[Live-devel] Potential use-after-free vulnerabilities in LIVE555 (2026.02.26)
Tianyang Liu
lty23 at mails.tsinghua.edu.cn
Sun Mar 22 10:24:45 PDT 2026
Dear Ross Finlayson,
Thanks for your reply.
It seems that the problem you met is related to the missing AddressSanitizer runtime libraries on your system. The use-after-free vulnerabilities should be reproduced with the server (“testOnDemandRTSPServer”) being compiled with the “-fsanitize=address” option. Without AddressSanitizer, the issues may not lead to immediate crashes and therefore might not be observable under normal execution or GDB alone.
I have tried the following steps to install the complete clang-11.1.0 (the clang version you are using) on my machine (Ubuntu 20.04), and successfully reproduced the vulnerabilities.
1. Run the following commands to install clang-11.1.0 under “/opt/” and “/usr/local/bin/”: (Note: If possible, you can also try reinstalling clang using apt directly, e.g. "sudo apt-get install --reinstall clang-11")
wget https://github.com/llvm/llvm-project/releases/download/llvmorg-11.1.0/clang+llvm-11.1.0-x86_64-linux-gnu-ubuntu-16.04.tar.xz
tar -xJf clang+llvm-11.1.0-x86_64-linux-gnu-ubuntu-16.04.tar.xz
sudo mv clang+llvm-11.1.0-x86_64-linux-gnu-ubuntu-16.04 /opt/llvm-11.1.0
sudo ln -sf /opt/llvm-11.1.0/bin/clang /usr/local/bin/clang-11
sudo ln -sf /opt/llvm-11.1.0/bin/clang++ /usr/local/bin/clang++-11
sudo ln -sf /opt/llvm-11.1.0/bin/llvm-config /usr/local/bin/llvm-config-11
echo "/opt/llvm-11.1.0/lib" | sudo tee /etc/ld.so.conf.d/llvm-11.conf
sudo ldconfig
2. Download and extract live.2026.02.26, patch the code, and ensure you use clang-11 and clang++-11 as the compilers. Modify “config.linux” as follows:
COMPILE_OPTS = $(INCLUDES) -I/usr/local/include -I. -O2 -DSOCKLEN_T=socklen_t -D_LARGEFILE_SOURCE=1 -D_FILE_OFFSET_BITS=64
C = c
C_COMPILER = clang-11
C_FLAGS = $(COMPILE_OPTS) $(CPPFLAGS) $(CFLAGS)
CPP = cpp
CPLUSPLUS_COMPILER = clang++-11
CPLUSPLUS_FLAGS = $(COMPILE_OPTS) -Wall -DBSD=1 $(CPPFLAGS) $(CXXFLAGS)
OBJ = o
LINK = clang++-11 -o
LINK_OPTS = -L. $(LDFLAGS)
CONSOLE_LINK_OPTS = $(LINK_OPTS)
LIBRARY_LINK = ar cr
LIBRARY_LINK_OPTS =
LIB_SUFFIX = a
LIBS_FOR_CONSOLE_APPLICATION = -lssl -lcrypto
LIBS_FOR_GUI_APPLICATION =
EXE =
3. Build the server:
./genMakefiles linux
CPPFLAGS="-O0 -g -fsanitize=address -fno-omit-frame-pointer" LDFLAGS="-O0 -g -fsanitize=address -fno-omit-frame-pointer" make
4. Reproduce the vulnerabilities with GDB and replay.py. If you want to debug efficiently, please also remember to set the environment variable “ASAN_OPTIONS” to a proper value, e.g.:
export ASAN_OPTIONS='abort_on_error=1:symbolize=1:detect_leaks=0:detect_stack_use_after_return=1:detect_container_overflow=0:poison_array_cookie=0:malloc_fill_byte=0:max_malloc_fill_size=16777216'
If you have Docker installed on your system, you can also try the reproduction steps provided in “reproduction.md”. The Docker image sets up a working environment with the required dependencies.
Please let me know if you need any additional assistance in reproducing the vulnerabilities.
Best regards,
Tianyang Liu
> -----Original Message-----
> From: "Ross Finlayson" <finlayson at live555.com>
> Sent: 2026-03-22 13:30:39 (Sunday)
> To: "LIVE555 Streaming Media - development & use" <live-devel at us.live555.com>
> Subject: Re: [Live-devel] Potential use-after-free vulnerabilities in LIVE555 (2026.02.26)
>
> Tianyang,
>
> Thanks for the report, but unfortunately I was not able to reproduce either of the “use-after-free” occurrences that GDB reported for you.
>
> When I built the code exactly as you described, I found that I couldn’t link the server (“testOnDemandRTSPServer”), because of the following errors:
> /usr/bin/ld: cannot find /usr/lib64/clang/11.1.0/lib/linux/libclang_rt.asan-x86_64.a: No such file or directory
> /usr/bin/ld: cannot find /usr/lib64/clang/11.1.0/lib/linux/libclang_rt.asan_cxx-x86_64.a: No such file or directory
>
> So instead, I removed the “-fsanitize=address” flag from both “CPPFLAGS” and “LDFLAGS” - i.e.
> CPPFLAGS="-O0 -g -fno-omit-frame-pointer" LDFLAGS="-O0 -g -fno-omit-frame-pointer" make
>
> When I did this, I was able to link the server, and run it under GDB, but when I ran either of your two RTSP client scripts:
> python3 replay.py vul/1.raw
> python3 replay.py vul/2.raw
> GDB didn’t report any problem.
>
>
> Ross Finlayson
> Live Networks, Inc.
> http://www.live555.com/
>
>
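A preflight check for the build described in this thread, as an added example that is not part of either message and not LIVE555 code. It confirms that the two ASan runtime archives named in the linker errors exist under the compiler's resource directory, and that the built server actually carries the ASan runtime. The function names are hypothetical, the binary path is a placeholder, and the `__asan_init` test is a heuristic that assumes an unstripped x86_64 build.

```shell
#!/bin/sh
# Added example: preflight checks before an AddressSanitizer reproduction run.

# Static ASan runtime archives, as named in the linker errors quoted above.
ASAN_ARCHIVES="libclang_rt.asan-x86_64.a libclang_rt.asan_cxx-x86_64.a"

# missing_asan_runtime RESOURCE_DIR
# Prints each archive absent from RESOURCE_DIR/lib/linux; returns 1 if any is missing.
missing_asan_runtime() {
    mar_missing=0
    for mar_archive in $ASAN_ARCHIVES; do
        if [ ! -f "$1/lib/linux/$mar_archive" ]; then
            echo "$mar_archive"
            mar_missing=1
        fi
    done
    return "$mar_missing"
}

# is_asan_instrumented BINARY
# Heuristic (assumption): a binary linked with -fsanitize=address contains
# the runtime's __asan_init symbol name; a plain build does not.
is_asan_instrumented() {
    [ -f "$1" ] && grep -q '__asan_init' "$1"
}

# preflight COMPILER BINARY
# Returns 0 only if the runtime is installed and the binary is instrumented.
preflight() {
    pf_resdir=$("$1" -print-resource-dir 2>/dev/null) || {
        echo "cannot run $1" >&2; return 2; }
    pf_missing=$(missing_asan_runtime "$pf_resdir") || {
        echo "missing under $pf_resdir/lib/linux: $pf_missing" >&2; return 1; }
    if ! is_asan_instrumented "$2"; then
        echo "$2 has no ASan runtime; rebuild with -fsanitize=address" >&2
        return 1
    fi
    echo "ok: $2 is ASan-instrumented"
}

# Example invocation (placeholder path):
#   sh asan_preflight.sh clang++-11 path/to/testOnDemandRTSPServer
if [ $# -eq 2 ]; then
    preflight "$1" "$2"
fi
```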