Closed JP3BGY closed 3 months ago
@JP3BGY Please see issue #874. Could you please confirm that commit 86b2fe2 does not bring back the bof ?
@jcdr428 Yes, the commit bring back same bof. n
must be smaller than laces
. Here is the output of ASAN.
[!] [ForkServer] Failed to get executor id: Bad file descriptor
Tips: Is this forkserver attached to client?
Just executing program...
=================================================================
==66==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020000007d4 at pc 0x55cd39c60af6 bp 0x7ffd353f2fb0 sp 0x7ffd353f2fa8
WRITE of size 4 at 0x6020000007d4 thread T0
#0 0x55cd39c60af5 in MatroskaDemuxer::matroska_parse_block(unsigned char*, int, long, long, long, int, int) /src/tsMuxer/tsMuxer/matroskaDemuxer.cpp:600:26
#1 0x55cd39c3fc80 in MatroskaDemuxer::matroska_parse_cluster() /src/tsMuxer/tsMuxer/matroskaDemuxer.cpp:966:23
#2 0x55cd39c3d26b in MatroskaDemuxer::readPacket(AVPacket&) /src/tsMuxer/tsMuxer/matroskaDemuxer.cpp:1137:28
#3 0x55cd39c3083c in MatroskaDemuxer::simpleDemuxBlock(std::map<int, MemoryBlock, std::less<int>, std::allocator<std::pair<int const, MemoryBlock>>>&, std::set<int, std::less<int>, std::allocator<int>> const&, long&) /src/tsMuxer/tsMuxer/matroskaDemuxer.cpp:2389:29
#4 0x55cd39c2cbe0 in main /src/tsMuxer/tsMuxer/main.cpp:50:18
#5 0x7fef41843d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#6 0x7fef41843e3f in __libc_start_main csu/../csu/libc-start.c:392:3
#7 0x55cd39965c64 in _start (/out/tsmuxer-mkv+0x119c64) (BuildId: e3c6b2d015698efc)
0x6020000007d4 is located 0 bytes to the right of 4-byte region [0x6020000007d0,0x6020000007d4)
allocated by thread T0 here:
#0 0x55cd39a259fd in operator new[](unsigned long) (/out/tsmuxer-mkv+0x1d99fd) (BuildId: e3c6b2d015698efc)
#1 0x55cd39c5e9f5 in MatroskaDemuxer::matroska_parse_block(unsigned char*, int, long, long, long, int, int) /src/tsMuxer/tsMuxer/matroskaDemuxer.cpp:542:49
#2 0x55cd39c3fc80 in MatroskaDemuxer::matroska_parse_cluster() /src/tsMuxer/tsMuxer/matroskaDemuxer.cpp:966:23
#3 0x55cd39c3d26b in MatroskaDemuxer::readPacket(AVPacket&) /src/tsMuxer/tsMuxer/matroskaDemuxer.cpp:1137:28
#4 0x55cd39c3083c in MatroskaDemuxer::simpleDemuxBlock(std::map<int, MemoryBlock, std::less<int>, std::allocator<std::pair<int const, MemoryBlock>>>&, std::set<int, std::less<int>, std::allocator<int>> const&, long&) /src/tsMuxer/tsMuxer/matroskaDemuxer.cpp:2389:29
#5 0x55cd39c2cbe0 in main /src/tsMuxer/tsMuxer/main.cpp:50:18
#6 0x7fef41843d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
SUMMARY: AddressSanitizer: heap-buffer-overflow /src/tsMuxer/tsMuxer/matroskaDemuxer.cpp:600:26 in MatroskaDemuxer::matroska_parse_block(unsigned char*, int, long, long, long, int, int)
Shadow bytes around the buggy address:
0x0c047fff80a0: fa fa fd fa fa fa fd fa fa fa fd fa fa fa 00 07
0x0c047fff80b0: fa fa fd fd fa fa fd fa fa fa 00 04 fa fa fd fa
0x0c047fff80c0: fa fa fd fd fa fa fd fa fa fa 00 04 fa fa fd fa
0x0c047fff80d0: fa fa fd fa fa fa fd fa fa fa 00 07 fa fa fd fa
0x0c047fff80e0: fa fa fd fa fa fa 00 05 fa fa fd fa fa fa fd fa
=>0x0c047fff80f0: fa fa fd fa fa fa 00 05 fa fa[04]fa fa fa fa fa
0x0c047fff8100: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8110: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8120: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8130: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8140: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==66==ABORTING
fixes #846