Summary:ASTERISK-13243: [patch] Supplying stereo .WAV file causes Asterisk to crash
Reporter:gkloepfer (gkloepfer)Labels:
Date Opened:2008-12-18 15:42:43.000-0600Date Closed:2009-01-07 16:31:05.000-0600
Versions:Frequency of
Environment:Attachments:( 0) crashit.wav
( 1) file-crash-patch.diff
Description:Accidentally supplied a stereo .WAV file to Asterisk PlayBack() application, and Asterisk crashed with:

*** glibc detected *** asterisk: munmap_chunk(): invalid pointer: 0x082d0ae0 ***

Compiled with malloc debugging and AO2 debugging on.  Asterisk reported a free of unallocated space at line 471 of file.c (free(s)).

The problem will likely occur with any media file that exists with an invalid format.


The problem is that in ast_filehelper() (in main/file.c) a filestream is allocated with ast_filestream(), which is later freed with the C free() function.  ast_filestream() returns a pointer to the user portion of an astobj2 container, not the container itself.  So when free is called, it attempts to free space in the middle of the container rather than the container itself.

ast_filestream() handles must be freed with ast_closestream(), not free().

This occurs in three places in file.c.  A patch is attached.  It has been moderately tested.  I am also attaching the .WAV file that caused the crash.

Note that when malloc and astobj2 debugging is enabled, it is very apparent that  astobj2 objects are not being freed (each time the invalid sound file is played, another astobj is left dangling).
Comments:By: Leif Madsen (lmadsen) 2008-12-18 16:10:19.000-0600

file, I think you might like this!

By: Russell Bryant (russell) 2009-01-07 16:31:05.000-0600

Someone mentioned this problem on IRC as an unrelated report to this, and I ended up fixing it based on his debug information.  Sorry that I didn't see your patch earlier!  It is fixed in 1.4/trunk/1.6.0/1.6.1