[Live-devel] Memory Leak in MPEGProgramStreamParser

Ba Jinsheng bajinsheng at u.nus.edu
Tue Sep 7 06:01:15 PDT 2021


Dear Ross Finlayson,

I want to report a memory leak bug in the MPEGProgramStreamParser.

Sorry, I don't provide a PoC this time because I cannot reproduce it in a single request.

But in a long run, the memory would always exceed 3GB, and the memory leak is detected by AddressSanitizer and Valgrind.

This is the call stack generated by AddressSanitizer.

==1569==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 2020 byte(s) in 1 object(s) allocated from:
    #0 0x4c751d in operator new[](unsigned long) (/home/ubuntu/experiments/live555-libfuzzer/testProgs/testOnDemandRTSPServer+0x4c751d)
    #1 0x55b60d in MPEGProgramStreamParser::parsePESPacket() /home/ubuntu/experiments/live555-libfuzzer/liveMedia/MPEG1or2Demux.cpp:746:28
    #2 0x557add in MPEGProgramStreamParser::parse() /home/ubuntu/experiments/live555-libfuzzer/liveMedia/MPEG1or2Demux.cpp:369:24
    #3 0x557add in MPEG1or2Demux::continueReadProcessing() /home/ubuntu/experiments/live555-libfuzzer/liveMedia/MPEG1or2Demux.cpp:236:50
    #4 0x55c976 in MPEG1or2DemuxedElementaryStream::doGetNextFrame() /home/ubuntu/experiments/live555-libfuzzer/liveMedia/MPEG1or2DemuxedElementaryStream.cpp:45:19
    #5 0x613fb3 in StreamParser::ensureValidBytes1(unsigned int) /home/ubuntu/experiments/live555-libfuzzer/liveMedia/StreamParser.cpp:156:17
    #6 0x572f83 in StreamParser::ensureValidBytes(unsigned int) /home/ubuntu/experiments/live555-libfuzzer/liveMedia/./StreamParser.hh:125:5
    #7 0x572f83 in StreamParser::testBytes(unsigned char*, unsigned int) /home/ubuntu/experiments/live555-libfuzzer/liveMedia/./StreamParser.hh:95:5
    #8 0x572f83 in StreamParser::getBytes(unsigned char*, unsigned int) /home/ubuntu/experiments/live555-libfuzzer/liveMedia/./StreamParser.hh:90:5
    #9 0x572f83 in MPEG1or2AudioStreamParser::parse(unsigned int&) /home/ubuntu/experiments/live555-libfuzzer/liveMedia/MPEG1or2AudioStreamFramer.cpp:200:5
    #10 0x571fbf in MPEG1or2AudioStreamFramer::continueReadProcessing() /home/ubuntu/experiments/live555-libfuzzer/liveMedia/MPEG1or2AudioStreamFramer.cpp:134:41
    #11 0x571fbf in MPEG1or2AudioStreamFramer::doGetNextFrame() /home/ubuntu/experiments/live555-libfuzzer/liveMedia/MPEG1or2AudioStreamFramer.cpp:94:3
    #12 0x5d1c14 in MultiFramedRTPSink::packFrame() /home/ubuntu/experiments/live555-libfuzzer/liveMedia/MultiFramedRTPSink.cpp:223:14
    #13 0x64fc12 in AlarmHandler::handleTimeout() /home/ubuntu/experiments/live555-libfuzzer/BasicUsageEnvironment/BasicTaskScheduler0.cpp:34:5
    #14 0x6463ac in BasicTaskScheduler::SingleStep(unsigned int) /home/ubuntu/experiments/live555-libfuzzer/BasicUsageEnvironment/BasicTaskScheduler.cpp:212:15
    #15 0x64e5fa in BasicTaskScheduler0::doEventLoop(char volatile*) /home/ubuntu/experiments/live555-libfuzzer/BasicUsageEnvironment/BasicTaskScheduler0.cpp:80:5

SUMMARY: AddressSanitizer: 2020 byte(s) leaked in 1 allocation(s).

INFO: a leak has been found in the initial corpus.



These are the call stacks generated by Valgrind:
==13334== HEAP SUMMARY:
==13334==     in use at exit: 208,316,602 bytes in 26,254 blocks
==13334==   total heap usage: 331,478,081 allocs, 331,451,827 frees, 332,736,466,349 bytes allocated
==13334==
==13334== Thread 1:
==13334== 8,100 bytes in 4 blocks are definitely lost in loss record 602 of 712
==13334==    at 0x4C2E80F: operator new[](unsigned long) (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==13334==    by 0x46821D: MPEGProgramStreamParser::parsePESPacket() (MPEG1or2Demux.cpp:746)
==13334==    by 0x466A59: parse (MPEG1or2Demux.cpp:369)
==13334==    by 0x466A59: MPEG1or2Demux::continueReadProcessing() (MPEG1or2Demux.cpp:236)
==13334==    by 0x468A77: MPEG1or2DemuxedElementaryStream::doGetNextFrame() (MPEG1or2DemuxedElementaryStream.cpp:45)
==13334==    by 0x4B4455: StreamParser::ensureValidBytes1(unsigned int) (StreamParser.cpp:156)
==13334==    by 0x469D62: ensureValidBytes (StreamParser.hh:125)
==13334==    by 0x469D62: test4Bytes (StreamParser.hh:54)
==13334==    by 0x469D62: MPEG1or2VideoStreamParser::parseVideoSequenceHeader(unsigned char) (MPEG1or2VideoStreamFramer.cpp:250)
==13334==    by 0x469BC3: MPEG1or2VideoStreamParser::parse() (MPEG1or2VideoStreamFramer.cpp:160)
==13334==    by 0x469363: continueReadProcessing (MPEGVideoStreamFramer.cpp:161)
==13334==    by 0x469363: MPEGVideoStreamFramer::doGetNextFrame() (MPEGVideoStreamFramer.cpp:144)
==13334==    by 0x49799B: MultiFramedRTPSink::packFrame() (MultiFramedRTPSink.cpp:223)
==13334==    by 0x497731: buildAndSendPacket (MultiFramedRTPSink.cpp:199)
==13334==    by 0x497731: MultiFramedRTPSink::continuePlaying() (MultiFramedRTPSink.cpp:159)
==13334==    by 0x4A03EC: StreamState::startPlaying(Destinations*, unsigned int, void (*)(void*), void*, void (*)(void*, unsigned char), void*) (OnDemandServerMediaSubsession.cpp:561)
==13334==    by 0x4A0040: OnDemandServerMediaSubsession::startStream(unsigned int, void*, void (*)(void*), void*, unsigned short&, unsigned int&, void (*)(void*, unsigned char), void*) (OnDemandServerMediaSubsession.cpp:215)
==13334==
==13334== 10,125 bytes in 5 blocks are definitely lost in loss record 609 of 712
==13334==    at 0x4C2E80F: operator new[](unsigned long) (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==13334==    by 0x46821D: MPEGProgramStreamParser::parsePESPacket() (MPEG1or2Demux.cpp:746)
==13334==    by 0x466A59: parse (MPEG1or2Demux.cpp:369)
==13334==    by 0x466A59: MPEG1or2Demux::continueReadProcessing() (MPEG1or2Demux.cpp:236)
==13334==    by 0x468A77: MPEG1or2DemuxedElementaryStream::doGetNextFrame() (MPEG1or2DemuxedElementaryStream.cpp:45)
==13334==    by 0x4B4455: StreamParser::ensureValidBytes1(unsigned int) (StreamParser.cpp:156)
==13334==    by 0x46AEF1: ensureValidBytes (StreamParser.hh:125)
==13334==    by 0x46AEF1: test4Bytes (StreamParser.hh:54)
==13334==    by 0x46AEF1: get4Bytes (StreamParser.hh:47)
==13334==    by 0x46AEF1: MPEGVideoStreamParser::saveToNextCode(unsigned int&) (MPEGVideoStreamParser.hh:81)
==13334==    by 0x46A8D8: MPEG1or2VideoStreamParser::parseSlice() (MPEG1or2VideoStreamFramer.cpp:430)
==13334==    by 0x469C58: MPEG1or2VideoStreamParser::parse() (MPEG1or2VideoStreamFramer.cpp:175)
==13334==    by 0x469363: continueReadProcessing (MPEGVideoStreamFramer.cpp:161)
==13334==    by 0x469363: MPEGVideoStreamFramer::doGetNextFrame() (MPEGVideoStreamFramer.cpp:144)
==13334==    by 0x49799B: MultiFramedRTPSink::packFrame() (MultiFramedRTPSink.cpp:223)
==13334==    by 0x498043: MultiFramedRTPSink::afterGettingFrame1(unsigned int, unsigned int, timeval, unsigned int) (MultiFramedRTPSink.cpp:350)
==13334==    by 0x4CDC09: AlarmHandler::handleTimeout() (BasicTaskScheduler0.cpp:34)
==13334==
==13334== 30,345 bytes in 15 blocks are definitely lost in loss record 640 of 712
==13334==    at 0x4C2E80F: operator new[](unsigned long) (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==13334==    by 0x46821D: MPEGProgramStreamParser::parsePESPacket() (MPEG1or2Demux.cpp:746)
==13334==    by 0x466A59: parse (MPEG1or2Demux.cpp:369)
==13334==    by 0x466A59: MPEG1or2Demux::continueReadProcessing() (MPEG1or2Demux.cpp:236)
==13334==    by 0x468A77: MPEG1or2DemuxedElementaryStream::doGetNextFrame() (MPEG1or2DemuxedElementaryStream.cpp:45)
==13334==    by 0x4B4455: StreamParser::ensureValidBytes1(unsigned int) (StreamParser.cpp:156)
==13334==    by 0x4708E4: ensureValidBytes (StreamParser.hh:125)
==13334==    by 0x4708E4: testBytes (StreamParser.hh:95)
==13334==    by 0x4708E4: getBytes (StreamParser.hh:90)
==13334==    by 0x4708E4: MPEG1or2AudioStreamParser::parse(unsigned int&) (MPEG1or2AudioStreamFramer.cpp:200)
==13334==    by 0x4702A6: continueReadProcessing (MPEG1or2AudioStreamFramer.cpp:134)
==13334==    by 0x4702A6: MPEG1or2AudioStreamFramer::doGetNextFrame() (MPEG1or2AudioStreamFramer.cpp:94)
==13334==    by 0x49799B: MultiFramedRTPSink::packFrame() (MultiFramedRTPSink.cpp:223)
==13334==    by 0x4CDC09: AlarmHandler::handleTimeout() (BasicTaskScheduler0.cpp:34)
==13334==    by 0x4C9B6F: BasicTaskScheduler::SingleStep(unsigned int) (BasicTaskScheduler.cpp:212)
==13334==    by 0x4CD2BC: BasicTaskScheduler0::doEventLoop(char volatile*) (BasicTaskScheduler0.cpp:80)
==13334==    by 0x480424: readAndSaveAFrame (AC3AudioStreamFramer.cpp:314)
==13334==    by 0x480424: AC3AudioStreamFramer::samplingRate() (AC3AudioStreamFramer.cpp:112)
==13334==
==13334== 42,474 bytes in 21 blocks are definitely lost in loss record 654 of 712
==13334==    at 0x4C2E80F: operator new[](unsigned long) (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==13334==    by 0x46821D: MPEGProgramStreamParser::parsePESPacket() (MPEG1or2Demux.cpp:746)
==13334==    by 0x466A59: parse (MPEG1or2Demux.cpp:369)
==13334==    by 0x466A59: MPEG1or2Demux::continueReadProcessing() (MPEG1or2Demux.cpp:236)
==13334==    by 0x468A77: MPEG1or2DemuxedElementaryStream::doGetNextFrame() (MPEG1or2DemuxedElementaryStream.cpp:45)
==13334==    by 0x4B4455: StreamParser::ensureValidBytes1(unsigned int) (StreamParser.cpp:156)
==13334==    by 0x4708E4: ensureValidBytes (StreamParser.hh:125)
==13334==    by 0x4708E4: testBytes (StreamParser.hh:95)
==13334==    by 0x4708E4: getBytes (StreamParser.hh:90)
==13334==    by 0x4708E4: MPEG1or2AudioStreamParser::parse(unsigned int&) (MPEG1or2AudioStreamFramer.cpp:200)
==13334==    by 0x4702A6: continueReadProcessing (MPEG1or2AudioStreamFramer.cpp:134)
==13334==    by 0x4702A6: MPEG1or2AudioStreamFramer::doGetNextFrame() (MPEG1or2AudioStreamFramer.cpp:94)
==13334==    by 0x49799B: MultiFramedRTPSink::packFrame() (MultiFramedRTPSink.cpp:223)



Best regards,
Jinsheng Ba
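As an added triage helper (not part of the report above nor of live555), the script below parses both the LeakSanitizer and Valgrind records quoted in the report and sums leaked bytes per allocation site, so that the many small "definitely lost" records a long-running server accumulates can be attributed to the single `new[]` in parsePESPacket(). The record formats assumed by the regular expressions are exactly those shown in the report; the sample input is constructed from the quoted records, abridged to the frames that identify the site.

```python
import re
from collections import defaultdict

# Constructed sample input: the LeakSanitizer and Valgrind records quoted in the report, abridged.
ASAN_TEXT = """\
Direct leak of 2020 byte(s) in 1 object(s) allocated from:
    #0 0x4c751d in operator new[](unsigned long) (/home/ubuntu/experiments/live555-libfuzzer/testProgs/testOnDemandRTSPServer+0x4c751d)
    #1 0x55b60d in MPEGProgramStreamParser::parsePESPacket() /home/ubuntu/experiments/live555-libfuzzer/liveMedia/MPEG1or2Demux.cpp:746:28
"""
VG_RECORD = """\
==13334== {bytes} bytes in {blocks} blocks are definitely lost in loss record {rec} of 712
==13334==    at 0x4C2E80F: operator new[](unsigned long) (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==13334==    by 0x46821D: MPEGProgramStreamParser::parsePESPacket() (MPEG1or2Demux.cpp:746)
==13334==    by 0x466A59: parse (MPEG1or2Demux.cpp:369)
"""
# the four "definitely lost" records from the report as (bytes, blocks, loss-record number)
VALGRIND_TEXT = "".join(VG_RECORD.format(bytes=b, blocks=k, rec=n) for b, k, n in
                        [("8,100", 4, 602), ("10,125", 5, 609), ("30,345", 15, 640), ("42,474", 21, 654)])

ASAN_HDR = re.compile(r"^(?:Direct|Indirect) leak of (\d+) byte\(s\) in (\d+) object\(s\)")
ASAN_FRM = re.compile(r"^\s*#\d+ 0x[0-9a-f]+ in (.+?) (\S+)$")
VG_HDR = re.compile(r"^==\d+== ([\d,]+) bytes in ([\d,]+) blocks are definitely lost")
VG_FRM = re.compile(r"^==\d+==\s+(?:at|by) 0x[0-9A-Fa-f]+: (.*) \(([^()]*)\)$")
ALLOCATORS = ("operator new", "malloc", "calloc", "realloc")

def leak_records(text):
    """Return [(bytes, blocks, site)] for every leak record in ASan or Valgrind output;
    site is the first frame below the allocator itself, as 'function (File.cpp:line)'."""
    records, cur = [], None
    for line in text.splitlines():
        hdr = ASAN_HDR.match(line) or VG_HDR.match(line)
        if hdr:  # a new record starts; Valgrind writes the counts with thousands separators
            cur = [int(hdr[1].replace(",", "")), int(hdr[2].replace(",", "")), None]
            records.append(cur)
            continue
        frm = ASAN_FRM.match(line) or VG_FRM.match(line)
        if cur is None or cur[2] is not None or not frm or frm[1].startswith(ALLOCATORS):
            continue  # outside a record, site already attributed, not a frame, or the allocator frame
        # ASan gives "/abs/path/File.cpp:746:28", Valgrind "File.cpp:746"; keep "File.cpp:746" for both
        file_line = ":".join(frm[2].rsplit("/", 1)[-1].split(":")[:2])
        cur[2] = f"{frm[1]} ({file_line})"
    return [tuple(r) for r in records]

def leaks_by_site(text):
    """Aggregate (site, bytes, blocks, records) per allocation site, largest total first."""
    totals = defaultdict(lambda: [0, 0, 0])
    for nbytes, nblocks, site in leak_records(text):
        t = totals[site or "<unattributed>"]
        t[0], t[1], t[2] = t[0] + nbytes, t[1] + nblocks, t[2] + 1
    return sorted(((site, *t) for site, t in totals.items()), key=lambda r: -r[1])
```

Feeding a whole Valgrind log to `leaks_by_site` ranks sites by total bytes lost, and dividing bytes by blocks (about 2 KB here) shows the per-record size that a single PES packet buffer leaks on each occurrence.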
