justdan96 / tsMuxer

tsMuxer is a transport stream muxer for remuxing/muxing elementary streams, EVO/VOB/MPG, MKV/MKA, MP4/MOV, TS, M2TS to TS to M2TS. Supported video codecs H.264/AVC, H.265/HEVC, VC-1, MPEG2. Supported audio codecs AAC, AC3 / E-AC3(DD+), DTS/ DTS-HD.
Apache License 2.0

heap-buffer-overflow in ./tsMuxer/bitStream.h:164:41 in BitStreamReader::getCurVal(unsigned int*) const #785

Status: Closed (gandalf4a closed this issue 8 months ago)

gandalf4a commented 9 months ago

Version

$ git show
commit 2539d074cd4da0547b97aedd8bc12252b973907c (HEAD -> master, tag: nightly-2023-10-05-01-55-56, origin/master, origin/HEAD)
Author: jcdr428 <jessiedeer@hotmail.com>
Date:   Wed Oct 4 10:17:02 2023 +0100

Platform

$ uname -a
Linux user-GE40-2PC-Dragon-Eyes 6.2.0-33-generic #33~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Thu Sep  7 10:33:52 UTC 2 x86_64 x86_64 x86_64 GNU/Linux

Asan

tsMuxeR version git-2539d07. github.com/justdan96/tsMuxer
=================================================================
==518458==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000d538 at pc 0x558cd3c038d5 bp 0x7ffc16fe1010 sp 0x7ffc16fe1008
READ of size 1 at 0x60200000d538 thread T0
    #0 0x558cd3c038d4 in BitStreamReader::getCurVal(unsigned int*) const /home/user/fuzzing_tsMuxer/tsMuxer/tsMuxer/bitStream.h:164:41
    #1 0x558cd3c038d4 in BitStreamReader::getBits(unsigned int) /home/user/fuzzing_tsMuxer/tsMuxer/tsMuxer/bitStream.h:75:24
    #2 0x558cd3f98edd in unsigned char BitStreamReader::getBits<unsigned char>(unsigned int) /home/user/fuzzing_tsMuxer/tsMuxer/tsMuxer/bitStream.h:60:31
    #3 0x558cd3f98edd in SEIUnit::mvc_scalable_nesting(SPSUnit const&, unsigned char*, int, int) /home/user/fuzzing_tsMuxer/tsMuxer/tsMuxer/nalUnits.cpp:1746:44
    #4 0x558cd3f959f4 in SEIUnit::sei_payload(SPSUnit const&, int, unsigned char*, int, int) /home/user/fuzzing_tsMuxer/tsMuxer/tsMuxer/nalUnits.cpp:1550:9
    #5 0x558cd3f959f4 in SEIUnit::deserialize(SPSUnit const&, int) /home/user/fuzzing_tsMuxer/tsMuxer/tsMuxer/nalUnits.cpp:1368:13
    #6 0x558cd3ca1d7f in H264StreamReader::checkStream(unsigned char*, int) /home/user/fuzzing_tsMuxer/tsMuxer/tsMuxer/h264StreamReader.cpp:131:25
    #7 0x558cd3e8b535 in METADemuxer::detectTrackReader(unsigned char*, int, AbstractStreamReader::ContainerType, int, int) /home/user/fuzzing_tsMuxer/tsMuxer/tsMuxer/metaDemuxer.cpp:749:22
    #8 0x558cd3e7f766 in METADemuxer::DetectStreamReader(BufferedReaderManager const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, bool) /home/user/fuzzing_tsMuxer/tsMuxer/tsMuxer/metaDemuxer.cpp:685:35
    #9 0x558cd3da4a7a in detectStreamReader(char const*, MPLSParser*, bool) /home/user/fuzzing_tsMuxer/tsMuxer/tsMuxer/main.cpp:114:34
    #10 0x558cd3db8efb in main /home/user/fuzzing_tsMuxer/tsMuxer/tsMuxer/main.cpp:689:17
    #11 0x7f47a3629d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #12 0x7f47a3629e3f in __libc_start_main csu/../csu/libc-start.c:392:3
    #13 0x558cd3b3fd24 in _start (/home/user/fuzzing_tsMuxer/tsMuxer/build/tsMuxer/tsmuxer+0x249d24) (BuildId: 93aa533ae68cbad6d874b6199ee386d19d3a575e)

0x60200000d538 is located 0 bytes to the right of 8-byte region [0x60200000d530,0x60200000d538)
allocated by thread T0 here:
    #0 0x558cd3bfda4d in operator new[](unsigned long) (/home/user/fuzzing_tsMuxer/tsMuxer/build/tsMuxer/tsmuxer+0x307a4d) (BuildId: 93aa533ae68cbad6d874b6199ee386d19d3a575e)
    #1 0x558cd3f631bc in NALUnit::decodeBuffer(unsigned char const*, unsigned char const*) /home/user/fuzzing_tsMuxer/tsMuxer/tsMuxer/nalUnits.cpp:270:19

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/user/fuzzing_tsMuxer/tsMuxer/tsMuxer/bitStream.h:164:41 in BitStreamReader::getCurVal(unsigned int*) const
==518458==ABORTING

Reproduce

./tsmuxer poc

POC File

https://github.com/gandalf4a/crash_report/blob/main/tsMuxer/poc_hbo_164

Credit

Gandalf4a

jcdr428 commented 9 months ago

@gandalf4a Not reproducible on Windows. Same under Linux Bullseye; all I have is:

./tsMuxeR poc_hbo_164
tsMuxeR version git-a5cc8ba. github.com/justdan96/tsMuxer
Bad SEI detected. SEI too short
Bad SEI detected. SEI too short
Bad SEI detected. SEI too short
Bad SEI detected. SEI too short
Can't detect stream type

gandalf4a commented 8 months ago

Build (to reproduce)

$ cd tsMuxer
$ mkdir build && cd build
$ cmake ../ -DCMAKE_C_COMPILER=clang  -DCMAKE_CXX_COMPILER=clang++ -DCMAKE_C_FLAGS="-fsanitize=address" -DCMAKE_CXX_FLAGS="-fsanitize=address"
$ make

Give me a second to see if Windows can reproduce.

jcdr428 commented 8 months ago

Ok, got it. Thanks @gandalf4a