justdan96 / tsMuxer

tsMuxer is a transport stream muxer for remuxing/muxing elementary streams, EVO/VOB/MPG, MKV/MKA, MP4/MOV, TS, M2TS to TS to M2TS. Supported video codecs H.264/AVC, H.265/HEVC, VC-1, MPEG2. Supported audio codecs AAC, AC3 / E-AC3(DD+), DTS/ DTS-HD.
Apache License 2.0

Alloc-dealloc-mismatch on tsMuxer #778

Open Frank-Z7 opened 12 months ago

Frank-Z7 commented 12 months ago

Description

We found an alloc-dealloc-mismatch (operator new [] vs operator delete) error when using tsMuxer/tsmuxer.

ASAN Log

```
=================================================================
==4087327==ERROR: AddressSanitizer: alloc-dealloc-mismatch (operator new [] vs operator delete) on 0x610000000040
    #0 0x5d946d in operator delete(void*) (/afltest/tsMuxer/tsMuxer/tsmuxer+0x5d946d)
    #1 0x6e88a3 in MatroskaDemuxer::readClose() /afltest/tsMuxer/tsMuxer/matroskaDemuxer.cpp:1041:42
    #2 0x6fca23 in MatroskaDemuxer::~MatroskaDemuxer() /afltest/tsMuxer/tsMuxer/matroskaDemuxer.h:11:35
    #3 0x6fcc97 in MatroskaDemuxer::~MatroskaDemuxer() /afltest/tsMuxer/tsMuxer/matroskaDemuxer.h:11:33
    #4 0x73ed9e in METADemuxer::DetectStreamReader(BufferedReaderManager const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, bool) /afltest/tsMuxer/tsMuxer/metaDemuxer.cpp:669:9
    #5 0x6bb225 in detectStreamReader(char const*, MPLSParser*, bool) /afltest/tsMuxer/tsMuxer/main.cpp:114:34
    #6 0x6c76ef in main /afltest/tsMuxer/tsMuxer/main.cpp:689:17
    #7 0x7ffff798b082 in __libc_start_main /build/glibc-BHL3KM/glibc-2.31/csu/../csu/libc-start.c:308:16
    #8 0x530d5d in _start (/afltest/tsMuxer/tsMuxer/tsmuxer+0x530d5d)

0x610000000040 is located 0 bytes inside of 184-byte region [0x610000000040,0x6100000000f8)
allocated by thread T0 here:
    #0 0x5d8d1d in operator new[](unsigned long) (/afltest/tsMuxer/tsMuxer/tsmuxer+0x5d8d1d)
    #1 0x6f3be7 in MatroskaDemuxer::matroska_add_stream() /afltest/tsMuxer/tsMuxer/matroskaDemuxer.cpp:1893:53
    #2 0x6ee754 in MatroskaDemuxer::matroska_parse_tracks() /afltest/tsMuxer/tsMuxer/matroskaDemuxer.cpp:1746:19
    #3 0x6e9989 in MatroskaDemuxer::matroska_read_header() /afltest/tsMuxer/tsMuxer/matroskaDemuxer.cpp:1228:19
    #4 0x6e7b5a in MatroskaDemuxer::openFile(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /afltest/tsMuxer/tsMuxer/matroskaDemuxer.cpp:1027:5
    #5 0x73c0d9 in METADemuxer::DetectStreamReader(BufferedReaderManager const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, bool) /afltest/tsMuxer/tsMuxer/metaDemuxer.cpp:608:18
    #6 0x6bb225 in detectStreamReader(char const*, MPLSParser*, bool) /afltest/tsMuxer/tsMuxer/main.cpp:114:34
    #7 0x6c76ef in main /afltest/tsMuxer/tsMuxer/main.cpp:689:17
    #8 0x7ffff798b082 in __libc_start_main /build/glibc-BHL3KM/glibc-2.31/csu/../csu/libc-start.c:308:16

SUMMARY: AddressSanitizer: alloc-dealloc-mismatch (/afltest/tsMuxer/tsMuxer/tsmuxer+0x5d946d) in operator delete(void*)
==4087327==HINT: if you don't care about these errors you may set ASAN_OPTIONS=alloc_dealloc_mismatch=0
==4087327==ABORTING
```

Location

0x610000000040 is located 0 bytes inside of 184-byte region [0x610000000040,0x6100000000f8) allocated by thread T0 here:

```
    #0 0x5d8d1d in operator new[](unsigned long) (/afltest/tsMuxer/tsMuxer/tsmuxer+0x5d8d1d)
    #1 0x6f3be7 in MatroskaDemuxer::matroska_add_stream() /afltest/tsMuxer/tsMuxer/matroskaDemuxer.cpp:1893:53
    #2 0x6ee754 in MatroskaDemuxer::matroska_parse_tracks() /afltest/tsMuxer/tsMuxer/matroskaDemuxer.cpp:1746:19
    #3 0x6e9989 in MatroskaDemuxer::matroska_read_header() /afltest/tsMuxer/tsMuxer/matroskaDemuxer.cpp:1228:19
    #4 0x6e7b5a in MatroskaDemuxer::openFile(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /afltest/tsMuxer/tsMuxer/matroskaDemuxer.cpp:1027:5
    #5 0x73c0d9 in METADemuxer::DetectStreamReader(BufferedReaderManager const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, bool) /afltest/tsMuxer/tsMuxer/metaDemuxer.cpp:608:18
    #6 0x6bb225 in detectStreamReader(char const*, MPLSParser*, bool) /afltest/tsMuxer/tsMuxer/main.cpp:114:34
    #7 0x6c76ef in main /afltest/tsMuxer/tsMuxer/main.cpp:689:17
    #8 0x7ffff798b082 in __libc_start_main /build/glibc-BHL3KM/glibc-2.31/csu/../csu/libc-start.c:308:16
```


Destructor of class MatroskaDemuxer: [screenshot]

Version

```
./tsmuxer --version
tsMuxeR version git-2539d07. github.com/justdan96/tsMuxer
```

tsMuxeR version git-2539d07 is the latest version.

Reference

https://github.com/justdan96/tsMuxer

Actual Behavior

Alloc-dealloc-mismatch

PoC

PocTsmuxer.mkv: https://github.com/Frank-Z7/z-vulnerabilitys/blob/main/PocTsmuxer.mkv

Reproduction

```
cd tsMuxer
./tsMuxer/tsmuxer PocTsmuxer.mkv
```

Environment

ubuntu:20.04
gcc version 9.4.0 (Ubuntu 9.4.0-1ubuntu1~20.04.2)
clang version 10.0.0-4ubuntu1
afl-cc++4.09

Credit

Zeng Yunxiang ([Huazhong University of Science and Technology](http://cse.hust.edu.cn/)) Song Jiaxuan

jcdr428 commented 11 months ago

@Frank-Z7 I can't understand the reason for this "mismatch". tracks is a MatroskaTrack[64]:

[screenshot]

Edit: ok, so the char[] was cast to a MatroskaTrack object in line 1893. I believe the mismatch is solved simply by casting the MatroskaTrack back to the original char[] then we can delete[].

Commit pushed, can you please check tomorrow's release?
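As an added illustration of the pattern discussed above (not tsMuxer's code): raw storage comes from `new char[]`, is used as an object, and must therefore go back to `delete[]` through the original `char*`, with the destructor run by hand. `Track` is a hypothetical stand-in for MatroskaTrack, and the placement-new construction is an assumption, not something the thread states about line 1893.

```cpp
#include <new>
#include <string>
#include <utility>

// Hypothetical stand-in for MatroskaTrack; not the project's type.
struct Track {
    static int live;            // number of currently constructed Track objects
    std::string codecId;
    int number;
    Track(std::string id, int n) : codecId(std::move(id)), number(n) { ++live; }
    ~Track() { --live; }
};
int Track::live = 0;

// Allocate raw storage with operator new[] (the allocation site ASan reported)
// and construct a Track inside it. The caller must release it with
// releaseTrack(), never with a plain delete.
Track* allocTrack(const std::string& id, int n) {
    char* raw = new char[sizeof(Track)];   // allocated by operator new[]
    return new (raw) Track(id, n);         // placement-new: same address, no second allocation
}

// Correct release for storage from allocTrack(): run the destructor explicitly,
// then hand the ORIGINAL char[] back to operator delete[]. This is the fix the
// thread describes (cast back to char* before delete[]).
void releaseTrack(Track* t) {
    if (!t) return;
    t->~Track();
    delete[] reinterpret_cast<char*>(t);
}

// The mismatched form the sanitizer flagged: storage from new[] freed with
// plain delete. Left as a comment only; under ASan it aborts the process.
//   void releaseTrackWrong(Track* t) { delete t; }

// Round trip used by the test: allocate up to 64 tracks (the thread's
// MatroskaTrack[64]) and release them; true if every Track was destroyed again.
bool roundTrip(int count) {
    Track* tracks[64] = {};
    int n = count < 64 ? count : 64;
    for (int i = 0; i < n; ++i) tracks[i] = allocTrack("V_MPEG4/ISO/AVC", i + 1);
    bool allLive = (Track::live == n);
    for (int i = 0; i < n; ++i) releaseTrack(tracks[i]);
    return allLive && Track::live == 0;
}
```

Building with `-fsanitize=address` and swapping in the commented-out release function reproduces the same "alloc-dealloc-mismatch (operator new [] vs operator delete)" report shown in the issue.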