justdan96 / tsMuxer

tsMuxer is a transport stream muxer for remuxing/muxing elementary streams, EVO/VOB/MPG, MKV/MKA, MP4/MOV, TS, M2TS to TS to M2TS. Supported video codecs H.264/AVC, H.265/HEVC, VC-1, MPEG2. Supported audio codecs AAC, AC3 / E-AC3(DD+), DTS/ DTS-HD.
Apache License 2.0

fix lace_size bof #847

Closed JP3BGY closed 3 months ago

JP3BGY commented 3 months ago

fixes #846

jcdr428 commented 1 month ago

@JP3BGY Please see issue #874. Could you please confirm that commit 86b2fe2 does not bring back the bof?

JP3BGY commented 1 month ago

@jcdr428 Yes, the commit brings back the same bof. n must be smaller than laces. Here is the output of ASAN.

[!] [ForkServer] Failed to get executor id: Bad file descriptor
        Tips: Is this forkserver attached to client?
        Just executing program...
=================================================================
==66==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020000007d4 at pc 0x55cd39c60af6 bp 0x7ffd353f2fb0 sp 0x7ffd353f2fa8
WRITE of size 4 at 0x6020000007d4 thread T0
    #0 0x55cd39c60af5 in MatroskaDemuxer::matroska_parse_block(unsigned char*, int, long, long, long, int, int) /src/tsMuxer/tsMuxer/matroskaDemuxer.cpp:600:26
    #1 0x55cd39c3fc80 in MatroskaDemuxer::matroska_parse_cluster() /src/tsMuxer/tsMuxer/matroskaDemuxer.cpp:966:23
    #2 0x55cd39c3d26b in MatroskaDemuxer::readPacket(AVPacket&) /src/tsMuxer/tsMuxer/matroskaDemuxer.cpp:1137:28
    #3 0x55cd39c3083c in MatroskaDemuxer::simpleDemuxBlock(std::map<int, MemoryBlock, std::less<int>, std::allocator<std::pair<int const, MemoryBlock>>>&, std::set<int, std::less<int>, std::allocator<int>> const&, long&) /src/tsMuxer/tsMuxer/matroskaDemuxer.cpp:2389:29
    #4 0x55cd39c2cbe0 in main /src/tsMuxer/tsMuxer/main.cpp:50:18
    #5 0x7fef41843d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #6 0x7fef41843e3f in __libc_start_main csu/../csu/libc-start.c:392:3
    #7 0x55cd39965c64 in _start (/out/tsmuxer-mkv+0x119c64) (BuildId: e3c6b2d015698efc)

0x6020000007d4 is located 0 bytes to the right of 4-byte region [0x6020000007d0,0x6020000007d4)
allocated by thread T0 here:
    #0 0x55cd39a259fd in operator new[](unsigned long) (/out/tsmuxer-mkv+0x1d99fd) (BuildId: e3c6b2d015698efc)
    #1 0x55cd39c5e9f5 in MatroskaDemuxer::matroska_parse_block(unsigned char*, int, long, long, long, int, int) /src/tsMuxer/tsMuxer/matroskaDemuxer.cpp:542:49
    #2 0x55cd39c3fc80 in MatroskaDemuxer::matroska_parse_cluster() /src/tsMuxer/tsMuxer/matroskaDemuxer.cpp:966:23
    #3 0x55cd39c3d26b in MatroskaDemuxer::readPacket(AVPacket&) /src/tsMuxer/tsMuxer/matroskaDemuxer.cpp:1137:28
    #4 0x55cd39c3083c in MatroskaDemuxer::simpleDemuxBlock(std::map<int, MemoryBlock, std::less<int>, std::allocator<std::pair<int const, MemoryBlock>>>&, std::set<int, std::less<int>, std::allocator<int>> const&, long&) /src/tsMuxer/tsMuxer/matroskaDemuxer.cpp:2389:29
    #5 0x55cd39c2cbe0 in main /src/tsMuxer/tsMuxer/main.cpp:50:18
    #6 0x7fef41843d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16

SUMMARY: AddressSanitizer: heap-buffer-overflow /src/tsMuxer/tsMuxer/matroskaDemuxer.cpp:600:26 in MatroskaDemuxer::matroska_parse_block(unsigned char*, int, long, long, long, int, int)
Shadow bytes around the buggy address:
  0x0c047fff80a0: fa fa fd fa fa fa fd fa fa fa fd fa fa fa 00 07
  0x0c047fff80b0: fa fa fd fd fa fa fd fa fa fa 00 04 fa fa fd fa
  0x0c047fff80c0: fa fa fd fd fa fa fd fa fa fa 00 04 fa fa fd fa
  0x0c047fff80d0: fa fa fd fa fa fa fd fa fa fa 00 07 fa fa fd fa
  0x0c047fff80e0: fa fa fd fa fa fa 00 05 fa fa fd fa fa fa fd fa
=>0x0c047fff80f0: fa fa fd fa fa fa 00 05 fa fa[04]fa fa fa fa fa
  0x0c047fff8100: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8110: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8120: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8130: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8140: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==66==ABORTING
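The bound the two comments above are arguing about (the lace index n must stay below the number of laces the size array was allocated for), written out as an added example rather than tsMuxer's own code: a Matroska Xiph-lacing parser that sizes its array from the lace count and rejects a block before any index could run past it or past the payload. `Laced`, `parseXiphLacing` and the `k...` sample buffers are hypothetical names, and the sample inputs are constructed.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <optional>
#include <utility>
#include <vector>

// Matroska Xiph lacing: the first byte holds (frame count - 1); every frame
// but the last then has its size coded as a run of 0xFF bytes plus one
// terminating byte, and the last frame takes whatever payload remains.
struct Laced {
    std::vector<uint32_t> sizes;  // one entry per lace (hypothetical name)
    size_t payloadOffset;         // where frame bytes start inside the block
};

// Returns std::nullopt instead of touching memory when the header is malformed.
std::optional<Laced> parseXiphLacing(const uint8_t* data, size_t len) {
    if (len < 1) return std::nullopt;
    const size_t laces = static_cast<size_t>(data[0]) + 1;
    size_t pos = 1;
    std::vector<uint32_t> sizes(laces, 0);  // the array lace_size[n] indexes into
    uint64_t total = 0;
    // Only laces - 1 explicit sizes exist, so n stays strictly below laces and
    // the write sizes[n] can never land one element past the allocation.
    for (size_t n = 0; n + 1 < laces; ++n) {
        uint32_t sz = 0;
        uint8_t b;
        do {
            if (pos >= len) return std::nullopt;  // header truncated mid-size
            b = data[pos++];
            sz += b;
        } while (b == 0xFF);
        sizes[n] = sz;
        total += sz;
    }
    if (total > len - pos) return std::nullopt;  // declared sizes exceed payload
    sizes[laces - 1] = static_cast<uint32_t>(len - pos - total);
    return Laced{std::move(sizes), pos};
}

// Constructed samples: a valid 3-lace block, one whose first size exceeds the
// payload, and one cut off after a 0xFF continuation byte.
const uint8_t kThreeLaces[] = {0x02, 0x03, 0x02, 'a', 'b', 'c', 'd', 'e', 'f'};
const uint8_t kOversized[] = {0x01, 0x05, 'a'};
const uint8_t kTruncated[] = {0x02, 0xFF};

int main() {
    auto r = parseXiphLacing(kThreeLaces, sizeof kThreeLaces);
    for (uint32_t s : r->sizes) std::printf("lace size %u\n", s);  // 3, 2, 1
}
```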