Opened 7 years ago
Closed 7 years ago
#6413 closed defect (fixed)
libssh sftp demuxer crashes (SIGSEGV) if the server asks for a password (with no pubkey auth)
| Reported by: | Leo Izen | Owned by: | |
|---|---|---|---|
| Priority: | normal | Component: | avformat |
| Version: | git-master | Keywords: | avformat, libssh, sftp, crash |
| Cc: | | Blocked By: | |
| Blocking: | | Reproduced by developer: | no |
| Analyzed by developer: | no | | |
Description
Summary of the bug:
The SFTP demuxer in libavformat, provided by the external library libssh, will crash via segmentation fault if the SSH server doesn't have public key set up and asks for a password. It works as expected if the user has public key SSH set up.
What should happen:
Either ffmpeg should ask the user for the password, or exit gracefully with failure (and probably an error message on stderr as well). It should not segfault.
In order to reproduce this, try adding a new user and then connecting to localhost over SSH. Here is my log of this phenomenon:
```
leo@gauss ~/Programs/ffmpeg-basic :) $ ./ffmpeg -v 9 -loglevel 99 -i "sftp://public@127.0.0.1:2304/OP_Episodes/One_Piece_789.mkv"
ffmpeg version N-86209-gc3547dcbc3 Copyright (c) 2000-2017 the FFmpeg developers
  built with gcc 6.3.1 (GCC) 20170306
  configuration: --enable-libssh
  libavutil 55. 63.100 / 55. 63.100
  libavcodec 57. 96.101 / 57. 96.101
  libavformat 57. 72.101 / 57. 72.101
  libavdevice 57. 7.100 / 57. 7.100
  libavfilter 6. 90.100 / 6. 90.100
  libswscale 4. 7.101 / 4. 7.101
  libswresample 2. 8.100 / 2. 8.100
Splitting the commandline.
Reading option '-v' ... matched as option 'v' (set logging level) with argument '9'.
Reading option '-loglevel' ... matched as option 'loglevel' (set logging level) with argument '99'.
Reading option '-i' ... matched as input url with argument 'sftp://public@127.0.0.1:2304/OP_Episodes/One_Piece_789.mkv'.
Finished splitting the commandline.
Parsing a group of options: global .
Applying option v (set logging level) with argument 9.
Successfully parsed a group of options.
Parsing a group of options: input url sftp://public@127.0.0.1:2304/OP_Episodes/One_Piece_789.mkv.
Successfully parsed a group of options.
Opening an input file: sftp://public@127.0.0.1:2304/OP_Episodes/One_Piece_789.mkv.
[sftp @ 0x564e48fbbcc0] No default whitelist set
[libssh @ 0x564e48fbbe40] Authentication successful with auto selected key.
Probing matroska,webm score:100 size:2048
[matroska,webm @ 0x564e48fbb360] Format matroska,webm probed with size=2048 and score=100
st:0 removing common factor 1000000 from timebase
st:1 removing common factor 1000000 from timebase
st:2 removing common factor 1000000 from timebase
[matroska,webm @ 0x564e48fbb360] Before avformat_find_stream_info() pos: 228024 bytes read:261930 seeks:2 nb_streams:4
[h264 @ 0x564e48fc4560] nal_unit_type: 7, nal_ref_idc: 3
[h264 @ 0x564e48fc4560] nal_unit_type: 8, nal_ref_idc: 3
[h264 @ 0x564e48fc4560] nal_unit_type: 7, nal_ref_idc: 3
[h264 @ 0x564e48fc4560] nal_unit_type: 8, nal_ref_idc: 3
[h264 @ 0x564e48fc4560] user data:"x264 - core 120 r2120 0c7dab9 - H.264/MPEG-4 AVC codec - Copyleft 2003-2011 - http://www.videolan.org/x264.html - options: cabac=1 ref=6 deblock=1:1:1 analyse=0x3:0x113 me=umh subme=8 psy=1 psy_rd=0.40:0.00 mixed_ref=1 me_range=16 chroma_me=1 trellis=1 8x8dct=1 cqm=0 deadzone=21,11 fast_pskip=1 chroma_qp_offset=-2 threads=4 sliced_threads=0 nr=0 decimate=1 interlaced=0 bluray_compat=0 constrained_intra=0 bframes=3 b_pyramid=2 b_adapt=2 b_bias=0 direct=3 weightb=1 open_gop=0 weightp=2 keyint=250 keyint_min=23 scenecut=40 intra_refresh=0 rc_lookahead=50 rc=2pass mbtree=1 bitrate=1776 ratetol=1.0 qcomp=0.60 qpmin=0 qpmax=69 qpstep=4 cplxblur=20.0 qblur=0.5 vbv_maxrate=3552 vbv_bufsize=8880 nal_hrd=none ip_ratio=1.40 aq=1:0.60"
[h264 @ 0x564e48fc4560] nal_unit_type: 7, nal_ref_idc: 3
[h264 @ 0x564e48fc4560] nal_unit_type: 8, nal_ref_idc: 3
[h264 @ 0x564e48fc4560] nal_unit_type: 6, nal_ref_idc: 0
[h264 @ 0x564e48fc4560] nal_unit_type: 5, nal_ref_idc: 3
[h264 @ 0x564e48fc4560] user data:"x264 - core 120 r2120 0c7dab9 - H.264/MPEG-4 AVC codec - Copyleft 2003-2011 - http://www.videolan.org/x264.html - options: cabac=1 ref=6 deblock=1:1:1 analyse=0x3:0x113 me=umh subme=8 psy=1 psy_rd=0.40:0.00 mixed_ref=1 me_range=16 chroma_me=1 trellis=1 8x8dct=1 cqm=0 deadzone=21,11 fast_pskip=1 chroma_qp_offset=-2 threads=4 sliced_threads=0 nr=0 decimate=1 interlaced=0 bluray_compat=0 constrained_intra=0 bframes=3 b_pyramid=2 b_adapt=2 b_bias=0 direct=3 weightb=1 open_gop=0 weightp=2 keyint=250 keyint_min=23 scenecut=40 intra_refresh=0 rc_lookahead=50 rc=2pass mbtree=1 bitrate=1776 ratetol=1.0 qcomp=0.60 qpmin=0 qpmax=69 qpstep=4 cplxblur=20.0 qblur=0.5 vbv_maxrate=3552 vbv_bufsize=8880 nal_hrd=none ip_ratio=1.40 aq=1:0.60"
[h264 @ 0x564e48fc4560] Reinit context to 1280x720, pix_fmt: yuv420p
[h264 @ 0x564e48fc4560] no picture
[matroska,webm @ 0x564e48fbb360] All info found
[matroska,webm @ 0x564e48fbb360] stream 0: start_time: 0.000 duration: -9223372036854776.000
[matroska,webm @ 0x564e48fbb360] stream 1: start_time: 0.000 duration: -9223372036854776.000
[matroska,webm @ 0x564e48fbb360] stream 2: start_time: 0.000 duration: 1435.318
[matroska,webm @ 0x564e48fbb360] stream 3: start_time: 0.000 duration: 1435.318
[matroska,webm @ 0x564e48fbb360] format: start_time: 0.000 duration: 1435.318 bitrate=1905 kb/s
[matroska,webm @ 0x564e48fbb360] After avformat_find_stream_info() pos: 1754501 bytes read:1803854 seeks:2 frames:12
Input #0, matroska,webm, from 'sftp://public@127.0.0.1:2304/OP_Episodes/One_Piece_789.mkv':
  Metadata:
    encoder : no_variable_data
    creation_time : 1970-01-01T00:00:00.000000Z
  Duration: 00:23:55.32, start: 0.000000, bitrate: 1905 kb/s
    Stream #0:0, 4, 1/1000: Video: h264 (High), 1 reference frame, yuv420p(progressive, left), 1280x720 [SAR 1:1 DAR 16:9], 0/1, 23.81 fps, 23.81 tbr, 1k tbn, 47.95 tbc (default)
    Metadata:
      BPS : 1773921
      BPS-eng : 1773921
      DURATION : 00:23:55.143000000
      DURATION-eng : 00:23:55.143000000
      NUMBER_OF_FRAMES: 34410
      NUMBER_OF_FRAMES-eng: 34410
      NUMBER_OF_BYTES : 318228822
      NUMBER_OF_BYTES-eng: 318228822
      _STATISTICS_WRITING_APP: no_variable_data
      _STATISTICS_WRITING_APP-eng: no_variable_data
      _STATISTICS_WRITING_DATE_UTC: 1970-01-01 00:00:00
      _STATISTICS_WRITING_DATE_UTC-eng: 1970-01-01 00:00:00
      _STATISTICS_TAGS: BPS DURATION NUMBER_OF_FRAMES NUMBER_OF_BYTES
      _STATISTICS_TAGS-eng: BPS DURATION NUMBER_OF_FRAMES NUMBER_OF_BYTES
    Stream #0:1(jpn), 8, 1/1000: Audio: aac (LC), 44100 Hz, stereo, fltp (default)
    Metadata:
      BPS : 128000
      BPS-eng : 128000
      DURATION : 00:23:55.318000000
      DURATION-eng : 00:23:55.318000000
      NUMBER_OF_FRAMES: 61814
      NUMBER_OF_FRAMES-eng: 61814
      NUMBER_OF_BYTES : 22965092
      NUMBER_OF_BYTES-eng: 22965092
      _STATISTICS_WRITING_APP: no_variable_data
      _STATISTICS_WRITING_APP-eng: no_variable_data
      _STATISTICS_WRITING_DATE_UTC: 1970-01-01 00:00:00
      _STATISTICS_WRITING_DATE_UTC-eng: 1970-01-01 00:00:00
      _STATISTICS_TAGS: BPS DURATION NUMBER_OF_FRAMES NUMBER_OF_BYTES
      _STATISTICS_TAGS-eng: BPS DURATION NUMBER_OF_FRAMES NUMBER_OF_BYTES
    Stream #0:2(eng), 0, 1/1000: Subtitle: ass (default)
    Metadata:
      BPS : 112
      BPS-eng : 112
      DURATION : 00:23:36.670000000
      DURATION-eng : 00:23:36.670000000
      NUMBER_OF_FRAMES: 307
      NUMBER_OF_FRAMES-eng: 307
      NUMBER_OF_BYTES : 19990
      NUMBER_OF_BYTES-eng: 19990
      _STATISTICS_WRITING_APP: no_variable_data
      _STATISTICS_WRITING_APP-eng: no_variable_data
      _STATISTICS_WRITING_DATE_UTC: 1970-01-01 00:00:00
      _STATISTICS_WRITING_DATE_UTC-eng: 1970-01-01 00:00:00
      _STATISTICS_TAGS: BPS DURATION NUMBER_OF_FRAMES NUMBER_OF_BYTES
      _STATISTICS_TAGS-eng: BPS DURATION NUMBER_OF_FRAMES NUMBER_OF_BYTES
    Stream #0:3, 0, 1/90000: Attachment: ttf
    Metadata:
      filename : OpenSans-Semibold.ttf
      mimetype : application/x-truetype-font
Successfully opened the file.
At least one output file must be specified
[AVIOContext @ 0x564e48fc2c80] Statistics: 1803854 bytes read, 2 seeks
leo@gauss ~/Programs/ffmpeg-basic :( $ sudo rm /home/public/.ssh/authorized_keys
leo@gauss ~/Programs/ffmpeg-basic :) $ ./ffmpeg -v 9 -loglevel 99 -i "sftp://public@127.0.0.1:2304/OP_Episodes/One_Piece_789.mkv"
ffmpeg version N-86209-gc3547dcbc3 Copyright (c) 2000-2017 the FFmpeg developers
  built with gcc 6.3.1 (GCC) 20170306
  configuration: --enable-libssh
  libavutil 55. 63.100 / 55. 63.100
  libavcodec 57. 96.101 / 57. 96.101
  libavformat 57. 72.101 / 57. 72.101
  libavdevice 57. 7.100 / 57. 7.100
  libavfilter 6. 90.100 / 6. 90.100
  libswscale 4. 7.101 / 4. 7.101
  libswresample 2. 8.100 / 2. 8.100
Splitting the commandline.
Reading option '-v' ... matched as option 'v' (set logging level) with argument '9'.
Reading option '-loglevel' ... matched as option 'loglevel' (set logging level) with argument '99'.
Reading option '-i' ... matched as input url with argument 'sftp://public@127.0.0.1:2304/OP_Episodes/One_Piece_789.mkv'.
Finished splitting the commandline.
Parsing a group of options: global .
Applying option v (set logging level) with argument 9.
Successfully parsed a group of options.
Parsing a group of options: input url sftp://public@127.0.0.1:2304/OP_Episodes/One_Piece_789.mkv.
Successfully parsed a group of options.
Opening an input file: sftp://public@127.0.0.1:2304/OP_Episodes/One_Piece_789.mkv.
[sftp @ 0x559b6aed1cc0] No default whitelist set
Segmentation fault (core dumped)
leo@gauss ~/Programs/ffmpeg-basic :( $
```
I ran Valgrind on a debug build. Here's the output of Valgrind:
```
leo@gauss ~/Programs/ffmpeg-basic :) $ valgrind ./ffmpeg -v 9 -loglevel 99 -i "sftp://public@127.0.0.1:2304/OP_Episodes/One_Piece_789.mkv"
==29927== Memcheck, a memory error detector
==29927== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==29927== Using Valgrind-3.12.0 and LibVEX; rerun with -h for copyright info
==29927== Command: ./ffmpeg -v 9 -loglevel 99 -i sftp://public@127.0.0.1:2304/OP_Episodes/One_Piece_789.mkv
==29927==
ffmpeg version N-86209-gc3547dcbc3 Copyright (c) 2000-2017 the FFmpeg developers
  built with gcc 6.3.1 (GCC) 20170306
  configuration: --enable-debug=3 --disable-stripping --disable-optimizations --enable-libssh
  libavutil 55. 63.100 / 55. 63.100
  libavcodec 57. 96.101 / 57. 96.101
  libavformat 57. 72.101 / 57. 72.101
  libavdevice 57. 7.100 / 57. 7.100
  libavfilter 6. 90.100 / 6. 90.100
  libswscale 4. 7.101 / 4. 7.101
  libswresample 2. 8.100 / 2. 8.100
Splitting the commandline.
Reading option '-v' ... matched as option 'v' (set logging level) with argument '9'.
Reading option '-loglevel' ... matched as option 'loglevel' (set logging level) with argument '99'.
Reading option '-i' ... matched as input url with argument 'sftp://public@127.0.0.1:2304/OP_Episodes/One_Piece_789.mkv'.
Finished splitting the commandline.
Parsing a group of options: global .
Applying option v (set logging level) with argument 9.
Successfully parsed a group of options.
Parsing a group of options: input url sftp://public@127.0.0.1:2304/OP_Episodes/One_Piece_789.mkv.
Successfully parsed a group of options.
Opening an input file: sftp://public@127.0.0.1:2304/OP_Episodes/One_Piece_789.mkv.
[sftp @ 0x97055a0] No default whitelist set
==29927== Invalid read of size 1
==29927==    at 0x4C2E112: strlen (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==29927==    by 0x5ABDB47: ??? (in /usr/lib/libssh.so.4.4.2)
==29927==    by 0x5ABDEC1: ??? (in /usr/lib/libssh.so.4.4.2)
==29927==    by 0x5ABAFC3: ssh_userauth_password (in /usr/lib/libssh.so.4.4.2)
==29927==    by 0x64E06D: libssh_authentication (libssh.c:107)
==29927==    by 0x64E5A4: libssh_connect (libssh.c:220)
==29927==    by 0x64E676: libssh_open (libssh.c:235)
==29927==    by 0x486E4F: ffurl_connect (avio.c:209)
==29927==    by 0x487615: ffurl_open_whitelist (avio.c:347)
==29927==    by 0x48B4E6: ffio_open_whitelist (aviobuf.c:1073)
==29927==    by 0x589D66: io_open_default (options.c:112)
==29927==    by 0x5FF60E: init_input (utils.c:416)
==29927==  Address 0x0 is not stack'd, malloc'd or (recently) free'd
==29927==
==29927==
==29927== Process terminating with default action of signal 11 (SIGSEGV): dumping core
==29927==  Access not within mapped region at address 0x0
==29927==    at 0x4C2E112: strlen (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==29927==    by 0x5ABDB47: ??? (in /usr/lib/libssh.so.4.4.2)
==29927==    by 0x5ABDEC1: ??? (in /usr/lib/libssh.so.4.4.2)
==29927==    by 0x5ABAFC3: ssh_userauth_password (in /usr/lib/libssh.so.4.4.2)
==29927==    by 0x64E06D: libssh_authentication (libssh.c:107)
==29927==    by 0x64E5A4: libssh_connect (libssh.c:220)
==29927==    by 0x64E676: libssh_open (libssh.c:235)
==29927==    by 0x486E4F: ffurl_connect (avio.c:209)
==29927==    by 0x487615: ffurl_open_whitelist (avio.c:347)
==29927==    by 0x48B4E6: ffio_open_whitelist (aviobuf.c:1073)
==29927==    by 0x589D66: io_open_default (options.c:112)
==29927==    by 0x5FF60E: init_input (utils.c:416)
==29927==  If you believe this happened as a result of a stack
==29927==  overflow in your program's main thread (unlikely but
==29927==  possible), you can try to increase the size of the
==29927==  main thread stack using the --main-stacksize= flag.
==29927==  The main thread stack size used in this run was 8388608.
==29927==
==29927== HEAP SUMMARY:
==29927==     in use at exit: 19,128 bytes in 138 blocks
==29927==   total heap usage: 638 allocs, 500 frees, 204,002 bytes allocated
==29927==
==29927== LEAK SUMMARY:
==29927==    definitely lost: 0 bytes in 0 blocks
==29927==    indirectly lost: 0 bytes in 0 blocks
==29927==      possibly lost: 0 bytes in 0 blocks
==29927==    still reachable: 19,128 bytes in 138 blocks
==29927==         suppressed: 0 bytes in 0 blocks
==29927== Rerun with --leak-check=full to see details of leaked memory
==29927==
==29927== For counts of detected and suppressed errors, rerun with: -v
==29927== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
Segmentation fault (core dumped)
leo@gauss ~/Programs/ffmpeg-basic :( $
```
Not entirely sure if this is a libssh bug, or if this is a problem with the way the API is called (e.g. lack of error checking). Also, I listed the component as avformat because Valgrind pointed to libavformat/avio.c.
Fixed in 8ddb6820bd52df6ed616abc3d8be200b126aa8c1
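
An added example, not FFmpeg's or libssh's code and not the contents of the fix commit: a small C model of the failure in the Valgrind trace, where a URL with no password yields a NULL pointer that reaches a `strlen()`-based password call, together with a guard that returns an error instead. Every function name and constant here is a hypothetical stand-in, and the credentials are constructed sample input.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical flags and helpers; none of these are libssh or FFmpeg names. */
#define METHOD_PUBLICKEY 0x1u
#define METHOD_PASSWORD  0x2u

/* Split "user[:password]" in place; returns the password or NULL if absent. */
static char *split_credentials(char *credentials)
{
    char *colon = strchr(credentials, ':');
    if (colon)
        *colon++ = '\0';
    return colon;
}

/* Stand-in for a library call that strlen()s its argument; NULL would crash. */
static int model_userauth_password(const char *password)
{
    return strlen(password) > 0 ? 0 : -1;
}

/* Guarded authentication: 0 on success, -EACCES when no method can work. */
static int authenticate(unsigned server_methods, int pubkey_ok, const char *password)
{
    if ((server_methods & METHOD_PUBLICKEY) && pubkey_ok)
        return 0;
    /* Attempt password auth only if the caller actually has a password. */
    if ((server_methods & METHOD_PASSWORD) && password &&
        model_userauth_password(password) == 0)
        return 0;
    return -EACCES; /* clean failure instead of a NULL dereference */
}

/* Runs the guard on constructed "user[:password]" input. */
static int try_login(const char *userinfo, unsigned server_methods, int pubkey_ok)
{
    char buf[128];
    snprintf(buf, sizeof(buf), "%s", userinfo);
    return authenticate(server_methods, pubkey_ok, split_credentials(buf));
}

int main(void)
{
    printf("no password: %d\n", try_login("public", METHOD_PASSWORD, 0));
    printf("with password: %d\n", try_login("public:constructed-pw", METHOD_PASSWORD, 0));
    return 0;
}
```

Removing the `&& password` test reproduces the class of crash in the trace: the password-only server path calls the `strlen()`-based routine with address 0x0.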