Bug 775120 - mpegts parser: null pointer deref in _parse_pat
Status: RESOLVED FIXED
Product: GStreamer
Classification: Platform
Component: gst-plugins-bad
Version: git master
Hardware/OS: Other Linux
Priority/Severity: Normal normal
Target Milestone: 1.10.2
Assigned To: GStreamer Maintainers
QA Contact: GStreamer Maintainers
Reported: 2016-11-25 21:22 UTC by Hanno Böck
Modified: 2016-11-26 10:32 UTC

Attachments
poc file (832 bytes, text/vnd.trolltech.linguist), 2016-11-25 21:22 UTC, Hanno Böck
mpegtssection: Fix PAT parsing (1.40 KB, patch), 2016-11-26 09:24 UTC, Edward Hervey, committed

Description Hanno Böck 2016-11-25 21:22:33 UTC
Created attachment 340777
poc file

The attached file will cause a null pointer access and segfault in the mpegts parser. Current git code, found with afl.

ASAN stack trace:
=================================================================
==32545==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7fe957185495 bp 0x60200002cf7a sp 0x7fe956e027a0 T2)
==32545==The signal is caused by a WRITE memory access.
==32545==Hint: address points to the zero page.
    #0 0x7fe957185494 in _parse_pat /f/gstreamer/gst-plugins-bad/gst-libs/gst/mpegts/gstmpegtssection.c:441:32
    #1 0x7fe957184058 in __common_section_checks /f/gstreamer/gst-plugins-bad/gst-libs/gst/mpegts/gstmpegtssection.c:166:9
    #2 0x7fe95718522f in gst_mpegts_section_get_pat /f/gstreamer/gst-plugins-bad/gst-libs/gst/mpegts/gstmpegtssection.c:480:9
    #3 0x7fe957438b9a in mpegts_base_apply_pat /f/gstreamer/gst-plugins-bad/gst/mpegtsdemux/mpegtsbase.c:942:20
    #4 0x7fe957438b9a in mpegts_base_handle_psi /f/gstreamer/gst-plugins-bad/gst/mpegtsdemux/mpegtsbase.c:1155
    #5 0x7fe957437cd1 in mpegts_base_chain /f/gstreamer/gst-plugins-bad/gst/mpegtsdemux/mpegtsbase.c:1424:11
    #6 0x7fe9574341e7 in mpegts_base_loop /f/gstreamer/gst-plugins-bad/gst/mpegtsdemux/mpegtsbase.c:1589:13
    #7 0x7fe9644305c3 in gst_task_func /f/gstreamer/gstreamer/gst/gsttask.c:334:5
    #8 0x7fe96362f867  (/usr/lib64/libglib-2.0.so.0+0x70867)
    #9 0x7fe96362eed4  (/usr/lib64/libglib-2.0.so.0+0x6fed4)
    #10 0x7fe9630ac443 in start_thread (/lib64/libpthread.so.0+0x7443)
    #11 0x7fe962bdb92c in clone (/lib64/libc.so.6+0xe792c)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /f/gstreamer/gst-plugins-bad/gst-libs/gst/mpegts/gstmpegtssection.c:441:32 in _parse_pat
Thread T2 (tsdemux0:sink) created by T1 (typefind:sink) here:
    #0 0x42e26d in __interceptor_pthread_create (/usr/bin/gst-discoverer-1.0+0x42e26d)
    #1 0x7fe96364cadf  (/usr/lib64/libglib-2.0.so.0+0x8dadf)

Thread T1 (typefind:sink) created by T0 here:
    #0 0x42e26d in __interceptor_pthread_create (/usr/bin/gst-discoverer-1.0+0x42e26d)
    #1 0x7fe96364cadf  (/usr/lib64/libglib-2.0.so.0+0x8dadf)

==32545==ABORTING
Comment 1 Edward Hervey 2016-11-26 09:24:03 UTC
Created attachment 340786
mpegtssection: Fix PAT parsing

Use the estimated number of programs for parsing. Avoids over-reading.
Comment 2 Sebastian Dröge (slomo) 2016-11-26 10:04:10 UTC
Review of attachment 340786:

Looks good, just one other potential problem here

::: gst-libs/gst/mpegts/gstmpegtssection.c
@@ +430,1 @@
       g_ptr_array_new_full (nb_programs,

Above here, you probably also want to check "if (end - data < 4)", or is that guaranteed from the caller?
Comment 3 Edward Hervey 2016-11-26 10:12:25 UTC
Review of attachment 340786:

::: gst-libs/gst/mpegts/gstmpegtssection.c
@@ +430,1 @@
       g_ptr_array_new_full (nb_programs,

That's already checked in the section creation part (the other bug I fixed)
Comment 4 Edward Hervey 2016-11-26 10:14:43 UTC
commit 7b12593cceaa0726d7fc370a7556a8e773ccf318
Author: Edward Hervey <edward@centricular.com>
Date:   Sat Nov 26 10:23:01 2016 +0100

    mpegtssection: Fix PAT parsing
    
    Use the estimated number of programs for parsing. Avoids over-reading.
    
    https://bugzilla.gnome.org/show_bug.cgi?id=775120
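The fix described in comment 1 and the "end - data < 4" check raised in comment 2 come down to one rule for PSI parsing: derive the number of PAT entries from the section_length field, verify the buffer actually holds that many bytes, and never read past the section end. The parser below is an added example that applies that rule to a complete PAT section; it is not GStreamer's _parse_pat or the committed patch, and the type names, the sample section bytes and the placeholder CRC are constructed here for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* PAT layout (ISO/IEC 13818-1, Table 2-30): 3 bytes up to and including
 * section_length, then 5 fixed header bytes (transport_stream_id, version
 * byte, section_number, last_section_number), then 4-byte program entries,
 * then CRC_32. section_length counts every byte after byte 2, CRC included. */
#define PAT_TABLE_ID        0x00
#define PAT_FIXED_HDR       5
#define PAT_ENTRY_LEN       4
#define PAT_CRC_LEN         4
#define PAT_MAX_SECTION_LEN 1021   /* spec limit for a PSI section */
#define PAT_MAX_PROGRAMS    ((PAT_MAX_SECTION_LEN - PAT_FIXED_HDR - PAT_CRC_LEN) / PAT_ENTRY_LEN)

typedef struct { uint16_t program_number; uint16_t pid; } pat_program;

typedef struct {
    uint16_t    transport_stream_id;
    uint8_t     version;
    size_t      nb_programs;
    pat_program programs[PAT_MAX_PROGRAMS];
} pat_section;

/* Parse one complete PAT section. Returns 0 on success, -1 when the buffer
 * is shorter than the section claims or the length fields are inconsistent.
 * CRC_32 is not verified in this example. */
int parse_pat(const uint8_t *data, size_t len, pat_section *out)
{
    const uint8_t *p, *end;
    size_t section_length, payload, nb, i;

    memset(out, 0, sizeof(*out));
    if (data == NULL || len < 3 || data[0] != PAT_TABLE_ID)
        return -1;

    section_length = ((size_t)(data[1] & 0x0f) << 8) | data[2];
    if (section_length > PAT_MAX_SECTION_LEN)
        return -1;
    /* Truncated input: the header promises more bytes than were delivered. */
    if (len < 3 + section_length)
        return -1;
    /* The fixed header and the CRC must fit inside the declared length. */
    if (section_length < PAT_FIXED_HDR + PAT_CRC_LEN)
        return -1;

    /* Entry count comes from section_length, not from scanning to the end of
     * the buffer; entries are exactly 4 bytes, so a remainder is malformed. */
    payload = section_length - PAT_FIXED_HDR - PAT_CRC_LEN;
    if (payload % PAT_ENTRY_LEN != 0)
        return -1;
    nb = payload / PAT_ENTRY_LEN;

    p   = data + 3;
    end = data + 3 + section_length - PAT_CRC_LEN;   /* first CRC byte */
    out->transport_stream_id = (uint16_t)((p[0] << 8) | p[1]);
    out->version = (p[2] >> 1) & 0x1f;
    p += PAT_FIXED_HDR;

    for (i = 0; i < nb; i++) {
        /* Per-entry guard, the "end - data < 4" check from the review. */
        if (end - p < PAT_ENTRY_LEN)
            return -1;
        out->programs[i].program_number = (uint16_t)((p[0] << 8) | p[1]);
        out->programs[i].pid = (uint16_t)(((p[2] & 0x1f) << 8) | p[3]);
        p += PAT_ENTRY_LEN;
    }
    out->nb_programs = nb;
    return 0;
}

/* Constructed sample: section_length 0x11 = 5 header + 2 entries + 4 CRC.
 * Program 0 -> NIT on PID 0x10, program 1 -> PMT on PID 0x100. The CRC
 * bytes are placeholders. */
static const uint8_t sample_pat[] = {
    0x00, 0xB0, 0x11,
    0x00, 0x01, 0xC1, 0x00, 0x00,
    0x00, 0x00, 0xE0, 0x10,
    0x00, 0x01, 0xE1, 0x00,
    0xDE, 0xAD, 0xBE, 0xEF
};

/* Constructed sample whose section_length (5) cannot even hold header + CRC. */
static const uint8_t bad_length_pat[] = {
    0x00, 0xB0, 0x05, 0x00, 0x01, 0xC1, 0x00, 0x00
};

/* Result of parsing a buffer, discarding the parsed section. */
int pat_parse_status(const uint8_t *data, size_t len)
{
    pat_section s;
    return parse_pat(data, len, &s);
}

/* PID of entry i of the sample PAT when only len bytes are available, or -1. */
int sample_pat_pid(size_t i, size_t len)
{
    pat_section s;
    if (parse_pat(sample_pat, len, &s) != 0 || i >= s.nb_programs)
        return -1;
    return s.programs[i].pid;
}

int main(void)
{
    pat_section pat;
    size_t i;

    if (parse_pat(sample_pat, sizeof sample_pat, &pat) == 0)
        for (i = 0; i < pat.nb_programs; i++)
            printf("program %u -> PID 0x%04x\n",
                   (unsigned) pat.programs[i].program_number,
                   (unsigned) pat.programs[i].pid);
    /* A copy cut to 12 bytes still carries a header claiming 17 more. */
    printf("truncated: %d\n", pat_parse_status(sample_pat, 12));
    printf("bad length: %d\n", pat_parse_status(bad_length_pat, sizeof bad_length_pat));
    return 0;
}
```

Both rejections happen before any entry is touched: the length check against the buffer catches a section cut short by the demuxer or by a crafted file, and the header/CRC minimum catches a section_length too small to contain what the loop would read. The per-entry guard inside the loop is redundant once the count is derived this way, which is the point Sebastian's question raises, but it costs nothing and keeps the loop safe if the arithmetic above is ever changed.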