-
-
Save meme/30c5cf45dc9b10761ba53fd068c04b30 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| With no valgrind nor asan, the following line is what crashes (note that the abort() is therefore never triggered) | |
| while (av_read_frame(input_format_context, &packet) >= 0) { | |
| abort(); | |
| // ... | |
| } | |
| The crash is the following: | |
| HLS request for url '<URL>.mp4', offset 353161, playlist 0 | |
| Opening '<URL>.mp4' for reading | |
| fish: “./a.out” terminated by signal SIGSEGV (Address boundary error) | |
| With valgrind, with the abort: | |
| AVIndex stream 0, sample 430, offset 56003, dts 439296, size 902, distance 0, keyframe 1 | |
| <blah blah blah, internal FFmpeg trace logging> | |
| ==15049== | |
| ==15049== Process terminating with default action of signal 6 (SIGABRT): dumping core | |
| With asan with the abort: | |
| AVIndex stream 0, sample 430, offset 56003, dts 439296, size 902, distance 0, keyframe 1 | |
| <blah blah blah, internal FFmpeg trace logging, same as valgrind> | |
| fish: “./a.out.asan” terminated by signal SIGABRT (Abort) | |
| --- | |
| Now, without the abort: | |
| while (av_read_frame(input_format_context, &packet) >= 0) { | |
| // abort(); | |
| // ... | |
| } | |
| Without asan, valgrind, same crash as above. | |
| With asan without the abort, | |
| <blah blah blah, internal FFmpeg trace logging, yet makes it further into my code, i.e.: the av_read_frame doesn't crash> | |
| ================================================================= | |
| ==16111==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000029f79 at pc 0x55aef4fd9eb0 bp 0x7ffd4428d2f0 sp 0x7ffd4428d2e0 | |
| READ of size 4 at 0x602000029f79 thread T0 | |
| #0 0x55aef4fd9eaf in get_bits libavcodec/get_bits.h:403 | |
| #1 0x55aef4fd9eaf in decode_extension_payload libavcodec/aacdec_template.c:2426 | |
| #2 0x55aef4fd9eaf in aac_decode_frame_int libavcodec/aacdec_template.c:3248 | |
| #3 0x55aef4fc1926 in aac_decode_frame libavcodec/aacdec_template.c:3370 | |
| #4 0x55aef3956119 in decode_simple_internal libavcodec/decode.c:433 | |
| #5 0x55aef3956119 in decode_simple_receive_frame libavcodec/decode.c:629 | |
| #6 0x55aef3956119 in decode_receive_frame_internal libavcodec/decode.c:647 | |
| #7 0x55aef3955a44 in avcodec_send_packet libavcodec/decode.c:705 | |
| // ... | |
| #14 0x55aef378b95d in main entrypoint.cpp:129 | |
| #15 0x7f1f7bc0dce2 in __libc_start_main (/usr/lib/libc.so.6+0x23ce2) | |
| #16 0x55aef378b07d in _start (a.out.asan+0x47c07d) | |
| 0x602000029f79 is located 0 bytes to the right of 9-byte region [0x602000029f70,0x602000029f79) | |
| allocated by thread T0 here: | |
| #0 0x7f1f7d23b289 in operator new[](unsigned long) | |
| #1 0x55aef37abbf9 in Host::DecryptForEach() | |
| #2 0x55aef37ac055 in Host::OnInitialized(bool) | |
| // ... | |
| #7 0x55aef378b95d in main entrypoint.cpp:129 | |
| #8 0x7f1f7bc0dce2 in __libc_start_main (/usr/lib/libc.so.6+0x23ce2) | |
| SUMMARY: AddressSanitizer: heap-buffer-overflow libavcodec/get_bits.h:403 in get_bits | |
| Shadow bytes around the buggy address: | |
| 0x0c047fffd390: fa fa fd fd fa fa 00 04 fa fa 05 fa fa fa 00 06 | |
| 0x0c047fffd3a0: fa fa 02 fa fa fa 00 06 fa fa fd fa fa fa fd fa | |
| 0x0c047fffd3b0: fa fa fd fd fa fa fd fa fa fa fd fa fa fa fd fd | |
| 0x0c047fffd3c0: fa fa fd fa fa fa fd fa fa fa fd fd fa fa fd fa | |
| 0x0c047fffd3d0: fa fa 00 00 fa fa fd fd fa fa fd fd fa fa 00 fa | |
| =>0x0c047fffd3e0: fa fa 00 01 fa fa fd fd fa fa 00 01 fa fa 00[01] | |
| 0x0c047fffd3f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa | |
| 0x0c047fffd400: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa | |
| 0x0c047fffd410: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa | |
| 0x0c047fffd420: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa | |
| 0x0c047fffd430: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa | |
| Shadow byte legend (one shadow byte represents 8 application bytes): | |
| Addressable: 00 | |
| Partially addressable: 01 02 03 04 05 06 07 | |
| Heap left redzone: fa | |
| Freed heap region: fd | |
| Stack left redzone: f1 | |
| Stack mid redzone: f2 | |
| Stack right redzone: f3 | |
| Stack after return: f5 | |
| Stack use after scope: f8 | |
| Global redzone: f9 | |
| Global init order: f6 | |
| Poisoned by user: f7 | |
| Container overflow: fc | |
| Array cookie: ac | |
| Intra object redzone: bb | |
| ASan internal: fe | |
| Left alloca redzone: ca | |
| Right alloca redzone: cb | |
| ==16111==ABORTING | |
| With valgrind, without the abort: | |
| <never fails, just runs until the end, program works as would be expected> | |
| With valgrind `with valgrind -memcheck:freelist-vol=512000000 --free-fill=0xf --malloc-fill=0xf` | |
| <never fails, just runs until the end, program works as would be expected> |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment