ut_conference: heap buffer overflow in testPropagateRecording
With AddressSanitizer enabled, running ut_conference reports a heap-buffer-overflow in the testPropagateRecording unit test. The faulting access is an 8-byte READ in jami::MediaEncoder::encode() (media/media_encoder.cpp:496), reached from MediaEncoder::flush() on a thread-pool thread (T38) started by the MediaRecorder::startRecording() lambda. The address is 0 bytes past the end of an 8-byte heap region that was allocated on the main thread (T0) by std::vector<AVCodecContext*>::push_back() in MediaEncoder::initStream() (media/media_encoder.cpp:327), i.e. the backing store of a vector holding exactly one AVCodecContext*. In other words, encode() reads a second AVCodecContext* slot that was never added to the vector; the value read is the ASan redzone, so whatever is done with that pointer afterwards is undefined.
ASan log:
==701100==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020000ce478 at pc 0x5555567aa518 bp 0x7fffdf8f2650 sp 0x7fffdf8f2640
READ of size 8 at 0x6020000ce478 thread T38
#0 0x5555567aa517 in jami::MediaEncoder::encode(AVFrame*, int) media/media_encoder.cpp:496
#1 0x5555567ab3d0 in jami::MediaEncoder::flush() media/media_encoder.cpp:563
#2 0x55555630af84 in jami::MediaRecorder::flush() media/media_recorder.cpp:609
#3 0x555556301fe5 in operator() media/media_recorder.cpp:207
#4 0x55555630e441 in __invoke_impl<void, jami::MediaRecorder::startRecording()::<lambda()>&> /usr/include/c++/11/bits/invoke.h:61
#5 0x55555630d211 in __invoke_r<void, jami::MediaRecorder::startRecording()::<lambda()>&> /usr/include/c++/11/bits/invoke.h:111
#6 0x55555630bf24 in _M_invoke /usr/include/c++/11/bits/std_function.h:290
#7 0x55555690e486 in std::thread::_State_impl<std::thread::_Invoker<std::tuple<dht::ThreadPool::run(std::function<void ()>&&)::{lambda()#1}> > >::_M_run() (/home/ezra/dev/jami-project/daemon/test/unitTest/ut_conference+0x13ba486)
#8 0x7ffff681c2b2 (/lib/x86_64-linux-gnu/libstdc++.so.6+0xdc2b2)
#9 0x7ffff64a3b42 in start_thread nptl/pthread_create.c:442
#10 0x7ffff65359ff (/lib/x86_64-linux-gnu/libc.so.6+0x1269ff)
0x6020000ce478 is located 0 bytes to the right of 8-byte region [0x6020000ce470,0x6020000ce478)
allocated by thread T0 here:
#0 0x7ffff766b1c7 in operator new(unsigned long) ../../../../src/libsanitizer/asan/asan_new_delete.cpp:99
#1 0x5555567bd029 in __gnu_cxx::new_allocator<AVCodecContext*>::allocate(unsigned long, void const*) /usr/include/c++/11/ext/new_allocator.h:127
#2 0x5555567bc95d in std::allocator_traits<std::allocator<AVCodecContext*> >::allocate(std::allocator<AVCodecContext*>&, unsigned long) /usr/include/c++/11/bits/alloc_traits.h:464
#3 0x5555567bbb87 in std::_Vector_base<AVCodecContext*, std::allocator<AVCodecContext*> >::_M_allocate(unsigned long) /usr/include/c++/11/bits/stl_vector.h:346
#4 0x5555567bad80 in void std::vector<AVCodecContext*, std::allocator<AVCodecContext*> >::_M_realloc_insert<AVCodecContext* const&>(__gnu_cxx::__normal_iterator<AVCodecContext**, std::vector<AVCodecContext*, std::allocator<AVCodecContext*> > >, AVCodecContext* const&) /usr/include/c++/11/bits/vector.tcc:440
#5 0x5555567b9b12 in std::vector<AVCodecContext*, std::allocator<AVCodecContext*> >::push_back(AVCodecContext* const&) /usr/include/c++/11/bits/stl_vector.h:1198
#6 0x5555567a825c in jami::MediaEncoder::initStream(jami::SystemCodecInfo const&, AVBufferRef*) media/media_encoder.cpp:327
#7 0x5555567a6cde in jami::MediaEncoder::addStream(jami::SystemCodecInfo const&) media/media_encoder.cpp:196
#8 0x555556305fd2 in jami::MediaRecorder::initRecord() media/media_recorder.cpp:379
#9 0x555556302850 in jami::MediaRecorder::startRecording() media/media_recorder.cpp:174
#10 0x55555631a530 in jami::Recordable::startRecording(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) media/recordable.cpp:92
#11 0x55555631a020 in jami::Recordable::toggleRecording() media/recordable.cpp:68
#12 0x555555c5bba7 in jami::Call::toggleRecording() /home/ezra/dev/jami-project/daemon/src/call.cpp:366
#13 0x555556480467 in jami::SIPCall::toggleRecording() sip/sipcall.cpp:3228
#14 0x555555bf1050 in jami::Manager::toggleRecordingCall(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /home/ezra/dev/jami-project/daemon/src/manager.cpp:2259
#15 0x555555d0cf13 in libjami::toggleRecording(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) client/callmanager.cpp:366
#16 0x555555ad06e7 in jami::test::ConferenceTest::testPropagateRecording() call/conference.cpp:926
#17 0x555555b1a405 in void std::__invoke_impl<void, void (jami::test::ConferenceTest::*&)(), jami::test::ConferenceTest*&>(std::__invoke_memfun_deref, void (jami::test::ConferenceTest::*&)(), jami::test::ConferenceTest*&) (/home/ezra/dev/jami-project/daemon/test/unitTest/ut_conference+0x5c6405)
#18 0x555555b1933e in std::__invoke_result<void (jami::test::ConferenceTest::*&)(), jami::test::ConferenceTest*&>::type std::__invoke<void (jami::test::ConferenceTest::*&)(), jami::test::ConferenceTest*&>(void (jami::test::ConferenceTest::*&)(), jami::test::ConferenceTest*&) (/home/ezra/dev/jami-project/daemon/test/unitTest/ut_conference+0x5c533e)
#19 0x555555b17523 in void std::_Bind<void (jami::test::ConferenceTest::*(jami::test::ConferenceTest*))()>::__call<void, , 0ul>(std::tuple<>&&, std::_Index_tuple<0ul>) (/home/ezra/dev/jami-project/daemon/test/unitTest/ut_conference+0x5c3523)
#20 0x555555b1532c in void std::_Bind<void (jami::test::ConferenceTest::*(jami::test::ConferenceTest*))()>::operator()<, void>() (/home/ezra/dev/jami-project/daemon/test/unitTest/ut_conference+0x5c132c)
#21 0x555555b12429 in void std::__invoke_impl<void, std::_Bind<void (jami::test::ConferenceTest::*(jami::test::ConferenceTest*))()>&>(std::__invoke_other, std::_Bind<void (jami::test::ConferenceTest::*(jami::test::ConferenceTest*))()>&) (/home/ezra/dev/jami-project/daemon/test/unitTest/ut_conference+0x5be429)
#22 0x555555b0e8e7 in std::enable_if<is_invocable_r_v<void, std::_Bind<void (jami::test::ConferenceTest::*(jami::test::ConferenceTest*))()>&>, void>::type std::__invoke_r<void, std::_Bind<void (jami::test::ConferenceTest::*(jami::test::ConferenceTest*))()>&>(std::_Bind<void (jami::test::ConferenceTest::*(jami::test::ConferenceTest*))()>&) (/home/ezra/dev/jami-project/daemon/test/unitTest/ut_conference+0x5ba8e7)
#23 0x555555b09136 in std::_Function_handler<void (), std::_Bind<void (jami::test::ConferenceTest::*(jami::test::ConferenceTest*))()> >::_M_invoke(std::_Any_data const&) (/home/ezra/dev/jami-project/daemon/test/unitTest/ut_conference+0x5b5136)
#24 0x555555af8f5f in std::function<void ()>::operator()() const /usr/include/c++/11/bits/std_function.h:590
#25 0x555555b1d62f in CppUnit::TestCaller<jami::test::ConferenceTest>::runTest() (/home/ezra/dev/jami-project/daemon/test/unitTest/ut_conference+0x5c962f)
#26 0x7ffff75934e5 (/lib/x86_64-linux-gnu/libcppunit-1.15.so.1+0x1e4e5)
#27 0x60b00018c03f (<unknown module>)
Thread T38 created by T0 here:
#0 0x7ffff760d685 in __interceptor_pthread_create ../../../../src/libsanitizer/asan/asan_interceptors.cpp:216
#1 0x7ffff681c388 in std::thread::_M_start_thread(std::unique_ptr<std::thread::_State, std::default_delete<std::thread::_State> >, void (*)()) (/lib/x86_64-linux-gnu/libstdc++.so.6+0xdc388)
SUMMARY: AddressSanitizer: heap-buffer-overflow media/media_encoder.cpp:496 in jami::MediaEncoder::encode(AVFrame*, int)
Shadow bytes around the buggy address:
0x0c0480011c30: fa fa fa fa fa fa fa fa fa fa 00 00 fa fa fa fa
0x0c0480011c40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa 00 00
0x0c0480011c50: fa fa 00 00 fa fa 03 fa fa fa 07 fa fa fa 00 06
0x0c0480011c60: fa fa 03 fa fa fa 03 fa fa fa fa fa fa fa fa fa
0x0c0480011c70: fa fa 00 00 fa fa 00 00 fa fa 03 fa fa fa 00 02
=>0x0c0480011c80: fa fa 07 fa fa fa 03 fa fa fa 03 fa fa fa 00[fa]
0x0c0480011c90: fa fa 00 00 fa fa fd fd fa fa 00 00 fa fa 00 00
0x0c0480011ca0: fa fa 00 00 fa fa 00 00 fa fa 03 fa fa fa 00 02
0x0c0480011cb0: fa fa 00 02 fa fa 03 fa fa fa 03 fa fa fa fa fa
0x0c0480011cc0: fa fa 00 00 fa fa fa fa fa fa 00 00 fa fa 00 fa
0x0c0480011cd0: fa fa 00 fa fa fa 00 00 fa fa 00 00 fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==701100==ABORTING
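To make the allocation/access pair in the report concrete, here is an added, self-contained C++ model of the access pattern it implies. This is not Jami's code: the names CodecCtx, Encoder, initStream(), encoderUnchecked(), encoderChecked() and flush(), and the idea that flush() walks a list of requested stream indices, are assumptions made for illustration only; the real media_encoder.cpp may be structured differently. What the model does reproduce faithfully is the shape of the bug: a std::vector of pointers with a single element (an 8-byte heap block on x86-64) indexed with a stream index of 1, which under -fsanitize=address yields exactly a "READ of size 8 ... 0 bytes to the right of 8-byte region" allocated by vector::push_back.

```cpp
// Added example, not code from the Jami project: models the vector<AVCodecContext*>
// out-of-bounds read implied by the ASan report. All identifiers are hypothetical.
#include <cstddef>
#include <cstdio>
#include <vector>

// Stand-in for FFmpeg's AVCodecContext; only the one field this model needs.
struct CodecCtx {
    int stream_index;
};

// Stand-in for the encoder: one codec context per output stream, kept in a
// vector indexed by stream index (assumption, suggested by the allocation stack).
struct Encoder {
    std::vector<CodecCtx*> encoders_;

    // Like initStream(): one push_back. After a single call the backing store is
    // one pointer wide (8 bytes on x86-64), matching the "8-byte region" in the log.
    void initStream(int streamIdx) {
        encoders_.push_back(new CodecCtx{streamIdx});
    }

    // Unchecked lookup: indexing at size() reads one pointer past the end of the
    // heap block. Built with -fsanitize=address this is reported as a
    // heap-buffer-overflow READ of size 8 at the caller, as in the report above.
    // Never call this with an index >= encoders_.size(); it is here only to show
    // the faulty access pattern and is not exercised by main() below.
    CodecCtx* encoderUnchecked(std::size_t streamIdx) {
        return encoders_[streamIdx];  // no bounds check: the bug pattern
    }

    // Checked lookup: nullptr for a stream that was never added, so callers can
    // skip it instead of dereferencing whatever sits past the vector's end.
    CodecCtx* encoderChecked(std::size_t streamIdx) {
        if (streamIdx >= encoders_.size())
            return nullptr;
        return encoders_[streamIdx];
    }

    // Like flush(): walks the stream indices the caller wants flushed, which may
    // include one for which no encoder exists (the situation in the report).
    // Returns how many streams were actually flushed.
    int flush(const std::vector<int>& streams) {
        int flushed = 0;
        for (int idx : streams) {
            CodecCtx* ctx = encoderChecked(static_cast<std::size_t>(idx));
            if (ctx == nullptr) {
                std::fprintf(stderr, "flush: no encoder for stream %d, skipping\n", idx);
                continue;
            }
            ++flushed;  // a real flush would call the encoder with a null frame here
        }
        return flushed;
    }

    ~Encoder() {
        for (CodecCtx* c : encoders_)
            delete c;
    }
};

int main() {
    Encoder enc;
    enc.initStream(0);  // only one stream added, as in the report (vector size 1)

    // Constructed input: the caller asks to flush streams 0 and 1, but only
    // stream 0 has an encoder. The checked path skips stream 1 instead of
    // reading past the end of the 8-byte heap block.
    int flushed = enc.flush({0, 1});
    std::printf("streams requested: 2, flushed: %d\n", flushed);
    return flushed == 1 ? 0 : 1;
}
```

Build with `g++ -std=c++17 -g -fsanitize=address` to see that the checked path is silent while a call to encoderUnchecked(1) reproduces the report's "READ of size 8 ... 0 bytes to the right of 8-byte region" signature. Note that a bounds check only suppresses the out-of-bounds read; the log does not say why flush() on T38 expects a second encoder that T0 never pushed (for example whether a second initStream() was still pending when the thread-pool flush ran), so the actual root cause has to be established from media_encoder.cpp lines 327 and 496 and the ordering between startRecording() and the thread it spawns.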