OSD thread use after free
When compiled with ASan, switching from one sequence to another:
[s] Random sequence: 8
[i] Using colormap '01'
[i] Using image '00-lebiniou.png'
[s] Sequence id: 1585939599
[s] Name: 1585939599
[s] Image: 00-lebiniou.png
[s] Colormap: 01
[s] | takens
[s] | mirror_bottom
[s] | mirror_right
[s] | infinity
[+] Context_set
#0 0x7f8a64f6bb2e in Sequence_find_plugin src/sequence.c:35
#1 0x7f8a64e51ec0 in g_list_find_custom (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x49ec0)
#2 0x7f8a49ed58f4 in osd_plugins plugins/stable/output/SDL2/osd.c:301
#3 0x7f8a49ed58f4 in osd plugins/stable/output/SDL2/osd.c:391
#4 0x7f8a49ed58f4 in osd_thread plugins/stable/output/SDL2/osd.c:409
#5 0x7f8a64672fa2 in start_thread /build/glibc-vjB4T1/glibc-2.28/nptl/pthread_create.c:486
#6 0x7f8a645a34ce in clone (/lib/x86_64-linux-gnu/libc.so.6+0xf94ce)
0x603000053fe0 is located 0 bytes inside of 24-byte region [0x603000053fe0,0x603000053ff8)
freed by thread T0 here:
#0 0x7f8a65624fb0 in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.5+0xe8fb0)
#1 0x7f8a64f6c81b in Sequence_copy src/sequence.c:218
previously allocated by thread T0 here:
#0 0x7f8a65625518 in calloc (/usr/lib/x86_64-linux-gnu/libasan.so.5+0xe9518)
#1 0x7f8a64f748a8 in xcalloc src/utils.c:75
Thread T4 created by T0 here:
#0 0x7f8a6558cdb0 in __interceptor_pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.5+0x50db0)
#1 0x7f8a49ed3e8b in create plugins/stable/output/SDL2/SDL2.c:265
#2 0x7f8a64f64788 in Plugin_init src/plugin.c:201
SUMMARY: AddressSanitizer: heap-use-after-free src/sequence.c:35 in Sequence_find_plugin
Shadow bytes around the buggy address:
Edited by Olivier Girondel