<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:x="urn:schemas-microsoft-com:office:excel" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
        {font-family:"Cambria Math";
        panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
        {font-family:DengXian;
        panose-1:2 1 6 0 3 1 1 1 1 1;}
@font-face
        {font-family:Calibri;
        panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
        {font-family:"\@DengXian";
        panose-1:2 1 6 0 3 1 1 1 1 1;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
        {margin:0in;
        font-size:11.0pt;
        font-family:"Calibri",sans-serif;}
p.MsoListParagraph, li.MsoListParagraph, div.MsoListParagraph
        {mso-style-priority:34;
        margin-top:0in;
        margin-right:0in;
        margin-bottom:0in;
        margin-left:.5in;
        font-size:11.0pt;
        font-family:"Calibri",sans-serif;}
span.EmailStyle17
        {mso-style-type:personal-compose;
        font-family:"Calibri",sans-serif;
        color:windowtext;}
.MsoChpDefault
        {mso-style-type:export-only;
        font-family:"Calibri",sans-serif;}
@page WordSection1
        {size:8.5in 11.0in;
        margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
        {page:WordSection1;}
/* List Definitions */
@list l0
        {mso-list-id:716585086;
        mso-list-type:hybrid;
        mso-list-template-ids:280162240 67698703 67698713 67698715 67698703 67698713 67698715 67698703 67698713 67698715;}
@list l0:level1
        {mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-.25in;}
@list l0:level2
        {mso-level-number-format:alpha-lower;
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-.25in;}
@list l0:level3
        {mso-level-number-format:roman-lower;
        mso-level-tab-stop:none;
        mso-level-number-position:right;
        text-indent:-9.0pt;}
@list l0:level4
        {mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-.25in;}
@list l0:level5
        {mso-level-number-format:alpha-lower;
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-.25in;}
@list l0:level6
        {mso-level-number-format:roman-lower;
        mso-level-tab-stop:none;
        mso-level-number-position:right;
        text-indent:-9.0pt;}
@list l0:level7
        {mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-.25in;}
@list l0:level8
        {mso-level-number-format:alpha-lower;
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-.25in;}
@list l0:level9
        {mso-level-number-format:roman-lower;
        mso-level-tab-stop:none;
        mso-level-number-position:right;
        text-indent:-9.0pt;}
ol
        {margin-bottom:0in;}
ul
        {margin-bottom:0in;}
--></style>
</head>
<body lang="EN-US" link="#0563C1" vlink="#954F72" style="word-wrap:break-word">
<div class="WordSection1">
<p class="MsoNormal">Dear Ross Finlayson,<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">There may be an assertion violation bug.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">When sending multiple SETUP and PLAY commands, live555 may violate this assertion: liveMedia/FramedSource.cpp:65<o:p></o:p></p>
<p class="MsoNormal">Then it outputs “FramedSource[0x610000000440]::getNextFrame(): attempting to read more than once at the same time!” and aborts itself.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">The call stack of the exit point:<o:p></o:p></p>
<p class="MsoNormal">    #6 0x64fafa in UsageEnvironment::internalError() /home/ubuntu/experiments/live555-libfuzzer/UsageEnvironment/UsageEnvironment.cpp:42:3<o:p></o:p></p>
<p class="MsoNormal">    #7 0x5502d5 in FramedSource::getNextFrame(unsigned char*, unsigned int, void (*)(void*, unsigned int, unsigned int, timeval, unsigned int), void*, void (*)(void*), void*) /home/ubuntu/experiments/live555-libfuzzer/liveMedia/FramedSource.cpp:65:13<o:p></o:p></p>
<p class="MsoNormal">    #8 0x613e63 in StreamParser::ensureValidBytes1(unsigned int) /home/ubuntu/experiments/live555-libfuzzer/liveMedia/StreamParser.cpp:156:17<o:p></o:p></p>
<p class="MsoNormal">    #9 0x558f35 in StreamParser::ensureValidBytes(unsigned int) /home/ubuntu/experiments/live555-libfuzzer/liveMedia/./StreamParser.hh:125:5<o:p></o:p></p>
<p class="MsoNormal">    #10 0x558f35 in StreamParser::test4Bytes() /home/ubuntu/experiments/live555-libfuzzer/liveMedia/./StreamParser.hh:54:5<o:p></o:p></p>
<p class="MsoNormal">    #11 0x558f35 in MPEGProgramStreamParser::parsePackHeader() /home/ubuntu/experiments/live555-libfuzzer/liveMedia/MPEG1or2Demux.cpp:397:19<o:p></o:p></p>
<p class="MsoNormal">    #12 0x557b6e in MPEGProgramStreamParser::parse() /home/ubuntu/experiments/live555-libfuzzer/liveMedia/MPEG1or2Demux.cpp:358:2<o:p></o:p></p>
<p class="MsoNormal">    #13 0x557b6e in MPEG1or2Demux::continueReadProcessing() /home/ubuntu/experiments/live555-libfuzzer/liveMedia/MPEG1or2Demux.cpp:236:50<o:p></o:p></p>
<p class="MsoNormal">    #14 0x55c946 in MPEG1or2DemuxedElementaryStream::doGetNextFrame() /home/ubuntu/experiments/live555-libfuzzer/liveMedia/MPEG1or2DemuxedElementaryStream.cpp:45:19<o:p></o:p></p>
<p class="MsoNormal">    #15 0x613e63 in StreamParser::ensureValidBytes1(unsigned int) /home/ubuntu/experiments/live555-libfuzzer/liveMedia/StreamParser.cpp:156:17<o:p></o:p></p>
<p class="MsoNormal">    #16 0x572bb6 in StreamParser::ensureValidBytes(unsigned int) /home/ubuntu/experiments/live555-libfuzzer/liveMedia/./StreamParser.hh:125:5<o:p></o:p></p>
<p class="MsoNormal">    #17 0x572bb6 in StreamParser::test4Bytes() /home/ubuntu/experiments/live555-libfuzzer/liveMedia/./StreamParser.hh:54:5<o:p></o:p></p>
<p class="MsoNormal">    #18 0x572bb6 in MPEG1or2AudioStreamParser::parse(unsigned int&) /home/ubuntu/experiments/live555-libfuzzer/liveMedia/MPEG1or2AudioStreamFramer.cpp:184:34<o:p></o:p></p>
<p class="MsoNormal">    #19 0x571f8f in MPEG1or2AudioStreamFramer::continueReadProcessing() /home/ubuntu/experiments/live555-libfuzzer/liveMedia/MPEG1or2AudioStreamFramer.cpp:134:41<o:p></o:p></p>
<p class="MsoNormal">    #20 0x571f8f in MPEG1or2AudioStreamFramer::doGetNextFrame() /home/ubuntu/experiments/live555-libfuzzer/liveMedia/MPEG1or2AudioStreamFramer.cpp:94:3<o:p></o:p></p>
<p class="MsoNormal">    #21 0x5d1ac4 in MultiFramedRTPSink::packFrame() /home/ubuntu/experiments/live555-libfuzzer/liveMedia/MultiFramedRTPSink.cpp:223:14<o:p></o:p></p>
<p class="MsoNormal">    #22 0x5d11b4 in MultiFramedRTPSink::buildAndSendPacket(unsigned char) /home/ubuntu/experiments/live555-libfuzzer/liveMedia/MultiFramedRTPSink.cpp:199:3<o:p></o:p></p>
<p class="MsoNormal">    #23 0x5d11b4 in MultiFramedRTPSink::continuePlaying() /home/ubuntu/experiments/live555-libfuzzer/liveMedia/MultiFramedRTPSink.cpp:159:3<o:p></o:p></p>
<p class="MsoNormal">    #24 0x5e8085 in StreamState::startPlaying(Destinations*, unsigned int, void (*)(void*), void*, void (*)(void*, unsigned char), void*) /home/ubuntu/experiments/live555-libfuzzer/liveMedia/OnDemandServerMediaSubsession.cpp:558:17<o:p></o:p></p>
<p class="MsoNormal">    #25 0x5e7796 in OnDemandServerMediaSubsession::startStream(unsigned int, void*, void (*)(void*), void*, unsigned short&, unsigned int&, void (*)(void*, unsigned char), void*) /home/ubuntu/experiments/live555-libfuzzer/liveMedia/OnDemandServerMediaSubsession.cpp:215:18<o:p></o:p></p>
<p class="MsoNormal">    #26 0x4e75c0 in RTSPServer::RTSPClientSession::handleCmd_PLAY(RTSPServer::RTSPClientConnection*, ServerMediaSubsession*, char const*) /home/ubuntu/experiments/live555-libfuzzer/liveMedia/RTSPServer.cpp:1861:36<o:p></o:p></p>
<p class="MsoNormal">    #27 0x4e569e in RTSPServer::RTSPClientSession::handleCmd_withinSession(RTSPServer::RTSPClientConnection*, char const*, char const*, char const*, char const*) /home/ubuntu/experiments/live555-libfuzzer/liveMedia/RTSPServer.cpp<o:p></o:p></p>
<p class="MsoNormal">    #28 0x4dffc6 in RTSPServer::RTSPClientConnection::handleRequestBytes(int) /home/ubuntu/experiments/live555-libfuzzer/liveMedia/RTSPServer.cpp:927:22<o:p></o:p></p>
<p class="MsoNormal">    #29 0x4d1e2e in GenericMediaServer::ClientConnection::incomingRequestHandler() /home/ubuntu/experiments/live555-libfuzzer/liveMedia/GenericMediaServer.cpp:291:3<o:p></o:p></p>
<p class="MsoNormal">    #30 0x4d1e2e in GenericMediaServer::ClientConnection::incomingRequestHandler(void*, int) /home/ubuntu/experiments/live555-libfuzzer/liveMedia/GenericMediaServer.cpp:284:15<o:p></o:p></p>
<p class="MsoNormal">    #31 0x645f85 in BasicTaskScheduler::SingleStep(unsigned int) /home/ubuntu/experiments/live555-libfuzzer/BasicUsageEnvironment/BasicTaskScheduler.cpp:171:2<o:p></o:p></p>
<p class="MsoNormal">    #32 0x64e4aa in BasicTaskScheduler0::doEventLoop(char volatile*) /home/ubuntu/experiments/live555-libfuzzer/BasicUsageEnvironment/BasicTaskScheduler0.cpp:80:5<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">To reproduce it, please download the attachment:<o:p></o:p></p>
<ol style="margin-top:0in" start="1" type="1">
<li class="MsoListParagraph" style="margin-left:0in;mso-list:l0 level1 lfo1">Build the docker image:
<o:p></o:p></li></ol>
<p class="MsoListParagraph" style="text-indent:.5in">docker build . -t live555_bug<o:p></o:p></p>
<ol style="margin-top:0in" start="2" type="1">
<li class="MsoListParagraph" style="margin-left:0in;mso-list:l0 level1 lfo1">Start a container on the image and open two terminals.<o:p></o:p></li><li class="MsoListParagraph" style="margin-left:0in;mso-list:l0 level1 lfo1">In one terminal, run live555:
<o:p></o:p></li></ol>
<p class="MsoNormal" style="margin-left:.5in;text-indent:.5in">cd live/testProgs/; ./testOnDemandRTSPServer<o:p></o:p></p>
<ol style="margin-top:0in" start="4" type="1">
<li class="MsoListParagraph" style="margin-left:0in;mso-list:l0 level1 lfo1">In the other terminal, run the PoC:
<o:p></o:p></li></ol>
<p class="MsoListParagraph" style="margin-left:1.0in">python3 poc.py<o:p></o:p></p>
<p class="MsoNormal">Then the testOnDemandRTSPServer aborts.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Best regards,<o:p></o:p></p>
<p class="MsoNormal">Jinsheng Ba<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
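<p class="MsoNormal">Added triage example (not part of the original report and not live555 code): a parser for the stack-frame lines quoted above that derives a crash bucket key, flags functions that occur more than once in the chain, and finds the innermost RTSPServer frame through which the client request reached the failing read. The embedded frames are a subset copied from the report with the build-root prefix trimmed; the helper names, the bucket depth and the skip list are assumptions of this example.</p>

```python
import re
from collections import Counter

# Frames copied from the report above (subset), build-root prefix trimmed.
# Layout: "#N 0xADDR in FUNCTION FILE[:LINE[:COL]]".
TRACE = """\
#6 0x64fafa in UsageEnvironment::internalError() UsageEnvironment/UsageEnvironment.cpp:42:3
#7 0x5502d5 in FramedSource::getNextFrame(unsigned char*, unsigned int, void (*)(void*, unsigned int, unsigned int, timeval, unsigned int), void*, void (*)(void*), void*) liveMedia/FramedSource.cpp:65:13
#8 0x613e63 in StreamParser::ensureValidBytes1(unsigned int) liveMedia/StreamParser.cpp:156:17
#9 0x558f35 in StreamParser::ensureValidBytes(unsigned int) liveMedia/./StreamParser.hh:125:5
#14 0x55c946 in MPEG1or2DemuxedElementaryStream::doGetNextFrame() liveMedia/MPEG1or2DemuxedElementaryStream.cpp:45:19
#15 0x613e63 in StreamParser::ensureValidBytes1(unsigned int) liveMedia/StreamParser.cpp:156:17
#26 0x4e75c0 in RTSPServer::RTSPClientSession::handleCmd_PLAY(RTSPServer::RTSPClientConnection*, ServerMediaSubsession*, char const*) liveMedia/RTSPServer.cpp:1861:36
#27 0x4e569e in RTSPServer::RTSPClientSession::handleCmd_withinSession(RTSPServer::RTSPClientConnection*, char const*, char const*, char const*, char const*) liveMedia/RTSPServer.cpp
"""

FRAME = re.compile(r"^\s*#(\d+)\s+(0x[0-9a-fA-F]+)\s+in\s+(.*)\s+(\S+?)(?::(\d+))?(?::(\d+))?$")

def parse_frames(text):
    """One dict per frame; signatures may contain spaces, paths may lack a line number."""
    frames = []
    for line in text.splitlines():
        m = FRAME.match(line)
        if not m:
            continue
        num, _addr, sig, path, lineno, _col = m.groups()
        frames.append({"n": int(num), "func": sig.split("(", 1)[0], "file": path,
                       "line": int(lineno) if lineno else None})
    return frames

def bucket_key(frames, depth=3, skip=("UsageEnvironment::internalError",)):
    """Crash bucket: the first `depth` functions below the error-reporting helper."""
    funcs = [f["func"] for f in frames if f["func"] not in skip]
    return " | ".join(funcs[:depth])

def nested_calls(frames):
    """Functions present more than once, a sign of a nested read chain."""
    counts = Counter(f["func"] for f in frames)
    return sorted(name for name, c in counts.items() if c > 1)

def request_entry(frames, prefix="RTSPServer::"):
    """Innermost frame inside the request handler, where client input enters."""
    for f in frames:
        if f["func"].startswith(prefix):
            return f["func"]
    return None
```

<p class="MsoNormal">Grouping fuzzer crashes by the bucket key keeps duplicates of this abort together, and the request-entry frame records that the failing read is reached from RTSP PLAY handling.</p>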
</div>
</body>
</html>