GNOME Bugzilla – Bug 777937
asfdemux: invalid memory read in gst_asf_demux_process_ext_stream_props()
Last modified: 2017-02-14 06:25:01 UTC
Created attachment 344540: poc file

PoC file attached; the file will cause an invalid memory read, found with afl+asan.

ASAN stack trace:

==23967==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000180 (pc 0x7feb66ef82cc bp 0x7feb6653f930 sp 0x7feb6653f540 T2)
==23967==The signal is caused by a READ memory access.
==23967==Hint: address points to the zero page.
    #0 0x7feb66ef82cb in gst_asf_demux_process_ext_stream_props /f/gstreamer/gst-plugins-ugly/gst/asfdemux/gstasfdemux.c:4232:34
    #1 0x7feb66ef82cb in gst_asf_demux_process_queued_extended_stream_objects /f/gstreamer/gst-plugins-ugly/gst/asfdemux/gstasfdemux.c:4321
    #2 0x7feb66ef82cb in gst_asf_demux_parse_data_object_start /f/gstreamer/gst-plugins-ugly/gst/asfdemux/gstasfdemux.c:1178
    #3 0x7feb66edea5d in gst_asf_demux_pull_headers /f/gstreamer/gst-plugins-ugly/gst/asfdemux/gstasfdemux.c:1249:8
    #4 0x7feb66edea5d in gst_asf_demux_loop /f/gstreamer/gst-plugins-ugly/gst/asfdemux/gstasfdemux.c:1984
    #5 0x7feb7414b973 in gst_task_func /f/gstreamer/gstreamer/gst/gsttask.c:334:5
    #6 0x7feb73348b2d in g_thread_pool_thread_proxy /var/tmp/portage/dev-libs/glib-2.50.2/work/glib-2.50.2/glib/gthreadpool.c:307
    #7 0x7feb73348154 in g_thread_proxy /var/tmp/portage/dev-libs/glib-2.50.2/work/glib-2.50.2/glib/gthread.c:784
    #8 0x7feb72dc6453 in start_thread (/lib64/libpthread.so.0+0x7453)
    #9 0x7feb728f65dc in clone (/lib64/libc.so.6+0xe75dc)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /f/gstreamer/gst-plugins-ugly/gst/asfdemux/gstasfdemux.c:4232:34 in gst_asf_demux_process_ext_stream_props
Thread T2 (asfdemux0:sink) created by T1 (typefind:sink) here:
    #0 0x42df2d in __interceptor_pthread_create (/usr/bin/gst-discoverer-1.0+0x42df2d)
    #1 0x7feb733651bf in g_system_thread_new /var/tmp/portage/dev-libs/glib-2.50.2/work/glib-2.50.2/glib/gthread-posix.c:1170

Thread T1 (typefind:sink) created by T0 here:
    #0 0x42df2d in __interceptor_pthread_create (/usr/bin/gst-discoverer-1.0+0x42df2d)
    #1 0x7feb733651bf in g_system_thread_new /var/tmp/portage/dev-libs/glib-2.50.2/work/glib-2.50.2/glib/gthread-posix.c:1170

==23967==ABORTING
commit dec880031d16f1ee4919a36f49298419246cf6a8
Author: Sebastian Dröge <sebastian@centricular.com>
Date:   Mon Jan 30 15:39:59 2017 +0200

    asfdemux: Reset number of languages to 0 when freeing the array because of errors

    Otherwise we will happily index into the array at NULL if the requested
    index is smaller than the number of languages that were previously
    allocated.

    https://bugzilla.gnome.org/show_bug.cgi?id=777937
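The count/pointer mismatch the commit message describes, reduced to a small model as an added example (not code from gst-plugins-ugly): the error-path cleanup frees the array but leaves the count, so a later bounds check against the stale count passes and the read lands near address zero. The `LangTable` type and the `lang_table_*` functions are hypothetical names for this illustration, not the real GstASFDemux fields.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdlib.h>

/* Simplified model of the state the commit message describes: a heap
 * array of language tags plus its element count. Names are illustrative,
 * not the real GstASFDemux fields. */
typedef struct {
    const char **languages;  /* heap array of language tags, or NULL */
    unsigned num_languages;  /* how many entries the array holds */
} LangTable;

/* Fill the table with n constructed sample tags. */
static void lang_table_alloc(LangTable *t, unsigned n) {
    t->languages = calloc(n, sizeof *t->languages);
    for (unsigned i = 0; i < n; i++) t->languages[i] = "und";
    t->num_languages = n;
}

/* Error-path cleanup as the bug had it: the array goes away but the
 * count stays, so a later "index < num_languages" check still passes
 * and the caller reads from NULL + index * sizeof(char *). */
static void lang_table_free_buggy(LangTable *t) {
    free(t->languages);
    t->languages = NULL;
}

/* Fixed cleanup from the commit: freeing the array also zeroes the count. */
static void lang_table_free_fixed(LangTable *t) {
    free(t->languages);
    t->languages = NULL;
    t->num_languages = 0;
}

/* Invariant the fix restores: a NULL array must carry a zero count. */
static bool lang_table_consistent(const LangTable *t) {
    return t->languages != NULL || t->num_languages == 0;
}

/* Defensive lookup that checks the pointer as well as the count, so it
 * returns NULL instead of faulting even if the invariant was broken. */
static const char *lang_table_get(const LangTable *t, unsigned idx) {
    if (t->languages == NULL || idx >= t->num_languages) return NULL;
    return t->languages[idx];
}
```

The `lang_table_consistent` check is the kind of assertion worth placing at the top of any function that indexes such an array, since it turns a silent NULL-plus-offset read into an immediate, diagnosable failure.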