Extract elementary stream from all kinds of media files, show inside media meta information and reconstruct Transport-Stream, ISOBMFF, Matroska and MMT media files
MIT License
buffer-overflow in function PushTSBuf() at src/PayloadBuf.cpp:706 #19
Describe:
A heap-buffer-overflow was discovered in DumpTS v0.1.0-nightly. The issue is being triggered in function PushTSBuf() at src/PayloadBuf.cpp:706. Attackers may exploit this vulnerability to execute and cause a DoS attack.
Reproduce:
Tested in Ubuntu 22.04
Compile the program with AddressSanitizer with this:
first add the command to the makefile as follows:
Then:
gdb --args ./DumpTS /home/DumpTS/fuzz_out2/default/crashes/id:000003,sig:06,src:000015+000006,time:134707,execs:46267,op:splice,rep:11 --showinfo --removebox='unkn'
(gdb) set logging on
(gdb) set logging file out.txt
(gdb) set logging redirect on
(gdb) break main
(gdb) run
(gdb) step
(gdb) print argc
(gdb) print argv
(gdb) continue
(gdb) info signals
(gdb) backtrace
GDB Reports:
(gdb) backtrace
#0 0x00007f29f214a03f in ?? () from /lib/x86_64-linux-gnu/libc.so.6
#1 0x0000557574249cdb in CPayloadBuf::PushTSBuf (this=0x557574c02520, idxTSPack=0, pBuf=0x7fffebdc3240 "", offStart=239 '\357', offEnd=192 '\300') at ../../src/PayloadBuf.cpp:706
#2 0x000055757433d8c6 in DumpOneStream () at ../../src/DumpStream.cpp:2884
#3 0x000055757435cd52 in main (argc=4, argv=0x7fffebdc4728) at ../../src/DumpTS.cpp:1312
and this is the command at the bug address:
Poc
Poc file is here
Fuzzer
Fuzzer is AFL.
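The backtrace above shows PushTSBuf() entered with offStart=239 and offEnd=192, i.e. the slice end lies before the slice start and both exceed nothing but each other. The page does not show the code at PayloadBuf.cpp:706, so the following is an added, hypothetical model of how such bounds turn into an out-of-bounds heap copy, plus the check a hardened push would apply; it is not DumpTS's own implementation, and the buffer layout, function names and the 188-byte packet are assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define TS_PACKET_SIZE 188  /* MPEG-2 transport stream packet size */

/* Hypothetical growable heap buffer; stands in for whatever CPayloadBuf
 * keeps internally (assumption, not the project's layout). */
typedef struct {
    uint8_t *data;
    size_t   len;
    size_t   cap;
} payload_buf;

static bool buf_reserve(payload_buf *b, size_t extra)
{
    if (extra > SIZE_MAX - b->len)      /* len + extra would overflow */
        return false;
    size_t need = b->len + extra;
    if (need <= b->cap)
        return true;
    size_t ncap = b->cap ? b->cap : 256;
    while (ncap < need) {
        if (ncap > SIZE_MAX / 2)
            return false;
        ncap *= 2;
    }
    uint8_t *p = realloc(b->data, ncap);
    if (!p)
        return false;
    b->data = p;
    b->cap = ncap;
    return true;
}

/* Length a naive push would compute from the slice bounds. With the
 * backtrace's values (offStart=239, offEnd=192) the subtraction is
 * negative; converted to size_t it wraps to a value far larger than a
 * packet, so a following memcpy reads past the 188-byte packet and
 * writes past the heap destination. This helper only returns the
 * number and never copies anything. */
static size_t slice_len_unchecked(uint8_t offStart, uint8_t offEnd)
{
    return (size_t)(offEnd - offStart);
}

/* Hardened push: validate the slice against the packet before copying.
 * Returns false and leaves the buffer untouched on any bad bounds. */
static bool push_ts_slice(payload_buf *b, const uint8_t *pkt,
                          uint8_t offStart, uint8_t offEnd)
{
    if (pkt == NULL)
        return false;
    if (offStart > offEnd)           /* end before start: the crash's shape */
        return false;
    if (offEnd > TS_PACKET_SIZE)     /* slice must stay inside the packet */
        return false;
    size_t n = (size_t)(offEnd - offStart);
    if (n == 0)
        return true;                 /* empty slice is legal, nothing to do */
    if (!buf_reserve(b, n))
        return false;
    memcpy(b->data + b->len, pkt + offStart, n);
    b->len += n;
    return true;
}

static void buf_free(payload_buf *b)
{
    free(b->data);
    b->data = NULL;
    b->len = b->cap = 0;
}

/* Constructed sample packet: sync byte followed by a counting pattern. */
static void make_sample_packet(uint8_t pkt[TS_PACKET_SIZE])
{
    pkt[0] = 0x47;
    for (int i = 1; i < TS_PACKET_SIZE; i++)
        pkt[i] = (uint8_t)i;
}

/* Feed the checked push the reported bounds, an out-of-packet slice and
 * one valid slice; returns the bytes accumulated if only the valid push
 * succeeded, else 0. */
static size_t demo(void)
{
    uint8_t pkt[TS_PACKET_SIZE];
    make_sample_packet(pkt);
    payload_buf b = {0};

    bool bad  = push_ts_slice(&b, pkt, 239, 192);           /* rejected */
    bool past = push_ts_slice(&b, pkt, 4, 200);             /* rejected */
    bool ok   = push_ts_slice(&b, pkt, 4, TS_PACKET_SIZE);  /* 184 bytes */

    size_t got = (!bad && !past && ok) ? b.len : 0;
    buf_free(&b);
    return got;
}

int main(void)
{
    return demo() == 184 ? 0 : 1;
}
```

The check to take away is the ordering and range test on the slice bounds before any length is derived from them: once `offEnd - offStart` is computed in unsigned arithmetic the information that the slice was inverted is gone, and the copy size is whatever the wrap produced.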