Buffer overflow when launching GPAC multicast gateway #6
I can't reproduce:
Neither @soheibthriber nor myself can reproduce. Which platforms are you on? Maybe we should organize a short call to make sure we replicate this.
DASH to be deleted @sla] Buffer overflow causing string: https://akamaibroadcasteruseast.akamaized.net/cmaf/live/657078/akasource/1721610001/chunk-stream_1- size: 99
=================================================================
==13846==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fffd8b5e5d4 at pc 0x7ffff78f94d3 bp 0x7fffffffc2e0 sp 0x7fffffffba88
WRITE of size 2 at 0x7fffd8b5e5d4 thread T0
#0 0x7ffff78f94d2 in memcpy ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors_memintrinsics.inc:115
#1 0x7ffff0aae97d in gf_dash_group_timeline_setup_single media_tools/dash_client.c:856
#2 0x7ffff0ac32d2 in gf_dash_group_timeline_setup media_tools/dash_client.c:1488
#3 0x7ffff0aeb972 in gf_dash_resolve_url media_tools/dash_client.c:3497
#4 0x7ffff0b068fa in gf_dash_download_init_segment media_tools/dash_client.c:4891
#5 0x7ffff0b4d860 in dash_setup_period_and_groups media_tools/dash_client.c:7854
#6 0x7ffff0b532c7 in gf_dash_process_internal media_tools/dash_client.c:8159
#7 0x7ffff0b5442a in gf_dash_process media_tools/dash_client.c:8230
#8 0x7ffff1953ef4 in dashdmx_process filters/dmx_dash.c:3237
#9 0x7ffff168a49c in gf_filter_process_task filter_core/filter.c:3171
#10 0x7ffff1626955 in gf_fs_thread_proc filter_core/filter_session.c:2171
#11 0x7ffff162a46b in gf_fs_run filter_core/filter_session.c:2478
#12 0x55555556204f in gpac_main /home/sohaib/gpac/gpac_public/applications/gpac/gpac.c:1598
#13 0x555555562484 in main /home/sohaib/gpac/gpac_public/applications/gpac/gpac.c:1854
#14 0x7fffeb22a1c9 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
#15 0x7fffeb22a28a in __libc_start_main_impl ../csu/libc-start.c:360
#16 0x55555555d314 in _start (/home/sohaib/gpac/gpac_public/bin/gcc/gpac+0x9314) (BuildId: a2ccdb6707fa9d1833bff7f1275b9b173982460a)
Address 0x7fffd8b5e5d4 is located in stack of thread T0 at offset 468 in frame
#0 0x7ffff0aa8bb1 in gf_dash_group_timeline_setup_single media_tools/dash_client.c:621
This frame has 11 object(s):
[32, 36) 'tpl_use_time' (line 832)
[48, 56) 'sr' (line 805)
[80, 88) 'seg_dur_ms' (line 805)
[112, 120) 'seg_url' (line 808)
[144, 152) 'number' (line 849)
[176, 184) 'utc' (line 992)
[208, 216) 'utc' (line 1048)
[240, 248) 'gtime1' (line 1098)
[272, 280) 'gtime2' (line 1098)
[304, 324) 'szFmt' (line 858)
[368, 468) 'szTemplate' (line 850) <== Memory access at offset 468 overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
(longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors_memintrinsics.inc:115 in memcpy
Shadow bytes around the buggy address:
0x7fffd8b5e300: f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00
0x7fffd8b5e380: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x7fffd8b5e400: f1 f1 f1 f1 04 f2 00 f2 f2 f2 00 f2 f2 f2 00 f2
0x7fffd8b5e480: f2 f2 00 f2 f2 f2 00 f2 f2 f2 00 f2 f2 f2 00 f2
0x7fffd8b5e500: f2 f2 00 f2 f2 f2 00 00 04 f2 f2 f2 f2 f2 00 00
=>0x7fffd8b5e580: 00 00 00 00 00 00 00 00 00 00[04]f3 f3 f3 f3 f3
0x7fffd8b5e600: f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5
0x7fffd8b5e680: f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5
0x7fffd8b5e700: f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 00 00 00 00
0x7fffd8b5e780: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x7fffd8b5e800: f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==13846==ABORTING
[1] + Done "/usr/bin/gdb" --interpreter=mi --tty=${DbgTerm} 0<"/tmp/Microsoft-MIEngine-In-vzvlyp3p.y2k" 1>"/tmp/Microsoft-MIEngine-Out-tdeh4xl1.dse"
I did reproduce and I think the buffer overflow is produced because of a static declaration of the szTemplate variable in dash_client.c. I will propose a modification in the gpac code.
Fix proposed in this pull request: gpac/gpac#2940. If we can test (I tested from my end), then merge, I think we can close this issue.
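As an added illustration, not GPAC's code and not the change made in gpac/gpac#2940: a bounded template-copy routine in C that checks the result fits before writing into a fixed 100-byte buffer (the size of the szTemplate frame object in the ASan report), beside a variant that sizes the buffer from its inputs. The buffer name, the 99-character base string and the "$N" suffix are constructed for the example.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical fixed buffer mirroring the 100-byte szTemplate in the ASan report ([368, 468)); illustrative only. */
#define TEMPLATE_SIZE 100

/* Build "<base><suffix>" into a fixed buffer, refusing input that would not
 * fit together with the terminating NUL. Returns 0 on success, -1 when the
 * result would overflow; on failure dst is left as an empty string. */
int build_template_bounded(char *dst, size_t dst_size,
                           const char *base, const char *suffix)
{
    size_t base_len = strlen(base);
    size_t suffix_len = strlen(suffix);
    if (dst_size == 0) return -1;
    /* Need base_len + suffix_len + 1 <= dst_size; written with subtractions
     * so the check itself cannot wrap around on huge inputs. */
    if (base_len > dst_size - 1 || suffix_len > dst_size - 1 - base_len) {
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, base, base_len);
    memcpy(dst + base_len, suffix, suffix_len + 1); /* +1 copies the NUL */
    return 0;
}

/* Alternative: size the buffer from the inputs instead of a fixed array.
 * Caller frees the result; returns NULL on allocation failure. */
char *build_template_dynamic(const char *base, const char *suffix)
{
    size_t base_len = strlen(base);
    size_t suffix_len = strlen(suffix);
    char *out = malloc(base_len + suffix_len + 1);
    if (!out) return NULL;
    memcpy(out, base, base_len);
    memcpy(out + base_len, suffix, suffix_len + 1);
    return out;
}

/* Constructed input: a 99-character base like the "size: 99" string in the report.
 * A 2-byte suffix plus the NUL cannot fit in 100 bytes, so -1 is returned instead of writing past the end. */
int demo_rejects_oversized(void)
{
    char tpl[TEMPLATE_SIZE];
    char base[100];
    memset(base, 'a', 99);
    base[99] = '\0';
    return build_template_bounded(tpl, sizeof tpl, base, "$N");
}
```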
The PR was merged. Can someone test that it is gone, please?
The issue happens with the unicast repair config both activated and deactivated in the GPAC multicast gateway. On the server, it also happens whether low-latency is enabled or not. Stream E is used to deliver in multicast.
Please see attached for all possible logs as well as pcap capture from multicast server.
buffer_overflow.zip