From d50b6542e330db416b50aa717aa67e2a0b564d58 Mon Sep 17 00:00:00 2001 From: Darren Salt Date: Sun, 8 Feb 2009 14:19:24 +0000 Subject: Remove a break which causes some front ends to hang. (cset ce60f8b5995a) (If this causes xine-lib to hang on certain broken streams, we have a problem.) --- src/xine-engine/demux.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'src') diff --git a/src/xine-engine/demux.c b/src/xine-engine/demux.c index 4d6bc6c1c..cfb13831e 100644 --- a/src/xine-engine/demux.c +++ b/src/xine-engine/demux.c @@ -377,7 +377,7 @@ static void *demux_loop (void *stream_gen) { pthread_cond_wait (&stream->counter_changed, &stream->counter_lock); if (demux_unstick_ao_loop (stream)) - break; + /* break amarok */; } pthread_mutex_unlock (&stream->counter_lock); -- cgit v1.2.3 From 8f9a6421c30167b2bf314d512ae70b27d0167bb1 Mon Sep 17 00:00:00 2001 From: Miguel Freitas Date: Mon, 9 Feb 2009 22:09:28 -0200 Subject: Fix race conditions in gapless_switch (ref. kde bug #180339) --- src/xine-engine/audio_decoder.c | 6 ++++-- src/xine-engine/audio_out.c | 2 +- src/xine-engine/buffer.h | 3 +++ src/xine-engine/demux.c | 3 +++ src/xine-engine/video_decoder.c | 2 +- src/xine-engine/xine.c | 6 ++++-- src/xine-engine/xine_interface.c | 3 +++ src/xine-engine/xine_internal.h | 1 + 8 files changed, 20 insertions(+), 6 deletions(-) (limited to 'src') diff --git a/src/xine-engine/audio_decoder.c b/src/xine-engine/audio_decoder.c index 5476262d9..855dee372 100644 --- a/src/xine-engine/audio_decoder.c +++ b/src/xine-engine/audio_decoder.c @@ -89,16 +89,18 @@ static void *audio_decoder_loop (void *stream_gen) { if (stream->audio_decoder_plugin) { lprintf ("close old decoder\n"); - + + stream->keep_ao_driver_open = !!(buf->decoder_flags & BUF_FLAG_GAPLESS_SW); _x_free_audio_decoder (stream, stream->audio_decoder_plugin); stream->audio_decoder_plugin = NULL; stream->audio_track_map_entries = 0; stream->audio_type = 0; + stream->keep_ao_driver_open = 0; } running_ticket->release(running_ticket, 0); - if( !stream->gapless_switch ) + if( !(buf->decoder_flags & BUF_FLAG_GAPLESS_SW) ) stream->metronom->handle_audio_discontinuity (stream->metronom, DISC_STREAMSTART, 0); buftype_unknown = 0; diff --git a/src/xine-engine/audio_out.c b/src/xine-engine/audio_out.c index d28c45ea6..43553875e 100644 --- a/src/xine-engine/audio_out.c +++ b/src/xine-engine/audio_out.c @@ -1609,7 +1609,7 @@ static void ao_close(xine_audio_port_t *this_gen, xine_stream_t *stream) { pthread_mutex_unlock(&this->streams_lock); /* close driver if no streams left */ - if (!ite && !this->grab_only && !stream->gapless_switch) { + if (!ite && !this->grab_only && !stream->keep_ao_driver_open) { xprintf (this->xine, XINE_VERBOSITY_DEBUG, "audio_out: no streams left, closing driver\n"); if (this->audio_loop_running) { diff --git a/src/xine-engine/buffer.h b/src/xine-engine/buffer.h index 718dedd74..7669c38e6 100644 --- a/src/xine-engine/buffer.h +++ b/src/xine-engine/buffer.h @@ -374,6 +374,9 @@ struct buf_element_s { * decoder_info[2] carries denominator for display aspect ratio */ #define BUF_FLAG_ASPECT 0x0800 +/* represent the state of gapless_switch at the time buf was enqueued */ +#define BUF_FLAG_GAPLESS_SW 0x1000 + /* Special buffer types: * Sometimes there is a need to relay special information from a demuxer diff --git a/src/xine-engine/demux.c b/src/xine-engine/demux.c index cfb13831e..5e9cf5a83 100644 --- a/src/xine-engine/demux.c +++ b/src/xine-engine/demux.c @@ -231,15 +231,18 @@ void _x_demux_control_headers_done (xine_stream_t *stream) { void _x_demux_control_start( xine_stream_t *stream ) { buf_element_t *buf; + uint32_t flags = (stream->gapless_switch) ? BUF_FLAG_GAPLESS_SW : 0; pthread_mutex_lock(&stream->demux_mutex); buf = stream->video_fifo->buffer_pool_alloc (stream->video_fifo); buf->type = BUF_CONTROL_START; + buf->decoder_flags = flags; stream->video_fifo->put (stream->video_fifo, buf); buf = stream->audio_fifo->buffer_pool_alloc (stream->audio_fifo); buf->type = BUF_CONTROL_START; + buf->decoder_flags = flags; stream->audio_fifo->put (stream->audio_fifo, buf); pthread_mutex_unlock(&stream->demux_mutex); diff --git a/src/xine-engine/video_decoder.c b/src/xine-engine/video_decoder.c index c88e01714..d3c9e0d34 100644 --- a/src/xine-engine/video_decoder.c +++ b/src/xine-engine/video_decoder.c @@ -160,7 +160,7 @@ static void *video_decoder_loop (void *stream_gen) { running_ticket->release(running_ticket, 0); - if( !stream->gapless_switch ) + if( !(buf->decoder_flags & BUF_FLAG_GAPLESS_SW) ) stream->metronom->handle_video_discontinuity (stream->metronom, DISC_STREAMSTART, 0); diff --git a/src/xine-engine/xine.c b/src/xine-engine/xine.c index e4e36527f..63a5b7213 100644 --- a/src/xine-engine/xine.c +++ b/src/xine-engine/xine.c @@ -419,6 +419,7 @@ void xine_stop (xine_stream_t *stream) { static void close_internal (xine_stream_t *stream) { int i ; + int gapless_switch = stream->gapless_switch; if( stream->slave ) { xine_close( stream->slave ); @@ -429,7 +430,7 @@ static void close_internal (xine_stream_t *stream) { } } - if( !stream->gapless_switch ) { + if( !gapless_switch ) { /* make sure that other threads cannot change the speed, especially pauseing the stream */ pthread_mutex_lock(&stream->speed_change_lock); stream->ignore_speed_change = 1; @@ -445,7 +446,7 @@ static void close_internal (xine_stream_t *stream) { stop_internal( stream ); - if( !stream->gapless_switch ) { + if( !gapless_switch ) { if (stream->video_out) stream->video_out->set_property(stream->video_out, VO_PROP_DISCARD_FRAMES, 0); if (stream->audio_out) @@ -596,6 +597,7 @@ xine_stream_t *xine_stream_new (xine_t *this, stream->early_finish_event = 0; stream->delay_finish_event = 0; stream->gapless_switch = 0; + stream->keep_ao_driver_open = 0; stream->video_out = vo; if (vo) diff --git a/src/xine-engine/xine_interface.c b/src/xine-engine/xine_interface.c index d1d5a18d9..0438aedfa 100644 --- a/src/xine-engine/xine_interface.c +++ b/src/xine-engine/xine_interface.c @@ -527,6 +527,9 @@ void xine_set_param (xine_stream_t *stream, int param, int value) { case XINE_PARAM_GAPLESS_SWITCH: stream->gapless_switch = !!value; + if( stream->gapless_switch && !stream->early_finish_event ) { + xprintf (stream->xine, XINE_VERBOSITY_DEBUG, "frontend possibly buggy: gapless_switch without early_finish_event\n"); + } break; default: diff --git a/src/xine-engine/xine_internal.h b/src/xine-engine/xine_internal.h index f97ca0b24..945157fc2 100644 --- a/src/xine-engine/xine_internal.h +++ b/src/xine-engine/xine_internal.h @@ -361,6 +361,7 @@ struct xine_stream_s { int early_finish_event; /* do not wait fifos get empty before sending event */ int gapless_switch; /* next stream switch will be gapless */ int delay_finish_event; /* delay event in 1/10 sec units. 0=>no delay, -1=>forever */ + int keep_ao_driver_open; #endif }; -- cgit v1.2.3 From 2afab9c8441685d1ec8f6ef5c9f8c4a163533dfa Mon Sep 17 00:00:00 2001 From: Lorenzo Desole Date: Mon, 9 Feb 2009 22:38:40 +0100 Subject: demux_unstick_ao_loop() reports that xine might be stuck != is stuck Don't give up immediately if demux_unstick_ao_loop() reports that xine might be stuck, because it's not necessarily so. According to my tests, this fixes http://bugs.kde.org/show_bug.cgi?id=180339#c42 and http://bugs.debian.org/514114. This has been tested with Amarok and kde 4.1.x (with phonon) and kaffeine. --- src/combined/ffmpeg/ff_audio_decoder.c | 4 ++- src/xine-engine/demux.c | 52 ++++++++++++++++++++++++---------- 2 files changed, 40 insertions(+), 16 deletions(-) (limited to 'src') diff --git a/src/combined/ffmpeg/ff_audio_decoder.c b/src/combined/ffmpeg/ff_audio_decoder.c index 140a88f80..24c193b44 100644 --- a/src/combined/ffmpeg/ff_audio_decoder.c +++ b/src/combined/ffmpeg/ff_audio_decoder.c @@ -333,8 +333,10 @@ static void ff_audio_decode_data (audio_decoder_t *this_gen, buf_element_t *buf) while (out < decode_buffer_size) { int stream_status = xine_get_status(this->stream); - if (stream_status == XINE_STATUS_QUIT || stream_status == XINE_STATUS_STOP) + if (stream_status == XINE_STATUS_QUIT || stream_status == XINE_STATUS_STOP) { + this->size = 0; return; + } audio_buffer = this->stream->audio_out->get_buffer (this->stream->audio_out); diff --git a/src/xine-engine/demux.c b/src/xine-engine/demux.c index 5e9cf5a83..2ff64dfd3 100644 --- a/src/xine-engine/demux.c +++ b/src/xine-engine/demux.c @@ -120,6 +120,16 @@ void _x_demux_flush_engine (xine_stream_t *stream) { } +struct timespec _x_compute_interval(unsigned int millisecs) { + struct timespec ts; + clock_gettime(CLOCK_REALTIME, &ts); + uint64_t ttimer = (uint64_t)ts.tv_sec*1000 + ts.tv_nsec/1000000 + millisecs; + ts.tv_sec = ttimer/1000; + ts.tv_nsec = (ttimer%1000)*1000000; + return ts; +} + + void _x_demux_control_newpts( xine_stream_t *stream, int64_t pts, uint32_t flags ) { buf_element_t *buf; @@ -147,19 +157,20 @@ void _x_demux_control_newpts( xine_stream_t *stream, int64_t pts, uint32_t flags */ static int demux_unstick_ao_loop (xine_stream_t *stream) { - if (!stream->audio_thread_created) +/* if (!stream->audio_thread_created) return 0; - +*/ int status = xine_get_status (stream); - if (status != XINE_STATUS_QUIT && status != XINE_STATUS_STOP) + if (status != XINE_STATUS_QUIT && status != XINE_STATUS_STOP && stream->demux_plugin->get_status(stream->demux_plugin) != DEMUX_FINISHED) return 0; - +#if 0 /* right, stream is stopped... */ audio_buffer_t *buf = stream->audio_out->get_buffer (stream->audio_out); buf->num_frames = 0; buf->stream = NULL; stream->audio_out->put_buffer (stream->audio_out, buf, stream); - +#endif + lprintf("stuck\n"); return 1; } @@ -200,24 +211,27 @@ void _x_demux_control_headers_done (xine_stream_t *stream) { stream->audio_fifo->put (stream->audio_fifo, buf_audio); pthread_mutex_unlock(&stream->demux_mutex); + unsigned int max_iterations = 0; while ((stream->header_count_audio < header_count_audio) || (stream->header_count_video < header_count_video)) { - struct timeval tv; - struct timespec ts; lprintf ("waiting for headers. v:%d %d a:%d %d\n", stream->header_count_video, header_count_video, stream->header_count_audio, header_count_audio); + + struct timespec ts = _x_compute_interval(1000); + int ret_wait; - gettimeofday(&tv, NULL); - ts.tv_sec = tv.tv_sec + 1; - ts.tv_nsec = tv.tv_usec * 1000; /* use timedwait to workaround buggy pthread broadcast implementations */ - pthread_cond_timedwait (&stream->counter_changed, &stream->counter_lock, &ts); + ret_wait = pthread_cond_timedwait (&stream->counter_changed, &stream->counter_lock, &ts); - if (demux_unstick_ao_loop (stream)) + if (ret_wait == ETIMEDOUT && demux_unstick_ao_loop (stream) && ++max_iterations > 4) { + xine_log(stream->xine, + XINE_LOG_MSG,_("Stuck in _x_demux_control_headers_done(). Taking the emergency exit\n")); + stream->emergency_brake = 1; break; + } } stream->demux_action_pending = 0; @@ -374,13 +388,21 @@ static void *demux_loop (void *stream_gen) { pthread_mutex_unlock( &stream->demux_lock ); pthread_mutex_lock (&stream->counter_lock); + struct timespec ts; + unsigned int max_iterations = 0; + int ret_wait; while ((stream->finished_count_audio < finished_count_audio) || (stream->finished_count_video < finished_count_video)) { lprintf ("waiting for finisheds.\n"); - pthread_cond_wait (&stream->counter_changed, &stream->counter_lock); + ts = _x_compute_interval(1000); + ret_wait = pthread_cond_timedwait (&stream->counter_changed, &stream->counter_lock, &ts); - if (demux_unstick_ao_loop (stream)) - /* break amarok */; + if (ret_wait == ETIMEDOUT && demux_unstick_ao_loop (stream) && ++max_iterations > 4) { + xine_log(stream->xine, + XINE_LOG_MSG,_("Stuck in demux_loop(). Taking the emergency exit\n")); + stream->emergency_brake = 1; + break; + } } pthread_mutex_unlock (&stream->counter_lock); -- cgit v1.2.3 From a0b9021d54dc9890da5f0c9bd26361db4556f6c2 Mon Sep 17 00:00:00 2001 From: Darren Salt Date: Tue, 10 Feb 2009 17:17:50 +0000 Subject: Fix broken size checks in various input plugins (ref. CVE-2008-5239). --- src/input/input_dvb.c | 4 +++- src/input/input_file.c | 4 +++- src/input/input_gnome_vfs.c | 4 +++- src/input/input_http.c | 4 +++- src/input/input_mms.c | 4 +++- src/input/input_net.c | 4 +++- src/input/input_pnm.c | 4 +++- src/input/input_pvr.c | 4 +++- src/input/input_rtp.c | 4 +++- src/input/input_rtsp.c | 4 +++- src/input/input_smb.c | 4 +++- src/input/input_stdin_fifo.c | 4 +++- 12 files changed, 36 insertions(+), 12 deletions(-) (limited to 'src') diff --git a/src/input/input_dvb.c b/src/input/input_dvb.c index 9c592a067..5060757e4 100644 --- a/src/input/input_dvb.c +++ b/src/input/input_dvb.c @@ -2602,7 +2602,9 @@ static buf_element_t *dvb_plugin_read_block (input_plugin_t *this_gen, buf_element_t *buf = fifo->buffer_pool_alloc (fifo); int total_bytes; - if (todo < 0 || todo > buf->size) { + if (todo > buf->max_size) + todo = buf->max_size; + if (todo < 0) { buf->free_buffer (buf); return NULL; } diff --git a/src/input/input_file.c b/src/input/input_file.c index 690913aa4..2187f0007 100644 --- a/src/input/input_file.c +++ b/src/input/input_file.c @@ -169,7 +169,9 @@ static buf_element_t *file_plugin_read_block (input_plugin_t *this_gen, fifo_buf file_input_plugin_t *this = (file_input_plugin_t *) this_gen; buf_element_t *buf = fifo->buffer_pool_alloc (fifo); - if (todo < 0 || todo > buf->size) { + if (todo > buf->max_size) + todo = buf->max_size; + if (todo < 0) { buf->free_buffer (buf); return NULL; } diff --git a/src/input/input_gnome_vfs.c b/src/input/input_gnome_vfs.c index ec025f7b5..a3dfafdd5 100644 --- a/src/input/input_gnome_vfs.c +++ b/src/input/input_gnome_vfs.c @@ -121,7 +121,9 @@ gnomevfs_plugin_read_block (input_plugin_t *this_gen, fifo_buffer_t *fifo, off_t total_bytes; buf_element_t *buf = fifo->buffer_pool_alloc (fifo); - if (todo < 0 || todo > buf->size) { + if (todo > buf->max_size) + todo = buf->max_size; + if (todo < 0) { buf->free_buffer (buf); return NULL; } diff --git a/src/input/input_http.c b/src/input/input_http.c index 3cb745656..c831dfc59 100644 --- a/src/input/input_http.c +++ b/src/input/input_http.c @@ -506,7 +506,9 @@ static buf_element_t *http_plugin_read_block (input_plugin_t *this_gen, fifo_buf off_t total_bytes; buf_element_t *buf = fifo->buffer_pool_alloc (fifo); - if (todo < 0 || todo > buf->size) { + if (todo > buf->max_size) + todo = buf->max_size; + if (todo < 0) { buf->free_buffer (buf); return NULL; } diff --git a/src/input/input_mms.c b/src/input/input_mms.c index d5cc0a2ac..cd88a0609 100644 --- a/src/input/input_mms.c +++ b/src/input/input_mms.c @@ -122,7 +122,9 @@ static buf_element_t *mms_plugin_read_block (input_plugin_t *this_gen, lprintf ("mms_plugin_read_block: %"PRId64" bytes...\n", todo); - if (todo < 0 || todo > buf->size) { + if (todo > buf->max_size) + todo = buf->max_size; + if (todo < 0) { buf->free_buffer (buf); return NULL; } diff --git a/src/input/input_net.c b/src/input/input_net.c index 719203ff9..d9da27b54 100644 --- a/src/input/input_net.c +++ b/src/input/input_net.c @@ -291,7 +291,9 @@ static buf_element_t *net_plugin_read_block (input_plugin_t *this_gen, buf_element_t *buf = fifo->buffer_pool_alloc (fifo); off_t total_bytes; - if (todo < 0 || todo > buf->size) { + if (todo > buf->max_size) + todo = buf->max_size; + if (todo < 0) { buf->free_buffer (buf); return NULL; } diff --git a/src/input/input_pnm.c b/src/input/input_pnm.c index af2b8add2..f609695d5 100644 --- a/src/input/input_pnm.c +++ b/src/input/input_pnm.c @@ -97,7 +97,9 @@ static buf_element_t *pnm_plugin_read_block (input_plugin_t *this_gen, lprintf ("pnm_plugin_read_block: %"PRId64" bytes...\n", todo); - if (todo < 0 || todo > buf->size) { + if (todo > buf->max_size) + todo = buf->max_size; + if (todo < 0) { buf->free_buffer (buf); return NULL; } diff --git a/src/input/input_pvr.c b/src/input/input_pvr.c index 5238fccbc..a9c92e42e 100644 --- a/src/input/input_pvr.c +++ b/src/input/input_pvr.c @@ -1208,7 +1208,9 @@ static buf_element_t *pvr_plugin_read_block (input_plugin_t *this_gen, fifo_buff } buf = fifo->buffer_pool_alloc (fifo); - if (todo < 0 || todo > buf->size) { + if (todo > buf->max_size) + todo = buf->max_size; + if (todo < 0) { buf->free_buffer(buf); return NULL; } diff --git a/src/input/input_rtp.c b/src/input/input_rtp.c index 8d07eb6cf..90bae6670 100644 --- a/src/input/input_rtp.c +++ b/src/input/input_rtp.c @@ -527,7 +527,9 @@ static buf_element_t *rtp_plugin_read_block (input_plugin_t *this_gen, buf_element_t *buf = fifo->buffer_pool_alloc (fifo); int total_bytes; - if (todo < 0 || todo > buf->size) { + if (todo > buf->max_size) + todo = buf->max_size; + if (todo < 0) { buf->free_buffer (buf); return NULL; } diff --git a/src/input/input_rtsp.c b/src/input/input_rtsp.c index bfe8fdf85..fad395e0b 100644 --- a/src/input/input_rtsp.c +++ b/src/input/input_rtsp.c @@ -98,7 +98,9 @@ static buf_element_t *rtsp_plugin_read_block (input_plugin_t *this_gen, lprintf ("rtsp_plugin_read_block: %"PRId64" bytes...\n", todo); - if (todo < 0 || todo > buf->size) { + if (todo > buf->max_size) + todo = buf->max_size; + if (todo < 0) { buf->free_buffer (buf); return NULL; } diff --git a/src/input/input_smb.c b/src/input/input_smb.c index 4d7e9a94a..e49eaa889 100644 --- a/src/input/input_smb.c +++ b/src/input/input_smb.c @@ -91,7 +91,9 @@ smb_plugin_read_block (input_plugin_t *this_gen, fifo_buffer_t *fifo, off_t total_bytes; buf_element_t *buf = fifo->buffer_pool_alloc (fifo); - if (todo < 0 || todo > buf->size) { + if (todo > buf->max_size) + todo = buf->max_size; + if (todo < 0) { buf->free_buffer (buf); return NULL; } diff --git a/src/input/input_stdin_fifo.c b/src/input/input_stdin_fifo.c index 4acd825a5..64b8d748c 100644 --- a/src/input/input_stdin_fifo.c +++ b/src/input/input_stdin_fifo.c @@ -123,7 +123,9 @@ static buf_element_t *stdin_plugin_read_block (input_plugin_t *this_gen, fifo_bu /* stdin_input_plugin_t *this = (stdin_input_plugin_t *) this_gen; */ buf_element_t *buf = fifo->buffer_pool_alloc (fifo); - if (todo < 0 || todo > buf->size) { + if (todo > buf->max_size) + todo = buf->max_size; + if (todo < 0) { buf->free_buffer (buf); return NULL; } -- cgit v1.2.3 From ec17a06e90ae960595fce584ce1b161f2674293e Mon Sep 17 00:00:00 2001 From: Darren Salt Date: Tue, 10 Feb 2009 17:17:50 +0000 Subject: Fix a possible integer overflow in the 4XM demuxer. (TKADV2009-004.txt) --- src/demuxers/demux_4xm.c | 4 ++++ 1 file changed, 4 insertions(+) (limited to 'src') diff --git a/src/demuxers/demux_4xm.c b/src/demuxers/demux_4xm.c index a02a4b597..015ed8b2f 100644 --- a/src/demuxers/demux_4xm.c +++ b/src/demuxers/demux_4xm.c @@ -192,6 +192,10 @@ static int open_fourxm_file(demux_fourxm_t *fourxm) { const uint32_t current_track = _X_LE_32(&header[i + 8]); if (current_track + 1 > fourxm->track_count) { fourxm->track_count = current_track + 1; + if (fourxm->track_count >= UINT_MAX / sizeof(audio_track_t)) { + free(header); + return 0; + } fourxm->tracks = realloc(fourxm->tracks, fourxm->track_count * sizeof(audio_track_t)); if (!fourxm->tracks) { -- cgit v1.2.3 From 5c2144fc9e1fc812dadba98b8bdccbd6f9639460 Mon Sep 17 00:00:00 2001 From: Darren Salt Date: Tue, 10 Feb 2009 17:26:08 +0000 Subject: Disable libmpeg2new for release. --- src/Makefile.am | 1 - 1 file changed, 1 deletion(-) (limited to 'src') diff --git a/src/Makefile.am b/src/Makefile.am index 249bbc2b6..6718b4805 100644 --- a/src/Makefile.am +++ b/src/Makefile.am @@ -11,7 +11,6 @@ SUBDIRS = \ demuxers \ libffmpeg \ libmpeg2 \ - libmpeg2new \ liba52 \ libspudec \ libspucc \ -- cgit v1.2.3 From 6002a9a87b3f591832c2b91ca1b2b1b67be008f5 Mon Sep 17 00:00:00 2001 From: Darren Salt Date: Tue, 10 Feb 2009 18:17:12 +0000 Subject: Restart 1.1.17 (again); revert changes made specifically for the release. --- src/Makefile.am | 1 + 1 file changed, 1 insertion(+) (limited to 'src') diff --git a/src/Makefile.am b/src/Makefile.am index 6718b4805..249bbc2b6 100644 --- a/src/Makefile.am +++ b/src/Makefile.am @@ -11,6 +11,7 @@ SUBDIRS = \ demuxers \ libffmpeg \ libmpeg2 \ + libmpeg2new \ liba52 \ libspudec \ libspucc \ -- cgit v1.2.3