[Live-devel] UAF-live.2023.05.10
Hello,

While running testOnDemandRTSPServer from live.2023.05.10 in Ubuntu 20.04, we found one use-after-free. The following is the bug report from the address sanitizer:

==90==ERROR: AddressSanitizer: heap-use-after-free on address 0x7fffe6494810 at pc 0x00497a95 bp 0x735dd380 sp 0x735dcb48
WRITE of size 270 at 0x7fffe6494810 thread T0
    #0 0x497a94 in __asan_memmove (/home/ubuntu/experiments/live/testProgs/testOnDemandRTSPServer+0x497a94)
    #1 0x6066a0 in StreamParser::testBytes(unsigned char*, unsigned int) /home/ubuntu/experiments/live/liveMedia/./StreamParser.hh:96:5
    #2 0x6066a0 in StreamParser::getBytes(unsigned char*, unsigned int) /home/ubuntu/experiments/live/liveMedia/./StreamParser.hh:90:5
    #3 0x6066a0 in MatroskaFileParser::deliverFrameBytes() /home/ubuntu/experiments/live/liveMedia/MatroskaFileParser.cpp:1251:7
    #4 0x5fa759 in MatroskaFileParser::parse() /home/ubuntu/experiments/live/liveMedia/MatroskaFileParser.cpp:184:4
    #5 0x5f8fda in MatroskaFileParser::continueParsing() /home/ubuntu/experiments/live/liveMedia/MatroskaFileParser.cpp:111:10
    #6 0x5cf7b4 in MultiFramedRTPSink::packFrame() /home/ubuntu/experiments/live/liveMedia/MultiFramedRTPSink.cpp:223:14
    #7 0x5ceea4 in MultiFramedRTPSink::buildAndSendPacket(unsigned char) /home/ubuntu/experiments/live/liveMedia/MultiFramedRTPSink.cpp:199:3
    #8 0x5ceea4 in MultiFramedRTPSink::continuePlaying() /home/ubuntu/experiments/live/liveMedia/MultiFramedRTPSink.cpp:159:3
    #9 0x5ebb9e in StreamState::startPlaying(Destinations*, unsigned int, void (*)(void*), void*, void (*)(void*, unsigned char), void*) /home/ubuntu/experiments/live/liveMedia/OnDemandServerMediaSubsession.cpp:575:17
    #10 0x5eb216 in OnDemandServerMediaSubsession::startStream(unsigned int, void*, void (*)(void*), void*, unsigned short&, unsigned int&, void (*)(void*, unsigned char), void*) /home/ubuntu/experiments/live/liveMedia/OnDemandServerMediaSubsession.cpp:229:18
    #11 0x4e3aa0 in RTSPServer::RTSPClientSession::handleCmd_PLAY(RTSPServer::RTSPClientConnection*, ServerMediaSubsession*, char const*) /home/ubuntu/experiments/live/liveMedia/RTSPServer.cpp:1943:36
    #12 0x4e1b7e in RTSPServer::RTSPClientSession::handleCmd_withinSession(RTSPServer::RTSPClientConnection*, char const*, char const*, char const*, char const*) /home/ubuntu/experiments/live/liveMedia/RTSPServer.cpp
    #13 0x4dc30d in RTSPServer::RTSPClientConnection::handleRequestBytes(int) /home/ubuntu/experiments/live/liveMedia/RTSPServer.cpp:996:22
    #14 0x5e695a in GenericMediaServer::ClientConnection::incomingRequestHandler() /home/ubuntu/experiments/live/liveMedia/GenericMediaServer.cpp:324:3
    #15 0x649f55 in BasicTaskScheduler::SingleStep(unsigned int) /home/ubuntu/experiments/live/BasicUsageEnvironment/BasicTaskScheduler.cpp:171:2
    #16 0x6524aa in BasicTaskScheduler0::doEventLoop(char volatile*) /home/ubuntu/experiments/live/BasicUsageEnvironment/BasicTaskScheduler0.cpp:82:5
    #17 0x598cb5 in AC3AudioStreamParser::readAndSaveAFrame() /home/ubuntu/experiments/live/liveMedia/AC3AudioStreamFramer.cpp:314:41
    #18 0x598cb5 in AC3AudioStreamFramer::samplingRate() /home/ubuntu/experiments/live/liveMedia/AC3AudioStreamFramer.cpp:112:14
    #19 0x5283f6 in AC3AudioFileServerMediaSubsession::createNewRTPSink(Groupsock*, unsigned char, FramedSource*) /home/ubuntu/experiments/live/liveMedia/AC3AudioFileServerMediaSubsession.cpp:60:22
    #20 0x5ea403 in OnDemandServerMediaSubsession::getStreamParameters(unsigned int, sockaddr_storage const&, Port const&, Port const&, int, unsigned char, unsigned char, TLSState*, sockaddr_storage&, unsigned char&, unsigned char&, Port&, Port&, void*&) /home/ubuntu/experiments/live/liveMedia/OnDemandServerMediaSubsession.cpp:177:6
    #21 0x4e008d in RTSPServer::RTSPClientSession::handleCmd_SETUP_afterLookup2(ServerMediaSession*) /home/ubuntu/experiments/live/liveMedia/RTSPServer.cpp:1585:17
    #22 0x4dc0a8 in RTSPServer::RTSPClientConnection::handleRequestBytes(int) /home/ubuntu/experiments/live/liveMedia/RTSPServer.cpp:887:19
    #23 0x5e695a in GenericMediaServer::ClientConnection::incomingRequestHandler() /home/ubuntu/experiments/live/liveMedia/GenericMediaServer.cpp:324:3
    #24 0x649f55 in BasicTaskScheduler::SingleStep(unsigned int) /home/ubuntu/experiments/live/BasicUsageEnvironment/BasicTaskScheduler.cpp:171:2
    #25 0x6524aa in BasicTaskScheduler0::doEventLoop(char volatile*) /home/ubuntu/experiments/live/BasicUsageEnvironment/BasicTaskScheduler0.cpp:82:5
    #26 0x598cb5 in AC3AudioStreamParser::readAndSaveAFrame() /home/ubuntu/experiments/live/liveMedia/AC3AudioStreamFramer.cpp:314:41
    #27 0x598cb5 in AC3AudioStreamFramer::samplingRate() /home/ubuntu/experiments/live/liveMedia/AC3AudioStreamFramer.cpp:112:14
    #28 0x5283f6 in AC3AudioFileServerMediaSubsession::createNewRTPSink(Groupsock*, unsigned char, FramedSource*) /home/ubuntu/experiments/live/liveMedia/AC3AudioFileServerMediaSubsession.cpp:60:22

Re: [Live-devel] UAF-live.2023.05.10
Hey,

Here is the link to the media files:
https://github.com/aflnet/aflnet/tree/master/tutorials/live555/sample_media_sources.
All of our runs are using these files.

---
Kind Regards,
Jerry Testing

On Wed, 7 Jun 2023 at 10:36, jerry testing wrote:

> Hello,
>
> While running testOnDemandRTSPServer from live.2023.05.10 in Ubuntu 20.04,
> we found one use-after-free. The following is the bug report from the
> address sanitizer:
>
> ==90==ERROR: AddressSanitizer: heap-use-after-free on address
> 0x7fffe6494810 at pc 0x00497a95 bp 0x735dd380 sp 0x735dcb48
>
> WRITE of size 270 at 0x7fffe6494810 thread T0
>
> #0 0x497a94 in __asan_memmove
> (/home/ubuntu/experiments/live/testProgs/testOnDemandRTSPServer+0x497a94)
>
> #1 0x6066a0 in StreamParser::testBytes(unsigned char*, unsigned int)
> /home/ubuntu/experiments/live/liveMedia/./StreamParser.hh:96:5
>
> #2 0x6066a0 in StreamParser::getBytes(unsigned char*, unsigned int)
> /home/ubuntu/experiments/live/liveMedia/./StreamParser.hh:90:5
>
> #3 0x6066a0 in MatroskaFileParser::deliverFrameBytes()
> /home/ubuntu/experiments/live/liveMedia/MatroskaFileParser.cpp:1251:7
>
> #4 0x5fa759 in MatroskaFileParser::parse()
> /home/ubuntu/experiments/live/liveMedia/MatroskaFileParser.cpp:184:4
>
> #5 0x5f8fda in MatroskaFileParser::continueParsing()
> /home/ubuntu/experiments/live/liveMedia/MatroskaFileParser.cpp:111:10
>
> #6 0x5cf7b4 in MultiFramedRTPSink::packFrame()
> /home/ubuntu/experiments/live/liveMedia/MultiFramedRTPSink.cpp:223:14
>
> #7 0x5ceea4 in MultiFramedRTPSink::buildAndSendPacket(unsigned char)
> /home/ubuntu/experiments/live/liveMedia/MultiFramedRTPSink.cpp:199:3
>
> #8 0x5ceea4 in MultiFramedRTPSink::continuePlaying()
> /home/ubuntu/experiments/live/liveMedia/MultiFramedRTPSink.cpp:159:3
>
> #9 0x5ebb9e in StreamState::startPlaying(Destinations*, unsigned int,
> void (*)(void*), void*, void (*)(void*, unsigned char), void*)
> /home/ubuntu/experiments/live/liveMedia/OnDemandServerMediaSubsession.cpp:575:17
>
> #10 0x5eb216 in OnDemandServerMediaSubsession::startStream(unsigned
> int, void*, void (*)(void*), void*, unsigned short&, unsigned int&, void
> (*)(void*, unsigned char), void*)
> /home/ubuntu/experiments/live/liveMedia/OnDemandServerMediaSubsession.cpp:229:18
>
> #11 0x4e3aa0 in
> RTSPServer::RTSPClientSession::handleCmd_PLAY(RTSPServer::RTSPClientConnection*,
> ServerMediaSubsession*, char const*)
> /home/ubuntu/experiments/live/liveMedia/RTSPServer.cpp:1943:36
> #12 0x4e1b7e in
> RTSPServer::RTSPClientSession::handleCmd_withinSession(RTSPServer::RTSPClientConnection*,
> char const*, char const*, char const*, char const*)
> /home/ubuntu/experiments/live/liveMedia/RTSPServer.cpp
>
> #13 0x4dc30d in
> RTSPServer::RTSPClientConnection::handleRequestBytes(int)
> /home/ubuntu/experiments/live/liveMedia/RTSPServer.cpp:996:22
> #14 0x5e695a in
> GenericMediaServer::ClientConnection::incomingRequestHandler()
> /home/ubuntu/experiments/live/liveMedia/GenericMediaServer.cpp:324:3
> #15 0x649f55 in BasicTaskScheduler::SingleStep(unsigned int)
> /home/ubuntu/experiments/live/BasicUsageEnvironment/BasicTaskScheduler.cpp:171:2
> #16 0x6524aa in BasicTaskScheduler0::doEventLoop(char volatile*)
> /home/ubuntu/experiments/live/BasicUsageEnvironment/BasicTaskScheduler0.cpp:82:5
> #17 0x598cb5 in AC3AudioStreamParser::readAndSaveAFrame()
> /home/ubuntu/experiments/live/liveMedia/AC3AudioStreamFramer.cpp:314:41
> #18 0x598cb5 in AC3AudioStreamFramer::samplingRate()
> /home/ubuntu/experiments/live/liveMedia/AC3AudioStreamFramer.cpp:112:14
> #19 0x5283f6 in
> AC3AudioFileServerMediaSubsession::createNewRTPSink(Groupsock*, unsigned
> char, FramedSource*)
> /home/ubuntu/experiments/live/liveMedia/AC3AudioFileServerMediaSubsession.cpp:60:22
> #20 0x5ea403 in
> OnDemandServerMediaSubsession::getStreamParameters(unsigned int,
> sockaddr_storage const&, Port const&, Port const&, int, unsigned char,
> unsigned char, TLSState*, sockaddr_storage&, unsigned char&, unsigned
> char&, Port&, Port&, void*&)
> /home/ubuntu/experiments/live/liveMedia/OnDemandServerMediaSubsession.cpp:177:6
> #21 0x4e008d in
> RTSPServer::RTSPClientSession::handleCmd_SETUP_afterLookup2(ServerMediaSession*)
> /home/ubuntu/experiments/live/liveMedia/RTSPServer.cpp:1585:17
> #22 0x4dc0a8 in
> RTSPServer::RTSPClientConnection::handleRequestBytes(int)
> /home/ubuntu/experiments/live/liveMedia/RTSPServer.cpp:887:19
> #23 0x5e695a in
> GenericMediaServer::ClientConnection::incomingRequestHandler()
> /home/ubuntu/experiments/live/liveMedia/GenericMediaServer.cpp:324:3
> #24 0