UaF when video output fails to initialize #14051

Closed
sfan5 opened this issue May 3, 2024 · 0 comments · Fixed by #14053
sfan5 commented May 3, 2024

mpv v0.38.0 a26bbbd

% ./build/mpv --no-config --vf=split ~/Videos/sm15630734.mp4 
 (+) Video --vid=1 (*) (h264 640x360 30.000fps)
 (+) Audio --aid=1 --alang=jpn (*) (aac 2ch 48000Hz)
[lavfi] exactly 2 pads required
[user_filter_wrapper] Creating filter 'split' failed.
Video: no video
=================================================================
==82238==ERROR: AddressSanitizer: heap-use-after-free on address 0x508000124570 at pc 0x78de4807f8df bp 0x7ffdec7b9340 sp 0x7ffdec7b8ae8
READ of size 5 at 0x508000124570 thread T0
    #0 0x78de4807f8de in __interceptor_strlen /usr/src/debug/gcc/gcc/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:461
    #1 0x63f8c0f9e0e8 in ta_strdup ../ta/ta_utils.c:114
    #2 0x63f8c0f9e0e8 in ta_xstrdup ../ta/ta_utils.c:284
    #3 0x63f8c0df1965 in str_get ../options/m_option.c:1258
    #4 0x63f8c0e10736 in m_option_get_node ../options/m_option.h:590
    #5 0x63f8c0e10736 in m_property_read_sub ../options/m_property.c:478
    #6 0x63f8c0e3e475 in get_track_entry ../player/command.c:2066
    #7 0x63f8c0e116e0 in m_property_read_list ../options/m_property.c:569
    #8 0x63f8c0e0d1e9 in do_action ../options/m_property.c:94
    #9 0x63f8c0e0dd8f in m_property_do ../options/m_property.c:175
    #10 0x63f8c0e51c65 in mp_property_do ../player/command.c:4287
    #11 0x63f8c0e21c2f in getproperty_fn ../player/client.c:1423
    #12 0x63f8c0e268f3 in send_client_property_changes ../player/client.c:1700
    #13 0x63f8c0e268f3 in mp_client_send_property_changes ../player/client.c:1771
    #14 0x63f8c0e798e8 in mp_wait_events ../player/playloop.c:55
    #15 0x63f8c0e800f5 in run_playloop ../player/playloop.c:1277
    #16 0x63f8c0e6eebd in play_current_file ../player/loadfile.c:1818
    #17 0x63f8c0e70286 in mp_play_files ../player/loadfile.c:2000
    #18 0x63f8c0e7237f in mpv_main ../player/main.c:432
    #19 0x78de445d4d49  (/usr/lib/libc.so.6+0x25d49) (BuildId: 915eeec6439cfded1125deefc44a8d73e57873d9)
    #20 0x78de445d4e0b in __libc_start_main (/usr/lib/libc.so.6+0x25e0b) (BuildId: 915eeec6439cfded1125deefc44a8d73e57873d9)
    #21 0x63f8c0cd0504 in _start (/home/stefan/mpv/build/mpv+0x12d504) (BuildId: bc0eeb35af7b3536dc5623fcd397a38f77470836)

0x508000124570 is located 80 bytes inside of 85-byte region [0x508000124520,0x508000124575)
freed by thread T0 here:
    #0 0x78de480dddb2 in __interceptor_free /usr/src/debug/gcc/gcc/libsanitizer/asan/asan_malloc_linux.cpp:52
    #1 0x63f8c0f9b730 in ta_free_children ../ta/ta.c:231
    #2 0x63f8c0f9b730 in ta_free ../ta/ta.c:243
    #3 0x63f8c0f9b730 in ta_free_children ../ta/ta.c:231
    #4 0x63f8c0f9b730 in ta_free ../ta/ta.c:243
    #5 0x63f8c0e8d2ed in vo_chain_uninit ../player/video.c:146
    #6 0x63f8c0e8d2ed in uninit_video_chain ../player/video.c:162
    #7 0x63f8c0e8da92 in uninit_video_chain ../player/video.c:160
    #8 0x63f8c0e8da92 in reinit_video_chain_src ../player/video.c:292
    #9 0x63f8c0e6eacc in play_current_file ../player/loadfile.c:1743
    #10 0x63f8c0e70286 in mp_play_files ../player/loadfile.c:2000
    #11 0x63f8c0e7237f in mpv_main ../player/main.c:432
    #12 0x78de445d4d49  (/usr/lib/libc.so.6+0x25d49) (BuildId: 915eeec6439cfded1125deefc44a8d73e57873d9)
    #13 0x78de445d4e0b in __libc_start_main (/usr/lib/libc.so.6+0x25e0b) (BuildId: 915eeec6439cfded1125deefc44a8d73e57873d9)
    #14 0x63f8c0cd0504 in _start (/home/stefan/mpv/build/mpv+0x12d504) (BuildId: bc0eeb35af7b3536dc5623fcd397a38f77470836)

previously allocated by thread T0 here:
    #0 0x78de480df359 in __interceptor_malloc /usr/src/debug/gcc/gcc/libsanitizer/asan/asan_malloc_linux.cpp:69
    #1 0x63f8c0f9b215 in ta_alloc_size ../ta/ta.c:139
    #2 0x63f8c0f9ce38 in strndup_append_at ../ta/ta_utils.c:93
    #3 0x63f8c0f9e119 in ta_strndup ../ta/ta_utils.c:127
    #4 0x63f8c0f9e119 in ta_strdup ../ta/ta_utils.c:114
    #5 0x63f8c0f9e119 in ta_xstrdup ../ta/ta_utils.c:284
    #6 0x63f8c0d9413f in reinit_decoder ../filters/f_decoder_wrapper.c:450
    #7 0x63f8c0d9413f in mp_decoder_wrapper_reinit ../filters/f_decoder_wrapper.c:477
    #8 0x63f8c0e8d67c in init_video_decoder ../player/video.c:191
    #9 0x63f8c0e8da60 in reinit_video_chain_src ../player/video.c:260
    #10 0x63f8c0e6eacc in play_current_file ../player/loadfile.c:1743
    #11 0x63f8c0e70286 in mp_play_files ../player/loadfile.c:2000
    #12 0x63f8c0e7237f in mpv_main ../player/main.c:432
    #13 0x78de445d4d49  (/usr/lib/libc.so.6+0x25d49) (BuildId: 915eeec6439cfded1125deefc44a8d73e57873d9)
    #14 0x78de445d4e0b in __libc_start_main (/usr/lib/libc.so.6+0x25e0b) (BuildId: 915eeec6439cfded1125deefc44a8d73e57873d9)
    #15 0x63f8c0cd0504 in _start (/home/stefan/mpv/build/mpv+0x12d504) (BuildId: bc0eeb35af7b3536dc5623fcd397a38f77470836)

This happens when reading the decoder sub property, so I think a569c3c caused it.
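The pattern behind this report, as an added C example that is not mpv's code: a track keeps a borrowed pointer to a string owned by the decoder, the decoder is torn down when the video chain fails to initialize, and a later property read (the "decoder" field of a track-list entry) copies the freed string. The struct and function names here (`struct decoder`, `struct track`, `track_uninit_decoder_buggy`, `track_uninit_decoder_fixed`, `track_get_decoder_desc`) are assumptions chosen to mirror the stack traces above, not mpv's real identifiers. The buggy teardown is kept only to show the dangling pointer by value; nothing dereferences it.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Minimal stand-ins for the objects involved. Names are assumptions, not
 * mpv's real structs. */
struct decoder {
    char *desc;               /* owned by the decoder, freed with it */
};

struct track {
    struct decoder *dec;      /* NULL once the decoder is gone */
    const char *decoder_desc; /* borrowed pointer into dec->desc */
};

static char *xstrdup(const char *s)
{
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    if (!p)
        abort();
    memcpy(p, s, n);
    return p;
}

/* Decoder (re)init: allocate the decoder and hand the track a borrowed
 * pointer to its description string, like the ta_xstrdup in reinit_decoder. */
struct decoder *decoder_create(struct track *t, const char *desc)
{
    struct decoder *d = calloc(1, sizeof *d);
    if (!d)
        abort();
    d->desc = xstrdup(desc);
    t->dec = d;
    t->decoder_desc = d->desc;
    return d;
}

static void decoder_free(struct decoder *d)
{
    if (!d)
        return;
    free(d->desc);
    free(d);
}

/* Buggy teardown: the decoder's memory is released but track->decoder_desc
 * still points into it. A later property read would strlen() freed memory. */
void track_uninit_decoder_buggy(struct track *t)
{
    decoder_free(t->dec);
    t->dec = NULL;
}

/* Fixed teardown: drop every borrowed reference before the owner is freed. */
void track_uninit_decoder_fixed(struct track *t)
{
    t->decoder_desc = NULL;
    decoder_free(t->dec);
    t->dec = NULL;
}

/* Property read analogous to get_track_entry exporting "decoder": returns a
 * fresh copy the caller must free, or NULL when there is no decoder. */
char *track_get_decoder_desc(const struct track *t)
{
    if (!t->decoder_desc)
        return NULL;
    return xstrdup(t->decoder_desc);
}

/* Diagnostic: a track whose decoder is gone must not retain a borrowed
 * pointer. Only the pointer value is inspected; nothing is dereferenced. */
int track_has_dangling_desc(const struct track *t)
{
    return t->dec == NULL && t->decoder_desc != NULL;
}

int main(void)
{
    struct track a = {0}, b = {0};

    decoder_create(&a, "h264 (ffmpeg)");
    track_uninit_decoder_buggy(&a);
    printf("buggy teardown leaves a dangling pointer: %s\n",
           track_has_dangling_desc(&a) ? "yes" : "no");

    decoder_create(&b, "h264 (ffmpeg)");
    track_uninit_decoder_fixed(&b);
    char *desc = track_get_decoder_desc(&b);
    printf("fixed teardown, decoder property: %s\n", desc ? desc : "(none)");
    free(desc);
    return 0;
}
```

Build with `-fsanitize=address -g` to reproduce the class of report shown above: with the buggy teardown, calling `track_get_decoder_desc` on the torn-down track would trip a heap-use-after-free in `strlen`, exactly where ASan stopped mpv. The fix is the same idea as the referenced commit: the owner of the string is responsible for invalidating every borrowed reference to it before freeing.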
kasper93 self-assigned this May 3, 2024
kasper93 added a commit to kasper93/mpv that referenced this issue May 3, 2024
It is no longer valid and may cause use-after-free if used after
decoder itself is destroyed.

Fixes: mpv-player#14051
sfan5 pushed a commit that referenced this issue May 4, 2024
It is no longer valid and may cause use-after-free if used after
decoder itself is destroyed.

Fixes: #14051