[Live-devel] Heap-use-after-free in live.2023.06.20

Meng Ruijie ruijie_meng at u.nus.edu
Fri Jun 23 00:32:47 PDT 2023


Hello,

There may be a heap-use-after-free while calling RTPInterface::sendDataOverTCP. The following is the bug report from ASAN:

----

==17==ERROR: AddressSanitizer: heap-use-after-free on address 0x62e000f3a0e8 at pc 0x0000005d5ec8 bp 0x7ffff35fc420 sp 0x7ffff35fc418
READ of size 1 at 0x62e000f3a0e8 thread T0
    #0 0x5d5ec7 in RTPInterface::sendDataOverTCP(int, TLSState*, unsigned char const*, unsigned int, unsigned char) /home/ubuntu/experiments/live/liveMedia/RTPInterface.cpp:394:51
    #1 0x5d4296 in RTPInterface::sendRTPorRTCPPacketOverTCP(unsigned char*, unsigned int, int, unsigned char, TLSState*) /home/ubuntu/experiments/live/liveMedia/RTPInterface.cpp:371:10
    #2 0x5d4296 in RTPInterface::sendPacket(unsigned char*, unsigned int) /home/ubuntu/experiments/live/liveMedia/RTPInterface.cpp:254:10
    #3 0x5d1188 in MultiFramedRTPSink::sendPacketIfNecessary() /home/ubuntu/experiments/live/liveMedia/MultiFramedRTPSink.cpp:395:21
    #4 0x5d07d1 in MultiFramedRTPSink::afterGettingFrame1(unsigned int, unsigned int, timeval, unsigned int) /home/ubuntu/experiments/live/liveMedia/MultiFramedRTPSink.cpp
    #5 0x5fa8b9 in MatroskaFileParser::parse() /home/ubuntu/experiments/live/liveMedia/MatroskaFileParser.cpp:191:4
    #6 0x5f90ba in MatroskaFileParser::continueParsing() /home/ubuntu/experiments/live/liveMedia/MatroskaFileParser.cpp:118:10
    #7 0x5cf854 in MultiFramedRTPSink::packFrame() /home/ubuntu/experiments/live/liveMedia/MultiFramedRTPSink.cpp:223:14
    #8 0x653902 in AlarmHandler::handleTimeout() /home/ubuntu/experiments/live/BasicUsageEnvironment/BasicTaskScheduler0.cpp:34:5
    #9 0x64a06c in BasicTaskScheduler::SingleStep(unsigned int) /home/ubuntu/experiments/live/BasicUsageEnvironment/BasicTaskScheduler.cpp:212:15
    #10 0x6522ea in BasicTaskScheduler0::doEventLoop(char volatile*) /home/ubuntu/experiments/live/BasicUsageEnvironment/BasicTaskScheduler0.cpp:82:5
    #11 0x4ccec4 in main /home/ubuntu/experiments/live/testProgs/testOnDemandRTSPServer.cpp:462:24

0x62e000f3a0e8 is located 40168 bytes inside of 40328-byte region [0x62e000f30400,0x62e000f3a188)
freed by thread T0 here:
    #0 0x4c80fd in operator delete(void*) (/home/ubuntu/experiments/live/testProgs/testOnDemandRTSPServer+0x4c80fd)
    #1 0x4dccb0 in RTSPServer::RTSPClientConnection::handleRequestBytes(int) /home/ubuntu/experiments/live/liveMedia/RTSPServer.cpp:1014:51
    #2 0x5d6a3a in SocketDescriptor::~SocketDescriptor() /home/ubuntu/experiments/live/liveMedia/RTPInterface.cpp:476:5
    #3 0x5d6c78 in SocketDescriptor::~SocketDescriptor() /home/ubuntu/experiments/live/liveMedia/RTPInterface.cpp:447:39
    #4 0x649d1c in BasicTaskScheduler::SingleStep(unsigned int) /home/ubuntu/experiments/live/BasicUsageEnvironment/BasicTaskScheduler.cpp:153:7
    #5 0x6522ea in BasicTaskScheduler0::doEventLoop(char volatile*) /home/ubuntu/experiments/live/BasicUsageEnvironment/BasicTaskScheduler0.cpp:82:5
    #6 0x4ccec4 in main /home/ubuntu/experiments/live/testProgs/testOnDemandRTSPServer.cpp:462:24

previously allocated by thread T0 here:
    #0 0x4c789d in operator new(unsigned long) (/home/ubuntu/experiments/live/testProgs/testOnDemandRTSPServer+0x4c789d)
    #1 0x4e4955 in RTSPServer::createNewClientConnection(int, sockaddr_storage const&) /home/ubuntu/experiments/live/liveMedia/RTSPServer.cpp:2031:10
    #2 0x5e5a92 in GenericMediaServer::incomingConnectionHandlerOnSocket(int) /home/ubuntu/experiments/live/liveMedia/GenericMediaServer.cpp:251:9
    #3 0x649d1c in BasicTaskScheduler::SingleStep(unsigned int) /home/ubuntu/experiments/live/BasicUsageEnvironment/BasicTaskScheduler.cpp:153:7
    #4 0x6522ea in BasicTaskScheduler0::doEventLoop(char volatile*) /home/ubuntu/experiments/live/BasicUsageEnvironment/BasicTaskScheduler0.cpp:82:5
    #5 0x4ccec4 in main /home/ubuntu/experiments/live/testProgs/testOnDemandRTSPServer.cpp:462:24

SUMMARY: AddressSanitizer: heap-use-after-free /home/ubuntu/experiments/live/liveMedia/RTPInterface.cpp:394:51 in RTPInterface::sendDataOverTCP(int, TLSState*, unsigned char const*, unsigned int, unsigned char)
==17==ABORTING


------
Kind Regards,
Ruijie