#9711 closed defect (fixed)
RTMP play command response exposes undefined stack content
| Reported by: | Mattias Wadman | Owned by: | |
|---|---|---|---|
| Priority: | normal | Component: | avformat |
| Version: | unspecified | Keywords: | rtmp |
| Cc: | Blocked By: | ||
| Blocking: | Reproduced by developer: | no | |
| Analyzed by developer: | no |
Description
Summary of the bug:
When replying to a "play" command the response might expose undefined stack content.
How to reproduce:
# latest ffmpeg from brew as of 2022-04-04
$ ffmpeg -version
ffmpeg version 5.0 Copyright (c) 2000-2022 the FFmpeg developers
built with Apple clang version 13.0.0 (clang-1300.0.29.30)
configuration: --prefix=/usr/local/Cellar/ffmpeg/5.0 --enable-shared --enable-pthreads --enable-version3 --cc=clang --host-cflags= --host-ldflags= --enable-ffplay --enable-gnutls --enable-gpl --enable-libaom --enable-libbluray --enable-libdav1d --enable-libmp3lame --enable-libopus --enable-librav1e --enable-librist --enable-librubberband --enable-libsnappy --enable-libsrt --enable-libtesseract --enable-libtheora --enable-libvidstab --enable-libvmaf --enable-libvorbis --enable-libvpx --enable-libwebp --enable-libx264 --enable-libx265 --enable-libxml2 --enable-libxvid --enable-lzma --enable-libfontconfig --enable-libfreetype --enable-frei0r --enable-libass --enable-libopencore-amrnb --enable-libopencore-amrwb --enable-libopenjpeg --enable-libspeex --enable-libsoxr --enable-libzmq --enable-libzimg --disable-libjack --disable-indev=jack --enable-videotoolbox
libavutil 57. 17.100 / 57. 17.100
libavcodec 59. 18.100 / 59. 18.100
libavformat 59. 16.100 / 59. 16.100
libavdevice 59. 4.100 / 59. 4.100
libavfilter 8. 24.100 / 8. 24.100
libswscale 6. 4.100 / 6. 4.100
libswresample 4. 3.100 / 4. 3.100
libpostproc 56. 3.100 / 56. 3.100
In three separate terminals:
$ ffmpeg -hide_banner -f lavfi -i sine=sample_rate=44100 -acodec aac -ac 2 -f flv -t 200ms -listen 1 rtmp://127.0.0.1:1935/test_stream
$ ffmpeg -i rtmp://127.0.0.1:1935/test_stream -f null -
$ tcpdump -w rtmp.pcap -i lo0
Inspect pcap:
$ tshark -T json -r rtmp.pcap | grep -C 10 published
"Name: code": {
"amf.stringlength": "4",
"amf.string": "code"
},
"String 'NetStream.Play.Start'": {
"amf.amf0_type": "0x02",
"amf.stringlength": "20",
"amf.string": "NetStream.Play.Start"
}
},
"Property 'description' String '���2 is now published'": {
"Name: description": {
"amf.stringlength": "11",
"amf.string": "description"
},
"String '���2 is now published'": {
"amf.amf0_type": "0x02",
"amf.stringlength": "21",
"amf.string": "���2 is now published"
}
},
"Property 'details' String '���2'": {
"Name: details": {
"amf.stringlength": "7",
"amf.string": "details"
},
"String '���2'": {
"amf.amf0_type": "0x02",
"amf.stringlength": "4",
Or use master version of https://github.com/wader/fq (was adding rtmp support to fq when i found this issue)
$ fq '.tcp_connections[].server_stream.messages? | grep("published") | parent | parent | parent | d({line_bytes: 10})' rtmp.pcap
│00 01 02 03 04 05 06 07 08 09│0123456789│.tcp_connections[0].server_stream.messages[9].arguments[0].value[0:5]:
│ │ │ [0]{}:
0x14│ 00 05 6c 65 76 65 6c │ ..level │ key: "level"
│ │ │ value{}:
0x14│ 02│ .│ type: "string" (2)
0x1e│00 06 73 74 61 74 75 73 │..status │ value: "status"
│ │ │ [1]{}:
0x1e│ 00 04│ ..│ key: "code"
0x28│63 6f 64 65 │code │
│ │ │ value{}:
0x28│ 02 │ . │ type: "string" (2)
0x28│ 00 14 4e 65 74│ ..Net│ value: "NetStream.Play.Start"
0x32│53 74 72 65 61 6d 2e 50 6c 61│Stream.Pla│
0x3c│79 2e 53 74 61 72 74 │y.Start │
│ │ │ [2]{}:
0x3c│ 00 0b 64│ ..d│ key: "description"
0x46│65 73 63 72 69 70 74 69 6f 6e│escription│
│ │ │ value{}:
0x50│02 │. │ type: "string" (2)
0x50│ 00 15 ff ff aa 32 20 69 73│ .....2 is│ value: "���2 is now published"
0x5a│20 6e 6f 77 20 70 75 62 6c 69│ now publi│
0x64│73 68 65 64 │shed │
│ │ │ [3]{}:
0x64│ 00 07 64 65 74 61│ ..deta│ key: "details"
0x6e│69 6c 73 │ils │
│ │ │ value{}:
0x6e│ 02 │ . │ type: "string" (2)
0x6e│ 00 04 ff ff aa 32│ .....2│ value: "���2"
│ │ │ [4]{}:
0x78│00 00 │.. │ key: ""
│ │ │ value{}:
0x78│ 09│ │ .│ │ type: "object_end" (9)
The description and details strings seems to have garbage bytes. Looking at the code for rtmpproto.c:send_invoke_response it seems like the stack variable char filename[128] is read (by write_status) without being initialized in the "play" command case. I think this might expose uninitialized stack content or might cause unintended UB compiler optimizations.
Change History (3)
comment:1 by , 2 years ago
comment:2 by , 2 years ago
| Resolution: | → fixed |
|---|---|
| Status: | new → closed |
Note:
See TracTickets
for help on using tickets.
Fixed in 58454749a7e6b854d0120a2f58dff40a3ee7bf40.