Live555 Streaming Media Heap Use-After-Free Vulnerability in MPEG Demuxer Allowing Denial-of-Service

A heap use-after-free vulnerability has been identified in Live555 Streaming Media version 2018.09.02, specifically within the MPEG1or2Demux component. This vulnerability allows attackers to cause a denial-of-service condition by sending a crafted MPEG Program Stream. The issue arises when the RTSP server's session management inadvertently deletes a demuxer instance while a pointer to it is still in use, leading to a crash when the freed memory is accessed.

Impact

Exploitation of this vulnerability causes the RTSP server to crash during the setup of MPEG-1/2 Program Stream sessions. Additionally, the use-after-free condition could potentially be exploited for memory corruption, depending on the heap layout and timing.

Reproduction

The vulnerability can be reproduced by building the Live555 Streaming Media library with AddressSanitizer enabled, using the 'testOnDemandRTSPServer' demo program. After starting the server, a crafted MPEG Program Stream file named 'test.mpg' must be placed in the server's working directory. When the RTSP client requests to set up a session with the crafted stream, the server crashes, and the AddressSanitizer log reveals the heap-use-after-free error.