Closed: ibc closed this issue 6 months ago
==4508==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200011d032 at pc 0x556081bfb8f1 bp 0x7ffda03b4dd0 sp 0x7ffda03b4dc8
READ of size 1 at 0x60200011d032 thread T0
#0 0x556081bfb8f0 in RTC::Codecs::H264_SVC::ParseSingleNalu(unsigned char const*, unsigned long, std::unique_ptr<RTC::Codecs::H264_SVC::PayloadDescriptor, std::default_delete<RTC::Codecs::H264_SVC::PayloadDescriptor> >, bool) /mediasoup/worker/out/Release/build/../../../src/RTC/Codecs/H264_SVC.cpp:188:21
#1 0x556081bfad76 in RTC::Codecs::H264_SVC::Parse(unsigned char const*, unsigned long, RTC::RtpPacket::FrameMarking*, unsigned char) /mediasoup/worker/out/Release/build/../../../src/RTC/Codecs/H264_SVC.cpp:139:28
#2 0x556081e21aea in Fuzzer::RTC::Codecs::H264_SVC::Fuzz(unsigned char const*, unsigned long) /mediasoup/worker/out/Release/build/../../../fuzzer/src/RTC/Codecs/FuzzerH264_SVC.cpp:6:59
#3 0x556081e16703 in LLVMFuzzerTestOneInput /mediasoup/worker/out/Release/build/../../../fuzzer/src/fuzzer.cpp:77:3
#4 0x556081523853 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/mediasoup/worker/out/Release/mediasoup-worker-fuzzer+0x41d853) (BuildId: 4cae543027aecf32f4ee891ba5bcf20c9a4c061b)
#5 0x556081522fa9 in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool, bool*) (/mediasoup/worker/out/Release/mediasoup-worker-fuzzer+0x41cfa9) (BuildId: 4cae543027aecf32f4ee891ba5bcf20c9a4c061b)
#6 0x556081524799 in fuzzer::Fuzzer::MutateAndTestOne() (/mediasoup/worker/out/Release/mediasoup-worker-fuzzer+0x41e799) (BuildId: 4cae543027aecf32f4ee891ba5bcf20c9a4c061b)
#7 0x556081525315 in fuzzer::Fuzzer::Loop(std::vector<fuzzer::SizedFile, std::allocator<fuzzer::SizedFile> >&) (/mediasoup/worker/out/Release/mediasoup-worker-fuzzer+0x41f315) (BuildId: 4cae543027aecf32f4ee891ba5bcf20c9a4c061b)
#8 0x556081513452 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (/mediasoup/worker/out/Release/mediasoup-worker-fuzzer+0x40d452) (BuildId: 4cae543027aecf32f4ee891ba5bcf20c9a4c061b)
#9 0x55608153d142 in main (/mediasoup/worker/out/Release/mediasoup-worker-fuzzer+0x437142) (BuildId: 4cae543027aecf32f4ee891ba5bcf20c9a4c061b)
#10 0x7fa4d8587d8f (/lib/x86_64-linux-gnu/libc.so.6+0x29d8f) (BuildId: c289da5071a3399de893d2af81d6a30c62646e1e)
#11 0x7fa4d8587e3f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x29e3f) (BuildId: c289da5071a3399de893d2af81d6a30c62646e1e)
#12 0x556081507e94 in _start (/mediasoup/worker/out/Release/mediasoup-worker-fuzzer+0x401e94) (BuildId: 4cae543027aecf32f4ee891ba5bcf20c9a4c061b)
0x60200011d032 is located 0 bytes to the right of 2-byte region [0x60200011d030,0x60200011d032)
allocated by thread T0 here:
#0 0x5560815fad8d in operator new[](unsigned long) (/mediasoup/worker/out/Release/mediasoup-worker-fuzzer+0x4f4d8d) (BuildId: 4cae543027aecf32f4ee891ba5bcf20c9a4c061b)
#1 0x556081523762 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/mediasoup/worker/out/Release/mediasoup-worker-fuzzer+0x41d762) (BuildId: 4cae543027aecf32f4ee891ba5bcf20c9a4c061b)
#2 0x556081522fa9 in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool, bool*) (/mediasoup/worker/out/Release/mediasoup-worker-fuzzer+0x41cfa9) (BuildId: 4cae543027aecf32f4ee891ba5bcf20c9a4c061b)
#3 0x556081524799 in fuzzer::Fuzzer::MutateAndTestOne() (/mediasoup/worker/out/Release/mediasoup-worker-fuzzer+0x41e799) (BuildId: 4cae543027aecf32f4ee891ba5bcf20c9a4c061b)
#4 0x556081525315 in fuzzer::Fuzzer::Loop(std::vector<fuzzer::SizedFile, std::allocator<fuzzer::SizedFile> >&) (/mediasoup/worker/out/Release/mediasoup-worker-fuzzer+0x41f315) (BuildId: 4cae543027aecf32f4ee891ba5bcf20c9a4c061b)
#5 0x556081513452 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (/mediasoup/worker/out/Release/mediasoup-worker-fuzzer+0x40d452) (BuildId: 4cae543027aecf32f4ee891ba5bcf20c9a4c061b)
#6 0x55608153d142 in main (/mediasoup/worker/out/Release/mediasoup-worker-fuzzer+0x437142) (BuildId: 4cae543027aecf32f4ee891ba5bcf20c9a4c061b)
#7 0x7fa4d8587d8f (/lib/x86_64-linux-gnu/libc.so.6+0x29d8f) (BuildId: c289da5071a3399de893d2af81d6a30c62646e1e)
SUMMARY: AddressSanitizer: heap-buffer-overflow /mediasoup/worker/out/Release/build/../../../src/RTC/Codecs/H264_SVC.cpp:188:21 in RTC::Codecs::H264_SVC::ParseSingleNalu(unsigned char const*, unsigned long, std::unique_ptr<RTC::Codecs::H264_SVC::PayloadDescriptor, std::default_delete<RTC::Codecs::H264_SVC::PayloadDescriptor> >, bool)
Shadow bytes around the buggy address:
0x0c048001b9b0: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
0x0c048001b9c0: fa fa fd fa fa fa fd fd fa fa fd fd fa fa fd fd
0x0c048001b9d0: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
0x0c048001b9e0: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fa
0x0c048001b9f0: fa fa fd fd fa fa fd fd fa fa fd fa fa fa fd fd
=>0x0c048001ba00: fa fa fd fd fa fa[02]fa fa fa fd fd fa fa fd fd
0x0c048001ba10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c048001ba20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c048001ba30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c048001ba40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c048001ba50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==4508==ABORTING
MS: 3 ShuffleBytes-CrossOver-EraseBytes-; base unit: c714e0c774f48ed63f54465f6bc9a85871e364f1
0x9d,0xce,
\235\316
artifact_prefix='fuzzer/reports/'; Test unit written to fuzzer/reports/crash-9f66ca4ef3883597fad0dc412148f03a5ac794b6
Base64: nc4=
=================================================================
==4375==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020001df514 at pc 0x562d2ee778f1 bp 0x7ffc28ec9d50 sp 0x7ffc28ec9d48
READ of size 1 at 0x6020001df514 thread T0
#0 0x562d2ee778f0 in RTC::Codecs::H264_SVC::ParseSingleNalu(unsigned char const*, unsigned long, std::unique_ptr<RTC::Codecs::H264_SVC::PayloadDescriptor, std::default_delete<RTC::Codecs::H264_SVC::PayloadDescriptor> >, bool) /mediasoup/worker/out/Release/build/../../../src/RTC/Codecs/H264_SVC.cpp:184:21
#1 0x562d2ee7698a in RTC::Codecs::H264_SVC::Parse(unsigned char const*, unsigned long, RTC::RtpPacket::FrameMarking*, unsigned char) /mediasoup/worker/out/Release/build/../../../src/RTC/Codecs/H264_SVC.cpp:101:28
#2 0x562d2f09daea in Fuzzer::RTC::Codecs::H264_SVC::Fuzz(unsigned char const*, unsigned long) /mediasoup/worker/out/Release/build/../../../fuzzer/src/RTC/Codecs/FuzzerH264_SVC.cpp:6:59
#3 0x562d2f092703 in LLVMFuzzerTestOneInput /mediasoup/worker/out/Release/build/../../../fuzzer/src/fuzzer.cpp:77:3
#4 0x562d2e79f853 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/mediasoup/worker/out/Release/mediasoup-worker-fuzzer+0x41d853) (BuildId: ca98c8f61b6c78e9907933dd60c74364ecae4e8d)
#5 0x562d2e79efa9 in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool, bool*) (/mediasoup/worker/out/Release/mediasoup-worker-fuzzer+0x41cfa9) (BuildId: ca98c8f61b6c78e9907933dd60c74364ecae4e8d)
#6 0x562d2e7a0799 in fuzzer::Fuzzer::MutateAndTestOne() (/mediasoup/worker/out/Release/mediasoup-worker-fuzzer+0x41e799) (BuildId: ca98c8f61b6c78e9907933dd60c74364ecae4e8d)
#7 0x562d2e7a1315 in fuzzer::Fuzzer::Loop(std::vector<fuzzer::SizedFile, std::allocator<fuzzer::SizedFile> >&) (/mediasoup/worker/out/Release/mediasoup-worker-fuzzer+0x41f315) (BuildId: ca98c8f61b6c78e9907933dd60c74364ecae4e8d)
#8 0x562d2e78f452 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (/mediasoup/worker/out/Release/mediasoup-worker-fuzzer+0x40d452) (BuildId: ca98c8f61b6c78e9907933dd60c74364ecae4e8d)
#9 0x562d2e7b9142 in main (/mediasoup/worker/out/Release/mediasoup-worker-fuzzer+0x437142) (BuildId: ca98c8f61b6c78e9907933dd60c74364ecae4e8d)
#10 0x7f7e98295d8f (/lib/x86_64-linux-gnu/libc.so.6+0x29d8f) (BuildId: c289da5071a3399de893d2af81d6a30c62646e1e)
#11 0x7f7e98295e3f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x29e3f) (BuildId: c289da5071a3399de893d2af81d6a30c62646e1e)
#12 0x562d2e783e94 in _start (/mediasoup/worker/out/Release/mediasoup-worker-fuzzer+0x401e94) (BuildId: ca98c8f61b6c78e9907933dd60c74364ecae4e8d)
0x6020001df514 is located 0 bytes to the right of 4-byte region [0x6020001df510,0x6020001df514)
allocated by thread T0 here:
#0 0x562d2e876d8d in operator new[](unsigned long) (/mediasoup/worker/out/Release/mediasoup-worker-fuzzer+0x4f4d8d) (BuildId: ca98c8f61b6c78e9907933dd60c74364ecae4e8d)
#1 0x562d2e79f762 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/mediasoup/worker/out/Release/mediasoup-worker-fuzzer+0x41d762) (BuildId: ca98c8f61b6c78e9907933dd60c74364ecae4e8d)
#2 0x562d2e79efa9 in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool, bool*) (/mediasoup/worker/out/Release/mediasoup-worker-fuzzer+0x41cfa9) (BuildId: ca98c8f61b6c78e9907933dd60c74364ecae4e8d)
#3 0x562d2e7a0799 in fuzzer::Fuzzer::MutateAndTestOne() (/mediasoup/worker/out/Release/mediasoup-worker-fuzzer+0x41e799) (BuildId: ca98c8f61b6c78e9907933dd60c74364ecae4e8d)
#4 0x562d2e7a1315 in fuzzer::Fuzzer::Loop(std::vector<fuzzer::SizedFile, std::allocator<fuzzer::SizedFile> >&) (/mediasoup/worker/out/Release/mediasoup-worker-fuzzer+0x41f315) (BuildId: ca98c8f61b6c78e9907933dd60c74364ecae4e8d)
#5 0x562d2e78f452 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (/mediasoup/worker/out/Release/mediasoup-worker-fuzzer+0x40d452) (BuildId: ca98c8f61b6c78e9907933dd60c74364ecae4e8d)
#6 0x562d2e7b9142 in main (/mediasoup/worker/out/Release/mediasoup-worker-fuzzer+0x437142) (BuildId: ca98c8f61b6c78e9907933dd60c74364ecae4e8d)
#7 0x7f7e98295d8f (/lib/x86_64-linux-gnu/libc.so.6+0x29d8f) (BuildId: c289da5071a3399de893d2af81d6a30c62646e1e)
SUMMARY: AddressSanitizer: heap-buffer-overflow /mediasoup/worker/out/Release/build/../../../src/RTC/Codecs/H264_SVC.cpp:184:21 in RTC::Codecs::H264_SVC::ParseSingleNalu(unsigned char const*, unsigned long, std::unique_ptr<RTC::Codecs::H264_SVC::PayloadDescriptor, std::default_delete<RTC::Codecs::H264_SVC::PayloadDescriptor> >, bool)
Shadow bytes around the buggy address:
0x0c0480033e50: fa fa fd fd fa fa fd fa fa fa fd fd fa fa fd fd
0x0c0480033e60: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
0x0c0480033e70: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
0x0c0480033e80: fa fa fd fd fa fa fd fd fa fa fd fa fa fa fd fd
0x0c0480033e90: fa fa fd fd fa fa fd fa fa fa fd fd fa fa fd fd
=>0x0c0480033ea0: fa fa[04]fa fa fa fd fd fa fa fd fd fa fa fa fa
0x0c0480033eb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0480033ec0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0480033ed0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0480033ee0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0480033ef0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==4375==ABORTING
MS: 3 CopyPart-CMP-ChangeASCIIInt- DE: "\004\000"-; base unit: e62d7f1eb43d87c202d2f164ba61297e71be80f4
0x38,0x4,0x0,0x34,
8\004\0004
artifact_prefix='fuzzer/reports/'; Test unit written to fuzzer/reports/crash-9cc885b84ba02d766f422c6512ead3808ded0189
Base64: OAQANA==
The only problem is in H264_SVC::ParseSingleNalu(), which most probably doesn't check the buffer length before reading some bytes.
I also see something suspicious: there is no `break` in `case 5`. On purpose?
@prtmD could you please check this? Is that missing break on purpose or is it a bug?
Here is a lib that could help, but... hehe https://github.com/chemag/h264nal/
The AddressSanitizer heap-buffer-overflow error is solved here: https://github.com/versatica/mediasoup/pull/1355/commits/dd0136fce3f99806c161dae3783dce174dd876c1
Let's address the possible missing `break` in a separate issue: https://github.com/versatica/mediasoup/issues/1356
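The missing length check discussed in this thread, as an added example that is not mediasoup's code and does not reproduce its H264_SVC.cpp logic: a length-checked parser for the two RTP payload shapes the crash artifacts above exercise (a single NAL unit with the RFC 6190 SVC extension header for nal_unit_type 14 and 20, and RFC 6184 STAP-A aggregation), fed the two crash inputs from the reports plus a constructed well-formed packet. Field layouts follow RFC 6184 and RFC 6190; the function names, the `Result` enum and every sample byte other than the two artifacts are this example's own assumptions.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <vector>

// Added example, not mediasoup code: length-checked parsing of the RTP H.264/SVC payload
// shapes the crash artifacts above exercise (RFC 6184 single NALU and STAP-A, RFC 6190 SVC
// extension header for nal_unit_type 14 and 20). Names and constants are assumptions.
enum class Result { Ok, TooShort, Unsupported };

struct NaluInfo {
  uint8_t nalType = 0;
  bool isKeyFrame = false;       // IDR slice (type 5) or idr_flag in the SVC extension
  bool hasSvcExtension = false;  // type 14 (prefix NAL unit) or 20 (coded slice extension)
  uint8_t dependencyId = 0, qualityId = 0, temporalId = 0;  // DID, QID, TID
};

// One NAL unit at data[0]; len is the number of bytes that really exist there.
// Header: F(1) NRI(2) Type(5). SVC extension for types 14/20 is 3 more bytes:
//   R(1) I(1) PRID(6) | N(1) DID(3) QID(4) | TID(3) U(1) D(1) O(1) RR(2)
Result ParseSingleNalu(const uint8_t* data, size_t len, NaluInfo& out) {
  if (len < 1) return Result::TooShort;
  out.nalType = data[0] & 0x1f;
  if (out.nalType < 1 || out.nalType > 23) return Result::Unsupported;
  switch (out.nalType) {
    case 5:  // IDR slice: key frame, nothing more to read
      out.isKeyFrame = true;
      break;  // deliberate: falling through would misread slice data as an SVC extension header
    case 14:
    case 20:  // header byte + 3 extension bytes
      if (len < 4) return Result::TooShort;  // the length check the report says is missing
      out.hasSvcExtension = true;
      out.isKeyFrame = (data[1] & 0x40) != 0;    // idr_flag
      out.dependencyId = (data[2] >> 4) & 0x07;  // DID
      out.qualityId = data[2] & 0x0f;            // QID
      out.temporalId = (data[3] >> 5) & 0x07;    // TID
      break;
  }
  return Result::Ok;
}

// STAP-A: header byte, then repeated {2-byte NALU size (network order), NALU}. The size field
// is attacker-controlled: check it against the bytes that remain before it becomes the len
// handed down to ParseSingleNalu.
Result ParseStapA(const uint8_t* data, size_t len, std::vector<NaluInfo>& out) {
  if (len < 1 || (data[0] & 0x1f) != 24) return Result::Unsupported;
  size_t pos = 1;
  while (pos < len) {
    if (len - pos < 2) return Result::TooShort;
    size_t naluSize = (static_cast<size_t>(data[pos]) << 8) | data[pos + 1];
    pos += 2;
    if (naluSize > len - pos) return Result::TooShort;  // size field lies about what follows
    NaluInfo info;
    Result r = ParseSingleNalu(data + pos, naluSize, info);
    if (r != Result::Ok) return r;
    out.push_back(info);
    pos += naluSize;
  }
  return Result::Ok;
}

// Same shape as the fuzzer target: raw RTP payload in, parsed NAL units out.
Result ParsePayload(const uint8_t* data, size_t len, std::vector<NaluInfo>& out) {
  if (len < 1) return Result::TooShort;
  uint8_t type = data[0] & 0x1f;
  if (type == 24) return ParseStapA(data, len, out);
  if (type > 23) return Result::Unsupported;  // STAP-B, MTAP, FU-A, FU-B: not covered here
  NaluInfo info;
  Result r = ParseSingleNalu(data, len, info);
  if (r == Result::Ok) out.push_back(info);
  return r;
}

// The two libFuzzer artifacts from the reports above (bytes from the "MS:" lines) and a
// constructed, well-formed STAP-A holding a type-20 NALU followed by an IDR slice.
const uint8_t kCrash1[] = {0x9d, 0xce};              // type 29, 2 bytes
const uint8_t kCrash2[] = {0x38, 0x04, 0x00, 0x34};  // STAP-A, size field 0x0400, 1 byte left
const uint8_t kValidStapA[] = {0x38, 0x00, 0x04, 0x74, 0x40, 0x12, 0x20, 0x00, 0x01, 0x65};

int main() {
  auto run = [](const char* label, const uint8_t* data, size_t len) {
    // Like libFuzzer (the operator new[] frame in the allocation stack), hand the parser an
    // exact-size heap copy so any read past the end lands in an ASan redzone.
    uint8_t* buf = new uint8_t[len];
    std::memcpy(buf, data, len);
    std::vector<NaluInfo> out;
    Result r = ParsePayload(buf, len, out);
    std::printf("%s: %s, %zu NALU(s)\n", label,
                r == Result::Ok ? "ok" : r == Result::TooShort ? "too short" : "unsupported", out.size());
    delete[] buf;
  };
  run("crash-9f66ca4ef3883597fad0dc412148f03a5ac794b6", kCrash1, sizeof kCrash1);
  run("crash-9cc885b84ba02d766f422c6512ead3808ded0189", kCrash2, sizeof kCrash2);
  run("constructed valid STAP-A", kValidStapA, sizeof kValidStapA);
#ifdef REPRODUCE_OVERFLOW
  // The STAP-A loop without its size check: 0x0400 is trusted as the NALU length, so the
  // "len < 4" guard in ParseSingleNalu passes and data[1] is read one byte past the 4-byte
  // block. Build with -DREPRODUCE_OVERFLOW -fsanitize=address to see the report.
  uint8_t* raw = new uint8_t[sizeof kCrash2];
  std::memcpy(raw, kCrash2, sizeof kCrash2);
  NaluInfo info;
  ParseSingleNalu(raw + 3, (static_cast<size_t>(raw[1]) << 8) | raw[2], info);
  delete[] raw;
#endif
  return 0;
}
```

Built with `-fsanitize=address`, all three inputs return cleanly: the 2-byte artifact is rejected as an unsupported type before any second byte is touched, and the 4-byte artifact is rejected because its size field (0x0400) exceeds the single byte that remains. With `-DREPRODUCE_OVERFLOW` the trailing block trusts that size field and reads one byte past an exact-size 4-byte heap block, which gives a sanitizer report of the same shape as the second one above ("0 bytes to the right of 4-byte region"). The `break` after `case 5` is deliberate here: an IDR slice carries no extension header, so falling through into the type 14/20 cases would misinterpret slice bytes as DID/QID/TID fields.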
TODO

Added fuzzers only use the `Parse()` static method of the `PayloadDescriptor` class of every supported codec. Should we also call more methods in generated `PayloadDescriptor` instances?