[vlc-devel] [PATCH] demux: adaptive: fix null-pointer dereference and race condition

Zhao Zhili quinkblack at foxmail.com
Tue Aug 7 13:20:49 CEST 2018 

The crash can be reproduced with the following m3u8

#EXTM3U
#EXT-X-TARGETDURATION:6
#EXTINF:6,
http://www.videolan.org/1.abc
#EXTINF:6,
http://www.videolan.org/2.abc
#EXTINF:6,
http://www.videolan.org/3.abc
#EXT-X-ENDLIST

#0  0x00007fffbafc2f67 in 
adaptive::http::HTTPChunkSource::getContentType[abi:cxx11]() const 
(this=0x7fffb4000e40) at ../../modules/demux/adaptive/http/Chunk.cpp:221
#1  0x00007fffbafc26d1 in 
adaptive::http::AbstractChunk::getContentType[abi:cxx11]() 
(this=0x7fffb4000c70) at ../../modules/demux/adaptive/http/Chunk.cpp:80
#2  0x00007fffbafe0e46 in 
adaptive::AbstractStream::getContentType[abi:cxx11]() 
(this=0x7fffd0011790) at ../../modules/demux/adaptive/Streams.cpp:457
#3  0x00007fffbafd498b in 
adaptive::ChunksSourceStream::getContentType[abi:cxx11]() 
(this=0x7fffd0011990) at 
../../modules/demux/adaptive/plumbing/SourceStream.cpp:75
#4  0x00007fffbafd46cc in adaptive::ChunksSourceStream::control_Callback 
(s=0x7fffb4000a50, i_query=262, args=0x7fffbae6b8a0) at 
../../modules/demux/adaptive/plumbing/SourceStream.cpp:149
#5  0x00007ffff78f8cfa in vlc_stream_vaControl (s=0x7fffb4000a50, 
cmd=262, args=0x7fffbae6b8a0) at ../../src/input/stream.c:704
#6  0x00007fffbafd1aa5 in vlc_stream_Control (s=0x7fffb4000a50, 
query=262) at ../../include/vlc_stream.h:308
#7  0x00007fffbafd0ef0 in stream_ContentType (s=0x7fffb4000a50) at 
../../include/vlc_stream.h:371
#8  0x00007fffbafd0d55 in adaptive::MimeDemuxer::create 
(this=0x7fffb4000940) at 
../../modules/demux/adaptive/plumbing/Demuxer.cpp:103
#9  0x00007fffbafe02bd in adaptive::AbstractStream::createDemux 
(this=0x7fffd0011790, format=...) at 
../../modules/demux/adaptive/Streams.cpp:578
#10 0x00007fffbafe0086 in adaptive::AbstractStream::startDemux 
(this=0x7fffd0011790) at ../../modules/demux/adaptive/Streams.cpp:231
#11 0x00007fffbafe0764 in adaptive::AbstractStream::doBufferize 
(this=0x7fffd0011790, nz_deadline=0, i_min_buffering=6000000, 
i_extra_buffering=54000000) at ../../modules/demux/adaptive/Streams.cpp:337
#12 0x00007fffbafe04ef in adaptive::AbstractStream::bufferize 
(this=0x7fffd0011790, nz_deadline=0, i_min_buffering=6000000, 
i_extra_buffering=54000000) at ../../modules/demux/adaptive/Streams.cpp:300
#13 0x00007fffbafd6a9d in adaptive::PlaylistManager::bufferize 
(this=0x7fffd000db40, i_nzdeadline=0, i_min_buffering=6000000, 
i_extra_buffering=54000000) at 
../../modules/demux/adaptive/PlaylistManager.cpp:
238
#14 0x00007fffbafd83c5 in adaptive::PlaylistManager::Run 
(this=0x7fffd000db40) at 
../../modules/demux/adaptive/PlaylistManager.cpp:645
#15 0x00007fffbafd66b5 in adaptive::PlaylistManager::managerThread 
(opaque=0x7fffd000db40) at 
../../modules/demux/adaptive/PlaylistManager.cpp:676
#16 0x00007ffff6ccb6ba in start_thread (arg=0x7fffbae6c700) at 
pthread_create.c:333
#17 0x00007ffff6a0141d in clone () at 
../sysdeps/unix/sysv/linux/x86_64/clone.S:109

On 2018年08月07日 11:12, Zhao Zhili wrote:
> ---
>   modules/demux/adaptive/http/Chunk.cpp | 9 ++++++++-
>   modules/demux/adaptive/http/Chunk.h   | 3 +++
>   2 files changed, 11 insertions(+), 1 deletion(-)
>
> diff --git a/modules/demux/adaptive/http/Chunk.cpp b/modules/demux/adaptive/http/Chunk.cpp
> index a4269e3..d8bc0f3 100644
> --- a/modules/demux/adaptive/http/Chunk.cpp
> +++ b/modules/demux/adaptive/http/Chunk.cpp
> @@ -136,6 +136,7 @@ HTTPChunkSource::HTTPChunkSource(const std::string& url, AbstractConnectionManag
>       prepared = false;
>       eof = false;
>       sourceid = id;
> +    vlc_mutex_init(&contentTypeLock);
>       setUseAccess(access);
>       if(!init(url))
>           eof = true;
> @@ -145,6 +146,7 @@ HTTPChunkSource::~HTTPChunkSource()
>   {
>       if(connection)
>           connection->setUsed(false);
> +    vlc_mutex_destroy(&contentTypeLock);
>   }
>   
>   bool HTTPChunkSource::init(const std::string &url)
> @@ -218,7 +220,8 @@ block_t * HTTPChunkSource::read(size_t readsize)
>   
>   std::string HTTPChunkSource::getContentType() const
>   {
> -    return connection->getContentType();
> +    vlc_mutex_locker locker(const_cast<vlc_mutex_t *>(&contentTypeLock));
> +    return contentType;
>   }
>   
>   bool HTTPChunkSource::prepare()
> @@ -261,6 +264,10 @@ bool HTTPChunkSource::prepare()
>                  from content length */
>           contentLength = connection->getContentLength();
>           prepared = true;
> +        {
> +            vlc_mutex_locker locker(&contentTypeLock);
> +            contentType = connection->getContentType();
> +        }
>           return true;
>       }
>   
> diff --git a/modules/demux/adaptive/http/Chunk.h b/modules/demux/adaptive/http/Chunk.h
> index 3bf3b44..1ec5671 100644
> --- a/modules/demux/adaptive/http/Chunk.h
> +++ b/modules/demux/adaptive/http/Chunk.h
> @@ -109,6 +109,9 @@ namespace adaptive
>               private:
>                   bool init(const std::string &);
>                   ConnectionParams    params;
> +
> +                vlc_mutex_t contentTypeLock;
> +                std::string contentType;
>           };
>   
>           class HTTPChunkBufferedSource : public HTTPChunkSource

More information about the vlc-devel mailing list