Bug#898428: vlc-plugin-base: memory corruption in vlc_module_unload -> avcodec_close
Vincas Dargis
vindrg at gmail.com
Tue May 15 07:59:06 BST 2018
I have managed to rebuild the vlc and libavcodec packages with address
sanitizer. I still had problems making llvm-symbolizer work... but anyway,
it's a double-free:
```
libvlc: removing module "avcodec"
=================================================================
==3782==ERROR: AddressSanitizer: attempting double-free on 0x60a0000e9540
in thread T413:
libvlc: picture might be displayed late (missing 3 ms)
libvlc: picture might be displayed late (missing 2 ms)
libvlc: picture might be displayed late (missing 1 ms)
libvlc: picture might be displayed late (missing 10 ms)
libvlc: picture might be displayed late (missing 14 ms)
libvlc: picture might be displayed late (missing 10 ms)
#0 0x7f38f3e56a10 in free
(/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc1a10)
#0 0x7f38422478bd in __asan_report_store4 ??:0:0
#1 0x7f3842310606 in __asan_report_store4 ??:0:0
#3 0x7f38ed09f9ac in vlc_module_unload
(/usr/lib/x86_64-linux-gnu/libvlccore.so.8+0x5179ac)
#4 0x7f38ecf5a3ac in input_DecoderDelete
(/usr/lib/x86_64-linux-gnu/libvlccore.so.8+0x3d23ac)
#2 0x7f38ecf73c6d in EsDestroyDecoder ./src/input/es_out.c:1590
#3 0x7f38ecf73c6d in EsUnselect ./src/input/es_out.c:1701
#4 0x7f38ecf73c6d in ?? ??:0
#5 0x7f38ecf894b8 in EsOutControlLocked ./src/input/es_out.c:2189
#6 0x7f38ecf894b8 in EsOutControl ./src/input/es_out.c:2718
#7 0x7f38ecf894b8 in ?? ??:0
#8 0x7f38ecf938e9 in es_out_vaControl ./src/../include/vlc_es_out.h:126
#9 0x7f38ecf938e9 in es_out_Control ./src/../include/vlc_es_out.h:135
#10 0x7f38ecf938e9 in ?? ??:0
#11 0x7f38ecf9d9ac in ControlLocked ./src/input/es_out_timeshift.c:618
#12 0x7f38ecf9d9ac in Control ./src/input/es_out_timeshift.c:716
#13 0x7f38ecf9d9ac in ?? ??:0
#14 0x7f38ecfa4ef9 in es_out_vaControl ./src/../include/vlc_es_out.h:126
#15 0x7f38ecfa4ef9 in es_out_Control ./src/../include/vlc_es_out.h:135
#16 0x7f38ecfa4ef9 in ?? ??:0
#17 0x7f38ecfac942 in es_out_SetMode ./src/input/es_out.h:89
#18 0x7f38ecfac942 in End ./src/input/input.c:1354
#19 0x7f38ecfac942 in ?? ??:0
#20 0x7f38ecfcbd54 in Run ./src/input/input.c:526
#21 0x7f38ecfcbd54 in ?? ??:0
#12 0x7f38ef615493 in start_thread
(/lib/x86_64-linux-gnu/libpthread.so.0+0x7493)
#13 0x7f38edda3ace in __clone (/lib/x86_64-linux-gnu/libc.so.6+0xe8ace)
0x60a0000e9540 is located 0 bytes inside of 88-byte region
[0x60a0000e9540,0x60a0000e9598)
freed by thread T422 here:
#0 0x7f38f3e56a10 in free
(/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc1a10)
#22 0x7f384433c79c in ff_get_format
./ffmpeg/build/./ffmpeg-2-8-13/libavcodec/utils.c:1242
#23 0x7f384433c79c in ?? ??:0
previously allocated by thread T422 here:
#0 0x7f38f3e57760 in posix_memalign
(/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc2760)
#24 0x7f384534ec95 in av_malloc
./ffmpeg/build/./ffmpeg-2-8-13/libavutil/mem.c:97
#25 0x7f384534ec95 in ?? ??:0
Thread T413 created by T0 here:
#0 0x7f38f3dc5f59 in __interceptor_pthread_create
(/usr/lib/x86_64-linux-gnu/libasan.so.3+0x30f59)
#1 0x7f38ed1066dc in vlc_clone
(/usr/lib/x86_64-linux-gnu/libvlccore.so.8+0x57e6dc)
Thread T422 created by T413 here:
#0 0x7f38f3dc5f59 in __interceptor_pthread_create
(/usr/lib/x86_64-linux-gnu/libasan.so.3+0x30f59)
#26 0x7f3843e8f2f1 in ff_frame_thread_init
./ffmpeg/build/./ffmpeg-2-8-13/libavcodec/pthread_frame.c:730
#27 0x7f3843e8f2f1 in ?? ??:0
SUMMARY: AddressSanitizer: double-free
(/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc1a10) in free
==3782==ABORTING
```
Without symbolizer:
```
libvlc: removing module "avcodec"
=================================================================
==3782==ERROR: AddressSanitizer: attempting double-free on 0x60a0000e9540
in thread T413:
libvlc: picture might be displayed late (missing 3 ms)
libvlc: picture might be displayed late (missing 2 ms)
libvlc: picture might be displayed late (missing 1 ms)
libvlc: picture might be displayed late (missing 10 ms)
libvlc: picture might be displayed late (missing 14 ms)
libvlc: picture might be displayed late (missing 10 ms)
#0 0x7f38f3e56a10 in free
(/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc1a10)
#1 0x7f38422478bd
(/usr/lib/x86_64-linux-gnu/vlc/plugins/codec/libavcodec_plugin.so+0x42fc8bd)
#2 0x7f3842310606
(/usr/lib/x86_64-linux-gnu/vlc/plugins/codec/libavcodec_plugin.so+0x43c5606)
#3 0x7f38ed09f9ac in vlc_module_unload
(/usr/lib/x86_64-linux-gnu/libvlccore.so.8+0x5179ac)
#4 0x7f38ecf5a3ac in input_DecoderDelete
(/usr/lib/x86_64-linux-gnu/libvlccore.so.8+0x3d23ac)
#5 0x7f38ecf73c6d (/usr/lib/x86_64-linux-gnu/libvlccore.so.8+0x3ebc6d)
#6 0x7f38ecf894b8 (/usr/lib/x86_64-linux-gnu/libvlccore.so.8+0x4014b8)
#7 0x7f38ecf938e9 (/usr/lib/x86_64-linux-gnu/libvlccore.so.8+0x40b8e9)
#8 0x7f38ecf9d9ac (/usr/lib/x86_64-linux-gnu/libvlccore.so.8+0x4159ac)
#9 0x7f38ecfa4ef9 (/usr/lib/x86_64-linux-gnu/libvlccore.so.8+0x41cef9)
#10 0x7f38ecfac942 (/usr/lib/x86_64-linux-gnu/libvlccore.so.8+0x424942)
#11 0x7f38ecfcbd54 (/usr/lib/x86_64-linux-gnu/libvlccore.so.8+0x443d54)
#12 0x7f38ef615493 in start_thread
(/lib/x86_64-linux-gnu/libpthread.so.0+0x7493)
#13 0x7f38edda3ace in __clone (/lib/x86_64-linux-gnu/libc.so.6+0xe8ace)
0x60a0000e9540 is located 0 bytes inside of 88-byte region
[0x60a0000e9540,0x60a0000e9598)
freed by thread T422 here:
#0 0x7f38f3e56a10 in free
(/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc1a10)
#1 0x7f384433c79c
(/usr/lib/x86_64-linux-gnu/vlc/plugins/codec/libavcodec_plugin.so+0x63f179c)
previously allocated by thread T422 here:
#0 0x7f38f3e57760 in posix_memalign
(/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc2760)
#1 0x7f384534ec95
(/usr/lib/x86_64-linux-gnu/vlc/plugins/codec/libavcodec_plugin.so+0x7403c95)
Thread T413 created by T0 here:
#0 0x7f38f3dc5f59 in __interceptor_pthread_create
(/usr/lib/x86_64-linux-gnu/libasan.so.3+0x30f59)
#1 0x7f38ed1066dc in vlc_clone
(/usr/lib/x86_64-linux-gnu/libvlccore.so.8+0x57e6dc)
Thread T422 created by T413 here:
#0 0x7f38f3dc5f59 in __interceptor_pthread_create
(/usr/lib/x86_64-linux-gnu/libasan.so.3+0x30f59)
#1 0x7f3843e8f2f1
(/usr/lib/x86_64-linux-gnu/vlc/plugins/codec/libavcodec_plugin.so+0x5f442f1)
SUMMARY: AddressSanitizer: double-free
(/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc1a10) in free
==3782==ABORTING
```
So anyway, which upstream should I ask for help: VLC or ffmpeg? If the fix is
simple, could it be released for the stable Stretch release?