[vlc-devel] [PATCH] demux/subtitle: TextLoad + TextUnload: prevent double-free
Filip Roséen
filip at atch.se
Thu Mar 2 17:46:06 CET 2017
I forgot to include logs of the relevant case, see further down in
this email.
On 2017-03-02 17:40, Filip Roséen wrote:
> There is a relationship between the value of txt->i_line_count and
> txt->line stating that the value of txt->line is undefined if
> txt->i_line_count is zero.
>
> As the above might seem simple enough, it leads to a case of double-free
> if one does not pay attention and check the value of txt->i_line_count
> prior to working with txt->line; as in TextUnload.
>
> These changes make sure that we do not read from txt->line unless we
> know that it is safe.
> ---
==11375==ERROR: AddressSanitizer: attempting double-free on 0x621000048900 in thread T7:
#0 0x7fd8cb2abae0 in __interceptor_free /build/gcc-multilib/src/gcc/libsanitizer/asan/asan_malloc_linux.cc:45
#1 0x7fd8a687e294 in TextUnload /home/refp/work/videolan/vlc/git/modules/demux/subtitle.c:848
#2 0x7fd8a6886a18 in Open /home/refp/work/videolan/vlc/git/modules/demux/subtitle.c:563
#3 0x7fd8cab8b7cc in generic_start /home/refp/work/videolan/vlc/git/src/modules/modules.c:349
#4 0x7fd8cab8b99d in module_load /home/refp/work/videolan/vlc/git/src/modules/modules.c:183
#5 0x7fd8cab8c535 in vlc_module_load /home/refp/work/videolan/vlc/git/src/modules/modules.c:275
#6 0x7fd8cab8cd15 in module_need /home/refp/work/videolan/vlc/git/src/modules/modules.c:364
#7 0x7fd8cabd5295 in demux_NewAdvanced /home/refp/work/videolan/vlc/git/src/input/demux.c:260
#8 0x7fd8cabfe842 in InputDemuxNew /home/refp/work/videolan/vlc/git/src/input/input.c:2365
#9 0x7fd8cabfe842 in InputSourceNew /home/refp/work/videolan/vlc/git/src/input/input.c:2475
#10 0x7fd8cabfe9b8 in input_SlaveSourceAdd /home/refp/work/videolan/vlc/git/src/input/input.c:3112
#11 0x7fd8cac05a0b in LoadSlaves /home/refp/work/videolan/vlc/git/src/input/input.c:1138
#12 0x7fd8cac05a0b in Init /home/refp/work/videolan/vlc/git/src/input/input.c:1330
#13 0x7fd8cac07870 in Run /home/refp/work/videolan/vlc/git/src/input/input.c:486
#14 0x7fd8c9d42453 in start_thread (/usr/lib/libpthread.so.0+0x7453)
#15 0x7fd8c9a857de in __GI___clone (/usr/lib/libc.so.6+0xe87de)
0x621000048900 is located 0 bytes inside of 4000-byte region [0x621000048900,0x6210000498a0)
freed by thread T7 here:
#0 0x7fd8cb2abae0 in __interceptor_free /build/gcc-multilib/src/gcc/libsanitizer/asan/asan_malloc_linux.cc:45
#1 0x7fd8a68868f4 in TextLoad /home/refp/work/videolan/vlc/git/modules/demux/subtitle.c:836
#2 0x7fd8a68868f4 in Open /home/refp/work/videolan/vlc/git/modules/demux/subtitle.c:537
#3 0x7fd8cab8b7cc in generic_start /home/refp/work/videolan/vlc/git/src/modules/modules.c:349
#4 0x7fd8cab8b99d in module_load /home/refp/work/videolan/vlc/git/src/modules/modules.c:183
#5 0x7fd8cab8c535 in vlc_module_load /home/refp/work/videolan/vlc/git/src/modules/modules.c:275
#6 0x7fd8cab8cd15 in module_need /home/refp/work/videolan/vlc/git/src/modules/modules.c:364
#7 0x7fd8cabd5295 in demux_NewAdvanced /home/refp/work/videolan/vlc/git/src/input/demux.c:260
#8 0x7fd8cabfe842 in InputDemuxNew /home/refp/work/videolan/vlc/git/src/input/input.c:2365
#9 0x7fd8cabfe842 in InputSourceNew /home/refp/work/videolan/vlc/git/src/input/input.c:2475
#10 0x7fd8cabfe9b8 in input_SlaveSourceAdd /home/refp/work/videolan/vlc/git/src/input/input.c:3112
#11 0x7fd8cac05a0b in LoadSlaves /home/refp/work/videolan/vlc/git/src/input/input.c:1138
#12 0x7fd8cac05a0b in Init /home/refp/work/videolan/vlc/git/src/input/input.c:1330
#13 0x7fd8cac07870 in Run /home/refp/work/videolan/vlc/git/src/input/input.c:486
#14 0x7fd8c9d42453 in start_thread (/usr/lib/libpthread.so.0+0x7453)
#15 0x7fd8c9a857de in __GI___clone (/usr/lib/libc.so.6+0xe87de)
previously allocated by thread T7 here:
#0 0x7fd8cb2ac000 in __interceptor_calloc /build/gcc-multilib/src/gcc/libsanitizer/asan/asan_malloc_linux.cc:70
#1 0x7fd8a6886757 in TextLoad /home/refp/work/videolan/vlc/git/modules/demux/subtitle.c:810
#2 0x7fd8a6886757 in Open /home/refp/work/videolan/vlc/git/modules/demux/subtitle.c:537
#3 0x7fd8cab8b7cc in generic_start /home/refp/work/videolan/vlc/git/src/modules/modules.c:349
#4 0x7fd8cab8b99d in module_load /home/refp/work/videolan/vlc/git/src/modules/modules.c:183
#5 0x7fd8cab8c535 in vlc_module_load /home/refp/work/videolan/vlc/git/src/modules/modules.c:275
#6 0x7fd8cab8cd15 in module_need /home/refp/work/videolan/vlc/git/src/modules/modules.c:364
#7 0x7fd8cabd5295 in demux_NewAdvanced /home/refp/work/videolan/vlc/git/src/input/demux.c:260
#8 0x7fd8cabfe842 in InputDemuxNew /home/refp/work/videolan/vlc/git/src/input/input.c:2365
#9 0x7fd8cabfe842 in InputSourceNew /home/refp/work/videolan/vlc/git/src/input/input.c:2475
#10 0x7fd8cabfe9b8 in input_SlaveSourceAdd /home/refp/work/videolan/vlc/git/src/input/input.c:3112
#11 0x7fd8cac05a0b in LoadSlaves /home/refp/work/videolan/vlc/git/src/input/input.c:1138
#12 0x7fd8cac05a0b in Init /home/refp/work/videolan/vlc/git/src/input/input.c:1330
#13 0x7fd8cac07870 in Run /home/refp/work/videolan/vlc/git/src/input/input.c:486
#14 0x7fd8c9d42453 in start_thread (/usr/lib/libpthread.so.0+0x7453)
#15 0x7fd8c9a857de in __GI___clone (/usr/lib/libc.so.6+0xe87de)
Thread T7 created by T2 here:
#0 0x7fd8cb216468 in __interceptor_pthread_create /build/gcc-multilib/src/gcc/libsanitizer/asan/asan_interceptors.cc:236
#1 0x7fd8cac957ca in vlc_clone_attr /home/refp/work/videolan/vlc/git/src/posix/thread.c:482
#2 0x7fd8cac96159 in vlc_clone /home/refp/work/videolan/vlc/git/src/posix/thread.c:494
#3 0x7fd8cabfb707 in input_Start /home/refp/work/videolan/vlc/git/src/input/input.c:180
#4 0x7fd8cab9dbe1 in PlayItem /home/refp/work/videolan/vlc/git/src/playlist/thread.c:215
#5 0x7fd8cab9dbe1 in Next /home/refp/work/videolan/vlc/git/src/playlist/thread.c:478
#6 0x7fd8cab9dbe1 in Thread /home/refp/work/videolan/vlc/git/src/playlist/thread.c:501
#7 0x7fd8c9d42453 in start_thread (/usr/lib/libpthread.so.0+0x7453)
Thread T2 created by T0 here:
#0 0x7fd8cb216468 in __interceptor_pthread_create /build/gcc-multilib/src/gcc/libsanitizer/asan/asan_interceptors.cc:236
#1 0x7fd8cac957ca in vlc_clone_attr /home/refp/work/videolan/vlc/git/src/posix/thread.c:482
#2 0x7fd8cac96159 in vlc_clone /home/refp/work/videolan/vlc/git/src/posix/thread.c:494
#3 0x7fd8cab9a821 in playlist_Activate /home/refp/work/videolan/vlc/git/src/playlist/thread.c:54
#4 0x7fd8cab9fd40 in playlist_Create /home/refp/work/videolan/vlc/git/src/playlist/engine.c:285
#5 0x7fd8cab988a8 in intf_GetPlaylist /home/refp/work/videolan/vlc/git/src/interface/interface.c:148
#6 0x7fd8cab988a8 in intf_InsertItem /home/refp/work/videolan/vlc/git/src/interface/interface.c:169
#7 0x7fd8cab6d9aa in GetFilenames /home/refp/work/videolan/vlc/git/src/libvlc.c:603
#8 0x7fd8cab6d9aa in libvlc_InternalInit /home/refp/work/videolan/vlc/git/src/libvlc.c:483
#9 0x7fd8cafaf000 in libvlc_new /home/refp/work/videolan/vlc/git/lib/core.c:59
#10 0x40195d in main /home/refp/work/videolan/vlc/git/bin/vlc.c:228
#11 0x7fd8c99bd290 in __libc_start_main (/usr/lib/libc.so.6+0x20290)
SUMMARY: AddressSanitizer: double-free /build/gcc-multilib/src/gcc/libsanitizer/asan/asan_malloc_linux.cc:45 in __interceptor_free
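The load/unload contract the message describes, as an added illustration written for this page and not the patch or VLC's own code: text_t, TextLoad, TextUnload, k_sample and demo_load_unload are hypothetical stand-ins, the simulated allocation failure stands in for the failure path at subtitle.c:836, and the i_line_count gate in TextUnload is the check the message asks for.

```c
#include <stdlib.h>
#include <string.h>
/* Hypothetical stand-in for the demuxer's text_t, not VLC's own struct. The
 * invariant from the patch: if i_line_count == 0 then `line` is undefined. */
typedef struct { char **line; size_t i_line_count; } text_t;

/* Constructed sample input (three subtitle lines). */
static const char *const k_sample[] = { "1", "00:00:01,000 --> 00:00:02,000", "Hi" };
#define K_SAMPLE_N (sizeof k_sample / sizeof k_sample[0])

/* Load lines; fail_at < K_SAMPLE_N simulates an allocation failure on that
 * line. On failure everything is freed and i_line_count is reset to 0, but
 * `line` still holds the freed pointer: only i_line_count says it is dead. */
static int TextLoad(text_t *txt, size_t fail_at)
{
    txt->i_line_count = 0;
    txt->line = calloc(K_SAMPLE_N, sizeof *txt->line);
    if (txt->line == NULL)
        return -1;
    for (size_t i = 0; i < K_SAMPLE_N; i++) {
        size_t len = strlen(k_sample[i]) + 1;
        char *dup = (i == fail_at) ? NULL : malloc(len);
        if (dup == NULL) {
            while (i-- > 0)
                free(txt->line[i]);
            free(txt->line);      /* first free of the array */
            txt->i_line_count = 0;
            return -1;
        }
        memcpy(dup, k_sample[i], len);
        txt->line[i] = dup;
        txt->i_line_count = i + 1;
    }
    return 0;
}

/* Hardened unload: an unconditional free(txt->line) here is the double-free
 * ASan reported above; gating on i_line_count honours the invariant. */
static void TextUnload(text_t *txt)
{
    if (txt->i_line_count > 0) {
        for (size_t i = 0; i < txt->i_line_count; i++)
            free(txt->line[i]);
        free(txt->line);
    }
}

/* Mirrors Open(): load, then unload on every path. Returns lines kept or -1. */
int demo_load_unload(size_t fail_at)
{
    text_t txt;
    int rc = TextLoad(&txt, fail_at), n = (int)txt.i_line_count;
    TextUnload(&txt);
    return rc == 0 ? n : -1;
}
```

Building this with -fsanitize=address and running demo_load_unload(1) stays clean; dropping the i_line_count gate in TextUnload reproduces a report of the same shape as the one above.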