tsMuxer is a transport stream muxer for remuxing/muxing elementary streams, EVO/VOB/MPG, MKV/MKA, MP4/MOV, TS, M2TS to TS to M2TS. Supported video codecs H.264/AVC, H.265/HEVC, VC-1, MPEG2. Supported audio codecs AAC, AC3 / E-AC3(DD+), DTS/ DTS-HD.
Apache License 2.0
heap buffer over-read and overflow is found in extractData (movDemuxer.cpp) #837
Our fuzzer found a heap buffer over-read and heap buffer overflow in MovDemuxer in the current master (75c9cb3). PoC is here.
Following is an output of valgrind. vuln14.mov is in poc14.zip.
It is caused by this place. https://github.com/justdan96/tsMuxer/blob/75c9cb3514815d07378007d36cc90c3f209e7b36/tsMuxer/movDemuxer.cpp#L187-L198
Since the value of `buff + frameSize` is not compared with `srcEnd` before memcpy, heap buffer over-read and heap buffer overflow of `buff + frameSize - srcEnd` bytes occur.

Ricerca Security, Inc.
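
The check the report says is missing, as an added example that is neither tsMuxer's code nor the reporter's: a stand-alone copy loop that validates each frame size against the bytes left before `srcEnd` before calling memcpy. Only `buff`, `frameSize` and `srcEnd` come from the report; the 4-byte length-prefixed layout, the names `copy_frames` and `run_case`, and the destination bound `dstEnd` are assumptions made for illustration.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <vector>

// Hypothetical helper (not tsMuxer code). Copies frames stored as a 4-byte
// big-endian size followed by payload (assumed layout) from [buff, srcEnd)
// into [dst, dstEnd). Returns bytes written, or -1 on a malformed frame.
long copy_frames(const uint8_t* buff, const uint8_t* srcEnd,
                 uint8_t* dst, const uint8_t* dstEnd) {
    const uint8_t* const dstStart = dst;
    while (buff < srcEnd) {
        if (srcEnd - buff < 4) return -1;  // size field itself is truncated
        const uint32_t frameSize = (uint32_t(buff[0]) << 24) | (uint32_t(buff[1]) << 16) |
                                   (uint32_t(buff[2]) << 8) | uint32_t(buff[3]);
        buff += 4;
        // Compare with the bytes remaining rather than forming buff + frameSize,
        // which is already undefined behaviour once it passes srcEnd.
        if (frameSize > static_cast<size_t>(srcEnd - buff)) return -1;  // over-read
        if (frameSize > static_cast<size_t>(dstEnd - dst)) return -1;   // overflow
        std::memcpy(dst, buff, frameSize);
        buff += frameSize;
        dst += frameSize;
    }
    return static_cast<long>(dst - dstStart);
}

// Runs copy_frames over a constructed input with a destination of dstCap bytes.
long run_case(const std::vector<uint8_t>& src, size_t dstCap) {
    std::vector<uint8_t> out(dstCap);
    return copy_frames(src.data(), src.data() + src.size(),
                       out.data(), out.data() + out.size());
}

// Constructed samples: a well-formed frame, and one whose size field (0x100)
// claims more payload than the two bytes that actually follow it.
const std::vector<uint8_t> kValid = {0, 0, 0, 3, 'a', 'b', 'c'};
const std::vector<uint8_t> kOversized = {0, 0, 1, 0, 'a', 'b'};

int main() {
    std::printf("valid: %ld\n", run_case(kValid, 16));          // 3
    std::printf("oversized: %ld\n", run_case(kOversized, 16));  // -1
    std::printf("small dst: %ld\n", run_case(kValid, 2));       // -1
    return 0;
}
```

Rejecting the whole input on the first bad size field keeps a fuzzed file from producing a partially copied, attacker-shaped output buffer.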