pjproject
Crash when encoding H264, iOS, VideoToolbox, pjsip 2.12
Describe the bug
I made an example using pjsua2 to make a video call. After the call has been connected for a short time, the app crashes. Every time, the app crashes at wrap_memcpy+0x16c (line 1221 in the attached log file).
16:29:18.513 inv0x61d000010528 ....SDP negotiation done: Success
16:29:18.513 pjsua_media.c .....Call 1: updating media..
16:29:18.513 pjsua_media.c ......Call 1: stream #0 (audio) unchanged.
16:29:18.514 pjsua_media.c ......Audio updated, stream #0: speex (sendrecv)
16:29:18.514 pjsua_vid.c .......Stopping video stream..
16:29:18.514 ios_opengl_dev.c ........Stopping ios opengl stream
16:29:18.514 pjsua_vid.c ........Window 1: destroying..
#0 0x10f88477c in wrap_memcpy+0x16c (libclang_rt.asan_iossim_dynamic.dylib:x86_64+0x1977c)
#1 0x10ef1c82d in vtool_codec_encode_begin+0x1ed (call_demo_swift:x86_64+0x10015e82d)
#2 0x10efb4852 in put_frame+0x162 (call_demo_swift:x86_64+0x1001f6852)
#3 0x10efb618c in on_clock_tick+0x43c (call_demo_swift:x86_64+0x1001f818c)
#4 0x10ef85a0e in clock_thread+0xce (call_demo_swift:x86_64+0x1001c7a0e)
#5 0x10efc0cd5 in thread_main+0x45 (call_demo_swift:x86_64+0x100202cd5)
#6 0x7fff6fb094e0 in _pthread_start+0x7c (libsystem_pthread.dylib:x86_64+0x64e0)
#7 0x7fff6fb04f6a in thread_start+0xe (libsystem_pthread.dylib:x86_64+0x1f6a)
Steps to reproduce
- Run the app in the Simulator
- Init pjsua2 with acc_cfg.videoConfig.autoShowIncoming = true; acc_cfg.videoConfig.autoTransmitOutgoing = true;
- Make a video call
- Call connected. The app crashes within a very short time (< 1 sec)
PJSIP version
2.12
Context
- Simulator iPhone 12 (15.4)
- iPhone 7, iOS 15.4
Attached log file: log.txt
Log, call stack, etc
16:29:18.513 inv0x61d000010528 ....SDP negotiation done: Success
16:29:18.513 pjsua_media.c .....Call 1: updating media..
16:29:18.513 pjsua_media.c ......Call 1: stream #0 (audio) unchanged.
16:29:18.514 pjsua_media.c ......Audio updated, stream #0: speex (sendrecv)
16:29:18.514 pjsua_vid.c .......Stopping video stream..
16:29:18.514 ios_opengl_dev.c ........Stopping ios opengl stream
16:29:18.514 pjsua_vid.c ........Window 1: destroying..
#0 0x10f88477c in wrap_memcpy+0x16c (libclang_rt.asan_iossim_dynamic.dylib:x86_64+0x1977c)
#1 0x10ef1c82d in vtool_codec_encode_begin+0x1ed (call_demo_swift:x86_64+0x10015e82d)
#2 0x10efb4852 in put_frame+0x162 (call_demo_swift:x86_64+0x1001f6852)
#3 0x10efb618c in on_clock_tick+0x43c (call_demo_swift:x86_64+0x1001f818c)
#4 0x10ef85a0e in clock_thread+0xce (call_demo_swift:x86_64+0x1001c7a0e)
#5 0x10efc0cd5 in thread_main+0x45 (call_demo_swift:x86_64+0x100202cd5)
#6 0x7fff6fb094e0 in _pthread_start+0x7c (libsystem_pthread.dylib:x86_64+0x64e0)
#7 0x7fff6fb04f6a in thread_start+0xe (libsystem_pthread.dylib:x86_64+0x1f6a)
Address 0x62d0007fd028 is a wild pointer inside of access range of size 0x000000000058.
SUMMARY: AddressSanitizer: heap-buffer-overflow (libclang_rt.asan_iossim_dynamic.dylib:x86_64+0x1977c) in wrap_memcpy+0x16c
Shadow bytes around the buggy address:
0x0c5b107bf9b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c5b107bf9c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c5b107bf9d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c5b107bf9e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c5b107bf9f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c5b107bfa00: fa fa fa fa fa[fa]fa fa fa fa fa fa fa fa fa fa
0x0c5b107bfa10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c5b107bfa20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c5b107bfa30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c5b107bfa40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c5b107bfa50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Thread T17 created by T9 here:
#0 0x10f8a8d9c in wrap_pthread_create+0x5c (libclang_rt.asan_iossim_dynamic.dylib:x86_64+0x3dd9c)
#1 0x10efc0b65 in pj_thread_create+0x135 (call_demo_swift:x86_64+0x100202b65)
#2 0x10ef8592a in pjmedia_clock_start+0x8a (call_demo_swift:x86_64+0x1001c792a)
#3 0x10efb6cf6 in pjmedia_vid_conf_connect_port+0x186 (call_demo_swift:x86_64+0x1001f8cf6)
#4 0x10ee502c7 in pjsua_vid_channel_update+0x597 (call_demo_swift:x86_64+0x1000922c7)
#5 0x10ee4306c in pjsua_media_channel_update+0xf9c (call_demo_swift:x86_64+0x10008506c)
#6 0x10ee2a889 in pjsua_call_on_media_update+0x1f9 (call_demo_swift:x86_64+0x10006c889)
#7 0x10ef7c64c in inv_negotiate_sdp+0x5c (call_demo_swift:x86_64+0x1001be64c)
#8 0x10ef7c576 in inv_check_sdp_in_incoming_msg+0x616 (call_demo_swift:x86_64+0x1001be576)
#9 0x10ef7d2b6 in inv_on_state_early+0x236 (call_demo_swift:x86_64+0x1001bf2b6)
#10 0x10ef7bea9 in mod_inv_on_tsx_state+0x49 (call_demo_swift:x86_64+0x1001bdea9)
#11 0x10eea6183 in pjsip_dlg_on_tsx_state+0xa3 (call_demo_swift:x86_64+0x1000e8183)
#12 0x10eea04ae in tsx_set_state+0x13e (call_demo_swift:x86_64+0x1000e24ae)
#13 0x10eea181a in tsx_on_state_proceeding_uac+0x2da (call_demo_swift:x86_64+0x1000e381a)
#14 0x10eea08f2 in pjsip_tsx_recv_msg+0x82 (call_demo_swift:x86_64+0x1000e28f2)
#15 0x10eea1017 in mod_tsx_layer_on_rx_response+0x97 (call_demo_swift:x86_64+0x1000e3017)
#16 0x10ee90876 in pjsip_endpt_process_rx_data+0x166 (call_demo_swift:x86_64+0x1000d2876)
#17 0x10ee900cb in endpt_on_rx_msg+0x19b (call_demo_swift:x86_64+0x1000d20cb)
#18 0x10ee96d6b in pjsip_tpmgr_receive_packet+0x5db (call_demo_swift:x86_64+0x1000d8d6b)
#19 0x10ee9ad6d in on_data_read+0xed (call_demo_swift:x86_64+0x1000dcd6d)
#20 0x10efc3aa5 in ioqueue_on_read_complete+0x185 (call_demo_swift:x86_64+0x100205aa5)
#21 0x10efbe15a in ioqueue_dispatch_read_event+0x2fa (call_demo_swift:x86_64+0x10020015a)
#22 0x10efbfcac in pj_ioqueue_poll+0x37c (call_demo_swift:x86_64+0x100201cac)
#23 0x10ee9059a in pjsip_endpt_handle_events2+0x8a (call_demo_swift:x86_64+0x1000d259a)
#24 0x10ee363e5 in worker_thread+0x75 (call_demo_swift:x86_64+0x1000783e5)
#25 0x10efc0cd5 in thread_main+0x45 (call_demo_swift:x86_64+0x100202cd5)
#26 0x7fff6fb094e0 in _pthread_start+0x7c (libsystem_pthread.dylib:x86_64+0x64e0)
#27 0x7fff6fb04f6a in thread_start+0xe (libsystem_pthread.dylib:x86_64+0x1f6a)
Thread T9 created by T0 here:
#0 0x10f8a8d9c in wrap_pthread_create+0x5c (libclang_rt.asan_iossim_dynamic.dylib:x86_64+0x3dd9c)
#1 0x10efc0b65 in pj_thread_create+0x135 (call_demo_swift:x86_64+0x100202b65)
#2 0x10ee35e60 in pjsua_init+0x730 (call_demo_swift:x86_64+0x100077e60)
#3 0x10eebd0cf in pj::Endpoint::libInit(pj::EpConfig const&) endpoint.cpp:1894
#4 0x10edc29ac in initPjSip(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >) pjsip_wrapper.mm:76
#5 0x10edec0d3 in -[exampleObjC initLib:SIPServer:SIPProxy:SIPPort:SIPUser:SIPPW:SIPTransport:SIPCallee:] exampleObjC.mm:56
#6 0x10ee1c369 in SceneDelegate.initexample() SceneDelegate.swift:56
#7 0x10ee0fed2 in ViewController.onButtonInitexampleSDK(_:) ViewController.swift:158
#8 0x10ee10080 in @objc ViewController.onButtonInitexampleSDK(_:) <compiler-generated>
#9 0x7fff25094c86 in -[UIApplication sendAction:to:from:forEvent:]+0x52 (UIKitCore:x86_64+0xce0c86)
#10 0x7fff24923987 in -[UIControl sendAction:to:forEvent:]+0x6d (UIKitCore:x86_64+0x56f987)
#11 0x7fff24923d8b in -[UIControl _sendActionsForEvents:withEvent:]+0x158 (UIKitCore:x86_64+0x56fd8b)
#12 0x7fff2492026e in -[UIButton _sendActionsForEvents:withEvent:]+0x93 (UIKitCore:x86_64+0x56c26e)
#13 0x7fff249225e2 in -[UIControl touchesEnded:withEvent:]+0x1e4 (UIKitCore:x86_64+0x56e5e2)
#14 0x7fff250d6049 in -[UIWindow _sendTouchesForEvent:]+0x50b (UIKitCore:x86_64+0xd22049)
#15 0x7fff250d80ad in -[UIWindow sendEvent:]+0x14bf (UIKitCore:x86_64+0xd240ad)
#16 0x7fff250ae15f in -[UIApplication sendEvent:]+0x333 (UIKitCore:x86_64+0xcfa15f)
#17 0x7fff25146cfc in __dispatchPreprocessedEventFromEventQueue+0x2208 (UIKitCore:x86_64+0xd92cfc)
#18 0x7fff2514949f in __processEventQueue+0x21ba (UIKitCore:x86_64+0xd9549f)
#19 0x7fff2513fccc in __eventFetcherSourceCallback+0xe7 (UIKitCore:x86_64+0xd8bccc)
#20 0x7fff20373832 in __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__+0x10 (CoreFoundation:x86_64+0x82832)
#21 0x7fff2037372a in __CFRunLoopDoSource0+0xb3 (CoreFoundation:x86_64+0x8272a)
#22 0x7fff20372bf7 in __CFRunLoopDoSources0+0xf1 (CoreFoundation:x86_64+0x81bf7)
#23 0x7fff2036d2f3 in __CFRunLoopRun+0x366 (CoreFoundation:x86_64+0x7c2f3)
#24 0x7fff2036ca8f in CFRunLoopRunSpecific+0x231 (CoreFoundation:x86_64+0x7ba8f)
#25 0x7fff2cb72c8d in GSEventRunModal+0x8a (GraphicsServices:x86_64+0x3c8d)
#26 0x7fff2508e90d in -[UIApplication _run]+0x39f (UIKitCore:x86_64+0xcda90d)
#27 0x7fff25093568 in UIApplicationMain+0x64 (UIKitCore:x86_64+0xcdf568)
#28 0x10ee1975e in main AppDelegate.swift:13
#29 0x10f4dff20 in start_sim+0x9 (dyld_sim:x86_64+0x1f20)
#30 0x1102ba51d (<unknown module>)
==10381==ABORTING
Warning: hit breakpoint while running function, skipping commands and conditions to prevent recursion.
AddressSanitizer report breakpoint hit. Use 'thread info -s' to get extended information about the report.
(lldb)
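An added example, not code from pjproject or the reporter's app: a small Python triage helper for an ASan report of the shape pasted above. Its input, SAMPLE_REPORT, is a constructed subset of the lines in this issue. The helper skips the sanitizer's own interceptor frames (wrap_memcpy, wrap_pthread_create) to reach the first application frame, extracts the faulting address and access size, flags the "wild pointer" case (ASan could not tie the address to any allocation it knows about, live or freed, which is why this report has no "allocated by" or "freed by" stack to follow and the surrounding shadow bytes are all fa), and walks the thread-creation chain back to main. The class names, regexes and the rule that the first "Thread Tx created by" section belongs to the faulting thread are this example's own assumptions.

```python
"""Triage helper for an ASan report of the shape pasted above (added example, not code from
pjproject or the reporter's app; SAMPLE_REPORT is a constructed subset of the issue's lines)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

SAMPLE_REPORT = """\
#0 0x10f88477c in wrap_memcpy+0x16c (libclang_rt.asan_iossim_dynamic.dylib:x86_64+0x1977c)
#1 0x10ef1c82d in vtool_codec_encode_begin+0x1ed (call_demo_swift:x86_64+0x10015e82d)
#2 0x10efb4852 in put_frame+0x162 (call_demo_swift:x86_64+0x1001f6852)
#3 0x10efb618c in on_clock_tick+0x43c (call_demo_swift:x86_64+0x1001f818c)
#4 0x10ef85a0e in clock_thread+0xce (call_demo_swift:x86_64+0x1001c7a0e)
Address 0x62d0007fd028 is a wild pointer inside of access range of size 0x000000000058.
SUMMARY: AddressSanitizer: heap-buffer-overflow (libclang_rt.asan_iossim_dynamic.dylib:x86_64+0x1977c) in wrap_memcpy+0x16c
Thread T17 created by T9 here:
#0 0x10f8a8d9c in wrap_pthread_create+0x5c (libclang_rt.asan_iossim_dynamic.dylib:x86_64+0x3dd9c)
#1 0x10efc0b65 in pj_thread_create+0x135 (call_demo_swift:x86_64+0x100202b65)
#2 0x10ef8592a in pjmedia_clock_start+0x8a (call_demo_swift:x86_64+0x1001c792a)
Thread T9 created by T0 here:
#0 0x10f8a8d9c in wrap_pthread_create+0x5c (libclang_rt.asan_iossim_dynamic.dylib:x86_64+0x3dd9c)
#1 0x10efc0b65 in pj_thread_create+0x135 (call_demo_swift:x86_64+0x100202b65)
#2 0x10ee35e60 in pjsua_init+0x730 (call_demo_swift:x86_64+0x100077e60)
==10381==ABORTING
"""

FRAME_RE = re.compile(r"^\s*#\d+\s+0x[0-9a-fA-F]+\s+in\s+([^\s(+]+)")  # "#n 0xaddr in func"
MODULE_RE = re.compile(r"\(([^():]+):[^()]*\)\s*$")  # trailing "(module:arch+offset)"
SUMMARY_RE = re.compile(r"^SUMMARY: AddressSanitizer: (\S+)")
ADDRESS_RE = re.compile(r"^Address (0x[0-9a-fA-F]+) is (.+)$")
SIZE_RE = re.compile(r"access range of size (0x[0-9a-fA-F]+)")
THREAD_RE = re.compile(r"^Thread (T\d+) created by (T\d+) here:")

@dataclass
class Frame:
    func: str
    module: Optional[str]

    @property
    def in_sanitizer(self) -> bool:
        # Frames inside the ASan runtime (interceptors such as wrap_memcpy) are never the bug itself.
        return bool(self.module and "libclang_rt" in self.module) or (
            self.func.startswith(("wrap_", "__interceptor_", "__asan_")))

@dataclass
class AsanReport:
    bug_type: Optional[str] = None
    address: Optional[int] = None
    access_size: Optional[int] = None
    wild_pointer: bool = False  # ASan found no allocation holding the address: no "allocated by" stack
    crash_stack: List[Frame] = field(default_factory=list)
    thread_parent: Dict[str, str] = field(default_factory=dict)  # Tchild -> Tparent
    thread_stacks: Dict[str, List[Frame]] = field(default_factory=dict)  # Tchild -> creation stack

    def first_app_frame(self) -> Optional[Frame]:
        return next((f for f in self.crash_stack if not f.in_sanitizer), None)

    def thread_chain(self, thread: str) -> List[str]:
        chain = [thread]
        while chain[-1] in self.thread_parent:
            chain.append(self.thread_parent[chain[-1]])
        return chain

def parse_asan_report(text: str) -> AsanReport:
    report = AsanReport()
    current = report.crash_stack  # frames land here until a "Thread Tx created by" section starts
    for line in text.splitlines():  # shadow-byte rows and legend lines match nothing and are skipped
        if m := THREAD_RE.match(line):
            child, parent = m.groups()
            report.thread_parent[child] = parent
            current = report.thread_stacks.setdefault(child, [])
        elif m := FRAME_RE.match(line):
            mod = MODULE_RE.search(line)
            current.append(Frame(m.group(1), mod.group(1) if mod else None))
        elif m := SUMMARY_RE.match(line):
            report.bug_type = m.group(1)
        elif m := ADDRESS_RE.match(line):
            report.address = int(m.group(1), 16)
            report.wild_pointer = "wild pointer" in m.group(2)
            size = SIZE_RE.search(m.group(2))
            report.access_size = int(size.group(1), 16) if size else None
    return report

def triage(report: AsanReport) -> dict:
    """The facts a triager wants first: bug class, access, culprit frame, thread lineage."""
    culprit = report.first_app_frame()
    # Assumption: with the "ERROR: ... thread Tn" header absent from the paste, the first
    # "Thread Tx created by" section is the faulting thread's own (ASan prints it before the parents').
    fault_thread = next(iter(report.thread_parent), "T0")
    return {
        "bug": report.bug_type,
        "address": hex(report.address) if report.address is not None else None,
        "access_size": report.access_size,
        "wild_pointer": report.wild_pointer,
        "culprit": culprit.func if culprit else None,
        "path": [f.func for f in report.crash_stack if not f.in_sanitizer],
        "thread_chain": report.thread_chain(fault_thread),
        "thread_created_via": [f.func for f in report.thread_stacks.get(fault_thread, [])
                               if not f.in_sanitizer],
    }
```

Run against the sample, triage() reports a heap-buffer-overflow of 0x58 (88) bytes at 0x62d0007fd028 with the culprit vtool_codec_encode_begin reached via put_frame, on_clock_tick and clock_thread, on thread T17, which T9 started from pjmedia_clock_start and T0 started from pjsua_init. The same parser can be fed the full dump from log.txt unchanged; its regexes are intentionally loose about indentation and symbol forms, so frames with C++ signatures or file:line suffixes still yield a function name, only without a module.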