mediaserverd crashes when accessing .hasProtectedContent property

Originator: thomas.mellenthin
Number: rdar://14056496
Date Originated: 06/04/2013
Status: Duplicate
Resolved:
Product: iOS SDK
Product Version: 6.1.3
Classification: Crash/Hang/Data Loss
Reproducible: Always
 
21-Jun-2013 12:03 AM: Duplicate of 13128817 which is currently open.


-----------[ original description ]----------
Summary:

Accessing the .hasProtectedContent property of AVURLAsset may cause a crash in
mediaserverd. The crash happens with a specific music file which is not
DRM-protected, but has invalid ID3 information at the beginning (see
attachment Track_01.mp3).


Steps to Reproduce:

Import the sample file (Track_01.mp3) into the iOS media library using iTunes.

Perform an MPMediaQuery and access the .hasProtectedContent property. I.e.:

	MPMediaItem *item = [query.items objectAtIndex: position];
	NSURL *assetURL = [item valueForProperty: MPMediaItemPropertyAssetURL];
	AVURLAsset *songAsset = [AVURLAsset URLAssetWithURL:assetURL options:nil];

	if (songAsset.hasProtectedContent) /* <-- mediaserverd crashes here */
		NSLog(@"Item %d: %@ is DRM protected.", position, assetURL.absoluteString);



Expected Results:

- mediaserverd must not crash
- as the sample file is not DRM protected, the property should return NO
- the iOS music player App should be able to playback the file


Actual Results:

- mediaserverd crashes, see the stacktrace below (a full crash report is
  attached)
- The device UI will block for a moment and a crash report of mediaserverd is
  issued (see the device log).
- Not only my app is affected but the whole iOS UI including SpringBoard.
- The iOS music player app is affected too: Playback is not possible, the UI
  blocks and mediaserverd crashes.

Here is a stacktrace of the crashing thread in mediaserverd (a full crash report
is attached)

Thread 20 name:  Dispatch queue: URLAssetWorkQueue
Thread 20 Crashed:
0   CoreFoundation                  0x33311a42 CFDictionaryGetValue + 10
1   AudioToolbox                    0x32eb1fc0 ID3FileStream::ProcessCommentFrame() + 136
2   AudioToolbox                    0x32eb1924 ID3FileStream::ParseHeader(AudioFileStreamContinuation&) + 2584
3   AudioToolbox                    0x32e4d1e2 AudioFileStreamWrapper::ParseBytes(unsigned long, void const*, unsigned long) + 154
4   AudioToolbox                    0x32e4aa30 AudioFileStreamParseBytes + 132
5   MediaToolbox                    0x3448ba84 PushBytesThroughParser + 392
6   MediaToolbox                    0x3448afa6 FigAudioFileStreamFormatReaderCreateFromStream + 886
7   MediaToolbox                    0x3448e7e6 InstantiateAudioFileStreamFormatReader + 98
8   MediaToolbox                    0x343fd7b0 instantiateFormatReader + 48
9   MediaToolbox                    0x343fcf1a FigFormatReaderCreateForStream + 218
10  MediaToolbox                    0x3456cf80 EnsureFormatReaderCreated + 364
11  MediaToolbox                    0x3456dac8 EnsureTracksArrayCreated + 44
12  MediaToolbox                    0x3456f280 ProduceFormatReaderAssetProperty + 60
13  MediaToolbox                    0x3456ba2c URLAssetPropertyWorkFunction + 232
14  libdispatch.dylib               0x3b696eca _dispatch_queue_drain$VARIANT$mp + 138
15  libdispatch.dylib               0x3b696dbc _dispatch_queue_invoke$VARIANT$mp + 36
16  libdispatch.dylib               0x3b69791a _dispatch_root_queue_drain + 182
17  libdispatch.dylib               0x3b697abc _dispatch_worker_thread2 + 80
18  libsystem_c.dylib               0x3b6c7a0e _pthread_wqthread + 358
19  libsystem_c.dylib               0x3b6c78a0 start_wqthread + 4


Regression:

Unknown.

Notes:

The sample file may be broken and I understand that Apple cannot take care of
all badly encoded music files in the world. But there might be many files out
there encoded with this buggy software and many users might be affected.

The file plays back on Mac OS X 10.8.2 without problems (Quicklook, iTunes).

The OS X info window (Finder: go to file, cmd-i) displays the comment field
as "RCK". Maybe there is a wrong offset, because this is the id of the next
field TRCK (see hexdump "Created by GripTRCK").

00000000  49 44 33 04 00 00 00 00  09 06 54 49 54 32 00 00  |ID3.......TIT2..|
00000010  00 0e 00 00 03 54 69 6d  65 20 54 6f 20 52 65 6c  |.....Time To Rel|
00000020  61 78 54 50 45 31 00 00  00 0e 00 00 03 54 68 65  |axTPE1.......The|
00000030  20 4f 66 66 73 70 72 69  6e 67 54 41 4c 42 00 00  | OffspringTALB..|
00000040  00 06 00 00 03 53 6d 61  73 68 54 43 4f 4e 00 00  |.....SmashTCON..|
00000050  00 06 00 00 03 28 31 32  31 29 43 4f 4d 4d 00 00  |.....(121)COMM..|
00000060  00 11 00 00 03 00 43 72  65 61 74 65 64 20 62 79  |......Created by|
00000070  20 47 72 69 70 54 52 43  4b 00 00 00 02 00 00 03  | GripTRCK.......|
00000080  31 54 52 44 43 00 00 00  05 00 00 03 31 39 39 34  |1TRDC.......1994|
00000090  43 4f 4d 4d 00 00 00 68  00 00 00 65 6e 67 69 54  |COMM...h...engiT|
000000a0  75 6e 4e 4f 52 4d 00 20  30 30 30 30 30 30 42 46  |unNORM. 000000BF|
000000b0  20 30 30 30 30 30 30 44  39 20 30 30 30 30 30 37  | 000000D9 000007|
000000c0  31 38 20 30 30 30 30 30  38 35 43 20 30 30 30 30  |18 0000085C 0000|
000000d0  33 43 44 43 20 30 30 30  30 33 43 44 43 20 30 30  |3CDC 00003CDC 00|
000000e0  30 30 34 45 36 31 20 30  30 30 30 35 33 43 41 20  |004E61 000053CA |
000000f0  30 30 30 30 30 32 35 42  20 30 30 30 30 30 32 35  |0000025B 0000025|
00000100  42 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |B...............|
00000110  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
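
The hexdump above can be walked frame by frame to see how the first COMM frame (offset 0x5a) departs from the ID3v2.4 COMM layout of encoding byte, 3-byte language, terminated description, text. This is an added example, not part of the original report and not Apple's parser; it assumes a tag with no extended header or unsynchronisation, and the names `synchsafe`, `check_comm` and `walk` are illustrative.

```python
# Constructed input: bytes 0x000-0x10f of the hexdump in the report, retyped.
TAG = bytes.fromhex(
    "49443304000000000906544954320000000e00000354696d6520546f2052656c"
    "6178545045310000000e000003546865204f6666737072696e6754414c420000"
    "0006000003536d61736854434f4e000000060000032831323129434f4d4d0000"
    "0011000003004372656174656420627920477269705452434b00000002000003"
    "31545244430000000500000331393934434f4d4d00000068000000656e676954"
    "756e4e4f524d0020303030303030424620303030303030443920303030303037"
    "3138203030303030383543203030303033434443203030303033434443203030"
    "3030344536312030303030353343412030303030303235422030303030303235"
    "42000000000000000000000000000000")

def synchsafe(b):
    """Decode a 4-byte ID3v2.4 synchsafe integer (7 bits per byte)."""
    if any(x & 0x80 for x in b):
        raise ValueError("high bit set in synchsafe size")
    return b[0] << 21 | b[1] << 14 | b[2] << 7 | b[3]

def check_comm(body):
    """List layout problems in a COMM body (encoding, language, description, text)."""
    if len(body) < 5:
        return ["too short for encoding + language + terminator"]
    enc, lang, rest, problems = body[0], body[1:4], body[4:], []
    if enc > 3:
        problems.append("unknown text encoding")
    if not all(0x20 <= c < 0x7f for c in lang):
        problems.append("language is not 3 printable ASCII bytes")
    step = 2 if enc in (1, 2) else 1                  # UTF-16 uses a 2-byte terminator
    if not any(rest[i:i + step] == b"\x00" * step for i in range(0, len(rest), step)):
        problems.append("description not terminated inside the frame")
    return problems

def walk(data):
    """Yield (offset, frame_id, problems), never reading past the declared bounds."""
    if len(data) < 10 or data[:3] != b"ID3" or data[3] != 4:
        raise ValueError("not an ID3v2.4 tag")
    end, pos = min(10 + synchsafe(data[6:10]), len(data)), 10  # clamp to bytes held
    while pos + 10 <= end and data[pos] != 0:         # a zero byte starts the padding
        fid = data[pos:pos + 4].decode("ascii", "replace")
        size = synchsafe(data[pos + 4:pos + 8])
        if pos + 10 + size > end:
            yield pos, fid, ["frame size runs past end of tag"]
            return
        body = data[pos + 10:pos + 10 + size]
        yield pos, fid, check_comm(body) if fid == "COMM" else []
        pos += 10 + size

if __name__ == "__main__":
    for off, fid, problems in walk(TAG):
        print(f"{off:#06x} {fid} {problems or 'ok'}")
```

On these bytes the COMM frame at 0x5a is flagged for both its language field and its missing description terminator, while the iTunNORM COMM frame at 0x90 passes.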
