tsMuxer is a transport stream muxer for remuxing/muxing elementary streams, EVO/VOB/MPG, MKV/MKA, MP4/MOV, TS, M2TS to TS to M2TS. Supported video codecs H.264/AVC, H.265/HEVC, VC-1, MPEG2. Supported audio codecs AAC, AC3 / E-AC3(DD+), DTS/ DTS-HD.
Apache License 2.0
829
stars
140
forks
source link
heap buffer overflow is found in MatroskaDemuxer::matroska_add_stream() #844
Following is an output of ASAN. poc.mkv is in delete_poc.zip.
[!] [ForkServer] Failed to get executor id: Bad file descriptor
Tips: Is this forkserver attached to client?
Just executing program...
=================================================================
==78==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6100000090d0 at pc 0x559468c5e325 bp 0x7fffd2bfc7b0 sp 0x7fffd2bfc7a8
READ of size 8 at 0x6100000090d0 thread T0
#0 0x559468c5e324 in Track::~Track() /src/tsMuxer/tsMuxer/ioContextDemuxer.h:57:18
#1 0x559468c5e324 in MatroskaDemuxer::matroska_add_stream() /src/tsMuxer/tsMuxer/matroskaDemuxer.cpp:1903:9
#2 0x559468c4e550 in MatroskaDemuxer::matroska_parse_tracks() /src/tsMuxer/tsMuxer/matroskaDemuxer.cpp:1746:19
#3 0x559468c4748b in MatroskaDemuxer::matroska_read_header() /src/tsMuxer/tsMuxer/matroskaDemuxer.cpp:1228:19
#4 0x559468c35006 in MatroskaDemuxer::openFile(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const&) /src/tsMuxer/tsMuxer/matroskaDemuxer.cpp:1027:5
#5 0x559468c33d1a in main /src/tsMuxer/tsMuxer/main.cpp:17:12
#6 0x7f2078b5ed8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#7 0x7f2078b5ee3f in __libc_start_main csu/../csu/libc-start.c:392:3
#8 0x55946896d484 in _start (/out/tsmuxer-mkv2+0x119484) (BuildId: 8a3bffd4a84d0e3e)
Address 0x6100000090d0 is a wild pointer inside of access range of size 0x000000000008.
SUMMARY: AddressSanitizer: heap-buffer-overflow /src/tsMuxer/tsMuxer/ioContextDemuxer.h:57:18 in Track::~Track()
Shadow bytes around the buggy address:
0x0c207fff91c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c207fff91d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c207fff91e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c207fff91f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c207fff9200: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c207fff9210: fa fa fa fa fa fa fa fa fa fa[fa]fa fa fa fa fa
0x0c207fff9220: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c207fff9230: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c207fff9240: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c207fff9250: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c207fff9260: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==78==ABORTING
Our fuzzer found heap bof in MatroskaDemuxer::matroska_add_stream() in the current main(5f43ab2). PoC is here.
Following is an output of ASAN. poc.mkv is in delete_poc.zip.
This is caused by these lines because
track
is created as a char array but is deleted as a Track array. https://github.com/justdan96/tsMuxer/blob/75c9cb3514815d07378007d36cc90c3f209e7b36/tsMuxer/matroskaDemuxer.cpp#L1893-L1903Ricerca Security, Inc.