fix(rtc): fix crash when pkt->payload() if pkt is nullptr #2751

Merged
merged 1 commit into from
Nov 24, 2021


johzzy
Contributor

@johzzy johzzy commented Nov 22, 2021

Please refer to the gdb log.

```
Program received signal SIGSEGV, Segmentation fault.
0x0000000000617774 in SrsRtpPacket::payload (this=0x0) at src/kernel/srs_kernel_rtc_rtp.hpp:317
317	    ISrsRtpPayloader* payload() { return payload_; }
Missing separate debuginfos, use: debuginfo-install glibc-2.17-325.el7_9.x86_64 libgcc-4.8.5-44.el7.x86_64 libstdc++-4.8.5-44.el7.x86_64
(gdb) bt
#0  0x0000000000617774 in SrsRtpPacket::payload (this=0x0) at src/kernel/srs_kernel_rtc_rtp.hpp:317
#1  0x0000000000611a2e in SrsRtmpFromRtcBridger::packet_video_rtmp (this=0x18b1310, start=0, end=17707) at src/app/srs_app_rtc_source.cpp:1632
#2  0x0000000000610b61 in SrsRtmpFromRtcBridger::packet_video (this=0x18b1310, src=0x207ef20) at src/app/srs_app_rtc_source.cpp:1452
#3  0x0000000000610446 in SrsRtmpFromRtcBridger::on_rtp (this=0x18b1310, pkt=0x207ef20) at src/app/srs_app_rtc_source.cpp:1350
#4  0x000000000060d9ac in SrsRtcSource::on_rtp (this=0x1869330, pkt=0x207ef20) at src/app/srs_app_rtc_source.cpp:634
#5  0x0000000000616334 in SrsRtcVideoRecvTrack::on_rtp (this=0x133b090, source=0x1869330, pkt=0x207ef20) at src/app/srs_app_rtc_source.cpp:2653
#6  0x00000000005ccc0d in SrsRtcPublishStream::do_on_rtp_plaintext (this=0x174c5e0, pkt=@0x7ffff66e8758: 0x207ef20, buf=0x7ffff66e8740)
    at src/app/srs_app_rtc_conn.cpp:1471
#7  0x00000000005cc9c8 in SrsRtcPublishStream::on_rtp_plaintext (this=0x174c5e0,
    plaintext=0xeac9b0 "\220fE,\030\066\357\264\232\070\334\231\276\336", nb_plaintext=1128) at src/app/srs_app_rtc_conn.cpp:1438
#8  0x00000000005cc6fa in SrsRtcPublishStream::on_rtp (this=0x174c5e0, data=0xeac9b0 "\220fE,\030\066\357\264\232\070\334\231\276\336",
    nb_data=1138) at src/app/srs_app_rtc_conn.cpp:1405
#9  0x00000000005d0f1a in SrsRtcConnection::on_rtp (this=0xf70ce0, data=0xeac9b0 "\220fE,\030\066\357\264\232\070\334\231\276\336", nb_data=1138)
    at src/app/srs_app_rtc_conn.cpp:2333
...

(gdb) p this
$1 = (SrsRtpPacket * const) 0x0
(gdb) frame 1
#1  0x0000000000611a2e in SrsRtmpFromRtcBridger::packet_video_rtmp (this=0x18b1310, start=0, end=17707) at src/app/srs_app_rtc_source.cpp:1632
1632	        SrsRtpFUAPayload2* fua_payload = dynamic_cast<SrsRtpFUAPayload2*>(pkt->payload());
(gdb) p pkt
$2 = (SrsRtpPacket *) 0x0
(gdb) frame 2
#2  0x0000000000610b61 in SrsRtmpFromRtcBridger::packet_video (this=0x18b1310, src=0x207ef20) at src/app/srs_app_rtc_source.cpp:1452
1452	                if ((err = packet_video_rtmp(header_sn_, tail_sn)) != srs_success) {
(gdb)
```

@johzzy
Contributor Author

johzzy commented Nov 22, 2021

Related PR #2545

@winlinvip winlinvip merged commit a862573 into ossrs:develop Nov 24, 2021
@winlinvip
Member

@johzzy Thanks a lot.

@Timnf
Timnf commented Aug 26, 2022

```cpp
SrsCommonMessage rtmp;
SrsRtpPacket* pkt = cache_video_pkts_[cache_index(start)].pkt;          // Here is a missing null check, which may cause a crash when accessing NULL. How should we handle it?
rtmp.header.initialize_video(nb_payload, pkt->get_avsync_time(), 1);
rtmp.create_payload(nb_payload);
rtmp.size = nb_payload;
SrsBuffer payload(rtmp.payload, rtmp.size);
if (pkt->is_keyframe()) {
    payload.write_1bytes(0x17); // type(4 bits): key frame; code(4bits): avc
    rtp_key_frame_ts_ = -1;
} else {
    payload.write_1bytes(0x27); // type(4 bits): inter frame; code(4bits): avc
}
payload.write_1bytes(0x01); // avc_type: nalu
payload.write_1bytes(0x0);  // composition time
payload.write_1bytes(0x0);
payload.write_1bytes(0x0);

int nalu_len = 0;
for (uint16_t i = 0; i < (uint16_t)cnt; ++i) {
    uint16_t index = cache_index((start + i));
    SrsRtpPacket* pkt = cache_video_pkts_[index].pkt;

    // fix crash when pkt->payload() if pkt is nullptr;
    if (!pkt) continue;
```

@johzzy

@Timnf
Timnf commented Aug 26, 2022

f687442 Found the problem and resolved it

@winlinvip winlinvip added the TransByAI Translated by AI/GPT. label Jul 29, 2023
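
The failure discussed in this thread, a frame assembler dereferencing a ring-cache slot whose packet pointer is null, shown as an added C++ example that is not SRS code: `Packet`, `Slot`, `Cache`, `kCacheSize` and `assemble_frame` are hypothetical names and the ring size is assumed. Unlike the `if (!pkt) continue;` skip quoted above, it validates every slot in the range, the first one included, before dereferencing any, and it goes one step further by also rejecting a slot that still holds a packet with a different sequence number.

```cpp
#include <array>
#include <cstddef>
#include <cstdint>
#include <vector>

// Hypothetical stand-ins for illustration; these are not the SRS types.
struct Packet {
    uint16_t seq;
    bool keyframe;
    std::vector<uint8_t> payload;
};
struct Slot { Packet* pkt = nullptr; };  // nullptr: packet lost or slot already released

static const size_t kCacheSize = 512;    // assumed ring size
typedef std::array<Slot, kCacheSize> Cache;
static size_t cache_index(uint16_t sn) { return sn % kCacheSize; }

enum FrameStatus { FRAME_OK = 0, FRAME_INCOMPLETE = 1 };

// Assemble packets start..end (inclusive, 16-bit wraparound allowed) into out.
// Pass 1 validates every slot, including the first one that supplies the
// keyframe flag, so pass 2 never dereferences a null or stale pointer.
FrameStatus assemble_frame(const Cache& cache, uint16_t start, uint16_t end,
                           std::vector<uint8_t>& out, bool& keyframe) {
    const uint32_t count = static_cast<uint16_t>(end - start) + 1u;
    for (uint32_t i = 0; i < count; ++i) {
        const uint16_t sn = static_cast<uint16_t>(start + i);
        const Packet* pkt = cache[cache_index(sn)].pkt;
        // Hole (nullptr) or a slot still holding a packet from an older lap.
        if (!pkt || pkt->seq != sn) return FRAME_INCOMPLETE;
    }
    keyframe = cache[cache_index(start)].pkt->keyframe;
    out.clear();
    for (uint32_t i = 0; i < count; ++i) {
        const Packet* pkt = cache[cache_index(static_cast<uint16_t>(start + i))].pkt;
        out.insert(out.end(), pkt->payload.begin(), pkt->payload.end());
    }
    return FRAME_OK;
}

int main() {
    Cache cache;                          // constructed sample data
    Packet first{65535, true, {0x65}};    // sequence 0 is deliberately never stored
    cache[cache_index(65535)].pkt = &first;
    std::vector<uint8_t> out;
    bool key = false;
    return assemble_frame(cache, 65535, 0, out, key) == FRAME_INCOMPLETE ? 0 : 1;
}
```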