Opened 10 months ago

Closed 6 months ago

#10825 closed defect (fixed)

heap-use-after-free in hls_read_header

Reported by: kasper93
Owned by:
Priority: normal
Component: undetermined
Version: unspecified
Keywords:
Cc:
Blocked By:
Blocking:
Reproduced by developer: yes
Analyzed by developer: no

Description (last modified by kasper93)

Summary of the bug:

Look at the ASAN report (from ac06190a5). I trimmed unrelated frames, it is all in lavf.

The issue seems to be pretty straightforward:

  1. current segment is assigned: seg = current_segment(pls);
  2. av_probe_input_buffer frees all previous segments: free_segment_dynarray(prev_segments, prev_n_segments);
  3. freed seg is referenced
  4. poof

=================================================================
==527548==ERROR: AddressSanitizer: heap-use-after-free on address 0x119a589d7768 at pc 0x7ffae8ee704f bp 0x005983cff1e0 sp 0x005983cff228
READ of size 4 at 0x119a589d7768 thread T19
    #0 0x7ffae8ee704e in hls_read_header F:\dev\ffmpeg\libavformat\hls.c:2127
    #1 0x7ffae8d66d4b in avformat_open_input F:\dev\ffmpeg\libavformat\demux.c:316

0x119a589d7768 is located 104 bytes inside of 143-byte region [0x119a589d7700,0x119a589d778f)
freed by thread T19 here:
    #0 0x7ffae5813f31 in free (C:\MSYS\clang64\bin\libclang_rt.asan_dynamic-x86_64.dll+0x180043f31)
    #1 0x7ffb20af32d5  (C:\WINDOWS\System32\ucrtbase.dll+0x1800132d5)
    #2 0x7ffae8f04d74 in free_segment_dynarray F:\dev\ffmpeg\libavformat\hls.c:240
    #3 0x7ffae8ef11d1 in parse_playlist F:\dev\ffmpeg\libavformat\hls.c:1031
    #4 0x7ffae8ef9802 in read_data F:\dev\ffmpeg\libavformat\hls.c:1512
    #5 0x7ffae8ca7bea in fill_buffer F:\dev\ffmpeg\libavformat\aviobuf.c:595
    #6 0x7ffae8cab237 in avio_read F:\dev\ffmpeg\libavformat\aviobuf.c:690
    #7 0x7ffae8e74ef4 in av_probe_input_buffer2 F:\dev\ffmpeg\libavformat\format.c:292
    #8 0x7ffae8e75852 in av_probe_input_buffer F:\dev\ffmpeg\libavformat\format.c:347
    #9 0x7ffae8ee23bf in hls_read_header F:\dev\ffmpeg\libavformat\hls.c:2112
    #10 0x7ffae8d66d4b in avformat_open_input F:\dev\ffmpeg\libavformat\demux.c:316

previously allocated by thread T19 here:
    #0 0x7ffae5814051 in malloc (C:\MSYS\clang64\bin\libclang_rt.asan_dynamic-x86_64.dll+0x180044051)
    #1 0x7ffb20af1a18  (C:\WINDOWS\System32\ucrtbase.dll+0x180011a18)
    #2 0x7ffa70facfee in av_malloc F:\dev\ffmpeg\libavutil\mem.c:108
    #3 0x7ffae8ef2597 in parse_playlist F:\dev\ffmpeg\libavformat\hls.c:945
    #4 0x7ffae8ee04a7 in hls_read_header F:\dev\ffmpeg\libavformat\hls.c:1963
    #5 0x7ffae8d66d4b in avformat_open_input F:\dev\ffmpeg\libavformat\demux.c:316

Thread T19 created by T0 here:
    #0 0x7ffae58235b6 in CreateThread (C:\MSYS\clang64\bin\libclang_rt.asan_dynamic-x86_64.dll+0x1800535b6)

SUMMARY: AddressSanitizer: heap-use-after-free F:\dev\ffmpeg\libavformat\hls.c:2127 in hls_read_header
Shadow bytes around the buggy address:
  0x119a589d7480: fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa
  0x119a589d7500: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x119a589d7580: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x119a589d7600: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x119a589d7680: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x119a589d7700: fd fd fd fd fd fd fd fd fd fd fd fd fd[fd]fd fd
  0x119a589d7780: fd fd fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x119a589d7800: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x119a589d7880: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x119a589d7900: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x119a589d7980: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==527548==ABORTING

How to reproduce:
I could reproduce with some random twitch live stream, but I think the ASAN report tells it all, no? I haven't dug further than that. Let me know if something is unclear.

Thanks.
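An added illustrative C model of the ordering bug in the description, written for this ticket and not taken from FFmpeg or from the committed fix: the names current_segment, parse_playlist and free_segment_dynarray mirror the report, but their bodies are assumptions. It shows why a segment pointer taken before a call that can reparse the playlist dangles afterwards, and the safe ordering that takes the pointer only once such a call has returned.

```c
#include <stdlib.h>

/* Constructed model, not FFmpeg code: a playlist owns a dynamic array of
 * segments; reparsing (which the probe step can trigger) frees the old one. */
struct segment  { int seq; };
struct playlist {
    struct segment **segments;
    int n_segments;
    int cur_seq_no;       /* index of the current segment */
    int reparse_count;    /* generation counter: bumps on every reparse */
};

static void free_segment_dynarray(struct segment **segs, int n) {
    for (int i = 0; i < n; i++) free(segs[i]);
    free(segs);
}

static struct segment *current_segment(struct playlist *pls) {
    return pls->segments[pls->cur_seq_no];
}

/* Builds a fresh segment list, then frees the previous one: every pointer
 * obtained from current_segment() before this call is now dangling. */
static void parse_playlist(struct playlist *pls, int n) {
    struct segment **prev = pls->segments;
    int prev_n = pls->n_segments;
    pls->segments = calloc(n, sizeof(*pls->segments));
    for (int i = 0; i < n; i++) {
        pls->segments[i] = malloc(sizeof(struct segment));
        pls->segments[i]->seq = 100 * (pls->reparse_count + 1) + i;
    }
    pls->n_segments = n;
    free_segment_dynarray(prev, prev_n);
    pls->reparse_count++;
}

/* Stand-in for av_probe_input_buffer(): pulling data refreshes the playlist. */
static void probe_input(struct playlist *pls) { parse_playlist(pls, pls->n_segments); }

/* Safe ordering: fetch the segment only after the call that may reparse.
 * Taking 'seg' before probe_input() is the use-after-free from the ticket. */
static int read_header_fixed(struct playlist *pls) {
    probe_input(pls);
    struct segment *seg = current_segment(pls);
    return seg->seq;
}

/* Runs the scenario: three segments, current index 1, one probe-triggered reparse. */
int demo_read_header(void) {
    struct playlist pls = {0};
    pls.cur_seq_no = 1;
    parse_playlist(&pls, 3);                    /* seqs 100..102, generation 1 */
    int seq = read_header_fixed(&pls);          /* reparse -> seqs 200..202 */
    free_segment_dynarray(pls.segments, pls.n_segments);
    return seq;
}
```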

Change History (4)

comment:1 by kasper93, 10 months ago

Description: modified (diff)

comment:2 by kasper93, 10 months ago

Description: modified (diff)

comment:4 by jdek, 6 months ago

Reproduced by developer: set
Resolution: fixed
Status: new → closed

Fixed in b2b23f353aa1d4f88bcf00646bf952f0f7f8b033, thanks for the patch.
