Bug#898428: vlc-plugin-base: memory corruption in vlc_module_unload -> avcodec_close

Sebastian Ramacher sramacher at debian.org
Fri May 18 15:04:35 BST 2018


Control: tags -1 + moreinfo

Hi Vincas

On 2018-05-15 09:59:06, Vincas Dargis wrote:
> I have managed to rebuild the vlc and libavcodec packages with address
> sanitizer. I still had problems making llvm-symbolizer work... but anyway,
> it's a double-free:
> 
> ```
> libvlc: removing module "avcodec"
> =================================================================
> ==3782==ERROR: AddressSanitizer: attempting double-free on 0x60a0000e9540
> in thread T413:
> libvlc: picture might be displayed late (missing 3 ms)
> libvlc: picture might be displayed late (missing 2 ms)
> libvlc: picture might be displayed late (missing 1 ms)
> libvlc: picture might be displayed late (missing 10 ms)
> libvlc: picture might be displayed late (missing 14 ms)
> libvlc: picture might be displayed late (missing 10 ms)
>     #0 0x7f38f3e56a10 in free
> (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc1a10)
>     #0 0x7f38422478bd in __asan_report_store4 ??:0:0
>     #1 0x7f3842310606 in __asan_report_store4 ??:0:0
>     #3 0x7f38ed09f9ac in vlc_module_unload
> (/usr/lib/x86_64-linux-gnu/libvlccore.so.8+0x5179ac)
>     #4 0x7f38ecf5a3ac in input_DecoderDelete
> (/usr/lib/x86_64-linux-gnu/libvlccore.so.8+0x3d23ac)
>     #2 0x7f38ecf73c6d in EsDestroyDecoder ./src/input/es_out.c:1590
>     #3 0x7f38ecf73c6d in EsUnselect ./src/input/es_out.c:1701
>     #4 0x7f38ecf73c6d in ?? ??:0
>     #5 0x7f38ecf894b8 in EsOutControlLocked ./src/input/es_out.c:2189
>     #6 0x7f38ecf894b8 in EsOutControl ./src/input/es_out.c:2718
>     #7 0x7f38ecf894b8 in ?? ??:0
>     #8 0x7f38ecf938e9 in es_out_vaControl ./src/../include/vlc_es_out.h:126
>     #9 0x7f38ecf938e9 in es_out_Control ./src/../include/vlc_es_out.h:135
>     #10 0x7f38ecf938e9 in ?? ??:0
>     #11 0x7f38ecf9d9ac in ControlLocked ./src/input/es_out_timeshift.c:618
>     #12 0x7f38ecf9d9ac in Control ./src/input/es_out_timeshift.c:716
>     #13 0x7f38ecf9d9ac in ?? ??:0
>     #14 0x7f38ecfa4ef9 in es_out_vaControl ./src/../include/vlc_es_out.h:126
>     #15 0x7f38ecfa4ef9 in es_out_Control ./src/../include/vlc_es_out.h:135
>     #16 0x7f38ecfa4ef9 in ?? ??:0
>     #17 0x7f38ecfac942 in es_out_SetMode ./src/input/es_out.h:89
>     #18 0x7f38ecfac942 in End ./src/input/input.c:1354
>     #19 0x7f38ecfac942 in ?? ??:0
>     #20 0x7f38ecfcbd54 in Run ./src/input/input.c:526
>     #21 0x7f38ecfcbd54 in ?? ??:0
>     #12 0x7f38ef615493 in start_thread
> (/lib/x86_64-linux-gnu/libpthread.so.0+0x7493)
>     #13 0x7f38edda3ace in __clone (/lib/x86_64-linux-gnu/libc.so.6+0xe8ace)
> 
> 0x60a0000e9540 is located 0 bytes inside of 88-byte region
> [0x60a0000e9540,0x60a0000e9598)
> freed by thread T422 here:
>     #0 0x7f38f3e56a10 in free
> (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc1a10)
>     #22 0x7f384433c79c in ff_get_format
> ./ffmpeg/build/./ffmpeg-2-8-13/libavcodec/utils.c:1242
>     #23 0x7f384433c79c in ?? ??:0
> 
> previously allocated by thread T422 here:
>     #0 0x7f38f3e57760 in posix_memalign
> (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc2760)
>     #24 0x7f384534ec95 in av_malloc
> ./ffmpeg/build/./ffmpeg-2-8-13/libavutil/mem.c:97
>     #25 0x7f384534ec95 in ?? ??:0
> 
> Thread T413 created by T0 here:
>     #0 0x7f38f3dc5f59 in __interceptor_pthread_create
> (/usr/lib/x86_64-linux-gnu/libasan.so.3+0x30f59)
>     #1 0x7f38ed1066dc in vlc_clone
> (/usr/lib/x86_64-linux-gnu/libvlccore.so.8+0x57e6dc)
> 
> Thread T422 created by T413 here:
>     #0 0x7f38f3dc5f59 in __interceptor_pthread_create
> (/usr/lib/x86_64-linux-gnu/libasan.so.3+0x30f59)
>     #26 0x7f3843e8f2f1 in ff_frame_thread_init
> ./ffmpeg/build/./ffmpeg-2-8-13/libavcodec/pthread_frame.c:730
>     #27 0x7f3843e8f2f1 in ?? ??:0
> 
> SUMMARY: AddressSanitizer: double-free
> (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc1a10) in free
> ==3782==ABORTING
> ```
> 
> Without symbolizer:
> 
> ```
> libvlc: removing module "avcodec"
> =================================================================
> ==3782==ERROR: AddressSanitizer: attempting double-free on 0x60a0000e9540
> in thread T413:
> libvlc: picture might be displayed late (missing 3 ms)
> libvlc: picture might be displayed late (missing 2 ms)
> libvlc: picture might be displayed late (missing 1 ms)
> libvlc: picture might be displayed late (missing 10 ms)
> libvlc: picture might be displayed late (missing 14 ms)
> libvlc: picture might be displayed late (missing 10 ms)
>     #0 0x7f38f3e56a10 in free
> (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc1a10)
>     #1 0x7f38422478bd
> (/usr/lib/x86_64-linux-gnu/vlc/plugins/codec/libavcodec_plugin.so+0x42fc8bd)
>     #2 0x7f3842310606
> (/usr/lib/x86_64-linux-gnu/vlc/plugins/codec/libavcodec_plugin.so+0x43c5606)
>     #3 0x7f38ed09f9ac in vlc_module_unload
> (/usr/lib/x86_64-linux-gnu/libvlccore.so.8+0x5179ac)
>     #4 0x7f38ecf5a3ac in input_DecoderDelete
> (/usr/lib/x86_64-linux-gnu/libvlccore.so.8+0x3d23ac)
>     #5 0x7f38ecf73c6d  (/usr/lib/x86_64-linux-gnu/libvlccore.so.8+0x3ebc6d)
>     #6 0x7f38ecf894b8  (/usr/lib/x86_64-linux-gnu/libvlccore.so.8+0x4014b8)
>     #7 0x7f38ecf938e9  (/usr/lib/x86_64-linux-gnu/libvlccore.so.8+0x40b8e9)
>     #8 0x7f38ecf9d9ac  (/usr/lib/x86_64-linux-gnu/libvlccore.so.8+0x4159ac)
>     #9 0x7f38ecfa4ef9  (/usr/lib/x86_64-linux-gnu/libvlccore.so.8+0x41cef9)
>     #10 0x7f38ecfac942  (/usr/lib/x86_64-linux-gnu/libvlccore.so.8+0x424942)
>     #11 0x7f38ecfcbd54  (/usr/lib/x86_64-linux-gnu/libvlccore.so.8+0x443d54)
>     #12 0x7f38ef615493 in start_thread
> (/lib/x86_64-linux-gnu/libpthread.so.0+0x7493)
>     #13 0x7f38edda3ace in __clone (/lib/x86_64-linux-gnu/libc.so.6+0xe8ace)
> 
> 0x60a0000e9540 is located 0 bytes inside of 88-byte region
> [0x60a0000e9540,0x60a0000e9598)
> freed by thread T422 here:
>     #0 0x7f38f3e56a10 in free
> (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc1a10)
>     #1 0x7f384433c79c
> (/usr/lib/x86_64-linux-gnu/vlc/plugins/codec/libavcodec_plugin.so+0x63f179c)
> 
> previously allocated by thread T422 here:
>     #0 0x7f38f3e57760 in posix_memalign
> (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc2760)
>     #1 0x7f384534ec95
> (/usr/lib/x86_64-linux-gnu/vlc/plugins/codec/libavcodec_plugin.so+0x7403c95)
> 
> Thread T413 created by T0 here:
>     #0 0x7f38f3dc5f59 in __interceptor_pthread_create
> (/usr/lib/x86_64-linux-gnu/libasan.so.3+0x30f59)
>     #1 0x7f38ed1066dc in vlc_clone
> (/usr/lib/x86_64-linux-gnu/libvlccore.so.8+0x57e6dc)
> 
> Thread T422 created by T413 here:
>     #0 0x7f38f3dc5f59 in __interceptor_pthread_create
> (/usr/lib/x86_64-linux-gnu/libasan.so.3+0x30f59)
>     #1 0x7f3843e8f2f1
> (/usr/lib/x86_64-linux-gnu/vlc/plugins/codec/libavcodec_plugin.so+0x5f442f1)
> 
> SUMMARY: AddressSanitizer: double-free
> (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc1a10) in free
> ==3782==ABORTING
> ```
> 
> So anyway, which upstream should I ask for help, VLC or ffmpeg? If the fix
> is simple, could it be released for the stable Stretch release?

VLC 2.2.x has reached the end of its supported lifetime, so please check
whether this issue is also present in 3.0.x. If it is, please forward it to
the VLC developers.

Cheers
-- 
Sebastian Ramacher
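
As an added example (not part of this thread, and not code from VLC, ffmpeg or Debian), here is a small Python script for the situation the reporter describes: an ASAN report whose plugin frames came out as bare module+offset pairs because llvm-symbolizer was not working. It re-joins the lines the mail client wrapped, extracts which thread allocated, freed and re-freed the block, and prints the addr2line invocations for every frame ASAN left unsymbolized. The report text is a constructed sample built from the lines quoted above (addresses, paths and offsets copied from them, trimmed). The addr2line commands assume the build that produced the trace still has its debug symbols (or the matching -dbgsym packages are installed) and that the module-relative offset ASAN prints after "+0x" is the address addr2line expects for a shared object, which holds for a normal, non-prelinked .so.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: the report quoted in this thread, trimmed, but kept in
# the line-wrapped form the mail client produced. Addresses, module paths
# and offsets are copied from the quoted report.
SAMPLE_REPORT = """\
==3782==ERROR: AddressSanitizer: attempting double-free on 0x60a0000e9540
in thread T413:
    #0 0x7f38f3e56a10 in free
(/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc1a10)
    #1 0x7f38422478bd
(/usr/lib/x86_64-linux-gnu/vlc/plugins/codec/libavcodec_plugin.so+0x42fc8bd)
    #2 0x7f3842310606
(/usr/lib/x86_64-linux-gnu/vlc/plugins/codec/libavcodec_plugin.so+0x43c5606)
    #3 0x7f38ed09f9ac in vlc_module_unload
(/usr/lib/x86_64-linux-gnu/libvlccore.so.8+0x5179ac)
    #4 0x7f38ecf5a3ac in input_DecoderDelete
(/usr/lib/x86_64-linux-gnu/libvlccore.so.8+0x3d23ac)

freed by thread T422 here:
    #0 0x7f38f3e56a10 in free
(/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc1a10)
    #1 0x7f384433c79c
(/usr/lib/x86_64-linux-gnu/vlc/plugins/codec/libavcodec_plugin.so+0x63f179c)

previously allocated by thread T422 here:
    #0 0x7f38f3e57760 in posix_memalign
(/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc2760)
    #1 0x7f384534ec95
(/usr/lib/x86_64-linux-gnu/vlc/plugins/codec/libavcodec_plugin.so+0x7403c95)

SUMMARY: AddressSanitizer: double-free
(/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc1a10) in free
"""

# One ASAN frame: "#N 0xPC [in SYMBOL] (MODULE+0xOFFSET)"; the symbol part is
# absent for frames the sanitizer could not resolve.
FRAME_RE = re.compile(
    r"^#(?P<idx>\d+)\s+0x[0-9a-f]+(?:\s+in\s+(?P<sym>\S+))?"
    r"\s+\((?P<module>[^+)]+)\+0x(?P<off>[0-9a-f]+)\)")


@dataclass
class Frame:
    index: int
    symbol: Optional[str]  # None when ASAN printed no symbol for the frame
    module: str
    offset: int            # module-relative offset, what addr2line needs


@dataclass
class Stack:
    thread: str
    frames: List[Frame]


def _unwrap(text: str) -> List[str]:
    """Re-join lines a mail client wrapped in the middle of a frame or header."""
    out: List[str] = []
    for line in text.splitlines():
        s = line.strip()
        if out and (s.startswith("(") or s.startswith("in thread")):
            out[-1] += " " + s
        else:
            out.append(line)
    return out


def parse_report(text: str) -> Dict[str, Stack]:
    """Return the "fault", "freed" and "allocated" stacks keyed by name."""
    stacks: Dict[str, Stack] = {}
    current: Optional[str] = None
    for line in _unwrap(text):
        s = line.strip()
        if m := re.search(r"ERROR: AddressSanitizer: .* in thread (T\d+):", s):
            current = "fault"
            stacks[current] = Stack(m.group(1), [])
        elif m := re.match(r"(freed|previously allocated) by thread (T\d+) here:", s):
            current = "freed" if m.group(1) == "freed" else "allocated"
            stacks[current] = Stack(m.group(2), [])
        elif (m := FRAME_RE.match(s)) and current is not None:
            stacks[current].frames.append(Frame(
                int(m["idx"]), m["sym"], m["module"], int(m["off"], 16)))
        elif s == "":
            current = None  # a blank line ends the current stack
    return stacks


def addr2line_commands(stacks: Dict[str, Stack]) -> List[str]:
    """One addr2line call per unsymbolized (module, offset) pair, in report
    order. Assumes the .so still carries or links to its DWARF debug info."""
    seen, cmds = set(), []
    for st in stacks.values():
        for f in st.frames:
            if f.symbol is None and (f.module, f.offset) not in seen:
                seen.add((f.module, f.offset))
                cmds.append(f"addr2line -f -C -i -e {f.module} 0x{f.offset:x}")
    return cmds


def cross_thread_double_free(stacks: Dict[str, Stack]) -> bool:
    """True when the second free ran on a different thread than the first."""
    return ("fault" in stacks and "freed" in stacks
            and stacks["fault"].thread != stacks["freed"].thread)
```

Feed the whole pasted report to parse_report and print addr2line_commands on the result; for the quoted trace this yields one command per libavcodec_plugin.so offset (0x42fc8bd, 0x43c5606, 0x63f179c, 0x7403c95), and cross_thread_double_free reports that the first free ran on T422 (the ffmpeg frame thread) while the second ran on T413 (the VLC input thread), which is the detail worth stating up front when forwarding the report upstream.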