filters/f_decoder_wrapper: fix use-after-free#17553
Closed
N-R-K wants to merge 1 commit into mpv-player:master from
To trigger it, run any video with multiple audio tracks and click on the audio track icon in default osc.

This used to be guarded by locks but was changed in a569c3c with no explanation as to why. Reverting back to the old way fixes the UAF, so do that.

ASan stacktrace (notably, the allocation happens in one thread and the free on another):

```
==29382==ERROR: AddressSanitizer: heap-use-after-free on address 0x7ba2add5cc70 at pc 0x7f22b71f0ddf bp 0x7ffe01061990 sp 0x7ffe01061150
READ of size 5 at 0x7ba2add5cc70 thread T0
    #0 0x7f22b71f0dde (/usr/lib/gcc/x86_64-pc-linux-gnu/15/libasan.so.8+0x88dde)
    #1 0x000000b6b875 in ta_strdup ../ta/ta_utils.c:114
    #2 0x000000b6ca63 in ta_xstrdup ../ta/ta_utils.c:285
    #3 0x00000072b39e in str_get ../options/m_option.c:1289
    #4 0x00000075240b in m_option_get_node ../options/m_option.h:604
    #5 0x0000007571d5 in m_property_read_sub ../options/m_property.c:486
    #6 0x0000007b4a76 in get_track_entry ../player/command.c:2132
    #7 0x000000758ca4 in m_property_read_list ../options/m_property.c:577
    #8 0x0000007b6001 in mp_property_list_tracks ../player/command.c:2239
    #9 0x000000752ef7 in do_action ../options/m_property.c:94
    #10 0x000000753b75 in m_property_do ../options/m_property.c:175
    #11 0x0000007d965b in mp_property_do ../player/command.c:4734
    #12 0x0000007868d2 in getproperty_fn ../player/client.c:1422
    #13 0x00000078c8ea in send_client_property_changes ../player/client.c:1699
    #14 0x00000078e364 in mp_client_send_property_changes ../player/client.c:1770
    #15 0x0000008610e1 in mp_wait_events ../player/playloop.c:56
    #16 0x000000875e39 in run_playloop ../player/playloop.c:1313
    #17 0x000000842b74 in play_current_file ../player/loadfile.c:1952
    #18 0x000000846816 in mp_play_files ../player/loadfile.c:2144
    #19 0x00000084cbde in mpv_main ../player/main.c:457
    #20 0x000000d0bb9a in main ../osdep/main-fn-unix.c:5
    #21 0x7f22b2a76038 (/lib64/libc.so.6+0x26038)
    #22 0x7f22b2a760f4 in __libc_start_main (/lib64/libc.so.6+0x260f4)
    #23 0x000000418160 in _start (/home/nrk/src/core/mpv/build-debug/mpv+0x418160)

0x7ba2add5cc70 is located 80 bytes inside of 85-byte region [0x7ba2add5cc20,0x7ba2add5cc75)
freed by thread T2 here:
    #0 0x7f22b72aeaeb (/usr/lib/gcc/x86_64-pc-linux-gnu/15/libasan.so.8+0x146aeb)
    #1 0x000000b68bca in ta_free ../ta/ta.c:246
    #2 0x000000b689ff in ta_free_children ../ta/ta.c:231
    #3 0x000000b68ba1 in ta_free ../ta/ta.c:243
    #4 0x000000b689ff in ta_free_children ../ta/ta.c:231
    #5 0x000000b68ba1 in ta_free ../ta/ta.c:243
    #6 0x000000765060 in ao_chain_uninit ../player/audio.c:275
    #7 0x000000765410 in uninit_audio_chain ../player/audio.c:290
    #8 0x000000827f7c in mp_switch_track_n ../player/loadfile.c:733
    #9 0x0000007ae477 in mp_property_switch_track ../player/command.c:1982
    #10 0x000000752ef7 in do_action ../options/m_property.c:94
    #11 0x000000753680 in m_property_do ../options/m_property.c:142
    #12 0x0000007d965b in mp_property_do ../player/command.c:4734
    #13 0x0000007cf713 in mp_property_alias ../player/command.c:3788
    #14 0x000000752ef7 in do_action ../options/m_property.c:94
    #15 0x000000753680 in m_property_do ../options/m_property.c:142
    #16 0x0000007d965b in mp_property_do ../player/command.c:4734
    #17 0x0000007e42f9 in change_property_cmd ../player/command.c:5367
    #18 0x0000007ed67e in cmd_add_cycle ../player/command.c:5870
    #19 0x0000007e9617 in run_command ../player/command.c:5643
    #20 0x000000782aa7 in run_client_command ../player/client.c:1134
    #21 0x000000783284 in mpv_command_string ../player/client.c:1169
    #22 0x000000bac63c in script_command ../player/lua.c:610
    #23 0x7f22b370945a (/usr/lib64/libluajit-5.1.so.2+0x645a)

previously allocated by thread T0 here:
    #0 0x7f22b72afc9b in malloc (/usr/lib/gcc/x86_64-pc-linux-gnu/15/libasan.so.8+0x147c9b)
    #1 0x000000b67ee4 in ta_alloc_size ../ta/ta.c:139
    #2 0x000000b68241 in ta_realloc_size ../ta/ta.c:187
    #3 0x000000b6b5dd in strndup_append_at ../ta/ta_utils.c:93
    #4 0x000000b6b96b in ta_strndup ../ta/ta_utils.c:127
    #5 0x000000b6b892 in ta_strdup ../ta/ta_utils.c:114
    #6 0x000000b6ca63 in ta_xstrdup ../ta/ta_utils.c:285
    #7 0x000000625be3 in reinit_decoder ../filters/f_decoder_wrapper.c:458
    #8 0x000000626bf5 in mp_decoder_wrapper_reinit ../filters/f_decoder_wrapper.c:491
    #9 0x0000007698bc in init_audio_decoder ../player/audio.c:533
    #10 0x00000076a9dc in reinit_audio_chain_src ../player/audio.c:592
    #11 0x000000769c49 in reinit_audio_chain ../player/audio.c:556
    #12 0x0000008411e8 in play_current_file ../player/loadfile.c:1871
    #13 0x000000846816 in mp_play_files ../player/loadfile.c:2144
    #14 0x00000084cbde in mpv_main ../player/main.c:457
    #15 0x000000d0bb9a in main ../osdep/main-fn-unix.c:5
    #16 0x7f22b2a76038 (/lib64/libc.so.6+0x26038)

Thread T2 created by T0 here:
    #0 0x7f22b72a5efd in pthread_create (/usr/lib/gcc/x86_64-pc-linux-gnu/15/libasan.so.8+0x13defd)
    #1 0x000000881a9a in mp_load_script ../player/scripting.c:192
    #2 0x000000882827 in load_builtin_script ../player/scripting.c:252
    #3 0x000000882bd7 in mp_load_builtin_scripts ../player/scripting.c:264
    #4 0x00000080bfaf in mp_option_run_callback ../player/command.c:7989
    #5 0x000000861b4b in handle_option_callbacks ../player/playloop.c:130
    #6 0x00000084bd41 in mp_initialize ../player/main.c:389
    #7 0x00000084cbc9 in mpv_main ../player/main.c:455
    #8 0x000000d0bb9a in main ../osdep/main-fn-unix.c:5
    #9 0x7f22b2a76038 (/lib64/libc.so.6+0x26038)
```
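The race the trace shows is a heap string owned by decoder state that the track-switch path frees on one thread while the property reader on the main thread still dereferences it. The following is an added illustration of the lock-guarded pattern the PR restores, not mpv's own code: `struct dec_state`, `dec_state_desc_unsafe` and `dec_state_desc_copy` are hypothetical names, and the reader returns a copy made under the lock instead of the internal pointer.

```c
#define _POSIX_C_SOURCE 200809L
#include <pthread.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for decoder wrapper state: a heap string that a
 * reinit/uninit path replaces or frees while another thread may read it. */
struct dec_state {
    pthread_mutex_t lock;
    char *decoder_desc;   /* owned by the struct; replaced on reinit */
};

struct dec_state *dec_state_new(void)
{
    struct dec_state *s = calloc(1, sizeof(*s));
    pthread_mutex_init(&s->lock, NULL);
    return s;
}

/* Writer side (track switch / reinit): free the old string and install a
 * new one under the lock, so no reader can observe the freed pointer. */
void dec_state_set_desc(struct dec_state *s, const char *desc)
{
    pthread_mutex_lock(&s->lock);
    free(s->decoder_desc);
    s->decoder_desc = desc ? strdup(desc) : NULL;
    pthread_mutex_unlock(&s->lock);
}

/* Buggy reader: hands out the internal pointer with no lock. Once the
 * writer frees it, the caller holds a dangling pointer (the UAF above). */
const char *dec_state_desc_unsafe(const struct dec_state *s)
{
    return s->decoder_desc;
}

/* Fixed reader: copy while holding the lock. The caller owns the copy,
 * so a later free by the writer cannot invalidate it. */
char *dec_state_desc_copy(struct dec_state *s)
{
    pthread_mutex_lock(&s->lock);
    char *copy = s->decoder_desc ? strdup(s->decoder_desc) : NULL;
    pthread_mutex_unlock(&s->lock);
    return copy;
}

void dec_state_free(struct dec_state *s)
{
    if (!s) return;
    free(s->decoder_desc);
    pthread_mutex_destroy(&s->lock);
    free(s);
}
```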
Closing in favor of: #17554