Hi Ross,

We have rebuilt with -g and without -o0 and get the same result (SIGABRT in disassembled code, no stack trace).

We have tried the latest build of OpenRTSP with the -T flag. OpenRTSP does not send GET_PARAMETER requests to the Live555 server, so it will not call the code in base64Decode where the SIGABRT occurs (in the new or delete calls).

We are using the VLC client, which does send the GET_PARAMETER messages. The crash during GET_PARAMETER message processing appears to be related to truncated base 64 encoded GET_PARAMETER requests, so may be triggered by network congestion.

Excerpts from the live555 debug (with indented lines being debug we have added to try to locate the crash) are attached below.

It appears that after sending the RTSP/1.0 400 Bad Request response, RTSPClientConnection::handleRequestBytes is called with 3 bytes, which sets fBase64RemainderCount to 3. Is this causing the pointer passed into base64Decode to go out of range?

Please let me know if there are further tests we can do to find the cause and indicate a fix for this issue.

Thanks for the mention in the latest changelog ...

Best Regards,

Piers Hawksley



The following happens twice with many RTCP Liveness indications between.



RTSPClientConnection[0x1b64b8]::handleRequestBytes() read 443 new bytes:R0VUX1BBUkFNRVRFUiBydHNwOi8vMTAuMjYuNy44MC9zdHJlYW0wLyBSVFNQLzEuMA0KQ1NlcTogNzQNCkF1dGhvcml6YXRpb246IERpZ2VzdCB1c2VybmFtZT0iQWRtaW4iLCByZWFsbT0iTElWRTU1NSBTdHJlYW1pbmcgTWVkaWEiLCBub25jZT0iYTlmMDA1ODBlYTA2ZDMxYmIxNWI1ZTU4OTk1ZGFmNmIiLCB1cmk9InJ0c3A6Ly8xMC4yNi43LjgwL3N0cmVhbTAvIiwgcmVzcG9uc2U9ImMwZDgzNGQyNGY4NjE5ZjdiOTU3NmNmZjE4YjRjN2UyIg0KVXNlci1BZ2VudDogTGliVkxDLzIuMS4zIChMSVZFNTU1IFN0cmVhbWluZyBNZWRpYSB2MjAxNC4wMS4yMSkNClNlc3Npb246IDcwOTY
numBytesToDecode=440, newBase64RemainderCount=3
    out=0x27cd80
    k=330, paddingCount=0, inSize=440
    trimTrailingZeros=1
    resultSize=330
    new result=0x27cf40
    Moved out to result
    deleted out
    decodedBytes=0x27cf40
Base64-decoded 440 input bytes into 330 new bytes:GET_PARAMETER rtsp://10.26.7.80/stream0/ RTSP/1.0
CSeq: 74
Authorization: Digest username="Admin", realm="LIVE555 Streaming Media", nonce="a9f00580ea06d31bb15b5e58995daf6b", uri="rtsp://10.26.7.80/stream0/", response="c0d834d24f8619f7b9576cff18b4c7e2"
User-Agent: LibVLC/2.1.3 (LIVE555 Streaming Media v2014.01.21)
Session: 70
    Deletedd decodedBytes
    fBase64RemainderCount=3
RTSPClientConnection[0x1b64b8]::handleRequestBytes() read 13 new bytes:3QjVEDQoNCg==
numBytesToDecode=16, newBase64RemainderCount=0
    out=0x183708
    k=12, paddingCount=2, inSize=16
    trimTrailingZeros=1
    resultSize=10
    new result=0x183748
    Moved out to result
    deleted out
    decodedBytes=0x183748
Base64-decoded 16 input bytes into 10 new bytes:7B5D


    Deletedd decodedBytes
    fBase64RemainderCount=0
parseRTSPRequestString() failed; checking now for HTTP commands (for RTSP-over-HTTP tunneling)...
parseHTTPRequestString() failed!
sending response: RTSP/1.0 400 Bad Request
Date: Wed, Jun 18 2014 14:15:32 GMT
Allow: OPTIONS, DESCRIBE, SETUP, TEARDOWN, PLAY, PAUSE, GET_PARAMETER, SET_PARAMETER

RTSPClientConnection[0x1b64b8]::handleRequestBytes() processing 3 new bytes:oNC
    numBytesToDecode=0, newBase64RemainderCount=3
    fBase64RemainderCount=3




Then after a few more RTCP Liveness indications we receive a complete base 64 encoded GET_PARAMETER request (with fBase64RemainderCount set to 3) and crash.



RTSPClientConnection[0x1b64b8]::handleRequestBytes() read 456 new bytes:R0VUX1BBUkFNRVRFUiBydHNwOi8vMTAuMjYuNy44MC9zdHJlYW0wLyBSVFNQLzEuMA0KQ1NlcTogNzUNCkF1dGhvcml6YXRpb246IERpZ2VzdCB1c2VybmFtZT0iQWRtaW4iLCByZWFsbT0iTElWRTU1NSBTdHJlYW1pbmcgTWVkaWEiLCBub25jZT0iYTlmMDA1ODBlYTA2ZDMxYmIxNWI1ZTU4OTk1ZGFmNmIiLCB1cmk9InJ0c3A6Ly8xMC4yNi43LjgwL3N0cmVhbTAvIiwgcmVzcG9uc2U9ImMwZDgzNGQyNGY4NjE5ZjdiOTU3NmNmZjE4YjRjN2UyIg0KVXNlci1BZ2VudDogTGliVkxDLzIuMS4zIChMSVZFNTU1IFN0cmVhbWluZyBNZWRpYSB2MjAxNC4wMS4yMSkNClNlc3Npb246IDcwOTY3QjVEDQoNCg==
    numBytesToDecode=456, newBase64RemainderCount=3
    out=0x183830
    k=342, paddingCount=0, inSize=456
    trimTrailingZeros=1
    resultSize=342
    new result=0x27cd48
    Moved out to result
*** glibc detected *** /program/name: free(): invalid next size (fast): 0x00183830 ***
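
The remainder bookkeeping visible in the debug output above, modelled as an added example; it is not part of the original message and is not live555's code. The names `b64_stream`, `b64_plan`, `b64_at` and `b64_feed` are hypothetical, and the sample request in `main` is constructed (base64 of "GET_PARAMETER"). It shows a carry-aware streaming decoder that bounds its output before writing, and how 3 stale characters left in the carry shift every group of the next request.

```c
#include <stddef.h>
#include <string.h>

/* Up to 3 undecoded characters carried between reads (hypothetical type). */
typedef struct { char carry[3]; size_t carry_len; } b64_stream;
/* Split carry + new characters into whole 4-char groups and a remainder. */
size_t b64_plan(size_t carry_len, size_t n, size_t *to_decode) {
    *to_decode = (carry_len + n) & ~(size_t)3;
    return (carry_len + n) & 3;
}
/* Character k of the virtual concatenation carry || in. */
static char b64_at(const b64_stream *s, const char *in, size_t k) {
    return k < s->carry_len ? s->carry[k] : in[k - s->carry_len];
}
static int b64_val(char c) {
    static const char tbl[] =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    const char *p = c ? strchr(tbl, c) : NULL;
    return p ? (int)(p - tbl) : -1;
}

/* Decode every complete group of carry || in into out (capacity cap). Returns bytes
   written, or -1 (stream state unchanged) on bad input or a too-small buffer. */
long b64_feed(b64_stream *s, const char *in, size_t n, unsigned char *out, size_t cap) {
    size_t to_decode, w = 0, rem = b64_plan(s->carry_len, n, &to_decode);
    char next[3];
    if (to_decode / 4 * 3 > cap) return -1;   /* bound checked before writing */
    for (size_t i = 0; i < to_decode; i += 4) {
        int v[4], pad = 0;
        for (size_t j = 0; j < 4; j++) {
            char c = b64_at(s, in, i + j);
            if (c == '=' && j >= 2) { pad++; v[j] = 0; continue; }
            if (pad || (v[j] = b64_val(c)) < 0) return -1;
        }
        if (pad && i + 4 != to_decode) return -1;   /* '=' only in last group */
        out[w++] = (unsigned char)(v[0] << 2 | v[1] >> 4);
        if (pad < 2) out[w++] = (unsigned char)(v[1] << 4 | v[2] >> 2);
        if (pad < 1) out[w++] = (unsigned char)(v[2] << 6 | v[3]);
    }
    for (size_t j = 0; j < rem; j++) next[j] = b64_at(s, in, to_decode + j);
    memcpy(s->carry, next, rem);   /* keep the trailing 0..3 characters */
    s->carry_len = rem;
    return (long)w;
}

int main(void) {   /* constructed sample: base64 of "GET_PARAMETER" */
    b64_stream s = {{0}, 0}; unsigned char out[16];
    return b64_feed(&s, "R0VUX1BBUkFNRVRFUg==", 20, out, sizeof out) == 13 ? 0 : 1;
}
```

`b64_plan` reproduces the `numBytesToDecode` / `newBase64RemainderCount` pairs in the log for reads of 443, 13, 3 and 456 characters.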

