hotkeys: use after free
Quitting VLC
^C[000060e000000040] main libvlc debug: exiting
[000060e000000040] main libvlc debug: removing all interfaces
[000060600005eb20] main interface debug: removing module "cli"
[000060600005e9a0] main interface debug: removing module "xcb_hotkeys"
[000060600005e880] main interface debug: removing module "hotkeys"
[000060600005e1c0] main interface debug: removing module "dbus"
[000060600005cfc0] main keystore debug: removing module "memory"
[000061c000020080] main decoder debug: killing decoder fourcc `mpgv'
[000061c000020080] main decoder debug: removing module "avcodec"
=================================================================
==140429==ERROR: AddressSanitizer: heap-use-after-free on address 0x60600005e8e0 at pc 0x7fd901298317 bp 0x7fd8efdfc670 sp 0x7fd8efdfc668
READ of size 8 at 0x60600005e8e0 thread T14
[000061700005e880] main filter debug: removing module "swscale"
[0000616000083a80] main vout display debug: Filter 0x61700005e880 removed from chain
[0000617000070080] main filter debug: removing module "deinterlace"
[0000619000080280] main video output debug: Filter 0x617000070080 removed from chain
[0000617000003880] main player debug: saving a free vout
[0000616000043580] main packetizer debug: removing module "mpegvideo"
[000061e000001880] main input debug: ES track unselected: 'video/auto/0' (fourcc: 'mpgv')
[00006110000205c0] main demux debug: removing module "ps"
[00006110000205c0] main demux debug: attempt to destroy nonexistent variable "module-name"
[000061e000001880] main input debug: ES track deleted: 'video/auto/0' (fourcc: 'mpgv')
[000061e000001880] main input debug: ES track deleted: 'spu/auto/3' (fourcc: 'spu ')
[000061e000001880] main input debug: ES track deleted: 'spu/auto/4' (fourcc: 'spu ')
[000061e000001880] main input debug: ES track deleted: 'audio/auto/1' (fourcc: 'a52 ')
[000061e000001880] main input debug: ES track deleted: 'audio/auto/2' (fourcc: 'a52 ')
[000061e000001880] main input debug: Program doesn't contain anymore ES
[0000611000020480] main stream filter debug: removing module "record"
[0000611000020200] main stream filter debug: removing module "cache_read"
[000061100001ff80] main access debug: removing module "filesystem"
#0 0x7fd901298316 in MouseMovedCallback ../../modules/control/hotkeys.c:1149
#1 0x7fd90bc1554a in TriggerCallback ../../src/misc/variables.c:252
#2 0x7fd90bc1deb9 in var_SetChecked ../../src/misc/variables.c:712
#3 0x7fd90baf13b1 in var_SetCoords ../../include/vlc_variables.h:320
#4 0x7fd90baf7784 in vout_MouseState ../../src/video_output/video_output.c:297
#5 0x7fd90bb4cad1 in vout_display_window_MouseEvent ../../src/video_output/video_window.c:168
#6 0x7fd8f2b21338 in vout_window_SendMouseEvent ../../include/vlc_vout_window.h:637
#7 0x7fd8f2b214e9 in vout_window_ReportMouseMoved ../../include/vlc_vout_window.h:656
#8 0x7fd8f2b23815 in ProcessEvent ../../modules/video_output/xcb/window.c:278
#9 0x7fd8f2b241a1 in Thread ../../modules/video_output/xcb/window.c:365
#10 0x7fd90aacfd7f in start_thread nptl/pthread_create.c:481
#11 0x7fd90a9e976e in clone (/lib/x86_64-linux-gnu/libc.so.6+0xfa76e)
0x60600005e8e0 is located 0 bytes inside of 56-byte region [0x60600005e8e0,0x60600005e918)
freed by thread T0 here:
#0 0x7fd90c6794d7 in __interceptor_free ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:127
#1 0x7fd901299710 in Close ../../modules/control/hotkeys.c:1268
#2 0x7fd90b8e1ca2 in module_unneed ../../src/modules/modules.c:304
#3 0x7fd90b902b08 in intf_DestroyAll ../../src/interface/interface.c:303
#4 0x7fd90b88e8dd in libvlc_InternalCleanup ../../src/libvlc.c:351
#5 0x7fd90c4f8e92 in libvlc_release ../../lib/core.c:85
#6 0x55795579a589 in main ../../bin/vlc.c:273
#7 0x7fd90a9127fc in __libc_start_main ../csu/libc-start.c:332
previously allocated by thread T0 here:
#0 0x7fd90c6797cf in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
#1 0x7fd901298fa4 in Open ../../modules/control/hotkeys.c:1233
#2 0x7fd90b8e193a in generic_start ../../src/modules/modules.c:275
#3 0x7fd90b8e154f in vlc_module_load ../../src/modules/modules.c:243
#4 0x7fd90b8e1a70 in module_need ../../src/modules/modules.c:286
#5 0x7fd90b901b50 in intf_Create ../../src/interface/interface.c:172
#6 0x7fd901299739 in AutoRun ../../modules/control/hotkeys.c:1273
#7 0x7fd90b9025e3 in libvlc_AutoRun ../../src/interface/interface.c:253
#8 0x7fd90b9026f6 in libvlc_InternalAddIntf ../../src/interface/interface.c:270
#9 0x7fd90c4fef78 in libvlc_add_intf ../../lib/playlist.c:41
#10 0x55795579a3a6 in main ../../bin/vlc.c:239
#11 0x7fd90a9127fc in __libc_start_main ../csu/libc-start.c:332
Thread T14 created by T12 (vlc-decoder) here:
#0 0x7fd90c621716 in __interceptor_pthread_create ../../../../src/libsanitizer/asan/asan_interceptors.cpp:216
#1 0x7fd90bc562fb in vlc_clone_attr ../../src/posix/thread.c:179
#2 0x7fd90bc564df in vlc_clone ../../src/posix/thread.c:190
#3 0x7fd8f2b26dc9 in OpenCommon ../../modules/video_output/xcb/window.c:683
#4 0x7fd8f2b27763 in Open ../../modules/video_output/xcb/window.c:755
#5 0x7fd90bb4f739 in vout_window_start ../../src/video_output/window.c:59
#6 0x7fd90b8e154f in vlc_module_load ../../src/modules/modules.c:243
#7 0x7fd90bb4ff7a in vout_window_New ../../src/video_output/window.c:92
#8 0x7fd90bb4f112 in vout_display_window_New ../../src/video_output/video_window.c:327
#9 0x7fd90bb0e8d8 in vout_Create ../../src/video_output/video_output.c:1965
#10 0x7fd90ba8b910 in RequestVoutRsc ../../src/input/resource.c:431
#11 0x7fd90ba8be47 in input_resource_RequestVout ../../src/input/resource.c:468
#12 0x7fd90b96f8a5 in CreateVoutIfNeeded ../../src/input/decoder.c:596
#13 0x7fd90b96ff0a in ModuleThread_GetDecoderDevice ../../src/input/decoder.c:628
#14 0x7fd8f939712c in decoder_GetDecoderDevice ../../include/vlc_codec.h:335
#15 0x7fd8f93a4403 in lavc_UpdateVideoFormat ../../modules/codec/avcodec/video.c:284
#16 0x7fd8f93bce79 in ffmpeg_GetFormat ../../modules/codec/avcodec/video.c:1716
#17 0x7fd8f816bb18 (/usr/lib/x86_64-linux-gnu/libavcodec.so.58+0x27cb18)
Thread T12 (vlc-decoder) created by T11 (vlc-input) here:
#0 0x7fd90c621716 in __interceptor_pthread_create ../../../../src/libsanitizer/asan/asan_interceptors.cpp:216
#1 0x7fd90bc562fb in vlc_clone_attr ../../src/posix/thread.c:179
#2 0x7fd90bc564df in vlc_clone ../../src/posix/thread.c:190
#3 0x7fd90b986093 in decoder_New ../../src/input/decoder.c:2126
#4 0x7fd90b9861d2 in vlc_input_decoder_New ../../src/input/decoder.c:2147
#5 0x7fd90b9c0e82 in EsOutCreateDecoder ../../src/input/es_out.c:2359
#6 0x7fd90b9c32ba in EsOutSelectEs ../../src/input/es_out.c:2489
#7 0x7fd90b9c699a in EsOutSelect ../../src/input/es_out.c:2775
#8 0x7fd90b9bf141 in EsOutAddLocked ../../src/input/es_out.c:2245
#9 0x7fd90b9bf300 in EsOutAdd ../../src/input/es_out.c:2261
#10 0x7fd90b9f27d9 in CmdExecuteAdd ../../src/input/es_out_timeshift.c:1455
#11 0x7fd90b9e3f44 in Add ../../src/input/es_out_timeshift.c:466
#12 0x7fd8f9edc14e in es_out_Add ../../include/vlc_es_out.h:150
#13 0x7fd8f9ee77c9 in CreateOrUpdateES ../../modules/demux/mpeg/ps.c:138
#14 0x7fd8f9eeeb15 in Demux ../../modules/demux/mpeg/ps.c:591
#15 0x7fd90b9962ce in demux_Demux ../../src/input/demux.c:212
#16 0x7fd90ba054c5 in MainLoopDemux ../../src/input/input.c:498
#17 0x7fd90ba07ab6 in MainLoop ../../src/input/input.c:645
#18 0x7fd90ba04c52 in Run ../../src/input/input.c:428
#19 0x7fd90aacfd7f in start_thread nptl/pthread_create.c:481
Thread T11 (vlc-input) created by T0 here:
#0 0x7fd90c621716 in __interceptor_pthread_create ../../../../src/libsanitizer/asan/asan_interceptors.cpp:216
#1 0x7fd90bc562fb in vlc_clone_attr ../../src/posix/thread.c:179
#2 0x7fd90bc564df in vlc_clone ../../src/posix/thread.c:190
#3 0x7fd90ba01359 in input_Start ../../src/input/input.c:130
#4 0x7fd90ba4b411 in vlc_player_input_Start ../../src/player/input.c:96
#5 0x7fd90ba3f7e0 in vlc_player_Start ../../src/player/player.c:1176
#6 0x7fd90b918630 in vlc_playlist_Start ../../src/playlist/player.c:176
#7 0x7fd90b90237d in libvlc_InternalPlay ../../src/interface/interface.c:238
#8 0x7fd90c4fef06 in libvlc_playlist_play ../../lib/playlist.c:36
#9 0x55795579a477 in main ../../bin/vlc.c:245
#10 0x7fd90a9127fc in __libc_start_main ../csu/libc-start.c:332
SUMMARY: AddressSanitizer: heap-use-after-free ../../modules/control/hotkeys.c:1149 in MouseMovedCallback
Shadow bytes around the buggy address:
0x0c0c80003cc0: fd fd fd fd fa fa fa fa fd fd fd fd fd fd fd fa
0x0c0c80003cd0: fa fa fa fa fd fd fd fd fd fd fd fa fa fa fa fa
0x0c0c80003ce0: fd fd fd fd fd fd fd fa fa fa fa fa fd fd fd fd
0x0c0c80003cf0: fd fd fd fa fa fa fa fa fd fd fd fd fd fd fd fd
0x0c0c80003d00: fa fa fa fa 00 00 00 00 00 00 00 07 fa fa fa fa
=>0x0c0c80003d10: fd fd fd fd fd fd fd fd fa fa fa fa[fd]fd fd fd
0x0c0c80003d20: fd fd fd fa fa fa fa fa 00 00 00 00 00 00 00 fa
0x0c0c80003d30: fa fa fa fa fd fd fd fd fd fd fd fd fa fa fa fa
0x0c0c80003d40: fd fd fd fd fd fd fd fd fa fa fa fa fd fd fd fd
0x0c0c80003d50: fd fd fd fd fa fa fa fa fd fd fd fd fd fd fd fd
0x0c0c80003d60: fa fa fa fa fd fd fd fd fd fd fd fd fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==140429==ABORTING
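What the report above shows: the "hotkeys" interface allocates its private state in Open (hotkeys.c:1233), frees it in Close (hotkeys.c:1268) on the main thread T0 during libvlc_InternalCleanup, and the xcb window thread T14 then delivers a mouse-moved event through var_SetCoords / TriggerCallback into MouseMovedCallback (hotkeys.c:1149), which reads the freed 56-byte block. The listener object dies before its callback registration does. The C program below is an added example, not VLC's code: a minimal callback registry with a hypothetical "mouse-moved" variable and hypothetical var_add_callback / var_del_callback / var_set_coords stand-ins (not VLC's var_AddCallback / var_DelCallback API), with the buggy Close beside the fixed one. The buggy path is only measured (it leaves a dangling registration), not dispatched, since dispatching it is exactly the heap-use-after-free in the report.

```c
/* Added example, not VLC's code: a minimal model of the bug in the report above.
 * A "variable" keeps (callback, opaque) pairs; an interface allocates private
 * state in open(), registers a callback that reads it, and frees it in close().
 * All names here are hypothetical; the buggy/fixed close() pair is the point. */
#include <stdlib.h>

#define MAX_CALLBACKS 8
typedef void (*callback_fn)(void *opaque, int x, int y);

/* Stand-in for an object variable such as "mouse-moved". */
typedef struct {
    callback_fn fn[MAX_CALLBACKS];
    void *opaque[MAX_CALLBACKS];
    int count;
} variable_t;
static variable_t mouse_moved;

/* Private interface state: allocated in open(), freed in close(). */
typedef struct { int events_seen; } intf_sys_t;

static int var_add_callback(variable_t *v, callback_fn fn, void *opaque)
{
    if (v->count == MAX_CALLBACKS) return -1;
    v->fn[v->count] = fn;
    v->opaque[v->count++] = opaque;
    return 0;
}

/* Remove one (fn, opaque) entry; returns 1 if it was registered. */
static int var_del_callback(variable_t *v, callback_fn fn, void *opaque)
{
    for (int i = 0; i < v->count; i++)
        if (v->fn[i] == fn && v->opaque[i] == opaque) {
            v->count--;                     /* move the last entry into the hole */
            v->fn[i] = v->fn[v->count];
            v->opaque[i] = v->opaque[v->count];
            return 1;
        }
    return 0;
}

/* Deliver an event to every registered callback; returns how many ran. In the
 * report this runs on the xcb window thread (T14) while close() runs on T0, so a
 * real registry must also lock across dispatch and deregistration (not shown). */
static int var_set_coords(variable_t *v, int x, int y)
{
    int n = v->count;
    for (int i = 0; i < n; i++)
        v->fn[i](v->opaque[i], x, y);
    return n;
}

/* Reads the private state through `opaque`: a use-after-free once it is freed. */
static void mouse_moved_callback(void *opaque, int x, int y)
{
    intf_sys_t *sys = opaque;
    (void)x; (void)y;
    sys->events_seen++;
}

static intf_sys_t *intf_open(void)
{
    intf_sys_t *sys = calloc(1, sizeof *sys);
    if (sys) var_add_callback(&mouse_moved, mouse_moved_callback, sys);
    return sys;
}

/* Buggy: frees the state but leaves the callback registered (dangling). */
static void intf_close_buggy(intf_sys_t *sys) { free(sys); }
/* Fixed: deregister first, then free, so no later dispatch can reach `sys`. */
static void intf_close_fixed(intf_sys_t *sys)
{
    var_del_callback(&mouse_moved, mouse_moved_callback, sys);
    free(sys);
}

/* Dangling entries left by the buggy close(). The dispatch that would use them
 * is deliberately not made: under ASan it is the crash above, else silent. */
int demo_buggy(void)
{
    intf_sys_t *sys = intf_open();
    if (sys == NULL) return -1;
    var_set_coords(&mouse_moved, 10, 20);   /* fine: sys is still alive */
    intf_close_buggy(sys);
    int dangling = mouse_moved.count;
    mouse_moved.count = 0;                  /* discard the dangling entry */
    return dangling;
}

/* How many callbacks a dispatch after the fixed close() still reaches. */
int demo_fixed(void)
{
    intf_sys_t *sys = intf_open();
    if (sys == NULL) return -1;
    var_set_coords(&mouse_moved, 10, 20);
    intf_close_fixed(sys);
    return var_set_coords(&mouse_moved, 30, 40);   /* 0: nothing left to call */
}
```

The ordering in intf_close_fixed (deregister, then free) is the minimum fix; because the real dispatcher is another thread, the registry must additionally hold a lock across the callback loop and across deregistration, so that var_del_callback cannot return while a callback on the window thread is still inside the about-to-be-freed state. Building with -fsanitize=address and adding a var_set_coords call after intf_close_buggy reproduces the same heap-use-after-free class of report as the one above.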