[Live-devel] Potential use-after-free vulnerabilities in LIVE555 (2026.02.26)
Ross Finlayson
finlayson at live555.com
Sat Mar 21 22:30:39 PDT 2026
Tianyang,
Thanks for the report, but unfortunately I was not able to reproduce either of the “use-after-free” occurrences that GDB reported for you.
When I built the code exactly as you described, I found that I couldn’t link the server (“testOnDemandRTSPServer”), because of the following errors:
/usr/bin/ld: cannot find /usr/lib64/clang/11.1.0/lib/linux/libclang_rt.asan-x86_64.a: No such file or directory
/usr/bin/ld: cannot find /usr/lib64/clang/11.1.0/lib/linux/libclang_rt.asan_cxx-x86_64.a: No such file or directory
So instead, I removed the “-fsanitize=address” flag from both “CPPFLAGS” and “LDFLAGS” - i.e.
CPPFLAGS="-O0 -g -fno-omit-frame-pointer" LDFLAGS="-O0 -g -fno-omit-frame-pointer” make
When I did this, I was able to link the server, and run it under GDB, but when I ran either of your two RTSP client scripts:
python3 replay.py vul/1.raw
python3 replay.py vul/2.raw
GDB didn’t report any problem.
Ross Finlayson
Live Networks, Inc.
http://www.live555.com/
More information about the live-devel
mailing list