[Live-devel] Stack Overflow in FD_SET()

Ba Jinsheng bajinsheng at u.nus.edu
Tue Aug 3 07:52:09 PDT 2021

To whom it may concern,

I am a researcher working on fuzzing and I would like to report a stack overflow bug in live555.

When a large number of requests for the same MP3 file in a short time, the live555 quickly open the same MP3 file multiple time. Then, the value of the newly assigned file descriptor for the mp3 file quickly exceed 1024 here: liveMedia/MP3FileSource.cpp: 46
It uses "select()" system call to check if the file is readable. However, the "select()" usually support maximum 1024 file descriptor value, so it incurs a stack overflow in FD_SET: MP3StreamState.cpp: 343

This is the output from AddressSanitizer:
[cid:image001.jpg at 01D788BA.302143E0]

To reproduce it, please download the attachment:

  1.  Build the docker image:

docker build . -t live555_bug

  1.  Start a container on the image and open two terminals.
  2.  In one terminal, run the live555:
cd live/testProgs/; ./testOnDemandRTSPServer

  1.  On the other terminal, run the poc:

                Then the testOnDemandRTSPServer would crash in several seconds.

Best regards
Jinsheng Ba

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.live555.com/pipermail/live-devel/attachments/20210803/7ede9297/attachment-0001.htm>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image001.jpg
Type: image/jpeg
Size: 136257 bytes
Desc: image001.jpg
URL: <http://lists.live555.com/pipermail/live-devel/attachments/20210803/7ede9297/attachment-0001.jpg>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: overflow_poc_live555.zip
Type: application/x-zip-compressed
Size: 1555 bytes
Desc: overflow_poc_live555.zip
URL: <http://lists.live555.com/pipermail/live-devel/attachments/20210803/7ede9297/attachment-0001.bin>

More information about the live-devel mailing list