[Live-devel] SEGV handling GET_PARAMETER response.
PROMONET Michel
michel.promonet at thalesgroup.com
Fri Feb 8 08:08:19 PST 2013
Hi Ross,
Using an RTSPClient that has a task sending a periodic GET_PARAMETER, a crash sometimes occurs with the following backtrace:
Thread 1 (Thread 24732):
#0 __strlen_sse2 () at ../sysdeps/x86_64/multiarch/../strlen.S:31
#1 0x00000000008291b2 in RTSPClient::handleGET_PARAMETERResponse (this=0x7f6ae04d3490, parameterName=0x7f6ad51aed00 "", resultValueString=@0x7f6abd3c1ee0) at RTSPClient.cpp:1147
#2 0x000000000082b047 in RTSPClient::handleResponseBytes (this=0x7f6ae04d3490, newBytesRead=86) at RTSPClient.cpp:1605
#3 0x0000000000829e8c in RTSPClient::incomingDataHandler1 (this=0x7f6ae04d3490) at RTSPClient.cpp:1376
#4 0x0000000000829dff in RTSPClient::incomingDataHandler (instance=0x7f6ae04d3490) at RTSPClient.cpp:1369
#5 0x000000000086b9cc in BasicTaskScheduler::SingleStep (this=0x7f6ac400f5c0, maxDelayTime=0) at BasicTaskScheduler.cpp:146
#6 0x000000000086a184 in BasicTaskScheduler0::doEventLoop (this=0x7f6ac400f5c0, watchVariable=0x7f6ae05f8d32 "") at BasicTaskScheduler0.cpp:81
In this context we are in RTSPClient.cpp around line 1555:
// If we saw a "Content-Length:" header, then make sure that we have the amount of data that it specified:
unsigned bodyOffset = nextLineStart - headerDataCopy;
bodyStart = &fResponseBuffer[bodyOffset];
numBodyBytes = fResponseBytesAlreadySeen - bodyOffset;
if (contentLength > numBodyBytes) {
gdb says that nextLineStart is NULL, bodyOffset is a big number, and finally bodyStart points to non-allocated memory (which raises a SEGV).
Do you think it is possible to add a check on nextLineStart before using it:
if (nextLineStart != 0)
{
    // If we saw a "Content-Length:" header, then make sure that we have the amount of data that it specified:
    unsigned bodyOffset = nextLineStart - headerDataCopy;
    bodyStart = &fResponseBuffer[bodyOffset];
    numBodyBytes = fResponseBytesAlreadySeen - bodyOffset;
    ....
}
Thanks & Regards,
Michel.
[@@THALES GROUP RESTRICTED@@]
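An added example, not part of the original message and not live555 code: a simplified header scan showing one way the scan can finish with nextLineStart still NULL, with the check proposed above applied before the body offset is computed. The names nextLine and locateBody and the sample response are assumptions made for illustration.

```cpp
#include <cstddef>
#include <cstring>

// Hypothetical helper (not live555's): NUL-terminates the current line in
// place and returns the start of the next one, or NULL when the buffer holds
// no line ending after `line`.
static char* nextLine(char* line) {
    for (char* p = line; *p != '\0'; ++p) {
        if (*p == '\r' || *p == '\n') {
            if (*p == '\r' && p[1] == '\n') *p++ = '\0';
            *p = '\0';
            return p + 1;
        }
    }
    return NULL;
}

enum BodyStatus { BODY_OK, NEED_MORE_DATA };

// Scans the header lines in headerDataCopy (a mutable, NUL-terminated copy of
// the first bytesSeen bytes of response) and locates the body in response.
// bodyStart and numBodyBytes are written only when BODY_OK is returned.
BodyStatus locateBody(char* headerDataCopy, const char* response,
                      size_t bytesSeen, const char*& bodyStart, size_t& numBodyBytes) {
    char* lineStart = headerDataCopy;
    char* nextLineStart = NULL;
    bool sawBlankLine = false;
    while (lineStart != NULL) {
        nextLineStart = nextLine(lineStart);
        if (lineStart[0] == '\0') { sawBlankLine = true; break; } // end of headers
        lineStart = nextLineStart;
    }
    // The guard: an empty "line" at the very end of the data looks like the
    // blank header terminator but leaves nextLineStart NULL; subtracting from it
    // would give a bogus, huge offset.
    if (!sawBlankLine || nextLineStart == NULL) return NEED_MORE_DATA;
    size_t bodyOffset = (size_t)(nextLineStart - headerDataCopy);
    if (bodyOffset > bytesSeen) return NEED_MORE_DATA; // never index past the data
    bodyStart = response + bodyOffset;
    numBodyBytes = bytesSeen - bodyOffset;
    return BODY_OK;
}

int main() {
    char resp[] = "RTSP/1.0 200 OK\r\n"; // constructed: headers cut short
    char copy[sizeof resp];
    std::memcpy(copy, resp, sizeof resp);
    const char* body = NULL; size_t n = 0;
    return locateBody(copy, resp, std::strlen(resp), body, n) == NEED_MORE_DATA ? 0 : 1;
}
```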