After an evaluation, GNOME has moved from Bugzilla to GitLab. Learn more about GitLab.
No new issues can be reported in GNOME Bugzilla anymore.
To report an issue in a GNOME project, go to GNOME GitLab.
Do not go to GNOME Gitlab for: Bluefish, Doxygen, GnuCash, GStreamer, java-gnome, LDTP, NetworkManager, Tomboy.
Bug 777940 - qtdemux: huge memory allocation
qtdemux: huge memory allocation
Status: RESOLVED FIXED
Product: GStreamer
Classification: Platform
Component: gst-plugins-good
unspecified
Other Linux
: Normal normal
: 1.10.4
Assigned To: GStreamer Maintainers
GStreamer Maintainers
Depends on:
Blocks:
 
 
Reported: 2017-01-30 13:24 UTC by Hanno Böck
Modified: 2017-01-31 22:29 UTC
See Also:
GNOME target: ---
GNOME version: ---

Attachments
poc file (2.94 KB, video/mp4)
2017-01-30 13:24 UTC, Hanno Böck 		  Details
qtdemux: sanity check number of segments in edit list (907 bytes, patch)
2017-01-30 20:23 UTC, Tim-Philipp Müller 		committed Details | Review

Description Hanno Böck 2017-01-30 13:24:26 UTC 
Created attachment 344542 [details]
poc file

The attached file will cause an attempt to allocate 56 gigabytes of ram.

ASAN error:

==5089==AddressSanitizer CHECK failed: /var/tmp/portage/sys-devel/llvm-3.9.1/work/llvm-3.9.1.src/projects/compiler-rt/lib/sanitizer_common/sanitizer_common.cc:120 "((0 && "unable to mmap")) != (0)" (0x0, 0x0)
    #0 0x4d675f in __asan::AsanCheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) (/usr/bin/gst-discoverer-1.0+0x4d675f)
    #1 0x4f0315 in __sanitizer::CheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) (/usr/bin/gst-discoverer-1.0+0x4f0315)
    #2 0x4e0412 in __sanitizer::ReportMmapFailureAndDie(unsigned long, char const*, char const*, int, bool) (/usr/bin/gst-discoverer-1.0+0x4e0412)
    #3 0x4e94a5 in __sanitizer::MmapOrDie(unsigned long, char const*, bool) (/usr/bin/gst-discoverer-1.0+0x4e94a5)
    #4 0x42297f in __asan::asan_malloc(unsigned long, __sanitizer::BufferedStackTrace*) (/usr/bin/gst-discoverer-1.0+0x42297f)
    #5 0x4cbb94 in malloc (/usr/bin/gst-discoverer-1.0+0x4cbb94)
    #6 0x7f39609b0768 in g_malloc /var/tmp/portage/dev-libs/glib-2.50.2/work/glib-2.50.2/glib/gmem.c:94
    #7 0x7f3953fa138b in qtdemux_parse_segments /f/gstreamer/gst-plugins-good/gst/isomp4/qtdemux.c:8775:24
    #8 0x7f3953fa138b in qtdemux_parse_trak /f/gstreamer/gst-plugins-good/gst/isomp4/qtdemux.c:11327
    #9 0x7f3953f6ba82 in qtdemux_parse_tree /f/gstreamer/gst-plugins-good/gst/isomp4/qtdemux.c:12925:5
    #10 0x7f3953f5cdb2 in gst_qtdemux_loop_state_header /f/gstreamer/gst-plugins-good/gst/isomp4/qtdemux.c:4273:7
    #11 0x7f3953f5cdb2 in gst_qtdemux_loop /f/gstreamer/gst-plugins-good/gst/isomp4/qtdemux.c:5810
    #12 0x7f39617d5973 in gst_task_func /f/gstreamer/gstreamer/gst/gsttask.c:334:5
    #13 0x7f39609d2b2d in g_thread_pool_thread_proxy /var/tmp/portage/dev-libs/glib-2.50.2/work/glib-2.50.2/glib/gthreadpool.c:307
    #14 0x7f39609d2154 in g_thread_proxy /var/tmp/portage/dev-libs/glib-2.50.2/work/glib-2.50.2/glib/gthread.c:784
    #15 0x7f3960450453 in start_thread (/lib64/libpthread.so.0+0x7453)
    #16 0x7f395ff805dc in clone (/lib64/libc.so.6+0xe75dc)
Comment 1 Tim-Philipp Müller 2017-01-30 20:23:03 UTC 
Created attachment 344580 [details] [review]
qtdemux: sanity check number of segments in edit list

I first did something like

  if (n_segments > (G_MAXINT / entry_size))

which I then revised to

  if (n_segments > ((N * 1024 * 1024) / entry_size))

but it all seemed silly in the end, might just as well specify some threshold directly.
Comment 2 Tim-Philipp Müller 2017-01-31 20:54:41 UTC 
commit 19c9600ea66a2b860ffad117a1266976ab21792c
Author: Tim-Philipp Müller <tim@centricular.com>
Date:   Mon Jan 30 20:20:08 2017 +0000

    qtdemux: sanity check number of segments in edit list
    
    Fixes crash with fuzzed file.
    
    https://bugzilla.gnome.org/show_bug.cgi?id=777940