Open TuanTranBPK opened 1 month ago
I can't reproduce:
$ ./app.py /tmp/tmp/buffer_overflow/server_config.ini
WARNING: this python wrapper is for GPAC ABI 12.14 but native libgpac ABI is 12.15
Undefined behavior or crashes might happen, please update libgpac.py
[DVB-FLUTE] IP audio_dash_track1_init.mp4 is not a multicast address
Filter routeout failed to setup: Bad Parameter
[Dasher] Couldn't create output file audio_dash_track1_init.mp4: Bad Parameter
[DVB-FLUTE] IP video_dash_track2_init.mp4 is not a multicast address
Filter routeout failed to setup: Bad Parameter
[Dasher] Couldn't create output file video_dash_track2_init.mp4: Bad Parameter
Attempt to allocate a packet on a NULL PID
Neither @soheibthriber nor myself can reproduce. Which platforms are you on? Maybe we should organize a short call to make sure we replicate this.
DASH to be deleted @sla] Buffer overflow causing string: https://akamaibroadcasteruseast.akamaized.net/cmaf/live/657078/akasource/1721610001/chunk-stream_1- size: 99
=================================================================
==13846==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fffd8b5e5d4 at pc 0x7ffff78f94d3 bp 0x7fffffffc2e0 sp 0x7fffffffba88
WRITE of size 2 at 0x7fffd8b5e5d4 thread T0
#0 0x7ffff78f94d2 in memcpy ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors_memintrinsics.inc:115
#1 0x7ffff0aae97d in gf_dash_group_timeline_setup_single media_tools/dash_client.c:856
#2 0x7ffff0ac32d2 in gf_dash_group_timeline_setup media_tools/dash_client.c:1488
#3 0x7ffff0aeb972 in gf_dash_resolve_url media_tools/dash_client.c:3497
#4 0x7ffff0b068fa in gf_dash_download_init_segment media_tools/dash_client.c:4891
#5 0x7ffff0b4d860 in dash_setup_period_and_groups media_tools/dash_client.c:7854
#6 0x7ffff0b532c7 in gf_dash_process_internal media_tools/dash_client.c:8159
#7 0x7ffff0b5442a in gf_dash_process media_tools/dash_client.c:8230
#8 0x7ffff1953ef4 in dashdmx_process filters/dmx_dash.c:3237
#9 0x7ffff168a49c in gf_filter_process_task filter_core/filter.c:3171
#10 0x7ffff1626955 in gf_fs_thread_proc filter_core/filter_session.c:2171
#11 0x7ffff162a46b in gf_fs_run filter_core/filter_session.c:2478
#12 0x55555556204f in gpac_main /home/sohaib/gpac/gpac_public/applications/gpac/gpac.c:1598
#13 0x555555562484 in main /home/sohaib/gpac/gpac_public/applications/gpac/gpac.c:1854
#14 0x7fffeb22a1c9 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
#15 0x7fffeb22a28a in __libc_start_main_impl ../csu/libc-start.c:360
#16 0x55555555d314 in _start (/home/sohaib/gpac/gpac_public/bin/gcc/gpac+0x9314) (BuildId: a2ccdb6707fa9d1833bff7f1275b9b173982460a)
Address 0x7fffd8b5e5d4 is located in stack of thread T0 at offset 468 in frame
#0 0x7ffff0aa8bb1 in gf_dash_group_timeline_setup_single media_tools/dash_client.c:621
This frame has 11 object(s):
[32, 36) 'tpl_use_time' (line 832)
[48, 56) 'sr' (line 805)
[80, 88) 'seg_dur_ms' (line 805)
[112, 120) 'seg_url' (line 808)
[144, 152) 'number' (line 849)
[176, 184) 'utc' (line 992)
[208, 216) 'utc' (line 1048)
[240, 248) 'gtime1' (line 1098)
[272, 280) 'gtime2' (line 1098)
[304, 324) 'szFmt' (line 858)
[368, 468) 'szTemplate' (line 850) <== Memory access at offset 468 overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
(longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors_memintrinsics.inc:115 in memcpy
Shadow bytes around the buggy address:
==13846==ABORTING
I did reproduce and I think the buffer overflow is produced because of a static declaration of the szTemplate variable in dash_client.c. I will propose a modification in gpac code.
Fix proposed in this pull request: https://github.com/gpac/gpac/pull/2940
If we can test (I tested from my end), then merge, I think we can close this issue.
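As an added example (not GPAC's code and not the fix in the pull request above): the pattern the ASan frame describes, a fixed 100-byte stack buffer receiving a 99-character template plus a short appended suffix, written with a length check that refuses the append instead of writing past the end. The buffer size is taken from the report's szTemplate object, the 99-character URL is constructed, and `build_template`, `template_len` and the `$N` suffix are assumptions for illustration; the real code in dash_client.c may differ.

```c
#include <stdio.h>
#include <string.h>

/* Same size as the szTemplate object in the ASan frame: [368, 468) is 100 bytes.
 * (Assumption for illustration, taken from the report above, not from dash_client.c.) */
#define TEMPLATE_SIZE 100

/* Copy base into dst and append suffix, but only when the result plus its
 * terminating NUL fits in dst_size bytes. Returns the length written, or -1
 * when it would not fit; on failure nothing is written to dst. */
static int build_template(char *dst, size_t dst_size,
                          const char *base, const char *suffix)
{
    size_t blen = strlen(base), slen = strlen(suffix);
    if (blen + slen + 1 > dst_size)
        return -1;                           /* refuse instead of overflowing */
    memcpy(dst, base, blen);
    memcpy(dst + blen, suffix, slen + 1);    /* slen + 1 copies the NUL too */
    return (int)(blen + slen);
}

/* Build into a local 100-byte buffer, as the overflowing frame does, and
 * return what build_template returned. */
int template_len(const char *base, const char *suffix)
{
    char szTemplate[TEMPLATE_SIZE];
    return build_template(szTemplate, sizeof szTemplate, base, suffix);
}

/* Constructed sample: a 99-character URL shaped like the one in the report
 * (the report says "size: 99"); not the real stream URL. */
const char *sample_url_99(void)
{
    static char url[TEMPLATE_SIZE];
    const char *prefix = "https://example.invalid/live/chunk-stream_1-";
    size_t n = strlen(prefix);
    memcpy(url, prefix, n);
    memset(url + n, 'x', 99 - n);
    url[99] = '\0';
    return url;
}

int main(void)
{
    const char *url = sample_url_99();
    /* 99 chars + a 2-byte suffix + NUL needs 102 bytes: rejected, not overflowed. */
    printf("99 chars alone: %d\n", template_len(url, ""));   /* 99 */
    printf("99 chars + 2:   %d\n", template_len(url, "$N")); /* -1 */
    return 0;
}
```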
The issue happens with the unicast repair config both activated and deactivated in the GPAC multicast gateway. On the server, it also happens whether low-latency is enabled or not. Stream E is used to deliver in multicast.
Please see attached for all possible logs as well as the pcap capture from the multicast server. buffer_overflow.zip