justdan96 / tsMuxer

tsMuxer is a transport stream muxer for remuxing/muxing elementary streams, EVO/VOB/MPG, MKV/MKA, MP4/MOV, TS, M2TS to TS to M2TS. Supported video codecs H.264/AVC, H.265/HEVC, VC-1, MPEG2. Supported audio codecs AAC, AC3 / E-AC3(DD+), DTS/ DTS-HD.
Apache License 2.0

heap buffer overflow is found in MatroskaDemuxer::matroska_add_stream() #844

Closed JP3BGY closed 3 months ago

JP3BGY commented 3 months ago

Our fuzzer found a heap buffer overflow in MatroskaDemuxer::matroska_add_stream() in the current main (5f43ab2). The PoC is here:

#include "bufferedReaderManager.h"
#include "vod_common.h"
#include "abstractDemuxer.h"
#include "matroskaDemuxer.h"
#include <cstdint>
#include <cstdio>
#include <string>
#include <fs/systemlog.h>

using namespace std;

// Shared reader used by the demuxer; sizes taken from tsMuxer's defaults.
BufferedReaderManager readManager(2, DEFAULT_FILE_BLOCK_SIZE, DEFAULT_FILE_BLOCK_SIZE + MAX_AV_PACKET_SIZE,
                                  DEFAULT_FILE_BLOCK_SIZE / 2);

int main(int argc, char* argv[]) {
  if (argc < 2) {
    fprintf(stderr, "usage: %s <file.mkv>\n", argv[0]);
    return 1;
  }
  string fileName = argv[1];
  AbstractDemuxer* demuxer = new MatroskaDemuxer(readManager);

  // Parsing the Matroska header (track entries) is what reaches
  // matroska_add_stream() and triggers the report below.
  demuxer->openFile(fileName);
  int64_t discardedSize = 0;
  DemuxedData demuxedData;

  PIDSet acceptedPidSet;

  demuxer->simpleDemuxBlock(demuxedData, acceptedPidSet, discardedSize);

  delete demuxer;
  return 0;
}

The following is the ASAN output. poc.mkv is in delete_poc.zip.

[!] [ForkServer] Failed to get executor id: Bad file descriptor
        Tips: Is this forkserver attached to client?
        Just executing program...
=================================================================
==78==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6100000090d0 at pc 0x559468c5e325 bp 0x7fffd2bfc7b0 sp 0x7fffd2bfc7a8
READ of size 8 at 0x6100000090d0 thread T0
    #0 0x559468c5e324 in Track::~Track() /src/tsMuxer/tsMuxer/ioContextDemuxer.h:57:18
    #1 0x559468c5e324 in MatroskaDemuxer::matroska_add_stream() /src/tsMuxer/tsMuxer/matroskaDemuxer.cpp:1903:9
    #2 0x559468c4e550 in MatroskaDemuxer::matroska_parse_tracks() /src/tsMuxer/tsMuxer/matroskaDemuxer.cpp:1746:19
    #3 0x559468c4748b in MatroskaDemuxer::matroska_read_header() /src/tsMuxer/tsMuxer/matroskaDemuxer.cpp:1228:19
    #4 0x559468c35006 in MatroskaDemuxer::openFile(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const&) /src/tsMuxer/tsMuxer/matroskaDemuxer.cpp:1027:5
    #5 0x559468c33d1a in main /src/tsMuxer/tsMuxer/main.cpp:17:12
    #6 0x7f2078b5ed8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #7 0x7f2078b5ee3f in __libc_start_main csu/../csu/libc-start.c:392:3
    #8 0x55946896d484 in _start (/out/tsmuxer-mkv2+0x119484) (BuildId: 8a3bffd4a84d0e3e)

Address 0x6100000090d0 is a wild pointer inside of access range of size 0x000000000008.
SUMMARY: AddressSanitizer: heap-buffer-overflow /src/tsMuxer/tsMuxer/ioContextDemuxer.h:57:18 in Track::~Track()
==78==ABORTING

This is caused by these lines, because track is created as a char array but deleted as a Track array: https://github.com/justdan96/tsMuxer/blob/75c9cb3514815d07378007d36cc90c3f209e7b36/tsMuxer/matroskaDemuxer.cpp#L1893-L1903

Ricerca Security, Inc.
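The allocation/deallocation type mismatch described in the report, as an added example that is not tsMuxer's code: Track here is a hypothetical stand-in with a counting destructor, the reported pattern is kept only as a comment (it is undefined behaviour and is what ASan flags), and the two functions show matched forms that release exactly one destructor per constructed object.

```cpp
#include <cstddef>
#include <cstdint>
#include <memory>
#include <new>
#include <vector>

// Hypothetical stand-in for a per-stream object (not tsMuxer's Track).
struct Track {
    std::vector<uint8_t> codecPrivate;   // owns heap memory, freed by ~Track()
    ~Track() { ++destroyed; }
    static int destroyed;                // counts destructor runs for the checks
};
int Track::destroyed = 0;

// The shape the issue describes: bytes come from new char[], but are released
// as a Track array. delete[] then trusts the array cookie and runs ~Track() on
// memory that never held constructed Track objects. Comment only, never run:
//
//   char*  raw    = new char[sizeof(Track) * n];
//   Track* tracks = reinterpret_cast<Track*>(raw);
//   delete[] tracks;   // type-confused delete[]: ASan heap-buffer-overflow

// Fix 1: let RAII own both the bytes and the object lifetimes.
// Returns how many Track destructors ran (should equal n).
int addStreamsFixed(std::size_t n) {
    Track::destroyed = 0;
    {
        std::vector<std::unique_ptr<Track>> tracks;
        for (std::size_t i = 0; i < n; ++i) {
            auto t = std::make_unique<Track>();
            t->codecPrivate.assign(16, 0xAA);   // constructed sample payload
            tracks.push_back(std::move(t));
        }
    }   // each Track is destroyed exactly once here
    return Track::destroyed;
}

// Fix 2: if a raw byte buffer is really wanted, construct in place, destroy
// explicitly, and release with the delete[] that matches new char[].
int addStreamsRawStorage(std::size_t n) {
    Track::destroyed = 0;
    char* raw = new char[sizeof(Track) * n];
    std::vector<Track*> tracks;
    for (std::size_t i = 0; i < n; ++i)
        tracks.push_back(new (raw + i * sizeof(Track)) Track());
    for (auto it = tracks.rbegin(); it != tracks.rend(); ++it) (*it)->~Track();
    delete[] raw;   // same type as the allocation: char, not Track
    return Track::destroyed;
}
```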