[FFmpeg-trac] #6413(avformat:new): libssh sftp demuxer crashes (SIGSEGV) if the server asks for a password (with no pubkey auth)
FFmpeg
trac at avcodec.org
Tue May 23 10:40:41 EEST 2017
#6413: libssh sftp demuxer crashes (SIGSEGV) if the server asks for a password
(with no pubkey auth)
-------------------------------------+-------------------------------------
Reporter: thebombzen | Type: defect
Status: new | Priority: normal
Component: avformat | Version: git-master
Keywords: avformat, libssh, sftp, crash | Blocked By:
Blocking: | Reproduced by developer: 0
Analyzed by developer: 0 |
-------------------------------------+-------------------------------------
Summary of the bug:
The SFTP demuxer in libavformat, provided by the external library libssh,
will crash via segmentation fault if the SSH server doesn't have public
key set up and asks for a password. It works as expected if the user has
public key SSH set up.
What should happen:
Either ffmpeg should ask the user for the password, or exit gracefully
with failure (and probably an error message on stderr as well). It should
not segfault.
In order to reproduce this, try adding a new user and then connecting to
localhost over SSH. Here is my log of this phenomenon:
{{{
leo at gauss ~/Programs/ffmpeg-basic :) $ ./ffmpeg -v 9 -loglevel 99 -i
"sftp://public@127.0.0.1:2304/OP_Episodes/One_Piece_789.mkv"
ffmpeg version N-86209-gc3547dcbc3 Copyright (c) 2000-2017 the FFmpeg
developers
built with gcc 6.3.1 (GCC) 20170306
configuration: --enable-libssh
libavutil 55. 63.100 / 55. 63.100
libavcodec 57. 96.101 / 57. 96.101
libavformat 57. 72.101 / 57. 72.101
libavdevice 57. 7.100 / 57. 7.100
libavfilter 6. 90.100 / 6. 90.100
libswscale 4. 7.101 / 4. 7.101
libswresample 2. 8.100 / 2. 8.100
Splitting the commandline.
Reading option '-v' ... matched as option 'v' (set logging level) with
argument '9'.
Reading option '-loglevel' ... matched as option 'loglevel' (set logging
level) with argument '99'.
Reading option '-i' ... matched as input url with argument
'sftp://public@127.0.0.1:2304/OP_Episodes/One_Piece_789.mkv'.
Finished splitting the commandline.
Parsing a group of options: global .
Applying option v (set logging level) with argument 9.
Successfully parsed a group of options.
Parsing a group of options: input url
sftp://public@127.0.0.1:2304/OP_Episodes/One_Piece_789.mkv.
Successfully parsed a group of options.
Opening an input file:
sftp://public@127.0.0.1:2304/OP_Episodes/One_Piece_789.mkv.
[sftp @ 0x564e48fbbcc0] No default whitelist set
[libssh @ 0x564e48fbbe40] Authentication successful with auto selected
key.
Probing matroska,webm score:100 size:2048
[matroska,webm @ 0x564e48fbb360] Format matroska,webm probed with
size=2048 and score=100
st:0 removing common factor 1000000 from timebase
st:1 removing common factor 1000000 from timebase
st:2 removing common factor 1000000 from timebase
[matroska,webm @ 0x564e48fbb360] Before avformat_find_stream_info() pos:
228024 bytes read:261930 seeks:2 nb_streams:4
[h264 @ 0x564e48fc4560] nal_unit_type: 7, nal_ref_idc: 3
[h264 @ 0x564e48fc4560] nal_unit_type: 8, nal_ref_idc: 3
[h264 @ 0x564e48fc4560] nal_unit_type: 7, nal_ref_idc: 3
[h264 @ 0x564e48fc4560] nal_unit_type: 8, nal_ref_idc: 3
[h264 @ 0x564e48fc4560] user data:"x264 - core 120 r2120 0c7dab9 -
H.264/MPEG-4 AVC codec - Copyleft 2003-2011 -
http://www.videolan.org/x264.html - options: cabac=1 ref=6 deblock=1:1:1
analyse=0x3:0x113 me=umh subme=8 psy=1 psy_rd=0.40:0.00 mixed_ref=1
me_range=16 chroma_me=1 trellis=1 8x8dct=1 cqm=0 deadzone=21,11
fast_pskip=1 chroma_qp_offset=-2 threads=4 sliced_threads=0 nr=0
decimate=1 interlaced=0 bluray_compat=0 constrained_intra=0 bframes=3
b_pyramid=2 b_adapt=2 b_bias=0 direct=3 weightb=1 open_gop=0 weightp=2
keyint=250 keyint_min=23 scenecut=40 intra_refresh=0 rc_lookahead=50
rc=2pass mbtree=1 bitrate=1776 ratetol=1.0 qcomp=0.60 qpmin=0 qpmax=69
qpstep=4 cplxblur=20.0 qblur=0.5 vbv_maxrate=3552 vbv_bufsize=8880
nal_hrd=none ip_ratio=1.40 aq=1:0.60"
[h264 @ 0x564e48fc4560] nal_unit_type: 7, nal_ref_idc: 3
[h264 @ 0x564e48fc4560] nal_unit_type: 8, nal_ref_idc: 3
[h264 @ 0x564e48fc4560] nal_unit_type: 6, nal_ref_idc: 0
[h264 @ 0x564e48fc4560] nal_unit_type: 5, nal_ref_idc: 3
[h264 @ 0x564e48fc4560] user data:"x264 - core 120 r2120 0c7dab9 -
H.264/MPEG-4 AVC codec - Copyleft 2003-2011 -
http://www.videolan.org/x264.html - options: cabac=1 ref=6 deblock=1:1:1
analyse=0x3:0x113 me=umh subme=8 psy=1 psy_rd=0.40:0.00 mixed_ref=1
me_range=16 chroma_me=1 trellis=1 8x8dct=1 cqm=0 deadzone=21,11
fast_pskip=1 chroma_qp_offset=-2 threads=4 sliced_threads=0 nr=0
decimate=1 interlaced=0 bluray_compat=0 constrained_intra=0 bframes=3
b_pyramid=2 b_adapt=2 b_bias=0 direct=3 weightb=1 open_gop=0 weightp=2
keyint=250 keyint_min=23 scenecut=40 intra_refresh=0 rc_lookahead=50
rc=2pass mbtree=1 bitrate=1776 ratetol=1.0 qcomp=0.60 qpmin=0 qpmax=69
qpstep=4 cplxblur=20.0 qblur=0.5 vbv_maxrate=3552 vbv_bufsize=8880
nal_hrd=none ip_ratio=1.40 aq=1:0.60"
[h264 @ 0x564e48fc4560] Reinit context to 1280x720, pix_fmt: yuv420p
[h264 @ 0x564e48fc4560] no picture
[matroska,webm @ 0x564e48fbb360] All info found
[matroska,webm @ 0x564e48fbb360] stream 0: start_time: 0.000 duration:
-9223372036854776.000
[matroska,webm @ 0x564e48fbb360] stream 1: start_time: 0.000 duration:
-9223372036854776.000
[matroska,webm @ 0x564e48fbb360] stream 2: start_time: 0.000 duration:
1435.318
[matroska,webm @ 0x564e48fbb360] stream 3: start_time: 0.000 duration:
1435.318
[matroska,webm @ 0x564e48fbb360] format: start_time: 0.000 duration:
1435.318 bitrate=1905 kb/s
[matroska,webm @ 0x564e48fbb360] After avformat_find_stream_info() pos:
1754501 bytes read:1803854 seeks:2 frames:12
Input #0, matroska,webm, from
'sftp://public@127.0.0.1:2304/OP_Episodes/One_Piece_789.mkv':
Metadata:
encoder : no_variable_data
creation_time : 1970-01-01T00:00:00.000000Z
Duration: 00:23:55.32, start: 0.000000, bitrate: 1905 kb/s
Stream #0:0, 4, 1/1000: Video: h264 (High), 1 reference frame,
yuv420p(progressive, left), 1280x720 [SAR 1:1 DAR 16:9], 0/1, 23.81 fps,
23.81 tbr, 1k tbn, 47.95 tbc (default)
Metadata:
BPS : 1773921
BPS-eng : 1773921
DURATION : 00:23:55.143000000
DURATION-eng : 00:23:55.143000000
NUMBER_OF_FRAMES: 34410
NUMBER_OF_FRAMES-eng: 34410
NUMBER_OF_BYTES : 318228822
NUMBER_OF_BYTES-eng: 318228822
_STATISTICS_WRITING_APP: no_variable_data
_STATISTICS_WRITING_APP-eng: no_variable_data
_STATISTICS_WRITING_DATE_UTC: 1970-01-01 00:00:00
_STATISTICS_WRITING_DATE_UTC-eng: 1970-01-01 00:00:00
_STATISTICS_TAGS: BPS DURATION NUMBER_OF_FRAMES NUMBER_OF_BYTES
_STATISTICS_TAGS-eng: BPS DURATION NUMBER_OF_FRAMES NUMBER_OF_BYTES
Stream #0:1(jpn), 8, 1/1000: Audio: aac (LC), 44100 Hz, stereo, fltp
(default)
Metadata:
BPS : 128000
BPS-eng : 128000
DURATION : 00:23:55.318000000
DURATION-eng : 00:23:55.318000000
NUMBER_OF_FRAMES: 61814
NUMBER_OF_FRAMES-eng: 61814
NUMBER_OF_BYTES : 22965092
NUMBER_OF_BYTES-eng: 22965092
_STATISTICS_WRITING_APP: no_variable_data
_STATISTICS_WRITING_APP-eng: no_variable_data
_STATISTICS_WRITING_DATE_UTC: 1970-01-01 00:00:00
_STATISTICS_WRITING_DATE_UTC-eng: 1970-01-01 00:00:00
_STATISTICS_TAGS: BPS DURATION NUMBER_OF_FRAMES NUMBER_OF_BYTES
_STATISTICS_TAGS-eng: BPS DURATION NUMBER_OF_FRAMES NUMBER_OF_BYTES
Stream #0:2(eng), 0, 1/1000: Subtitle: ass (default)
Metadata:
BPS : 112
BPS-eng : 112
DURATION : 00:23:36.670000000
DURATION-eng : 00:23:36.670000000
NUMBER_OF_FRAMES: 307
NUMBER_OF_FRAMES-eng: 307
NUMBER_OF_BYTES : 19990
NUMBER_OF_BYTES-eng: 19990
_STATISTICS_WRITING_APP: no_variable_data
_STATISTICS_WRITING_APP-eng: no_variable_data
_STATISTICS_WRITING_DATE_UTC: 1970-01-01 00:00:00
_STATISTICS_WRITING_DATE_UTC-eng: 1970-01-01 00:00:00
_STATISTICS_TAGS: BPS DURATION NUMBER_OF_FRAMES NUMBER_OF_BYTES
_STATISTICS_TAGS-eng: BPS DURATION NUMBER_OF_FRAMES NUMBER_OF_BYTES
Stream #0:3, 0, 1/90000: Attachment: ttf
Metadata:
filename : OpenSans-Semibold.ttf
mimetype : application/x-truetype-font
Successfully opened the file.
At least one output file must be specified
[AVIOContext @ 0x564e48fc2c80] Statistics: 1803854 bytes read, 2 seeks
leo at gauss ~/Programs/ffmpeg-basic :( $ sudo rm
/home/public/.ssh/authorized_keys
leo at gauss ~/Programs/ffmpeg-basic :) $ ./ffmpeg -v 9 -loglevel 99 -i
"sftp://public@127.0.0.1:2304/OP_Episodes/One_Piece_789.mkv"
ffmpeg version N-86209-gc3547dcbc3 Copyright (c) 2000-2017 the FFmpeg
developers
built with gcc 6.3.1 (GCC) 20170306
configuration: --enable-libssh
libavutil 55. 63.100 / 55. 63.100
libavcodec 57. 96.101 / 57. 96.101
libavformat 57. 72.101 / 57. 72.101
libavdevice 57. 7.100 / 57. 7.100
libavfilter 6. 90.100 / 6. 90.100
libswscale 4. 7.101 / 4. 7.101
libswresample 2. 8.100 / 2. 8.100
Splitting the commandline.
Reading option '-v' ... matched as option 'v' (set logging level) with
argument '9'.
Reading option '-loglevel' ... matched as option 'loglevel' (set logging
level) with argument '99'.
Reading option '-i' ... matched as input url with argument
'sftp://public@127.0.0.1:2304/OP_Episodes/One_Piece_789.mkv'.
Finished splitting the commandline.
Parsing a group of options: global .
Applying option v (set logging level) with argument 9.
Successfully parsed a group of options.
Parsing a group of options: input url
sftp://public@127.0.0.1:2304/OP_Episodes/One_Piece_789.mkv.
Successfully parsed a group of options.
Opening an input file:
sftp://public@127.0.0.1:2304/OP_Episodes/One_Piece_789.mkv.
[sftp @ 0x559b6aed1cc0] No default whitelist set
Segmentation fault (core dumped)
leo at gauss ~/Programs/ffmpeg-basic :( $
}}}
I ran Valgrind on a debug build. Here's the output of Valgrind:
{{{
leo at gauss ~/Programs/ffmpeg-basic :) $ valgrind ./ffmpeg -v 9 -loglevel 99
-i "sftp://public@127.0.0.1:2304/OP_Episodes/One_Piece_789.mkv"
==29927== Memcheck, a memory error detector
==29927== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==29927== Using Valgrind-3.12.0 and LibVEX; rerun with -h for copyright
info
==29927== Command: ./ffmpeg -v 9 -loglevel 99 -i
sftp://public@127.0.0.1:2304/OP_Episodes/One_Piece_789.mkv
==29927==
ffmpeg version N-86209-gc3547dcbc3 Copyright (c) 2000-2017 the FFmpeg
developers
built with gcc 6.3.1 (GCC) 20170306
configuration: --enable-debug=3 --disable-stripping --disable-optimizations --enable-libssh
libavutil 55. 63.100 / 55. 63.100
libavcodec 57. 96.101 / 57. 96.101
libavformat 57. 72.101 / 57. 72.101
libavdevice 57. 7.100 / 57. 7.100
libavfilter 6. 90.100 / 6. 90.100
libswscale 4. 7.101 / 4. 7.101
libswresample 2. 8.100 / 2. 8.100
Splitting the commandline.
Reading option '-v' ... matched as option 'v' (set logging level) with
argument '9'.
Reading option '-loglevel' ... matched as option 'loglevel' (set logging
level) with argument '99'.
Reading option '-i' ... matched as input url with argument
'sftp://public@127.0.0.1:2304/OP_Episodes/One_Piece_789.mkv'.
Finished splitting the commandline.
Parsing a group of options: global .
Applying option v (set logging level) with argument 9.
Successfully parsed a group of options.
Parsing a group of options: input url
sftp://public@127.0.0.1:2304/OP_Episodes/One_Piece_789.mkv.
Successfully parsed a group of options.
Opening an input file:
sftp://public@127.0.0.1:2304/OP_Episodes/One_Piece_789.mkv.
[sftp @ 0x97055a0] No default whitelist set
==29927== Invalid read of size 1
==29927== at 0x4C2E112: strlen (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==29927== by 0x5ABDB47: ??? (in /usr/lib/libssh.so.4.4.2)
==29927== by 0x5ABDEC1: ??? (in /usr/lib/libssh.so.4.4.2)
==29927== by 0x5ABAFC3: ssh_userauth_password (in /usr/lib/libssh.so.4.4.2)
==29927== by 0x64E06D: libssh_authentication (libssh.c:107)
==29927== by 0x64E5A4: libssh_connect (libssh.c:220)
==29927== by 0x64E676: libssh_open (libssh.c:235)
==29927== by 0x486E4F: ffurl_connect (avio.c:209)
==29927== by 0x487615: ffurl_open_whitelist (avio.c:347)
==29927== by 0x48B4E6: ffio_open_whitelist (aviobuf.c:1073)
==29927== by 0x589D66: io_open_default (options.c:112)
==29927== by 0x5FF60E: init_input (utils.c:416)
==29927== Address 0x0 is not stack'd, malloc'd or (recently) free'd
==29927==
==29927==
==29927== Process terminating with default action of signal 11 (SIGSEGV):
dumping core
==29927== Access not within mapped region at address 0x0
==29927== at 0x4C2E112: strlen (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==29927== by 0x5ABDB47: ??? (in /usr/lib/libssh.so.4.4.2)
==29927== by 0x5ABDEC1: ??? (in /usr/lib/libssh.so.4.4.2)
==29927== by 0x5ABAFC3: ssh_userauth_password (in /usr/lib/libssh.so.4.4.2)
==29927== by 0x64E06D: libssh_authentication (libssh.c:107)
==29927== by 0x64E5A4: libssh_connect (libssh.c:220)
==29927== by 0x64E676: libssh_open (libssh.c:235)
==29927== by 0x486E4F: ffurl_connect (avio.c:209)
==29927== by 0x487615: ffurl_open_whitelist (avio.c:347)
==29927== by 0x48B4E6: ffio_open_whitelist (aviobuf.c:1073)
==29927== by 0x589D66: io_open_default (options.c:112)
==29927== by 0x5FF60E: init_input (utils.c:416)
==29927== If you believe this happened as a result of a stack
==29927== overflow in your program's main thread (unlikely but
==29927== possible), you can try to increase the size of the
==29927== main thread stack using the --main-stacksize= flag.
==29927== The main thread stack size used in this run was 8388608.
==29927==
==29927== HEAP SUMMARY:
==29927== in use at exit: 19,128 bytes in 138 blocks
==29927== total heap usage: 638 allocs, 500 frees, 204,002 bytes
allocated
==29927==
==29927== LEAK SUMMARY:
==29927== definitely lost: 0 bytes in 0 blocks
==29927== indirectly lost: 0 bytes in 0 blocks
==29927== possibly lost: 0 bytes in 0 blocks
==29927== still reachable: 19,128 bytes in 138 blocks
==29927== suppressed: 0 bytes in 0 blocks
==29927== Rerun with --leak-check=full to see details of leaked memory
==29927==
==29927== For counts of detected and suppressed errors, rerun with: -v
==29927== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
Segmentation fault (core dumped)
leo at gauss ~/Programs/ffmpeg-basic :( $
}}}
Not entirely sure if this is a libssh bug, or if this is a problem with
the way the API is called (e.g. lack of error checking). Also, I listed the
component as avformat because Valgrind pointed to libavformat/avio.c.
--
Ticket URL: <https://trac.ffmpeg.org/ticket/6413>
FFmpeg <https://ffmpeg.org>
FFmpeg issue tracker
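
Added example (not part of the ticket, and not FFmpeg or libssh code): a caller-side guard that returns an error instead of passing a NULL password to a password-auth call. It assumes the NULL read by strlen in the trace is the password argument, since the URL in the report carries none; fake_userauth_password, split_userinfo and authenticate_from_url are hypothetical names.

```c
#include <errno.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical stand-in for a library password-auth call that measures its
 * argument with strlen(), as the Valgrind trace shows; not the libssh API. */
static int fake_userauth_password(const char *password)
{
    return strlen(password) > 0 ? 0 : -1;
}

/* Split the userinfo of "scheme://user[:password]@host..." into user and
 * password buffers. Returns 1 if a password is present, 0 if absent,
 * -1 on malformed input or overflow. */
static int split_userinfo(const char *url, char *user, char *pass, size_t cap)
{
    const char *p = strstr(url, "://");
    if (!p) return -1;
    p += 3;
    size_t auth_len = strcspn(p, "/");          /* authority ends at first '/' */
    const char *at = memchr(p, '@', auth_len);
    user[0] = pass[0] = '\0';
    if (!at) return 0;                           /* no userinfo at all */
    const char *colon = memchr(p, ':', (size_t)(at - p));
    size_t ulen = colon ? (size_t)(colon - p) : (size_t)(at - p);
    size_t plen = colon ? (size_t)(at - colon - 1) : 0;
    if (ulen >= cap || plen >= cap) return -1;
    memcpy(user, p, ulen); user[ulen] = '\0';
    memcpy(pass, colon ? colon + 1 : p, plen); pass[plen] = '\0';
    return colon != NULL;
}

/* Guarded authentication step: when the URL carries no password, fail with
 * EACCES instead of handing a NULL pointer to the password-auth call. */
static int authenticate_from_url(const char *url)
{
    char user[64], pass[64];
    int has_pass = split_userinfo(url, user, pass, sizeof(user));
    if (has_pass < 0) return -EINVAL;
    const char *password = has_pass ? pass : NULL;   /* absent stays NULL */
    if (!password) return -EACCES;                   /* the missing check */
    return fake_userauth_password(password) == 0 ? 0 : -EACCES;
}
```

With the URL from the report the function returns -EACCES, which a caller can turn into an error message on stderr rather than a crash.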