tsMuxer is a transport stream muxer for remuxing/muxing elementary streams, EVO/VOB/MPG, MKV/MKA, MP4/MOV, TS, M2TS to TS to M2TS. Supported video codecs H.264/AVC, H.265/HEVC, VC-1, MPEG2. Supported audio codecs AAC, AC3 / E-AC3(DD+), DTS/ DTS-HD.
Apache License 2.0
heap buffer under-read is found in movDemuxer.cpp #881
We found heap buffer under-read in movDemuxer.cpp in the current master (cb04552). This vulnerability was discovered during the analysis of a fuzzing crash caused by a different root cause.

PoC is here.
15-b.mov is in vuln-b.zip

Following is an output of ASAN.

$ ./tsMuxeR ./15-b.mov
tsMuxeR version git-cb04552. github.com/justdan96/tsMuxer
AddressSanitizer:DEADLYSIGNAL
=================================================================
==72343==ERROR: AddressSanitizer: SEGV on unknown address 0x618ffff966b8 (pc 0x5591c81ed20b bp 0x7ffdd7756d70 sp 0x7ffdd7756ca0 T0)
==72343==The signal is caused by a READ memory access.
    #0 0x5591c81ed20b in MovDemuxer::mov_read_trun(MovDemuxer::MOVAtom) (/home/vagrant/resear/tsMuxer/tsMuxeR+0x43320b)
    #1 0x5591c81eb6e1 in MovDemuxer::ParseTableEntry(MovDemuxer::MOVAtom) (/home/vagrant/resear/tsMuxer/tsMuxeR+0x4316e1)
    #2 0x5591c81ebdc1 in MovDemuxer::mov_read_default(MovDemuxer::MOVAtom) (/home/vagrant/resear/tsMuxer/tsMuxeR+0x431dc1)
    #3 0x5591c81efb0f in MovDemuxer::mov_read_moov(MovDemuxer::MOVAtom) (/home/vagrant/resear/tsMuxer/tsMuxeR+0x435b0f)
    #4 0x5591c81eb500 in MovDemuxer::ParseTableEntry(MovDemuxer::MOVAtom) (/home/vagrant/resear/tsMuxer/tsMuxeR+0x431500)
    #5 0x5591c81ebdc1 in MovDemuxer::mov_read_default(MovDemuxer::MOVAtom) (/home/vagrant/resear/tsMuxer/tsMuxeR+0x431dc1)
    #6 0x5591c81e8551 in MovDemuxer::readHeaders() (/home/vagrant/resear/tsMuxer/tsMuxeR+0x42e551)
    #7 0x5591c81e76b6 in MovDemuxer::openFile(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) (/home/vagrant/resear/tsMuxer/tsMuxeR+0x42d6b6)
    #8 0x5591c817e889 in METADemuxer::DetectStreamReader(BufferedReaderManager const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, bool) (/home/vagrant/resear/tsMuxer/tsMuxeR+0x3c4889)
    #9 0x5591c8126b22 in detectStreamReader(char const*, MPLSParser*, bool) (/home/vagrant/resear/tsMuxer/tsMuxeR+0x36cb22)
    #10 0x5591c812e318 in main (/home/vagrant/resear/tsMuxer/tsMuxeR+0x374318)
    #11 0x7f6423270d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    #12 0x7f6423270e3f in __libc_start_main_impl ../csu/libc-start.c:392
    #13 0x5591c803a0f4 in _start (/home/vagrant/resear/tsMuxer/tsMuxeR+0x2800f4)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/home/vagrant/resear/tsMuxer/tsMuxeR+0x43320b) in MovDemuxer::mov_read_trun(MovDemuxer::MOVAtom)
==72343==ABORTING

It is caused by this line
https://github.com/justdan96/tsMuxer/blob/cb0455259bb9182fba466a4905b840fed3a72646/tsMuxer/movDemuxer.cpp#L1075
There is no check for negative track_id values, so it is possible to read in the negative direction of the tracks array
https://github.com/justdan96/tsMuxer/blob/cb0455259bb9182fba466a4905b840fed3a72646/tsMuxer/movDemuxer.cpp#L1156
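The bug class described in this report, a file-controlled 32-bit track ID stored in a signed int and used as an array index without a range check, is easy to reproduce and to fix in isolation. The following is an added illustration written for this page; it is not tsMuxer's code and does not reproduce its types or its mov_read_trun logic. It models the lookup generically: a constructed tfhd-style payload (FullBox version/flags followed by track_ID, as in ISO BMFF), an unchecked index computation that shows how 0xFFFFFFFF turns into a negative slot, and two hardened variants: an explicit range check that keeps the value unsigned, and a lookup by declared track ID, which also copes with non-contiguous IDs. The struct and function names are hypothetical.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

// Hypothetical stand-in for a demuxer's per-track state (not tsMuxer's own type).
struct Track {
    uint32_t id;       // track ID as declared by the file
    uint32_t samples;  // some payload so a lookup has something to return
};

// Constructed sample payloads (not taken from the reported 15-b.mov):
// 4 bytes version/flags, then a big-endian 32-bit track_ID.
static const uint8_t kHostilePayload[8] = {0, 0, 0, 0, 0xFF, 0xFF, 0xFF, 0xFF};  // track_ID = 0xFFFFFFFF
static const uint8_t kBenignPayload[8]  = {0, 0, 0, 0, 0x00, 0x00, 0x00, 0x02};  // track_ID = 2

// Constructed track table: two tracks with IDs 1 and 2.
const std::vector<Track>& sampleTracks() {
    static const std::vector<Track> tracks = {{1, 10}, {2, 20}};
    return tracks;
}

// Read a big-endian 32-bit field the way ISO BMFF atoms store it.
static uint32_t readBe32(const uint8_t* p) {
    return (uint32_t(p[0]) << 24) | (uint32_t(p[1]) << 16) | (uint32_t(p[2]) << 8) | uint32_t(p[3]);
}

// Unsafe pattern: the field lands in a signed int and is turned into a slot index
// with no check. A value >= 0x80000000 becomes negative, so the slot lies before the
// start of the array (the under-read reported above). Only the index is returned;
// nothing is dereferenced here.
int64_t uncheckedTrackIndex(const uint8_t* payload) {
    int track_id = static_cast<int>(readBe32(payload + 4));  // skip version/flags
    return static_cast<int64_t>(track_id) - 1;               // 1-based ID -> 0-based slot
}

struct LookupResult {
    bool ok;       // false: malformed atom, caller must stop parsing this fragment
    size_t index;  // valid only when ok is true
};

// Hardened variant 1: keep the value unsigned and require 1 <= id <= tracks.size()
// before it is ever used as an index. Also checks that the payload is long enough
// to contain the field at all.
LookupResult checkedTrackIndex(const uint8_t* payload, size_t payloadLen,
                               const std::vector<Track>& tracks) {
    if (payloadLen < 8) return {false, 0};  // version(1) + flags(3) + track_ID(4)
    uint32_t track_id = readBe32(payload + 4);
    if (track_id == 0 || track_id > tracks.size()) return {false, 0};
    return {true, static_cast<size_t>(track_id - 1)};
}

// Hardened variant 2: do not derive an index from the ID at all; match the declared
// ID against the table. This is robust even when track IDs are not dense or ordered.
const Track* findTrackById(const std::vector<Track>& tracks, uint32_t id) {
    for (const Track& t : tracks) {
        if (t.id == id) return &t;
    }
    return nullptr;
}

int main() {
    std::printf("unchecked slot for hostile payload: %lld\n",
                static_cast<long long>(uncheckedTrackIndex(kHostilePayload)));
    LookupResult r = checkedTrackIndex(kHostilePayload, sizeof kHostilePayload, sampleTracks());
    std::printf("checked lookup for hostile payload: %s\n", r.ok ? "accepted" : "rejected");
    r = checkedTrackIndex(kBenignPayload, sizeof kBenignPayload, sampleTracks());
    std::printf("checked lookup for benign payload: slot %zu\n", r.index);
    return 0;
}
```

With the hostile payload the unchecked path yields slot -2, which is exactly the kind of index that produces a read before the start of the array; the checked path rejects it before any memory is touched, and a truncated payload is rejected as well. Rejecting the fragment (rather than clamping the ID) is the right response, since a malformed ID means the rest of the fragment cannot be trusted either.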
Ricerca Security, Inc.