[Live-devel] Live555 Assertion Violation bug

Ba Jinsheng bajinsheng at u.nus.edu
Thu Aug 12 07:19:39 PDT 2021 

Dear Ross Finlayson,

There may be an assertion violation bug.

When sending multiple SETUP and PLAY commands, the live555 may violate this assertion: liveMedia/FramedSource.cpp:65
Then it outputs "FramedSource[0x610000000440]::getNextFrame(): attempting to read more than once at the same time!" and aborts itself.

The call stack of the exit point:
    #6 0x64fafa in UsageEnvironment::internalError() /home/ubuntu/experiments/live555-libfuzzer/UsageEnvironment/UsageEnvironment.cpp:42:3
    #7 0x5502d5 in FramedSource::getNextFrame(unsigned char*, unsigned int, void (*)(void*, unsigned int, unsigned int, timeval, unsigned int), void*, void (*)(void*), void*) /home/ubuntu/experiments/live555-libfuzzer/liveMedia/FramedSource.cpp:65:13
    #8 0x613e63 in StreamParser::ensureValidBytes1(unsigned int) /home/ubuntu/experiments/live555-libfuzzer/liveMedia/StreamParser.cpp:156:17
    #9 0x558f35 in StreamParser::ensureValidBytes(unsigned int) /home/ubuntu/experiments/live555-libfuzzer/liveMedia/./StreamParser.hh:125:5
    #10 0x558f35 in StreamParser::test4Bytes() /home/ubuntu/experiments/live555-libfuzzer/liveMedia/./StreamParser.hh:54:5
    #11 0x558f35 in MPEGProgramStreamParser::parsePackHeader() /home/ubuntu/experiments/live555-libfuzzer/liveMedia/MPEG1or2Demux.cpp:397:19
    #12 0x557b6e in MPEGProgramStreamParser::parse() /home/ubuntu/experiments/live555-libfuzzer/liveMedia/MPEG1or2Demux.cpp:358:2
    #13 0x557b6e in MPEG1or2Demux::continueReadProcessing() /home/ubuntu/experiments/live555-libfuzzer/liveMedia/MPEG1or2Demux.cpp:236:50
    #14 0x55c946 in MPEG1or2DemuxedElementaryStream::doGetNextFrame() /home/ubuntu/experiments/live555-libfuzzer/liveMedia/MPEG1or2DemuxedElementaryStream.cpp:45:19
    #15 0x613e63 in StreamParser::ensureValidBytes1(unsigned int) /home/ubuntu/experiments/live555-libfuzzer/liveMedia/StreamParser.cpp:156:17
    #16 0x572bb6 in StreamParser::ensureValidBytes(unsigned int) /home/ubuntu/experiments/live555-libfuzzer/liveMedia/./StreamParser.hh:125:5
    #17 0x572bb6 in StreamParser::test4Bytes() /home/ubuntu/experiments/live555-libfuzzer/liveMedia/./StreamParser.hh:54:5
    #18 0x572bb6 in MPEG1or2AudioStreamParser::parse(unsigned int&) /home/ubuntu/experiments/live555-libfuzzer/liveMedia/MPEG1or2AudioStreamFramer.cpp:184:34
    #19 0x571f8f in MPEG1or2AudioStreamFramer::continueReadProcessing() /home/ubuntu/experiments/live555-libfuzzer/liveMedia/MPEG1or2AudioStreamFramer.cpp:134:41
    #20 0x571f8f in MPEG1or2AudioStreamFramer::doGetNextFrame() /home/ubuntu/experiments/live555-libfuzzer/liveMedia/MPEG1or2AudioStreamFramer.cpp:94:3
    #21 0x5d1ac4 in MultiFramedRTPSink::packFrame() /home/ubuntu/experiments/live555-libfuzzer/liveMedia/MultiFramedRTPSink.cpp:223:14
    #22 0x5d11b4 in MultiFramedRTPSink::buildAndSendPacket(unsigned char) /home/ubuntu/experiments/live555-libfuzzer/liveMedia/MultiFramedRTPSink.cpp:199:3
    #23 0x5d11b4 in MultiFramedRTPSink::continuePlaying() /home/ubuntu/experiments/live555-libfuzzer/liveMedia/MultiFramedRTPSink.cpp:159:3
    #24 0x5e8085 in StreamState::startPlaying(Destinations*, unsigned int, void (*)(void*), void*, void (*)(void*, unsigned char), void*) /home/ubuntu/experiments/live555-libfuzzer/liveMedia/OnDemandServerMediaSubsession.cpp:558:17
    #25 0x5e7796 in OnDemandServerMediaSubsession::startStream(unsigned int, void*, void (*)(void*), void*, unsigned short&, unsigned int&, void (*)(void*, unsigned char), void*) /home/ubuntu/experiments/live555-libfuzzer/liveMedia/OnDemandServerMediaSubsession.cpp:215:18
    #26 0x4e75c0 in RTSPServer::RTSPClientSession::handleCmd_PLAY(RTSPServer::RTSPClientConnection*, ServerMediaSubsession*, char const*) /home/ubuntu/experiments/live555-libfuzzer/liveMedia/RTSPServer.cpp:1861:36
    #27 0x4e569e in RTSPServer::RTSPClientSession::handleCmd_withinSession(RTSPServer::RTSPClientConnection*, char const*, char const*, char const*, char const*) /home/ubuntu/experiments/live555-libfuzzer/liveMedia/RTSPServer.cpp
    #28 0x4dffc6 in RTSPServer::RTSPClientConnection::handleRequestBytes(int) /home/ubuntu/experiments/live555-libfuzzer/liveMedia/RTSPServer.cpp:927:22
    #29 0x4d1e2e in GenericMediaServer::ClientConnection::incomingRequestHandler() /home/ubuntu/experiments/live555-libfuzzer/liveMedia/GenericMediaServer.cpp:291:3
    #30 0x4d1e2e in GenericMediaServer::ClientConnection::incomingRequestHandler(void*, int) /home/ubuntu/experiments/live555-libfuzzer/liveMedia/GenericMediaServer.cpp:284:15
    #31 0x645f85 in BasicTaskScheduler::SingleStep(unsigned int) /home/ubuntu/experiments/live555-libfuzzer/BasicUsageEnvironment/BasicTaskScheduler.cpp:171:2
    #32 0x64e4aa in BasicTaskScheduler0::doEventLoop(char volatile*) /home/ubuntu/experiments/live555-libfuzzer/BasicUsageEnvironment/BasicTaskScheduler0.cpp:80:5


To reproduce it, please download the attachment:

  1.  Build the docker image:

docker build . -t live555_bug

  1.  Start a container on the image and open two terminals.
  2.  In one terminal, run the live555:
cd live/testProgs/; ./testOnDemandRTSPServer

  1.  On the other terminal, run the poc:

python3 poc.py
                Then the testOnDemandRTSPServer aborts.


Best regards,
Jinsheng Ba

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.live555.com/pipermail/live-devel/attachments/20210812/5bf95e61/attachment.htm>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: live555_assertion.zip
Type: application/x-zip-compressed
Size: 1442 bytes
Desc: live555_assertion.zip
URL: <http://lists.live555.com/pipermail/live-devel/attachments/20210812/5bf95e61/attachment.bin>

More information about the live-devel mailing list