+  ret = gst_element_set_state (pipeline, GST_STATE_PLAYING);
+  fail_unless_equals_int (ret, GST_STATE_CHANGE_ASYNC);
+
+  ret = gst_element_get_state (pipeline, NULL, NULL, GST_CLOCK_TIME_NONE);
+  fail_unless_equals_int (ret, GST_STATE_CHANGE_FAILURE);
+
+  msg = gst_bus_timed_pop_filtered (GST_ELEMENT_BUS (pipeline),
+      GST_CLOCK_TIME_NONE, GST_MESSAGE_EOS | GST_MESSAGE_ERROR);
+  fail_unless_equals_int (GST_MESSAGE_TYPE (msg), GST_MESSAGE_ERROR);
+
+  gst_message_unref (msg);
+  gst_element_set_state (pipeline, GST_STATE_NULL);
+  gst_object_unref (pipeline);
+}
+
+GST_START_TEST (test_corrupt_header_file_push)
+{
+  do_test_corrupt_header_file (GST_PAD_MODE_PUSH);
+}
+
+GST_END_TEST;
+
+static void
 do_test_empty_file (gboolean can_activate_pull)
 {
   GstStateChangeReturn ret1, ret2;
@@ -166,7 +199,7 @@ GST_START_TEST (test_seek)
   GstClockTime seek_position = (20 * GST_MSECOND);
   GstClockTime first_ts = GST_CLOCK_TIME_NONE;
 
-  pipeline = create_pipeline (GST_PAD_MODE_PULL);
+  pipeline = create_file_pipeline (SIMPLE_WAV_PATH, GST_PAD_MODE_PULL);
   wavparse = gst_bin_get_by_name (GST_BIN (pipeline), "wavparse");
   fail_unless (wavparse);
   fakesink = gst_bin_get_by_name (GST_BIN (pipeline), "fakesink");
@@ -248,6 +281,7 @@ wavparse_suite (void)
   suite_add_tcase (s, tc_chain);
   tcase_add_test (tc_chain, test_empty_file_pull);
   tcase_add_test (tc_chain, test_empty_file_push);
+  tcase_add_test (tc_chain, test_corrupt_header_file_push);
   tcase_add_test (tc_chain, test_simple_file_pull);
   tcase_add_test (tc_chain, test_simple_file_push);
   tcase_add_test (tc_chain, test_seek);
diff --git a/subprojects/gst-plugins-good/tests/files/corruptheadertestsrc.wav b/subprojects/gst-plugins-good/tests/files/corruptheadertestsrc.wav
new file mode 100755
index 0000000000..f8aa22c96d
--- /dev/null
+++ b/subprojects/gst-plugins-good/tests/files/corruptheadertestsrc.wav
author	Devin Anderson <danderson@microsoft.com>	2022-10-13 03:20:45 +0300
committer	Tim-Philipp Müller <tim@centricular.com>	2022-10-13 14:15:03 +0300
commit	80de451c0678b3151925d1a85c0526c334ee2405 (patch)
tree	23d54c0eb873634a15fc81d2de6c40dd6c99d94a
parent	0c28e3cf2603728d45a67045bd88019141207165 (diff)