4.0 regression: ancillary data crashes wall splitter

vlc -Irc video.mpg --dec-dev --video-splitter wall -vv

...

=================================================================
==2390944==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7f0ffe582900 at pc 0x7f101cd43567 bp 0x7f0ffe582620 sp 0x7f0ffe582618
READ of size 8 at 0x7f0ffe582900 thread T24 (vlc-vout)
    #0 0x7f101cd43566 in vlc_ancillary_array_Dup ../../src/misc/ancillary.c:117
    #1 0x7f101cd67359 in picture_CopyProperties ../../src/misc/picture.c:409
    #2 0x7f101cd678c4 in picture_Copy ../../src/misc/picture.c:426
    #3 0x7f10021a959d in Filter ../../modules/video_splitter/wall.c:280
    #4 0x7f10021c55aa in video_splitter_Filter ../../include/vlc_video_splitter.h:130
    #5 0x7f10021c5888 in vlc_vidsplit_Prepare ../../modules/video_output/splitter.c:63
    #6 0x7f101cc9a9ea in RenderPicture ../../src/video_output/video_output.c:1260
    #7 0x7f101cc9c981 in DisplayPicture ../../src/video_output/video_output.c:1449
    #8 0x7f101cca1d04 in Thread ../../src/video_output/video_output.c:1755
    #9 0x7f101bc5dd7f in start_thread nptl/pthread_create.c:481
    #10 0x7f101bb7776e in clone (/lib/x86_64-linux-gnu/libc.so.6+0xfa76e)

Address 0x7f0ffe582900 is located in stack of thread T24 (vlc-vout) at offset 432 in frame
    #0 0x7f10021a875f in Filter ../../modules/video_splitter/wall.c:250

  This frame has 1 object(s):
    [32, 416) 'tmp' (line 270) <== Memory access at offset 432 overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
      (longjmp and C++ exceptions *are* supported)
Thread T24 (vlc-vout) created by T12 (vlc-decoder) here:
    #0 0x7f101d7c6716 in __interceptor_pthread_create ../../../../src/libsanitizer/asan/asan_interceptors.cpp:216
    #1 0x7f101cdf07f9 in vlc_clone_attr ../../src/posix/thread.c:179
    #2 0x7f101cdf09dd in vlc_clone ../../src/posix/thread.c:190
    #3 0x7f101cca7830 in vout_Request ../../src/video_output/video_output.c:2141
    #4 0x7f101cc21965 in input_resource_RequestVout ../../src/input/resource.c:497
    #5 0x7f101cb023d6 in ModuleThread_UpdateVideoFormat ../../src/input/decoder.c:512
    #6 0x7f101cb27e09 in decoder_UpdateVideoOutput ../../src/input/decoder_helpers.c:151
    #7 0x7f100a618598 in lavc_GetFrame ../../modules/codec/avcodec/video.c:1560
    #8 0x7f10093ca45a in ff_get_buffer src/libavcodec/decode.c:1944

Thread T12 (vlc-decoder) created by T11 (vlc-input) here:
    #0 0x7f101d7c6716 in __interceptor_pthread_create ../../../../src/libsanitizer/asan/asan_interceptors.cpp:216
    #1 0x7f101cdf07f9 in vlc_clone_attr ../../src/posix/thread.c:179
    #2 0x7f101cdf09dd in vlc_clone ../../src/posix/thread.c:190
    #3 0x7f101cb1b1a0 in decoder_New ../../src/input/decoder.c:2134
    #4 0x7f101cb1b2df in vlc_input_decoder_New ../../src/input/decoder.c:2156
    #5 0x7f101cb5645c in EsOutCreateDecoder ../../src/input/es_out.c:2358
    #6 0x7f101cb58894 in EsOutSelectEs ../../src/input/es_out.c:2488
    #7 0x7f101cb5bf74 in EsOutSelect ../../src/input/es_out.c:2774
    #8 0x7f101cb5471b in EsOutAddLocked ../../src/input/es_out.c:2244
    #9 0x7f101cb548da in EsOutAdd ../../src/input/es_out.c:2260
    #10 0x7f101cb87dbc in CmdExecuteAdd ../../src/input/es_out_timeshift.c:1455
    #11 0x7f101cb7953a in Add ../../src/input/es_out_timeshift.c:466
    #12 0x7f100b0dc15c in es_out_Add ../../include/vlc_es_out.h:150
    #13 0x7f100b0e77d7 in CreateOrUpdateES ../../modules/demux/mpeg/ps.c:138
    #14 0x7f100b0eeb23 in Demux ../../modules/demux/mpeg/ps.c:591
    #15 0x7f101cb2b58a in demux_Demux ../../src/input/demux.c:212
    #16 0x7f101cb9aab6 in MainLoopDemux ../../src/input/input.c:498
    #17 0x7f101cb9d0a7 in MainLoop ../../src/input/input.c:645
    #18 0x7f101cb9a243 in Run ../../src/input/input.c:428
    #19 0x7f101bc5dd7f in start_thread nptl/pthread_create.c:481

Thread T11 (vlc-input) created by T0 here:
    #0 0x7f101d7c6716 in __interceptor_pthread_create ../../../../src/libsanitizer/asan/asan_interceptors.cpp:216
    #1 0x7f101cdf07f9 in vlc_clone_attr ../../src/posix/thread.c:179
    #2 0x7f101cdf09dd in vlc_clone ../../src/posix/thread.c:190
    #3 0x7f101cb9694a in input_Start ../../src/input/input.c:130
    #4 0x7f101cbe0a45 in vlc_player_input_Start ../../src/player/input.c:96
    #5 0x7f101cbd4e06 in vlc_player_Start ../../src/player/player.c:1176
    #6 0x7f101caac77e in vlc_playlist_Start ../../src/playlist/player.c:176
    #7 0x7f101ca96477 in libvlc_InternalPlay ../../src/interface/interface.c:238
    #8 0x7f101d6a3f5a in libvlc_playlist_play ../../lib/playlist.c:36
    #9 0x560ea1f5a477 in main ../../bin/vlc.c:245
    #10 0x7f101baa07fc in __libc_start_main ../csu/libc-start.c:332

SUMMARY: AddressSanitizer: stack-buffer-overflow ../../src/misc/ancillary.c:117 in vlc_ancillary_array_Dup
Shadow bytes around the buggy address:
  0x0fe27fca84d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fe27fca84e0: 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00 00
  0x0fe27fca84f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fe27fca8500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fe27fca8510: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f3 f3
=>0x0fe27fca8520:[f3]f3 f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00
  0x0fe27fca8530: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fe27fca8540: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fe27fca8550: 00 00 00 00 00 00 f1 f1 f1 f1 f1 f1 01 f2 00 f2
  0x0fe27fca8560: f2 f2 00 f3 f3 f3 00 00 00 00 00 00 00 00 00 00
  0x0fe27fca8570: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==2390944==ABORTING
Edited by Rémi Denis-Courmont