Closed iwashiira closed 3 months ago
Looking at the commit history, `skipLeft` and `size` originally used uint64_t, but this commit changes them from uint64_t to int64_t. https://github.com/justdan96/tsMuxer/commit/37f4eb5fa0f0861704786e6367987a1923477735
Depending on the intent of this change, it may be better to consider a different mitigation.
Our fuzzer found a heap buffer under-read in IOContextDemuxer in the current master (75c9cb3). The PoC is here.
The following is the ASAN output. vuln11.mov is in poc11.zip.
It is caused by this function. https://github.com/justdan96/tsMuxer/blob/5f43ab2a45482ad448524dc61a1ab7204ca8849d/tsMuxer/ioContextDemuxer.cpp#L121-L158 In `IOContextDemuxer::skip_bytes(const int64_t size)`, unlike `get_buffer`, the computation around `copyLen` is performed in int64_t. This allows any negative number to be returned as the result of the min macro, and there is a buffer under-read that can memcpy data from the memory area by subtracting from `m_curPos` as desired based on this value.

Ricerca Security, Inc.
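The signed-arithmetic path the issue describes, as an added example that is not part of the issue, the PoC, or tsMuxer's own code. It is a reduced model of a read buffer with a cursor: `skip_bytes`, `copyLen` and `m_curPos` are names from the issue text, while the buffer layout, the `m_bufEnd` field, the loop step shape and the hardened variant are assumptions made for illustration. The model computes what `memcpy` would be asked to do and where the cursor would land without performing the copy, so it is safe to run.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <vector>

// Constructed model (assumption, not tsMuxer's IOContextDemuxer): a buffer
// with a read cursor expressed as a signed offset, as the issue describes.
struct ModelDemuxer {
    std::vector<uint8_t> buffer;   // backing storage
    int64_t m_curPos = 0;          // read cursor, offset into buffer
    int64_t m_bufEnd = 0;          // one past the last valid byte (assumed name)
};

// Outcome of one skip step: the length memcpy would see after the implicit
// int64_t -> size_t conversion, the cursor after the step, and whether the
// hardened variant refused the call. No bytes are actually copied.
struct SkipStep {
    size_t  memcpyLen;
    int64_t newCurPos;
    bool    rejected;
};

// Signed variant mirroring the issue: copyLen stays int64_t, so a negative
// size passes straight through min (min(negative, positive) is the negative
// value) and then drives both the memcpy length and the cursor update.
SkipStep skipBytesSigned(const ModelDemuxer& d, int64_t size) {
    int64_t copyLen = std::min<int64_t>(size, d.m_bufEnd - d.m_curPos);
    // A real loop would do memcpy(dst, &buffer[m_curPos], copyLen) here and
    // then advance. With copyLen < 0 the length wraps to a huge size_t and
    // the cursor moves backwards, i.e. below the start of valid data.
    return SkipStep{ static_cast<size_t>(copyLen), d.m_curPos + copyLen, false };
}

// Hardened variant (example only, one of several possible mitigations):
// reject a negative size and an inconsistent cursor up front, then do the
// min in an unsigned type so copyLen cannot be below zero for any input.
SkipStep skipBytesChecked(const ModelDemuxer& d, int64_t size) {
    if (size < 0 || d.m_curPos < 0 || d.m_curPos > d.m_bufEnd)
        return SkipStep{ 0, d.m_curPos, true };
    uint64_t avail   = static_cast<uint64_t>(d.m_bufEnd - d.m_curPos);
    uint64_t copyLen = std::min<uint64_t>(static_cast<uint64_t>(size), avail);
    return SkipStep{ static_cast<size_t>(copyLen),
                     d.m_curPos + static_cast<int64_t>(copyLen), false };
}

// Constructed sample state: a 64-byte buffer with the cursor at offset 16,
// so 48 bytes remain to be read.
ModelDemuxer makeDemuxer() {
    ModelDemuxer d;
    d.buffer.assign(64, 0xAB);
    d.m_curPos = 16;
    d.m_bufEnd = 64;
    return d;
}
```

With `size = -100` the signed variant yields `copyLen = -100`, moves the cursor from 16 to -84 and hands memcpy a length of `SIZE_MAX - 99`; the checked variant refuses the call and leaves the cursor untouched, while a legitimate oversized request is clamped to the 48 bytes actually available.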