https://bugzilla.novell.com/show_bug.cgi?id=794331

https://bugzilla.novell.com/show_bug.cgi?id=794331#c0

Summary: pulseaudio segfaults for bluetooth devices
Classification: openSUSE
Product: openSUSE 12.2
Version: Final
Platform: i586
OS/Version: openSUSE 12.2
Status: NEW
Severity: Major
Priority: P5 - None
Component: Sound
AssignedTo: tiwai@suse.com
ReportedBy: ptesarik@suse.com
QAContact: qa-bugs@suse.de
Found By: L3
Blocker: ---

When trying to use a bluetooth headset with the pulseaudio bluetooth module, pulseaudio crashes as soon as the bluetooth device is paired (or at startup if the device is already present before starting pulseaudio).

I have tracked this down to an overflow issue. In short, when endpoint_set_configuration() reads the D-Bus arguments, it reads the "NREC" boolean argument into a variable of type "pa_bool_t", which is only 1 byte long. However, the D-Bus boolean type (as seen on the wire, and as used by libdbus) is always 32 bits long, so this overwrites the following variable on the stack. In my case it happened to be the least significant 24 bits of the path variable, effectively turning it into an invalid pointer and crashing when a strdup is attempted on that string.

Upstream seems to have the same issue:

http://cgit.freedesktop.org/pulseaudio/pulseaudio/tree/src/modules/bluetooth...

But I haven't tested with their version.
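
The size mismatch described in the report, as an added example that is not code from the report or from PulseAudio: a mock reader stores a 32-bit boolean through the caller's pointer, first into a 1-byte slot and then into a correctly sized temporary. The names `wire_bool_t`, `mock_read_boolean`, `read_into_narrow` and `read_via_temporary` are hypothetical, and the stack frame is modelled as a 4-byte array with canary bytes so the spill-over can be observed without undefined behaviour.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef uint32_t wire_bool_t;   /* stand-in for libdbus' 32-bit dbus_bool_t */

enum { NREC_SLOT = 0, FRAME_SIZE = 4, CANARY = 0xAA };

/* Mock D-Bus argument reader (hypothetical): like libdbus, it stores a full
 * 32-bit boolean through the pointer, whatever the pointee's real size. */
static void mock_read_boolean(void *out, wire_bool_t value)
{
    memcpy(out, &value, sizeof value);
}

/* Count bytes after the 1-byte boolean slot that no longer hold the canary. */
static int clobbered_neighbours(const uint8_t *frame)
{
    int n = 0;
    for (int i = NREC_SLOT + 1; i < FRAME_SIZE; i++)
        n += (frame[i] != CANARY);
    return n;
}

/* Pattern from the report: hand the reader the address of a 1-byte variable.
 * frame[] models that byte plus the 3 bytes that follow it on the stack. */
int read_into_narrow(wire_bool_t value)
{
    uint8_t frame[FRAME_SIZE];
    memset(frame, CANARY, sizeof frame);
    mock_read_boolean(&frame[NREC_SLOT], value);  /* 4 bytes into a 1-byte slot */
    return clobbered_neighbours(frame);
}

/* Corrected pattern: read into a variable of the wire type, then narrow. */
int read_via_temporary(wire_bool_t value, uint8_t *nrec_out)
{
    uint8_t frame[FRAME_SIZE];
    wire_bool_t tmp = 0;
    memset(frame, CANARY, sizeof frame);
    mock_read_boolean(&tmp, value);               /* sizes match: no spill */
    frame[NREC_SLOT] = (uint8_t)(tmp != 0);
    *nrec_out = frame[NREC_SLOT];
    return clobbered_neighbours(frame);
}

int main(void)
{
    uint8_t nrec = 0;
    int spilled = read_via_temporary(1, &nrec);
    printf("1-byte target: %d neighbouring bytes overwritten\n", read_into_narrow(1));
    printf("32-bit temporary: %d overwritten, nrec=%u\n", spilled, (unsigned)nrec);
    return 0;
}
```

The three overwritten bytes in the first case correspond to the 24 bits of the neighbouring variable mentioned in the report; the count is the same on little-endian and big-endian hosts.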