Bug #2273

potential memory corruption in cron.c

Added by Sebastian Brings over 10 years ago. Updated over 10 years ago.

Status: Fixed
Priority: Normal
Assignee: -
Category: Crashes
Target version: -
Start date: 2014-09-06
Due date:
% Done: 100%
Estimated time:
Found in version: 3.9.1367~gca742e0-dirty
Affected Versions:

Description

Version:
pi@raspberry03 ~/tvheadend $ cat src/version.c
const char *tvheadend_version = "3.9.1367~gca742e0-dirty";
pi@raspberry03 ~/tvheadend $

I experience crashes during startup, with back traces frequently ending in memory allocation like here:
(gdb) where
#0 0xb6bbadf8 in GI_libc_free (mem=0x11f73e0) at malloc.c:3724
#1 0x00035d44 in htsmsg_field_destroy (msg=<optimized out>, f=0x11f73e0) at src/htsmsg.c:62
#2 0x00035d94 in htsmsg_clear (msg=0x113fb00) at src/htsmsg.c:74
#3 0x00036060 in htsmsg_destroy (msg=0x113fb00) at src/htsmsg.c:180
#4 0x000255f0 in _epggrab_load () at src/epggrab.c:185
#5 epggrab_init () at src/epggrab.c:382
#6 0x0000e118 in main (argc=0, argv=0xbebded54) at src/main.c:841

So I am running tvheadend under valgrind and get an invalid write reported:

hts@raspberry03:~/.hts/tvheadend/epggrab$ valgrind --tool=memcheck /usr/local/bin/tvheadend -u hts -g video
...
2014-09-06 19:06:34.533 [ INFO] epggrab: module /usr/bin/tv_grab_it created
7754 Invalid write of size 4
7754 at 0x4B7DC: cron_multi_set (cron.c:187)
7754 by 0x2501B: epggrab_set_cron (epggrab.c:247)
7754 by 0x2549B: epggrab_init (epggrab.c:155)
7754 by 0xE117: main (main.c:841)
7754 Address 0x8da5224 is 0 bytes after a block of size 28 alloc'd
7754 at 0x4835978: malloc (vg_replace_malloc.c:263)
7754 by 0x4835B0B: realloc (vg_replace_malloc.c:632)
7754 by 0x4B79B: cron_multi_set (cron.c:180)
7754 by 0x2501B: epggrab_set_cron (epggrab.c:247)
7754 by 0x2549B: epggrab_init (epggrab.c:155)
7754 by 0xE117: main (main.c:841)
7754
2014-09-06 19:06:35.268 [ INFO] epgdb: loaded v2

Line numbers may not match the original ones due to 2 more printf's I added while searching the issue.
When allocating 8 more bytes (just to give it a try) in the realloc() call, the valgrind message disappears, and so does the crashing.

epg configuration is:
hts@raspberry03:~/.hts/tvheadend/epggrab$ cat config
{
"channel_rename": 1,
"channel_renumber": 1,
"channel_reicon": 0,
"epgdb_periodicsave": 0,
"cron": "# Default config (00:04 and 12:04 everyday)\n4 */12 * * *",
"ota_cron": "# Default config (02:04 and 14:04 everyday)\n4 2 * * *\n4 14 * * *",
"ota_timeout": 600,
"ota_initial": 1
}
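
Added example, not tvheadend's code and not the change from the changeset referenced below: a realloc()-grown "header plus array" block whose size is derived from the real offset of the array, so the element written after the realloc() always fits. The names entry_t, multi_t, write_fits, multi_bytes and multi_append are hypothetical; only the figures 28, 4 and 8 come from the report above.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical stand-ins, not tvheadend's own structures. */
typedef struct { uint64_t min; uint32_t hour; uint32_t mday; } entry_t;
typedef struct { uint32_t count; entry_t items[]; } multi_t;

/* 1 if a write of len bytes at offset off stays inside a block of size bytes. */
int write_fits(size_t size, size_t off, size_t len)
{
  return off <= size && len <= size - off;
}

/* Bytes for the header plus n entries, measured from the real offset of
 * items[] (padding included); 0 if the size computation would overflow. */
size_t multi_bytes(size_t n)
{
  size_t hdr = offsetof(multi_t, items);
  if (n > (SIZE_MAX - hdr) / sizeof(entry_t))
    return 0;
  return hdr + n * sizeof(entry_t);
}

/* Append *e. Returns the grown block, or NULL with m untouched and still
 * owned by the caller, so a failed realloc() neither leaks nor dangles. */
multi_t *multi_append(multi_t *m, const entry_t *e)
{
  size_t n = m ? (size_t)m->count + 1 : 1;
  size_t bytes = multi_bytes(n);
  multi_t *grown;

  if (bytes == 0 || (m && m->count == UINT32_MAX))
    return NULL;
  grown = realloc(m, bytes);
  if (grown == NULL)
    return NULL;
  grown->items[n - 1] = *e;     /* last byte written is offset bytes - 1 */
  grown->count = (uint32_t)n;
  return grown;
}

int main(void)
{
  /* Report's figures: 4-byte write at offset 28 of a 28-byte block. */
  printf("%d %d\n", write_fits(28, 28, 4), write_fits(36, 28, 4));
  return 0;
}
```

Running the original failing case under valgrind, as in the report, remains the check that a given fix removes the invalid write.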

History

#1

Updated by Jaroslav Kysela over 10 years ago

  • Status changed from New to Fixed
  • % Done changed from 0 to 100

Applied in changeset commit:tvheadend|4963d4c94da4c1d64db547a1963da826a319ce84.

#2

Updated by Jaroslav Kysela over 10 years ago

Yes, you're right. Many thanks.
