Debian Bug report logs - #580095
libmpg123-0: *** glibc detected *** /usr/bin: free(): invalid pointer: 0xb7c29098 ***

Package: libmpg123-0; Maintainer for libmpg123-0 is Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>; Source for libmpg123-0 is src:mpg123.

Reported by: gregor herrmann <gregoa@debian.org>

Date: Mon, 3 May 2010 15:51:02 UTC

Severity: grave

Tags: patch

Found in version mpg123/1.12.1-1

Fixed in version mpg123/1.12.1-2

Done: Daniel Kobras <kobras@debian.org>

Bug is archived. No further changes may be made.

Forwarded to https://sourceforge.net/tracker/?func=detail&aid=2996045&group_id=135704&atid=733194


Report forwarded to debian-bugs-dist@lists.debian.org, Daniel Kobras <kobras@debian.org>:
Bug#580095; Package libmpg123-0. (Mon, 03 May 2010 15:51:05 GMT)

Acknowledgement sent to gregor herrmann <gregoa@debian.org>:
New Bug report received and forwarded. Copy sent to Daniel Kobras <kobras@debian.org>. (Mon, 03 May 2010 15:51:05 GMT)

Message #5 received at submit@bugs.debian.org:

From: gregor herrmann <gregoa@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: libmpg123-0: *** glibc detected *** /usr/bin: free(): invalid pointer: 0xb7c29098 ***
Date: Mon, 03 May 2010 17:50:08 +0200
Package: libmpg123-0
Version: 1.12.1-1
Severity: grave
Justification: renders package unusable

The new version of libmpg123-0 (1.12.1-1) causes mpg123 to explode
after playing a song; and while playing the song mpg123 uses insane
amounts of CPU.

#v+
gregoa@belanna:~$ /usr/bin/mpg123.bin data/sound/cds/tracy_chapman-tracy_chapman/01_talkin\'_bout_a_revolution.mp3
High Performance MPEG 1.0/2.0/2.5 Audio Player for Layers 1, 2 and 3
        version 1.12.1; written and copyright by Michael Hipp and others
        free software (LGPL/GPL) without any warranty but with best wishes

Directory: data/sound/cds/tracy_chapman-tracy_chapman/
Playing MPEG stream 1 of 1: 01_talkin'_bout_a_revolution.mp3 ...
Title:   Talkin' Bout a Revolution       Artist: Tracy Chapman
Album:   Tracy Chapman
MPEG 1.0 layer III, 128 kbit/s, 44100 Hz joint-stereo

[2:39] Decoding of 01_talkin'_bout_a_revolution.mp3 finished.
*** glibc detected *** /usr/bin: free(): invalid pointer: 0xb7c29098 ***
======= Backtrace: =========
/lib/i686/cmov/libc.so.6[0xb755f824]
/lib/i686/cmov/libc.so.6[0xb75610b3]
/lib/i686/cmov/libc.so.6(cfree+0x6d)[0xb75640dd]
/usr/lib/libasound.so.2[0xb7263907]
/usr/lib/libasound.so.2(snd_pcm_close+0x8a)[0xb72646fa]
/usr/lib/libasound.so.2[0xb729901b]
/usr/lib/libasound.so.2(snd_pcm_close+0x7e)[0xb72646ee]
/usr/lib/libasound.so.2[0xb7280bee]
/usr/lib/libasound.so.2(snd_pcm_close+0x7e)[0xb72646ee]
/usr/lib/mpg123/output_alsa.so[0xb76dee13]
/lib/i686/cmov/libc.so.6(__libc_start_main+0xe5)[0xb750ab55]
/usr/bin[0xb7706ab1]
======= Memory map: ========
Aborted
#v-

Going back to testing (libmpg123-0 1.10.0-2), while keeping mpg123 at
the version from unstable, helps.

Cheers,
gregor

-- System Information:
Debian Release: squeeze/sid
  APT prefers unstable
  APT policy: (990, 'unstable'), (500, 'oldstable'), (500, 'experimental'), (500, 'testing'), (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 2.6.33.201003210129
Locale: LANG=C, LC_CTYPE=de_AT@euro (charmap=ISO-8859-15)
Shell: /bin/sh linked to /bin/bash

Versions of packages libmpg123-0 depends on:
ii  libc6                         2.10.2-6   Embedded GNU C Library: Shared lib
ii  libltdl7                      2.2.6b-2   A system independent dlopen wrappe

libmpg123-0 recommends no packages.

libmpg123-0 suggests no packages.

-- no debconf information




Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#580095; Package libmpg123-0. (Mon, 03 May 2010 17:27:03 GMT)

Acknowledgement sent to Daniel Kobras <kobras@debian.org>:
Extra info received and forwarded to list. (Mon, 03 May 2010 17:27:03 GMT)

Message #10 received at submit@bugs.debian.org:

From: Daniel Kobras <kobras@debian.org>
To: gregor herrmann <gregoa@debian.org>, 580095@bugs.debian.org
Cc: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Re: Bug#580095: libmpg123-0: *** glibc detected *** /usr/bin: free(): invalid pointer: 0xb7c29098 ***
Date: Mon, 3 May 2010 19:25:54 +0200
Hi!

On Mon, May 03, 2010 at 05:50:08PM +0200, gregor herrmann wrote:
> The new version of libmpg123-0 (1.12.1-1) causes mpg123 to explode
> after playing a song; and while playing the song mpg123 uses insane
> amounts of CPU.

Thanks for the report. I didn't notice this behaviour while testing the package
on amd64, so this bug is likely to be specific to i386 (or 32bit archs in
general). I'll check with upstream.

Regards,

Daniel.





Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#580095; Package libmpg123-0. (Mon, 03 May 2010 17:27:08 GMT)

Acknowledgement sent to Daniel Kobras <kobras@debian.org>:
Extra info received and forwarded to list. (Mon, 03 May 2010 17:27:09 GMT)

Information forwarded to debian-bugs-dist@lists.debian.org, Daniel Kobras <kobras@debian.org>:
Bug#580095; Package libmpg123-0. (Mon, 03 May 2010 17:33:07 GMT)

Acknowledgement sent to gregor herrmann <gregoa@debian.org>:
Extra info received and forwarded to list. Copy sent to Daniel Kobras <kobras@debian.org>. (Mon, 03 May 2010 17:33:07 GMT)

Message #20 received at 580095@bugs.debian.org:

From: gregor herrmann <gregoa@debian.org>
To: Daniel Kobras <kobras@debian.org>
Cc: 580095@bugs.debian.org
Subject: Re: Bug#580095: libmpg123-0: *** glibc detected *** /usr/bin: free(): invalid pointer: 0xb7c29098 ***
Date: Mon, 3 May 2010 19:31:05 +0200
On Mon, 03 May 2010 19:25:54 +0200, Daniel Kobras wrote:

> > The new version of libmpg123-0 (1.12.1-1) causes mpg123 to explode
> > after playing a song; and while playing the song mpg123 uses insane
> > amounts of CPU.
> Thanks for the report. I didn't notice this behaviour while testing the package
> on amd64, so this bug is likely to be specific to i386 (or 32bit archs in
> general). I'll check with upstream.

Cool, thanks for your quick response!

Cheers,
gregor

-- 
 .''`.   http://info.comodo.priv.at/ -- GPG key IDs: 0x8649AA06, 0x00F3CFE4
 : :' :  Debian GNU/Linux user, admin, & developer - http://www.debian.org/
 `. `'   Member of VIBE!AT & SPI, fellow of Free Software Foundation Europe
   `-    NP: J.J. Cale: Sensitive Kind

Set Bug forwarded-to-address to 'https://sourceforge.net/tracker/?func=detail&aid=2996045&group_id=135704&atid=733194'. Request was from Daniel Kobras <kobras@debian.org> to control@bugs.debian.org. (Mon, 03 May 2010 17:51:15 GMT)

Information forwarded to debian-bugs-dist@lists.debian.org, Daniel Kobras <kobras@debian.org>:
Bug#580095; Package libmpg123-0. (Fri, 07 May 2010 21:27:03 GMT)

Acknowledgement sent to Thomas Orgis <thomas-forum@orgis.org>:
Extra info received and forwarded to list. Copy sent to Daniel Kobras <kobras@debian.org>. (Fri, 07 May 2010 21:27:03 GMT)

Message #27 received at 580095@bugs.debian.org:

From: Thomas Orgis <thomas-forum@orgis.org>
To: 580095@bugs.debian.org
Subject: Re: Bug#580095: libmpg123-0: *** glibc detected *** /usr/bin: free(): invalid pointer: 0xb7c29098 ***
Date: Fri, 7 May 2010 23:13:45 +0200
Hi, this is mpg123 upstream.

I asked for some confirmation of the confinedness of the issue to the ALSA output on http://sourceforge.net/tracker/?func=detail&aid=2996045&group_id=135704&atid=733194 ...

Actually, this concerns both issues: The crash and the high CPU usage. Can you try another output module for mpg123? Like, mpg123 -o oss, mpg123 -o portaudio, mpg123 -o sdl  ... there are some to choose from. If these don't show any of the issues, we can be more sure to search for something in the ALSA library.
What makes me wonder, though, is that you "fix" this by downgrading libmpg123?! The basic ALSA usage didn't change... I suspect some subtle bug that is always present but only shows more quickly under some circumstances.


Alrighty then,

Thomas.




Information forwarded to debian-bugs-dist@lists.debian.org, Daniel Kobras <kobras@debian.org>:
Bug#580095; Package libmpg123-0. (Fri, 07 May 2010 22:15:03 GMT)

Acknowledgement sent to gregor herrmann <gregoa@debian.org>:
Extra info received and forwarded to list. Copy sent to Daniel Kobras <kobras@debian.org>. (Fri, 07 May 2010 22:15:03 GMT)

Message #32 received at 580095@bugs.debian.org:

From: gregor herrmann <gregoa@debian.org>
To: Thomas Orgis <thomas-forum@orgis.org>, 580095@bugs.debian.org
Subject: Re: Bug#580095: libmpg123-0: *** glibc detected *** /usr/bin: free(): invalid pointer: 0xb7c29098 ***
Date: Sat, 8 May 2010 00:12:09 +0200
On Fri, 07 May 2010 23:13:45 +0200, Thomas Orgis wrote:

> Hi, this is mpg123 upstream.

Hi!
 
> I asked for some confirmation of the confinedness of the issue to
> the ALSA output on
> http://sourceforge.net/tracker/?func=detail&aid=2996045&group_id=135704&atid=733194
> ...

Ah, sorry, I haven't followed the comments over there, thanks for
bringing the questions to the Debian BTS.
 
> Actually, this concerns both issues: The crash and the high CPU
> usage. Can you try another output module for mpg123? Like, mpg123
> -o oss, mpg123 -o portaudio, mpg123 -o sdl ... there are some to
> choose from. If these don't show any of the issues, we can be more
> sure to search for something in the ALSA library. 

Ok, let's try (with libmpg123-0 1.12.1-1):

Summary:
- pulse, arts, esd, jack, nas: I have no pulse audio/artsd/esd/jackd/nas daemon installed
- dummy: fails
- alsa: still fails
- oss: hm, something's blocking my sound device; ah. found it later.
  no visible effects on the cpu. but the same errors on exit.

Details:
gregoa@belanna:~$ for m in $(mpg123.bin --list-modules| grep output | cut -f1 -d" "); do echo "=== module $m ==="; mpg123.bin -o $m data/sound/cds/tracy_chapman-tracy_chapman/01_talkin\'_bout_a_revolution.mp3; done
=== module pulse ===
[pulse.c:84] error: Failed to open pulse audio output: Connection refused
[audio.c:625] error: failed to open audio device
[audio.c:180] error: Unable to find a working output module in this list: pulse
[audio.c:527] error: Failed to open audio output module
[mpg123.c:847] error: Failed to initialize output, goodbye.
=== module dummy ===
High Performance MPEG 1.0/2.0/2.5 Audio Player for Layers 1, 2 and 3
    version 1.12.1; written and copyright by Michael Hipp and others
    free software (LGPL/GPL) without any warranty but with best wishes

Directory: data/sound/cds/tracy_chapman-tracy_chapman/
Playing MPEG stream 1 of 1: 01_talkin'_bout_a_revolution.mp3 ...
Title:   Talkin' Bout a Revolution       Artist: Tracy Chapman
Album:   Tracy Chapman
MPEG 1.0 layer III, 128 kbit/s, 44100 Hz joint-stereo

[2:39] Decoding of 01_talkin'_bout_a_revolution.mp3 finished.
*** glibc detected *** mpg123.bin: double free or corruption (out): 0xb8aad548 ***
======= Backtrace: =========
/lib/i686/cmov/libc.so.6[0xb756d824]
/lib/i686/cmov/libc.so.6[0xb756f0b3]
/lib/i686/cmov/libc.so.6(cfree+0x6d)[0xb75720dd]
/usr/lib/libmpg123.so.0[0xb768368e]
mpg123.bin[0xb771f555]
/lib/i686/cmov/libc.so.6(__libc_start_main+0xe5)[0xb7518b55]
mpg123.bin[0xb7714ab1]
======= Memory map: ========
Aborted
=== module arts ===
[audio.c:625] error: failed to open audio device
[audio.c:180] error: Unable to find a working output module in this list: arts
[audio.c:527] error: Failed to open audio output module
[mpg123.c:847] error: Failed to initialize output, goodbye.
=== module alsa ===
High Performance MPEG 1.0/2.0/2.5 Audio Player for Layers 1, 2 and 3
    version 1.12.1; written and copyright by Michael Hipp and others
    free software (LGPL/GPL) without any warranty but with best wishes

Directory: data/sound/cds/tracy_chapman-tracy_chapman/
Playing MPEG stream 1 of 1: 01_talkin'_bout_a_revolution.mp3 ...
Title:   Talkin' Bout a Revolution       Artist: Tracy Chapman
Album:   Tracy Chapman
MPEG 1.0 layer III, 128 kbit/s, 44100 Hz joint-stereo

[2:39] Decoding of 01_talkin'_bout_a_revolution.mp3 finished.
*** glibc detected *** mpg123.bin: free(): invalid pointer: 0xb826e068 ***
======= Backtrace: =========
/lib/i686/cmov/libc.so.6[0xb7541824]
/lib/i686/cmov/libc.so.6[0xb75430b3]
/lib/i686/cmov/libc.so.6(cfree+0x6d)[0xb75460dd]
/usr/lib/libasound.so.2[0xb7245907]
/usr/lib/libasound.so.2(snd_pcm_close+0x8a)[0xb72466fa]
/usr/lib/libasound.so.2[0xb727b01b]
/usr/lib/libasound.so.2(snd_pcm_close+0x7e)[0xb72466ee]
/usr/lib/libasound.so.2[0xb7262bee]
/usr/lib/libasound.so.2(snd_pcm_close+0x7e)[0xb72466ee]
/usr/lib/mpg123/output_alsa.so[0xb76c0e13]
/lib/i686/cmov/libc.so.6(__libc_start_main+0xe5)[0xb74ecb55]
mpg123.bin[0xb76e8ab1]
======= Memory map: ========
Aborted
=== module esd ===
High Performance MPEG 1.0/2.0/2.5 Audio Player for Layers 1, 2 and 3
    version 1.12.1; written and copyright by Michael Hipp and others
    free software (LGPL/GPL) without any warranty but with best wishes

Directory: data/sound/cds/tracy_chapman-tracy_chapman/
Playing MPEG stream 1 of 1: 01_talkin'_bout_a_revolution.mp3 ...
Title:   Talkin' Bout a Revolution       Artist: Tracy Chapman
Album:   Tracy Chapman
MPEG 1.0 layer III, 128 kbit/s, 44100 Hz joint-stereo
[audio.c:596] error: Error in writing audio (Bad file descriptor?)!
[mpg123.c:629] error: Deep trouble! Cannot flush to my output anymore!
Segmentation fault
=== module jack ===
Cannot connect to server socket err = No such file or directory
Cannot connect to server socket
exec of JACK server (command = "/usr/bin/jackd") failed: No such file or directory
Cannot connect to server socket err = No such file or directory
Cannot connect to server socket
Cannot connect to server socket err = No such file or directory
Cannot connect to server socket
Cannot connect to server socket err = No such file or directory
Cannot connect to server socket
Cannot connect to server socket err = No such file or directory
Cannot connect to server socket
Cannot connect to server socket err = No such file or directory
Cannot connect to server socket
jack server is not running or cannot be started
[jack.c:250] error: Failed to open jack client: 0x11
[audio.c:625] error: failed to open audio device
[audio.c:180] error: Unable to find a working output module in this list: jack
[audio.c:527] error: Failed to open audio output module
[mpg123.c:847] error: Failed to initialize output, goodbye.
=== module oss ===
[oss.c:182] error: Can't open default sound device!
[audio.c:625] error: failed to open audio device
[audio.c:180] error: Unable to find a working output module in this list: oss
[audio.c:527] error: Failed to open audio output module
[mpg123.c:847] error: Failed to initialize output, goodbye.
=== module nas ===
[nas.c:220] error: could not open default NAS server
[audio.c:625] error: failed to open audio device
[audio.c:180] error: Unable to find a working output module in this list: nas
[audio.c:527] error: Failed to open audio output module
[mpg123.c:847] error: Failed to initialize output, goodbye.

gregoa@belanna:~$ mpg123.bin -o oss data/sound/cds/tracy_chapman-tracy_chapman/01_talkin\'_bout_a_revolution.mp3
High Performance MPEG 1.0/2.0/2.5 Audio Player for Layers 1, 2 and 3
    version 1.12.1; written and copyright by Michael Hipp and others
    free software (LGPL/GPL) without any warranty but with best wishes

Directory: data/sound/cds/tracy_chapman-tracy_chapman/
Playing MPEG stream 1 of 1: 01_talkin'_bout_a_revolution.mp3 ...
Title:   Talkin' Bout a Revolution       Artist: Tracy Chapman
Album:   Tracy Chapman
MPEG 1.0 layer III, 128 kbit/s, 44100 Hz joint-stereo

[2:39] Decoding of 01_talkin'_bout_a_revolution.mp3 finished.
*** glibc detected *** mpg123.bin: double free or corruption (out): 0xb84b3550 ***
======= Backtrace: =========
/lib/i686/cmov/libc.so.6[0xb7545824]
/lib/i686/cmov/libc.so.6[0xb75470b3]
/lib/i686/cmov/libc.so.6(cfree+0x6d)[0xb754a0dd]
/usr/lib/libmpg123.so.0[0xb765b68e]
mpg123.bin[0xb76f7555]
/lib/i686/cmov/libc.so.6(__libc_start_main+0xe5)[0xb74f0b55]
mpg123.bin[0xb76ecab1]
======= Memory map: ========
Aborted


> What makes me
> wonder, though, is that you "fix" this by downgrading libmpg123?!

Ack, that's strange.


Cheers,
gregor
 
-- 
 .''`.   http://info.comodo.priv.at/ -- GPG key IDs: 0x8649AA06, 0x00F3CFE4
 : :' :  Debian GNU/Linux user, admin, & developer - http://www.debian.org/
 `. `'   Member of VIBE!AT & SPI, fellow of Free Software Foundation Europe
   `-    NP: Rolling Stones: Soyoung

Information forwarded to debian-bugs-dist@lists.debian.org, Daniel Kobras <kobras@debian.org>:
Bug#580095; Package libmpg123-0. (Sat, 08 May 2010 11:16:05 GMT)

Acknowledgement sent to Thomas Orgis <thomas-forum@orgis.org>:
Extra info received and forwarded to list. Copy sent to Daniel Kobras <kobras@debian.org>. (Sat, 08 May 2010 11:16:05 GMT)

Message #37 received at 580095@bugs.debian.org:

From: Thomas Orgis <thomas-forum@orgis.org>
To: gregor herrmann <gregoa@debian.org>
Cc: 580095@bugs.debian.org
Subject: Re: Bug#580095: libmpg123-0: *** glibc detected *** /usr/bin: free(): invalid pointer: 0xb7c29098 ***
Date: Sat, 8 May 2010 13:04:04 +0200
Am Sat, 8 May 2010 00:12:09 +0200
schrieb gregor herrmann <gregoa@debian.org>: 

> Summary:
> - pulse, arts, esd, jack, nas: I have no pulse audio/artsd/esd/jackd/nas daemon installed
> - dummy: fails
> - alsa: still fails
> - oss: hm, something's blocking my sound device; ah. found it later.
>   no visible effects on the cpu. but the same errors on exit.

Well, I see a lot of crashing there... especially the dummy output does that, too. This sorta rules out libsound. I cannot reproduce this on my system (64 or 32 bit, glibc 2.11) ... so I'll have to try debian in a VM I guess.
What's your setup: debian testing with mpg123 picked from unstable? System wholly on unstable?
(I don't know if version differences between the two matter atm.)

And in case I keep having trouble to reproduce... a run of libmpg123 with debugging symbols would be nice. There's -dbg packages in debian, right? Or else, could you try to build it yourself?


Alrighty then,

Thomas.

Information forwarded to debian-bugs-dist@lists.debian.org, Daniel Kobras <kobras@debian.org>:
Bug#580095; Package libmpg123-0. (Sat, 08 May 2010 11:27:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to gregor herrmann <gregoa@debian.org>:
Extra info received and forwarded to list. Copy sent to Daniel Kobras <kobras@debian.org>. (Sat, 08 May 2010 11:27:03 GMT) Full text and rfc822 format available.

Message #42 received at 580095@bugs.debian.org (full text, mbox):

From: gregor herrmann <gregoa@debian.org>
To: Thomas Orgis <thomas-forum@orgis.org>
Cc: 580095@bugs.debian.org
Subject: Re: Bug#580095: libmpg123-0: *** glibc detected *** /usr/bin: free(): invalid pointer: 0xb7c29098 ***
Date: Sat, 8 May 2010 13:24:24 +0200
On Sat, 08 May 2010 13:04:04 +0200, Thomas Orgis wrote:

> > Summary:
> > - pulse, arts, esd, jack, nas: I have no pulse audio/artsd/esd/jackd/nas daemon installed
> > - dummy: fails
> > - alsa: still fails
> > - oss: hm, something's blocking my sound device; ah. found it later.
> >   no visible effects on the cpu. but the same errors on exit.

> Well, I see a lot of crashing there... especially the dummy output
> does that, too. 

Right, the failing dummy output module is interesting.

> What's your setup: debian testing with mpg123 picked from unstable? System wholly on unstable?

Almost completely unstable.

> (I don't know if version differences between the two matter atm.)

My original bug report should contain the versions of all involved
other components (at the bottom).
 
> And in case I keep having trouble to reproduce... a run of
> libmpg123 with debugging symbols would be nice. There's -dbg
> packages in debian, right? Or else, could you try to build it
> yourself?

I don't see a libmpg123- or mpg123- -dbg package at the moment, but
I'm happy to rebuild the package(s) and run whatever tests, if you
tell me what you need.
 
Cheers,
gregor

-- 
 .''`.   http://info.comodo.priv.at/ -- GPG key IDs: 0x8649AA06, 0x00F3CFE4
 : :' :  Debian GNU/Linux user, admin, & developer - http://www.debian.org/
 `. `'   Member of VIBE!AT & SPI, fellow of Free Software Foundation Europe
   `-    NP: Queen: Mustapha

Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#580095; Package libmpg123-0. (Sat, 08 May 2010 13:42:13 GMT) Full text and rfc822 format available.

Acknowledgement sent to Daniel Kobras <kobras@debian.org>:
Extra info received and forwarded to list. (Sat, 08 May 2010 13:42:13 GMT) Full text and rfc822 format available.

Message #47 received at 580095@bugs.debian.org (full text, mbox):

From: Daniel Kobras <kobras@debian.org>
To: gregor herrmann <gregoa@debian.org>, 580095@bugs.debian.org
Cc: Thomas Orgis <thomas-forum@orgis.org>
Subject: Re: Bug#580095: libmpg123-0: *** glibc detected *** /usr/bin: free(): invalid pointer: 0xb7c29098 ***
Date: Sat, 8 May 2010 15:39:42 +0200
Hi!

On Sat, May 08, 2010 at 01:24:24PM +0200, gregor herrmann wrote:
> > What's your setup: debian testing with mpg123 picked from unstable? System wholly on unstable?
> 
> Almost completely unstable.

I've now set up an i386 chroot with current unstable and cannot reproduce the
problem there, either. Do you see the error with any mp3, or just with specific
files?

> I don't see a libmpg123- or mpg123- -dbg package at the moment, but
> I'm happy to rebuild the package(s) and run whatever tests, if you
> tell me what you need.

Fair enough. I'll add a -dbg package in one of the next uploads.

Regards,

Daniel.





Information forwarded to debian-bugs-dist@lists.debian.org, Daniel Kobras <kobras@debian.org>:
Bug#580095; Package libmpg123-0. (Sat, 08 May 2010 23:15:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to gregor herrmann <gregoa@debian.org>:
Extra info received and forwarded to list. Copy sent to Daniel Kobras <kobras@debian.org>. (Sat, 08 May 2010 23:15:03 GMT) Full text and rfc822 format available.

Message #52 received at 580095@bugs.debian.org (full text, mbox):

From: gregor herrmann <gregoa@debian.org>
To: Daniel Kobras <kobras@debian.org>
Cc: 580095@bugs.debian.org, Thomas Orgis <thomas-forum@orgis.org>
Subject: Re: Bug#580095: libmpg123-0: *** glibc detected *** /usr/bin: free(): invalid pointer: 0xb7c29098 ***
Date: Sun, 9 May 2010 01:11:19 +0200
On Sat, 08 May 2010 15:39:42 +0200, Daniel Kobras wrote:

> I've now set up an i386 chroot with current unstable and cannot reproduce the
> problem there, either. Do you see the error with any mp3, or just with specific
> files?

I've now tried with 77 small mp3s [0] from my hard disk, and the first
crash came after file number 20. And another one later.

With 92 large files [0]: no crash after the first 64 files.

I've now also tried mpg123 on my laptop (also i386 and unstable): no
crash after 104 files.

And, back on my desktop, 01_talkin'_bout_a_revolution.mp3 (the file
that always caused the crash so far), also completed without a problem
... But another one from the same album crashed later. But only once
in several tries. -- And hours later 01_... crashes again. *sigh*

So it seems that not all mp3s are affected, or not always; now we
only need to find out which ones or under which circumstances :/
 
> > I don't see a libmpg123- or mpg123- -dbg package at the moment, but
> > I'm happy to rebuild the package(s) and run whatever tests, if you
> > tell me what you need.
> Fair enough. I'll add a -dbg package in one of the next uploads.

Cool, thanks!


Cheers,
gregor
 

[0]
$ find data/sound -name "*.mp3" -size 1M ...
$ find data/sound -name "*.mp3" -size 10M ...
-- 
 .''`.   http://info.comodo.priv.at/ -- GPG key IDs: 0x8649AA06, 0x00F3CFE4
 : :' :  Debian GNU/Linux user, admin, & developer - http://www.debian.org/
 `. `'   Member of VIBE!AT & SPI, fellow of Free Software Foundation Europe
   `-    

Information forwarded to debian-bugs-dist@lists.debian.org, Daniel Kobras <kobras@debian.org>:
Bug#580095; Package libmpg123-0. (Sun, 09 May 2010 19:18:06 GMT) Full text and rfc822 format available.

Acknowledgement sent to Thomas Orgis <thomas-forum@orgis.org>:
Extra info received and forwarded to list. Copy sent to Daniel Kobras <kobras@debian.org>. (Sun, 09 May 2010 19:18:07 GMT) Full text and rfc822 format available.

Message #57 received at 580095@bugs.debian.org (full text, mbox):

From: Thomas Orgis <thomas-forum@orgis.org>
To: gregor herrmann <gregoa@debian.org>
Cc: Daniel Kobras <kobras@debian.org>, 580095@bugs.debian.org, Thomas Orgis <thomas-forum@orgis.org>
Subject: Re: Bug#580095: libmpg123-0: *** glibc detected *** /usr/bin: free(): invalid pointer: 0xb7c29098 ***
Date: Sun, 9 May 2010 21:16:47 +0200
I just added this to the mpg123 tracker item:

I managed to reproduce a crash
(no report of double free(), but a segfault during free()) on a VM install
of debian testing, with mpg123 from unstable.

The funny thing is that I observe the debian mpg123 binary crashing with
the debian libmpg123 and a self-built one from vanilla upstream sources,
but vice versa the self-built mpg123 binary is _not_ crashing with either
lib.
The offending free() call does happen in libmpg123, it's the cleanup
during mpg123_delete(). I have no idea so far what should be wrong here...
everything looks right.

Mpg123 allocates rawdecwin = 0xb930ee30 ... and at the end wants to free
rawdecwin = 0xb930ee30. What special trick is there going on with the
packaged binary that it triggers a segfault at the free()? Valgrind also
has nothing to complain.

The essence of the two log files I attached there is that the crash occurs on a regular and for all I can tell valid call to free() with a pointer that was returned from malloc() before. There must be some other mess up with glibc's internals.

Can you repeat what I did:

1. Download the vanilla sources: http://mpg123.org/current
2. Build that (no need for devel packages, libc is enough)
	cd mpg123-1.12.1 && ./configure --prefix=some_place && make && make install
3. Download test file from mpg123 repo: http://mpg123.org/cgi-bin/viewvc.cgi/test/regression/drum.mp3
4. run some_place/mpg123 --cpu generic -o dummy drum.mp3
5. run mpg123 --cpu generic -o dummy drum.mp3
6. Use LD_LIBRARY_PATH run each binary with each library, LD_LIBRARY_PATH=some_place/lib mpg123 ...

For me, every call with the packaged /usr/bin/mpg123 crashes after decoding the file, every call with the self-built one succeeds.

Explanations welcome.




Information forwarded to debian-bugs-dist@lists.debian.org, Daniel Kobras <kobras@debian.org>:
Bug#580095; Package libmpg123-0. (Sun, 09 May 2010 22:12:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to gregor herrmann <gregoa@debian.org>:
Extra info received and forwarded to list. Copy sent to Daniel Kobras <kobras@debian.org>. (Sun, 09 May 2010 22:12:03 GMT) Full text and rfc822 format available.

Message #62 received at 580095@bugs.debian.org (full text, mbox):

From: gregor herrmann <gregoa@debian.org>
To: Thomas Orgis <thomas-forum@orgis.org>
Cc: Daniel Kobras <kobras@debian.org>, 580095@bugs.debian.org
Subject: Re: Bug#580095: libmpg123-0: *** glibc detected *** /usr/bin: free(): invalid pointer: 0xb7c29098 ***
Date: Mon, 10 May 2010 00:09:02 +0200
On Sun, 09 May 2010 21:16:47 +0200, Thomas Orgis wrote:

> I managed to reproduce a crash

I'm glad I'm not the only one with this phenomenon :)

> Can you repeat what I did:

Sure, thanks for the clear and simple instructions!
 
> 1. Download the vanilla sources: http://mpg123.org/current
> 2. Build that (no need for devel packages, libc is enough)
> 	cd mpg123-1.12.1 && ./configure --prefix=some_place && make && make install
> 3. Download test file from mpg123 repo: http://mpg123.org/cgi-bin/viewvc.cgi/test/regression/drum.mp3
> 4. run some_place/mpg123 --cpu generic -o dummy drum.mp3
> 5. run mpg123 --cpu generic -o dummy drum.mp3
> 6. Use LD_LIBRARY_PATH run each binary with each library, LD_LIBRARY_PATH=some_place/lib mpg123 ...
> 
> For me, every call with the packaged /usr/bin/mpg123 crashes after
> decoding the file, every call with the self-built one succeeds.

My results:

#v+
gregoa@belanna:/tmp/mpg123$ LD_LIBRARY_PATH=/usr/lib /usr/bin/mpg123.bin -o dummy drum.mp3 
High Performance MPEG 1.0/2.0/2.5 Audio Player for Layers 1, 2 and 3
    version 1.12.1; written and copyright by Michael Hipp and others
    free software (LGPL/GPL) without any warranty but with best wishes

Playing MPEG stream 1 of 1: drum.mp3 ...
Title:   Test track (some drums)         Artist: Thomas Orgis
Comment: A file for basic regression testing of mpg123.
Album:   The mpg123 Repository
Year:    2010                            Genre:  Instrumental
MPEG 1.0 layer III, VBR, 48000 Hz joint-stereo

[0:29] Decoding of drum.mp3 finished.
Segmentation fault

gregoa@belanna:/tmp/mpg123$ LD_LIBRARY_PATH=/home/gregoa/opt/lib /usr/bin/mpg123.bin -o dummy drum.mp3 
High Performance MPEG 1.0/2.0/2.5 Audio Player for Layers 1, 2 and 3
    version 1.12.1; written and copyright by Michael Hipp and others
    free software (LGPL/GPL) without any warranty but with best wishes

Playing MPEG stream 1 of 1: drum.mp3 ...
Title:   Test track (some drums)         Artist: Thomas Orgis
Comment: A file for basic regression testing of mpg123.
Album:   The mpg123 Repository
Year:    2010                            Genre:  Instrumental
MPEG 1.0 layer III, VBR, 48000 Hz joint-stereo

[0:29] Decoding of drum.mp3 finished.
Segmentation fault

gregoa@belanna:/tmp/mpg123$ LD_LIBRARY_PATH=/usr/lib /home/gregoa/opt/bin/mpg123 -o dummy drum.mp3 
High Performance MPEG 1.0/2.0/2.5 Audio Player for Layers 1, 2 and 3
    version 1.12.1; written and copyright by Michael Hipp and others
    free software (LGPL/GPL) without any warranty but with best wishes

Playing MPEG stream 1 of 1: drum.mp3 ...
Title:   Test track (some drums)         Artist: Thomas Orgis
Comment: A file for basic regression testing of mpg123.
Album:   The mpg123 Repository
Year:    2010                            Genre:  Instrumental
MPEG 1.0 layer III, VBR, 48000 Hz joint-stereo

[0:29] Decoding of drum.mp3 finished.
gregoa@belanna:/tmp/mpg123$ LD_LIBRARY_PATH=/home/gregoa/opt/lib /home/gregoa/opt/bin/mpg123 -o dummy drum.mp3 
High Performance MPEG 1.0/2.0/2.5 Audio Player for Layers 1, 2 and 3
    version 1.12.1; written and copyright by Michael Hipp and others
    free software (LGPL/GPL) without any warranty but with best wishes

Playing MPEG stream 1 of 1: drum.mp3 ...
Title:   Test track (some drums)         Artist: Thomas Orgis
Comment: A file for basic regression testing of mpg123.
Album:   The mpg123 Repository
Year:    2010                            Genre:  Instrumental
MPEG 1.0 layer III, VBR, 48000 Hz joint-stereo

[0:29] Decoding of drum.mp3 finished.
#v-

So the same as in your tests.

And now with the alsa output plugin (it seems I have the alsa headers installed):

#v+
gregoa@belanna:/tmp/mpg123$ LD_LIBRARY_PATH=/usr/lib /usr/bin/mpg123.bin -o alsa drum.mp3 
High Performance MPEG 1.0/2.0/2.5 Audio Player for Layers 1, 2 and 3
    version 1.12.1; written and copyright by Michael Hipp and others
    free software (LGPL/GPL) without any warranty but with best wishes

Playing MPEG stream 1 of 1: drum.mp3 ...
Title:   Test track (some drums)         Artist: Thomas Orgis
Comment: A file for basic regression testing of mpg123.
Album:   The mpg123 Repository
Year:    2010                            Genre:  Instrumental
MPEG 1.0 layer III, VBR, 48000 Hz joint-stereo
Segmentation fault
gregoa@belanna:/tmp/mpg123$ LD_LIBRARY_PATH=/home/gregoa/opt/lib /usr/bin/mpg123.bin -o alsa drum.mp3 
High Performance MPEG 1.0/2.0/2.5 Audio Player for Layers 1, 2 and 3
    version 1.12.1; written and copyright by Michael Hipp and others
    free software (LGPL/GPL) without any warranty but with best wishes

Playing MPEG stream 1 of 1: drum.mp3 ...
Title:   Test track (some drums)         Artist: Thomas Orgis
Comment: A file for basic regression testing of mpg123.
Album:   The mpg123 Repository
Year:    2010                            Genre:  Instrumental
MPEG 1.0 layer III, VBR, 48000 Hz joint-stereo
Segmentation fault
gregoa@belanna:/tmp/mpg123$ LD_LIBRARY_PATH=/usr/lib /home/gregoa/opt/bin/mpg123 -o alsa drum.mp3 
High Performance MPEG 1.0/2.0/2.5 Audio Player for Layers 1, 2 and 3
    version 1.12.1; written and copyright by Michael Hipp and others
    free software (LGPL/GPL) without any warranty but with best wishes

Playing MPEG stream 1 of 1: drum.mp3 ...
Title:   Test track (some drums)         Artist: Thomas Orgis
Comment: A file for basic regression testing of mpg123.
Album:   The mpg123 Repository
Year:    2010                            Genre:  Instrumental
MPEG 1.0 layer III, VBR, 48000 Hz joint-stereo

[0:29] Decoding of drum.mp3 finished.
gregoa@belanna:/tmp/mpg123$ LD_LIBRARY_PATH=/home/gregoa/opt/lib /home/gregoa/opt/bin/mpg123 -o alsa drum.mp3 
High Performance MPEG 1.0/2.0/2.5 Audio Player for Layers 1, 2 and 3
    version 1.12.1; written and copyright by Michael Hipp and others
    free software (LGPL/GPL) without any warranty but with best wishes

Playing MPEG stream 1 of 1: drum.mp3 ...
Title:   Test track (some drums)         Artist: Thomas Orgis
Comment: A file for basic regression testing of mpg123.
Album:   The mpg123 Repository
Year:    2010                            Genre:  Instrumental
MPEG 1.0 layer III, VBR, 48000 Hz joint-stereo

[0:29] Decoding of drum.mp3 finished.
#v-

The result is the same with alsa and with dummy. In the case of the
segfaults the "Decoding .." line is also missing, and obviously the
segfault happens before any audio output.


And another test: I've rebuilt the debian package (without any
changes); but the results are the same ...

Cheers,
gregor

-- 
 .''`.   http://info.comodo.priv.at/ -- GPG key IDs: 0x8649AA06, 0x00F3CFE4
 : :' :  Debian GNU/Linux user, admin, & developer - http://www.debian.org/
 `. `'   Member of VIBE!AT & SPI, fellow of Free Software Foundation Europe
   `-    

Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#580095; Package libmpg123-0. (Mon, 10 May 2010 19:27:07 GMT) Full text and rfc822 format available.

Acknowledgement sent to Daniel Kobras <kobras@debian.org>:
Extra info received and forwarded to list. (Mon, 10 May 2010 19:27:07 GMT) Full text and rfc822 format available.

Message #67 received at 580095@bugs.debian.org (full text, mbox):

From: Daniel Kobras <kobras@debian.org>
To: gregor herrmann <gregoa@debian.org>
Cc: Thomas Orgis <thomas-forum@orgis.org>, 580095@bugs.debian.org
Subject: Re: Bug#580095: libmpg123-0: *** glibc detected *** /usr/bin: free(): invalid pointer: 0xb7c29098 ***
Date: Mon, 10 May 2010 21:23:59 +0200
Hi!

On Mon, May 10, 2010 at 12:09:02AM +0200, gregor herrmann wrote:
> On Sun, 09 May 2010 21:16:47 +0200, Thomas Orgis wrote:
> > I managed to reproduce a crash
> 
> I'm glad I'm not the only one with this phenomenon :)

With drum.mp3, I'm now also seeing the segfault in an i386 chroot. amd64 is
still fine. Building the Debian package with DEB_BUILD_OPTIONS=noharden (ie.
without CFLAGS "-Wformat -D_FORTIFY_SOURCE=2 -fstack-protector -fPIE" and
LDFLAGS "-Wl,-z,relro -pie") prevents the crashes. However, I'm not sure
whether we really reproduce Gregor's original problem because for me, an
unhardened mpg123 always terminates normally even with hardened libmpg123 and
output plugin (dummy), and a hardened mpg123 always crashes, even with
unhardened libmpg123 and output plugin. In contrast, Gregor states that he
could cure the crashes by changing to a different libmpg123.

Anyway, this means that there is either a toolchain bug on i386 in one of the
hardening options, or a bug in mpg123 that usually goes unnoticed and is only
uncovered in a hardened build. I haven't managed to drill down any further so
far. Needless to say that mpg123 doesn't segfault anymore as soon as it's run
in valgrind.

Regards,

Daniel.





Information forwarded to debian-bugs-dist@lists.debian.org, Daniel Kobras <kobras@debian.org>:
Bug#580095; Package libmpg123-0. (Mon, 10 May 2010 20:48:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Thomas Orgis <thomas-forum@orgis.org>:
Extra info received and forwarded to list. Copy sent to Daniel Kobras <kobras@debian.org>. (Mon, 10 May 2010 20:48:03 GMT) Full text and rfc822 format available.

Message #72 received at 580095@bugs.debian.org (full text, mbox):

From: Thomas Orgis <thomas-forum@orgis.org>
To: Daniel Kobras <kobras@debian.org>
Cc: gregor herrmann <gregoa@debian.org>, 580095@bugs.debian.org
Subject: Re: Bug#580095: libmpg123-0: *** glibc detected *** /usr/bin: free(): invalid pointer: 0xb7c29098 ***
Date: Mon, 10 May 2010 22:43:52 +0200
Am Mon, 10 May 2010 21:23:59 +0200
schrieb Daniel Kobras <kobras@debian.org>: 

> With drum.mp3, I'm now also seeing the segfault in an i386 chroot. amd64 is
> still fine. Building the Debian package with DEB_BUILD_OPTIONS=noharden (ie.
> without CFLAGS "-Wformat -D_FORTIFY_SOURCE=2 -fstack-protector -fPIE" and
> LDFLAGS "-Wl,-z,relro -pie") prevents the crashes.

Now that is a hint. One might understand trouble from one of the hand-written assembly decoders... but this issue also persists with --cpu generic. Can one narrow it down to one of the different hardening settings?

> However, I'm not sure
> whether we really reproduce Gregor's original problem because for me, an
> unhardened mpg123 always terminates normally even with hardened libmpg123 and
> output plugin (dummy), and a hardened mpg123 always crashes, even with
> unhardened libmpg123 and output plugin.

This is what Gregor states, IMHO, also consistent with my tests. One of us got confused;-)


Alrighty then,

Thomas.

Information forwarded to debian-bugs-dist@lists.debian.org, Daniel Kobras <kobras@debian.org>:
Bug#580095; Package libmpg123-0. (Mon, 10 May 2010 20:57:06 GMT) Full text and rfc822 format available.

Acknowledgement sent to gregor herrmann <gregoa@debian.org>:
Extra info received and forwarded to list. Copy sent to Daniel Kobras <kobras@debian.org>. (Mon, 10 May 2010 20:57:06 GMT) Full text and rfc822 format available.

Message #77 received at 580095@bugs.debian.org (full text, mbox):

From: gregor herrmann <gregoa@debian.org>
To: Thomas Orgis <thomas-forum@orgis.org>
Cc: Daniel Kobras <kobras@debian.org>, 580095@bugs.debian.org
Subject: Re: Bug#580095: libmpg123-0: *** glibc detected *** /usr/bin: free(): invalid pointer: 0xb7c29098 ***
Date: Mon, 10 May 2010 22:54:15 +0200
On Mon, 10 May 2010 22:43:52 +0200, Thomas Orgis wrote:

> > However, I'm not sure
> > whether we really reproduce Gregor's original problem because for me, an
> > unhardened mpg123 always terminates normally even with hardened libmpg123 and
> > output plugin (dummy), and a hardened mpg123 always crashes, even with
> > unhardened libmpg123 and output plugin.
> This is what Gregor states, IMHO, also consistent with my tests. 

Yup, my test results with the current (vanilla|debian) binary+lib are
the same as yours but they are not necessarily the same as my
original crashes, and yesterday I haven't systematically tested
against the lib from testing.
But since I was not able to reliably reproduce the crashes it's no
big help anyway ...

> One of us got confused;-)

Or three of us? :)

Cheers,
gregor

-- 
 .''`.   http://info.comodo.priv.at/ -- GPG key IDs: 0x8649AA06, 0x00F3CFE4
 : :' :  Debian GNU/Linux user, admin, & developer - http://www.debian.org/
 `. `'   Member of VIBE!AT & SPI, fellow of Free Software Foundation Europe
   `-    NP: Status Quo: Roll Over Lay Down

Information forwarded to debian-bugs-dist@lists.debian.org, Daniel Kobras <kobras@debian.org>:
Bug#580095; Package libmpg123-0. (Wed, 12 May 2010 14:54:06 GMT) Full text and rfc822 format available.

Acknowledgement sent to Thomas Orgis <thomas-forum@orgis.org>:
Extra info received and forwarded to list. Copy sent to Daniel Kobras <kobras@debian.org>. (Wed, 12 May 2010 14:54:06 GMT) Full text and rfc822 format available.

Message #82 received at 580095@bugs.debian.org (full text, mbox):

From: Thomas Orgis <thomas-forum@orgis.org>
To: gregor herrmann <gregoa@debian.org>
Cc: Daniel Kobras <kobras@debian.org>, 580095@bugs.debian.org
Subject: Re: Bug#580095: libmpg123-0: *** glibc detected *** /usr/bin: free(): invalid pointer: 0xb7c29098 ***
Date: Wed, 12 May 2010 16:51:48 +0200
Poke, poke.

Am Mon, 10 May 2010 22:54:15 +0200
schrieb gregor herrmann <gregoa@debian.org>: 

> Yup, my test results with the current (vanilla|debian) binary+lib are
> the same as yours but they are not necessarily the same as my
> original crashes, and yesterday I haven't systematically tested
> against the lib from testing.
> But since I was not able to reliably reproduce the crashes it's no
> big help anyway ...

Can you repeat your initial tests with the lot of files to
  a) reproduce at least one original crash with the stock mpg123
  b) confirm (or) not that you do not manage to produce that crash with self-built mpg123
?

Then... the obvious way would be to find out which one of the hardened flags Daniel mentioned breaks mpg123. So... write a script that iterates over the flags, and builds mpg123 with a reasonable subset of the combinations.

CFLAGS=... ./configure ... --with-optimization=0  # The latter option to really only use your CFLAGS.

I'd like to see where this one is going. Will there be a bug to fix in mpg123 or not?


Alrighty then,

Thomas.

Information forwarded to debian-bugs-dist@lists.debian.org, Daniel Kobras <kobras@debian.org>:
Bug#580095; Package libmpg123-0. (Thu, 13 May 2010 08:27:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to gregor herrmann <gregoa@debian.org>:
Extra info received and forwarded to list. Copy sent to Daniel Kobras <kobras@debian.org>. (Thu, 13 May 2010 08:27:03 GMT) Full text and rfc822 format available.

Message #87 received at 580095@bugs.debian.org (full text, mbox):

From: gregor herrmann <gregoa@debian.org>
To: Thomas Orgis <thomas-forum@orgis.org>
Cc: Daniel Kobras <kobras@debian.org>, 580095@bugs.debian.org
Subject: Re: Bug#580095: libmpg123-0: *** glibc detected *** /usr/bin: free(): invalid pointer: 0xb7c29098 ***
Date: Thu, 13 May 2010 10:26:13 +0200
On Wed, 12 May 2010 16:51:48 +0200, Thomas Orgis wrote:

> > Yup, my test results with the current (vanilla|debian) binary+lib are
> > the same as yours but they are not necessarily the same as my
> > original crashes, and yesterday I haven't systematically tested
> > against the lib from testing.
> > But since I was not able to reliably reproduce the crashes it's no
> > big help anyway ...
> Can you repeat your initial tests with the lot of files to

Will do, but not before Sunday; sorry.

Cheers,
gregor

-- 
 .''`.   http://info.comodo.priv.at/ -- GPG key IDs: 0x8649AA06, 0x00F3CFE4
 : :' :  Debian GNU/Linux user, admin, & developer - http://www.debian.org/
 `. `'   Member of VIBE!AT & SPI, fellow of Free Software Foundation Europe
   `-    BOFH excuse #62:  need to wrap system in aluminum foil to fix problem 

Information forwarded to debian-bugs-dist@lists.debian.org, Daniel Kobras <kobras@debian.org>:
Bug#580095; Package libmpg123-0. (Wed, 19 May 2010 20:45:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to gregor herrmann <gregoa@debian.org>:
Extra info received and forwarded to list. Copy sent to Daniel Kobras <kobras@debian.org>. (Wed, 19 May 2010 20:45:03 GMT) Full text and rfc822 format available.

Message #92 received at 580095@bugs.debian.org (full text, mbox):

From: gregor herrmann <gregoa@debian.org>
To: Thomas Orgis <thomas-forum@orgis.org>
Cc: Daniel Kobras <kobras@debian.org>, 580095@bugs.debian.org
Subject: Re: Bug#580095: libmpg123-0: *** glibc detected *** /usr/bin: free(): invalid pointer: 0xb7c29098 ***
Date: Wed, 19 May 2010 22:40:08 +0200
On Wed, 12 May 2010 16:51:48 +0200, Thomas Orgis wrote:

> Poke, poke.

Sorry for the delay, now I found some time for playing with the
flags.
 
> Can you repeat your initial tests with the lot of files to
>   a) reproduce at least one original crash with the stock mpg123
>   b) confirm (or) not that you do not manage to produce that crash with self-built mpg123
> ?

I was not able to reproduce the original crash with the vanilla (lib)mpg123.
 
> Then... the obvious way would be to find out which one of the
> hardened flags Daniel mentioned breaks mpg123. So... write a script
> that iterates over the flags, and builds mpg123 with a reasonable
> subset of the combinations.
> 
> CFLAGS=... ./configure ... --with-optimization=0  # The latter option to really only use your CFLAGS.

I can reproduce the crash reliably with the CFLAGS and LDFLAGS from
Daniel's mail.

The minimal change to make the crash go away is to remove "-pie" from
LDFLAGS.

I'm attaching a log of my attempts.

HTH,
gregor

-- 
 .''`.   http://info.comodo.priv.at/ -- GPG key IDs: 0x8649AA06, 0x00F3CFE4
 : :' :  Debian GNU/Linux user, admin, & developer - http://www.debian.org/
 `. `'   Member of VIBE!AT & SPI, fellow of Free Software Foundation Europe
   `-    
[log.gz (application/octet-stream, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Daniel Kobras <kobras@debian.org>:
Bug#580095; Package libmpg123-0. (Thu, 20 May 2010 15:24:08 GMT) Full text and rfc822 format available.

Acknowledgement sent to Thomas Orgis <thomas-forum@orgis.org>:
Extra info received and forwarded to list. Copy sent to Daniel Kobras <kobras@debian.org>. (Thu, 20 May 2010 15:24:09 GMT) Full text and rfc822 format available.

Message #97 received at 580095@bugs.debian.org (full text, mbox):

From: Thomas Orgis <thomas-forum@orgis.org>
To: gregor herrmann <gregoa@debian.org>
Cc: Daniel Kobras <kobras@debian.org>, 580095@bugs.debian.org
Subject: Re: Bug#580095: libmpg123-0: *** glibc detected *** /usr/bin: free(): invalid pointer: 0xb7c29098 ***
Date: Thu, 20 May 2010 17:21:30 +0200
Am Wed, 19 May 2010 22:40:08 +0200
schrieb gregor herrmann <gregoa@debian.org>: 

> The minimal change to make the crash go away is to remove "-pie" from
> LDFLAGS.

So, we have some textrel issues, I suppose. I fail to see how mpg123 triggers that, though. One observation I have, again in a VM with debian unstable. Using only the hardened CFLAGS / LDFLAGS Daniel mentioned via

CFLAGS=... LDFLAGS=... ./configure --with-optimization=0 --with-cpu=generic && make

I observe crashes of 

	src/mpg123 -t drum.mp3

for the build with the standard gcc (4.4) ... also for gcc-4.3 ... but not when using gcc-4.1 .
I did not watch the history of the PIC/PIE stuff and what exactly changed in the gcc versions, but, might that be an indication of an issue with the compiler?


Alrighty then,

Thomas.

PS: Gregor... I might be lost here: How is the reproducibility of the original crash now (with the mpg123 from debian)?

Information forwarded to debian-bugs-dist@lists.debian.org, Daniel Kobras <kobras@debian.org>:
Bug#580095; Package libmpg123-0. (Fri, 21 May 2010 23:54:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to William Pitcock <nenolod@dereferenced.org>:
Extra info received and forwarded to list. Copy sent to Daniel Kobras <kobras@debian.org>. (Fri, 21 May 2010 23:54:03 GMT) Full text and rfc822 format available.

Message #102 received at 580095@bugs.debian.org (full text, mbox):

From: William Pitcock <nenolod@dereferenced.org>
To: 580095@bugs.debian.org, control@bugs.debian.org
Subject: Re: Bug#580095: libmpg123-0: *** glibc detected *** /usr/bin/mpg123.bin: free(): invalid pointer: 0xb7c29098 ***
Date: Sat, 22 May 2010 03:43:28 +0400 (MSD)
tags 580095 + patch
thanks

Hi,

This is due to a memory alignment issue in the way that the struct is packed.
With some help from an affected user, we bisected it to mpg123 SVN r2491.

When r2491 is backed out (using the attached patch), this bug does not show up.

The reason why is because some of the assembly decoders and also the reference
decoders expect the memory to be aligned.  If this is not true, it writes to
memory outside of the array, causing subtle heap corruption.

Valgrind does not appear to work because the assembly decoders do not get chosen,
which have a higher likelihood of triggering the bug.

William
[mpg123-force-alignment.patch (text/x-patch, attachment)]

Added tag(s) patch. Request was from William Pitcock <nenolod@dereferenced.org> to control@bugs.debian.org. (Fri, 21 May 2010 23:54:05 GMT)

Information forwarded to debian-bugs-dist@lists.debian.org, Daniel Kobras <kobras@debian.org>:
Bug#580095; Package libmpg123-0. (Sat, 22 May 2010 00:30:03 GMT)

Acknowledgement sent to gregor herrmann <gregoa@debian.org>:
Extra info received and forwarded to list. Copy sent to Daniel Kobras <kobras@debian.org>. (Sat, 22 May 2010 00:30:03 GMT)

Message #109 received at 580095@bugs.debian.org:

From: gregor herrmann <gregoa@debian.org>
To: William Pitcock <nenolod@dereferenced.org>, 580095@bugs.debian.org
Cc: Thomas Orgis <thomas-forum@orgis.org>
Subject: Re: Bug#580095: libmpg123-0: *** glibc detected *** /usr/bin/mpg123.bin: free(): invalid pointer: 0xb7c29098 ***
Date: Sat, 22 May 2010 02:27:32 +0200
On Sat, 22 May 2010 03:43:28 +0400, William Pitcock wrote:

> This is due to a memory alignment issue in the way that the struct is packed.
> With some help from an affected user, we bisected it to mpg123 SVN r2491.
> 
> When r2491 is backed out (using the attached patch), this bug does not show up.

I've rebuilt and installed the Debian package with this patch, and I
can confirm that I don't see any crashes anymore.
 
Cheers,
gregor

-- 
 .''`.   http://info.comodo.priv.at/ -- GPG key IDs: 0x8649AA06, 0x00F3CFE4
 : :' :  Debian GNU/Linux user, admin, & developer - http://www.debian.org/
 `. `'   Member of VIBE!AT & SPI, fellow of Free Software Foundation Europe
   `-    

Information forwarded to debian-bugs-dist@lists.debian.org, Daniel Kobras <kobras@debian.org>:
Bug#580095; Package libmpg123-0. (Sat, 22 May 2010 11:36:03 GMT)

Acknowledgement sent to Thomas Orgis <thomas-forum@orgis.org>:
Extra info received and forwarded to list. Copy sent to Daniel Kobras <kobras@debian.org>. (Sat, 22 May 2010 11:36:03 GMT)

Message #114 received at 580095@bugs.debian.org:

From: Thomas Orgis <thomas-forum@orgis.org>
To: William Pitcock <nenolod@dereferenced.org>, 580095@bugs.debian.org
Subject: Re: Bug#580095: libmpg123-0: *** glibc detected *** /usr/bin/mpg123.bin: free(): invalid pointer: 0xb7c29098 ***
Date: Sat, 22 May 2010 13:33:25 +0200
On Sat, 22 May 2010 03:43:28 +0400 (MSD),
William Pitcock <nenolod@dereferenced.org> wrote:

> This is due to a memory alignment issue in the way that the struct is packed.
> With some help from an affected user, we bisected it to mpg123 SVN r2491.

OK, that revision replaced aligned memory blocks that relied on special
compiler support with manually aligned pointers, that potentially work
on any C compiler. If there is something un-aligned, this is a serious
bug in my code there. That was the whole point.

> The reason why is because some of the assembly decoders and also the reference
> decoders expect the memory to be aligned.  If this is not true, it writes to
> memory outside of the array, causing subtle heap corruption.

Can you point out what piece of code writes to outside the array? That
sounds like I miscalculated some buffer size. Or it was already wrong
in the old code, but for some reason there's been padding that has
hidden the issue.
So... are we talking about unaligned access or about buffer overflow?
Your explanations suggest the latter.


Alrighty then,

Thomas.

PS: I wonder if I should nag someone to change the debian bug tracker
web interface... it filters the messages for things like hyper links,
but still puts the messages into <pre>, which prevents automatic
paragraph wrapping in browsers (that don't offer a special switch for
that, like the pre wrapping firefox plugin). It should let the text
float, instead of imposing whatever line length people use onto every
web user.




Information forwarded to debian-bugs-dist@lists.debian.org, Daniel Kobras <kobras@debian.org>:
Bug#580095; Package libmpg123-0. (Sat, 22 May 2010 22:45:03 GMT)

Acknowledgement sent to William Pitcock <nenolod@dereferenced.org>:
Extra info received and forwarded to list. Copy sent to Daniel Kobras <kobras@debian.org>. (Sat, 22 May 2010 22:45:03 GMT)

Message #119 received at 580095@bugs.debian.org:

From: William Pitcock <nenolod@dereferenced.org>
To: Thomas Orgis <thomas-forum@orgis.org>
Cc: 580095@bugs.debian.org
Subject: Re: Bug#580095: libmpg123-0: *** glibc detected *** /usr/bin/mpg123.bin: free(): invalid pointer: 0xb7c29098 ***
Date: Sun, 23 May 2010 02:41:04 +0400 (MSD)
Hi,

----- "Thomas Orgis" <thomas-forum@orgis.org> wrote:

> On Sat, 22 May 2010 03:43:28 +0400 (MSD),
> William Pitcock <nenolod@dereferenced.org> wrote:
> 
> > This is due to a memory alignment issue in the way that the struct is packed.
> > With some help from an affected user, we bisected it to mpg123 SVN r2491.
> 
> OK, that revision replaced aligned memory blocks that relied on special
> compiler support with manually aligned pointers, that potentially work
> on any C compiler. If there is something un-aligned, this is a serious
> bug in my code there. That was the whole point.

Understandable.

> > The reason why is because some of the assembly decoders and also the reference
> > decoders expect the memory to be aligned.  If this is not true, it writes to
> > memory outside of the array, causing subtle heap corruption.
> 
> Can you point out what piece of code writes to outside the array? That
> sounds like I miscalculated some buffer size. Or it was already wrong
> in the old code, but for some reason there's been padding that has
> hidden the issue.
> So... are we talking about unaligned access or about buffer overflow?
> Your explanations suggest the latter.

Both.  I believe this is caused by a bug where the pointers appear to
become realigned twice (e.g. to the next 16 bytes.) So I believe the
second realignment is a bug that has always been there.

It is true that the fraction blocks are "padded" in r2149, this is due to
the fact that the blocks were in stack memory so they had as much padding as
they pretty much wanted, provided that accesses didn't go past the stack
boundary (usually 4M on i386, 16M on x86-64.)

So there is a bug here, but for the time being there are two easy ways to
fix this bug as far as Debian is concerned:

* Reversion of r2491 (the patch supplied does that)
* Adding additional padding to the code (make it 64 bytes to ensure that
  the block is cache-aligned)

If you would like me to prepare a new patch that adds additional padding,
please let me know.  It appears that you made some progress in that direction
on the IRC channel this morning; I was out of office until the afternoon.

William




Information forwarded to debian-bugs-dist@lists.debian.org, Daniel Kobras <kobras@debian.org>:
Bug#580095; Package libmpg123-0. (Sun, 23 May 2010 03:30:03 GMT)

Acknowledgement sent to Thomas Orgis <thomas-forum@orgis.org>:
Extra info received and forwarded to list. Copy sent to Daniel Kobras <kobras@debian.org>. (Sun, 23 May 2010 03:30:03 GMT)

Message #124 received at 580095@bugs.debian.org:

From: Thomas Orgis <thomas-forum@orgis.org>
To: William Pitcock <nenolod@dereferenced.org>, gregor herrmann <gregoa@debian.org>
Cc: 580095@bugs.debian.org
Subject: Re: Bug#580095: libmpg123-0: *** glibc detected *** /usr/bin/mpg123.bin: free(): invalid pointer: 0xb7c29098 ***
Date: Sun, 23 May 2010 05:26:47 +0200
On Sun, 23 May 2010 02:41:04 +0400 (MSD),
William Pitcock <nenolod@dereferenced.org> wrote:

> Both.  I believe this is caused by a bug where the pointers appear to
> become realigned twice (e.g. to the next 16 bytes.) So I believe the
> second realignment is a bug that has always been there.

Though that assumption proved not to hit the nail exactly, you managed
to kick me in the correct direction: There indeed is an issue with the
alignment. The humble truth is that my alignment math breaks for
pointer addresses that don't fit into ptrdiff_t (which is present
implicitly in the (pointer-NULL)%alignment computation) ... which the
hardening of Debian manages -- malloc returns stuff in the upper half
of the address space, while other systems return somewhat smaller
pointer values.

I fixed the pointer alignment code now to operate on the pointer value
via uintptr_t, which should be "proper" enough. It fixes the crash in
my virtual machine.

Please have a go with
http://mpg123.org/download/mpg123-1.12.2-preview.tar.bz2

This is 1.12.1 with this urgent fix together with other build fixes and
one internal improvement of the feeder API (used by the xmms2 plugin
and hopefully soon my MPlayer, but not mpg123 itself). I'll rework that
memory management part with mpg123 1.13 to be more efficient with
storage, but opted to play it safe with minimal modification for
1.12.2 .

Please give this version a full treatment to make sure that I nailed it
this time... an official release will follow quickly after some
confirmation.


Alrighty then,

Thomas.

PS: While nenolod has more mighty tools at his disposal, I still want
to mention that running every app through a little test after linking
with -lduma (apt-get install duma) could work wonders... this catches
the memory corruption right at the first invalid access outside of a
specific allocated region -- at least it did in this case.
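
The alignment failure described in the message above, as an added example that is not part of the thread and is not mpg123's code: it models a 32-bit process with uint32_t addresses and compares the signed (pointer-NULL)%alignment remainder with the unsigned one. The adjustment formula, the 16 bytes of padding, the 512-byte buffer and both base addresses are assumptions constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Model of a 32-bit process so this runs identically on any host:
   addresses are uint32_t, and a 32-bit ptrdiff_t holding (p - NULL)
   has the same bits read as a signed value. */
static int64_t as_ptrdiff32(uint32_t addr)
{
    return addr >= 0x80000000u ? (int64_t)addr - 4294967296LL : (int64_t)addr;
}

/* Signed math: for an address in the upper half the difference is negative,
   and C99 '%' truncates toward zero, so the remainder is negative too. */
static uint32_t align_signed(uint32_t addr, uint32_t alignment)
{
    int64_t off = as_ptrdiff32(addr) % (int64_t)alignment;
    if (off != 0)   /* assumed adjustment: step forward by alignment - off */
        addr = (uint32_t)((int64_t)addr + (int64_t)alignment - off);
    return addr;
}

/* Unsigned math on the pointer value (the uintptr_t approach). */
static uint32_t align_unsigned(uint32_t addr, uint32_t alignment)
{
    uint32_t off = addr % alignment;
    return off ? addr + (alignment - off) : addr;
}

/* Bytes used past the end of a block of need + pad bytes starting at base. */
static uint32_t overrun(uint32_t base, uint32_t aligned, uint32_t need, uint32_t pad)
{
    uint32_t alloc_end = base + need + pad;
    uint32_t used_end = aligned + need;
    return used_end > alloc_end ? used_end - alloc_end : 0;
}

int main(void)
{
    /* Constructed sample values, not taken from the bug report. */
    const uint32_t bases[] = { 0x08c00008u, 0xb7c00008u };
    const uint32_t alignment = 16, need = 512, pad = 16;

    for (unsigned i = 0; i < 2; i++) {
        uint32_t s = align_signed(bases[i], alignment);
        uint32_t u = align_unsigned(bases[i], alignment);
        printf("base 0x%08x: signed 0x%08x (overrun %u), unsigned 0x%08x (overrun %u)\n",
               (unsigned)bases[i],
               (unsigned)s, (unsigned)overrun(bases[i], s, need, pad),
               (unsigned)u, (unsigned)overrun(bases[i], u, need, pad));
    }
    return 0;
}
```

In this model the signed variant still returns a 16-byte-aligned address, but one full alignment step too far, so the error shows up as a write past the end of the block rather than as a misaligned access.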




Information forwarded to debian-bugs-dist@lists.debian.org, Daniel Kobras <kobras@debian.org>:
Bug#580095; Package libmpg123-0. (Sun, 23 May 2010 13:09:03 GMT)

Acknowledgement sent to gregor herrmann <gregoa@debian.org>:
Extra info received and forwarded to list. Copy sent to Daniel Kobras <kobras@debian.org>. (Sun, 23 May 2010 13:09:04 GMT)

Message #129 received at 580095@bugs.debian.org:

From: gregor herrmann <gregoa@debian.org>
To: Thomas Orgis <thomas-forum@orgis.org>
Cc: William Pitcock <nenolod@dereferenced.org>, 580095@bugs.debian.org
Subject: Re: Bug#580095: libmpg123-0: *** glibc detected *** /usr/bin/mpg123.bin: free(): invalid pointer: 0xb7c29098 ***
Date: Sun, 23 May 2010 15:05:29 +0200
On Sun, 23 May 2010 05:26:47 +0200, Thomas Orgis wrote:

> I fixed the pointer alignment code now to operate on the pointer value
> via uintptr_t, which should be "proper" enough. It fixes the crash in
> my virtual machine.

Cool!
 
> Please have a go with
> http://mpg123.org/download/mpg123-1.12.2-preview.tar.bz2
[..]
> Please give this version a full treatment to make sure that I nailed it
> this time... an official release will follow quickly after some
> confirmation.

I've built and installed an updated debian package with
1.12.2-preview, and I haven't seen any crashes so far.

Cheers,
gregor

-- 
 .''`.   http://info.comodo.priv.at/ -- GPG key IDs: 0x8649AA06, 0x00F3CFE4
 : :' :  Debian GNU/Linux user, admin, & developer - http://www.debian.org/
 `. `'   Member of VIBE!AT & SPI, fellow of Free Software Foundation Europe
   `-    

Reply sent to Daniel Kobras <kobras@debian.org>:
You have taken responsibility. (Fri, 11 Jun 2010 21:45:07 GMT)

Notification sent to gregor herrmann <gregoa@debian.org>:
Bug acknowledged by developer. (Fri, 11 Jun 2010 21:45:08 GMT)

Message #134 received at 580095-close@bugs.debian.org:

From: Daniel Kobras <kobras@debian.org>
To: 580095-close@bugs.debian.org
Subject: Bug#580095: fixed in mpg123 1.12.1-2
Date: Fri, 11 Jun 2010 21:42:20 +0000
Source: mpg123
Source-Version: 1.12.1-2

We believe that the bug you reported is fixed in the latest version of
mpg123, which is due to be installed in the Debian FTP archive:

libmpg123-0_1.12.1-2_amd64.deb
  to main/m/mpg123/libmpg123-0_1.12.1-2_amd64.deb
libmpg123-dev_1.12.1-2_amd64.deb
  to main/m/mpg123/libmpg123-dev_1.12.1-2_amd64.deb
mpg123-alsa_1.12.1-2_amd64.deb
  to main/m/mpg123/mpg123-alsa_1.12.1-2_amd64.deb
mpg123-esd_1.12.1-2_amd64.deb
  to main/m/mpg123/mpg123-esd_1.12.1-2_amd64.deb
mpg123-nas_1.12.1-2_amd64.deb
  to main/m/mpg123/mpg123-nas_1.12.1-2_amd64.deb
mpg123_1.12.1-2.diff.gz
  to main/m/mpg123/mpg123_1.12.1-2.diff.gz
mpg123_1.12.1-2.dsc
  to main/m/mpg123/mpg123_1.12.1-2.dsc
mpg123_1.12.1-2_amd64.deb
  to main/m/mpg123/mpg123_1.12.1-2_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 580095@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Daniel Kobras <kobras@debian.org> (supplier of updated mpg123 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Wed, 09 Jun 2010 21:40:23 +0200
Source: mpg123
Binary: mpg123 libmpg123-0 libmpg123-dev mpg123-oss-i486 mpg123-oss-3dnow mpg123-esd mpg123-nas mpg123-alsa
Architecture: source amd64
Version: 1.12.1-2
Distribution: unstable
Urgency: low
Maintainer: Daniel Kobras <kobras@debian.org>
Changed-By: Daniel Kobras <kobras@debian.org>
Description: 
 libmpg123-0 - MPEG layer 1/2/3 audio decoder -- runtime library
 libmpg123-dev - MPEG layer 1/2/3 audio decoder -- development files
 mpg123     - MPEG layer 1/2/3 audio player
 mpg123-alsa - MPEG layer 1/2/3 audio player with ALSA support - dummy package
 mpg123-esd - MPEG layer 1/2/3 audio player with Esound support - dummy package
 mpg123-nas - MPEG layer 1/2/3 audio player with NAS support - dummy package
 mpg123-oss-3dnow - MPEG layer 1/2/3 audio player for 3DNow! machines - dummy package
 mpg123-oss-i486 - MPEG layer 1/2/3 audio player for i486 machines - dummy package
Closes: 580095
Changes: 
 mpg123 (1.12.1-2) unstable; urgency=low
 .
   * configure.ac, src/libmpg123/frame.c: Apply backport of upstream patch
     to fix calculation of pointer alignment on 32bit archs. Many thanks
     to William Pitcock, Gregor Herrmann, and upstream author Thomas Orgis
     for tracking down this problem. Closes: #580095
   * debian/rules: Run autoreconf to rebuild configure script after
     having applied above patch. In clean target, remove any files
     altered by autoreconf.
   * debian/control: Build-depend on automake and autoconf for autoreconf.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAkwP8bQACgkQpOKIA4m/fitu5ACfUA5uXQ3vKIbfmSJfEV9W+zDJ
d3QAn0GtG1ZSxawKtliqiQR7OugRUpDh
=VY7B
-----END PGP SIGNATURE-----





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 14 Jul 2010 07:39:26 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Apr 16 08:17:16 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.