Project

General

Profile

Bug #4119

Segfault: heap-use-after-free on channel_delete

Added by C K about 8 years ago. Updated about 8 years ago.

Status:
Fixed
Priority:
High
Assignee:
Jaroslav Kysela
Category:
-
Target version:
-
Start date:
2016-12-06
Due date:
% Done:

100%

Estimated time:
Found in version:
git 48b9f49
Affected Versions:

Description

Message from clang:

=================================================================
==31450==AddressSanitizer: while reporting a bug found another one.Ignoring.
==31450==ERROR: AddressSanitizer: heap-use-after-free on address 0x6160008bc5bc at pc 0x7f756328b828 bp 0x7f755b697ed0 sp 0x7f755b697ec8
WRITE of size 4 at 0x6160008bc5bc thread T9 (tvh:httpc)
    #0 0x7f756328b827 in http_client_reconnect /home/waldmeister/src/tvheadend/src/httpc.c:1462
    #1 0x7f7563288afb in http_client_simple_reconnect /home/waldmeister/src/tvheadend/src/httpc.c:1266
    #2 0x7f7563a40f33 in iptv_http_reconnect /home/waldmeister/src/tvheadend/src/input/mpegts/iptv/iptv_http.c:365
    #3 0x7f7563a3d39d in iptv_http_complete /home/waldmeister/src/tvheadend/src/input/mpegts/iptv/iptv_http.c:440
    #4 0x7f756329602f in http_client_finish /home/waldmeister/src/tvheadend/src/httpc.c:680
    #5 0x7f756327ec72 in http_client_run0 /home/waldmeister/src/tvheadend/src/httpc.c:984
    #6 0x7f756327c2c0 in http_client_run /home/waldmeister/src/tvheadend/src/httpc.c:1149
    #7 0x7f7563291b87 in http_client_thread /home/waldmeister/src/tvheadend/src/httpc.c:1411
    #8 0x7f7562f3c632 in thread_wrapper /home/waldmeister/src/tvheadend/src/wrappers.c:159
    #9 0x7f7561280183 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x8183)
    #10 0x7f755fa2337c (/lib/x86_64-linux-gnu/libc.so.6+0xfa37c)

0x6160008bc5bc is located 60 bytes inside of 544-byte region [0x6160008bc580,0x6160008bc7a0)
freed by thread T21 (tvh:mtimer) here:
    #0 0x7f7562e6bfd9 in __interceptor_free (/home/waldmeister/src/tvheadend/build.linux/tvheadend+0x4dcfd9)
    #1 0x7f7563290184 in http_client_close /home/waldmeister/src/tvheadend/src/httpc.c:1622
    #2 0x7f7563a36b8b in iptv_http_stop /home/waldmeister/src/tvheadend/src/input/mpegts/iptv/iptv_http.c:557
    #3 0x7f7563a250fe in iptv_input_stop_mux /home/waldmeister/src/tvheadend/src/input/mpegts/iptv/iptv.c:379
    #4 0x7f756376df2b in mpegts_mux_stop /home/waldmeister/src/tvheadend/src/input/mpegts/mpegts_mux.c:840
    #5 0x7f75636fd812 in mpegts_input_close_service /home/waldmeister/src/tvheadend/src/input/mpegts/mpegts_input.c:815
    #6 0x7f75637976ae in mpegts_service_stop /home/waldmeister/src/tvheadend/src/input/mpegts/mpegts_service.c:410
    #7 0x7f75630e0331 in service_stop /home/waldmeister/src/tvheadend/src/service.c:359
    #8 0x7f75630bdf48 in subscription_unlink_service0 /home/waldmeister/src/tvheadend/src/subscriptions.c:166
    #9 0x7f75630bd2bf in subscription_unlink_service /home/waldmeister/src/tvheadend/src/subscriptions.c:173
    #10 0x7f75630e0d6f in service_remove_subscriber /home/waldmeister/src/tvheadend/src/service.c:401
    #11 0x7f75630ca248 in subscription_unsubscribe /home/waldmeister/src/tvheadend/src/subscriptions.c:705
    #12 0x7f7563782a69 in mpegts_mux_unsubscribe_by_name /home/waldmeister/src/tvheadend/src/input/mpegts/mpegts_mux.c:1386
    #13 0x7f7563834af8 in mpegts_network_scan_mux_done0 /home/waldmeister/src/tvheadend/src/input/mpegts/mpegts_network_scan.c:116
    #14 0x7f7563836884 in mpegts_network_scan_mux_done /home/waldmeister/src/tvheadend/src/input/mpegts/mpegts_network_scan.c:159
    #15 0x7f7563769594 in mpegts_mux_scan_done /home/waldmeister/src/tvheadend/src/input/mpegts/mpegts_mux.c:1097
    #16 0x7f756378eab5 in mpegts_mux_scan_timeout /home/waldmeister/src/tvheadend/src/input/mpegts/mpegts_mux.c:1156
    #17 0x7f7562e9e38e in mtimer_thread /home/waldmeister/src/tvheadend/src/main.c:634
    #18 0x7f7562f3c632 in thread_wrapper /home/waldmeister/src/tvheadend/src/wrappers.c:159
    #19 0x7f7561280183 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x8183)
previously allocated by thread T21 (tvh:mtimer) here:
    #0 0x7f7562e6c229 in calloc (/home/waldmeister/src/tvheadend/build.linux/tvheadend+0x4dd229)
    #1 0x7f756328e126 in http_client_connect /home/waldmeister/src/tvheadend/src/httpc.c:1528
    #2 0x7f7563a36008 in iptv_http_start /home/waldmeister/src/tvheadend/src/input/mpegts/iptv/iptv_http.c:517
    #3 0x7f7563a2490f in iptv_input_start_mux /home/waldmeister/src/tvheadend/src/input/mpegts/iptv/iptv.c:356
    #4 0x7f756375ace7 in mpegts_mux_instance_start /home/waldmeister/src/tvheadend/src/input/mpegts/mpegts_mux.c:260
    #5 0x7f7563796dc3 in mpegts_service_start /home/waldmeister/src/tvheadend/src/input/mpegts/mpegts_service.c:381
    #6 0x7f75630e92e9 in service_start /home/waldmeister/src/tvheadend/src/service.c:699
    #7 0x7f75630ef83a in service_find_instance /home/waldmeister/src/tvheadend/src/service.c:867
    #8 0x7f75630c17f7 in subscription_start_instance /home/waldmeister/src/tvheadend/src/subscriptions.c:309
    #9 0x7f75630d03ed in subscription_create_from_channel_or_service /home/waldmeister/src/tvheadend/src/subscriptions.c:856
    #10 0x7f75630d1a52 in subscription_create_from_mux /home/waldmeister/src/tvheadend/src/subscriptions.c:928
    #11 0x7f75637822e0 in mpegts_mux_subscribe /home/waldmeister/src/tvheadend/src/input/mpegts/mpegts_mux.c:1367
    #12 0x7f75638335f2 in mpegts_network_scan_timer_cb /home/waldmeister/src/tvheadend/src/input/mpegts/mpegts_network_scan.c:62
    #13 0x7f7562e9e38e in mtimer_thread /home/waldmeister/src/tvheadend/src/main.c:634
    #14 0x7f7562f3c632 in thread_wrapper /home/waldmeister/src/tvheadend/src/wrappers.c:159
    #15 0x7f7561280183 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x8183)

Thread T9 (tvh:httpc) created by T0 here:
    #0 0x7f7562e5b612 in pthread_create (/home/waldmeister/src/tvheadend/build.linux/tvheadend+0x4cc612)
    #1 0x7f7562f3c04b in tvhthread_create /home/waldmeister/src/tvheadend/src/wrappers.c:177
    #2 0x7f756329101e in http_client_init /home/waldmeister/src/tvheadend/src/httpc.c:1658
    #3 0x7f7562e96d31 in main /home/waldmeister/src/tvheadend/src/main.c:1203
    #4 0x7f755f94af44 (/lib/x86_64-linux-gnu/libc.so.6+0x21f44)

Thread T21 (tvh:mtimer) created by T0 here:
    #0 0x7f7562e5b612 in pthread_create (/home/waldmeister/src/tvheadend/build.linux/tvheadend+0x4cc612)
    #1 0x7f7562f3c04b in tvhthread_create /home/waldmeister/src/tvheadend/src/wrappers.c:177
    #2 0x7f7562e972dd in main /home/waldmeister/src/tvheadend/src/main.c:1285
    #3 0x7f755f94af44 (/lib/x86_64-linux-gnu/libc.so.6+0x21f44)
SUMMARY: AddressSanitizer: heap-use-after-free /home/waldmeister/src/tvheadend/src/httpc.c:1462 http_client_reconnect
Shadow bytes around the buggy address:
  0x0c2c8010f860: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2c8010f870: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2c8010f880: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2c8010f890: fd fd fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2c8010f8a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c2c8010f8b0: fa fa fa fa fa fa fa[fa]fa fa fa fa fa fa fa fa
  0x0c2c8010f8c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2c8010f8d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2c8010f8e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2c8010f8f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2c8010f900: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:     fa
  Heap right redzone:    fb
  Freed heap region:     fd
  Stack left redzone:    f1
  Stack mid redzone:     f2
  Stack right redzone:   f3
  Stack partial redzone: f4
  Stack after return:    f5
  Stack use after scope: f8
  Global redzone:        f9
  Global init order:     f6
  Poisoned by user:      f7
  ASan internal:         fe
==31450==ABORTING

Last debug messages:

2016-12-06 15:21:17.283 [   INFO]:subscription: 0AB4: "scan" unsubscribing
2016-12-06 15:21:17.283 [  DEBUG]:mpegts: XXXXXXXX in IPTV - close PID tables subscription [0042/0x61900882c080]
2016-12-06 15:21:17.283 [  DEBUG]:mpegts: XXXXXXXX in IPTV - stopping mux
2016-12-06 15:21:17.284 [  DEBUG]:mpegts: XXXXXXXX in IPTV - close PID 0000 (0) [20/0x622000486100]
2016-12-06 15:21:17.284 [  DEBUG]:mpegts: XXXXXXXX in IPTV - close PID 0011 (17) [16/0x6220000f3100]
2016-12-06 15:21:17.284 [  DEBUG]:mpegts: XXXXXXXX in IPTV - close PID 0012 (18) [20/0x62200062a100]
2016-12-06 15:21:17.284 [  DEBUG]:epggrab: grab done for XXXXXXXX in IPTV (stolen)
2016-12-06 15:21:17.284 [  DEBUG]:mpegts: IPTV - removing mux XXXXXXXX in IPTV from scan queue
2016-12-06 15:21:17.284 [  DEBUG]:mpegts: XXXXXXXX in IPTV - add raw service
2016-12-06 15:21:17.285 [  DEBUG]:service: 1: XXXXXXXX.mkv in IPTV si 0x61000070b840 <unknown> weight 0 prio 11 error 0
2016-12-06 15:21:17.285 [   INFO]:mpegts: XXXXXXXX.mkv in IPTV - tuning on IPTV

Some IPTV providers list VOD videos in their channel list, maybe thats a problem. I already wrote a python script that ignore these video muxes, but these types of muxes are created if there a new VOD videos.

History

#1

Updated by Jaroslav Kysela about 8 years ago

  • Status changed from New to Fixed
  • % Done changed from 0 to 100

Applied in changeset commit:tvheadend|aeceb4a30f6426dc05e2975a9de9094955069b1a.

Also available in: Atom PDF