justdan96 / tsMuxer

tsMuxer is a transport stream muxer for remuxing/muxing elementary streams, EVO/VOB/MPG, MKV/MKA, MP4/MOV, TS, M2TS to TS to M2TS. Supported video codecs H.264/AVC, H.265/HEVC, VC-1, MPEG2. Supported audio codecs AAC, AC3 / E-AC3(DD+), DTS/ DTS-HD.
Apache License 2.0

heap buffer overflow is found in movDemuxer.cpp #879

Closed iwashiira closed 3 weeks ago

iwashiira commented 3 weeks ago

We found a heap buffer overflow in movDemuxer.cpp in the current master (cb04552). This vulnerability was discovered during the analysis of a fuzzing crash caused by a different root cause.

PoC is here.

15-a.mov is in vuln-a.zip

The following is the output of ASAN.

$ ./tsMuxeR ./15-a.mov
tsMuxeR version git-cb04552. github.com/justdan96/tsMuxer
AddressSanitizer:DEADLYSIGNAL
=================================================================
==71990==ERROR: AddressSanitizer: SEGV on unknown address 0x619000017860 (pc 0x5556d778220b bp 0x7fffa409c320 sp 0x7fffa409c250 T0)
==71990==The signal is caused by a READ memory access.
    #0 0x5556d778220b in MovDemuxer::mov_read_trun(MovDemuxer::MOVAtom) (/home/vagrant/resear/tsMuxer/tsMuxeR+0x43320b)
    #1 0x5556d77806e1 in MovDemuxer::ParseTableEntry(MovDemuxer::MOVAtom) (/home/vagrant/resear/tsMuxer/tsMuxeR+0x4316e1)
    #2 0x5556d7780dc1 in MovDemuxer::mov_read_default(MovDemuxer::MOVAtom) (/home/vagrant/resear/tsMuxer/tsMuxeR+0x431dc1)
    #3 0x5556d7784b0f in MovDemuxer::mov_read_moov(MovDemuxer::MOVAtom) (/home/vagrant/resear/tsMuxer/tsMuxeR+0x435b0f)
    #4 0x5556d7780500 in MovDemuxer::ParseTableEntry(MovDemuxer::MOVAtom) (/home/vagrant/resear/tsMuxer/tsMuxeR+0x431500)
    #5 0x5556d7780dc1 in MovDemuxer::mov_read_default(MovDemuxer::MOVAtom) (/home/vagrant/resear/tsMuxer/tsMuxeR+0x431dc1)
    #6 0x5556d777d551 in MovDemuxer::readHeaders() (/home/vagrant/resear/tsMuxer/tsMuxeR+0x42e551)
    #7 0x5556d777c6b6 in MovDemuxer::openFile(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) (/home/vagrant/resear/tsMuxer/tsMuxeR+0x42d6b6)
    #8 0x5556d7713889 in METADemuxer::DetectStreamReader(BufferedReaderManager const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, bool) (/home/vagrant/resear/tsMuxer/tsMuxeR+0x3c4889)
    #9 0x5556d76bbb22 in detectStreamReader(char const*, MPLSParser*, bool) (/home/vagrant/resear/tsMuxer/tsMuxeR+0x36cb22)
    #10 0x5556d76c3318 in main (/home/vagrant/resear/tsMuxer/tsMuxeR+0x374318)
    #11 0x7f4d6329dd8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    #12 0x7f4d6329de3f in __libc_start_main_impl ../csu/libc-start.c:392
    #13 0x5556d75cf0f4 in _start (/home/vagrant/resear/tsMuxer/tsMuxeR+0x2800f4)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/home/vagrant/resear/tsMuxer/tsMuxeR+0x43320b) in MovDemuxer::mov_read_trun(MovDemuxer::MOVAtom)
==71990==ABORTING

It is caused by these lines:

https://github.com/justdan96/tsMuxer/blob/cb0455259bb9182fba466a4905b840fed3a72646/tsMuxer/movDemuxer.cpp#L1139-L1141

By calling mov_read_trak multiple times, when num_tracks matches MAX_STREAMS, a BOF occurs and num_tracks itself is overwritten.

https://github.com/justdan96/tsMuxer/blob/cb0455259bb9182fba466a4905b840fed3a72646/tsMuxer/ioContextDemuxer.h#L98-L100

This heap buffer overflow is exploitable.

Ricerca Security, Inc.
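The following is an added example written for this page; it is not tsMuxer's code and not part of the report above. It models the bug class the report describes: a heap-allocated demuxer object holds a fixed-size track table of MAX_STREAMS entries immediately followed by its count, and every 'trak' atom appends an entry without checking the count, so the entry written at index MAX_STREAMS lands on num_tracks. The struct layout, the value of MAX_STREAMS, and the function names (read_trak_unchecked, read_trak_checked, parse_moov) are assumptions made for the demonstration, not MovDemuxer's actual definitions. The hardened reader beside it rejects the file once the table is full.

```c
/* Added example (not tsMuxer code). Assumed layout and names; see lead-in. */
#include <stdio.h>
#include <stdlib.h>
#include <stddef.h>
#include <string.h>
#include <stdint.h>

#define MAX_STREAMS 4   /* small value for the demo; the real constant is larger */

typedef struct {
    uint32_t track_id;
} Track;

/* Assumed layout: the track table is immediately followed by its count,
 * so the slot tracks[MAX_STREAMS] overlaps num_tracks. */
typedef struct {
    Track *tracks[MAX_STREAMS];
    int    num_tracks;
} MovDemuxer;

/* Vulnerable shape: each 'trak' atom appends a track with no bound check.
 * Once num_tracks == MAX_STREAMS the store goes past the array; because the
 * demuxer object lives on the heap, ASan reports this as a heap overflow. */
int read_trak_unchecked(MovDemuxer *d, uint32_t track_id) {
    Track *t = calloc(1, sizeof *t);
    if (!t) return -1;
    t->track_id = track_id;
    d->tracks[d->num_tracks++] = t;   /* out of bounds when num_tracks >= MAX_STREAMS */
    return 0;
}

/* Hardened: refuse the atom when the table is full instead of writing past it. */
int read_trak_checked(MovDemuxer *d, uint32_t track_id) {
    if (d->num_tracks < 0 || d->num_tracks >= MAX_STREAMS)
        return -1;                     /* reject the file rather than overflow */
    Track *t = calloc(1, sizeof *t);
    if (!t) return -1;
    t->track_id = track_id;
    d->tracks[d->num_tracks++] = t;
    return 0;
}

/* Feed n 'trak' atoms (constructed input) through the chosen reader;
 * returns how many were accepted before the reader refused one. */
int parse_moov(MovDemuxer *d, int n, int (*read_trak)(MovDemuxer *, uint32_t)) {
    int accepted = 0;
    for (int i = 0; i < n; i++) {
        if (read_trak(d, (uint32_t)(i + 1)) != 0) break;
        accepted++;
    }
    return accepted;
}

/* Defined-behaviour check: does the slot just past the array coincide with
 * num_tracks in this layout?  This is why the overflow clobbers the count. */
int overflow_hits_num_tracks(void) {
    return offsetof(MovDemuxer, num_tracks) ==
           offsetof(MovDemuxer, tracks) + MAX_STREAMS * sizeof(Track *);
}

void free_tracks(MovDemuxer *d) {
    for (int i = 0; i < d->num_tracks && i < MAX_STREAMS; i++) free(d->tracks[i]);
    d->num_tracks = 0;
}

/* Run the hardened reader over n atoms on a heap demuxer; returns the number
 * accepted, or -1 if the count ever disagrees with what was stored. */
int checked_accepts(int n) {
    MovDemuxer *d = calloc(1, sizeof *d);
    if (!d) return -1;
    int got = parse_moov(d, n, read_trak_checked);
    int ok = (d->num_tracks == got);
    free_tracks(d);
    free(d);
    return ok ? got : -1;
}

int main(int argc, char **argv) {
    MovDemuxer *d = calloc(1, sizeof *d);
    if (!d) return 1;
    printf("tracks[MAX_STREAMS] overlaps num_tracks: %s\n",
           overflow_hits_num_tracks() ? "yes" : "no");
    /* Constructed input: a moov carrying more trak atoms than MAX_STREAMS.
     * Pass --vulnerable (build with -fsanitize=address) to see the overflow. */
    int n = MAX_STREAMS + 2;
    int use_vuln = argc > 1 && strcmp(argv[1], "--vulnerable") == 0;
    int got = parse_moov(d, n, use_vuln ? read_trak_unchecked : read_trak_checked);
    printf("%s reader accepted %d of %d trak atoms, num_tracks=%d\n",
           use_vuln ? "unchecked" : "checked", got, n, d->num_tracks);
    free_tracks(d);
    free(d);
    return 0;
}
```

Build with `cc -fsanitize=address -g demo.c -o demo`; `./demo` shows the checked reader stopping at MAX_STREAMS, and `./demo --vulnerable` reproduces the heap-buffer-overflow write on the fifth atom. The bound check belongs in the 'trak' handler itself, not in callers, since mov_read_default dispatches to it for every matching atom in the file.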