Opened 6 months ago

Closed 5 months ago

#6413 closed defect (fixed)

libssh sftp demuxer crashes (SIGSEGV) if the server asks for a password (with no pubkey auth)

Reported by: thebombzen
Owned by:
Priority: normal
Component: avformat
Version: git-master
Keywords: avformat, libssh, sftp, crash
Cc:
Blocked By:
Blocking:
Reproduced by developer: no
Analyzed by developer: no

Description

Summary of the bug:
The SFTP demuxer in libavformat, provided by the external library libssh, will crash via segmentation fault if the SSH server doesn't have a public key set up and asks for a password. It works as expected if the user has public-key SSH set up.

What should happen:
Either ffmpeg should ask the user for the password, or exit gracefully with failure (and probably an error message on stderr as well). It should not segfault.

In order to reproduce this, try adding a new user and then connecting to localhost over SSH. Here is my log of this phenomenon:

leo@gauss ~/Programs/ffmpeg-basic :) $ ./ffmpeg -v 9 -loglevel 99 -i "sftp://public@127.0.0.1:2304/OP_Episodes/One_Piece_789.mkv"
ffmpeg version N-86209-gc3547dcbc3 Copyright (c) 2000-2017 the FFmpeg developers
  built with gcc 6.3.1 (GCC) 20170306
  configuration: --enable-libssh
  libavutil      55. 63.100 / 55. 63.100
  libavcodec     57. 96.101 / 57. 96.101
  libavformat    57. 72.101 / 57. 72.101
  libavdevice    57.  7.100 / 57.  7.100
  libavfilter     6. 90.100 /  6. 90.100
  libswscale      4.  7.101 /  4.  7.101
  libswresample   2.  8.100 /  2.  8.100
Splitting the commandline.
Reading option '-v' ... matched as option 'v' (set logging level) with argument '9'.
Reading option '-loglevel' ... matched as option 'loglevel' (set logging level) with argument '99'.
Reading option '-i' ... matched as input url with argument 'sftp://public@127.0.0.1:2304/OP_Episodes/One_Piece_789.mkv'.
Finished splitting the commandline.
Parsing a group of options: global .
Applying option v (set logging level) with argument 9.
Successfully parsed a group of options.
Parsing a group of options: input url sftp://public@127.0.0.1:2304/OP_Episodes/One_Piece_789.mkv.
Successfully parsed a group of options.
Opening an input file: sftp://public@127.0.0.1:2304/OP_Episodes/One_Piece_789.mkv.
[sftp @ 0x564e48fbbcc0] No default whitelist set
[libssh @ 0x564e48fbbe40] Authentication successful with auto selected key.
Probing matroska,webm score:100 size:2048
[matroska,webm @ 0x564e48fbb360] Format matroska,webm probed with size=2048 and score=100
st:0 removing common factor 1000000 from timebase
st:1 removing common factor 1000000 from timebase
st:2 removing common factor 1000000 from timebase
[matroska,webm @ 0x564e48fbb360] Before avformat_find_stream_info() pos: 228024 bytes read:261930 seeks:2 nb_streams:4
[h264 @ 0x564e48fc4560] nal_unit_type: 7, nal_ref_idc: 3
[h264 @ 0x564e48fc4560] nal_unit_type: 8, nal_ref_idc: 3
[h264 @ 0x564e48fc4560] nal_unit_type: 7, nal_ref_idc: 3
[h264 @ 0x564e48fc4560] nal_unit_type: 8, nal_ref_idc: 3
[h264 @ 0x564e48fc4560] user data:"x264 - core 120 r2120 0c7dab9 - H.264/MPEG-4 AVC codec - Copyleft 2003-2011 - http://www.videolan.org/x264.html - options: cabac=1 ref=6 deblock=1:1:1 analyse=0x3:0x113 me=umh subme=8 psy=1 psy_rd=0.40:0.00 mixed_ref=1 me_range=16 chroma_me=1 trellis=1 8x8dct=1 cqm=0 deadzone=21,11 fast_pskip=1 chroma_qp_offset=-2 threads=4 sliced_threads=0 nr=0 decimate=1 interlaced=0 bluray_compat=0 constrained_intra=0 bframes=3 b_pyramid=2 b_adapt=2 b_bias=0 direct=3 weightb=1 open_gop=0 weightp=2 keyint=250 keyint_min=23 scenecut=40 intra_refresh=0 rc_lookahead=50 rc=2pass mbtree=1 bitrate=1776 ratetol=1.0 qcomp=0.60 qpmin=0 qpmax=69 qpstep=4 cplxblur=20.0 qblur=0.5 vbv_maxrate=3552 vbv_bufsize=8880 nal_hrd=none ip_ratio=1.40 aq=1:0.60"
[h264 @ 0x564e48fc4560] nal_unit_type: 7, nal_ref_idc: 3
[h264 @ 0x564e48fc4560] nal_unit_type: 8, nal_ref_idc: 3
[h264 @ 0x564e48fc4560] nal_unit_type: 6, nal_ref_idc: 0
[h264 @ 0x564e48fc4560] nal_unit_type: 5, nal_ref_idc: 3
[h264 @ 0x564e48fc4560] user data:"x264 - core 120 r2120 0c7dab9 - H.264/MPEG-4 AVC codec - Copyleft 2003-2011 - http://www.videolan.org/x264.html - options: cabac=1 ref=6 deblock=1:1:1 analyse=0x3:0x113 me=umh subme=8 psy=1 psy_rd=0.40:0.00 mixed_ref=1 me_range=16 chroma_me=1 trellis=1 8x8dct=1 cqm=0 deadzone=21,11 fast_pskip=1 chroma_qp_offset=-2 threads=4 sliced_threads=0 nr=0 decimate=1 interlaced=0 bluray_compat=0 constrained_intra=0 bframes=3 b_pyramid=2 b_adapt=2 b_bias=0 direct=3 weightb=1 open_gop=0 weightp=2 keyint=250 keyint_min=23 scenecut=40 intra_refresh=0 rc_lookahead=50 rc=2pass mbtree=1 bitrate=1776 ratetol=1.0 qcomp=0.60 qpmin=0 qpmax=69 qpstep=4 cplxblur=20.0 qblur=0.5 vbv_maxrate=3552 vbv_bufsize=8880 nal_hrd=none ip_ratio=1.40 aq=1:0.60"
[h264 @ 0x564e48fc4560] Reinit context to 1280x720, pix_fmt: yuv420p
[h264 @ 0x564e48fc4560] no picture 
[matroska,webm @ 0x564e48fbb360] All info found
[matroska,webm @ 0x564e48fbb360] stream 0: start_time: 0.000 duration: -9223372036854776.000
[matroska,webm @ 0x564e48fbb360] stream 1: start_time: 0.000 duration: -9223372036854776.000
[matroska,webm @ 0x564e48fbb360] stream 2: start_time: 0.000 duration: 1435.318
[matroska,webm @ 0x564e48fbb360] stream 3: start_time: 0.000 duration: 1435.318
[matroska,webm @ 0x564e48fbb360] format: start_time: 0.000 duration: 1435.318 bitrate=1905 kb/s
[matroska,webm @ 0x564e48fbb360] After avformat_find_stream_info() pos: 1754501 bytes read:1803854 seeks:2 frames:12
Input #0, matroska,webm, from 'sftp://public@127.0.0.1:2304/OP_Episodes/One_Piece_789.mkv':
  Metadata:
    encoder         : no_variable_data
    creation_time   : 1970-01-01T00:00:00.000000Z
  Duration: 00:23:55.32, start: 0.000000, bitrate: 1905 kb/s
    Stream #0:0, 4, 1/1000: Video: h264 (High), 1 reference frame, yuv420p(progressive, left), 1280x720 [SAR 1:1 DAR 16:9], 0/1, 23.81 fps, 23.81 tbr, 1k tbn, 47.95 tbc (default)
    Metadata:
      BPS             : 1773921
      BPS-eng         : 1773921
      DURATION        : 00:23:55.143000000
      DURATION-eng    : 00:23:55.143000000
      NUMBER_OF_FRAMES: 34410
      NUMBER_OF_FRAMES-eng: 34410
      NUMBER_OF_BYTES : 318228822
      NUMBER_OF_BYTES-eng: 318228822
      _STATISTICS_WRITING_APP: no_variable_data
      _STATISTICS_WRITING_APP-eng: no_variable_data
      _STATISTICS_WRITING_DATE_UTC: 1970-01-01 00:00:00
      _STATISTICS_WRITING_DATE_UTC-eng: 1970-01-01 00:00:00
      _STATISTICS_TAGS: BPS DURATION NUMBER_OF_FRAMES NUMBER_OF_BYTES
      _STATISTICS_TAGS-eng: BPS DURATION NUMBER_OF_FRAMES NUMBER_OF_BYTES
    Stream #0:1(jpn), 8, 1/1000: Audio: aac (LC), 44100 Hz, stereo, fltp (default)
    Metadata:
      BPS             : 128000
      BPS-eng         : 128000
      DURATION        : 00:23:55.318000000
      DURATION-eng    : 00:23:55.318000000
      NUMBER_OF_FRAMES: 61814
      NUMBER_OF_FRAMES-eng: 61814
      NUMBER_OF_BYTES : 22965092
      NUMBER_OF_BYTES-eng: 22965092
      _STATISTICS_WRITING_APP: no_variable_data
      _STATISTICS_WRITING_APP-eng: no_variable_data
      _STATISTICS_WRITING_DATE_UTC: 1970-01-01 00:00:00
      _STATISTICS_WRITING_DATE_UTC-eng: 1970-01-01 00:00:00
      _STATISTICS_TAGS: BPS DURATION NUMBER_OF_FRAMES NUMBER_OF_BYTES
      _STATISTICS_TAGS-eng: BPS DURATION NUMBER_OF_FRAMES NUMBER_OF_BYTES
    Stream #0:2(eng), 0, 1/1000: Subtitle: ass (default)
    Metadata:
      BPS             : 112
      BPS-eng         : 112
      DURATION        : 00:23:36.670000000
      DURATION-eng    : 00:23:36.670000000
      NUMBER_OF_FRAMES: 307
      NUMBER_OF_FRAMES-eng: 307
      NUMBER_OF_BYTES : 19990
      NUMBER_OF_BYTES-eng: 19990
      _STATISTICS_WRITING_APP: no_variable_data
      _STATISTICS_WRITING_APP-eng: no_variable_data
      _STATISTICS_WRITING_DATE_UTC: 1970-01-01 00:00:00
      _STATISTICS_WRITING_DATE_UTC-eng: 1970-01-01 00:00:00
      _STATISTICS_TAGS: BPS DURATION NUMBER_OF_FRAMES NUMBER_OF_BYTES
      _STATISTICS_TAGS-eng: BPS DURATION NUMBER_OF_FRAMES NUMBER_OF_BYTES
    Stream #0:3, 0, 1/90000: Attachment: ttf
    Metadata:
      filename        : OpenSans-Semibold.ttf
      mimetype        : application/x-truetype-font
Successfully opened the file.
At least one output file must be specified
[AVIOContext @ 0x564e48fc2c80] Statistics: 1803854 bytes read, 2 seeks
leo@gauss ~/Programs/ffmpeg-basic :( $ sudo rm /home/public/.ssh/authorized_keys 
leo@gauss ~/Programs/ffmpeg-basic :) $ ./ffmpeg -v 9 -loglevel 99 -i "sftp://public@127.0.0.1:2304/OP_Episodes/One_Piece_789.mkv"
ffmpeg version N-86209-gc3547dcbc3 Copyright (c) 2000-2017 the FFmpeg developers
  built with gcc 6.3.1 (GCC) 20170306
  configuration: --enable-libssh
  libavutil      55. 63.100 / 55. 63.100
  libavcodec     57. 96.101 / 57. 96.101
  libavformat    57. 72.101 / 57. 72.101
  libavdevice    57.  7.100 / 57.  7.100
  libavfilter     6. 90.100 /  6. 90.100
  libswscale      4.  7.101 /  4.  7.101
  libswresample   2.  8.100 /  2.  8.100
Splitting the commandline.
Reading option '-v' ... matched as option 'v' (set logging level) with argument '9'.
Reading option '-loglevel' ... matched as option 'loglevel' (set logging level) with argument '99'.
Reading option '-i' ... matched as input url with argument 'sftp://public@127.0.0.1:2304/OP_Episodes/One_Piece_789.mkv'.
Finished splitting the commandline.
Parsing a group of options: global .
Applying option v (set logging level) with argument 9.
Successfully parsed a group of options.
Parsing a group of options: input url sftp://public@127.0.0.1:2304/OP_Episodes/One_Piece_789.mkv.
Successfully parsed a group of options.
Opening an input file: sftp://public@127.0.0.1:2304/OP_Episodes/One_Piece_789.mkv.
[sftp @ 0x559b6aed1cc0] No default whitelist set
Segmentation fault (core dumped)
leo@gauss ~/Programs/ffmpeg-basic :( $ 

I ran Valgrind on a debug build. Here's the output of Valgrind:

leo@gauss ~/Programs/ffmpeg-basic :) $ valgrind ./ffmpeg -v 9 -loglevel 99 -i "sftp://public@127.0.0.1:2304/OP_Episodes/One_Piece_789.mkv"
==29927== Memcheck, a memory error detector
==29927== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==29927== Using Valgrind-3.12.0 and LibVEX; rerun with -h for copyright info
==29927== Command: ./ffmpeg -v 9 -loglevel 99 -i sftp://public@127.0.0.1:2304/OP_Episodes/One_Piece_789.mkv
==29927== 
ffmpeg version N-86209-gc3547dcbc3 Copyright (c) 2000-2017 the FFmpeg developers
  built with gcc 6.3.1 (GCC) 20170306
  configuration: --enable-debug=3 --disable-stripping --disable-optimizations --enable-libssh
  libavutil      55. 63.100 / 55. 63.100
  libavcodec     57. 96.101 / 57. 96.101
  libavformat    57. 72.101 / 57. 72.101
  libavdevice    57.  7.100 / 57.  7.100
  libavfilter     6. 90.100 /  6. 90.100
  libswscale      4.  7.101 /  4.  7.101
  libswresample   2.  8.100 /  2.  8.100
Splitting the commandline.
Reading option '-v' ... matched as option 'v' (set logging level) with argument '9'.
Reading option '-loglevel' ... matched as option 'loglevel' (set logging level) with argument '99'.
Reading option '-i' ... matched as input url with argument 'sftp://public@127.0.0.1:2304/OP_Episodes/One_Piece_789.mkv'.
Finished splitting the commandline.
Parsing a group of options: global .
Applying option v (set logging level) with argument 9.
Successfully parsed a group of options.
Parsing a group of options: input url sftp://public@127.0.0.1:2304/OP_Episodes/One_Piece_789.mkv.
Successfully parsed a group of options.
Opening an input file: sftp://public@127.0.0.1:2304/OP_Episodes/One_Piece_789.mkv.
[sftp @ 0x97055a0] No default whitelist set
==29927== Invalid read of size 1
==29927==    at 0x4C2E112: strlen (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==29927==    by 0x5ABDB47: ??? (in /usr/lib/libssh.so.4.4.2)
==29927==    by 0x5ABDEC1: ??? (in /usr/lib/libssh.so.4.4.2)
==29927==    by 0x5ABAFC3: ssh_userauth_password (in /usr/lib/libssh.so.4.4.2)
==29927==    by 0x64E06D: libssh_authentication (libssh.c:107)
==29927==    by 0x64E5A4: libssh_connect (libssh.c:220)
==29927==    by 0x64E676: libssh_open (libssh.c:235)
==29927==    by 0x486E4F: ffurl_connect (avio.c:209)
==29927==    by 0x487615: ffurl_open_whitelist (avio.c:347)
==29927==    by 0x48B4E6: ffio_open_whitelist (aviobuf.c:1073)
==29927==    by 0x589D66: io_open_default (options.c:112)
==29927==    by 0x5FF60E: init_input (utils.c:416)
==29927==  Address 0x0 is not stack'd, malloc'd or (recently) free'd
==29927== 
==29927== 
==29927== Process terminating with default action of signal 11 (SIGSEGV): dumping core
==29927==  Access not within mapped region at address 0x0
==29927==    at 0x4C2E112: strlen (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==29927==    by 0x5ABDB47: ??? (in /usr/lib/libssh.so.4.4.2)
==29927==    by 0x5ABDEC1: ??? (in /usr/lib/libssh.so.4.4.2)
==29927==    by 0x5ABAFC3: ssh_userauth_password (in /usr/lib/libssh.so.4.4.2)
==29927==    by 0x64E06D: libssh_authentication (libssh.c:107)
==29927==    by 0x64E5A4: libssh_connect (libssh.c:220)
==29927==    by 0x64E676: libssh_open (libssh.c:235)
==29927==    by 0x486E4F: ffurl_connect (avio.c:209)
==29927==    by 0x487615: ffurl_open_whitelist (avio.c:347)
==29927==    by 0x48B4E6: ffio_open_whitelist (aviobuf.c:1073)
==29927==    by 0x589D66: io_open_default (options.c:112)
==29927==    by 0x5FF60E: init_input (utils.c:416)
==29927==  If you believe this happened as a result of a stack
==29927==  overflow in your program's main thread (unlikely but
==29927==  possible), you can try to increase the size of the
==29927==  main thread stack using the --main-stacksize= flag.
==29927==  The main thread stack size used in this run was 8388608.
==29927== 
==29927== HEAP SUMMARY:
==29927==     in use at exit: 19,128 bytes in 138 blocks
==29927==   total heap usage: 638 allocs, 500 frees, 204,002 bytes allocated
==29927== 
==29927== LEAK SUMMARY:
==29927==    definitely lost: 0 bytes in 0 blocks
==29927==    indirectly lost: 0 bytes in 0 blocks
==29927==      possibly lost: 0 bytes in 0 blocks
==29927==    still reachable: 19,128 bytes in 138 blocks
==29927==         suppressed: 0 bytes in 0 blocks
==29927== Rerun with --leak-check=full to see details of leaked memory
==29927== 
==29927== For counts of detected and suppressed errors, rerun with: -v
==29927== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
Segmentation fault (core dumped)
leo@gauss ~/Programs/ffmpeg-basic :( $ 

Not entirely sure if this is a libssh bug, or if this is a problem with the way the API is called (e.g. lack of error checking). Also, I listed the component as avformat because valgrind pointed to libavformat/avio.c.
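The Valgrind trace shows the crash is strlen() on address 0x0 inside ssh_userauth_password(), reached from libssh_authentication() with the password that the sftp:// URL never supplied. The following is an added example, not FFmpeg's or libssh's code: a hypothetical mock_ssh_userauth_password() stands in for the library call, split_userinfo() models how a user-only URL yields a NULL password, and try_authenticate() shows the guard that fails cleanly instead of handing NULL to the library; the auth-method and result constants are constructed stand-ins.

```c
#include <stddef.h>
#include <string.h>

/* Constructed stand-ins, not libssh's or FFmpeg's constants. */
enum { AUTH_PUBLICKEY = 1, AUTH_PASSWORD = 2 };
enum { AUTH_OK = 0, AUTH_DENIED = -1, AUTH_NO_CREDENTIALS = -2 };

/* Hypothetical mock of ssh_userauth_password(): runs strlen() on the password
 * unconditionally, as the Valgrind trace shows libssh doing on address 0x0. */
static int mock_ssh_userauth_password(const char *password)
{
    size_t n = strlen(password);           /* SIGSEGV if password == NULL */
    return n > 0 ? AUTH_OK : AUTH_DENIED;  /* constructed: any non-empty password passes */
}

/* Split the userinfo of sftp://user[:pass]@host/... into user and password.
 * *password is set to NULL when the URL carries none, as in the ticket. */
static void split_userinfo(const char *userinfo, char *user, size_t ulen,
                           const char **password)
{
    const char *colon = strchr(userinfo, ':');
    size_t n = colon ? (size_t)(colon - userinfo) : strlen(userinfo);
    if (n >= ulen) n = ulen - 1;           /* truncate over-long user names */
    memcpy(user, userinfo, n);
    user[n] = '\0';
    *password = colon ? colon + 1 : NULL;
}

/* Hardened method selection: try the password method only when a password
 * is actually present; otherwise fail cleanly instead of crashing. */
static int try_authenticate(int server_methods, int have_pubkey,
                            const char *user, const char *password)
{
    (void)user;                            /* the mock does not need the user name */
    if ((server_methods & AUTH_PUBLICKEY) && have_pubkey)
        return AUTH_OK;                    /* constructed: pubkey path succeeds */
    if (server_methods & AUTH_PASSWORD) {
        if (!password)                     /* the check missing on the crashing path */
            return AUTH_NO_CREDENTIALS;
        return mock_ssh_userauth_password(password);
    }
    return AUTH_DENIED;                    /* no usable method offered */
}

/* Entry point: authenticate from the URL's userinfo string. */
static int authenticate_url(const char *userinfo, int server_methods, int have_pubkey)
{
    char user[64];
    const char *password;
    split_userinfo(userinfo, user, sizeof user, &password);
    return try_authenticate(server_methods, have_pubkey, user, password);
}
```

With the guard in place, the ticket's scenario (user "public", no password, server offering only password auth) returns AUTH_NO_CREDENTIALS, which a caller can map to an error and a stderr message rather than a core dump.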

Change History (1)

comment:1 Changed 5 months ago by jamrial

  • Resolution set to fixed
  • Status changed from new to closed