Matroska-Org / foundation-source

libEBML2, libMatroska2, mkvalidator, mkclean and the specifications

mkvalidator libmatroska2/matroskamain.c CheckCompression function null pointer dereference #52

Open giantbranch opened 3 years ago

giantbranch commented 3 years ago

Credit: giantbranch of NSFOCUS Security Team

What's the problem?

The CheckCompression function in libmatroska2/matroskamain.c in mkvalidator v0.5.2 can cause a denial of service (NULL pointer dereference and application crash) via a crafted mkv file.

ASAN reports:

$ ./mkvalidator ./tests_72.mkv
WRN00C: Unknown element in TrackEntry [43][63] at 4353 (size 34 total 37)
WRN00C: Unknown element in TrackEntry [72][6E] at 4410 (size 10 total 13)
WRN00C: Unknown element in ContentEncodings [62][F1] at 4450 (size 11 total 14)
WRN00C: Unknown element in Tracks [D0] at 4475 (size 3 total 5)
WRN00C: Unknown element in Tracks [86] at 4482 (size 10 total 12)
WRN00C: Unknown element in Tracks [22][B5][9C] at 4494 (size 3 total 7)
WRN00C: Unknown element in Tracks [6D][80] at 4501 (size 6 total 9)
ERR202: Unique element 'TrackNumber' in TrackEntry at 4327 found more than once at 4466
ERR202: Unique element 'TrackNumber' in TrackEntry at 4327 found more than once at 4466
ERR200: Missing element 'CodecID' in TrackEntry at 4327
ERR200: Missing element 'ContentEncoding' in ContentEncodings at 4447
WRN080: Unknown element [FF] at 4536 size 101
WRN080: Unknown element [FF] at 5052 size 105
ERR201: Invalid 'EncryptedBlock' for profile 'matroska v2' in Cluster at 5186
ERR201: Invalid 'EncryptedBlock' for profile 'matroska v2' in Cluster at 5186
ERR200: Missing element 'Block' in BlockGroup at 5857
WRN080: Unknown element [FF] at 7426 size 5426
ERR063: The SeekPoint at 57 references a SegmentInfo at wrong position 4151 (real 4170)
ERR065: The SeekPoint at 72 references a TrackInfo at wrong position 4287 (real 4321)
ERR066: The SeekPoint at 87 references an unknown Cues at 23625
.AddressSanitizer:DEADLYSIGNAL
=================================================================
==12700==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000028 (pc 0x0000004d12c3 bp 0x7fff3a3d6ad0 sp 0x7fff3a3d69a0 T0)
==12700==The signal is caused by a READ memory access.
==12700==Hint: address points to the zero page.
    #0 0x4d12c3 in CheckCompression /root/debug-fuzz-reslut/mkvalidator/foundation-source/libmatroska2/matroskamain.c:171:13
    #1 0x4d119d in MATROSKA_LinkBlockWithReadTracks /root/debug-fuzz-reslut/mkvalidator/foundation-source/libmatroska2/matroskamain.c:232:20
    #2 0x4d5608 in MATROSKA_LinkClusterBlocks /root/debug-fuzz-reslut/mkvalidator/foundation-source/libmatroska2/matroskamain.c:852:8
    #3 0x4cb41e in LinkClusterBlocks /root/debug-fuzz-reslut/mkvalidator/foundation-source/mkvalidator/mkvalidator.c:585:3
    #4 0x4cb41e in main /root/debug-fuzz-reslut/mkvalidator/foundation-source/mkvalidator/mkvalidator.c:1352:3
    #5 0x7f3f2cfce83f in __libc_start_main /build/glibc-e6zv40/glibc-2.23/csu/../csu/libc-start.c:291
    #6 0x41bf58 in _start (/root/reproduce/mkvalidator+0x41bf58)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /root/debug-fuzz-reslut/mkvalidator/foundation-source/libmatroska2/matroskamain.c:171:13 in CheckCompression
==12700==ABORTING

location: foundation-source/libmatroska2/matroskamain.c:171

How can we reproduce the issue?

Compile commands I use:

clang corec/tools/coremake/coremake.c -o coremake && ./coremake gcc_linux_x64

make -C mkvalidator -e CC="clang -g -O2 -fsanitize=address -fsanitize-address-use-after-scope" -e CXX="clang++ -g -O2 -fsanitize=address -fsanitize-address-use-after-scope" -e STRIP=""

Reproduce the issue:

unzip tests_xx.zip
mkvalidator ./tests_xx.mkv

poc: tests_72.zip

The details about my environment:
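The ASAN report above is the kind of artifact a maintainer or fuzzing pipeline has to triage in bulk. The following helper is an added example (not part of the foundation-source project and not the reporter's code): it parses a sanitizer SEGV report into a small record, flags a fault address in the zero page as a likely NULL-plus-field-offset dereference (the 0x28 address here is exactly that signature), and picks the innermost project frame so duplicate crashes can be bucketed by function and line. The sample report is an abridged copy of the one in this issue; the `project_marker` argument and the regular expressions are assumptions about the ASAN text format, not project APIs.

```python
"""Triage helper for AddressSanitizer SEGV reports (added example, not
project code). Parses the report text into a dict and derives a
deduplication key from the innermost frame inside the project tree."""
import re

# Constructed sample: an abridged copy of the ASAN report from this issue.
SAMPLE_REPORT = """\
AddressSanitizer:DEADLYSIGNAL
=================================================================
==12700==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000028 (pc 0x0000004d12c3 bp 0x7fff3a3d6ad0 sp 0x7fff3a3d69a0 T0)
==12700==The signal is caused by a READ memory access.
==12700==Hint: address points to the zero page.
    #0 0x4d12c3 in CheckCompression /root/debug-fuzz-reslut/mkvalidator/foundation-source/libmatroska2/matroskamain.c:171:13
    #1 0x4d119d in MATROSKA_LinkBlockWithReadTracks /root/debug-fuzz-reslut/mkvalidator/foundation-source/libmatroska2/matroskamain.c:232:20
    #2 0x4d5608 in MATROSKA_LinkClusterBlocks /root/debug-fuzz-reslut/mkvalidator/foundation-source/libmatroska2/matroskamain.c:852:8
    #3 0x4cb41e in LinkClusterBlocks /root/debug-fuzz-reslut/mkvalidator/foundation-source/mkvalidator/mkvalidator.c:585:3
    #4 0x4cb41e in main /root/debug-fuzz-reslut/mkvalidator/foundation-source/mkvalidator/mkvalidator.c:1352:3
    #5 0x7f3f2cfce83f in __libc_start_main /build/glibc-e6zv40/glibc-2.23/csu/../csu/libc-start.c:291
    #6 0x41bf58 in _start (/root/reproduce/mkvalidator+0x41bf58)
SUMMARY: AddressSanitizer: SEGV /root/debug-fuzz-reslut/mkvalidator/foundation-source/libmatroska2/matroskamain.c:171:13 in CheckCompression
"""

# Assumed ASAN line shapes (these match the report above).
ERROR_RE = re.compile(r"==\d+==ERROR: AddressSanitizer: (\w+) on unknown address 0x([0-9a-fA-F]+)")
ACCESS_RE = re.compile(r"The signal is caused by a (READ|WRITE) memory access")
# "#N 0xADDR in FUNC FILE:LINE[:COL]"; frames without a source location are skipped.
FRAME_RE = re.compile(r"^\s*#(\d+) 0x[0-9a-fA-F]+ in (\S+) (\S+?):(\d+)(?::\d+)?\s*$")

PAGE_SIZE = 0x1000  # the zero page: addresses below the first page boundary


def parse_asan_segv(report, project_marker="foundation-source/"):
    """Return a dict describing the SEGV, or None if the text is not a SEGV report."""
    m = ERROR_RE.search(report)
    if not m or m.group(1) != "SEGV":
        return None
    address = int(m.group(2), 16)
    access = ACCESS_RE.search(report)
    frames = []
    for line in report.splitlines():
        fm = FRAME_RE.match(line)
        if fm:
            frames.append({
                "index": int(fm.group(1)),
                "function": fm.group(2),
                "file": fm.group(3),
                "line": int(fm.group(4)),
            })
    # Innermost frame in the project's own tree, skipping libc/runtime frames.
    project_frame = next((f for f in frames if project_marker in f["file"]), None)
    return {
        "address": address,
        "access": access.group(1) if access else None,
        # A fault address below one page almost always means NULL + a small
        # struct field offset rather than a wild or attacker-controlled pointer.
        "likely_null_deref": address < PAGE_SIZE,
        "null_offset": address if address < PAGE_SIZE else None,
        "crash_frame": project_frame,
        "frames": frames,
    }


def bucket_key(info):
    """Deduplication key for a fuzzing corpus: function@file:line of the project frame."""
    f = info["crash_frame"]
    if f is None:
        return "unknown"
    return f"{f['function']}@{f['file'].rsplit('/', 1)[-1]}:{f['line']}"


if __name__ == "__main__":
    info = parse_asan_segv(SAMPLE_REPORT)
    print(bucket_key(info), hex(info["address"]), info["access"], info["likely_null_deref"])
```

Run it on a directory of saved ASAN logs and group by `bucket_key` to see how many distinct crash sites a fuzzing campaign actually found; the `null_offset` field (0x28 here) is also the first thing to compare against the struct layout at the crashing line when confirming which pointer was NULL.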