Bug #4134

Crash on getting EPG for IPTV VOD

Added by C K 3 months ago. Updated 2 months ago.

Status: Accepted
Start date: 2016-12-11
Priority: Normal
Due date:
Assignee: -
% Done: 100%

Category:-
Target version:-
Found in version: 4.1-2370~g0c506b4
Affected Versions:

Description

Hi,

here is my log with clang:

ASAN:SIGSEGV
=================================================================
==2130==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f7ceb84c9da sp 0x7f7ce7550c48 bp 0x7f7ce75514b0 T9)
    #0 0x7f7ceb84c9d9 (/lib/x86_64-linux-gnu/libc.so.6+0x889d9)
    #1 0x7f7ceecf9005 in __interceptor_strdup (/home/waldmeister/src/tvheadend/build.linux/tvheadend+0x4cf005)
    #2 0x7f7cef9002d0 in iptv_auto_network_process_m3u_item /home/waldmeister/src/tvheadend/src/input/mpegts/iptv/iptv_auto.c:244
    #3 0x7f7cef8fac30 in iptv_auto_network_process_m3u /home/waldmeister/src/tvheadend/src/input/mpegts/iptv/iptv_auto.c:316
    #4 0x7f7cef8f91ff in iptv_auto_network_process /home/waldmeister/src/tvheadend/src/input/mpegts/iptv/iptv_auto.c:363
    #5 0x7f7cef14dbcd in download_fetch_complete /home/waldmeister/src/tvheadend/src/download.c:123
    #6 0x7f7cef134eb1 in http_client_finish /home/waldmeister/src/tvheadend/src/httpc.c:704
    #7 0x7f7cef11cf22 in http_client_run0 /home/waldmeister/src/tvheadend/src/httpc.c:1011
    #8 0x7f7cef11a570 in http_client_run /home/waldmeister/src/tvheadend/src/httpc.c:1180
    #9 0x7f7cef1305c7 in http_client_thread /home/waldmeister/src/tvheadend/src/httpc.c:1442
    #10 0x7f7ceedd9cf2 in thread_wrapper /home/waldmeister/src/tvheadend/src/wrappers.c:159
    #11 0x7f7ced11b183 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x8183)
    #12 0x7f7ceb8be37c (/lib/x86_64-linux-gnu/libc.so.6+0xfa37c)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV ??:0 ??
Thread T9 (tvh:httpc) created by T0 here:
    #0 0x7f7ceecf7312 in pthread_create (/home/waldmeister/src/tvheadend/build.linux/tvheadend+0x4cd312)
    #1 0x7f7ceedd970b in tvhthread_create /home/waldmeister/src/tvheadend/src/wrappers.c:177
    #2 0x7f7cef12fa5e in http_client_init /home/waldmeister/src/tvheadend/src/httpc.c:1694
    #3 0x7f7ceed33344 in main /home/waldmeister/src/tvheadend/src/main.c:1193
    #4 0x7f7ceb7e5f44 (/lib/x86_64-linux-gnu/libc.so.6+0x21f44)

==2130==ABORTING

And compiled with gcc / full bt:

[Thread 0x7fffcb7fe700 (LWP 2458) exited]

Program received signal SIGINT, Interrupt.
pthread_cond_timedwait@@GLIBC_2.3.2 () at ../nptl/sysdeps/unix/sysv/linux/x86_64/pthread_cond_timedwait.S:238
238    ../nptl/sysdeps/unix/sysv/linux/x86_64/pthread_cond_timedwait.S: Datei oder Verzeichnis nicht gefunden.
Undefined command: "exit".  Try "help".
A debugging session is active.

    Inferior 1 [process 2431] will be killed.

Quit anyway? (y or n) #0  bin2hex (dst=0x7f8a4d7f8b11 "", dst@entry=0x7f8a4d7f8b10 "\276", dstlen=dstlen@entry=33, src=0x140 <error: Cannot access memory at address 0x140>, srclen=srclen@entry=16) at src/uuid.c:83
No locals.
#1  0x00007f8ac59fdff9 in idnode_uuid_as_str (in=<optimized out>, uuid=uuid@entry=0x7f8a4d7f8b10 "\276") at src/idnode.c:227
No locals.
#2  0x00007f8ac5a17f74 in epg_episode_find_by_broadcast (ebc=ebc@entry=0x7f8a7f53b660, src=src@entry=0x7f8ac93422c0, create=create@entry=1, save=save@entry=0x7f8a4d7f95e0, changed=changed@entry=0x7f8a4d7f8c8c) at src/epg.c:956
        uri = "\020\322\364\177\212\177\000\000\222\016V\205\000\000\000\000\340\225\177M\212\177\000\000\200\212\242}\212\177\000\000\000\353j\177\212\177\000\000`\266S\177\212\177\000\000\000\000\000\000\000\000\000\000\222\016V\205\212\177\000\000\340\225\177M\212\177\000\000\335n\244Ŋ\177\000\000`\266S" 
        ubuf = "\276\000\000\000\000\000\000\000*\247\fÊ\177\000\000\000\000\000\000\000\000\000\000\220\254\004|\212\177\000\000`" 
#3  0x00007f8ac5acf97d in _eit_process_event_one (mod=mod@entry=0x7f8ac93422c0, tableid=tableid@entry=78, sect=sect@entry=0, svc=svc@entry=0x7f8ac9d3ab70, ch=<optimized out>, ptr=<optimized out>, ptr@entry=0x7f8a85560d86 "", len=256, len@entry=268, local=local@entry=0, resched=resched@entry=0x7f8a4d7f95e4, save=save@entry=0x7f8a4d7f95e0) at src/epggrab/module/eit.c:536
        dllen = <optimized out>
        save2 = 1
        start = <optimized out>
        stop = <optimized out>
        eid = 89
        dtag = <optimized out>
        dlen = <optimized out>
        running = 4 '\004'
        ebc = 0x7f8a7f53b660
        ee = 0x0
        es = <optimized out>
        run = <optimized out>
        ev = {uri = '\000' <repeats 256 times>, suri = '\000' <repeats 256 times>, title = 0x7f8a7e9cd750, summary = 0x7f8a7eb3d020, desc = 0x7f8a7d6a5450, default_charset = 0x7f8ac86c9e20 "AUTO", extra = 0x0, genre = 0x7f8a7ca9b1a0, hd = 0 '\000', ws = 0 '\000', ad = 0 '\000', st = 0 '\000', ds = 0 '\000', bw = 0 '\000', parental = 0 '\000'}
        changes2 = 1849
        changes3 = 0
        changes4 = 0
        tm1 = "i\377\bÊ\177\000\000%\313xƊ\177\000\000#\313xƊ\177\000\000*\304\bÊ\177\000" 
        tm2 = "\000\000\000\000\000\000\000\000@\217\177M\212\177\000\000\000\000\177M\212\177\000\000ܦ\177M\212\177\000" 
#4  0x00007f8ac5ad08a8 in _eit_process_event (save=0x7f8a4d7f95e0, resched=0x7f8a4d7f95e4, local=0, len=268, ptr=0x7f8a85560d86 "", svc=<optimized out>, sect=0, tableid=78, mod=0x7f8ac93422c0) at src/epggrab/module/eit.c:600
        ilm = 0x7f8ac973e9a0
        ch = <optimized out>
#5  _eit_callback (mt=0x7f8a85560d10, ptr=0x7f8a85560d86 "", len=268, tableid=78) at src/epggrab/module/eit.c:724
        r = <optimized out>
        sect = 0
        last = 1
        ver = 17
        save = 1
        resched = 1
        seg = <optimized out>
        onid = <optimized out>
        tsid = 9900
        sid = <optimized out>
        extraid = <optimized out>
        svc = <optimized out>
        mm = <optimized out>
        map = <optimized out>
        mod = 0x7f8ac93422c0
        ota = 0x7f8ac8740000
        st = 0x7f8a7f4b37c0
        ths = <optimized out>
        ubuf = "86e91bee10196352fc02b09439651053" 
#6  0x00007f8ac5ab6cf8 in mpegts_table_dispatch (sec=<optimized out>, r=<optimized out>, aux=0x7f8a85560d10) at src/input/mpegts/mpegts_table.c:105
        tid = <optimized out>
        len = <optimized out>
        crc_len = <optimized out>
        ret = <optimized out>
        mt = 0x7f8a85560d10
#7  0x00007f8ac5aaf406 in mpegts_psi_section_reassemble0 (mt=mt@entry=0x7f8a85560d10, logpref=logpref@entry=0x7f8a4d7f99d0 "12692H in 13.0E Hotbird", data=data@entry=0x7f8a2c1d37a0 " la Martinique. Le Basque de Saint-Pierre-et-Miquelon. Le nouvel an chinois \340 La R\351union.T\002\224", len=len@entry=184, start=<optimized out>, crc=crc@entry=1, cb=cb@entry=0x7f8ac5ab6c60 <mpegts_table_dispatch>, opaque=opaque@entry=0x7f8a85560d10) at src/input/mpegts/dvb_psi_lib.c:122
        p = 0x7f8a85560d78 "N\361\033\001\243", <incomplete sequence \343>
        excess = 81
        tsize = <optimized out>
#8  0x00007f8ac5aaf63e in mpegts_psi_section_reassemble (mt=mt@entry=0x7f8a85560d10, logprefix=logprefix@entry=0x7f8a4d7f99d0 "12692H in 13.0E Hotbird", tsb=tsb@entry=0x7f8a2c1d379c "G", crc=1, cb=0x7f8ac5ab6c60 <mpegts_table_dispatch>, opaque=opaque@entry=0x7f8a85560d10) at src/input/mpegts/dvb_psi_lib.c:169
        pusi = <optimized out>
        cc = <optimized out>
        off = 4
        r = <optimized out>
#9  0x00007f8ac5aa9639 in mpegts_input_table_dispatch (mm=mm@entry=0x7f8ac9d36070, logprefix=logprefix@entry=0x7f8a4d7f99d0 "12692H in 13.0E Hotbird", tsb=tsb@entry=0x7f8a2c1d36e0 "G@\022\034", tsb_len=940) at src/input/mpegts/mpegts_input.c:1185
        i = <optimized out>
        len = <optimized out>
        c = <optimized out>
        tsb2 = 0x7f8a2c1d379c "G" 
        tsb2_end = 0x7f8a2c1d3a8c "tant c'est ", <incomplete sequence \365>
        pid = 18
        mt = 0x7f8a85560d10
        vec = 0x7f8a4d7f9880
        __PRETTY_FUNCTION__ = "mpegts_input_table_dispatch" 
#10 0x00007f8ac5aa9846 in mpegts_input_table_thread (aux=0x7f8a740099a0) at src/input/mpegts/mpegts_input.c:1576
        mtf = 0x7f8a2c1d36c0
        mm = 0x7f8ac9d36070
        muxname = "12692H in 13.0E Hotbird", '\000' <repeats 232 times>
#11 0x00007f8ac5a06442 in thread_wrapper (p=0x7f8a8439a220) at src/wrappers.c:159
        ts = 0x7f8a8439a220
        set = {__val = {16388, 0 <repeats 15 times>}}
        r = <optimized out>
#12 0x00007f8ac415a184 in start_thread (arg=0x7f8a4d7fa700) at pthread_create.c:312
        __res = <optimized out>
        pd = 0x7f8a4d7fa700
        now = <optimized out>
        unwind_buf = {cancel_jmp_buf = {{jmp_buf = {140231982425856, -6082041186477309784, 0, 0, 140231982426560, 140231982425856, 6092426076892004520, 6092728080380690600}, mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x0, 0x0}, data = {prev = 0x0, cleanup = 0x0, canceltype = 0}}}
        not_first_call = <optimized out>
        pagesize_m1 = <optimized out>
        sp = <optimized out>
        freesize = <optimized out>
        __PRETTY_FUNCTION__ = "start_thread" 
#13 0x00007f8ac313c37d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:111
No locals.
#2  0x00007f8ac5a17f74 in epg_episode_find_by_broadcast (ebc=ebc@entry=0x7f8a7f53b660, src=src@entry=0x7f8ac93422c0, create=create@entry=1, save=save@entry=0x7f8a4d7f95e0, changed=changed@entry=0x7f8a4d7f8c8c) at src/epg.c:956
956      snprintf(uri, sizeof(uri)-1, "tvh://channel-%s/bcast-%u/episode",
$1 = {{uri_link = {left = 0x7f8a7d8548c0, right = 0x7f8a7ecd0ab0, parent = 0x0, color = 0}, id_link = {left = 0x0, right = 0x0, parent = 0x7f8a93c4a3c0, color = 0}, un_link = {le_next = 0x0, le_prev = 0x7f8ac6c47480 <epg_object_unref>}, up_link = {le_next = 0x0, le_prev = 0x7f8adc140ac0}, type = EPG_BROADCAST, id = 992764, uri = 0x0, updated = 1480822372, _updated = 1 '\001', _created = 0 '\000', refcount = 0, grabber = 0x7f8ac93422c0, getref = 0x7f8ac5a130d0 <_epg_object_getref>, putref = 0x7f8ac5a14700 <_epg_object_putref>, destroy = 0x7f8ac5a15b00 <_epg_broadcast_destroy>, update = 0x7f8ac5a141d0 <_epg_broadcast_updated>}, dvb_eid = 89, start = 1480821000, stop = 1480822200, is_widescreen = 0 '\000', is_hd = 0 '\000', lines = 0, aspect = 0, is_deafsigned = 0 '\000', is_subtitled = 0 '\000', is_audio_desc = 0 '\000', is_new = 0 '\000', is_repeat = 0 '\000', running = 0 '\000', summary = 0x7f8a7d93fc10, description = 0x7f8a7f6aeb00, sched_link = {left = 0x0, right = 0x0, parent = 0x7f8adc140a70, color = 0}, ep_link = {le_next = 0x0, le_prev = 0x0}, episode = 0x0, sl_link = {le_next = 0x0, le_prev = 0x0}, serieslink = 0x0, channel = 0x140}
#0  lang_str_compare (ls1=0x6e6f696e6967617a, ls2=ls2@entry=0x7f68e01afe00) at src/lang_str.c:279
        e = <optimized out>
        r = <optimized out>
#1  0x00007f693b99dca0 in _epg_object_set_lang_str (o=0x7f68e00c9cf0, old=0x7f68e00c9dc8, str=0x7f68e01afe00, changed=<optimized out>, cflag=<optimized out>) at src/epg.c:353
No locals.
#2  0x00007f693ba5789c in _eit_process_event_one (mod=mod@entry=0x7f693e10bcc0, tableid=tableid@entry=79, sect=sect@entry=0, svc=svc@entry=0x7f693ecb8270, ch=<optimized out>, ptr=<optimized out>, ptr@entry=0x7f68fc4881d6 ":\231\341\177", len=461, len@entry=473, local=local@entry=0, resched=resched@entry=0x7f68c0ff8594, save=save@entry=0x7f68c0ff8590) at src/epggrab/module/eit.c:508
        dllen = <optimized out>
        save2 = 1
        start = <optimized out>
        stop = <optimized out>
        eid = 15001
        dtag = <optimized out>
        dlen = <optimized out>
        running = 4 '\004'
        ebc = 0x7f68e00c9cf0
        ee = 0x0
        es = <optimized out>
        run = <optimized out>
        ev = {uri = '\000' <repeats 256 times>, suri = '\000' <repeats 256 times>, title = 0x7f68e00e4a30, summary = 0x0, desc = 0x7f68e01afe00, default_charset = 0x7f693d0d6d50 "AUTO", extra = 0x0, genre = 0x7f68e0111090, hd = 0 '\000', ws = 0 '\000', ad = 0 '\000', st = 0 '\000', ds = 0 '\000', bw = 0 '\000', parental = 0 '\000'}
        changes2 = 25
        changes3 = 0
        changes4 = 0
        tm1 = "i\177\001\071i\177\000\000%Kq<i\177\000\000#Kq<i\177\000\000*D\001\071i\177\000" 
        tm2 = "\360~\377\300h\177\000\000\360~\377\300h\177\000\000\360~\377\300h\177\000\000\372~\377\300h\177\000" 
#3  0x00007f693ba588a8 in _eit_process_event (save=0x7f68c0ff8590, resched=0x7f68c0ff8594, local=0, len=473, ptr=0x7f68fc4881d6 ":\231\341\177", svc=<optimized out>, sect=0, tableid=79, mod=0x7f693e10bcc0) at src/epggrab/module/eit.c:600
        ilm = 0x7f69428b96c0
        ch = <optimized out>
#4  _eit_callback (mt=0x7f68fc488160, ptr=0x7f68fc4881d6 ":\231\341\177", len=473, tableid=79) at src/epggrab/module/eit.c:724
        r = <optimized out>
        sect = 0
        last = 1
        ver = 8
        save = 1
        resched = 1
        seg = <optimized out>
        onid = <optimized out>
        tsid = 1000
        sid = <optimized out>
        extraid = <optimized out>
        svc = <optimized out>
        mm = <optimized out>
        map = <optimized out>
        mod = 0x7f693e10bcc0
        ota = 0x0
        st = 0x7f68e00c2220
        ths = <optimized out>
        ubuf = "a2613312e099cdbd8a155fba1a3a8ac1" 
#5  0x00007f693ba3ecf8 in mpegts_table_dispatch (sec=<optimized out>, r=<optimized out>, aux=0x7f68fc488160) at src/input/mpegts/mpegts_table.c:105
        tid = <optimized out>
        len = <optimized out>
        crc_len = <optimized out>
        ret = <optimized out>
        mt = 0x7f68fc488160
#6  0x00007f693ba37406 in mpegts_psi_section_reassemble0 (mt=mt@entry=0x7f68fc488160, logpref=logpref@entry=0x7f68c0ff89d0 "10892H in 13.0E Hotbird", data=data@entry=0x7f68e001e324 "ywa kulisy niewyja\266nionych wydarze\361 historycznych. Widzowie dowiedz\261 si\352, sk\261d si\352 wzi\261\263 orze\263 w godle Polski.T\002#\200U\004POL\004R5\027Y", '\377' <repeats 60 times>, "G@\022\033", len=len@entry=184, start=<optimized out>, crc=crc@entry=1, cb=cb@entry=0x7f693ba3ec60 <mpegts_table_dispatch>, opaque=opaque@entry=0x7f68fc488160) at src/input/mpegts/dvb_psi_lib.c:122
        p = 0x7f68fc4881c8 "O\361\350\020\341", <incomplete sequence \321>
        excess = 60
        tsize = <optimized out>
#7  0x00007f693ba3763e in mpegts_psi_section_reassemble (mt=mt@entry=0x7f68fc488160, logprefix=logprefix@entry=0x7f68c0ff89d0 "10892H in 13.0E Hotbird", tsb=tsb@entry=0x7f68e001e320 "G", crc=1, cb=0x7f693ba3ec60 <mpegts_table_dispatch>, opaque=opaque@entry=0x7f68fc488160) at src/input/mpegts/dvb_psi_lib.c:169
        pusi = <optimized out>
        cc = <optimized out>
        off = 4
        r = <optimized out>
#8  0x00007f693ba31639 in mpegts_input_table_dispatch (mm=mm@entry=0x7f693e451700, logprefix=logprefix@entry=0x7f68c0ff89d0 "10892H in 13.0E Hotbird", tsb=tsb@entry=0x7f68e001e030 "G@\022\026", tsb_len=1316) at src/input/mpegts/mpegts_input.c:1185
        i = <optimized out>
        len = <optimized out>
        c = <optimized out>
        tsb2 = 0x7f68e001e320 "G" 
        tsb2_end = 0x7f68e001e554 "h\177" 
        pid = 18
        mt = 0x7f68fc488160
        vec = 0x7f68c0ff8830
        __PRETTY_FUNCTION__ = "mpegts_input_table_dispatch" 
#9  0x00007f693ba31846 in mpegts_input_table_thread (aux=0x7f690010dd00) at src/input/mpegts/mpegts_input.c:1576
        mtf = 0x7f68e001e010
        mm = 0x7f693e451700
        muxname = "10892H in 13.0E Hotbird", '\000' <repeats 232 times>
#10 0x00007f693b98e442 in thread_wrapper (p=0x7f68fc3916d0) at src/wrappers.c:159
        ts = 0x7f68fc3916d0
        set = {__val = {16388, 0 <repeats 15 times>}}
        r = <optimized out>
#11 0x00007f693a0e2184 in start_thread (arg=0x7f68c0ff9700) at pthread_create.c:312
        __res = <optimized out>
        pd = 0x7f68c0ff9700
        now = <optimized out>
        unwind_buf = {cancel_jmp_buf = {{jmp_buf = {140087891302144, 8518836883025724521, 0, 0, 140087891302848, 140087891302144, -8581190185688071063, -8580895374122384279}, mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x0, 0x0}, data = {prev = 0x0, cleanup = 0x0, canceltype = 0}}}
        not_first_call = <optimized out>
        pagesize_m1 = <optimized out>
        sp = <optimized out>
        freesize = <optimized out>
        __PRETTY_FUNCTION__ = "start_thread" 
#12 0x00007f69390c437d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:111
No locals.
#2  0x00007f693ba5789c in _eit_process_event_one (mod=mod@entry=0x7f693e10bcc0, tableid=tableid@entry=79, sect=sect@entry=0, svc=svc@entry=0x7f693ecb8270, ch=<optimized out>, ptr=<optimized out>, ptr@entry=0x7f68fc4881d6 ":\231\341\177", len=461, len@entry=473, local=local@entry=0, resched=resched@entry=0x7f68c0ff8594, save=save@entry=0x7f68c0ff8590) at src/epggrab/module/eit.c:508
508        *save |= epg_broadcast_set_description(ebc, ev.desc, &changes2);
$1 = {{uri_link = {left = 0x7f68e0007b70, right = 0x7f68e0062920, parent = 0x3a475250000000bc, color = 1038820272}, id_link = {left = 0x25b0000012004047, right = 0xe000000000c52504, parent = 0xf46f28b4f46e2810, color = -193976130}, un_link = {le_next = 0xf47328dcf47228d2, le_prev = 0xffffff6ae84551e6}, up_link = {le_next = 0xffffffffffffffff, le_prev = 0xffffffffffffffff}, type = 4294967295, id = 4294967295, uri = 0xffffffffffffffff <error: Cannot access memory at address 0xffffffffffffffff>, updated = -1, _updated = 255 '\377', _created = 255 '\377', refcount = -1, grabber = 0xffffffffffffffff, getref = 0xffffffffffffffff, putref = 0xffffffffffffffff, destroy = 0xffffffffffffffff, update = 0xffffffffffffffff}, dvb_eid = 65535, start = -1, stop = -1, is_widescreen = 255 '\377', is_hd = 255 '\377', lines = 65535, aspect = 65535, is_deafsigned = 255 '\377', is_subtitled = 255 '\377', is_audio_desc = 255 '\377', is_new = 255 '\377', is_repeat = 255 '\377', running = 255 '\377', summary = 0xffffffffffffffff, description = 0x6e6f696effffffff, sched_link = {left = 0x65697a6420686379, right = 0x51, parent = 0x7f68e01786b0, color = -536637472}, ep_link = {le_next = 0x616e7a, le_prev = 0x31}, episode = 0x7f68e008cd80, sl_link = {le_next = 0x7f68e0000098, le_prev = 0x0}, serieslink = 0x0, channel = 0x50}
#4  _eit_callback (mt=0x7f68fc488160, ptr=0x7f68fc4881d6 ":\231\341\177", len=473, tableid=79) at src/epggrab/module/eit.c:724
724        if ((r = _eit_process_event(mod, tableid, sect, svc, ptr, len,
No symbol "ilm" in current context.
No symbol "ilm" in current context.
#4  _eit_callback (mt=0x7f68fc488160, ptr=0x7f68fc4881d6 ":\231\341\177", len=473, tableid=79) at src/epggrab/module/eit.c:724
724        if ((r = _eit_process_event(mod, tableid, sect, svc, ptr, len,
A syntax error in expression, near `'.
#0  strlen () at ../sysdeps/x86_64/strlen.S:106
No locals.
#1  0x00007f7a925a871e in __GI___strdup (s=0x0) at strdup.c:41
        len = <optimized out>
        new = <optimized out>
#2  0x00007f7a94fd22a3 in iptv_auto_network_process_m3u_item (in=in@entry=0x7f7a9980a4b0, last_url=last_url@entry=0x7f7a542b7561 "get.php", remove_args=remove_args@entry=0x7f7a88ff84c0, chnum=<optimized out>, chnum@entry=0, item=<optimized out>, total=total@entry=0x7f7a88ff84b8, count=count@entry=0x7f7a88ff84bc) at src/input/mpegts/iptv/iptv_auto.c:244
        conf = <optimized out>
        f = <optimized out>
        mm = 0x7f7a99881170
        im = 0x7f7a99881170
        u = {scheme = 0x7f7a5427e120 "http", user = 0x0, pass = 0x0, host = 0x7f7a5427ffa0 "XXXXXXXXX", port = 8711, path = 0x7f7a5419cee0 "XXXXXXXXX/3476.ts", query = 0x0, frag = 0x0, raw = 0x7f7a545a4480 "XXXXXXXXX/3476.ts"}
        change = 1
        args = {tqh_first = 0x0, tqh_last = 0x7f7a88ff7f20}
        ra1 = <optimized out>
        ra2 = <optimized out>
        ra2_next = <optimized out>
        q = {hq_q = {tqh_first = 0x2, tqh_last = 0x7f7a00000032}, hq_size = 2298445728, hq_maxsize = 32634}
        l = <optimized out>
        chnum2 = <optimized out>
        url = <optimized out>
        name = <optimized out>
        logo = <optimized out>
        epgid = <optimized out>
        tags = 0x0
        url2 = "XXXXXXXXX/3476.ts\000\000\000\000\000\000\000\001\177\000w\205\200\377\377\006\000\000\000\000\000\000\000\001\000\000\000\000\000\000\000\061\000\000\000\000\000\000\000\000\201\377\210z\177", '\000' <repeats 14 times>, "[", '\000' <repeats 19 times>, "n\000\000\000w", '\000' <repeats 11 times>, "\377\200\377\210z\177\000\000|\000\000\000\000\000\000\000P\201\377\210z\177\000\000|\000\000\000\000\000\000\000\260^+Tz\177\000\000\000\000\000\000\000\000\000\000"...
        custom = "\000}\000w\205\200\377\377\002\000\000\000\374\212\342\354\000\000\000\000\000\000\000\000\060\000\000\000\000\000\000\000\300\202\377\210z\177", '\000' <repeats 14 times>, "[", '\000' <repeats 19 times>, "n\000\000\000w", '\000' <repeats 11 times>, "\277\202\377\210z\177\000\000|\000\000\000z\177\000\000\300&Z\222z\177\000\000\000\000\000\000z\177\000\000@>\271\231z\177\000\000\071>\271\231z\177\000\000\214\360\v\224z\177\000\000pr\f\224z\177\000\000 \000\000Tz\177\000\000B\000\000\000\000\000\000\000 \000\000Tz\177\000\000p \000\000\000\000\000\000@\020\000Tz\177\000\000p\203\377\210z\177", '\000' <repeats 18 times>...
        name2 = "get.php - -------- UK Sports ---------\000-----\000\000\000\000\001\000\000\000\000\000\000\000.\000\000\000\000\000\000\000`\200\377\210z\177\000\000\"\000\000\000\000\000\000\000p\200\377\210[\000\000\000\036", '\000' <repeats 15 times>, "\030\000\000\000\000\000\000\000\240\000\000\000\000\000\000\000\017\000\000\000\000\000\000" 
        buf = "\001\000\000\000\000\000\000\000U\000\000\000\000\000\000\000\321\177\000w\205\200\377\377K\000\000\000\000\000\000" 
        n = 0x7f7a88ff7fc0 "get.php - -------- UK Sports ---------" 
#3  0x00007f7a94fd292a in iptv_auto_network_process_m3u (chnum=0, remove_args=0x7f7a88ff84c0, host_url=<optimized out>, last_url=0x7f7a542b7561 "get.php", data=<optimized out>, in=0x7f7a9980a4b0) at src/input/mpegts/iptv/iptv_auto.c:316
        count = 0
        m = 0x7f7a54001040
        ret = 0
        total = 775
        items = <optimized out>
        item = <optimized out>
        f = 0x7f7a5401d0b0
#4  iptv_auto_network_process (aux=<optimized out>, last_url=0x7f7a542b7561 "get.php", host_url=<optimized out>, data=<optimized out>, len=<optimized out>) at src/input/mpegts/iptv/iptv_auto.c:363
        ap = <optimized out>
        in = 0x7f7a9980a4b0
        mm = <optimized out>
        mm2 = <optimized out>
        r = -1
        count = <optimized out>
        n = <optimized out>
        i = <optimized out>
        remove_args = {tqh_first = 0x7f7a542b6620, tqh_last = 0x7f7a542b6640}
        argv = {0x7f7a98aa5b40 "ticket", 0x7f7a583762e0 "", 0x7f7a88ff8aa0 "\360b7Xz\177", 0x7f7a583762e0 "", 0x7f7a88ff8630 "itle=\"XXXXXXXXX/8480.mp4", 0x7f7a88ff99c0 "\300\251\177\211z\177", 0x7f7a88ff9700 "", 0x7f7a94edc6b8 <_tvhlog+120> "H\201\304", <incomplete sequence \330>, 0x7f7a88ff8630 "itle=\"XXXXXXXXX/8480.mp4", 0xe1a9480cff7a7700 <error: Cannot access memory at address 0xe1a9480cff7a7700>}
#5  0x00007f7a94f3006a in download_fetch_complete (hc=0x7f7a583762e0) at src/download.c:123
        dn = 0x7f7a9973f548
        last_url = 0x7f7a542b7561 "get.php" 
        u = {scheme = 0x7f7a54000c40 "http", user = 0x0, pass = 0x0, host = 0x7f7a54000c60 "XXXXXXXXX", port = 8711, path = 0x7f7a542b7560 "/get.php", query = 0x7f7a542b7510 "XXXXXXXXX", frag = 0x0, raw = 0x7f7a54001260 "http://XXXXXXXXX&type=m3u_plus&output=mpegts"}
#6  0x00007f7a94f2da66 in http_client_finish (hc=hc@entry=0x7f7a583762e0) at src/httpc.c:704
        wcmd = <optimized out>
        res = <optimized out>
#7  0x00007f7a94f2e0fb in http_client_run0 (hc=hc@entry=0x7f7a583762e0) at src/httpc.c:1116
        buf = 0x7f7a88ff8630 "itle=\"XXXXXXXXX\r\nhttp://XXXXXXXXX/8480.mp4" 
        saveptr = 0x7f7a54009810 "" 
        argv = {0x7f7a540096d0 "HTTP/1.1", 0x7f7a540096d9 "200", 0x7f7a540096dd "OK"}
        d = <optimized out>
        p = <optimized out>
        ver = <optimized out>
        res = <optimized out>
        delimsize = <optimized out>
        r = <optimized out>
        len = <optimized out>
#8  0x00007f7a94f2e9a4 in http_client_run (hc=hc@entry=0x7f7a583762e0) at src/httpc.c:1180
        r = <optimized out>
#9  0x00007f7a94f2eacb in http_client_thread (p=<optimized out>) at src/httpc.c:1442
        n = <optimized out>
        ev = {fd = 0, events = 1, data = {ptr = 0x7f7a583762e0, u64 = 140163442762464, u32 = 1480024800, fd = 1480024800}}
        hc = 0x7f7a583762e0
        c = 0 '\000'
#10 0x00007f7a94ee5792 in thread_wrapper (p=0x7f7a977abf50) at src/wrappers.c:159
        ts = 0x7f7a977abf50
        set = {__val = {16388, 0 <repeats 15 times>}}
        r = <optimized out>
#11 0x00007f7a93638184 in start_thread (arg=0x7f7a88ff9700) at pthread_create.c:312
        __res = <optimized out>
        pd = 0x7f7a88ff9700
        now = <optimized out>
        unwind_buf = {cancel_jmp_buf = {{jmp_buf = {140164261189376, -8086493907563697208, 0, 0, 140164261190080, 140164261189376, 8156600968642702280, 8156624092969315272}, mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x0, 0x0}, data = {prev = 0x0, cleanup = 0x0, canceltype = 0}}}
        not_first_call = <optimized out>
        pagesize_m1 = <optimized out>
        sp = <optimized out>
        freesize = <optimized out>
        __PRETTY_FUNCTION__ = "start_thread" 
#12 0x00007f7a9261a37d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:111
No locals.

It seems to me that tvh tries to get EPG data from an IPTV VOD file.

Removing the whole iptv network solves this issue temporarily.

gdb.txt Magnifier (31.8 KB) C K, 2016-12-13 18:19

crash_screen.log (67.5 KB) C K, 2016-12-16 21:45

4134_first10000.log (917 KB) C K, 2016-12-16 21:45

crash_on_start.log - clang summary (11.9 KB) C K, 2016-12-16 23:52

4134-6_100000lines.log - --trace epg,tbl-eit (10.7 MB) C K, 2016-12-16 23:52

4134-7.short.log (10.7 MB) C K, 2016-12-17 00:29

Associated revisions

Revision 3654c98e
Added by Jaroslav Kysela 3 months ago

iptv auto: fix NULL dereference issue for tags, fixes #4134

History

#1 Updated by Jaroslav Kysela 3 months ago

  • Status changed from New to Fixed
  • % Done changed from 0 to 100

#2 Updated by Jaroslav Kysela 3 months ago

  • Status changed from Fixed to Accepted

Only the clang-reported issue is fixed in v4.1-2371-g3654c98 (two different issues are reported here). Could you reproduce the second issue with clang?

#3 Updated by C K 2 months ago

Really? Looked the same to me :-)
Okay will recompile with clang

#4 Updated by C K 2 months ago

Still an issue, see attached gdb.txt

#5 Updated by Jaroslav Kysela 2 months ago

Does the clang sanitizer not report anything for this? Also, please provide the log for '--trace epg,tbl-eit' (the last 5000 lines prior to the crash).

#6 Updated by C K 2 months ago

Jaroslav Kysela wrote:

The clang sanitizer does not report anything for this ? Also, provide log for '--trace epg,tbl-eit' (last 5000 lines prior the crash).

Sorry perexg my fault, will compile with clang next time

#7 Updated by C K 2 months ago

clang log and last 10'000 lines of trace

#8 Updated by C K 2 months ago

C K wrote:

clang log and last 10'000 lines of trace

I think this does not relate to the issue. Never mind, it would be cool to see this fixed. The full trace log is 16GB.

#9 Updated by C K 2 months ago

Crash:

2016-12-16 23:10:01.798 [   INFO] mpegts: get.php - Boardwalk.Empire.S05E05 in IPTV: KingIPTV - tuning on IPTV
2016-12-16 23:10:01.836 [   INFO] epggrab: get.php - Boardwalk.Empire.S05E05 in IPTV: KingIPTV - registering mux for OTA EPG
2016-12-16 23:10:01.861 [   INFO] subscription: 0129: "scan" subscribing to mux "get.php - Boardwalk.Empire.S05E05", weight: 5, adapter: "IPTV", network: "IPTV: KingIPTV", service: "Raw PID Subscription" 
=================================================================
==1539==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7f57af903d40 at pc 0x7f57bbcf1da6 bp 0x7f57af903c10 sp 0x7f57af903be8
READ of size 39 at 0x7f57af903d40 thread T4 (tvh:save)
    #0 0x7f57bbcf1da5 in __interceptor_strlen (/home/waldmeister/src/tvheadend/build.linux/tvheadend+0x4d1da5)
    #1 0x7f57bc00fb6e in htsmsg_add_str /home/waldmeister/src/tvheadend/src/htsmsg.c:357
    #2 0x7f57bbdb4939 in prop_read_value /home/waldmeister/src/tvheadend/src/prop.c:342
    #3 0x7f57bbdb16b4 in prop_read_values /home/waldmeister/src/tvheadend/src/prop.c:377
    #4 0x7f57bbd806fd in idnode_read0 /home/waldmeister/src/tvheadend/src/idnode.c:1218
    #5 0x7f57bc39e97d in dvr_entry_class_save /home/waldmeister/src/tvheadend/src/dvr/dvr_db.c:2189
    #6 0x7f57bbd7e424 in idnode_savefn /home/waldmeister/src/tvheadend/src/idnode.c:1130
    #7 0x7f57bbd99ad8 in save_thread /home/waldmeister/src/tvheadend/src/idnode.c:1901
    #8 0x7f57bbdd30f2 in thread_wrapper /home/waldmeister/src/tvheadend/src/wrappers.c:159
    #9 0x7f57ba111183 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x8183)
    #10 0x7f57b88b437c (/lib/x86_64-linux-gnu/libc.so.6+0xfa37c)

Address 0x7f57af903d40 is located in stack of thread T4 (tvh:save) at offset 128 in frame
    #0 0x7f57bc00f90f in htsmsg_add_str /home/waldmeister/src/tvheadend/src/htsmsg.c:355

  This frame has 4 object(s):
    [32, 40) ''
    [96, 104) ''
    [160, 168) '' <== Memory access at offset 128 partially underflows this variable
    [224, 232) 'f'
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
      (longjmp and C++ exceptions *are* supported)
Thread T4 (tvh:save) created by T0 here:
    #0 0x7f57bbcefdb2 in pthread_create (/home/waldmeister/src/tvheadend/build.linux/tvheadend+0x4cfdb2)
    #1 0x7f57bbdd2b0b in tvhthread_create /home/waldmeister/src/tvheadend/src/wrappers.c:177
    #2 0x7f57bbd99442 in idnode_init /home/waldmeister/src/tvheadend/src/idnode.c:1950
    #3 0x7f57bbd2b3de in main /home/waldmeister/src/tvheadend/src/main.c:1160
    #4 0x7f57b87dbf44 (/lib/x86_64-linux-gnu/libc.so.6+0x21f44)

SUMMARY: AddressSanitizer: stack-buffer-overflow ??:0 __interceptor_strlen
Shadow bytes around the buggy address:
  0x0feb75f18750: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0feb75f18760: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0feb75f18770: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0feb75f18780: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0feb75f18790: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00 f4 f4 f4
=>0x0feb75f187a0: f2 f2 f2 f2 00 f4 f4 f4[f2]f2 f2 f2 00 f4 f4 f4
  0x0feb75f187b0: f2 f2 f2 f2 00 f4 f4 f4 f3 f3 f3 f3 00 00 00 00
  0x0feb75f187c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0feb75f187d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0feb75f187e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0feb75f187f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:     fa
  Heap right redzone:    fb
  Freed heap region:     fd
  Stack left redzone:    f1
  Stack mid redzone:     f2
  Stack right redzone:   f3
  Stack partial redzone: f4
  Stack after return:    f5
  Stack use after scope: f8
  Global redzone:        f9
  Global init order:     f6
  Poisoned by user:      f7
  ASan internal:         fe
==1539==ABORTING

#10 Updated by C K 2 months ago

Now tvh crashes on start. See attached files with --trace epg,tbl-eit and clang summary.

#11 Updated by C K 2 months ago

Attached a log with --trace all

#12 Updated by Jaroslav Kysela 2 months ago

Please apply the patch below and rerun tvh from the command line. What is the last line with 'name = ' before the crash?

diff --git a/src/prop.c b/src/prop.c
index fb33d12..0fb61d0 100644
--- a/src/prop.c
+++ b/src/prop.c
@@ -338,9 +338,11 @@ prop_read_value
       htsmsg_add_s64(m, name, atomic_get_s64((int64_t *)val));
       break;
     case PT_STR:
-      if ((s = *(const char **)val))
+      if ((s = *(const char **)val)) {
+        printf("name = '%s', s = %p\n", name, s);
         htsmsg_add_str(m, name, (optmask & PO_LOCALE) != 0 && lang ?
                                 tvh_gettext_lang(lang, s) : s);
+      }
       break;
     case PT_DBL:
       htsmsg_add_dbl(m, name, *(double*)val);
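Review bot: The added `printf` in the `PT_STR` case writes to stdout, which is block-buffered whenever the output is redirected or piped, so the last `name = ` line before the crash may still be sitting in the buffer when ASan aborts, and the wrong property would be blamed. ASan writes its report to stderr, so `fprintf(stderr, "name = '%s', s = %p\n", name, (const void *)s);` keeps the trace unbuffered and in order with the sanitizer output. Printing `s` with `%p` rather than `%s` is the right choice here, since the reported fault is inside `strlen` and the string itself must not be dereferenced before the call under test. This is diagnostic-only instrumentation and should be dropped once the faulting property is identified. `prop_read_value` begins and ends outside the hunk.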

#13 Updated by C K 2 months ago

Crash on exit (Ctrl-C in a screen session):

2016-12-18 18:07:45.895 [   INFO] mpegts: get.php - UK: Sky Sports F1 in IPTV: PlanetIPTV..cs (0x6190010d9c80) - deleting
2016-12-18 18:07:45.895 [  ERROR] mpegts: log buffer full
2016-12-18 18:07:53.562 [   INFO] subscription: 03B3: "DVR: American Dad" unsubscribing from "{name-not-set}" 
name = 'channel', s = 0x7fa003c99890
name = 'channelname', s = 0x603003563230
name = 'config_name', s = 0x7fa003c99890
name = 'owner', s = 0x6020009fcff0
name = 'creator', s = 0x6020009fd010
name = 'autorec', s = 0x7fa003c99890
name = 'timerec', s = 0x7fa001e573a0
name = 'parent', s = 0x7fa001e573a0
name = 'child', s = 0x7fa001e573a0
name = 'comment', s = 0x604002cdd310
2016-12-18 18:07:54.292 [   INFO] capmt: rpi2-1 inactive
2016-12-18 18:07:54.325 [   INFO] capmt: rpi2-1: mode 5 IP address 192.168.178.37 port 9000 destroyed
=================================================================
==6510==ERROR: AddressSanitizer: heap-use-after-free on address 0x6160006f3780 at pc 0x7fa00075f1b0 bp 0x7fffc39ae470 sp 0x7fffc39ae468
WRITE of size 8 at 0x6160006f3780 thread T0
==6510==WARNING: Can't read from symbolizer at fd 3
    #0 0x7fa00075f1af in channel_delete /home/waldmeister/src/tvheadend/src/channels.c:1065
    #1 0x7fa00076a8e4 in channel_done /home/waldmeister/src/tvheadend/src/channels.c:1172
    #2 0x7fa00054b055 in main /home/waldmeister/src/tvheadend/src/main.c:1297
    #3 0x7f9ffcff8f44 (/lib/x86_64-linux-gnu/libc.so.6+0x21f44)
    #4 0x7fa000533a3c in _start (/home/waldmeister/src/tvheadend/build.linux/tvheadend+0x4f6a3c)

0x6160006f3780 is located 256 bytes inside of 552-byte region [0x6160006f3680,0x6160006f38a8)
freed by thread T0 here:
    #0 0x7fa00051d7d9 in __interceptor_free (/home/waldmeister/src/tvheadend/build.linux/tvheadend+0x4e07d9)
    #1 0x7fa000766f15 in channel_delete /home/waldmeister/src/tvheadend/src/channels.c:1092
    #2 0x7fa00076a8e4 in channel_done /home/waldmeister/src/tvheadend/src/channels.c:1172
    #3 0x7fa00054b055 in main /home/waldmeister/src/tvheadend/src/main.c:1297
    #4 0x7f9ffcff8f44 (/lib/x86_64-linux-gnu/libc.so.6+0x21f44)

previously allocated by thread T0 here:
    #0 0x7fa00051da29 in calloc (/home/waldmeister/src/tvheadend/build.linux/tvheadend+0x4e0a29)
    #1 0x7fa000767be0 in channel_init /home/waldmeister/src/tvheadend/src/channels.c:1146
    #2 0x7fa000549357 in main /home/waldmeister/src/tvheadend/src/main.c:1202
    #3 0x7f9ffcff8f44 (/lib/x86_64-linux-gnu/libc.so.6+0x21f44)

SUMMARY: AddressSanitizer: heap-use-after-free /home/waldmeister/src/tvheadend/src/channels.c:1065 channel_delete
Shadow bytes around the buggy address:
  0x0c2c800d66a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c2c800d66b0: 00 00 00 00 00 fa fa fa fa fa fa fa fa fa fa fa
  0x0c2c800d66c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2c800d66d0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2c800d66e0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0c2c800d66f0:[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2c800d6700: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2c800d6710: fd fd fd fd fd fa fa fa fa fa fa fa fa fa fa fa
  0x0c2c800d6720: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2c800d6730: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c2c800d6740: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:     fa
  Heap right redzone:    fb
  Freed heap region:     fd
  Stack left redzone:    f1
  Stack mid redzone:     f2
  Stack right redzone:   f3
  Stack partial redzone: f4
  Stack after return:    f5
  Stack use after scope: f8
  Global redzone:        f9
  Global init order:     f6
  Poisoned by user:      f7
  ASan internal:         fe
==6510==ABORTING

#14 Updated by Jaroslav Kysela 2 months ago

I believe that the last one is fixed in v4.1-2390-gdc9238e . Thanks.
