Skip to content

GitLab

Closed
Created by Hugo Lefeuvre@hlefeuvreDeveloper

heap-use-after-free during exit when video preview is running

Affects: latest daemon master

How to reproduce:

  1. open GNOME client
  2. go to settings and then media settings
  3. make sure preview runs
  4. quit app using "quit" function

The daemon crashes.

I can't reproduce it with -pcd but -cd does crash.

ASan and gdb stacktrace:

=================================================================
==478==ERROR: AddressSanitizer: heap-use-after-free on address 0x608000105fd0 at pc 0x7ffff6ee1676 bp 0x7fffd46c4400 sp 0x7fffd46c3ba8
READ of size 11 at 0x608000105fd0 thread T49
    #0 0x7ffff6ee1675 in memcmp (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x77675)
    #1 0x7ffff34a1277 in std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::compare(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) const (/usr/lib/x86_64-linux-gnu/libstdc++.so.6+0x121277)
    #2 0x475a8a in bool std::operator< <char, std::char_traits<char>, std::allocator<char> >(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /usr/include/c++/5/bits/basic_string.h:4989
    #3 0x462a60 in std::less<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > >::operator()(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) const /usr/include/c++/5/bits/stl_function.h:387
    #4 0x4c413b in std::_Rb_tree<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > >, std::_Select1st<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > >, std::less<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > >, std::allocator<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > > >::_M_lower_bound(std::_Rb_tree_node<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > >*, std::_Rb_tree_node<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > >*, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /usr/include/c++/5/bits/stl_tree.h:1628
    #5 0x4c3694 in std::_Rb_tree<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > >, std::_Select1st<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > >, std::less<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > >, std::allocator<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > > >::lower_bound(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /usr/include/c++/5/bits/stl_tree.h:1091
    #6 0x4c2f62 in std::map<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::less<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > >, std::allocator<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > > >::lower_bound(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /usr/include/c++/5/bits/stl_map.h:916
    #7 0x521844 in std::map<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::less<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > >, std::allocator<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > > >::operator[](std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >&&) /usr/include/c++/5/bits/stl_map.h:499
    #8 0x7da690 in ring::Smartools::setResolution(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, int, int) /home/hlefeuvre/Development/ring-daemon/src/smartools.cpp:100
    #9 0x9853a9 in ring::video::SinkClient::update(ring::video::Observable<std::shared_ptr<ring::VideoFrame> >*, std::shared_ptr<ring::VideoFrame> const&) /home/hlefeuvre/Development/ring-daemon/src/media/video/sinkclient.cpp:337
    #10 0x71570e in ring::video::Observable<std::shared_ptr<ring::VideoFrame> >::notify(std::shared_ptr<ring::VideoFrame>) /home/hlefeuvre/Development/ring-daemon/src/media/video/video_base.h:97
    #11 0x71345c in ring::video::VideoGenerator::publishFrame() /home/hlefeuvre/Development/ring-daemon/src/media/video/video_base.cpp:50
    #12 0x72c859 in ring::video::VideoInput::captureFrame() /home/hlefeuvre/Development/ring-daemon/src/media/video/video_input.cpp:249
    #13 0x72bf6d in ring::video::VideoInput::process() /home/hlefeuvre/Development/ring-daemon/src/media/video/video_input.cpp:162
    #14 0x734c5d in void std::_Mem_fn_base<void (ring::video::VideoInput::*)(), true>::operator()<, void>(ring::video::VideoInput*) const /usr/include/c++/5/functional:600
    #15 0x733c34 in void std::_Bind<std::_Mem_fn<void (ring::video::VideoInput::*)()> (ring::video::VideoInput*)>::__call<void, , 0ul>(std::tuple<>&&, std::_Index_tuple<0ul>) /usr/include/c++/5/functional:1074
    #16 0x732d86 in void std::_Bind<std::_Mem_fn<void (ring::video::VideoInput::*)()> (ring::video::VideoInput*)>::operator()<, void>() /usr/include/c++/5/functional:1133
    #17 0x731e1e in std::_Function_handler<void (), std::_Bind<std::_Mem_fn<void (ring::video::VideoInput::*)()> (ring::video::VideoInput*)> >::_M_invoke(std::_Any_data const&) (/home/hlefeuvre/Development/ring-daemon/bin/dring+0x731e1e)
    #18 0x4638a3 in std::function<void ()>::operator()() const /usr/include/c++/5/functional:2267
    #19 0x7b0ee3 in ring::ThreadLoop::mainloop(std::thread::id&, std::function<bool ()>, std::function<void ()>, std::function<void ()>) /home/hlefeuvre/Development/ring-daemon/src/threadloop.cpp:38
    #20 0x7b4b3f in void std::_Mem_fn_base<void (ring::ThreadLoop::*)(std::thread::id&, std::function<bool ()>, std::function<void ()>, std::function<void ()>), true>::operator()<std::reference_wrapper<std::thread::id>, std::function<bool ()>, std::function<void ()>, std::function<void ()>, void>(ring::ThreadLoop*, std::reference_wrapper<std::thread::id>&&, std::function<bool ()>&&, std::function<void ()>&&, std::function<void ()>&&) const (/home/hlefeuvre/Development/ring-daemon/bin/dring+0x7b4b3f)
    #21 0x7b4874 in void std::_Bind_simple<std::_Mem_fn<void (ring::ThreadLoop::*)(std::thread::id&, std::function<bool ()>, std::function<void ()>, std::function<void ()>)> (ring::ThreadLoop*, std::reference_wrapper<std::thread::id>, std::function<bool ()>, std::function<void ()>, std::function<void ()>)>::_M_invoke<0ul, 1ul, 2ul, 3ul, 4ul>(std::_Index_tuple<0ul, 1ul, 2ul, 3ul, 4ul>) (/home/hlefeuvre/Development/ring-daemon/bin/dring+0x7b4874)
    #22 0x7b45d9 in std::_Bind_simple<std::_Mem_fn<void (ring::ThreadLoop::*)(std::thread::id&, std::function<bool ()>, std::function<void ()>, std::function<void ()>)> (ring::ThreadLoop*, std::reference_wrapper<std::thread::id>, std::function<bool ()>, std::function<void ()>, std::function<void ()>)>::operator()() (/home/hlefeuvre/Development/ring-daemon/bin/dring+0x7b45d9)
    #23 0x7b4569 in std::thread::_Impl<std::_Bind_simple<std::_Mem_fn<void (ring::ThreadLoop::*)(std::thread::id&, std::function<bool ()>, std::function<void ()>, std::function<void ()>)> (ring::ThreadLoop*, std::reference_wrapper<std::thread::id>, std::function<bool ()>, std::function<void ()>, std::function<void ()>)> >::_M_run() (/home/hlefeuvre/Development/ring-daemon/bin/dring+0x7b4569)
    #24 0x7ffff3438c7f  (/usr/lib/x86_64-linux-gnu/libstdc++.so.6+0xb8c7f)
    #25 0x7ffff49196b9 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76b9)
    #26 0x7ffff2b9e41c in clone (/lib/x86_64-linux-gnu/libc.so.6+0x10741c)

0x608000105fd0 is located 48 bytes inside of 96-byte region [0x608000105fa0,0x608000106000)
freed by thread T0 here:
    #0 0x7ffff6f03b2a in operator delete(void*) (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x99b2a)
    #1 0x4bc9f7 in __gnu_cxx::new_allocator<std::_Rb_tree_node<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > > >::deallocate(std::_Rb_tree_node<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > >*, unsigned long) /usr/include/c++/5/ext/new_allocator.h:110
    #2 0x4bc938 in std::allocator_traits<std::allocator<std::_Rb_tree_node<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > > > >::deallocate(std::allocator<std::_Rb_tree_node<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > > >&, std::_Rb_tree_node<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > >*, unsigned long) /usr/include/c++/5/bits/alloc_traits.h:517
    #3 0x4bc87e in std::_Rb_tree<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > >, std::_Select1st<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > >, std::less<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > >, std::allocator<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > > >::_M_put_node(std::_Rb_tree_node<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > >*) /usr/include/c++/5/bits/stl_tree.h:495
    #4 0x4bc719 in std::_Rb_tree<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > >, std::_Select1st<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > >, std::less<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > >, std::allocator<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > > >::_M_drop_node(std::_Rb_tree_node<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > >*) /usr/include/c++/5/bits/stl_tree.h:562
    #5 0x4bc3fb in std::_Rb_tree<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > >, std::_Select1st<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > >, std::less<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > >, std::allocator<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > > >::_M_erase(std::_Rb_tree_node<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > >*) /usr/include/c++/5/bits/stl_tree.h:1614
    #6 0x4bc203 in std::_Rb_tree<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > >, std::_Select1st<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > >, std::less<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > >, std::allocator<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > > >::~_Rb_tree() /usr/include/c++/5/bits/stl_tree.h:858
    #7 0x4bbd35 in std::map<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::less<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > >, std::allocator<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > > >::~map() /usr/include/c++/5/bits/stl_map.h:96
    #8 0x7d9ddf in ring::Smartools::~Smartools() /home/hlefeuvre/Development/ring-daemon/src/smartools.cpp:42
    #9 0x7ffff2ad0ff7  (/lib/x86_64-linux-gnu/libc.so.6+0x39ff7)

previously allocated by thread T49 here:
    #0 0x7ffff6f03532 in operator new(unsigned long) (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x99532)
    #1 0x4c4cc9 in __gnu_cxx::new_allocator<std::_Rb_tree_node<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > > >::allocate(unsigned long, void const*) /usr/include/c++/5/ext/new_allocator.h:104
    #2 0x4c4a5b in std::allocator_traits<std::allocator<std::_Rb_tree_node<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > > > >::allocate(std::allocator<std::_Rb_tree_node<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > > >&, unsigned long) /usr/include/c++/5/bits/alloc_traits.h:491
    #3 0x4c41c0 in std::_Rb_tree<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > >, std::_Select1st<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > >, std::less<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > >, std::allocator<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > > >::_M_get_node() /usr/include/c++/5/bits/stl_tree.h:491
    #4 0x5226b8 in std::_Rb_tree_node<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > >* std::_Rb_tree<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > >, std::_Select1st<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > >, std::less<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > >, std::allocator<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > > >::_M_create_node<std::piecewise_construct_t const&, std::tuple<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >&&>, std::tuple<> >(std::piecewise_construct_t const&, std::tuple<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >&&>&&, std::tuple<>&&) /usr/include/c++/5/bits/stl_tree.h:545
    #5 0x5221e7 in std::_Rb_tree_iterator<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > > std::_Rb_tree<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > >, std::_Select1st<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > >, std::less<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > >, std::allocator<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > > >::_M_emplace_hint_unique<std::piecewise_construct_t const&, std::tuple<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >&&>, std::tuple<> >(std::_Rb_tree_const_iterator<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > >, std::piecewise_construct_t const&, std::tuple<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >&&>&&, std::tuple<>&&) /usr/include/c++/5/bits/stl_tree.h:2170
    #6 0x521951 in std::map<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::less<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > >, std::allocator<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > > >::operator[](std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >&&) /usr/include/c++/5/bits/stl_map.h:502
    #7 0x7da730 in ring::Smartools::setResolution(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, int, int) /home/hlefeuvre/Development/ring-daemon/src/smartools.cpp:101
    #8 0x9853a9 in ring::video::SinkClient::update(ring::video::Observable<std::shared_ptr<ring::VideoFrame> >*, std::shared_ptr<ring::VideoFrame> const&) /home/hlefeuvre/Development/ring-daemon/src/media/video/sinkclient.cpp:337
    #9 0x71570e in ring::video::Observable<std::shared_ptr<ring::VideoFrame> >::notify(std::shared_ptr<ring::VideoFrame>) /home/hlefeuvre/Development/ring-daemon/src/media/video/video_base.h:97
    #10 0x71345c in ring::video::VideoGenerator::publishFrame() /home/hlefeuvre/Development/ring-daemon/src/media/video/video_base.cpp:50
    #11 0x72c859 in ring::video::VideoInput::captureFrame() /home/hlefeuvre/Development/ring-daemon/src/media/video/video_input.cpp:249
    #12 0x72bf6d in ring::video::VideoInput::process() /home/hlefeuvre/Development/ring-daemon/src/media/video/video_input.cpp:162
    #13 0x734c5d in void std::_Mem_fn_base<void (ring::video::VideoInput::*)(), true>::operator()<, void>(ring::video::VideoInput*) const /usr/include/c++/5/functional:600
    #14 0x733c34 in void std::_Bind<std::_Mem_fn<void (ring::video::VideoInput::*)()> (ring::video::VideoInput*)>::__call<void, , 0ul>(std::tuple<>&&, std::_Index_tuple<0ul>) /usr/include/c++/5/functional:1074
    #15 0x732d86 in void std::_Bind<std::_Mem_fn<void (ring::video::VideoInput::*)()> (ring::video::VideoInput*)>::operator()<, void>() /usr/include/c++/5/functional:1133
    #16 0x731e1e in std::_Function_handler<void (), std::_Bind<std::_Mem_fn<void (ring::video::VideoInput::*)()> (ring::video::VideoInput*)> >::_M_invoke(std::_Any_data const&) (/home/hlefeuvre/Development/ring-daemon/bin/dring+0x731e1e)
    #17 0x4638a3 in std::function<void ()>::operator()() const /usr/include/c++/5/functional:2267
    #18 0x7b0ee3 in ring::ThreadLoop::mainloop(std::thread::id&, std::function<bool ()>, std::function<void ()>, std::function<void ()>) /home/hlefeuvre/Development/ring-daemon/src/threadloop.cpp:38
    #19 0x7b4b3f in void std::_Mem_fn_base<void (ring::ThreadLoop::*)(std::thread::id&, std::function<bool ()>, std::function<void ()>, std::function<void ()>), true>::operator()<std::reference_wrapper<std::thread::id>, std::function<bool ()>, std::function<void ()>, std::function<void ()>, void>(ring::ThreadLoop*, std::reference_wrapper<std::thread::id>&&, std::function<bool ()>&&, std::function<void ()>&&, std::function<void ()>&&) const (/home/hlefeuvre/Development/ring-daemon/bin/dring+0x7b4b3f)
    #20 0x7b4874 in void std::_Bind_simple<std::_Mem_fn<void (ring::ThreadLoop::*)(std::thread::id&, std::function<bool ()>, std::function<void ()>, std::function<void ()>)> (ring::ThreadLoop*, std::reference_wrapper<std::thread::id>, std::function<bool ()>, std::function<void ()>, std::function<void ()>)>::_M_invoke<0ul, 1ul, 2ul, 3ul, 4ul>(std::_Index_tuple<0ul, 1ul, 2ul, 3ul, 4ul>) (/home/hlefeuvre/Development/ring-daemon/bin/dring+0x7b4874)
    #21 0x7b45d9 in std::_Bind_simple<std::_Mem_fn<void (ring::ThreadLoop::*)(std::thread::id&, std::function<bool ()>, std::function<void ()>, std::function<void ()>)> (ring::ThreadLoop*, std::reference_wrapper<std::thread::id>, std::function<bool ()>, std::function<void ()>, std::function<void ()>)>::operator()() (/home/hlefeuvre/Development/ring-daemon/bin/dring+0x7b45d9)
    #22 0x7b4569 in std::thread::_Impl<std::_Bind_simple<std::_Mem_fn<void (ring::ThreadLoop::*)(std::thread::id&, std::function<bool ()>, std::function<void ()>, std::function<void ()>)> (ring::ThreadLoop*, std::reference_wrapper<std::thread::id>, std::function<bool ()>, std::function<void ()>, std::function<void ()>)> >::_M_run() (/home/hlefeuvre/Development/ring-daemon/bin/dring+0x7b4569)
    #23 0x7ffff3438c7f  (/usr/lib/x86_64-linux-gnu/libstdc++.so.6+0xb8c7f)

Thread T49 created by T0 here:
    #0 0x7ffff6ea0253 in pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x36253)
    #1 0x7ffff3438dc2 in std::thread::_M_start_thread(std::shared_ptr<std::thread::_Impl_base>, void (*)()) (/usr/lib/x86_64-linux-gnu/libstdc++.so.6+0xb8dc2)

SUMMARY: AddressSanitizer: heap-use-after-free ??:0 memcmp
Shadow bytes around the buggy address:
  0x0c1080018ba0: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c1080018bb0: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c1080018bc0: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c1080018bd0: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c1080018be0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c1080018bf0: fa fa fa fa fd fd fd fd fd fd[fd]fd fd fd fd fd
  0x0c1080018c00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1080018c10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1080018c20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1080018c30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1080018c40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
==478==ABORTING

Thread 50 "dring" received signal SIGABRT, Aborted.
[Switching to Thread 0x7fffd46c8700 (LWP 601)]
0x00007ffff2acc428 in __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:54
54	../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
(gdb) bt
#0  0x00007ffff2acc428 in __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:54
#1  0x00007ffff2ace02a in __GI_abort () at abort.c:89
#2  0x00007ffff6f17d99 in ?? () from /usr/lib/x86_64-linux-gnu/libasan.so.2
#3  0x00007ffff6f0a769 in ?? () from /usr/lib/x86_64-linux-gnu/libasan.so.2
#4  0x00007ffff6f0f5a2 in ?? () from /usr/lib/x86_64-linux-gnu/libasan.so.2
#5  0x00007ffff6f096e6 in __asan_report_error () from /usr/lib/x86_64-linux-gnu/libasan.so.2
#6  0x00007ffff6ee1691 in memcmp () from /usr/lib/x86_64-linux-gnu/libasan.so.2
#7  0x00007ffff34a1278 in std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::compare(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) const () from /usr/lib/x86_64-linux-gnu/libstdc++.so.6
#8  0x0000000000475a8b in std::operator< <char, std::char_traits<char>, std::allocator<char> > (__lhs="local height", __rhs="local width") at /usr/include/c++/5/bits/basic_string.h:4989
#9  0x0000000000462a61 in std::less<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > >::operator() (this=0x1f41100 <ring::Smartools::getInstance()::instance_>, 
    __x="local height", __y="local width") at /usr/include/c++/5/bits/stl_function.h:387
#10 0x00000000004c413c in std::_Rb_tree<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > >, std::_Select1st<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > >, std::less<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > >, std::allocator<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > > >::_M_lower_bound (this=0x1f41100 <ring::Smartools::getInstance()::instance_>, __x=0x608000105fa0, __y=0x1f41108 <ring::Smartools::getInstance()::instance_+8>, __k="local width")
    at /usr/include/c++/5/bits/stl_tree.h:1628
#11 0x00000000004c3695 in std::_Rb_tree<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > >, std::_Select1st<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > >, std::less<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > >, std::allocator<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > > >::lower_bound
    (this=0x1f41100 <ring::Smartools::getInstance()::instance_>, __k="local width") at /usr/include/c++/5/bits/stl_tree.h:1091
#12 0x00000000004c2f63 in std::map<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::less<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > >, std::allocator<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > > >::lower_bound (this=0x1f41100 <ring::Smartools::getInstance()::instance_>, __x="local width")
    at /usr/include/c++/5/bits/stl_map.h:916
#13 0x0000000000521845 in std::map<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::less<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > >, std::allocator<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > > >::operator[](std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >&&) (
    this=0x1f41100 <ring::Smartools::getInstance()::instance_>, __k=<unknown type in /home/hlefeuvre/Development/ring-daemon/bin/dring, CU 0x19c75c, DIE 0x1b821d>)
    at /usr/include/c++/5/bits/stl_map.h:499
#14 0x00000000007da691 in ring::Smartools::setResolution (this=0x1f41100 <ring::Smartools::getInstance()::instance_>, id="local", width=1280, height=720) at smartools.cpp:100
#15 0x00000000009853aa in ring::video::SinkClient::update (this=0x60f000044c00, frame_p=std::shared_ptr (count 2, weak 0) 0x607000120050) at sinkclient.cpp:337
#16 0x000000000071570f in ring::video::Observable<std::shared_ptr<ring::VideoFrame> >::notify (this=0x617000056010, data=std::shared_ptr (count 2, weak 0) 0x607000120050) at video_base.h:97
#17 0x000000000071345d in ring::video::VideoGenerator::publishFrame (this=0x617000056010) at video_base.cpp:50
#18 0x000000000072c85a in ring::video::VideoInput::captureFrame (this=0x617000056010) at video_input.cpp:249
#19 0x000000000072bf6e in ring::video::VideoInput::process (this=0x617000056010) at video_input.cpp:162
#20 0x0000000000734c5e in std::_Mem_fn_base<void (ring::video::VideoInput::*)(), true>::operator()<, void>(ring::video::VideoInput*) const (this=0x6030008d4150, __object=0x617000056010)
    at /usr/include/c++/5/functional:600
#21 0x0000000000733c35 in std::_Bind<std::_Mem_fn<void (ring::video::VideoInput::*)()> (ring::video::VideoInput*)>::__call<void, , 0ul>(std::tuple<>&&, std::_Index_tuple<0ul>) (this=0x6030008d4150, 
    __args=<unknown type in /home/hlefeuvre/Development/ring-daemon/bin/dring, CU 0x75e7bf, DIE 0x79c8c4>) at /usr/include/c++/5/functional:1074
#22 0x0000000000732d87 in std::_Bind<std::_Mem_fn<void (ring::video::VideoInput::*)()> (ring::video::VideoInput*)>::operator()<, void>() (this=0x6030008d4150) at /usr/include/c++/5/functional:1133
#23 0x0000000000731e1f in std::_Function_handler<void (), std::_Bind<std::_Mem_fn<void (ring::video::VideoInput::*)()> (ring::video::VideoInput*)> >::_M_invoke(std::_Any_data const&) (__functor=...)
    at /usr/include/c++/5/functional:1871

This is CWE-416 but security implications are negligible IMO.

Edited by Hugo Lefeuvre