[Live-devel] testRTSPClient heap corruption

[Ross Finlayson]

Guy Bonneau wrote:

> I took a fast look at your issue and I believe I might have found the cause of the corruption. Put a breakpoint at line 1263 of file RTSPClient.cpp. This line should be:
>  
>   client->connectionHandler1();
>  
> Set testRTSPClient as the starting application of the solution and setup the argument in the debug property dialog. The run and wait for the timeout to occur. You will break at line 1263 of file RTSPClient. Then trace and debug the code single stepping until you reach line 399 of testRTSPClient.cpp . At this point this is the call stack you should have:
>  
> RTSPClient::connectionHandler (void* instance, int /*mask*/)
> client->connectionHandler1()
>  
> RTSPClient::connectionHandler1()
> handleRequestError(request)
>  
> RTSPClient::handleRequestError(RequestRecord* request)
> if (request->handler() != NULL) (*request->handler())(this, resultCode, strDup(envir().getResultMsg()));
>  
> continueAfterDESCRIBE(RTSPClient* rtspClient, int resultCode, char* resultString)
> shutdownStream(rtspClient);
>  
> void shutdownStream(RTSPClient* rtspClient, int exitCode)
> Medium::close(rtspClient);  //(Breakpoint)
>  
> 
> I might be wrong but this is what I believe might be the issue. The rtspClient object is deleted by Medium::close(rtspClient) in the context of the object still being used.

Yes, Guy has definitely found a potential problem.  The "RTSPClient" code needs to be more careful about not accessing "RTSPClient" object state after calling "handleRequestError()", because of the likelihood (which in fact happens in "testRTSPClient") of the "RTSPClient" object being deleted when the error is handled.

This will be fixed in the next release of the code.


Ross Finlayson
Live Networks, Inc.
http://www.live555.com/

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.live555.com/pipermail/live-devel/attachments/20120426/d4dcaafb/attachment.html>