[Live-devel] bug in RTCPInstance::processIncomingReport (RTCP.cpp)
Frederik De Ruyck
frederik.deruyck at vsk.be
Mon Nov 14 00:54:42 PST 2016
Hi,
Last week I experienced a crash at:
void RTCPInstance::processIncomingReport(unsigned packetSize
, struct sockaddr_in const& fromAddressAndPort
, int tcpSocketNum
, unsigned char tcpStreamChannelId)
at line:
rtcpHdr = ntohl(*(u_int32_t*)pkt);
I've upgraded to the latest version of Live555 (06-11-2016) to confirm
that the issue is still present.
I've had this crash three times with version 07-08-2016 and now today a
fourth time with the latest 06-11-2016.
I've debugged the code and the crash is of type segfault because the
memory dereferenced at address pkt is likely outside the application's
memory space.
This is caused because packetSize is decremented beyond 0. The value of
"packetSize" at the time of the crash is 4294068404; it is of unsigned
type, so it wraps to a huge number when it drops below 0.
It is the macro ADVANCE(length) that causes the pointer "pkt" to refer
to an address that is beyond the scope of "fInBuf_ptr".
I will now try to copy the incoming packet contents out of my debugger
memory editor and see if I can create a test case with that.
Regards,
Frederik De Ruyck
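The failure mode described in the report above, as an added illustration that is not Live555's code and not the reporter's: a walk over the sub-reports of a compound RTCP packet that checks each header's length field against the bytes still remaining, placed beside a plain unchecked advance so the wrap of an unsigned byte counter is visible. The `rtcp_cursor` type, the function names and the two sample packets are constructed for this example; the header layout (version in the top two bits, 16-bit length in 32-bit words minus one) follows RFC 3550.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Cursor over a received packet: current position plus bytes left.
 * Constructed for this example; the counter is unsigned on purpose,
 * mirroring an "unsigned packetSize" parameter. */
typedef struct {
    const unsigned char *pkt;
    unsigned remaining;
} rtcp_cursor;

/* Unchecked advance in the style of a plain ADVANCE(n) macro.
 * When n > remaining the unsigned counter wraps instead of going negative. */
void advance_unchecked(rtcp_cursor *c, unsigned n) {
    c->pkt += n;
    c->remaining -= n;
}

/* Checked advance: refuses to move the cursor past the end of the buffer. */
bool advance_checked(rtcp_cursor *c, unsigned n) {
    if (n > c->remaining) return false;
    c->pkt += n;
    c->remaining -= n;
    return true;
}

/* Read a big-endian 32-bit word byte by byte (no alignment assumption). */
uint32_t read_be32(const unsigned char *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Count the sub-reports of a compound RTCP packet. Each header's 16-bit
 * length field is in 32-bit words minus one, so a report occupies
 * (length + 1) * 4 bytes. Returns the report count, or -1 when the
 * packet is truncated or a length field points past the end of the data. */
int count_rtcp_reports(const unsigned char *buf, unsigned len) {
    rtcp_cursor c = { buf, len };
    int reports = 0;
    while (c.remaining > 0) {
        if (c.remaining < 4) return -1;          /* truncated header */
        uint32_t hdr = read_be32(c.pkt);
        if ((hdr >> 30) != 2) return -1;         /* version must be 2 */
        unsigned report_len = ((hdr & 0xFFFFu) + 1u) * 4u;
        if (!advance_checked(&c, report_len)) return -1;
        reports++;
    }
    return reports;
}

/* Same first step with the unchecked advance: returns the counter value
 * after one advance, so the wrap can be observed directly. */
unsigned remaining_after_unchecked(const unsigned char *buf, unsigned len) {
    rtcp_cursor c = { buf, len };
    uint32_t hdr = read_be32(c.pkt);
    unsigned report_len = ((hdr & 0xFFFFu) + 1u) * 4u;
    advance_unchecked(&c, report_len);
    return c.remaining;
}

/* Constructed sample 1: an RR (PT 201, length 1, no report blocks)
 * followed by a BYE (PT 203, length 1, one SSRC); 16 bytes, 2 reports. */
const unsigned char good_pkt[16] = {
    0x80, 0xC9, 0x00, 0x01, 0x11, 0x22, 0x33, 0x44,
    0x81, 0xCB, 0x00, 0x01, 0x11, 0x22, 0x33, 0x44
};

/* Constructed sample 2: an RR header whose length field is 0xFFFF, i.e.
 * it claims 262144 bytes, but only 8 bytes were received. */
const unsigned char bad_pkt[8] = {
    0x80, 0xC9, 0xFF, 0xFF, 0x11, 0x22, 0x33, 0x44
};

int main(void) {
    printf("good packet: %d reports\n", count_rtcp_reports(good_pkt, sizeof good_pkt));
    printf("bad packet (checked): %d\n", count_rtcp_reports(bad_pkt, sizeof bad_pkt));
    printf("bad packet (unchecked) remaining = %u\n",
           remaining_after_unchecked(bad_pkt, sizeof bad_pkt));
    return 0;
}
```

On the malformed sample the checked walk stops with -1 before any byte past the 8 received ones is read, while the unchecked advance leaves `remaining` at 4294705160 and the pointer 262144 bytes beyond the buffer, which is the shape of the crash described in the report: any later dereference through that pointer is an out-of-bounds read.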