[Live-devel] Segmentation fault in DelayQueue::removeEntry(DelayQueueEntry*)

Jeremy Noring kidjan at gmail.com
Fri Nov 4 11:50:40 PDT 2011 

On Fri, Nov 4, 2011 at 7:10 AM, Ross Finlayson <finlayson at live555.com>wrote:

>  Looking at the code here
> http://www.live555.com/liveMedia/doxygen/html/DelayQueue_8cpp-source.html I
> see this:
>
> 00153 <http://www.live555.com/liveMedia/doxygen/html/classDelayQueue.html#da6c5403a9e0e40945dc2e14d0e39435> void DelayQueue::removeEntry <http://www.live555.com/liveMedia/doxygen/html/classDelayQueue.html#da6c5403a9e0e40945dc2e14d0e39435>(DelayQueueEntry <http://www.live555.com/liveMedia/doxygen/html/classDelayQueueEntry.html>* entry) {00154   if (entry == NULL <http://www.live555.com/liveMedia/doxygen/html/UsageEnvironment_8hh.html#070d2ce7b6bb7e5c05602aa8c308d0c4> || entry->fNext <http://www.live555.com/liveMedia/doxygen/html/classDelayQueueEntry.html#3a2ccdcdcac760623833136b5ced2410> == NULL <http://www.live555.com/liveMedia/doxygen/html/UsageEnvironment_8hh.html#070d2ce7b6bb7e5c05602aa8c308d0c4>) return;00155   00156   entry->fNext <http://www.live555.com/liveMedia/doxygen/html/classDelayQueueEntry.html#3a2ccdcdcac760623833136b5ced2410>->fDeltaTimeRemaining <http://www.live555.com/liveMedia/doxygen/html/classDelayQueueEntry.html#68a7578179260ad40cb4f8fbde38e491> += entry->fDeltaTimeRemaining <http://www.live555.com/liveMedia/doxygen/html/classDelayQueueEntry.html#68a7578179260ad40cb4f8fbde38e491>;00157   entry->fPrev <http://www.live555.com/liveMedia/doxygen/html/classDelayQueueEntry.html#9bafd3137d60cd3b5cef4298a01644fd>->fNext <http://www.live555.com/liveMedia/doxygen/html/classDelayQueueEntry.html#3a2ccdcdcac760623833136b5ced2410> = entry->fNext <http://www.live555.com/liveMedia/doxygen/html/classDelayQueueEntry.html#3a2ccdcdcac760623833136b5ced2410>;00158   entry->fNext <http://www.live555.com/liveMedia/doxygen/html/classDelayQueueEntry.html#3a2ccdcdcac760623833136b5ced2410>->fPrev <http://www.live555.com/liveMedia/doxygen/html/classDelayQueueEntry.html#9bafd3137d60cd3b5cef4298a01644fd> = entry->fPrev <http://www.live555.com/liveMedia/doxygen/html/classDelayQueueEntry.html#9bafd3137d60cd3b5cef4298a01644fd>;00159   entry->fNext <http://www.live555.com/liveMedia/doxygen/html/classDelayQueueEntry.html#3a2ccdcdcac760623833136b5ced2410> = entry->fPrev <http://www.live555.com/liveMedia/doxygen/html/classDelayQueueEntry.html#9bafd3137d60cd3b5cef4298a01644fd> = NULL <http://www.live555.com/liveMedia/doxygen/html/UsageEnvironment_8hh.html#070d2ce7b6bb7e5c05602aa8c308d0c4>;00160   // in case we should try to remove it again00161 }
>
>
> I think the first if could produce a wrong memory access if entry is NULL.
> Is that correct?
>
>
> No, because the statement at line 154 quite clearly tests for "entry ==
> NULL", and returns if it is.
>

Is it possible that entry->fPrev is null?  I notice it checks entry and
fnext, but not fprev.  But on line 157, it pretty clearly attempts to
dereference both fPrev and fPrev->fNext.  Also, it dereferences
entry->fNext->fPrev, which could (in theory) be null.

Not familiar with the code, so maybe there's no problem with any of this,
but seems like ample opportunities for segmentation fault that aren't
caught by the statement at like 154.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.live555.com/pipermail/live-devel/attachments/20111104/fddeb2de/attachment.html>

More information about the live-devel mailing list