Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Memory access problem in rtpsources.cpp line 339 #4

Closed
lbakman opened this issue Mar 27, 2017 · 4 comments
Closed

Memory access problem in rtpsources.cpp line 339 #4

lbakman opened this issue Mar 27, 2017 · 4 comments

Comments

@lbakman
Copy link

lbakman commented Mar 27, 2017

Hi Jori

I believe I have found a memory access problem in rtpsources.cpp line 339, if a session implementation overrides OnValidatedRTPPacket, sets ispackethandled to true and deletes the RTPPacket pointer.

In rtpsources.cpp line 232 srcdat->ProcessRTPPacket is called, which in turn calls OnValidatedRTPPacket. In example6 the override deletes the packet using DeletePacket(packet), but in rtpsources.cpp line 339, rtppack->GetCSRCCount() is called on a deleted object and in line rtppack->GetCSRC(i) may be called on the same deleted object.

I do not have a suggestion for a fix, but either the OnValidatedRTPPacket should not delete the packet, or it should be handled in some other way. If OnValidatedRTPPacket deletes the packet, the entire contributing source handling will be broken.

I can just avoid setting ispackethandled to true and delete the packet, but that means that the packets are stored in the packetlist and I am not sure why I would want that (I call Poll() from my own thread as in example8).

Regards
Lau Bakman
@j0r1
Copy link
Owner

j0r1 commented Mar 27, 2017

Hi Lau,

You're correct, this is indeed a problem.

I think the easiest fix would be to cache the CSRCs temporarily, before the srcdat->ProcessRTPPacket function is called, and then use those cached values further on (instead of obtaining them from rtppack)

This is what I tried to do in branch 'csrccache' - I haven't tested it though. Could you check if this works for you?

Thanks!
Jori

@lbakman
Copy link
Author

lbakman commented Mar 28, 2017
edited
Loading

Hi Jori

That seems to have fixed the problem when running example 6 with valgrind.

I will do some more testing with my own project today and let you know.

Edit: One thing - if the number of received CSRC's exceed RTP_MAXCSRCS there may be a problem. Perhaps unlikely, but possible. The RTPPacket::ParseRawPacket does not limit the RTPPacket::numcsrcs to RTP_MACCSRCS.

Thank you for the fast response.

Lau

@lbakman
Copy link
Author

lbakman commented Mar 28, 2017

Hi Jori

I have not found any issues with your fix in the csrccache branch except for the potential problem I mentioned above.

Regards
Lau

@j0r1
Copy link
Owner

j0r1 commented Mar 28, 2017

Hi Lau,

The number of CSRCs comes from four bits in the RTP header, so it shouldn't exceed that maximum number. But it's probably best to be extra cautious, so I've added an extra check.

Thanks for testing!

Cheers,
Jori

@j0r1 j0r1 closed this as completed Mar 28, 2017
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@lbakman @j0r1