justdan96 / tsMuxer

tsMuxer is a transport stream muxer for remuxing/muxing elementary streams, EVO/VOB/MPG, MKV/MKA, MP4/MOV, TS, M2TS to TS to M2TS. Supported video codecs H.264/AVC, H.265/HEVC, VC-1, MPEG2. Supported audio codecs AAC, AC3 / E-AC3(DD+), DTS/ DTS-HD.
Apache License 2.0

Null Pointer Dereference is found in MatroskaDemuxer::getTrackType() #848

Closed JP3BGY closed 3 months ago

JP3BGY commented 3 months ago

Our fuzzer found a null pointer dereference in MatroskaDemuxer::getTrackType() on the current main (5f43ab2). The PoC is here.

#include "bufferedReaderManager.h"
#include "vod_common.h"
#include "abstractDemuxer.h"
#include "matroskaDemuxer.h"
#include <cstdint>
#include <fs/systemlog.h>
using namespace std;

BufferedReaderManager readManager(2, DEFAULT_FILE_BLOCK_SIZE, DEFAULT_FILE_BLOCK_SIZE + MAX_AV_PACKET_SIZE,
                                  DEFAULT_FILE_BLOCK_SIZE / 2);

int main(int argc, char* argv[]) {
    string fileName = argv[1];  // path to the crashing input (poc.mkv)
    AbstractDemuxer* demuxer = new MatroskaDemuxer(readManager);

    uint32_t fileBlockSize = demuxer->getFileBlockSize();
    demuxer->openFile(fileName);  // parses the Matroska track entries
    map<int32_t, TrackInfo> acceptedPidMap;
    demuxer->getTrackList(acceptedPidMap);  // calls getTrackType() on every counted track; crashes on the null slot

    return 0;
}

The following is the ASAN output. poc.mkv is in num_track_poc.zip.

[!] [ForkServer] Failed to get executor id: Bad file descriptor
        Tips: Is this forkserver attached to client?
        Just executing program...
AddressSanitizer:DEADLYSIGNAL
=================================================================
==117==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000030 (pc 0x560c8155bfe5 bp 0x7ffc9b193830 sp 0x7ffc9b193720 T0)
==117==The signal is caused by a READ memory access.
==117==Hint: address points to the zero page.
    #0 0x560c8155bfe5 in MatroskaDemuxer::getTrackType(Track const*) /src/tsMuxer/tsMuxer/matroskaDemuxer.cpp:2413:24
    #1 0x560c8155bfe5 in MatroskaDemuxer::getTrackList(std::map<int, TrackInfo, std::less<int>, std::allocator<std::pair<int const, TrackInfo>>>&) /src/tsMuxer/tsMuxer/matroskaDemuxer.cpp:2408:71
    #2 0x560c81558e0c in main /src/tsMuxer/tsMuxer/main.cpp:19:11
    #3 0x7fdd02470d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #4 0x7fdd02470e3f in __libc_start_main csu/../csu/libc-start.c:392:3
    #5 0x560c81292434 in _start (/out/tsmuxer-mkv3+0x119434) (BuildId: f9c64f115b16f510)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /src/tsMuxer/tsMuxer/matroskaDemuxer.cpp:2413:24 in MatroskaDemuxer::getTrackType(Track const*)
==117==ABORTING

It is caused because num_track is incremented here, but there is a path that returns from the function without setting track to tracks[num_track-1]. https://github.com/justdan96/tsMuxer/blob/75c9cb3514815d07378007d36cc90c3f209e7b36/tsMuxer/matroskaDemuxer.cpp#L1895

Ricerca Security, Inc.
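The pattern the report describes (a track counter advanced before the slot it indexes is filled, then a consumer that trusts the counter) as an added C++ illustration that is not tsMuxer's code; the type and function names are hypothetical and the element sizes are constructed input.

```cpp
#include <cstdint>
#include <vector>

// Constructed stand-in for a demuxer that keeps a track counter next to an
// array of Track pointers. Hypothetical names, not tsMuxer's own.
struct Track { int codec_type; };

struct ToyDemuxer {
    std::vector<Track*> tracks;
    int num_track = 0;

    // Buggy parser: the counter is bumped before the entry is validated, so a
    // rejected entry returns early and leaves tracks[num_track-1] null.
    int parseTrackEntry_buggy(uint32_t element_size, int codec_type) {
        tracks.push_back(nullptr);
        num_track++;
        if (element_size == 0) return -1;   // early return, slot stays null
        tracks[num_track - 1] = new Track{codec_type};
        return 0;
    }

    // Fixed parser: validate and build the Track first, then publish and count it.
    int parseTrackEntry_fixed(uint32_t element_size, int codec_type) {
        if (element_size == 0) return -1;   // nothing is counted on failure
        tracks.push_back(new Track{codec_type});
        num_track++;
        return 0;
    }

    // Defensive consumer: do not assume every slot below num_track is set.
    // Returns -1 for an out-of-range index or a null slot instead of dereferencing.
    int getTrackType(int idx) const {
        if (idx < 0 || idx >= num_track || tracks[idx] == nullptr) return -1;
        return tracks[idx]->codec_type;
    }

    ~ToyDemuxer() { for (Track* t : tracks) delete t; }
};

// Scenario from the report: one malformed entry among valid ones. Returns how
// many counted slots a non-defensive getTrackType() would have dereferenced as null.
int countNullSlots(bool use_fixed_parser) {
    ToyDemuxer d;
    const uint32_t sizes[] = {12, 0, 9};   // constructed: second entry is malformed
    for (uint32_t s : sizes)
        use_fixed_parser ? d.parseTrackEntry_fixed(s, 1) : d.parseTrackEntry_buggy(s, 1);
    int nulls = 0;
    for (int i = 0; i < d.num_track; ++i) if (d.getTrackType(i) < 0) ++nulls;
    return nulls;
}
```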