Opened 5 years ago

Closed 4 years ago

#10922 closed bug (fixed)

[app_server] crash in PicturePlayer::Play: buffer overrun

Reported by: diver
Owned by: axeld
Priority: normal
Milestone: R1
Component: Servers/app_server
Version: R1/Development
Keywords:
Cc:
Blocked By:
Blocking: #11645
Has a Patch: no
Platform: All

Description

hrev47314.

Launching XRS v1.13 unofficial beta2 crashes app_server.

state: Call (PicturePlayer::Play: buffer overrun)

Frame		IP			Function Name
-----------------------------------------------
00000000	0x615fe112	commpage_syscall + 0x2 
		Disassembly:
		commpage_syscall:
		0x615fe110:             89e1  mov %esp, %ecx
		0x615fe112:             0f34  sysenter  <--

		Frame memory:
				
0x715633b8	0x279a571	debugger + 0x39 
0x71563530	0x15924df	BPrivate::PicturePlayer::Play(void*, int32, void*) + 0xdb 
0x71563580	0x129cde6	ServerPicture::Play(DrawingContext*) + 0x8e 
0x71564c00	0x12a568e	ServerWindow::_DispatchViewDrawingMessage(int32, BPrivate::LinkReceiver&) + 0x2612 
0x71564de0	0x12a2d81	ServerWindow::_DispatchViewMessage(int32, BPrivate::LinkReceiver&) + 0x2531 
0x71564f10	0x12a0790	ServerWindow::_DispatchMessage(int32, BPrivate::LinkReceiver&) + 0x1270 
0x71564f90	0x12a7756	ServerWindow::_MessageLooper() + 0x27a 
0x71564fc0	0x1282c9a	MessageLooper::_message_thread(void*) + 0x26 
0x71564fe8	0x27a1621	thread_entry + 0x21 
00000000	0x615fe250	commpage_thread_exit + 0 

Attachments (2)

app_server-199-debug-08-06-2014-07-59-34.report (32.5 KB) - added by diver 5 years ago.
Xrs1.3unbeta2.zip (634.7 KB) - added by diver 5 years ago.


Change History (8)

Changed 5 years ago by diver

Attachment: Xrs1.3unbeta2.zip added

comment:1 Changed 5 years ago by jackburton

Would be interesting to compile libbe with DEBUG=2 (more specifically, just #define DEBUG 2 inside PicturePlayer.cpp). Then launch XRS. It SHOULD produce a file in /var/log/PicturePlayer.log with the BPicture ops used by XRS.

comment:2 Changed 5 years ago by pulkomandy

It seems the picture data is corrupted or truncated. As each of the operations comes with a size, I'm not sure the drawing operations are relevant.

It's possible that the picture comes from archived data (in a BMessage) and we have a compatibility problem with pictures archived on BeOS.
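Added example, not part of this ticket and not Haiku's code: a bounds-checked reader for a length-prefixed op stream of the kind comment:2 describes. The wire layout used here (16-bit opcode, 32-bit size, then the payload) and the sample data are assumptions for illustration, not the real BPicture format. The stack trace above shows debugger() being called from PicturePlayer::Play, so the player's own overrun check fired; in app_server that takes the whole display server down because of one client's picture. A reader in a server process should instead validate each op's size against the bytes remaining and return an error the caller can act on. Comparing the size against the remaining length, rather than computing pos + size, also avoids integer wrap on a corrupted size field.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Assumed layout for this example (NOT the real BPicture format):
 * every op is a little-endian 16-bit opcode, a 32-bit size, then `size`
 * bytes of payload. */
#define OP_HEADER_SIZE 6
#define SAMPLE_LEN 30

enum play_status {
    PLAY_OK = 0,
    PLAY_TRUNCATED_HEADER,   /* fewer than OP_HEADER_SIZE bytes left */
    PLAY_TRUNCATED_PAYLOAD,  /* size field claims more bytes than remain */
    PLAY_BAD_SIZE            /* size field has the sign bit set */
};

struct play_result {
    enum play_status status;
    size_t ops_played;   /* ops fully consumed before stopping */
    size_t fail_offset;  /* offset of the op that failed, if any */
};

static uint16_t rd16(const uint8_t *p)
{
    return (uint16_t)(p[0] | (p[1] << 8));
}

static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8)
         | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static void wr32(uint8_t *p, uint32_t v)
{
    p[0] = v & 0xff; p[1] = (v >> 8) & 0xff;
    p[2] = (v >> 16) & 0xff; p[3] = (v >> 24) & 0xff;
}

/* Walks the op stream, checking each op's header and payload against the
 * bytes still in the buffer before touching them. Malformed input yields a
 * status the caller can report; nothing here aborts the process. */
struct play_result play_ops(const uint8_t *data, size_t len)
{
    struct play_result r = { PLAY_OK, 0, 0 };
    size_t pos = 0;

    while (pos < len) {
        if (len - pos < OP_HEADER_SIZE) {
            r.status = PLAY_TRUNCATED_HEADER; r.fail_offset = pos; return r;
        }
        uint16_t op = rd16(data + pos);
        uint32_t raw_size = rd32(data + pos + 2);
        if (raw_size > INT32_MAX) {   /* a signed reader would see a negative size */
            r.status = PLAY_BAD_SIZE; r.fail_offset = pos; return r;
        }
        size_t payload_start = pos + OP_HEADER_SIZE;
        /* Compare against what remains; never compute pos + size, which can wrap. */
        if ((size_t)raw_size > len - payload_start) {
            r.status = PLAY_TRUNCATED_PAYLOAD; r.fail_offset = pos; return r;
        }
        (void)op;  /* dispatch on the opcode would go here; payload is now known in bounds */
        pos = payload_start + (size_t)raw_size;
        r.ops_played++;
    }
    return r;
}

/* Appends one op to buf at pos and returns the new write position. */
static size_t put_op(uint8_t *buf, size_t pos, uint16_t op,
                     uint32_t size, const uint8_t *payload)
{
    buf[pos] = op & 0xff; buf[pos + 1] = (op >> 8) & 0xff;
    wr32(buf + pos + 2, size);
    if (size > 0) memcpy(buf + pos + OP_HEADER_SIZE, payload, size);
    return pos + OP_HEADER_SIZE + size;
}

/* Constructed sample stream of three ops (30 bytes). Opcodes and payloads
 * are arbitrary and do not correspond to real BPicture ops. */
size_t build_sample(uint8_t *buf)
{
    const uint8_t rect[4] = { 1, 2, 3, 4 };
    const uint8_t text[8] = "picture";
    size_t pos = 0;
    pos = put_op(buf, pos, 0x0010, 4, rect);   /* bytes 0..9  */
    pos = put_op(buf, pos, 0x0011, 0, NULL);   /* bytes 10..15 */
    pos = put_op(buf, pos, 0x0012, 8, text);   /* bytes 16..29 */
    return pos;
}

/* Plays only the first `len` bytes of the sample: a picture cut short. */
struct play_result play_sample_prefix(size_t len)
{
    uint8_t buf[SAMPLE_LEN];
    size_t n = build_sample(buf);
    return play_ops(buf, len < n ? len : n);
}

/* Overwrites the first op's size field with `raw` (a corrupted value) and
 * plays the whole sample. */
struct play_result play_sample_with_raw_size(uint32_t raw)
{
    uint8_t buf[SAMPLE_LEN];
    size_t n = build_sample(buf);
    wr32(buf + 2, raw);
    return play_ops(buf, n);
}

int main(void)
{
    struct play_result r = play_sample_prefix(25);
    printf("truncated picture: status=%d ops=%zu fail_offset=%zu\n",
           (int)r.status, r.ops_played, r.fail_offset);
    r = play_sample_with_raw_size(0x7fffffffu);
    printf("corrupted size: status=%d fail_offset=%zu\n", (int)r.status, r.fail_offset);
    return 0;
}
```

With the full 30-byte sample the reader plays all three ops; cutting the stream to 25 bytes stops at the third op (offset 16) because its payload would run past the end, and cutting it to 18 bytes fails on the header of that same op. A size field of 0x7fffffff is rejected on the first op without any arithmetic on it, and a value with the sign bit set is reported as a bad size.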

comment:3 in reply to:  2 Changed 5 years ago by jackburton

Replying to pulkomandy:

It seems the picture data is corrupted or truncated. As each of the operations comes with a size, I'm not sure the drawing operations are relevant.

It's possible that the picture comes from archived data (in a BMessage) and we have a compatibility problem with pictures archived on BeOS.

That might very well be the case. I'm sure at least we treat strings differently.

comment:4 Changed 5 years ago by anevilyak

Blocking: 11645 added

(In #11645) Looks like this is in fact a duplicate of #10922.

comment:5 Changed 4 years ago by jackburton

I think this could've been fixed by mmlr's recent work on PicturePlayer.

comment:6 Changed 4 years ago by diver

Resolution: fixed
Status: new → closed

app_server no longer crashes. Fixed in hrev49620.
