MediaArea / MediaInfoLib

Convenient unified display of the most relevant technical and tag data for video and audio files.
https://mediaarea.net/MediaInfo
BSD 2-Clause "Simplified" License

heap-buffer-overflow in MediaInfoLib::File_Id3v2::Data_Parse() ../../../Source/MediaInfo/Tag/File_Id3v2.cpp:597 #2105

Open SuyueGuo opened 3 months ago

SuyueGuo commented 3 months ago

Summary

A heap-buffer-overflow vulnerability was found in MediaInfo, it may cause arbitrary code execution.

Version

mediainfo --version
MediaInfo Command line, 
MediaInfoLib - v24.06

Details

ASAN output:

=================================================================
==2239452==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000232 at pc 0x7f64f24e02c3 bp 0x7fff8898ac20 sp 0x7fff8898a3c8
WRITE of size 2882 at 0x602000000232 thread T0
    #0 0x7f64f24e02c2 in __interceptor_memcpy ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:827
    #1 0x55cf77dbe957 in memcpy /usr/include/x86_64-linux-gnu/bits/string_fortified.h:29
    #2 0x55cf77dbe957 in MediaInfoLib::File_Id3v2::Data_Parse() ../../../Source/MediaInfo/Tag/File_Id3v2.cpp:597
    #3 0x55cf780500bc in MediaInfoLib::File__Analyze::Data_Manage() ../../../Source/MediaInfo/File__Analyze.cpp:2810
    #4 0x55cf7805353c in MediaInfoLib::File__Analyze::Buffer_Parse() ../../../Source/MediaInfo/File__Analyze.cpp:1941
    #5 0x55cf78053c87 in MediaInfoLib::File__Analyze::Open_Buffer_Continue_Loop() ../../../Source/MediaInfo/File__Analyze.cpp:1507
    #6 0x55cf78055767 in MediaInfoLib::File__Analyze::Open_Buffer_Continue(unsigned char const*, unsigned long) ../../../Source/MediaInfo/File__Analyze.cpp:1101
    #7 0x55cf7805b367 in MediaInfoLib::File__Analyze::Open_Buffer_Continue(MediaInfoLib::File__Analyze*, unsigned char const*, unsigned long, bool, double) ../../../Source/MediaInfo/File__Analyze.cpp:1448
    #8 0x55cf77d91c7b in MediaInfoLib::File__Tags_Helper::Synched_Test() ../../../Source/MediaInfo/Tag/File__Tags.cpp:367
    #9 0x55cf7777a793 in MediaInfoLib::File__Tags_Helper::FileHeader_Begin() ../../../Source/MediaInfo/Tag/File__Tags.h:73
    #10 0x55cf7777a793 in MediaInfoLib::File_Flv::FileHeader_Begin() ../../../Source/MediaInfo/Multiple/File_Flv.cpp:654
    #11 0x55cf7804ebee in MediaInfoLib::File__Analyze::FileHeader_Manage() ../../../Source/MediaInfo/File__Analyze.cpp:2524
    #12 0x55cf78054047 in MediaInfoLib::File__Analyze::Open_Buffer_Continue_Loop() ../../../Source/MediaInfo/File__Analyze.cpp:1472
    #13 0x55cf78055767 in MediaInfoLib::File__Analyze::Open_Buffer_Continue(unsigned char const*, unsigned long) ../../../Source/MediaInfo/File__Analyze.cpp:1101
    #14 0x55cf76fe1d6e in MediaInfoLib::MediaInfo_Internal::Open_Buffer_Continue(unsigned char const*, unsigned long) ../../../Source/MediaInfo/MediaInfo_Internal.cpp:1721
    #15 0x55cf77d8afde in MediaInfoLib::Reader_File::Format_Test_PerParser_Continue(MediaInfoLib::MediaInfo_Internal*) ../../../Source/MediaInfo/Reader/Reader_File.cpp:766
    #16 0x55cf77d88433 in MediaInfoLib::Reader_File::Format_Test_PerParser(MediaInfoLib::MediaInfo_Internal*, std::__cxx11::basic_string<wchar_t, std::char_traits<wchar_t>, std::allocator<wchar_t> > const&) ../../../Source/MediaInfo/Reader/Reader_File.cpp:313
    #17 0x55cf76f96bf6 in MediaInfoLib::MediaInfo_Internal::ListFormats(std::__cxx11::basic_string<wchar_t, std::char_traits<wchar_t>, std::allocator<wchar_t> > const&) ../../../Source/MediaInfo/MediaInfo_File.cpp:882
    #18 0x55cf77d896d6 in MediaInfoLib::Reader_File::Format_Test(MediaInfoLib::MediaInfo_Internal*, std::__cxx11::basic_string<wchar_t, std::char_traits<wchar_t>, std::allocator<wchar_t> >) ../../../Source/MediaInfo/Reader/Reader_File.cpp:230
    #19 0x55cf7700f15e in MediaInfoLib::MediaInfo_Internal::Entry() ../../../Source/MediaInfo/MediaInfo_Internal.cpp:1416
    #20 0x55cf7700ad7e in MediaInfoLib::MediaInfo_Internal::Open(std::__cxx11::basic_string<wchar_t, std::char_traits<wchar_t>, std::allocator<wchar_t> > const&) ../../../Source/MediaInfo/MediaInfo_Internal.cpp:1172
    #21 0x55cf77030865 in MediaInfoLib::MediaInfoList_Internal::Entry() ../../../Source/MediaInfo/MediaInfoList_Internal.cpp:212
    #22 0x55cf770393a2 in MediaInfoLib::MediaInfoList_Internal::Open(std::__cxx11::basic_string<wchar_t, std::char_traits<wchar_t>, std::allocator<wchar_t> > const&, MediaInfoLib::fileoptions_t) ../../../Source/MediaInfo/MediaInfoList_Internal.cpp:148
    #23 0x55cf76f0a70b in main ../../../Source/CLI/CLI_Main.cpp:155
    #24 0x7f64f1f55d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    #25 0x7f64f1f55e3f in __libc_start_main_impl ../csu/libc-start.c:392
    #26 0x55cf76f0f5b4 in _start (/data/fuzz/fuzz-data/target/elf/debug/mediainfo+0x4305b4)

0x602000000232 is located 0 bytes to the right of 2-byte region [0x602000000230,0x602000000232)
allocated by thread T0 here:
    #0 0x7f64f255c357 in operator new[](unsigned long) ../../../../src/libsanitizer/asan/asan_new_delete.cpp:102
    #1 0x55cf77dbe890 in MediaInfoLib::File_Id3v2::Data_Parse() ../../../Source/MediaInfo/Tag/File_Id3v2.cpp:589

SUMMARY: AddressSanitizer: heap-buffer-overflow ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:827 in __interceptor_memcpy
Shadow bytes around the buggy address:
  0x0c047fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff8000: fa fa 00 fa fa fa 00 fa fa fa 00 fa fa fa 00 fa
  0x0c047fff8010: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
  0x0c047fff8020: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
  0x0c047fff8030: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
=>0x0c047fff8040: fa fa fd fd fa fa[02]fa fa fa fa fa fa fa fa fa
  0x0c047fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8070: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8080: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8090: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==2239452==ABORTING

PoC

heap_overflow_mediainfo.tar.gz

Reproduce:

mediainfo heap_overflow_mediainfo
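The ASan report above pairs a 2-byte heap region allocated at File_Id3v2.cpp:589 with a 2882-byte memcpy into it at line 597, which is the classic shape of a parser sizing a destination from one value and copying from another. The following is an added example, not MediaInfoLib code and not the fix for this issue: a minimal ID3v2.3/2.4 frame reader that validates the declared frame size against the bytes actually available before allocating or copying, with a constructed frame whose header claims 2882 bytes while only 2 follow. Function names, the MakeFrame builder and the sample input are all assumptions made for this example.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <string>
#include <vector>

// Added example, not MediaInfoLib code. It models the bug class the ASan
// report shows (a 2-byte heap region written with a 2882-byte memcpy):
// the copy length must come from the same validated value that sized the
// destination, and a declared size larger than the remaining input must be
// rejected before any allocation or copy happens.

struct Id3v2Frame {
    std::string id;               // four-character frame identifier, e.g. "TIT2"
    std::vector<uint8_t> payload; // frame body, copied only after validation
};

// ID3v2.4 frame sizes are 28-bit "syncsafe" integers (7 bits per byte);
// ID3v2.3 frame sizes are plain 32-bit big-endian integers.
static uint32_t ReadFrameSize(const uint8_t* p, bool syncsafe) {
    if (syncsafe)
        return (uint32_t(p[0] & 0x7F) << 21) | (uint32_t(p[1] & 0x7F) << 14) |
               (uint32_t(p[2] & 0x7F) << 7)  |  uint32_t(p[3] & 0x7F);
    return (uint32_t(p[0]) << 24) | (uint32_t(p[1]) << 16) |
           (uint32_t(p[2]) << 8)  |  uint32_t(p[3]);
}

// Parses one ID3v2.3/2.4 frame starting at buf[0]. Returns false when the
// header is incomplete or the declared size does not fit in `avail` bytes.
bool ParseId3v2Frame(const uint8_t* buf, size_t avail, unsigned version, Id3v2Frame& out) {
    const size_t kHeader = 10; // 4 id + 4 size + 2 flags
    if (avail < kHeader) return false;
    const uint32_t size = ReadFrameSize(buf + 4, version >= 4);
    // The bounds check. Comparing against avail - kHeader (not size + kHeader)
    // cannot overflow, because avail >= kHeader was established above.
    if (size > avail - kHeader) return false;
    out.id.assign(reinterpret_cast<const char*>(buf), 4);
    out.payload.assign(buf + kHeader, buf + kHeader + size); // copy length == validated size
    return true;
}

// Test-input builder (constructed data): writes a frame header with an
// arbitrary declared size, so a header can lie about how much body follows.
std::vector<uint8_t> MakeFrame(const std::string& id, size_t body_len,
                               uint32_t declared, bool syncsafe) {
    std::vector<uint8_t> out(id.begin(), id.end());
    if (syncsafe)
        for (int shift = 21; shift >= 0; shift -= 7) out.push_back(uint8_t((declared >> shift) & 0x7F));
    else
        for (int shift = 24; shift >= 0; shift -= 8) out.push_back(uint8_t((declared >> shift) & 0xFF));
    out.push_back(0); out.push_back(0);            // frame flags
    out.insert(out.end(), body_len, uint8_t('A')); // body bytes actually present
    return out;
}

// Returns the accepted payload length, or -1 when the parser rejects the frame.
int ParsedPayloadLength(size_t body_len, uint32_t declared, unsigned version) {
    std::vector<uint8_t> frame = MakeFrame("TIT2", body_len, declared, version >= 4);
    Id3v2Frame f;
    if (!ParseId3v2Frame(frame.data(), frame.size(), version, f)) return -1;
    return int(f.payload.size());
}

int main() {
    std::printf("honest 2.4 frame: %d\n", ParsedPayloadLength(3, 3, 4));   // 3
    std::printf("honest 2.3 frame: %d\n", ParsedPayloadLength(5, 5, 3));   // 5
    std::printf("lying header (2882 declared, 2 present): %d\n",
                ParsedPayloadLength(2, 2882, 4));                          // -1
    return 0;
}
```

The check is deliberately written as `size > avail - kHeader` rather than `size + kHeader > avail`; with a 32-bit size read straight from the file the latter form can wrap and let an oversized frame through.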

cjee21 commented 3 months ago

Issue in MediaArea/MediaInfoLib?

https://github.com/MediaArea/MediaInfoLib/blob/abdbb218b07f6cc0d4504c863ac5b42ecfab6fc6/Source/MediaInfo/Tag/File_Id3v2.cpp#L597

SuyueGuo commented 3 months ago

Yes, maybe I should open this issue in MediaArea/MediaInfoLib?

cjee21 commented 1 month ago

@JeromeMartinez Visual Studio's Analysis also found some potential memory-related issues and other issues with MediaInfoLib. I'm not sure if there are any false positives and whether they can actually be encountered in normal use or be exploited. Therefore I didn't open a new issue about this but thought I should let you know in case you didn't know. Below are some examples. More can be seen by executing Analyze > Run Code Analysis > Run Code Analysis on MediaInfoLib in Visual Studio.

Memory-related:

Severity    Code    Description Project File    Line    Suppression State   Details
Warning C6001   Using uninitialized memory 'Buffer_Offset_Current'. MediaInfoLib    \MediaInfoLib\Source\MediaInfo\Audio\File_Ac4.cpp   1847        
Warning C6001   Using uninitialized memory 'nonstd_bed_channel_assignment_mask'.    MediaInfoLib    \MediaInfoLib\Source\MediaInfo\Audio\File_DolbyE.cpp    2403        
Warning C6001   Using uninitialized memory 'Bitw_Stream_Metadata'.  MediaInfoLib    \MediaInfoLib\Source\MediaInfo\Audio\File_Dts.cpp   1073        
Warning C6001   Using uninitialized memory 'RefClockCode'.  MediaInfoLib    \MediaInfoLib\Source\MediaInfo\Audio\File_Dts.cpp   1074        
Warning C6001   Using uninitialized memory 'TimeStamp'. MediaInfoLib    \MediaInfoLib\Source\MediaInfo\Audio\File_Dts.cpp   1077        
Warning C6001   Using uninitialized memory 'Num_Frames_Total'.  MediaInfoLib    \MediaInfoLib\Source\MediaInfo\Audio\File_Dts.cpp   1081        
Warning C6001   Using uninitialized memory 'tnsDataPresent'.    MediaInfoLib    \MediaInfoLib\Source\MediaInfo\Audio\File_Usac.cpp  4515        
Warning C6001   Using uninitialized memory 'tnsDataPresent[BYTE:0]'.    MediaInfoLib    \MediaInfoLib\Source\MediaInfo\Audio\File_Usac.cpp  4515        
Warning C6001   Using uninitialized memory 'num_grid_info'. MediaInfoLib    \MediaInfoLib\Source\MediaInfo\Audio\File_Usac.cpp  4772        
Warning C6001   Using uninitialized memory 'numQuantSteps'. MediaInfoLib    \MediaInfoLib\Source\MediaInfo\Audio\File_Usac.cpp  5626        
Warning C6001   Using uninitialized memory 'Compression'.   MediaInfoLib    \MediaInfoLib\Source\MediaInfo\Image\File_Png.cpp   582     
Warning C6001   Using uninitialized memory 'maxscl'.    MediaInfoLib    \MediaInfoLib\Source\MediaInfo\Multiple\File_Mk.cpp 5452        
Warning C6001   Using uninitialized memory 'ProfileLevel'.  MediaInfoLib    \MediaInfoLib\Source\MediaInfo\Multiple\File_Mpeg4_Descriptors.cpp  580     
Warning C6001   Using uninitialized memory 'default_length'.    MediaInfoLib    \MediaInfoLib\Source\MediaInfo\Multiple\File_Mpeg4_Elements.cpp 5142        
Warning C6001   Using uninitialized memory 'SDTI_TimeCode_StartTimecode_StreamPos_Last'.    MediaInfoLib    \MediaInfoLib\Source\MediaInfo\Multiple\File_Mxf.cpp    3579        
Warning C6001   Using uninitialized memory 'SystemScheme1_TimeCodeArray_StartTimecode_StreamPos_Last'.  MediaInfoLib    \MediaInfoLib\Source\MediaInfo\Multiple\File_Mxf.cpp    3587        
Warning C6001   Using uninitialized memory 'End'.   MediaInfoLib    \MediaInfoLib\Source\MediaInfo\Multiple\File_Nsv.cpp    1420        
Warning C6001   Using uninitialized memory 'seq_level_idx'. MediaInfoLib    \MediaInfoLib\Source\MediaInfo\Video\File_Av1.cpp   435     
Warning C6001   Using uninitialized memory 'maxscl'.    MediaInfoLib    \MediaInfoLib\Source\MediaInfo\Video\File_Hevc.cpp  3271        
Warning C6001   Using uninitialized memory 'chrominance_factor'.    MediaInfoLib    \MediaInfoLib\Source\MediaInfo\Video\File_ProRes.cpp    332     
Warning C6001   Using uninitialized memory 'frame_type'.    MediaInfoLib    \MediaInfoLib\Source\MediaInfo\Video\File_ProRes.cpp    333     
Warning C6001   Using uninitialized memory 'primaries'. MediaInfoLib    \MediaInfoLib\Source\MediaInfo\Video\File_ProRes.cpp    336     
Warning C6001   Using uninitialized memory 'transf_func'.   MediaInfoLib    \MediaInfoLib\Source\MediaInfo\Video\File_ProRes.cpp    336     
Warning C6001   Using uninitialized memory 'colorMatrix'.   MediaInfoLib    \MediaInfoLib\Source\MediaInfo\Video\File_ProRes.cpp    336     
Warning C6001   Using uninitialized memory 'alpha_info'.    MediaInfoLib    \MediaInfoLib\Source\MediaInfo\Video\File_ProRes.cpp    345     
Warning C6001   Using uninitialized memory 'bit_depth'. MediaInfoLib    \MediaInfoLib\Source\MediaInfo\Video\File_Vp9.cpp   306     
Warning C6001   Using uninitialized memory 'colorspace'.    MediaInfoLib    \MediaInfoLib\Source\MediaInfo\Video\File_Vp9.cpp   307     
Warning C6001   Using uninitialized memory 'subsampling'.   MediaInfoLib    \MediaInfoLib\Source\MediaInfo\Video\File_Vp9.cpp   311     
Warning C6001   Using uninitialized memory 'yuv_range_flag'.    MediaInfoLib    \MediaInfoLib\Source\MediaInfo\Video\File_Vp9.cpp   312     
Warning C6001   Using uninitialized memory 'width_minus_one'.   MediaInfoLib    \MediaInfoLib\Source\MediaInfo\Video\File_Vp9.cpp   316     
Warning C6001   Using uninitialized memory 'height_minus_one'.  MediaInfoLib    \MediaInfoLib\Source\MediaInfo\Video\File_Vp9.cpp   317     
Severity    Code    Description Project File    Line    Suppression State   Details
Warning C6385   Reading invalid data from 's->bl_count'.    zlibstat    \zlib\trees.c   534     
Warning C6385   Reading invalid data from 's->bl_count'.    zlibstat    \zlib\trees.c   550     
Warning C6385   Reading invalid data from 'MI_Offsets'. MediaInfoLib    \MediaInfoLib\Source\MediaInfo\Archive\File_Iso9660.cpp 100     
Warning C6385   Reading invalid data from 'vDk0'.   MediaInfoLib    \MediaInfoLib\Source\MediaInfo\Audio\File_Aac_GeneralAudio_Sbr.cpp  947     
Warning C6385   Reading invalid data from 'Aac_ChannelMode'.    MediaInfoLib    \MediaInfoLib\Source\MediaInfo\Audio\File_Aac_Main.cpp  501     
Warning C6385   Reading invalid data from 'uniDrcConfigExtType_ConfNames'.  MediaInfoLib    \MediaInfoLib\Source\MediaInfo\Audio\File_Usac.cpp  2905        
Warning C6385   Reading invalid data from 'usacConfigExtType_ConfNames'.    MediaInfoLib    \MediaInfoLib\Source\MediaInfo\Audio\File_Usac.cpp  3380        
Warning C6385   Reading invalid data from 'C.sbrHandler.bs_df_noise[ch]'.   MediaInfoLib    \MediaInfoLib\Source\MediaInfo\Audio\File_Usac.cpp  4700        
Warning C6385   Reading invalid data from 'usacExtElementType_Names'.   MediaInfoLib    \MediaInfoLib\Source\MediaInfo\Audio\File_Usac.cpp  5947        
Warning C6385   Reading invalid data from 'PowersOf10'. MediaInfoLib    \MediaInfoLib\Source\MediaInfo\TimeCode.cpp 511     
Severity    Code    Description Project File    Line    Suppression State   Details
Warning C33010  Unchecked lower bound for enum (this->MediaInfoLib::File__Base::StreamKind_Last) used as index..    MediaInfoLib    \MediaInfoLib\Source\MediaInfo\File__Analyze_Streams.cpp    773     
Warning C33010  Unchecked lower bound for enum (this->MediaInfoLib::File__Analyze::StreamSource) used as index..    MediaInfoLib    \MediaInfoLib\Source\MediaInfo\File__Analyze_Streams.cpp    1005        
Warning C33010  Unchecked lower bound for enum StreamKind used as index..   MediaInfoLib    \MediaInfoLib\Source\MediaInfo\File__Analyze_Streams.cpp    1061        
Warning C33010  Unchecked lower bound for enum StreamKind used as index..   MediaInfoLib    \MediaInfoLib\Source\MediaInfo\File__Analyze_Streams.cpp    1744        
Warning C33010  Unchecked lower bound for enum StreamKind used as index..   MediaInfoLib    \MediaInfoLib\Source\MediaInfo\File__Analyze_Streams.cpp    1893        
Warning C33010  Unchecked lower bound for enum Format used as index..   MediaInfoLib    \MediaInfoLib\Source\MediaInfo\MediaInfo_Config.cpp 2903        
Warning C33010  Unchecked lower bound for enum KindOfStream used as index.. MediaInfoLib    \MediaInfoLib\Source\MediaInfo\MediaInfo_Config.cpp 2903        
Warning C33010  Unchecked lower bound for enum Format used as index..   MediaInfoLib    \MediaInfoLib\Source\MediaInfo\MediaInfo_Config.cpp 2964        
Warning C33010  Unchecked lower bound for enum KindOfStream used as index.. MediaInfoLib    \MediaInfoLib\Source\MediaInfo\MediaInfo_Config.cpp 3042        
Warning C33010  Unchecked lower bound for enum KindOfStream used as index.. MediaInfoLib    \MediaInfoLib\Source\MediaInfo\MediaInfo_Config.cpp 3062        
Warning C33010  Unchecked lower bound for enum KindOfStream used as index.. MediaInfoLib    \MediaInfoLib\Source\MediaInfo\MediaInfo_Config.cpp 3074        
Warning C33010  Unchecked lower bound for enum KindOfStream used as index.. MediaInfoLib    \MediaInfoLib\Source\MediaInfo\MediaInfo_Config.cpp 3086        

Redundant/repeated checks in if statements which I don't know are intentional or a mistake/bug:

Warning C6287   Redundant code. MediaInfoLib    \MediaInfoLib\Source\MediaInfo\Audio\File_Adm.cpp   5468        

https://github.com/MediaArea/MediaInfoLib/blob/dbed0279c05911f50f9ad715d187666e38f8764c/Source/MediaInfo/Audio/File_Adm.cpp#L5468

Warning C6287   Redundant code. MediaInfoLib    \MediaInfoLib\Source\MediaInfo\File__Analyze_Streams_Finish.cpp 934     

https://github.com/MediaArea/MediaInfoLib/blob/dbed0279c05911f50f9ad715d187666e38f8764c/Source/MediaInfo/File__Analyze_Streams_Finish.cpp#L934

Warning C6287   Redundant code. MediaInfoLib    \MediaInfoLib\Source\MediaInfo\Multiple\File_DvDif_Analysis.cpp 787     

https://github.com/MediaArea/MediaInfoLib/blob/dbed0279c05911f50f9ad715d187666e38f8764c/Source/MediaInfo/Multiple/File_DvDif_Analysis.cpp#L787

Cppcheck also found:

Id: arrayIndexOutOfBoundsCond
CWE: 788
Either the condition 'Code>=0x80' is redundant or the array 'Iab_Channel_Values[34]' is accessed at index 104, which is out of bounds.

https://github.com/MediaArea/MediaInfoLib/blob/dbed0279c05911f50f9ad715d187666e38f8764c/Source/MediaInfo/Audio/File_Iab.cpp#L117-L118

If I understand the intention correctly, I think this should be:

if (Code>=0x80 && Code-0x68<sizeof(Iab_Channel_Values)/sizeof(const char*))
    return Iab_Channel_Values[Code-0x68];
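The Cppcheck finding above (arrayIndexOutOfBoundsCond, CWE-788) is about a lookup whose `Code>=0x80` test pins only the lower bound of the index, and the suggested fix adds the upper bound from `sizeof`. As an added example that is not MediaInfoLib code, the block below generalises that check: a template that takes the table by array reference, so the bound is deduced from the table's real length and cannot drift when entries change. `kChannelNames`, `kCodeBase`, `TableLookup` and `ChannelName` are constructed stand-ins for this example; the real Iab_Channel_Values table and its codes are not reproduced.

```cpp
#include <cstddef>
#include <cstdio>
#include <cstring>

// Added example, not MediaInfoLib code. kChannelNames and kCodeBase are
// constructed stand-ins for the Iab_Channel_Values table and the 0x68 offset
// in the Cppcheck finding; the real table contents are not reproduced here.
static const char* const kChannelNames[] = {
    "L", "C", "R", "Ls", "Rs", "LFE", "Lss", "Rss", "Lrs", "Rrs",
};
static const unsigned kCodeBase = 0x80; // the code that maps to kChannelNames[0]

// Generic checked lookup: the array size N is deduced from the reference
// parameter, so the upper bound is always the table's real length. Both
// bounds are tested: `code >= base` alone only guarantees that the
// subtraction does not wrap, which is exactly what Cppcheck complained about.
template <size_t N>
const char* TableLookup(const char* const (&table)[N], unsigned code, unsigned base) {
    if (code < base) return nullptr;   // below the table
    const size_t index = code - base;  // cannot wrap: code >= base here
    if (index >= N) return nullptr;    // above the table (the flagged case)
    return table[index];
}

// The unchecked pattern the warning describes has the shape
//     if (Code >= 0x80) return Table[Code - Offset];
// which pins the lower bound only. The checked version pins both.
const char* ChannelName(unsigned code) {
    return TableLookup(kChannelNames, code, kCodeBase);
}

// Sweeps a range of codes and returns true when every code inside
// [kCodeBase, kCodeBase + N) yields a name and every code outside yields nullptr.
bool LookupIsBounded() {
    const size_t n = sizeof(kChannelNames) / sizeof(kChannelNames[0]);
    for (unsigned code = 0; code < 0x200; ++code) {
        const bool inside = code >= kCodeBase && code < kCodeBase + n;
        if ((ChannelName(code) != nullptr) != inside) return false;
    }
    return true;
}

int main() {
    const unsigned probes[] = { 0x00, 0x7F, 0x80, 0x89, 0x8A, 0xFF };
    for (unsigned code : probes) {
        const char* name = ChannelName(code);
        std::printf("code 0x%02X -> %s\n", code, name ? name : "(out of range)");
    }
    std::printf("bounded: %s\n", LookupIsBounded() ? "yes" : "no");
    return 0;
}
```

Taking the table by `const char* const (&)[N]` rather than by pointer is what makes the bound self-maintaining: a pointer parameter would decay and lose N, and a hand-written constant would silently go stale when the table grows or shrinks.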
cjee21 commented 1 month ago

> Warning C6385 Reading invalid data from 'vDk0'. MediaInfoLib \MediaInfoLib\Source\MediaInfo\Audio\File_Aac_GeneralAudio_Sbr.cpp 947

This one is likely a false positive since there is already a check:
https://github.com/MediaArea/MediaInfoLib/blob/abdbb218b07f6cc0d4504c863ac5b42ecfab6fc6/Source/MediaInfo/Audio/File_Aac_GeneralAudio_Sbr.cpp#L896-L897
So it should not be possible for this to go out of bounds:
https://github.com/MediaArea/MediaInfoLib/blob/abdbb218b07f6cc0d4504c863ac5b42ecfab6fc6/Source/MediaInfo/Audio/File_Aac_GeneralAudio_Sbr.cpp#L947