Dear Ross Finlayson,

Sorry for the many emails, and thanks for your reply.
I want to report another memory leak bug in the AC3AudioStreamFramer. In liveMedia/AC3AudioStreamFramer.cpp:306, the fSavedFrame pointer is assigned newly allocated heap memory. There are two delete[] operations that free this memory: AC3AudioStreamParser::parseFrame() and AC3AudioStreamParser::onSavedFrameClosure1(). However, sometimes the class destructor AC3AudioStreamFramer::~AC3AudioStreamFramer() is executed before either of the two delete[] operations, which leaks the heap memory that fSavedFrame points to. Mass memory leaks may incur a DoS attack and crash the server.

The call stack of the memory leak:

Direct leak of 4000 byte(s) in 1 object(s) allocated from:
    #0 0x4c751d in operator new[](unsigned long) (/home/ubuntu/experiments/live555-libfuzzer/testProgs/testOnDemandRTSPServer+0x4c751d)
    #1 0x59b65a in AC3AudioStreamParser::readAndSaveAFrame() /home/ubuntu/experiments/live555-libfuzzer/liveMedia/AC3AudioStreamFramer.cpp:306:17
    #2 0x59b65a in AC3AudioStreamFramer::samplingRate() /home/ubuntu/experiments/live555-libfuzzer/liveMedia/AC3AudioStreamFramer.cpp:112:14
    #3 0x52b316 in AC3AudioFileServerMediaSubsession::createNewRTPSink(Groupsock*, unsigned char, FramedSource*) /home/ubuntu/experiments/live555-libfuzzer/liveMedia/AC3AudioFileServerMediaSubsession.cpp:60:22
    #4 0x5e5635 in OnDemandServerMediaSubsession::sdpLines(int) /home/ubuntu/experiments/live555-libfuzzer/liveMedia/OnDemandServerMediaSubsession.cpp:71:29
    #5 0x51da33 in ServerMediaSession::generateSDPDescription(int) /home/ubuntu/experiments/live555-libfuzzer/liveMedia/ServerMediaSession.cpp:254:42
    #6 0x4d9682 in RTSPServer::RTSPClientConnection::handleCmd_DESCRIBE_afterLookup(ServerMediaSession*) /home/ubuntu/experiments/live555-libfuzzer/liveMedia/RTSPServer.cpp:380:31
    #7 0x4d82a7 in RTSPServer::RTSPClientConnection::handleCmd_DESCRIBE(char const*, char const*, char const*) /home/ubuntu/experiments/live555-libfuzzer/liveMedia/RTSPServer.cpp:356:14
    #8 0x4df930 in RTSPServer::RTSPClientConnection::handleRequestBytes(int) /home/ubuntu/experiments/live555-libfuzzer/liveMedia/RTSPServer.cpp:796:2
    #9 0x4d1e2e in GenericMediaServer::ClientConnection::incomingRequestHandler() /home/ubuntu/experiments/live555-libfuzzer/liveMedia/GenericMediaServer.cpp:291:3
    #10 0x4d1e2e in GenericMediaServer::ClientConnection::incomingRequestHandler(void*, int) /home/ubuntu/experiments/live555-libfuzzer/liveMedia/GenericMediaServer.cpp:284:15
    #11 0x645f35 in BasicTaskScheduler::SingleStep(unsigned int) /home/ubuntu/experiments/live555-libfuzzer/BasicUsageEnvironment/BasicTaskScheduler.cpp:171:2
    #12 0x64e45a in BasicTaskScheduler0::doEventLoop(char volatile*) /home/ubuntu/experiments/live555-libfuzzer/BasicUsageEnvironment/BasicTaskScheduler0.cpp:80:5

To reproduce it, please download the attachment:

1. Build the docker image:
   docker build . -t live555_bug
2. Start a container on the image and open two terminals.
3. In one terminal, run live555:
   cd live/testProgs/; ./testOnDemandRTSPServer
   Now we can see the memory usage from the top command:
   [attached screenshot image001.png: memory usage shown by top]
4. On the other terminal, run the poc:
   ./poc.sh
   After 20 seconds, the memory usage:
   [attached screenshot image002.png: memory usage shown by top after 20 seconds]

Best regards,
Jinsheng Ba
<<attachment: live555_leak.zip>>
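The ownership pattern the report describes (one heap buffer, two release paths, an owner destructor that does not release it) can be modelled and checked in isolation. The following is an added example written for this page; it is not live555 code and not the reporter's proof of concept. The class names LeakyParser, FixedParser and SafeParser, the FrameBuffer stand-in for the raw byte array, the g_liveBuffers counter and the scenario functions are all constructed for illustration; the 4000-byte size only mirrors the leak size in the sanitizer report above.

```cpp
#include <cstddef>
#include <cstdio>
#include <memory>
#include <vector>

// Count of heap frame buffers currently alive, so a test can observe a leak
// the way a sanitizer's "Direct leak" line would. (Constructed for this example.)
static int g_liveBuffers = 0;

// Stand-in for the raw `new unsigned char[n]` buffer held by fSavedFrame.
struct FrameBuffer {
    std::vector<unsigned char> bytes;
    explicit FrameBuffer(std::size_t n) : bytes(n) { ++g_liveBuffers; }
    ~FrameBuffer() { --g_liveBuffers; }
};

// Pattern from the report: a raw owning pointer, two release paths
// (parseFrame / onSavedFrameClosure), and a destructor that ignores it.
class LeakyParser {
public:
    ~LeakyParser() {}  // defect: whatever fSavedFrame still owns is never freed
    void readAndSaveAFrame(std::size_t n) { fSavedFrame = new FrameBuffer(n); }
    void parseFrame()          { delete fSavedFrame; fSavedFrame = nullptr; }
    void onSavedFrameClosure() { delete fSavedFrame; fSavedFrame = nullptr; }
private:
    FrameBuffer* fSavedFrame = nullptr;
};

// Minimal fix: the owner's destructor releases anything still held.
// delete on a null pointer is a no-op, so the two normal paths stay correct.
class FixedParser {
public:
    ~FixedParser() { delete fSavedFrame; }
    void readAndSaveAFrame(std::size_t n) { fSavedFrame = new FrameBuffer(n); }
    void parseFrame()          { delete fSavedFrame; fSavedFrame = nullptr; }
    void onSavedFrameClosure() { delete fSavedFrame; fSavedFrame = nullptr; }
private:
    FrameBuffer* fSavedFrame = nullptr;
};

// RAII form: ownership lives in unique_ptr, so every exit path (including an
// early destructor, or a second readAndSaveAFrame before a consumer ran) frees.
class SafeParser {
public:
    ~SafeParser() = default;
    void readAndSaveAFrame(std::size_t n) { fSavedFrame = std::make_unique<FrameBuffer>(n); }
    void parseFrame()          { fSavedFrame.reset(); }
    void onSavedFrameClosure() { fSavedFrame.reset(); }
private:
    std::unique_ptr<FrameBuffer> fSavedFrame;
};

// Scenario from the report: a frame is read (as when the sampling rate is
// needed while answering DESCRIBE) and the owner is destroyed before either
// consumer runs. Returns buffers still alive afterwards; 0 means no leak.
template <typename Parser>
int liveBuffersAfterEarlyTeardown(int sessions) {
    g_liveBuffers = 0;
    for (int i = 0; i < sessions; ++i) {
        Parser p;
        p.readAndSaveAFrame(4000);
    }  // p destroyed here; parseFrame()/onSavedFrameClosure() never ran
    return g_liveBuffers;
}

// Normal flow: a consumer releases the frame before teardown.
template <typename Parser>
int liveBuffersAfterNormalFlow(int sessions) {
    g_liveBuffers = 0;
    for (int i = 0; i < sessions; ++i) {
        Parser p;
        p.readAndSaveAFrame(4000);
        p.parseFrame();
    }
    return g_liveBuffers;
}

int leakyEarlyTeardown(int n) { return liveBuffersAfterEarlyTeardown<LeakyParser>(n); }
int fixedEarlyTeardown(int n) { return liveBuffersAfterEarlyTeardown<FixedParser>(n); }
int safeEarlyTeardown(int n)  { return liveBuffersAfterEarlyTeardown<SafeParser>(n); }
int leakyNormalFlow(int n)    { return liveBuffersAfterNormalFlow<LeakyParser>(n); }
int fixedNormalFlow(int n)    { return liveBuffersAfterNormalFlow<FixedParser>(n); }
int safeNormalFlow(int n)     { return liveBuffersAfterNormalFlow<SafeParser>(n); }

int main() {
    std::printf("early teardown, leaky: %d buffers alive\n", leakyEarlyTeardown(3));
    std::printf("early teardown, fixed: %d buffers alive\n", fixedEarlyTeardown(3));
    std::printf("early teardown, RAII:  %d buffers alive\n", safeEarlyTeardown(3));
    std::printf("normal flow, leaky:    %d buffers alive\n", leakyNormalFlow(3));
    return 0;
}
```

The early-teardown scenario is the one that matters for a server: each request that tears the object down before a consumer runs leaves one buffer alive, and the count grows with the number of requests, which is what the top screenshots in the report show. The minimal fix (destructor frees the pointer) is enough; the unique_ptr form additionally removes the need to remember every release path by hand.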
_______________________________________________ live-devel mailing list live-devel@lists.live555.com http://lists.live555.com/mailman/listinfo/live-devel