[FFmpeg-trac] #10825(undetermined:new): heap-use-after-free in hls_read_header
FFmpeg
trac at avcodec.org
Fri Jan 26 05:35:44 EET 2024
#10825: heap-use-after-free in hls_read_header
-------------------------------------+-------------------------------------
Reporter: kasper93 | Owner: (none)
Type: defect | Status: new
Priority: normal | Component:
| undetermined
Version: unspecified | Resolution:
Keywords: | Blocked By:
Blocking: | Reproduced by developer: 0
Analyzed by developer: 0 |
-------------------------------------+-------------------------------------
Description changed by kasper93:
Old description:
> Summary of the bug:
>
> Look at the ASAN report. I trimmed unrelated frames, it is all in lavf.
>
> The issues seems to be pretty straightforward
> 1. current segment is assigned `seg = current_segment(pls);`
> 2. av_probe_input_buffer frees all previous segments
> `free_segment_dynarray(prev_segments, prev_n_segments);`
> 3. freed `seg` is referenced
> 4. poof
>
> {{{
> =================================================================
> ==527548==ERROR: AddressSanitizer: heap-use-after-free on address
> 0x119a589d7768 at pc 0x7ffae8ee704f bp 0x005983cff1e0 sp 0x005983cff228
> READ of size 4 at 0x119a589d7768 thread T19
> #0 0x7ffae8ee704e in hls_read_header
> F:\dev\ffmpeg\libavformat\hls.c:2127
> #1 0x7ffae8d66d4b in avformat_open_input
> F:\dev\ffmpeg\libavformat\demux.c:316
>
> 0x119a589d7768 is located 104 bytes inside of 143-byte region
> [0x119a589d7700,0x119a589d778f)
> freed by thread T19 here:
> #0 0x7ffae5813f31 in free (C:\MSYS\clang64\bin\libclang_rt
> .asan_dynamic-x86_64.dll+0x180043f31)
> #1 0x7ffb20af32d5 (C:\WINDOWS\System32\ucrtbase.dll+0x1800132d5)
> #2 0x7ffae8f04d74 in free_segment_dynarray
> F:\dev\ffmpeg\libavformat\hls.c:240
> #3 0x7ffae8ef11d1 in parse_playlist
> F:\dev\ffmpeg\libavformat\hls.c:1031
> #4 0x7ffae8ef9802 in read_data F:\dev\ffmpeg\libavformat\hls.c:1512
> #5 0x7ffae8ca7bea in fill_buffer
> F:\dev\ffmpeg\libavformat\aviobuf.c:595
> #6 0x7ffae8cab237 in avio_read
> F:\dev\ffmpeg\libavformat\aviobuf.c:690
> #7 0x7ffae8e74ef4 in av_probe_input_buffer2
> F:\dev\ffmpeg\libavformat\format.c:292
> #8 0x7ffae8e75852 in av_probe_input_buffer
> F:\dev\ffmpeg\libavformat\format.c:347
> #9 0x7ffae8ee23bf in hls_read_header
> F:\dev\ffmpeg\libavformat\hls.c:2112
> #10 0x7ffae8d66d4b in avformat_open_input
> F:\dev\ffmpeg\libavformat\demux.c:316
>
> previously allocated by thread T19 here:
> #0 0x7ffae5814051 in malloc (C:\MSYS\clang64\bin\libclang_rt
> .asan_dynamic-x86_64.dll+0x180044051)
> #1 0x7ffb20af1a18 (C:\WINDOWS\System32\ucrtbase.dll+0x180011a18)
> #2 0x7ffa70facfee in av_malloc F:\dev\ffmpeg\libavutil\mem.c:108
> #3 0x7ffae8ef2597 in parse_playlist
> F:\dev\ffmpeg\libavformat\hls.c:945
> #4 0x7ffae8ee04a7 in hls_read_header
> F:\dev\ffmpeg\libavformat\hls.c:1963
> #5 0x7ffae8d66d4b in avformat_open_input
> F:\dev\ffmpeg\libavformat\demux.c:316
>
> Thread T19 created by T0 here:
> #0 0x7ffae58235b6 in CreateThread (C:\MSYS\clang64\bin\libclang_rt
> .asan_dynamic-x86_64.dll+0x1800535b6)
>
> SUMMARY: AddressSanitizer: heap-use-after-free
> F:\dev\ffmpeg\libavformat\hls.c:2127 in hls_read_header
> Shadow bytes around the buggy address:
> 0x119a589d7480: fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa
> 0x119a589d7500: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> 0x119a589d7580: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> 0x119a589d7600: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> 0x119a589d7680: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> =>0x119a589d7700: fd fd fd fd fd fd fd fd fd fd fd fd fd[fd]fd fd
> 0x119a589d7780: fd fd fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> 0x119a589d7800: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> 0x119a589d7880: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> 0x119a589d7900: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> 0x119a589d7980: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> Shadow byte legend (one shadow byte represents 8 application bytes):
> Addressable: 00
> Partially addressable: 01 02 03 04 05 06 07
> Heap left redzone: fa
> Freed heap region: fd
> Stack left redzone: f1
> Stack mid redzone: f2
> Stack right redzone: f3
> Stack after return: f5
> Stack use after scope: f8
> Global redzone: f9
> Global init order: f6
> Poisoned by user: f7
> Container overflow: fc
> Array cookie: ac
> Intra object redzone: bb
> ASan internal: fe
> Left alloca redzone: ca
> Right alloca redzone: cb
> ==527548==ABORTING
> }}}
>
> How to reproduce:
> I could reproduce with some random live stream, but I think ASAN report
> tells it all, no? I haven't dig further than that. Let me know if
> something is unclear.
>
> Thanks.
New description:
Summary of the bug:
Look at the ASAN report (from ac06190a5). I trimmed unrelated frames, it
is all in lavf.
The issues seems to be pretty straightforward
1. current segment is assigned `seg = current_segment(pls);`
2. av_probe_input_buffer frees all previous segments
`free_segment_dynarray(prev_segments, prev_n_segments);`
3. freed `seg` is referenced
4. poof
{{{
=================================================================
==527548==ERROR: AddressSanitizer: heap-use-after-free on address
0x119a589d7768 at pc 0x7ffae8ee704f bp 0x005983cff1e0 sp 0x005983cff228
READ of size 4 at 0x119a589d7768 thread T19
#0 0x7ffae8ee704e in hls_read_header
F:\dev\ffmpeg\libavformat\hls.c:2127
#1 0x7ffae8d66d4b in avformat_open_input
F:\dev\ffmpeg\libavformat\demux.c:316
0x119a589d7768 is located 104 bytes inside of 143-byte region
[0x119a589d7700,0x119a589d778f)
freed by thread T19 here:
#0 0x7ffae5813f31 in free (C:\MSYS\clang64\bin\libclang_rt
.asan_dynamic-x86_64.dll+0x180043f31)
#1 0x7ffb20af32d5 (C:\WINDOWS\System32\ucrtbase.dll+0x1800132d5)
#2 0x7ffae8f04d74 in free_segment_dynarray
F:\dev\ffmpeg\libavformat\hls.c:240
#3 0x7ffae8ef11d1 in parse_playlist
F:\dev\ffmpeg\libavformat\hls.c:1031
#4 0x7ffae8ef9802 in read_data F:\dev\ffmpeg\libavformat\hls.c:1512
#5 0x7ffae8ca7bea in fill_buffer
F:\dev\ffmpeg\libavformat\aviobuf.c:595
#6 0x7ffae8cab237 in avio_read F:\dev\ffmpeg\libavformat\aviobuf.c:690
#7 0x7ffae8e74ef4 in av_probe_input_buffer2
F:\dev\ffmpeg\libavformat\format.c:292
#8 0x7ffae8e75852 in av_probe_input_buffer
F:\dev\ffmpeg\libavformat\format.c:347
#9 0x7ffae8ee23bf in hls_read_header
F:\dev\ffmpeg\libavformat\hls.c:2112
#10 0x7ffae8d66d4b in avformat_open_input
F:\dev\ffmpeg\libavformat\demux.c:316
previously allocated by thread T19 here:
#0 0x7ffae5814051 in malloc (C:\MSYS\clang64\bin\libclang_rt
.asan_dynamic-x86_64.dll+0x180044051)
#1 0x7ffb20af1a18 (C:\WINDOWS\System32\ucrtbase.dll+0x180011a18)
#2 0x7ffa70facfee in av_malloc F:\dev\ffmpeg\libavutil\mem.c:108
#3 0x7ffae8ef2597 in parse_playlist
F:\dev\ffmpeg\libavformat\hls.c:945
#4 0x7ffae8ee04a7 in hls_read_header
F:\dev\ffmpeg\libavformat\hls.c:1963
#5 0x7ffae8d66d4b in avformat_open_input
F:\dev\ffmpeg\libavformat\demux.c:316
Thread T19 created by T0 here:
#0 0x7ffae58235b6 in CreateThread (C:\MSYS\clang64\bin\libclang_rt
.asan_dynamic-x86_64.dll+0x1800535b6)
SUMMARY: AddressSanitizer: heap-use-after-free
F:\dev\ffmpeg\libavformat\hls.c:2127 in hls_read_header
Shadow bytes around the buggy address:
0x119a589d7480: fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa
0x119a589d7500: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x119a589d7580: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x119a589d7600: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x119a589d7680: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x119a589d7700: fd fd fd fd fd fd fd fd fd fd fd fd fd[fd]fd fd
0x119a589d7780: fd fd fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x119a589d7800: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x119a589d7880: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x119a589d7900: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x119a589d7980: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==527548==ABORTING
}}}
How to reproduce:
I could reproduce with some random live stream, but I think ASAN report
tells it all, no? I haven't dig further than that. Let me know if
something is unclear.
Thanks.
--
--
Ticket URL: <https://trac.ffmpeg.org/ticket/10825#comment:1>
FFmpeg <https://ffmpeg.org>
FFmpeg issue tracker
More information about the FFmpeg-trac
mailing list