Closed JP3BGY closed 1 month ago
Ok, I reopen the issue as the bof needs another solution (see issue #874). EBML lacing is explained here: `laces` and `n` are not really linked. The data buffer is composed of:
So we have to check, when reading each frame size, that this frame size is not > the remaining buffer bytes.
Edit: @JP3BGY actually your POC is a specific case where there is only one frame in the EBML lacing. In which case, no need to deduct the size of the last frame from the remaining bytes.
So we just need to add `if (laces > 1)` before `lace_size[n] = size - total;` to solve the bof...
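As an added example (not tsMuxer's code and not the patch discussed in this issue), here is a standalone C++ parser for the EBML lace header that applies the two checks the comment above describes: every declared frame size is compared against the bytes still unread before it is accepted, and the "last frame = size - total" deduction is only performed when there is more than one lace. The variable-size-integer decoding follows the Matroska EBML lacing layout (lace count byte, first frame size as an unsigned vint, following sizes as signed vint deltas, last frame takes the remainder); the function names and the byte sequences in `main` are constructed for this example.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <initializer_list>
#include <vector>

// EBML variable-size integer: the number of leading zero bits in the first
// byte (plus one) gives the total width in bytes; the marker bit is dropped.
// Returns false when the integer is truncated or the width marker is invalid.
static bool read_ebml_vint(const uint8_t *buf, size_t len, size_t &pos,
                           uint64_t &value, int &width) {
    if (pos >= len) return false;                 // no byte left to read
    uint8_t first = buf[pos];
    if (first == 0) return false;                 // width > 8 is invalid
    width = 1;
    uint8_t mask = 0x80;
    while (!(first & mask)) { mask >>= 1; ++width; }
    if (len - pos < (size_t)width) return false;  // integer runs past buffer
    value = first & (mask - 1);
    for (int i = 1; i < width; ++i) value = (value << 8) | buf[pos + i];
    pos += width;
    return true;
}

// Parse the lace header of an EBML-laced block held in data[0..size).
// On success `sizes` holds one entry per frame and the sum of all entries
// plus the header bytes equals `size`, so every frame lies inside the buffer.
static bool parse_ebml_lace_sizes(const uint8_t *data, size_t size,
                                  std::vector<uint64_t> &sizes) {
    sizes.clear();
    if (size < 1) return false;
    size_t laces = (size_t)data[0] + 1;  // frame count comes from the file
    size_t pos = 1;
    if (laces == 1) {                    // single frame: no deduction needed,
        sizes.push_back(size - pos);     // the frame is everything after the header
        return true;
    }
    uint64_t total = 0;                  // bytes claimed by frames so far
    for (size_t n = 0; n + 1 < laces; ++n) {
        uint64_t raw; int width;
        if (!read_ebml_vint(data, size, pos, raw, width)) return false;
        int64_t frame;
        if (n == 0) {
            frame = (int64_t)raw;        // first size is unsigned
        } else {                         // later sizes are signed deltas
            int64_t bias = ((int64_t)1 << (7 * width - 1)) - 1;
            frame = (int64_t)sizes.back() + ((int64_t)raw - bias);
        }
        if (frame < 0) return false;
        uint64_t remaining = size - pos; // bytes after the descriptors read so far
        if (total > remaining) return false;
        // the check the issue asks for: a frame may not exceed the unread bytes
        if ((uint64_t)frame > remaining - total) return false;
        total += (uint64_t)frame;
        sizes.push_back((uint64_t)frame);
    }
    sizes.push_back(size - pos - total); // last frame takes the remainder
    return true;
}

// Convenience wrapper for demos/tests: empty vector means the header was rejected
// (a valid header always yields at least one frame).
static std::vector<uint64_t> lace_sizes_of(std::initializer_list<uint8_t> bytes) {
    std::vector<uint8_t> buf(bytes);
    std::vector<uint64_t> sizes;
    if (!parse_ebml_lace_sizes(buf.data(), buf.size(), sizes)) sizes.clear();
    return sizes;
}

int main() {
    // Constructed inputs: one well-formed three-lace block and one that
    // declares a 5-byte frame inside a block that only has 2 payload bytes.
    std::vector<uint64_t> ok  = lace_sizes_of({0x02, 0x82, 0xC0, 1, 2, 3, 4, 5, 6, 7});
    std::vector<uint64_t> bad = lace_sizes_of({0x01, 0x85, 'x', 'y'});
    for (uint64_t s : ok) std::printf("frame of %llu bytes\n", (unsigned long long)s);
    std::printf("oversized frame rejected: %s\n", bad.empty() ? "yes" : "no");
    return 0;
}
```

The important property is that `parse_ebml_lace_sizes` either returns sizes whose sum fits the buffer or fails before any size is handed to code that copies frame bytes; a single-lace block never enters the deduction path at all.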
Our fuzzer found a heap bof in MatroskaDemuxer::matroska_parse_block() in the current main (5f43ab2). PoC is here.
The following is the ASAN output. poc.mkv is in lace_size_poc.zip.
It is caused by these lines because `n` and `laces` are from user data. https://github.com/justdan96/tsMuxer/blob/75c9cb3514815d07378007d36cc90c3f209e7b36/tsMuxer/matroskaDemuxer.cpp#L542-L600
Ricerca Security, Inc.