[FFmpeg-trac] #10825(undetermined:new): heap-use-after-free in hls_read_header

FFmpeg trac at avcodec.org
Fri Jan 26 05:35:44 EET 2024 

#10825: heap-use-after-free in hls_read_header
-------------------------------------+-------------------------------------
             Reporter:  kasper93     |                    Owner:  (none)
                 Type:  defect       |                   Status:  new
             Priority:  normal       |                Component:
                                     |  undetermined
              Version:  unspecified  |               Resolution:
             Keywords:               |               Blocked By:
             Blocking:               |  Reproduced by developer:  0
Analyzed by developer:  0            |
-------------------------------------+-------------------------------------
Description changed by kasper93:

Old description:

> Summary of the bug:
>
> Look at the ASAN report. I trimmed unrelated frames, it is all in lavf.
>
> The issues seems to be pretty straightforward
> 1. current segment is assigned `seg = current_segment(pls);`
> 2. av_probe_input_buffer frees all previous segments
> `free_segment_dynarray(prev_segments, prev_n_segments);`
> 3. freed `seg` is referenced
> 4. poof
>
> {{{
> =================================================================
> ==527548==ERROR: AddressSanitizer: heap-use-after-free on address
> 0x119a589d7768 at pc 0x7ffae8ee704f bp 0x005983cff1e0 sp 0x005983cff228
> READ of size 4 at 0x119a589d7768 thread T19
>     #0 0x7ffae8ee704e in hls_read_header
> F:\dev\ffmpeg\libavformat\hls.c:2127
>     #1 0x7ffae8d66d4b in avformat_open_input
> F:\dev\ffmpeg\libavformat\demux.c:316
>
> 0x119a589d7768 is located 104 bytes inside of 143-byte region
> [0x119a589d7700,0x119a589d778f)
> freed by thread T19 here:
>     #0 0x7ffae5813f31 in free (C:\MSYS\clang64\bin\libclang_rt
> .asan_dynamic-x86_64.dll+0x180043f31)
>     #1 0x7ffb20af32d5  (C:\WINDOWS\System32\ucrtbase.dll+0x1800132d5)
>     #2 0x7ffae8f04d74 in free_segment_dynarray
> F:\dev\ffmpeg\libavformat\hls.c:240
>     #3 0x7ffae8ef11d1 in parse_playlist
> F:\dev\ffmpeg\libavformat\hls.c:1031
>     #4 0x7ffae8ef9802 in read_data F:\dev\ffmpeg\libavformat\hls.c:1512
>     #5 0x7ffae8ca7bea in fill_buffer
> F:\dev\ffmpeg\libavformat\aviobuf.c:595
>     #6 0x7ffae8cab237 in avio_read
> F:\dev\ffmpeg\libavformat\aviobuf.c:690
>     #7 0x7ffae8e74ef4 in av_probe_input_buffer2
> F:\dev\ffmpeg\libavformat\format.c:292
>     #8 0x7ffae8e75852 in av_probe_input_buffer
> F:\dev\ffmpeg\libavformat\format.c:347
>     #9 0x7ffae8ee23bf in hls_read_header
> F:\dev\ffmpeg\libavformat\hls.c:2112
>     #10 0x7ffae8d66d4b in avformat_open_input
> F:\dev\ffmpeg\libavformat\demux.c:316
>
> previously allocated by thread T19 here:
>     #0 0x7ffae5814051 in malloc (C:\MSYS\clang64\bin\libclang_rt
> .asan_dynamic-x86_64.dll+0x180044051)
>     #1 0x7ffb20af1a18  (C:\WINDOWS\System32\ucrtbase.dll+0x180011a18)
>     #2 0x7ffa70facfee in av_malloc F:\dev\ffmpeg\libavutil\mem.c:108
>     #3 0x7ffae8ef2597 in parse_playlist
> F:\dev\ffmpeg\libavformat\hls.c:945
>     #4 0x7ffae8ee04a7 in hls_read_header
> F:\dev\ffmpeg\libavformat\hls.c:1963
>     #5 0x7ffae8d66d4b in avformat_open_input
> F:\dev\ffmpeg\libavformat\demux.c:316
>
> Thread T19 created by T0 here:
>     #0 0x7ffae58235b6 in CreateThread (C:\MSYS\clang64\bin\libclang_rt
> .asan_dynamic-x86_64.dll+0x1800535b6)
>
> SUMMARY: AddressSanitizer: heap-use-after-free
> F:\dev\ffmpeg\libavformat\hls.c:2127 in hls_read_header
> Shadow bytes around the buggy address:
>   0x119a589d7480: fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa
>   0x119a589d7500: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>   0x119a589d7580: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>   0x119a589d7600: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>   0x119a589d7680: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> =>0x119a589d7700: fd fd fd fd fd fd fd fd fd fd fd fd fd[fd]fd fd
>   0x119a589d7780: fd fd fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>   0x119a589d7800: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>   0x119a589d7880: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>   0x119a589d7900: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>   0x119a589d7980: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> Shadow byte legend (one shadow byte represents 8 application bytes):
>   Addressable:           00
>   Partially addressable: 01 02 03 04 05 06 07
>   Heap left redzone:       fa
>   Freed heap region:       fd
>   Stack left redzone:      f1
>   Stack mid redzone:       f2
>   Stack right redzone:     f3
>   Stack after return:      f5
>   Stack use after scope:   f8
>   Global redzone:          f9
>   Global init order:       f6
>   Poisoned by user:        f7
>   Container overflow:      fc
>   Array cookie:            ac
>   Intra object redzone:    bb
>   ASan internal:           fe
>   Left alloca redzone:     ca
>   Right alloca redzone:    cb
> ==527548==ABORTING
> }}}
>
> How to reproduce:
> I could reproduce with some random live stream, but I think ASAN report
> tells it all, no? I haven't dig further than that. Let me know if
> something is unclear.
>
> Thanks.

New description:

 Summary of the bug:

 Look at the ASAN report (from ac06190a5). I trimmed unrelated frames, it
 is all in lavf.

 The issues seems to be pretty straightforward
 1. current segment is assigned `seg = current_segment(pls);`
 2. av_probe_input_buffer frees all previous segments
 `free_segment_dynarray(prev_segments, prev_n_segments);`
 3. freed `seg` is referenced
 4. poof

 {{{
 =================================================================
 ==527548==ERROR: AddressSanitizer: heap-use-after-free on address
 0x119a589d7768 at pc 0x7ffae8ee704f bp 0x005983cff1e0 sp 0x005983cff228
 READ of size 4 at 0x119a589d7768 thread T19
     #0 0x7ffae8ee704e in hls_read_header
 F:\dev\ffmpeg\libavformat\hls.c:2127
     #1 0x7ffae8d66d4b in avformat_open_input
 F:\dev\ffmpeg\libavformat\demux.c:316

 0x119a589d7768 is located 104 bytes inside of 143-byte region
 [0x119a589d7700,0x119a589d778f)
 freed by thread T19 here:
     #0 0x7ffae5813f31 in free (C:\MSYS\clang64\bin\libclang_rt
 .asan_dynamic-x86_64.dll+0x180043f31)
     #1 0x7ffb20af32d5  (C:\WINDOWS\System32\ucrtbase.dll+0x1800132d5)
     #2 0x7ffae8f04d74 in free_segment_dynarray
 F:\dev\ffmpeg\libavformat\hls.c:240
     #3 0x7ffae8ef11d1 in parse_playlist
 F:\dev\ffmpeg\libavformat\hls.c:1031
     #4 0x7ffae8ef9802 in read_data F:\dev\ffmpeg\libavformat\hls.c:1512
     #5 0x7ffae8ca7bea in fill_buffer
 F:\dev\ffmpeg\libavformat\aviobuf.c:595
     #6 0x7ffae8cab237 in avio_read F:\dev\ffmpeg\libavformat\aviobuf.c:690
     #7 0x7ffae8e74ef4 in av_probe_input_buffer2
 F:\dev\ffmpeg\libavformat\format.c:292
     #8 0x7ffae8e75852 in av_probe_input_buffer
 F:\dev\ffmpeg\libavformat\format.c:347
     #9 0x7ffae8ee23bf in hls_read_header
 F:\dev\ffmpeg\libavformat\hls.c:2112
     #10 0x7ffae8d66d4b in avformat_open_input
 F:\dev\ffmpeg\libavformat\demux.c:316

 previously allocated by thread T19 here:
     #0 0x7ffae5814051 in malloc (C:\MSYS\clang64\bin\libclang_rt
 .asan_dynamic-x86_64.dll+0x180044051)
     #1 0x7ffb20af1a18  (C:\WINDOWS\System32\ucrtbase.dll+0x180011a18)
     #2 0x7ffa70facfee in av_malloc F:\dev\ffmpeg\libavutil\mem.c:108
     #3 0x7ffae8ef2597 in parse_playlist
 F:\dev\ffmpeg\libavformat\hls.c:945
     #4 0x7ffae8ee04a7 in hls_read_header
 F:\dev\ffmpeg\libavformat\hls.c:1963
     #5 0x7ffae8d66d4b in avformat_open_input
 F:\dev\ffmpeg\libavformat\demux.c:316

 Thread T19 created by T0 here:
     #0 0x7ffae58235b6 in CreateThread (C:\MSYS\clang64\bin\libclang_rt
 .asan_dynamic-x86_64.dll+0x1800535b6)

 SUMMARY: AddressSanitizer: heap-use-after-free
 F:\dev\ffmpeg\libavformat\hls.c:2127 in hls_read_header
 Shadow bytes around the buggy address:
   0x119a589d7480: fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa
   0x119a589d7500: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
   0x119a589d7580: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
   0x119a589d7600: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
   0x119a589d7680: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
 =>0x119a589d7700: fd fd fd fd fd fd fd fd fd fd fd fd fd[fd]fd fd
   0x119a589d7780: fd fd fa fa fa fa fa fa fa fa fa fa fa fa fa fa
   0x119a589d7800: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
   0x119a589d7880: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
   0x119a589d7900: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
   0x119a589d7980: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
 Shadow byte legend (one shadow byte represents 8 application bytes):
   Addressable:           00
   Partially addressable: 01 02 03 04 05 06 07
   Heap left redzone:       fa
   Freed heap region:       fd
   Stack left redzone:      f1
   Stack mid redzone:       f2
   Stack right redzone:     f3
   Stack after return:      f5
   Stack use after scope:   f8
   Global redzone:          f9
   Global init order:       f6
   Poisoned by user:        f7
   Container overflow:      fc
   Array cookie:            ac
   Intra object redzone:    bb
   ASan internal:           fe
   Left alloca redzone:     ca
   Right alloca redzone:    cb
 ==527548==ABORTING
 }}}

 How to reproduce:
 I could reproduce with some random live stream, but I think ASAN report
 tells it all, no? I haven't dig further than that. Let me know if
 something is unclear.

 Thanks.

--
-- 
Ticket URL: <https://trac.ffmpeg.org/ticket/10825#comment:1>
FFmpeg <https://ffmpeg.org>
FFmpeg issue tracker

More information about the FFmpeg-trac mailing list