Extract elementary stream from all kinds of media files, show inside media meta information and reconstruct Transport-Stream, ISOBMFF, Matroska and MMT media files
MIT License
Null Pointer Dereference in function VerifyCommandLine () at src/DumpTS.cpp:388 #22
A Null Pointer Dereference was discovered in DumpTS v0.1.0-nightly. The issue is triggered in function VerifyCommandLine() at src/DumpTS.cpp:388. Attackers may exploit this vulnerability to cause a denial-of-service (DoS) attack.
Reproduce:
Tested in Ubuntu 22.04
Compile the program with AddressSanitizer as follows:
First, add the command to the makefile as follows:
Then the PoC is supplied as the input to DumpTS; here is the command:
gdb --args ./DumpTS /home/DumpTS/fuzz_out3/default/crashes/id\:000000\,sig\:06\,src\:000011\,time\:52513\,execs\:23035\,op\:havoc\,rep\:16 --output=test1.mp4 --pid=0x1011 --showpts --destpid=0x1011
(gdb) break main
(gdb) run
(gdb) continue
(gdb) backtrace
GDB reports:
(gdb) break main
Breakpoint 1 at 0x38e399: file ../../src/DumpTS.cpp, line 1126.
(gdb) run
Starting program: /home/DumpTS/bin/linux/DumpTS /home/DumpTS/fuzz_out3/default/crashes/id:000000,sig:06,src:000011,time:52513,execs:23035,op:havoc,rep:16 --output=test1.mp4 --pid=0x1011 --showpts --destpid=0x1011
warning: Error disabling address space randomization: Operation not permitted
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Breakpoint 1, main (argc=6, argv=0x7ffd185a24c8) at ../../src/DumpTS.cpp:1126
1126 int nDumpRet = 0;
(gdb) continue
Continuing.
Program received signal SIGSEGV, Segmentation fault.
0x00007f85f9b7781e in ?? () from /lib/x86_64-linux-gnu/libc.so.6
(gdb) backtrace
#0 0x00007f85f9b7781e in ?? () from /lib/x86_64-linux-gnu/libc.so.6
#1 0x00007f85f9e47bce in std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::compare(char const*) const ()
from /lib/x86_64-linux-gnu/libstdc++.so.6
#2 0x000055c2e077c235 in VerifyCommandLine () at ../../src/DumpTS.cpp:388
#3 0x000055c2e0781433 in main (argc=6, argv=0x7ffd185a24c8) at ../../src/DumpTS.cpp:1157
This is the code at the bug address:
PoC: the PoC file is here.
Fuzzer: the fuzzer is AFL.
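The backtrace places the fault in std::string::compare(char const*) called from VerifyCommandLine(), which is the signature of a std::string being compared against a null const char*: compare(const char*) requires a NUL-terminated string, so a null argument is undefined behaviour and typically faults inside libc's strlen, matching frames #0 and #1 above. The following C++ illustration is added here and is not DumpTS's own code; find_option(), output_is_mp4_unchecked() and output_is_mp4() are hypothetical names, and the argument values are constructed from the command line in the report.

```cpp
#include <cstdio>
#include <string>
#include <vector>

// Hypothetical option lookup: returns the value of "--name=value", or nullptr when the
// option is absent. A lookup like this is the usual source of the null pointer that
// later reaches std::string::compare(const char*).
const char* find_option(const std::vector<std::string>& args, const std::string& name) {
    const std::string prefix = name + "=";
    for (const std::string& a : args) {
        if (a.compare(0, prefix.size(), prefix) == 0) {
            return a.c_str() + prefix.size();  // points into the argument's own storage
        }
    }
    return nullptr;
}

// Defective pattern: hands a possibly-null pointer to std::string::compare(const char*).
// When --output is missing this is undefined behaviour and faults in libc (strlen on
// nullptr), the same shape as the reported SIGSEGV. Shown only to document the failure
// mode; do not call it without the option present.
bool output_is_mp4_unchecked(const std::vector<std::string>& args) {
    const std::string expected = "test1.mp4";
    return expected.compare(find_option(args, "--output")) == 0;  // UB if nullptr
}

// Hardened pattern: validate the pointer before any std::string construction or compare.
// An absent or empty option is reported as "not matching" instead of crashing.
bool output_is_mp4(const std::vector<std::string>& args) {
    const char* value = find_option(args, "--output");
    if (value == nullptr || *value == '\0') {
        return false;
    }
    return std::string(value) == "test1.mp4";
}

int main() {
    // Constructed argument lists based on the report's command line.
    std::vector<std::string> full = {"--output=test1.mp4", "--pid=0x1011", "--showpts", "--destpid=0x1011"};
    std::vector<std::string> missing = {"--pid=0x1011", "--showpts", "--destpid=0x1011"};
    std::printf("with --output:    %s\n", output_is_mp4(full) ? "match" : "no match");
    std::printf("without --output: %s\n", output_is_mp4(missing) ? "match" : "no match");
    return 0;
}
```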