#8503 closed defect (worksforme)
heap-use-after-free (libavformat)
| Reported by: | satbaby | Owned by: | |
|---|---|---|---|
| Priority: | normal | Component: | undetermined |
| Version: | git-master | Keywords: | |
| Cc: | Blocked By: | ||
| Blocking: | Reproduced by developer: | no | |
| Analyzed by developer: | no |
Description
Summary of the bug:
[hls @ 0x61b0000b7580] Skip ('#EXT-X-PROGRAM-DATE-TIME:2020-01-30T12:19:55Z')
[hls @ 0x61b0000b7580] Skip ('#EXT-X-PROGRAM-DATE-TIME:2020-01-30T12:19:57Z')
[hls @ 0x61b0000b7580] Skip ('#EXT-X-PROGRAM-DATE-TIME:2020-01-30T12:19:59Z')
[hls @ 0x61b0000b7580] Skip ('#EXT-X-PROGRAM-DATE-TIME:2020-01-30T12:20:01Z')
[hls @ 0x61b0000b7580] Skip ('#EXT-X-PROGRAM-DATE-TIME:2020-01-30T12:20:03Z')
[hls @ 0x61b0000b7580] Opening 'https://zdf-hls-02.akamaized.net/hls/live/2002461-b/de/db2a160db8fa0578f9d55391f18d47c1/7/77031.aac' for reading
[hls @ 0x61b0000b7580] Opening 'https://zdf-hls-02.akamaized.net/hls/live/2002461-b/de/db2a160db8fa0578f9d55391f18d47c1/7/77032.aac' for reading
=================================================================
==26433==ERROR: AddressSanitizer: heap-use-after-free on address 0x60b0001786c0 at pc 0x7fa210658bf5 bp 0x7ffff0105260 sp 0x7ffff0104a08
READ of size 2 at 0x60b0001786c0 thread T0
Invalid return value 0 for stream protocol
#0 0x7fa210658bf4 (/usr/lib/gcc/x86_64-pc-linux-gnu/9.2.0/libasan.so.5+0x6abf4)
#1 0x5590326e6c82 in av_match_ext libavformat/format.c:45
#2 0x5590326e7121 in av_probe_input_format3 libavformat/format.c:168
#3 0x5590326e7311 in av_probe_input_format2 libavformat/format.c:208
#4 0x5590326e7479 in av_probe_input_buffer2 libavformat/format.c:280
#5 0x5590326e7668 in av_probe_input_buffer libavformat/format.c:316
#6 0x55903275e777 in hls_read_header libavformat/hls.c:1945
#7 0x559032707aa1 in avformat_open_input libavformat/utils.c:631
...
0x60b0001786c0 is located 0 bytes inside of 100-byte region [0x60b0001786c0,0x60b000178724)
freed by thread T0 here:
#0 0x7fa2106f9e4f in interceptor_free (/usr/lib/gcc/x86_64-pc-linux-gnu/9.2.0/libasan.so.5+0x10be4f)
#1 0x55903275b357 in free_segment_dynarray libavformat/hls.c:223
#2 0x55903275b357 in parse_playlist libavformat/hls.c:950
previously allocated by thread T0 here:
#0 0x7fa2106fa669 in realloc (/usr/lib/gcc/x86_64-pc-linux-gnu/9.2.0/libasan.so.5+0x10c669)
#1 0x559033149454 in av_strdup libavutil/mem.c:256
#2 0x2d736c682d666479 (<unknown module>)
How to reproduce:
AVFormatContext *ifcx = NULL;
if (avformat_open_input(&ifcx, "http://zdf-hls-02.akamaized.net/hls/live/2002461/de/high/master.m3u8", NULL, NULL) != 0) {
Patches should be submitted to the ffmpeg-devel mailing list and not this bug tracker.
Change History (4)
comment:1 by , 5 years ago
follow-up: 3 comment:2 by , 5 years ago
#include <string>
extern "C" {
#include <libavformat/avformat.h>
}
int main()
{
std::string name = "http://zdf-hls-02.akamaized.net/hls/live/2002461/de/high/master.m3u8";
AVFormatContext *ifcx = NULL;
if (avformat_open_input(&ifcx, name.c_str(), NULL, NULL) != 0) {
return -1;
}
if (ifcx) {
avformat_close_input(&ifcx);
}
return 0;
}
c++ -g -lavutil -lavformat -lavcodec test.cpp -fsanitize=address -fno-omit-frame-pointer
comment:3 by , 5 years ago
| Resolution: | → worksforme |
|---|---|
| Status: | new → closed |
Works fine here, a crash in avformat_open_input() should be easily reproducible including with ffmpeg.
comment:4 by , 5 years ago
| Component: | avformat → undetermined |
|---|
Is the issue you see reproducible with
ffmpeg, the command line application? If not, please provide sample code that allows compilation.