tsMuxer is a transport stream muxer for remuxing/muxing elementary streams, EVO/VOB/MPG, MKV/MKA, MP4/MOV, TS, M2TS to TS to M2TS. Supported video codecs H.264/AVC, H.265/HEVC, VC-1, MPEG2. Supported audio codecs AAC, AC3 / E-AC3(DD+), DTS/ DTS-HD.
Apache License 2.0
829
stars
140
forks
source link
negative-size-param is found in TSDemuxer::getTrackList() #862
Our fuzzer found negative-size-param in tsDemuxer. in the current master(94cafe7). PoC is here.
Following is an output of ASAN. vuln20.ts is in poc20.zip
It is caused by these line. https://github.com/justdan96/tsMuxer/blob/94cafe7244213870aaab37035c827ef839a15929/tsMuxer/tsDemuxer.cpp#L119-L120
There is no comparison between
TS_FRAME_SIZE
andtsPacket→getHeaderSize()
, so memcpy size can be negative.Since the code is similar, it could happen on the following lines. https://github.com/justdan96/tsMuxer/blob/94cafe7244213870aaab37035c827ef839a15929/tsMuxer/tsDemuxer.cpp#L295-L296
Ricerca Security, Inc.