noirotm / flvmeta

FLV Metadata Editor
https://flvmeta.com/
GNU General Public License v2.0

Memory allocation failure in xml_on_metadata_tag_only() at dump_xml.c:271 #19

Closed fengzhengzhan closed 1 year ago

fengzhengzhan commented 1 year ago

Memory allocation failure in xml_on_metadata_tag_only() at dump_xml.c:271

Memory allocation failure in the flvmeta at function xml_on_metadata_tag_only in dump_xml.c:271.

Environment

Ubuntu 18.04, 64 bit FLVMeta 1.2.1

Steps to reproduce

  1. download file
     wget https://github.com/noirotm/flvmeta/archive/refs/tags/v1.2.1.tar.gz
     tar -zxvf v1.2.1.tar.gz
  2. compile libming with ASAN
     cd flvmeta-1.2.1
     export FORCE_UNSAFE_CONFIGURE=1
     export LLVM_COMPILER=clang
     CC=wllvm CXX=wllvm++ CFLAGS="-g -O0 -Wno-error" cmake -DCMAKE_C_COMPILER=wllvm -DCMAKE_CXX_COMPILER=wllvm++ -B obj-bc -G"Unix Makefiles"
     cd obj-bc
     make
     cd src
     extract-bc flvmeta
     clang -fsanitize=address flvmeta.bc -o flvmeta_asan
  3. command for reproducing the error
     ./flvmeta_asan poc

Download poc: 
[flvmeta_memory-allocation-failure_dumpxml271.zip](https://github.com/noirotm/flvmeta/files/11731815/flvmeta_memory-allocation-failure_dumpxml271.zip)

## ASAN report

```
root@a71b82b5d288:~/dataset/flvmeta-1.2.1/obj-bc/src# ./flvmeta_asan flvmeta_memory-allocation-failure_dumpxml271
AddressSanitizer:DEADLYSIGNAL
==30124==ERROR: AddressSanitizer: SEGV on unknown address (pc 0x000000489d7b bp 0x7fff17e62cb0 sp 0x7fff17e62440 T0)
==30124==The signal is caused by a READ memory access.
==30124==Hint: this fault was caused by a dereference of a high value address (see register values below). Disassemble the provided pc to learn which register was used.
    #0 0x489d7b in __interceptor_strcmp.part.298 /root/LLVM/llvm/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:444
    #1 0x4fe908 in xml_on_metadata_tag_only /root/dataset/flvmeta-1.2.1/src/dump_xml.c:271:14
    #2 0x502563 in flv_parse /root/dataset/flvmeta-1.2.1/src/flv.c:506:26
    #3 0x4fd491 in dump_metadata /root/dataset/flvmeta-1.2.1/src/dump.c:160:14
    #4 0x502855 in main /root/dataset/flvmeta-1.2.1/src/flvmeta.c:385:50
    #5 0x7f8aa5304c86 in __libc_start_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310
    #6 0x41b819 in _start (/root/dataset/flvmeta-1.2.1/obj-bc/src/flvmeta_asan+0x41b819)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /root/LLVM/llvm/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:444 in __interceptor_strcmp.part.298
==30124==ABORTING
```
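The stack trace above shows `strcmp()` faulting inside the metadata-tag handler on a high, unmapped address, which is the signature of a string pointer derived from a file that ended earlier than its headers promised. The following is an added example, not flvmeta's own code and not the fix in the commit referenced below: a hypothetical, bounds-checked reader for the first AMF0 string of an FLV script-data tag (assumed layout: 11-byte tag header, then a `0x02` marker and a 2-byte big-endian length). It copies the name into a NUL-terminated buffer only when every byte is actually present, so the later `strcmp()` against `"onMetaData"` can never run off the end of the input, and a truncated file is reported as an end-of-file error instead of a crash. All sample tags are constructed inline.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Result codes of this hypothetical reader (not flvmeta's API). */
enum { FLV_OK = 0, FLV_ERR_EOF = 1, FLV_ERR_TYPE = 2, FLV_ERR_TOOLONG = 3 };

#define FLV_TAG_HEADER_SIZE 11   /* type(1) size(3) ts(3) ts_ext(1) stream(3) */
#define FLV_TAG_SCRIPT_DATA 0x12
#define AMF0_STRING         0x02

/* Read a 24-bit big-endian integer. */
static uint32_t be24(const uint8_t *p) {
    return ((uint32_t)p[0] << 16) | ((uint32_t)p[1] << 8) | (uint32_t)p[2];
}

/* Extract the AMF0 short string that opens a script-data tag (for metadata
 * tags this is normally "onMetaData") into a NUL-terminated buffer.
 * Every read is checked against len before it happens, so a file that ends
 * early returns FLV_ERR_EOF rather than handing a garbage pointer to strcmp(). */
int read_metadata_name(const uint8_t *buf, size_t len, char *name, size_t name_cap) {
    if (len < FLV_TAG_HEADER_SIZE) return FLV_ERR_EOF;
    if (buf[0] != FLV_TAG_SCRIPT_DATA) return FLV_ERR_TYPE;
    uint32_t data_size = be24(buf + 1);
    if (data_size > len - FLV_TAG_HEADER_SIZE) return FLV_ERR_EOF; /* body cut short */
    if (data_size < 3) return FLV_ERR_EOF;                       /* marker + 2-byte length */
    const uint8_t *body = buf + FLV_TAG_HEADER_SIZE;
    if (body[0] != AMF0_STRING) return FLV_ERR_TYPE;
    size_t slen = ((size_t)body[1] << 8) | body[2];
    if (slen > data_size - 3) return FLV_ERR_EOF;      /* declared length overruns body */
    if (slen + 1 > name_cap) return FLV_ERR_TOOLONG;   /* does not fit caller's buffer */
    memcpy(name, body + 3, slen);
    name[slen] = '\0';
    return FLV_OK;
}

/* 1 if the tag is an onMetaData tag, 0 on any other name or on any error. */
int is_on_metadata(const uint8_t *buf, size_t len) {
    char name[64];
    if (read_metadata_name(buf, len, name, sizeof name) != FLV_OK) return 0;
    return strcmp(name, "onMetaData") == 0;  /* safe: name is always NUL-terminated */
}

/* Constructed sample: a complete script-data tag carrying "onMetaData". */
static const uint8_t GOOD_TAG[] = {
    0x12, 0x00, 0x00, 0x0D,                    /* script data, body = 13 bytes */
    0x00, 0x00, 0x00, 0x00,                    /* timestamp + extended timestamp */
    0x00, 0x00, 0x00,                          /* stream id */
    0x02, 0x00, 0x0A,                          /* AMF0 string, length 10 */
    'o', 'n', 'M', 'e', 't', 'a', 'D', 'a', 't', 'a'
};

/* Constructed sample: header-consistent tag whose string length field (10)
 * overruns its 5-byte body. */
static const uint8_t BAD_LEN_TAG[] = {
    0x12, 0x00, 0x00, 0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x02, 0x00, 0x0A, 'o', 'n'
};

int example_good(void) { return is_on_metadata(GOOD_TAG, sizeof GOOD_TAG); }

/* Same bytes as GOOD_TAG, but the file "ends" 6 bytes early, mid-string. */
int example_truncated(void) {
    char name[64];
    return read_metadata_name(GOOD_TAG, sizeof GOOD_TAG - 6, name, sizeof name);
}

int example_bad_length(void) {
    char name[64];
    return read_metadata_name(BAD_LEN_TAG, sizeof BAD_LEN_TAG, name, sizeof name);
}

int main(void) {
    printf("complete tag is onMetaData: %d\n", example_good());
    if (example_truncated() == FLV_ERR_EOF) puts("truncated tag: unexpected end of file");
    if (example_bad_length() == FLV_ERR_EOF) puts("overlong string: unexpected end of file");
    return 0;
}
```

The two failing samples fail at different checks (declared tag size versus available bytes, and declared string length versus tag body), which is the point: each length field in a container format has to be validated against the bytes actually read, not just against the field before it.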

noirotm commented 1 year ago

Hi, thanks for the bug report.

Could you please check this against the HEAD version of flvmeta? A very similar bug has been reported some time ago and has been fixed in commit 7b91e5656e27b16639c8de156878c7624346cbd4.

Regards

fengzhengzhan commented 1 year ago

Thank you very much for your reply. I am using the latest submitted version of the software and the vulnerability has been tested and fixed. The latest version executes as follows:

./flvmeta_asan: unexpected end of file

Thank you very much.