Heap Use After Free (#2) bug

[mirzamomen]

There is a Heap Use After Free bug in Live555 in this repository. (This bug is fixed in the last version of Live555 in 2022 ) Here is the ASAN output: `==2355==ERROR: AddressSanitizer: heap-use-after-free on address 0x62b000007250 at pc 0x000000467da7 bp 0x7ffc991884d0 sp 0x7ffc991884c0
READ of size 4 at 0x62b000007250 thread T0

0 0x467da6 in MPEG1or2Demux::newElementaryStream(unsigned char) (/home/ubuntu/experiments/live555-cov/testProgs/testOnDemandRTSPServer+0x467da6)

#1 0x44803f in MPEG1or2FileServerDemux::newElementaryStream(unsigned int, unsigned char) (/home/ubuntu/experiments/live555-cov/testProgs/testOnDemandRTSPServer+0x44803f)                                                                                                   
#2 0x4485d0 in MPEG1or2DemuxedServerMediaSubsession::createNewStreamSource(unsigned int, unsigned int&) (/home/ubuntu/experiments/live555-cov/testProgs/testOnDemandRTSPServer+0x4485d0)                                                                                    
#3 0x4d6577 in OnDemandServerMediaSubsession::getStreamParameters(unsigned int, unsigned int, Port const&, Port const&, int, unsigned char, unsigned char, unsigned int&, unsigned char&, unsigned char&, Port&, Port&, void*&) (/home/ubuntu/experiments/live555-cov/testPr

ogs/testOnDemandRTSPServer+0x4d6577)

4 0x416ae2 in RTSPServer::RTSPClientSession::handleCmd_SETUP(RTSPServer::RTSPClientConnection, char const, char const, char const) (/home/ubuntu/experiments/live555-cov/testProgs/testOnDemandRTSPServer+0x416ae2)

#5 0x41067a in RTSPServer::RTSPClientConnection::handleRequestBytes(int) (/home/ubuntu/experiments/live555-cov/testProgs/testOnDemandRTSPServer+0x41067a)                                                                                                                   
#6 0x40ae4d in GenericMediaServer::ClientConnection::incomingRequestHandler() (/home/ubuntu/experiments/live555-cov/testProgs/testOnDemandRTSPServer+0x40ae4d)                                                                                                              
#7 0x40af10 in GenericMediaServer::ClientConnection::incomingRequestHandler(void*, int) (/home/ubuntu/experiments/live555-cov/testProgs/testOnDemandRTSPServer+0x40af10)                                                                                                    
#8 0x514415 in BasicTaskScheduler::SingleStep(unsigned int) (/home/ubuntu/experiments/live555-cov/testProgs/testOnDemandRTSPServer+0x514415)                                                                                                                                
#9 0x518f0f in BasicTaskScheduler0::doEventLoop(char volatile*) (/home/ubuntu/experiments/live555-cov/testProgs/testOnDemandRTSPServer+0x518f0f)                                                                                                                            
#10 0x404bd9 in main (/home/ubuntu/experiments/live555-cov/testProgs/testOnDemandRTSPServer+0x404bd9)                                                                                                                                                                       
#11 0x7f2a149c283f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2083f)                                                                                                                                                                                           
#12 0x407108 in _start (/home/ubuntu/experiments/live555-cov/testProgs/testOnDemandRTSPServer+0x407108)                                                                                                                                                                     

0x62b000007250 is located 80 bytes inside of 24680-byte region [0x62b000007200,0x62b00000d268)
freed by thread T0 here:

0 0x7f2a155a9b2a in operator delete(void*) (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x99b2a)

#1 0x4675d0 in MPEG1or2Demux::~MPEG1or2Demux() (/home/ubuntu/experiments/live555-cov/testProgs/testOnDemandRTSPServer+0x4675d0)                                                                                                                                             

previously allocated by thread T0 here:

0 0x7f2a155a9532 in operator new(unsigned long) (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x99532)

#1 0x467a83 in MPEG1or2Demux::createNew(UsageEnvironment&, FramedSource*, unsigned char) (/home/ubuntu/experiments/live555-cov/testProgs/testOnDemandRTSPServer+0x467a83)                                                                                                   

SUMMARY: AddressSanitizer: heap-use-after-free ??:0 MPEG1or2Demux::newElementaryStream(unsigned char) Shadow bytes around the buggy address: 0x0c567fff8df0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c567fff8e00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c567fff8e10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c567fff8e20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c567fff8e30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa =>0x0c567fff8e40: fd fd fd fd fd fd fd fd fd fd[fd]fd fd fd fd fd 0x0c567fff8e50: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0c567fff8e60: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0c567fff8e70: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0c567fff8e80: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0c567fff8e90: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Heap right redzone: fb Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack partial redzone: f4 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe ==2355==ABORTING `

To reproduce:

1. Copy attached test.webm file into testProgs/test.webm
2. run the server Get connected to the server and try to play the multimedia.

live_HUAF_bug2_test.webm