Heap Use-After-Free in VLC 2.1.5 dirac packetizer
Running an ASAN-ified VLC 2.1.5, I have found a Heap Use-After-Free in Packetize -> dirac_TimeGenPush -> dirac_GetBlockEncap when parsing a specially crafted .drc file (attached).
Free occurs at modules/packetizer/dirac.c:1311
Use occurs at modules/packetizer/dirac.c:1234
ASAN output:
==7690== ERROR: AddressSanitizer: heap-use-after-free on address 0x60100000f178 at pc 0x7fffdd879cc9 bp 0x7fffe1be1940 sp 0x7fffe1be1938
READ of size 8 at 0x60100000f178 thread T5
#0 0x7fffdd879cc8 (/usr/local/lib/vlc/plugins/packetizer/libpacketizer_dirac_plugin.so+0x3cc8)
#1 0x7fffdd87f1e0 (/usr/local/lib/vlc/plugins/packetizer/libpacketizer_dirac_plugin.so+0x91e0)
#2 0x7fffdd87f8a3 (/usr/local/lib/vlc/plugins/packetizer/libpacketizer_dirac_plugin.so+0x98a3)
#3 0x7fffdfb144b4 (/usr/local/lib/vlc/plugins/demux/libdirac_plugin.so+0x24b4)
#4 0x7ffff3e14eac (/usr/local/lib/libvlccore.so.7.0.0+0xd1eac)
#5 0x7ffff3e17b30 (/usr/local/lib/libvlccore.so.7.0.0+0xd4b30)
#6 0x7ffff3e18f60 (/usr/local/lib/libvlccore.so.7.0.0+0xd5f60)
#7 0x7ffff3e1771c (/usr/local/lib/libvlccore.so.7.0.0+0xd471c)
#8 0x7ffff4e63b97 (/usr/lib/x86_64-linux-gnu/libasan.so.0.0.0+0x18b97)
#9 0x7ffff49f9181 (/lib/x86_64-linux-gnu/libpthread-2.19.so+0x8181)
#10 0x7ffff4521fbc (/lib/x86_64-linux-gnu/libc-2.19.so+0xfafbc)
0x60100000f178 is located 88 bytes inside of 96-byte region [0x60100000f120,0x60100000f180)
freed by thread T5 here:
#0 0x7ffff4e6033a (/usr/lib/x86_64-linux-gnu/libasan.so.0.0.0+0x1533a)
#1 0x7fffdd8798ba (/usr/local/lib/vlc/plugins/packetizer/libpacketizer_dirac_plugin.so+0x38ba)
#2 0x7fffdd877565 (/usr/local/lib/vlc/plugins/packetizer/libpacketizer_dirac_plugin.so+0x1565)
#3 0x7fffdd8801cb (/usr/local/lib/vlc/plugins/packetizer/libpacketizer_dirac_plugin.so+0xa1cb)
#4 0x7fffdfb144b4 (/usr/local/lib/vlc/plugins/demux/libdirac_plugin.so+0x24b4)
#5 0x7ffff3e14eac (/usr/local/lib/libvlccore.so.7.0.0+0xd1eac)
#6 0x7ffff3e17b30 (/usr/local/lib/libvlccore.so.7.0.0+0xd4b30)
#7 0x7ffff3e18f60 (/usr/local/lib/libvlccore.so.7.0.0+0xd5f60)
#8 0x7ffff3e1771c (/usr/local/lib/libvlccore.so.7.0.0+0xd471c)
#9 0x7ffff4e63b97 (/usr/lib/x86_64-linux-gnu/libasan.so.0.0.0+0x18b97)
previously allocated by thread T5 here:
#0 0x7ffff4e604e5 (/usr/lib/x86_64-linux-gnu/libasan.so.0.0.0+0x154e5)
#1 0x7fffdd8774ff (/usr/local/lib/vlc/plugins/packetizer/libpacketizer_dirac_plugin.so+0x14ff)
#2 0x7fffdd8798db (/usr/local/lib/vlc/plugins/packetizer/libpacketizer_dirac_plugin.so+0x38db)
#3 0x7fffdd87e773 (/usr/local/lib/vlc/plugins/packetizer/libpacketizer_dirac_plugin.so+0x8773)
#4 0x7fffdd87f857 (/usr/local/lib/vlc/plugins/packetizer/libpacketizer_dirac_plugin.so+0x9857)
#5 0x7fffdfb144b4 (/usr/local/lib/vlc/plugins/demux/libdirac_plugin.so+0x24b4)
#6 0x7ffff3e14eac (/usr/local/lib/libvlccore.so.7.0.0+0xd1eac)
#7 0x7ffff3e17b30 (/usr/local/lib/libvlccore.so.7.0.0+0xd4b30)
#8 0x7ffff3e18f60 (/usr/local/lib/libvlccore.so.7.0.0+0xd5f60)
#9 0x7ffff3e1771c (/usr/local/lib/libvlccore.so.7.0.0+0xd471c)
#10 0x7ffff4e63b97 (/usr/lib/x86_64-linux-gnu/libasan.so.0.0.0+0x18b97)
Thread T5 created by T2 here:
#0 0x7ffff4e55b5b (/usr/lib/x86_64-linux-gnu/libasan.so.0.0.0+0xab5b)
#1 0x7ffff3efb698 (/usr/local/lib/libvlccore.so.7.0.0+0x1b8698)
#2 0x7ffff3efb791 (/usr/local/lib/libvlccore.so.7.0.0+0x1b8791)
#3 0x7ffff3e1533a (/usr/local/lib/libvlccore.so.7.0.0+0xd233a)
#4 0x7ffff3dafa2c (/usr/local/lib/libvlccore.so.7.0.0+0x6ca2c)
#5 0x7ffff3db1407 (/usr/local/lib/libvlccore.so.7.0.0+0x6e407)
#6 0x7ffff3db1771 (/usr/local/lib/libvlccore.so.7.0.0+0x6e771)
#7 0x7ffff4e63b97 (/usr/lib/x86_64-linux-gnu/libasan.so.0.0.0+0x18b97)
Thread T2 created by T0 here:
#0 0x7ffff4e55b5b (/usr/lib/x86_64-linux-gnu/libasan.so.0.0.0+0xab5b)
#1 0x7ffff3efb698 (/usr/local/lib/libvlccore.so.7.0.0+0x1b8698)
#2 0x7ffff3efb791 (/usr/local/lib/libvlccore.so.7.0.0+0x1b8791)
#3 0x7ffff3daea33 (/usr/local/lib/libvlccore.so.7.0.0+0x6ba33)
#4 0x7ffff3db48a6 (/usr/local/lib/libvlccore.so.7.0.0+0x718a6)
#5 0x7ffff3db51bd (/usr/local/lib/libvlccore.so.7.0.0+0x721bd)
#6 0x7ffff3d92742 (/usr/local/lib/libvlccore.so.7.0.0+0x4f742)
#7 0x7ffff3d92046 (/usr/local/lib/libvlccore.so.7.0.0+0x4f046)
#8 0x7ffff4c1a76a (/usr/local/lib/libvlc.so.5.4.0+0xb76a)
#9 0x401c59 (/usr/local/bin/vlc+0x401c59)
#10 0x7ffff4448ec4 (/lib/x86_64-linux-gnu/libc-2.19.so+0x21ec4)
Shadow bytes around the buggy address:
0x0c027fff9dd0: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
0x0c027fff9de0: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
0x0c027fff9df0: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
0x0c027fff9e00: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
0x0c027fff9e10: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0c027fff9e20: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd[fd]
0x0c027fff9e30: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
0x0c027fff9e40: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
0x0c027fff9e50: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
0x0c027fff9e60: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
0x0c027fff9e70: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap righ redzone: fb
Freed Heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
ASan internal: fe
==7690== ABORTING
GDB bt full:
#0 0x00007ffff445dbb9 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
        resultvar = 0
        pid = 7690
        selftid = 7695
#1 0x00007ffff4460fc8 in __GI_abort () at abort.c:89
        save_stage = 2
        act = {__sigaction_handler = {sa_handler = 0x6, sa_sigaction = 0x6}, sa_mask = {__val = {13204876926592, 13204876926592, 140737351947607, 140733193388037, 0, 8192,
            140737291410728, 8, 13204876926592, 140737302153374, 140737351976213, 0, 18446744073709551615, 18446744073709551615, 0, 140737354047488}}, sa_flags = -186202377,
            sa_restorer = 0x7ffff4e6c6f7}
        sigs = {__val = {32, 0 <repeats 15 times>}}
#2 0x00007ffff4e66829 in ?? () from /usr/lib/x86_64-linux-gnu/libasan.so.0
No symbol table info available.
#3 0x00007ffff4e5d3ec in ?? () from /usr/lib/x86_64-linux-gnu/libasan.so.0
No symbol table info available.
#4 0x00007ffff4e64012 in ?? () from /usr/lib/x86_64-linux-gnu/libasan.so.0
No symbol table info available.
#5 0x00007ffff4e63121 in __asan_report_error () from /usr/lib/x86_64-linux-gnu/libasan.so.0
No symbol table info available.
#6 0x00007ffff4e5d734 in __asan_report_load8 () from /usr/lib/x86_64-linux-gnu/libasan.so.0
No symbol table info available.
#7 0x00007fffdd879cc9 in dirac_GetBlockEncap (p_block=0x60100000f120) at dirac.c:264
No locals.
#8 0x00007fffdd87f1e1 in dirac_TimeGenPush (p_dec=0x60440005f118, p_block_in=0x60100000ed20) at dirac.c:1153
        p_sys = 0x60420003ec00
        p_dbe = 0x600400050030
        u_picnum = 10
        p_block = 0x60100000f120
#9 0x00007fffdd87f8a4 in Packetize (p_dec=0x60440005f118, pp_block=0x7fffe1be1bc0) at dirac.c:1234
        p_sys = 0x60420003ec00
        p_block = 0x60100000ed20
        i_flushing = 0
        p_output = 0x606200077580
        pp_output = 0x7fffe1be1ad0
        __PRETTY_FUNCTION__ = "Packetize"
        i_count = 10
#10 0x00007fffdfb144b5 in Demux (p_demux=0x60280004f758) at dirac.c:183
        p_sys = 0x60080003bf90
        p_block_in = 0x0
        p_block_out = 0x0
#11 0x00007ffff3e14ead in demux_Demux (p_demux=0x60280004f758) at input/demux.h:44
No locals.
#12 0x00007ffff3e17b31 in MainLoopDemux (p_input=0x60220003fd38, pb_changed=0x7fffe1be1d70, pb_demux_polled=0x7fffe1be1db0, i_start_mdate=359995299382) at input/input.c:562
        i_ret = 32767
#13 0x00007ffff3e18f61 in MainLoop (p_input=0x60220003fd38, b_interactive=true) at input/input.c:738
        b_force_update = false
        val = {i_int = 0, b_bool = false, f_float = 0, psz_string = 0x0, p_address = 0x0, p_object = 0x0, p_list = 0x0, i_time = 0, coords = {x = 0, y = 0}}
        i_current = 359995303540
        i_wakeup = 0
        b_paused = false
        b_demux_polled = true
        i_start_mdate = 359995299382
        i_intf_update = 359995549462
        i_statistic_update = 359996299462
        i_last_seek_mdate = 0
        b_pause_after_eof = false
#14 0x00007ffff3e1771d in Run (obj=0x60220003fd38) at input/input.c:524
        p_input = 0x60220003fd38
        canc = 0
        b_abort = false
#15 0x00007ffff4e63b98 in ?? () from /usr/lib/x86_64-linux-gnu/libasan.so.0
No symbol table info available.
#16 0x00007ffff49f9182 in start_thread (arg=0x7fffe1be2700) at pthread_create.c:312
        __res = <optimized out>
        pd = 0x7fffe1be2700
        now = <optimized out>
        unwind_buf = {cancel_jmp_buf = {{jmp_buf = {140736980723456, 8694313083685984749, 0, 0, 140736980724160, 140736980723456, -8694299327970780691, -8694323805319308819},
            mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x0, 0x0}, data = {prev = 0x0, cleanup = 0x0, canceltype = 0}}}
        not_first_call = <optimized out>
        pagesize_m1 = <optimized out>
        sp = <optimized out>
        freesize = <optimized out>
        __PRETTY_FUNCTION__ = "start_thread"
#17 0x00007ffff4521fbd in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:111
No locals.