Opened 5 years ago

Closed 5 years ago

#7527 closed defect (fixed)

segfault in libavformat/hlsenc.c hls_delete_old_segments()

Reported by: caspy
Owned by:
Priority: important
Component: avformat
Version: git-master
Keywords: hls crash
Cc:
Blocked By:
Blocking:
Reproduced by developer: no
Analyzed by developer: no

Description

Summary of the bug:

ffmpeg will segfault when outputting as HLS with hls_flag +delete_segments and strftime_mkdir/use_localtime_mkdir.

How to reproduce:

% ffmpeg -i rtmp://127.0.0.1/test/test -c copy -f hls -hls_time 1 -hls_list_size 1 -use_localtime 1 -use_localtime_mkdir 1 -hls_flags "delete_segments" -hls_segment_filename "/tmp/%s/%s.ts" /tmp/index.m3u8

ffmpeg version: found in release/4.0, but the git-master branch shares the same code

Notes:

in libavformat/hlsenc.c:
in hls_delete_old_segments():
'dirname' is created as NULL
then, a few lines below, it is assigned only if 'if (segment && !hls->use_localtime_mkdir) { .. dirname = .. }'
and a few more lines below it is accessed (crash is here) as 'av_stristr(dirname, "%v")'

Change History (8)

comment:1 by Carl Eugen Hoyos, 5 years ago

Keywords: crash added; delete_segments strftime_mkdir use_localtime_mkdir removed

Please provide the complete, uncut console output including backtrace, disassembly and register dump as explained on https://ffmpeg.org/bugreports.html

comment:3 by caspy, 5 years ago

this patch fixes the issue.

ps: purely for experience, why was this condition implemented originally?

in reply to:  3 comment:4 by Steven Liu, 5 years ago

Replying to caspy:

> this patch fixes the issue.
>
> ps: purely for experience, why was this condition implemented originally?

reference this commit: 9ec52a0a9b086d8a916a580ad594c126cd810a45
or maybe need to check the option for var_stream_map.

Last edited 5 years ago by Steven Liu

comment:5 by Steven Liu, 5 years ago

https://patchwork.ffmpeg.org/patch/10889/

This is better than the first patch.

in reply to:  5 ; comment:6 by caspy, 5 years ago

Replying to stevenliu:

> https://patchwork.ffmpeg.org/patch/10889/
>
> This is better than the first patch.

this patch fixes the issue too.

please, take a look a few lines below, there is one more unconditional access to 'dirname' in the subtitles block:

if ((segment->sub_filename[0] != '\0')) {
...
av_strlcpy(sub_path, dirname, sub_path_size);
av_strlcat(sub_path, segment->sub_filename, sub_path_size);

but i do not use subtitles and know nothing about them. so, i will not be able to test this part.

in reply to:  6 comment:7 by Steven Liu, 5 years ago

Replying to caspy:

> Replying to stevenliu:
>
> > https://patchwork.ffmpeg.org/patch/10889/
> >
> > This is better than the first patch.
>
> this patch fixes the issue too.
>
> please, take a look a few lines below, there is one more unconditional access to 'dirname' in the subtitles block:
>
> if ((segment->sub_filename[0] != '\0')) {
> ...
> av_strlcpy(sub_path, dirname, sub_path_size);
> av_strlcat(sub_path, segment->sub_filename, sub_path_size);

yes you are right, let me think about how to fix it.

> but i do not use subtitles and know nothing about them. so, i will not be able to test this part.
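
The NULL 'dirname' case from the description and the second, subtitle-path use pointed out in comment 6, as an added example that is not part of this ticket and is not FFmpeg code or the committed fix. It is a simplified C model with hypothetical names (build_delete_paths, dir_prefix, mkdir_mode); libc calls stand in for av_stristr/av_strlcpy/av_strlcat, and treating a missing directory as an empty prefix is an assumption of the model.

```c
/* Simplified model of the ticket's pattern; hypothetical names, not FFmpeg code. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct seg { const char *filename; const char *sub_filename; };

/* Copy of `path` cut after its last '/', or "" when it has none. NULL on OOM. */
static char *dir_prefix(const char *path)
{
    const char *slash = strrchr(path, '/');
    size_t n = slash ? (size_t)(slash - path) + 1 : 0;
    char *d = malloc(n + 1);
    if (d) { memcpy(d, path, n); d[n] = '\0'; }
    return d;
}

/* Builds the media path and, if present, the subtitle path to delete.
 * mkdir_mode models use_localtime_mkdir (dirname stays NULL). 0 on success, -1 on error. */
static int build_delete_paths(const char *playlist, const struct seg *s, int mkdir_mode,
                              char *path, char *sub_path, size_t size, int *has_variant)
{
    char *dirname = NULL;
    int n, ret = 0;
    if (size == 0 || (!mkdir_mode && !(dirname = dir_prefix(playlist))))
        return -1;
    /* Guard: all later uses read `base`, so a NULL dirname is never dereferenced.
     * The unguarded forms: strstr(dirname, "%v") and copying dirname into sub_path. */
    const char *base = dirname ? dirname : "";
    *has_variant = strstr(base, "%v") != NULL;
    n = snprintf(path, size, "%s%s", base, s->filename);
    if (n < 0 || (size_t)n >= size) ret = -1;   /* reject truncated paths */
    sub_path[0] = '\0';
    if (ret == 0 && s->sub_filename[0] != '\0') {
        n = snprintf(sub_path, size, "%s%s", base, s->sub_filename);
        if (n < 0 || (size_t)n >= size) ret = -1;
    }
    free(dirname);
    return ret;
}

int main(void)
{
    struct seg s = { "/tmp/1545000000/1545000001.ts", "" };  /* constructed sample */
    char path[256], sub[256]; int v;
    int ret = build_delete_paths("/tmp/index.m3u8", &s, 1, path, sub, sizeof path, &v);
    printf("%d %s\n", ret, path);
    return ret;
}
```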

comment:8 by Steven Liu, 5 years ago

Resolution: fixed
Status: new → closed