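Hello all, I just tried to find out what caused the crash. This bug seems to be caused by libcdio17_1.0.0-2. In this library the memory of p_env->cdtext gets freed twice: once inside cdtext_destroy, which ends with free(p_cdtext), and then again by the free(p_env->cdtext) that directly follows that call in get_cdtext_generic. Both calls sit on the error path that is taken when len <= 0 or cdtext_data_init fails on the data returned by read_cdtext_generic, so the crash appears to depend on the CD-TEXT data of the inserted disc.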
Upstream was notified about the issue in [1] and fixed it in commits [2] and [3]. I expect this issue to be resolved once libcdio18_2.0.0* is installed. So this bug should either be forwarded to libcdio or closed directly. Kind regards, Bernhard (gdb) list cdtext_destroy 238 cdtext_destroy(cdtext_t *p_cdtext) ... 255 free(p_cdtext); (gdb) list get_cdtext_generic 281 get_cdtext_generic (void *p_user_data) ... 300 cdtext_destroy (p_env->cdtext); <- freed once inside this function 301 free(p_env->cdtext); <- freed again here [1] http://lists.gnu.org/archive/html/libcdio-devel/2017-12/msg00010.html [2] http://git.savannah.gnu.org/cgit/libcdio.git/commit/lib/driver/_cdio_generic.c?id=f6f9c48fb40b8a1e8218799724b0b61a7161eb1d [3] http://git.savannah.gnu.org/cgit/libcdio.git/commit/lib/driver/_cdio_generic.c?id=dec2f876c2d7162da213429bce1a7140cdbdd734
*** Error in `/usr/lib/x86_64-linux-gnu/kodi/kodi.bin': double free or corruption (out): 0x00007f0af0004530 *** ======= Backtrace: ========= /lib/x86_64-linux-gnu/libc.so.6(+0x722fb)[0x7f0b506ae2fb] /lib/x86_64-linux-gnu/libc.so.6(+0x7895e)[0x7f0b506b495e] /lib/x86_64-linux-gnu/libc.so.6(+0x791be)[0x7f0b506b51be] /usr/lib/x86_64-linux-gnu/libcdio.so.17(+0x8937)[0x7f0b560ac937] /usr/lib/x86_64-linux-gnu/kodi/kodi.bin(_ZN12MEDIA_DETECT12CCdIoSupport13GetCdTextInfoERSt3mapI14cdtext_field_tNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEESt4lessIS2_ESaISt4pairIKS2_S8_EEEi+0x47)[0x556cf9cde727] /usr/lib/x86_64-linux-gnu/kodi/kodi.bin(_ZN12MEDIA_DETECT12CCdIoSupport9GetCdInfoEPc+0xcae)[0x556cf9cdf55e] /usr/lib/x86_64-linux-gnu/kodi/kodi.bin(_ZN12MEDIA_DETECT15CDetectDVDMedia15DetectMediaTypeEv+0xe7)[0x556cf9ce06a7] /usr/lib/x86_64-linux-gnu/kodi/kodi.bin(_ZN12MEDIA_DETECT15CDetectDVDMedia12UpdateDvdromEv+0x17e)[0x556cf9ce0c7e] /usr/lib/x86_64-linux-gnu/kodi/kodi.bin(_ZN12MEDIA_DETECT15CDetectDVDMedia7ProcessEv+0x98)[0x556cf9ce10d8] /usr/lib/x86_64-linux-gnu/kodi/kodi.bin(_ZN7CThread6ActionEv+0x1f)[0x556cfa1f44ff] /usr/lib/x86_64-linux-gnu/kodi/kodi.bin(_ZN7CThread12staticThreadEPv+0xbf)[0x556cfa1f47bf] /lib/x86_64-linux-gnu/libpthread.so.0(+0x7519)[0x7f0b593be519] /lib/x86_64-linux-gnu/libc.so.6(clone+0x3f)[0x7f0b50728a4f] ======= Memory map: ======== apt update apt install mc htop xserver-xorg sddm openbox valgrind strace gdb dpkg-dev devscripts deb [check-valid-until=no] https://snapshot.debian.org/archive/debian/20171231T200000Z/ buster main deb-src [check-valid-until=no] https://snapshot.debian.org/archive/debian/20171231T200000Z/ buster main deb [check-valid-until=no] http://snapshot.debian.org/archive/debian-debug/20171231T200000Z/ buster-debug main apt update apt install kodi kodi-bin-dbgsym libcdio17-dbgsym mkdir kodi/orig -p cd kodi/orig apt source kodi cd ../.. mkdir libcdio17/orig -p cd libcdio17/orig apt source libcdio17 cd ../.. 
systemctl start sddm ps aux | grep kodi.bin | grep -v grep benutzer 23787 2.3 10.7 4595216 331584 ? Sl 10:03 0:19 /usr/lib/x86_64-linux-gnu/kodi/kodi.bin --standalone gdb -q --pid 23787 set height 0 set width 0 set pagination off directory /home/benutzer/libcdio17/orig/libcdio-1.0.0/src directory /home/benutzer/libcdio17/orig/libcdio-1.0.0/lib/driver disassemble cdio_get_cdtext --> ./gnu_linux.c: .get_cdtext = get_cdtext_generic, disassemble get_cdtext_generic 0x00007f04f66ba932 <+114>: callq 0x7f04f66b8b00 <free@plt> 0x00007f04f66ba937 <+119>: movq $0x0,0x1028(%rbx) disassemble _ZN12MEDIA_DETECT12CCdIoSupport13GetCdTextInfoERSt3mapI14cdtext_field_tNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEESt4lessIS2_ESaISt4pairIKS2_S8_EEEi 0x000055c888a7f722 <+66>: callq 0x55c88833b150 <cdio_get_cdtext@plt> 0x000055c888a7f727 <+71>: test %rax,%rax disassemble _ZN12MEDIA_DETECT12CCdIoSupport9GetCdInfoEPc 0x000055c888a80559 <+3241>: callq 0x55c888a7f6e0 <MEDIA_DETECT::CCdIoSupport::GetCdTextInfo(std::map<cdtext_field_t, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::less<cdtext_field_t>, std::allocator<std::pair<cdtext_field_t const, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > > >&, int)> 0x000055c888a8055e <+3246>: lea 0x50(%rsp),%r14 disassemble _ZN12MEDIA_DETECT15CDetectDVDMedia15DetectMediaTypeEv 0x000055c888a816a2 <+226>: callq 0x55c888a7f8b0 <MEDIA_DETECT::CCdIoSupport::GetCdInfo(char*)> 0x000055c888a816a7 <+231>: test %rax,%rax disassemble _ZN12MEDIA_DETECT15CDetectDVDMedia12UpdateDvdromEv 0x000055c888a81c79 <+377>: callq 0x55c888a815c0 <MEDIA_DETECT::CDetectDVDMedia::DetectMediaType()> 0x000055c888a81c7e <+382>: lea 0x40(%rsp),%r12 disassemble _ZN12MEDIA_DETECT15CDetectDVDMedia7ProcessEv 0x000055c888a820d3 <+147>: callq 0x55c888a81b00 <MEDIA_DETECT::CDetectDVDMedia::UpdateDvdrom()> 0x000055c888a820d8 <+152>: movb $0x0,0x2a0(%rbp) disassemble _ZN7CThread6ActionEv 0x000055c888f954fc <+28>: 
callq *0x30(%rax) 0x000055c888f954ff <+31>: mov (%rbx),%rax disassemble _ZN7CThread12staticThreadEPv 0x000055c888f957ba <+186>: callq 0x55c888f954e0 <CThread::Action()> 0x000055c888f957bf <+191>: lea 0x230(%rbx),%r12 . (gdb) list cdio_get_cdtext 63 cdtext_t * 64 cdio_get_cdtext (CdIo *obj) 65 { 66 if (obj == NULL) return NULL; 67 68 if (NULL != obj->op.get_cdtext) { 69 return obj->op.get_cdtext (obj->env); 70 } else { 71 return NULL; 72 } 73 } (gdb) list get_cdtext_generic 280 cdtext_t * 281 get_cdtext_generic (void *p_user_data) 282 { 283 generic_img_private_t *p_env = p_user_data; 284 uint8_t *p_cdtext_data = NULL; 285 size_t len; 286 287 if (!p_env) return NULL; 288 289 if (p_env->b_cdtext_error) return NULL; 290 291 if (NULL == p_env->cdtext) { 292 p_cdtext_data = read_cdtext_generic (p_env); 293 294 if (NULL != p_cdtext_data) { 295 len = CDIO_MMC_GET_LEN16(p_cdtext_data)-2; 296 p_env->cdtext = cdtext_init(); 297 298 if(len <= 0 || 0 != cdtext_data_init (p_env->cdtext, &p_cdtext_data[4], len)) { 299 p_env->b_cdtext_error = true; 300 cdtext_destroy (p_env->cdtext); 301 free(p_env->cdtext); 302 p_env->cdtext = NULL; 303 } 304 305 free(p_cdtext_data); 306 } 307 } 308 309 return p_env->cdtext; 310 } (gdb) disassemble /m 0x00007f04f66ba92b,0x00007f04f66ba942 Dump of assembler code from 0x7f04f66ba92b to 0x7f04f66ba942: 301 free(p_env->cdtext); 0x00007f04f66ba92b <get_cdtext_generic+107>: mov 0x1028(%rbx),%rdi 0x00007f04f66ba932 <get_cdtext_generic+114>: callq 0x7f04f66b8b00 <free@plt> 302 p_env->cdtext = NULL; 0x00007f04f66ba937 <get_cdtext_generic+119>: movq $0x0,0x1028(%rbx) End of assembler dump. 
http://git.savannah.gnu.org/cgit/libcdio.git/tree/lib/driver/_cdio_generic.c http://git.savannah.gnu.org/cgit/libcdio.git/log/lib/driver/_cdio_generic.c (gdb) list cdtext_destroy 237 void 238 cdtext_destroy(cdtext_t *p_cdtext) 239 { 240 cdtext_field_t k; 241 track_t j; 242 int i; 243 244 if (!p_cdtext) return; 245 for (i=0; i<CDTEXT_NUM_BLOCKS_MAX; i++) { 246 for (j=0; j<CDTEXT_NUM_TRACKS_MAX; j++) { 247 for (k=0; k < MAX_CDTEXT_FIELDS; k++) { 248 if (p_cdtext->block[i].track[j].field[k]) { 249 free(p_cdtext->block[i].track[j].field[k]); 250 p_cdtext->block[i].track[j].field[k] = NULL; 251 } 252 } 253 } 254 } 255 free(p_cdtext); 256 } http://git.savannah.gnu.org/cgit/libcdio.git/tree/lib/driver/cdtext.c http://git.savannah.gnu.org/cgit/libcdio.git/log/lib/driver/cdtext.c ----- http://git.savannah.gnu.org/cgit/libcdio.git/commit/lib/driver/_cdio_generic.c?id=f6f9c48fb40b8a1e8218799724b0b61a7161eb1d http://git.savannah.gnu.org/cgit/libcdio.git/commit/lib/driver/_cdio_generic.c?id=dec2f876c2d7162da213429bce1a7140cdbdd734 http://lists.gnu.org/archive/html/libcdio-devel/2017-12/msg00010.html