Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

race condition in audio.c on uninit #6808

Closed
3kyo0 opened this issue Jul 15, 2019 · 6 comments
Closed

race condition in audio.c on uninit #6808

3kyo0 opened this issue Jul 15, 2019 · 6 comments

Comments

@3kyo0
Copy link

3kyo0 commented Jul 15, 2019

mpv version and platform

mpv 0.29.1
mpv 0.29.0-353-g65b1c2d065-dirty
MacOS 10.13.6 (17G6030)

Reproduction steps

run script ./fuzz.sh
https://github.com/3kyo0/fuzz_samples/blob/master/fuzz.sh

Expected behavior

crash with Segmentation fault: 11
[mkv] SeekHead position beyond end of file - incomplete file?
(+) Video --vid=1 () (h264 720x432 25.000fps)
(+) Audio --aid=1 --alang=fre (
) (ac3 2ch)
(+) Subs --sid=1 --slang=fre (*) (dvd_subtitle)
[mkv] Invalid EBML length at position 13124
[mkv] Corrupt file detected. Trying to resync starting from position 13124...
No video PTS! Making something up. Using 25.000000 FPS.
[ffmpeg/audio] ac3: expacc 126 is out-of-range
[ffmpeg/audio] ac3: error decoding the audio block
Audio: no audio
Segmentation fault: 11

Actual behavior

crash

Log file

https://github.com/3kyo0/fuzz_samples/blob/master/crashreport.txt
https://github.com/3kyo0/fuzz_samples/blob/master/HONGGFUZZ.REPORT.TXT

Sample files

https://github.com/3kyo0/fuzz_samples/blob/master/SIGSEGV.EXC_BAD_ACCESS.PC.000000010ed954bf.STACK.0000000f38a4c8be.ADDR.000000004d555462.fuzz

@sfan5
Copy link
Member

sfan5 commented Jul 15, 2019

Can't reproduce on Linux with mpv 0.29.0-353-g65b1c2d065 and ffmpeg N-94185-gca576833e4.
For fuzzing you might want to use --no-config to ensure the crash doesn't depend on any of your local configuration.

@3kyo0
Copy link
Author

3kyo0 commented Jul 15, 2019

Can't reproduce on Linux with mpv 0.29.0-353-g65b1c2d065 and ffmpeg N-94185-gca576833e4.
For fuzzing you might want to use --no-config to ensure the crash doesn't depend on any of your local configuration.

Only MacOS

@Akemi Akemi added the os:mac label Jul 15, 2019
@3kyo0
Copy link
Author

3kyo0 commented Jul 16, 2019

seems ao_c->filter pointer broken.there is two debug info.
1、Normal info:
Playing: ./SIGSEGV.EXC_BAD_ACCESS.PC.000000010ed954bf.STACK.0000000f38a4c8be.ADDR.000000004d555462.fuzz
[mkv] SeekHead position beyond end of file - incomplete file?
(+) Video --vid=1 () (h264 720x432 25.000fps)
(+) Audio --aid=1 --alang=fre (
) (ac3 2ch)
(+) Subs --sid=1 --slang=fre (*) (dvd_subtitle)
[vo/gpu] opengl cocoa backend is deprecated, use vo=libmpv instead
[debug]ao_c->filter->f->pins[1]:0x7f8e2f5418d0
[debug]mpctx:0x7f8e32004840
[debug]ao_c:0x7f8e2f5351b0
[debug]ao_c->filter:0x7f8e2f5414f8
[debug]ao_c->filter->got_output_eof:0x0
[debug]mpctx->audio_status:0x0
[debug]
[mkv] Invalid EBML length at position 13124
[mkv] Corrupt file detected. Trying to resync starting from position 13124...
[ffmpeg/audio] ac3: expacc 126 is out-of-range
[ffmpeg/audio] ac3: error decoding the audio block
No video PTS! Making something up. Using 25.000000 FPS.
[debug]ao_c->filter->f->pins[1]:0x7f8e2f5418d0
Audio: no audio
[debug]mpctx:0x7f8e32004840
[debug]ao_c:0x7f8e2f5351b0
[debug]ao_c->filter:0x7f8e2f5414f8
[debug]ao_c->filter->got_output_eof:0x0
[debug]mpctx->audio_status:0x5
[debug]
VO: [gpu] 720x432 => 1455x432 yuv420p
V: -00:00:00 / 00:00:00 (0%)

Exiting... (End of file)

2、Crashed info
Playing: ./SIGSEGV.EXC_BAD_ACCESS.PC.000000010ed954bf.STACK.0000000f38a4c8be.ADDR.000000004d555462.fuzz
[mkv] SeekHead position beyond end of file - incomplete file?
(+) Video --vid=1 () (h264 720x432 25.000fps)
(+) Audio --aid=1 --alang=fre (
) (ac3 2ch)
(+) Subs --sid=1 --slang=fre (*) (dvd_subtitle)
[vo/gpu] opengl cocoa backend is deprecated, use vo=libmpv instead
[debug]ao_c->filter->f->pins[1]:0x7f8ebc1211c0
[debug]mpctx:0x7f8ebe000040
[debug]ao_c:0x7f8ebc120d30
[debug]ao_c->filter:0x7f8ebc120858
[debug]ao_c->filter->got_output_eof:0x0
[debug]mpctx->audio_status:0x0
[debug]
[mkv] Invalid EBML length at position 13124
[mkv] Corrupt file detected. Trying to resync starting from position 13124...
No video PTS! Making something up. Using 25.000000 FPS.
[ffmpeg/audio] ac3: expacc 126 is out-of-range
[ffmpeg/audio] ac3: error decoding the audio block
[debug]ao_c->filter->f->pins[1]:0x7f8ebc1211c0
Audio: no audio
[debug]mpctx:0x7f8ebe000040
[debug]ao_c:0x7f8ebc120d30
[debug]ao_c->filter:0x312d320a6572662d
UndefinedBehaviorSanitizer:DEADLYSIGNAL
==3033==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x000000000000 (pc 0x0001012bb3f9 bp 0x7000039f3dc0 sp 0x7000039f3d00 T61145)

@Akemi Akemi removed the os:mac label Jul 16, 2019
@3kyo0
Copy link
Author

3kyo0 commented Jul 17, 2019

After debugging I think this is an Use after free Vulnerability.
audio.c:425 uinit_audio_chain(mpctx); this line free the ao_c
audio.c:810 if(ao_c->filter->got_output_eof && . this line reuse it

@Akemi Akemi changed the title crash on MacOS race condition in audio.c on uninit Jul 21, 2019
@Akemi
Copy link
Member

Akemi commented Jul 21, 2019

i don't think the uninit in line 425 is the culprit. it's called in order and before the code in line 810. it's some race condition in another part of the code.

@ghost
Copy link

ghost commented Sep 21, 2019

I think @3kyo0 was right, that's exactly what I observed.

This issue was closed.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

No branches or pull requests

3 participants