tsMuxer is a transport stream muxer for remuxing/muxing elementary streams, EVO/VOB/MPG, MKV/MKA, MP4/MOV, TS, M2TS to TS to M2TS. Supported video codecs H.264/AVC, H.265/HEVC, VC-1, MPEG2. Supported audio codecs AAC, AC3 / E-AC3(DD+), DTS/ DTS-HD.
Apache License 2.0
stack buffer overflow is found in TSDemuxer::simpleDemuxBlock() #861
ASAN says negative size param, but it is actually stack buffer overflow.
While declaring pmtBuffer as 4096 bytes as the destination Buffer in TSDemuxer::simpleDemuxBlock, it does not check if pmtBufferLen + TS_FRAME_SIZE - tsPacket->getHeaderSize() used in memcpy is smaller than 4096, so stack based BOF occurs.
We can confirm that the return address of main is actually destroyed by the stack BOF in this POC as well.
Our fuzzer found a stack buffer overflow in tsDemuxer in the current master (94cafe7). PoC is here.
The following is the ASAN output. vuln21.ts is in poc21.zip.
It is caused by these lines: https://github.com/justdan96/tsMuxer/blob/94cafe7244213870aaab37035c827ef839a15929/tsMuxer/tsDemuxer.cpp#L295-L296
Ricerca Security, Inc.
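The bounds check the report describes as missing, written out as an added example (this is not tsMuxer code and not the project's fix). The names appendPmtPayload, feedPackets, AppendResult and PMT_BUFFER_SIZE are hypothetical, and TS_FRAME_SIZE is assumed to be 188 bytes.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>

// Assumed values: 188-byte TS packets; 4096 is the pmtBuffer size from the report.
constexpr std::size_t TS_FRAME_SIZE = 188;
constexpr std::size_t PMT_BUFFER_SIZE = 4096;

enum class AppendResult { Ok, BadHeader, Overflow };

// Hypothetical helper (not a tsMuxer function): append one packet's payload to the
// PMT buffer. headerSize stands in for tsPacket->getHeaderSize() and is untrusted.
AppendResult appendPmtPayload(std::uint8_t* pmtBuffer, std::size_t& pmtBufferLen,
                              const std::uint8_t* packet, std::size_t headerSize)
{
    // Defensive check: a header larger than the packet would make the
    // subtraction below wrap around to a huge unsigned length.
    if (headerSize > TS_FRAME_SIZE)
        return AppendResult::BadHeader;
    const std::size_t payloadLen = TS_FRAME_SIZE - headerSize;

    // The check the report says is missing, phrased as "remaining space" so
    // the comparison itself cannot overflow.
    if (pmtBufferLen > PMT_BUFFER_SIZE || payloadLen > PMT_BUFFER_SIZE - pmtBufferLen)
        return AppendResult::Overflow;

    std::memcpy(pmtBuffer + pmtBufferLen, packet + headerSize, payloadLen);
    pmtBufferLen += payloadLen;
    return AppendResult::Ok;
}

// Feed `count` constructed packets and return how many were accepted.
std::size_t feedPackets(std::size_t count, std::size_t headerSize)
{
    std::uint8_t pmtBuffer[PMT_BUFFER_SIZE];
    std::uint8_t packet[TS_FRAME_SIZE];
    std::memset(packet, 0xAA, sizeof(packet));  // constructed sample payload
    std::size_t pmtBufferLen = 0, accepted = 0;
    while (accepted < count &&
           appendPmtPayload(pmtBuffer, pmtBufferLen, packet, headerSize) == AppendResult::Ok)
        ++accepted;
    return accepted;
}

int main()
{
    std::printf("accepted %zu of 30 packets\n", feedPackets(30, 4));
}
```

With a 4-byte header each packet contributes 184 bytes, so 22 packets fit in the 4096-byte buffer and the next one is rejected instead of being copied past the end.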