pjproject
heap/buffer overflow with epCfg.medConfig.audioFramePtime set to 5 in opus codec code
Describe the bug
Setting epCfg.medConfig.audioFramePtime (or PJSUA_DEFAULT_AUDIO_FRAME_PTIME) to 5 crashes the Opus codec. Caught when compiling a pjsip app with -fsanitize=address and making a call with the Opus codec:
[2022 May 16 23:41:24.597] [trace] Resetting jitter buffer in stream playback start
[2022 May 16 23:41:24.598] [trace] Jitter buffer reset
=================================================================
==24406==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x007f87421170 at pc 0x0000006304e4 bp 0x007f7d6dddd0 sp 0x007f7d6dde28
READ of size 792 at 0x007f87421170 thread T9
#0 0x6304e0 in __interceptor_memcpy /home/tcwg-buildslave/workspace/tcwg-gnu-build/snapshots/gcc.git~master/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:827
#1 0x73d74c in get_frame (/root/app+0x73d74c)
#2 0x741a34 in clock_callback (/root/app+0x741a34)
#3 0x75f658 in clock_thread (/root/app+0x75f658)
#4 0x721c9c in thread_main (/root/app+0x721c9c)
#5 0x7f89acb698 in start_thread nptl/pthread_create.c:435
#6 0x7f89b33d18 (/lib/aarch64-linux-gnu/libc.so.6+0xe5d18)
Other codecs work with audioFramePtime set to 5.
Steps to reproduce
1. Set epCfg.medConfig.audioFramePtime (or PJSUA_DEFAULT_AUDIO_FRAME_PTIME) to 5.
2. Make a call using the Opus codec.
PJSIP version
commit c3d260dc330af2bd06ea811d4739ef6be2d6de39
Context
- Ubuntu 20.04 on aarch64
- gcc-linaro-12.0.1-2022.02-x86_64_aarch64-linux-gnu
- latest pjsip git (commit c3d260dc330af2bd06ea811d4739ef6be2d6de39)
- latest opus git (commit ccaaffa9a3ee427e9401c4dcf6462e378d9a4694)
Log, call stack, etc
[2022 May 16 23:41:24.587] [debug] Audio channel update..
[2022 May 16 23:41:24.588] [trace] Initialize Opus encoder, sample rate: 48000, avg bitrate: 0, vad: 0, plc: 1, pkt loss: 5, complexity: 5, constant bit rate: 0
[2022 May 16 23:41:24.589] [trace] Jitter buffer reset
[2022 May 16 23:41:24.589] [trace] pjmedia_rtp_session_init: ses=0x7f8741bf68, default_pt=96, ssrc=0x37b7bdb2
[2022 May 16 23:41:24.589] [trace] pjmedia_rtp_session_init2: ses=0x7f8741bf68, seq=18541, ts=0, peer_ssrc=2021024215
[2022 May 16 23:41:24.590] [trace] pjmedia_rtp_session_init: ses=0x7f8741b490, default_pt=96, ssrc=0x37b7bdb2
[2022 May 16 23:41:24.590] [trace] pjmedia_rtp_session_init2: ses=0x7f8741b490, seq=21873, ts=0, peer_ssrc=2021024215
[2022 May 16 23:41:24.590] [debug] Remote RTCP address switched to 10.1.1.236:4007
[2022 May 16 23:41:24.591] [debug] UDP media transport attached
[2022 May 16 23:41:24.591] [trace] Stream strm0x7f7e916928 created
[2022 May 16 23:41:24.591] [debug] Encoder stream started
[2022 May 16 23:41:24.592] [debug] Decoder stream started
[2022 May 16 23:41:24.592] [trace] resample created: high qualiy, large filter, in/out rate=48000/8000
[2022 May 16 23:41:24.592] [trace] resample created: high qualiy, large filter, in/out rate=8000/48000
[2022 May 16 23:41:24.592] [debug] Audio updated, stream #0: opus (sendrecv)
[2022 May 16 23:41:24.593] [trace] [Channel N3] onCallMediaState: media_size: 1, media_info.status: 1
[2022 May 16 23:41:24.593] [trace] Conf connect: 28 --> 1
[2022 May 16 23:41:24.593] [debug] Port 28 (sip:[email protected]:5060;transport=udp) transmitting to port 1 (Mic/Speaker Channel)
[2022 May 16 23:41:24.594] [trace] Conf connect: 28 --> 4
[2022 May 16 23:41:24.594] [debug] Port 28 (sip:[email protected]:5060;transport=udp) transmitting to port 4 (Speaker VU meter)
[2022 May 16 23:41:24.594] [trace] slot 28, rx_adj_level -84
[2022 May 16 23:41:24.595] [trace] Received Response msg 200/INVITE/cseq=4349 (rdata0x7f7e739928), sending ACK
[2022 May 16 23:41:24.595] [trace] Request msg ACK/cseq=4349 (tdta0x7f69d119a8) created.
[2022 May 16 23:41:24.595] [trace] Sending Request msg ACK/cseq=4349 (tdta0x7f69d119a8)
[2022 May 16 23:41:24.595] [trace] Target '10.1.1.236:5060' type=Unspecified resolved to '10.1.1.236:5060' type=UDP (UDP transport)
[2022 May 16 23:41:24.596] [debug] TX 364 bytes Request msg ACK/cseq=4349 (tdta0x7f69d119a8) to UDP 10.1.1.236:5060:
ACK sip:[email protected]:5060 SIP/2.0
Via: SIP/2.0/UDP 10.1.1.247:5060;rport;branch=z9hG4bKPjff42790b-7644-4817-858d-f548ce54b9a3
Max-Forwards: 70
From: sip:[email protected];tag=d08b51f8-4d62-4cd9-8b73-c7516a73d519
To: sip:[email protected];tag=oqaH8k7mGrPWypzCzvx56ZgLOxK8dfLl
Call-ID: f5fc192f-736c-4a31-8e34-04e2740d91be
CSeq: 4349 ACK
Content-Length: 0
--end msg--
[2022 May 16 23:41:24.596] [info] [Channel N3] onCallState: state: CONFIRMED [5], code: 200, reason: OK
[2022 May 16 23:41:24.596] [trace] media_player_t: stop playing /root/prompts/ringtone.wav to speaker
[2022 May 16 23:41:24.597] [trace] Conf disconnect: 10 -x- 1
[2022 May 16 23:41:24.597] [trace] Conf disconnect: 10 -x- 4
[2022 May 16 23:41:24.597] [trace] Resetting jitter buffer in stream playback start
[2022 May 16 23:41:24.598] [trace] Jitter buffer reset
=================================================================
==24406==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x007f87421170 at pc 0x0000006304e4 bp 0x007f7d6dddd0 sp 0x007f7d6dde28
READ of size 792 at 0x007f87421170 thread T9
[2022 May 16 23:41:24.599] [trace] RTP status: badpt=0, badssrc=0, dup=0, outorder=0, probation=-1, restart=0
[2022 May 16 23:41:24.601] [trace] Underflow, buf_cnt=0, will generate 1 frame
[2022 May 16 23:41:24.604] [trace] 40 samples reduced, buf_cnt=80
[2022 May 16 23:41:24.605] [trace] Underflow, buf_cnt=0, will generate 1 frame
[2022 May 16 23:41:24.609] [trace] 41 samples reduced, buf_cnt=79
[2022 May 16 23:41:24.610] [trace] Underflow, buf_cnt=0, will generate 1 frame
[2022 May 16 23:41:24.614] [trace] 39 samples reduced, buf_cnt=80
[2022 May 16 23:41:24.615] [trace] Underflow, buf_cnt=0, will generate 1 frame
[2022 May 16 23:41:24.619] [trace] 72 samples reduced, buf_cnt=48
[2022 May 16 23:41:24.620] [trace] Underflow, buf_cnt=0, will generate 1 frame
[2022 May 16 23:41:24.624] [trace] 8 samples reduced, buf_cnt=80
[2022 May 16 23:41:24.625] [trace] Underflow, buf_cnt=0, will generate 1 frame
[2022 May 16 23:41:24.629] [trace] Pausing media flow on downstream direction (level=9)
[2022 May 16 23:41:24.630] [trace] Underflow, buf_cnt=0, will generate 1 frame
[2022 May 16 23:41:24.635] [trace] Underflow, buf_cnt=0, will generate 1 frame
[2022 May 16 23:41:24.640] [trace] Pausing media flow on upstream direction (level=-9)
#0 0x6304e0 in __interceptor_memcpy /home/tcwg-buildslave/workspace/tcwg-gnu-build/snapshots/gcc.git~master/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:827
#1 0x73d74c in get_frame (/root/app+0x73d74c)
#2 0x741a34 in clock_callback (/root/app+0x741a34)
#3 0x75f658 in clock_thread (/root/app+0x75f658)
#4 0x721c9c in thread_main (/root/app+0x721c9c)
#5 0x7f89acb698 in start_thread nptl/pthread_create.c:435
#6 0x7f89b33d18 (/lib/aarch64-linux-gnu/libc.so.6+0xe5d18)
0x007f87421170 is located 240 bytes to the right of 2048-byte region [0x007f87420880,0x007f87421080)
allocated by thread T8 here:
#0 0x6914a4 in __interceptor_malloc /home/tcwg-buildslave/workspace/tcwg-gnu-build/snapshots/gcc.git~master/libsanitizer/asan/asan_malloc_linux.cpp:69
#1 0x733968 in default_block_alloc (/root/app+0x733968)
#2 0x728dd0 in pj_pool_allocate_find (/root/app+0x728dd0)
#3 0x73ccd4 in create_conf_port (/root/app+0x73ccd4)
#4 0x73df74 in pjmedia_conf_add_port (/root/app+0x73df74)
#5 0x6eff64 in pjsua_aud_channel_update (/root/app+0x6eff64)
#6 0x6e937c in pjsua_media_channel_update (/root/app+0x6e937c)
#7 0x6dbd40 in pjsua_call_on_media_update (/root/app+0x6dbd40)
#8 0x7c7110 in inv_negotiate_sdp (/root/app+0x7c7110)
#9 0x7c80b8 in inv_check_sdp_in_incoming_msg (/root/app+0x7c80b8)
#10 0x7cd5c4 in inv_on_state_early (/root/app+0x7cd5c4)
#11 0x7c7680 in mod_inv_on_tsx_state (/root/app+0x7c7680)
#12 0x71c3e0 in pjsip_dlg_on_tsx_state (/root/app+0x71c3e0)
#13 0x716c9c in tsx_set_state (/root/app+0x716c9c)
#14 0x717e2c in tsx_on_state_proceeding_uac (/root/app+0x717e2c)
#15 0x719b44 in pjsip_tsx_recv_msg (/root/app+0x719b44)
#16 0x719c14 in mod_tsx_layer_on_rx_response (/root/app+0x719c14)
#17 0x705f04 in pjsip_endpt_process_rx_data (/root/app+0x705f04)
#18 0x7060ac in endpt_on_rx_msg (/root/app+0x7060ac)
#19 0x70b4a8 in pjsip_tpmgr_receive_packet (/root/app+0x70b4a8)
#20 0x70d274 in udp_on_read_complete (/root/app+0x70d274)
#21 0x71f57c in ioqueue_dispatch_read_event (/root/app+0x71f57c)
#22 0x720d04 in pj_ioqueue_poll (/root/app+0x720d04)
#23 0x705c24 in pjsip_endpt_handle_events2 (/root/app+0x705c24)
#24 0x6ddce8 in pjsua_handle_events (/root/app+0x6ddce8)
#25 0x6ddd28 in worker_thread (/root/app+0x6ddd28)
#26 0x721c9c in thread_main (/root/app+0x721c9c)
#27 0x7f89acb698 in start_thread nptl/pthread_create.c:435
#28 0x7f89b33d18 (/lib/aarch64-linux-gnu/libc.so.6+0xe5d18)
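The sanitizer report above says a 792-byte memcpy in get_frame started 240 bytes past the end of a 2048-byte pool block, i.e. the copy length was derived from one frame size while the buffer had been sized for another. The following is an added C example, not code from pjproject: it is a small model with hypothetical names (port_buf_t, checked_frame_copy, bytes_past_region_end) that shows the unchecked copy pattern beside a bounds-checked one, a helper for the bytes-per-frame arithmetic that ties ptime to buffer size, and a triage helper that turns the ASan region/address numbers into an overrun distance. The 48 kHz, 5 ms, 2048-byte and 792-byte figures come from the report; the buffer layout is an assumption made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical model of a fixed-size PCM buffer owned by a bridge port.
 * Illustration only; this is not pjmedia's conference-bridge structure. */
typedef struct {
    uint8_t *data;   /* backing storage */
    size_t   size;   /* bytes actually allocated for it */
} port_buf_t;

/* Bytes per 16-bit PCM frame for a clock rate, ptime and channel count.
 * 48000 Hz * 5 ms * 1 channel * 2 bytes = 480 bytes. */
size_t pcm_frame_bytes(unsigned clock_rate, unsigned ptime_ms, unsigned channels)
{
    return (size_t)clock_rate * ptime_ms / 1000 * channels * sizeof(int16_t);
}

/* The pattern the sanitizer flagged: offset and length are trusted, so a
 * length computed for a different frame size runs memcpy past the region.
 * Shown for contrast only; nothing below calls it. */
void unchecked_frame_copy(uint8_t *dst, const port_buf_t *src,
                          size_t offset, size_t len)
{
    memcpy(dst, src->data + offset, len);
}

/* Hardened form: refuse any request that does not fit the source region or
 * the destination. The second test is phrased so offset + len cannot wrap. */
int checked_frame_copy(uint8_t *dst, size_t dst_size, const port_buf_t *src,
                       size_t offset, size_t len)
{
    if (len > dst_size)
        return -1;
    if (offset > src->size || len > src->size - offset)
        return -1;
    memcpy(dst, src->data + offset, len);
    return 0;
}

/* Triage helper for an ASan "located N bytes to the right of" report:
 * how far the last byte of the access lies past the end of the region. */
size_t bytes_past_region_end(uintptr_t region_end, uintptr_t access_addr,
                             size_t access_len)
{
    return (size_t)(access_addr + access_len - region_end);
}

/* Replay the report's numbers: a 2048-byte region and a 792-byte read
 * beginning 240 bytes past its end. Returns the checker's verdict (-1). */
int replay_reported_read(void)
{
    static uint8_t pool[2048];
    port_buf_t src = { pool, sizeof pool };
    uint8_t dst[1024];
    return checked_frame_copy(dst, sizeof dst, &src, sizeof pool + 240, 792);
}

/* A 5 ms mono frame at 48 kHz read from the start of the same region fits. */
int replay_fitting_read(void)
{
    static uint8_t pool[2048];
    port_buf_t src = { pool, sizeof pool };
    uint8_t dst[1024];
    return checked_frame_copy(dst, sizeof dst, &src, 0, pcm_frame_bytes(48000, 5, 1));
}

int main(void)
{
    printf("5 ms frame at 48 kHz mono: %zu bytes\n", pcm_frame_bytes(48000, 5, 1));
    printf("reported read ends %zu bytes past the region end\n",
           bytes_past_region_end((uintptr_t)0x7f87421080ULL,
                                 (uintptr_t)0x7f87421170ULL, 792));
    printf("checked copy of reported read: %d\n", replay_reported_read());
    printf("checked copy of fitting read: %d\n", replay_fitting_read());
    return 0;
}
```

The point of the checked variant is that a ptime mismatch then surfaces as a returned error at the call site instead of an out-of-bounds read on the clock thread, which is also the place to log the requested length against the allocated size when diagnosing a report like this one.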