search

rgaufman / live555

A mirror of the live555 source code.
GNU Lesser General Public License v3.0
768 stars 370 forks source link

Heap-use-after-free bug #38

Open mirzamomen opened 2 years ago

mirzamomen commented 2 years ago

There is a Heap Use After Free bug in Live555 in this repository. (This bug is fixed in the last version of Live555 in 2022 )

The ASAN output is: ==1089==ERROR: AddressSanitizer: heap-use-after-free on address 0x60800000bfa8 at pc 0x0000004df57d bp 0x7fff9326ad20 sp 0x7fff9326ad10
READ of size 8 at 0x60800000bfa8 thread T0

0 0x4df57c in MatroskaDemux::newDemuxedTrackByTrackNumber(unsigned int) (/home/ubuntu/experiments/live555-cov/testProgs/testOnDemandRTSPServer+0x4df57c)

#1 0x45a60c in MatroskaFileServerDemux::newDemuxedTrack(unsigned int, unsigned int) (/home/ubuntu/experiments/live555-cov/testProgs/testOnDemandRTSPServer+0x45a60c)                                                                                                        
#2 0x45ab32 in MatroskaFileServerMediaSubsession::createNewStreamSource(unsigned int, unsigned int&) (/home/ubuntu/experiments/live555-cov/testProgs/testOnDemandRTSPServer+0x45ab32)                                                                                       
#3 0x4d6577 in OnDemandServerMediaSubsession::getStreamParameters(unsigned int, unsigned int, Port const&, Port const&, int, unsigned char, unsigned char, unsigned int&, unsigned char&, unsigned char&, Port&, Port&, void*&) (/home/ubuntu/experiments/live555-cov/testP$

ogs/testOnDemandRTSPServer+0x4d6577)

4 0x416ae2 in RTSPServer::RTSPClientSession::handleCmd_SETUP(RTSPServer::RTSPClientConnection, char const, char const, char const) (/home/ubuntu/experiments/live555-cov/testProgs/testOnDemandRTSPServer+0x416ae2)

#5 0x41067a in RTSPServer::RTSPClientConnection::handleRequestBytes(int) (/home/ubuntu/experiments/live555-cov/testProgs/testOnDemandRTSPServer+0x41067a)                                                                                                                   
#6 0x40ae4d in GenericMediaServer::ClientConnection::incomingRequestHandler() (/home/ubuntu/experiments/live555-cov/testProgs/testOnDemandRTSPServer+0x40ae4d)                                                                                                              
#7 0x40af10 in GenericMediaServer::ClientConnection::incomingRequestHandler(void*, int) (/home/ubuntu/experiments/live555-cov/testProgs/testOnDemandRTSPServer+0x40af10)                                                                                                    
#8 0x514415 in BasicTaskScheduler::SingleStep(unsigned int) (/home/ubuntu/experiments/live555-cov/testProgs/testOnDemandRTSPServer+0x514415)                                                                                                                                
#9 0x518f0f in BasicTaskScheduler0::doEventLoop(char volatile*) (/home/ubuntu/experiments/live555-cov/testProgs/testOnDemandRTSPServer+0x518f0f)                                                                                                                            
#10 0x404bd9 in main (/home/ubuntu/experiments/live555-cov/testProgs/testOnDemandRTSPServer+0x404bd9)                                                                                                                                                                       
#11 0x7f6b73bd783f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2083f)                                                                                                                                                                                           
#12 0x407108 in _start (/home/ubuntu/experiments/live555-cov/testProgs/testOnDemandRTSPServer+0x407108)

0x60800000bfa8 is located 8 bytes inside of 88-byte region [0x60800000bfa0,0x60800000bff8)
freed by thread T0 here:

0 0x7f6b747beb2a in operator delete(void*) (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x99b2a)

#1 0x4e0080 in MatroskaDemux::~MatroskaDemux() (/home/ubuntu/experiments/live555-cov/testProgs/testOnDemandRTSPServer+0x4e0080)

previously allocated by thread T0 here:

0 0x7f6b747be532 in operator new(unsigned long) (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x99532)

#1 0x4df3ba in MatroskaFile::newDemux() (/home/ubuntu/experiments/live555-cov/testProgs/testOnDemandRTSPServer+0x4df3ba)

SUMMARY: AddressSanitizer: heap-use-after-free ??:0 MatroskaDemux::newDemuxedTrackByTrackNumber(unsigned int) Shadow bytes around the buggy address: 0x0c107fff97a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c107fff97b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c107fff97c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c107fff97d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c107fff97e0: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00 =>0x0c107fff97f0: fa fa fa fa fd[fd]fd fd fd fd fd fd fd fd fd fa 0x0c107fff9800: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c107fff9810: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c107fff9820: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c107fff9830: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c107fff9840: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Heap right redzone: fb Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack partial redzone: f4 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe ==1089==ABORTING

To reproduce:

  1. Copy attached test.webm file into testProgs/test.webm
  2. run the server
  3. Get connected to the server and try to play the multimedia.

live_HUAF_bug1_test.webm