Project

General

Custom queries

Profile

Actions
Copy link

Bug #4457

closed

Segmentation Fault on long URL inside M3U file - strlen() function at src/url.c:112

Added by Raphael Lacerda almost 8 years ago. Updated almost 8 years ago.

Status:
Fixed
Priority:
Normal
Assignee:
-
Category:
IPTV
Target version:
-
Start date:
2017-06-24
Due date:
% Done:

100%

Estimated time:
Found in version:
tvheadend: version 4.2.2-63~g0cbd8a1
Affected Versions:

Description

Hello!

TVHeadend 4.2.2-63~g0cbd8a1 (debian package still found in DEB repositories) crashed every time I tried to use a specific M3U8 list within an IPTV Automatic Network.
At debug and core-dump analysis, I suspected that a specific item in the M3U8 list was problematic. This was confirmed after removing half of the list recursively, until the issued entry was left alone.

The issued entry happens to be a M3U8 file that contains very long URLs. Those URLs are probably mishandled by "strlen()" function inside src/url.c source code, as indicated by the full backtrace of the core dump.

Issued M3U8 playlist
http://listaiptvbrasil.com/tt.txt
  • attention: the first tag of the list (#EXTM3U) was preceded by a space character, avoiding TVHeadend to recognize the list formatting. Looks like the owner fixed the playlist already.

Issued M3U8 playlist segment

#EXTINF:-1 tvg-logo="https://lut.im/ogVGfv4QCU/HoTyEvQGcwNSJ3eG.png" group-title="FILMES", MaxUp
http://duost.ddns.me:19790/live/DSK94cdypL/nnnrhnV1Nv/86.m3u8

Issued M3U File Content: 86.m3u8

#EXTM3U
#EXT-X-VERSION:3
#EXT-X-MEDIA-SEQUENCE:3592
#EXT-X-ALLOW-CACHE:YES
#EXT-X-TARGETDURATION:12
#EXTINF:8.000000,
/hlsr/ShpaUURdE1sSUlYBVFYFBlsPDVRSCQMEB1dWCVJRAlRXDwEDUlEJAFIWT0dCEkBQA1tmWFQaWAsAHxFEFlYRbVhcEAoVAQRDHBYXDFwDEA9SGhtBWVxACRQCBQFVBEEeE11KRFJHXwBcawcARw9RUEAMV0RcVE4RWV1sVQBeAlxVGggSBxcdQ1lHE0cLRHxQFlNVXRBsB19TUFxcEF0KUVBbXVVEFX0VVFVBSRMEW0EQV01UEgJACg4LER1HUAxHX0xASRUPEyNiFk9HVB5GUAxFUF5eGlgRWwBGCUcfQVtCZ0BVREFDBFFZBhcTXBAFQBobXFFAPVBZXV1UBkcKXV9LEAoVBAFRABZPR1wJXFwWWUtuQFEGEQwRAQNQAVIQTA==/DSK94cdypL/nnnrhnV1Nv/86/134b9abb431c8500519aa2bece41c061/86_3592.ts
#EXTINF:11.999000,
/hlsr/ShpaUURdE1sSUlYBVFYFBlsPDVRSCQMEB1dWCVJRAlRXDwEDUlEJAFIWT0dCEkBQA1tmWFQaWAsAHxFEFlYRbVhcEAoVAQRDHBYXDFwDEA9SGhtBWVxACRQCBQFVBEEeE11KRFJHXwBcawcARw9RUEAMV0RcVE4RWV1sVQBeAlxVGggSBxcdQ1lHE0cLRHxQFlNVXRBsB19TUFxcEF0KUVBbXVVEFX0VVFVBSRMEW0EQV01UEgJACg4LER1HUAxHX0xASRUPEyNiFk9HVB5GUAxFUF5eGlgRWwBGCUcfQVtCZ0BVREFDBFFZBhcTXBAFQBobXFFAPVBZXV1UBkcKXV9LEAoVBAFRABZPR1wJXFwWWUtuQFEGEQwRAQNQAVIQTA==/DSK94cdypL/nnnrhnV1Nv/86/82a28777ec9ad2b64f754ec9ee18c096/86_3593.ts
#EXTINF:8.000000,
/hlsr/ShpaUURdE1sSUlYBVFYFBlsPDVRSCQMEB1dWCVJRAlRXDwEDUlEJAFIWT0dCEkBQA1tmWFQaWAsAHxFEFlYRbVhcEAoVAQRDHBYXDFwDEA9SGhtBWVxACRQCBQFVBEEeE11KRFJHXwBcawcARw9RUEAMV0RcVE4RWV1sVQBeAlxVGggSBxcdQ1lHE0cLRHxQFlNVXRBsB19TUFxcEF0KUVBbXVVEFX0VVFVBSRMEW0EQV01UEgJACg4LER1HUAxHX0xASRUPEyNiFk9HVB5GUAxFUF5eGlgRWwBGCUcfQVtCZ0BVREFDBFFZBhcTXBAFQBobXFFAPVBZXV1UBkcKXV9LEAoVBAFRABZPR1wJXFwWWUtuQFEGEQwRAQNQAVIQTA==/DSK94cdypL/nnnrhnV1Nv/86/63ff12aac7f66b078af815b134d679e2/86_3594.ts
#EXTINF:12.000000,
/hlsr/ShpaUURdE1sSUlYBVFYFBlsPDVRSCQMEB1dWCVJRAlRXDwEDUlEJAFIWT0dCEkBQA1tmWFQaWAsAHxFEFlYRbVhcEAoVAQRDHBYXDFwDEA9SGhtBWVxACRQCBQFVBEEeE11KRFJHXwBcawcARw9RUEAMV0RcVE4RWV1sVQBeAlxVGggSBxcdQ1lHE0cLRHxQFlNVXRBsB19TUFxcEF0KUVBbXVVEFX0VVFVBSRMEW0EQV01UEgJACg4LER1HUAxHX0xASRUPEyNiFk9HVB5GUAxFUF5eGlgRWwBGCUcfQVtCZ0BVREFDBFFZBhcTXBAFQBobXFFAPVBZXV1UBkcKXV9LEAoVBAFRABZPR1wJXFwWWUtuQFEGEQwRAQNQAVIQTA==/DSK94cdypL/nnnrhnV1Nv/86/82696359a7ed607604768be5fffb96c5/86_3595.ts
#EXTINF:8.000000,
/hlsr/ShpaUURdE1sSUlYBVFYFBlsPDVRSCQMEB1dWCVJRAlRXDwEDUlEJAFIWT0dCEkBQA1tmWFQaWAsAHxFEFlYRbVhcEAoVAQRDHBYXDFwDEA9SGhtBWVxACRQCBQFVBEEeE11KRFJHXwBcawcARw9RUEAMV0RcVE4RWV1sVQBeAlxVGggSBxcdQ1lHE0cLRHxQFlNVXRBsB19TUFxcEF0KUVBbXVVEFX0VVFVBSRMEW0EQV01UEgJACg4LER1HUAxHX0xASRUPEyNiFk9HVB5GUAxFUF5eGlgRWwBGCUcfQVtCZ0BVREFDBFFZBhcTXBAFQBobXFFAPVBZXV1UBkcKXV9LEAoVBAFRABZPR1wJXFwWWUtuQFEGEQwRAQNQAVIQTA==/DSK94cdypL/nnnrhnV1Nv/86/3eb1faafc2aad553f491959b3ec1e86c/86_3596.ts
#EXTINF:11.999000,
/hlsr/ShpaUURdE1sSUlYBVFYFBlsPDVRSCQMEB1dWCVJRAlRXDwEDUlEJAFIWT0dCEkBQA1tmWFQaWAsAHxFEFlYRbVhcEAoVAQRDHBYXDFwDEA9SGhtBWVxACRQCBQFVBEEeE11KRFJHXwBcawcARw9RUEAMV0RcVE4RWV1sVQBeAlxVGggSBxcdQ1lHE0cLRHxQFlNVXRBsB19TUFxcEF0KUVBbXVVEFX0VVFVBSRMEW0EQV01UEgJACg4LER1HUAxHX0xASRUPEyNiFk9HVB5GUAxFUF5eGlgRWwBGCUcfQVtCZ0BVREFDBFFZBhcTXBAFQBobXFFAPVBZXV1UBkcKXV9LEAoVBAFRABZPR1wJXFwWWUtuQFEGEQwRAQNQAVIQTA==/DSK94cdypL/nnnrhnV1Nv/86/16ec623a5763f13089857994dd1dba37/86_3597.ts

Debug Output (last 7 rows)

2017-06-24 05:40:21.387 [  DEBUG] mpegts: tvfoco.m3u - MaxUp in TV Foco Local - add raw service
2017-06-24 05:40:21.387 [  DEBUG] service: 1: tvfoco.m3u - MaxUp in TV Foco Local si 0x72b00bb8 <unknown> weight 0 prio 11 error 0
2017-06-24 05:40:21.387 [   INFO] mpegts: tvfoco.m3u - MaxUp in TV Foco Local - tuning on IPTV
2017-06-24 05:40:21.391 [  DEBUG] mpegts: tvfoco.m3u - MaxUp in TV Foco Local - started
2017-06-24 05:40:21.392 [  DEBUG] mpegts: tvfoco.m3u - MaxUp in TV Foco Local - open PID tables subscription [0042/0x72b10a78]
2017-06-24 05:40:21.392 [   INFO] subscription: 0002: "scan" subscribing to mux "tvfoco.m3u - MaxUp", weight: 5, adapter: "IPTV", network: "TV Foco Local", service: "Raw PID Subscription" 
Segmentation fault (core dumped)

GDB Core Analysis

GNU gdb (Raspbian 7.7.1+dfsg-5+rpi1) 7.7.1
Copyright (C) 2014 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying" 
and "show warranty" for details.
This GDB was configured as "arm-linux-gnueabihf".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from tvheadend...Reading symbols from /usr/lib/debug//usr/bin/tvheadend...done.
done.
[New LWP 17187]
…similar lines removed by Raphael…
[New LWP 17216]
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/arm-linux-gnueabihf/libthread_db.so.1".
Core was generated by `tvheadend -d -D'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  strlen () at ../ports/sysdeps/arm/armv6/strlen.S:26
26    ../ports/sysdeps/arm/armv6/strlen.S: No such file or directory.

GDB Full Backtrace

(gdb) bt full
#0  strlen () at ../ports/sysdeps/arm/armv6/strlen.S:26
No locals.
#1  0x54b682ac in urlparse (str=<optimized out>, url=0x74ede944) at src/url.c:112
        state = {uri = 0x74ede7bc, errorCode = 0, errorPos = 0x0, reserved = 0x0}
        path = 0x73e019c0
        uri = {scheme = {first = 0x73e029f8 "http://107.182.226.91:19790/hlsr/ShpaUURdE1sSBgVdBAQCBgMCAQlSCFNRA1FQAlFXUAMGAQFRVAIBAAIWT0dCEkBQA1tmWFQaWAsAHxFEFlYRbVhcEAoVAQRDHBYXDFwDEA9SGhtBWVxACRQCBQFVBEEeE11KRFJHXwBcawcARw9RUEAMV0RcVE4RWV1sVQB"..., afterLast = 0x73e029fc "://107.182.226.91:19790/hlsr/ShpaUURdE1sSBgVdBAQCBgMCAQlSCFNRA1FQAlFXUAMGAQFRVAIBAAIWT0dCEkBQA1tmWFQaWAsAHxFEFlYRbVhcEAoVAQRDHBYXDFwDEA9SGhtBWVxACRQCBQFVBEEeE11KRFJHXwBcawcARw9RUEAMV0RcVE4RWV1sVQBeAlx"...}, userInfo = {first = 0x0, afterLast = 0x0}, hostText = {first = 0x73e029ff "107.182.226.91:19790/hlsr/ShpaUURdE1sSBgVdBAQCBgMCAQlSCFNRA1FQAlFXUAMGAQFRVAIBAAIWT0dCEkBQA1tmWFQaWAsAHxFEFlYRbVhcEAoVAQRDHBYXDFwDEA9SGhtBWVxACRQCBQFVBEEeE11KRFJHXwBcawcARw9RUEAMV0RcVE4RWV1sVQBeAlxVGg"..., afterLast = 0x73e02a0d ":19790/hlsr/ShpaUURdE1sSBgVdBAQCBgMCAQlSCFNRA1FQAlFXUAMGAQFRVAIBAAIWT0dCEkBQA1tmWFQaWAsAHxFEFlYRbVhcEAoVAQRDHBYXDFwDEA9SGhtBWVxACRQCBQFVBEEeE11KRFJHXwBcawcARw9RUEAMV0RcVE4RWV1sVQBeAlxVGggSBxcdQ1lHE0cL"...}, hostData = {ip4 = 0x73e07540, ip6 = 0x0, ipFuture = {first = 0x0, afterLast = 0x0}}, portText = {first = 0x73e02a0e "19790/hlsr/ShpaUURdE1sSBgVdBAQCBgMCAQlSCFNRA1FQAlFXUAMGAQFRVAIBAAIWT0dCEkBQA1tmWFQaWAsAHxFEFlYRbVhcEAoVAQRDHBYXDFwDEA9SGhtBWVxACRQCBQFVBEEeE11KRFJHXwBcawcARw9RUEAMV0RcVE4RWV1sVQBeAlxVGggSBxcdQ1lHE0cLR"..., afterLast = 0x73e02a13 "/hlsr/ShpaUURdE1sSBgVdBAQCBgMCAQlSCFNRA1FQAlFXUAMGAQFRVAIBAAIWT0dCEkBQA1tmWFQaWAsAHxFEFlYRbVhcEAoVAQRDHBYXDFwDEA9SGhtBWVxACRQCBQFVBEEeE11KRFJHXwBcawcARw9RUEAMV0RcVE4RWV1sVQBeAlxVGggSBxcdQ1lHE0cLRHxQFl"...}, pathHead = 0x73e07388, pathTail = 0x73e01f78, query = {first = 0x0, afterLast = 0x0}, fragment = {first = 0x0, afterLast = 0x0}, absolutePath = 0, owner = 0, reserved = 0x0}
        s = <optimized out>
        buf = "ShpaUURdE1sSBgVdBAQCBgMCAQlSCFNRA1FQAlFXUAMGAQFRVAIBAAIWT0dCEkBQA1tmWFQaWAsAHxFEFlYRbVhcEAoVAQRDHBYXDFwDEA9SGhtBWVxACRQCBQFVBEEeE11KRFJHXwBcawcARw9RUEAMV0RcVE4RWV1sVQBeAlxVGggSBxcdQ1lHE0cLRHxQFlNVXRBs"...
#2  0x66635542 in ?? ()
No symbol table info available.
Backtrace stopped: previous frame identical to this frame (corrupt stack?)
(gdb)

#2

Updated by Jaroslav Kysela almost 8 years ago

  • Status changed from New to Fixed
  • % Done changed from 0 to 100
Actions
Copy link

Also available in: Atom PDF