Extract elementary stream from all kinds of media files, show inside media meta information and reconstruct Transport-Stream, ISOBMFF, Matroska and MMT media files
Null Pointer Dereference in function DumpOneStream() at src/DumpStream.cpp:3075 #21
Describe:
A Null Pointer Dereference was discovered in DumpTS. The issue is being triggered in function DumpOneStream() at src/DumpStream.cpp:3075
Reproduce:
Tested in Ubuntu 22.04
Compile the program with address sanitizer with this:
first add the command in makefile as follows:
Then:
gdb --args ./DumpTS /home/DumpTS/fuzz_out2/default/crashes/id:000000,sig:11,src:000007,time:80786,execs:34010,op:int16,pos:5,val:+64 --showinfo --removebox='unkn'
(gdb) set logging on
(gdb) set logging file out.txt
(gdb) set logging redirect on
(gdb) break main
(gdb) run
(gdb) step
(gdb) print argc
(gdb) print argv
(gdb) continue
(gdb) info signals
(gdb) backtrace
GDB Reports:
(gdb) run
Starting program: /home/DumpTS/build/linux/DumpTS /home/DumpTS/fuzz_out2/default/crashes/id:000000,sig:11,src:000007,time:80786,execs:34010,op:int16,pos:5,val:+64 --showinfo --removebox=unkn
warning: Error disabling address space randomization: Operation not permitted
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
invalid 'pointer_field' value.
Program received signal SIGSEGV, Segmentation fault.
0x00007f43f4230d4d in ftell () from /lib/x86_64-linux-gnu/libc.so.6
(gdb) continue
Continuing.
AddressSanitizer:DEADLYSIGNAL
=================================================================
==1809928==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f43f4230d4d bp 0x7ffdfcc8c170 sp 0x7ffdfcc8bc90 T0)
==1809928==The signal is caused by a READ memory access.
==1809928==Hint: address points to the zero page.
[Detaching after fork from child process 1811589]
#0 0x7f43f4230d4d in _IO_ftell (/lib/x86_64-linux-gnu/libc.so.6+0x7fd4d) (BuildId: 962015aa9d133c6cbcfb31ec300596d7f44d3348)
#1 0x5583ad745508 (/home/DumpTS/build/linux/DumpTS+0xe86508) (BuildId: b640c03d1d58bdf7)
#2 0x5583ad778276 (/home/DumpTS/build/linux/DumpTS+0xeb9276) (BuildId: b640c03d1d58bdf7)
#3 0x7f43f41dad8f (/lib/x86_64-linux-gnu/libc.so.6+0x29d8f) (BuildId: 962015aa9d133c6cbcfb31ec300596d7f44d3348)
#4 0x7f43f41dae3f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x29e3f) (BuildId: 962015aa9d133c6cbcfb31ec300596d7f44d3348)
#5 0x5583acc3f324 (/home/DumpTS/build/linux/DumpTS+0x380324) (BuildId: b640c03d1d58bdf7)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/lib/x86_64-linux-gnu/libc.so.6+0x7fd4d) (BuildId: 962015aa9d133c6cbcfb31ec300596d7f44d3348) in _IO_ftell
==1809928==ABORTING
[Inferior 1 (process 1809928) exited with code 01]
and this is the command at the bug address:
Poc
Poc file is here
Fuzzer
Fuzzer is AFL.
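The sanitizer summary above (SEGV on address 0 inside `_IO_ftell`) is the signature of `ftell()` being handed a NULL `FILE*`, typically because an earlier `fopen()` failed and its result was never checked. The following is an added illustration, not code from DumpTS and not the contents of `src/DumpStream.cpp:3075`; the shape of the faulty call is assumed from the backtrace, and the sample bytes are constructed.

```c
#include <errno.h>
#include <stdio.h>

/* Unguarded pattern (assumed shape of the bug, not DumpTS code): when the
   caller's fopen() failed, fp is NULL and ftell(NULL) reads the zero page,
   which matches "SEGV on unknown address 0x0 ... in _IO_ftell" above. */
long unguarded_stream_offset(FILE *fp) {
    return ftell(fp);               /* crashes when fp == NULL */
}

/* Guarded pattern: one helper that refuses a NULL handle and turns it into
   the same -1L / errno result ftell() itself uses for failures. */
long guarded_stream_offset(FILE *fp) {
    if (fp == NULL) {
        errno = EBADF;
        return -1L;
    }
    return ftell(fp);               /* -1L and errno set on failure */
}

/* Open an input, skip a header of header_len bytes and report the resulting
   offset; a missing or unreadable file yields -1L instead of a crash. */
long offset_after_header(const char *path, long header_len) {
    FILE *fp = fopen(path, "rb");
    if (fp == NULL)
        return -1L;
    long pos = -1L;
    if (fseek(fp, header_len, SEEK_SET) == 0)
        pos = guarded_stream_offset(fp);
    fclose(fp);
    return pos;
}

/* Constructed sample: 16 bytes written to a temporary file so the guarded
   path can be exercised without any input file from the report. */
long demo_offset_on_constructed_stream(void) {
    static const unsigned char sample[16] = {
        0x47, 0x40, 0x00, 0x10, 0x00, 0x00, 0xB0, 0x0D,   /* constructed bytes */
        0x00, 0x01, 0xC1, 0x00, 0x00, 0x00, 0x00, 0xE0 };
    FILE *fp = tmpfile();
    if (fp == NULL)
        return -1L;
    long pos = -1L;
    if (fwrite(sample, 1, sizeof sample, fp) == sizeof sample &&
        fseek(fp, 4, SEEK_SET) == 0)
        pos = guarded_stream_offset(fp);   /* expect 4 */
    fclose(fp);
    return pos;
}
```

A fuzz-found crash like the one reported is best triaged by checking every `FILE*` producer (`fopen`, `freopen`, `tmpfile`) for a NULL result before any `ftell`/`fseek`/`fread` on it.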