[Live-devel] SIGABRT in base64Decode in liveMedia/Base64.cpp
Piers Hawksley
piers.hawksley at panogenics.com
Thu Jun 26 09:13:10 PDT 2014
Hi Ross,
We have rebuilt with -g and without -o0 and get the same result (SIGABRT
in disassembled code, no stack trace).
We have tried the latest build of OpenRTSP with the -T flag. OpenRTSP
does not send GET_PARAMETER requests to the Live555 server, so it will
not call the code in base64Decode where the SIGABRT occurs (in the new
or delete calls).
We are using VLC client which does send the GET_PARAMETER messages. The
crash during GET_PARAMETER message processing appears to be related to
truncated base 64 encoded GET_PARAMETER requests, so may be triggered by
network congestion.
Excerpts from the live555 debug (with indented lines being debug we have
added to try to locate the crash) are attached below.
It appears that after sending the RTSP/1.0 400 Bad Request response,
RTSPClientConnection::handleRequestBytes is called with 3 bytes, which
sets fBase64RemainderCount to 3. Is this causing the pointer passed into
base64Decode to go out of range?
Please let me know if there are further tests we can do to find the
cause and indicate a fix for this issue.
Thanks for the mention in the latest changelog ...
Best Regards,
Piers Hawksley
The following happens twice with many RTCP Liveness indications between.
RTSPClientConnection[0x1b64b8]::handleRequestBytes() read 443 new
bytes:R0VUX1BBUkFNRVRFUiBydHNwOi8vMTAuMjYuNy44MC9zdHJlYW0wLyBSVFNQLzEuMA0KQ1NlcTogNzQNCkF1dGhvcml6YXRpb246IERpZ2VzdCB1c2VybmFtZT0iQWRtaW4iLCByZWFsbT0iTElWRTU1NSBTdHJlYW1pbmcgTWVkaWEiLCBub25jZT0iYTlmMDA1ODBlYTA2ZDMxYmIxNWI1ZTU4OTk1ZGFmNmIiLCB1cmk9InJ0c3A6Ly8xMC4yNi43LjgwL3N0cmVhbTAvIiwgcmVzcG9uc2U9ImMwZDgzNGQyNGY4NjE5ZjdiOTU3NmNmZjE4YjRjN2UyIg0KVXNlci1BZ2VudDogTGliVkxDLzIuMS4zIChMSVZFNTU1IFN0cmVhbWluZyBNZWRpYSB2MjAxNC4wMS4yMSkNClNlc3Npb246IDcwOTY
numBytesToDecode=440, newBase64RemainderCount=3
out=0x27cd80
k=330, paddingCount=0, inSize=440
trimTrailingZeros=1
resultSize=330
new result=0x27cf40
Moved out to result
deleted out
decodedBytes=0x27cf40
Base64-decoded 440 input bytes into 330 new bytes:GET_PARAMETER
rtsp://10.26.7.80/stream0/ RTSP/1.0
CSeq: 74
Authorization: Digest username="Admin", realm="LIVE555 Streaming Media",
nonce="a9f00580ea06d31bb15b5e58995daf6b",
uri="rtsp://10.26.7.80/stream0/",
response="c0d834d24f8619f7b9576cff18b4c7e2"
User-Agent: LibVLC/2.1.3 (LIVE555 Streaming Media v2014.01.21)
Session: 70
Deletedd decodedBytes
fBase64RemainderCount=3
RTSPClientConnection[0x1b64b8]::handleRequestBytes() read 13 new
bytes:3QjVEDQoNCg==
numBytesToDecode=16, newBase64RemainderCount=0
out=0x183708
k=12, paddingCount=2, inSize=16
trimTrailingZeros=1
resultSize=10
new result=0x183748
Moved out to result
deleted out
decodedBytes=0x183748
Base64-decoded 16 input bytes into 10 new bytes:7B5D
Deletedd decodedBytes
fBase64RemainderCount=0
parseRTSPRequestString() failed; checking now for HTTP commands (for
RTSP-over-HTTP tunneling)...
parseHTTPRequestString() failed!
sending response: RTSP/1.0 400 Bad Request
Date: Wed, Jun 18 2014 14:15:32 GMT
Allow: OPTIONS, DESCRIBE, SETUP, TEARDOWN, PLAY, PAUSE, GET_PARAMETER,
SET_PARAMETER
RTSPClientConnection[0x1b64b8]::handleRequestBytes() processing 3 new
bytes:oNC
numBytesToDecode=0, newBase64RemainderCount=3
fBase64RemainderCount=3
Then after a few more RTCP Liveness indications we receive a complete
base 64 encoded GET_PARAMETER request (with fBase64RemainderCount set to
3) and crash.
RTSPClientConnection[0x1b64b8]::handleRequestBytes() read 456 new
bytes:R0VUX1BBUkFNRVRFUiBydHNwOi8vMTAuMjYuNy44MC9zdHJlYW0wLyBSVFNQLzEuMA0KQ1NlcTogNzUNCkF1dGhvcml6YXRpb246IERpZ2VzdCB1c2VybmFtZT0iQWRtaW4iLCByZWFsbT0iTElWRTU1NSBTdHJlYW1pbmcgTWVkaWEiLCBub25jZT0iYTlmMDA1ODBlYTA2ZDMxYmIxNWI1ZTU4OTk1ZGFmNmIiLCB1cmk9InJ0c3A6Ly8xMC4yNi43LjgwL3N0cmVhbTAvIiwgcmVzcG9uc2U9ImMwZDgzNGQyNGY4NjE5ZjdiOTU3NmNmZjE4YjRjN2UyIg0KVXNlci1BZ2VudDogTGliVkxDLzIuMS4zIChMSVZFNTU1IFN0cmVhbWluZyBNZWRpYSB2MjAxNC4wMS4yMSkNClNlc3Npb246IDcwOTY3QjVEDQoNCg==
numBytesToDecode=456, newBase64RemainderCount=3
out=0x183830
k=342, paddingCount=0, inSize=456
trimTrailingZeros=1
resultSize=342
new result=0x27cd48
Moved out to result
*** glibc detected *** /program/name: free(): invalid next size (fast):
0x00183830 ***
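
The remainder carry-over seen in the log above, sketched as an added example (not code from the post or from live555): leftover base64 characters are copied into the decoder's own 3-byte buffer, so a later read never depends on memory in front of the receive buffer. `Base64Stream`, `feed` and `reset` are hypothetical names, dropping the carry after a rejected request is a policy assumed by this example, and the inputs in `main` are fragments taken from the log excerpt.

```cpp
#include <cstddef>
#include <cstdint>
#include <string>

// Added example: hypothetical streaming decoder, not live555's Base64.cpp.
// Leftover characters are stored in the object, not in the receive buffer.
struct Base64Stream {
    char carry[3] = {0, 0, 0};  // at most 3 characters can be left over
    std::size_t carryLen = 0;
    static int value(char c) {
        if (c >= 'A' && c <= 'Z') return c - 'A';
        if (c >= 'a' && c <= 'z') return c - 'a' + 26;
        if (c >= '0' && c <= '9') return c - '0' + 52;
        if (c == '+') return 62;
        if (c == '/') return 63;
        return -1;  // '=' and every other character
    }
    // Policy assumed here: drop the carry once its request was rejected.
    void reset() { carryLen = 0; }
    // Appends decoded bytes to out; returns false (and resets) on bad input.
    bool feed(const char* in, std::size_t n, std::string& out) {
        std::string buf(carry, carryLen);
        buf.append(in, n);
        std::size_t whole = buf.size() & ~static_cast<std::size_t>(3);
        for (std::size_t i = 0; i < whole; i += 4) {
            int v[4], pad = 0;
            for (int j = 0; j < 4; ++j) {
                char c = buf[i + j];
                if (c == '=' && j >= 2) { v[j] = 0; ++pad; continue; }
                v[j] = value(c);
                if (v[j] < 0 || pad > 0) { reset(); return false; }
            }
            std::uint32_t w = (v[0] << 18) | (v[1] << 12) | (v[2] << 6) | v[3];
            out.push_back(static_cast<char>((w >> 16) & 0xFF));
            if (pad < 2) out.push_back(static_cast<char>((w >> 8) & 0xFF));
            if (pad < 1) out.push_back(static_cast<char>(w & 0xFF));
        }
        carryLen = buf.size() - whole;  // always 0..3
        buf.copy(carry, carryLen, whole);
        return true;
    }
};

int main() {
    Base64Stream s; std::string out;
    s.feed("oNC", 3, out); s.reset();  // stray tail, then resynchronise
    s.feed("R0VUX1BB", 8, out);        // first 8 characters of a request
    return out == "GET_PA" ? 0 : 1;
}
```

Without the `reset()` call the three stale characters shift every four-character group of the next request, so it decodes to garbage and again leaves a remainder of 3.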