Bug 774896 - h264 parser: Off by one read in gst_h264_parse_set_caps()
Status: RESOLVED FIXED
Product: GStreamer
Classification: Platform
Component: gst-plugins-bad
Version: git master
Platform: Other Linux
Priority/Severity: Normal normal
Target Milestone: 1.10.2
Assigned To: GStreamer Maintainers
Depends on:
Blocks:
Reported: 2016-11-23 08:37 UTC by Hanno Böck
Modified: 2016-11-23 11:07 UTC
See Also:
GNOME target: ---
GNOME version: ---

Attachments
- sample poc mkv/h264 file (566 bytes, video/x-matroska), 2016-11-23 08:37 UTC, Hanno Böck
- h264parse: Ensure codec_data has the required size when reading number of SPS (876 bytes, patch), 2016-11-23 08:53 UTC, Sebastian Dröge (slomo), committed
- h265parse: Ensure codec_data has the required size when reading number of NAL arrays (1.46 KB, patch), 2016-11-23 08:53 UTC, Sebastian Dröge (slomo), committed

Description Hanno Böck 2016-11-23 08:37:41 UTC
Created attachment 340578
sample poc mkv/h264 file

The attached file will cause an off-by-one out-of-bounds read in the function gst_h264_parse_set_caps. This doesn't crash GStreamer; you need some kind of memory-safety tool like AddressSanitizer (or Valgrind) to see this bug.

Affects current git code, found with afl.

Stack trace from AddressSanitizer:
==5418==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60400001dfbd at pc 0x7f67a1f7deac bp 0x7f67a320a8d0 sp 0x7f67a320a8c8
READ of size 1 at 0x60400001dfbd thread T3 (matroskademux0:)
    #0 0x7f67a1f7deab in gst_h264_parse_set_caps /f/gstreamer/gst-plugins-bad/gst/videoparsers/gsth264parse.c:2586:15
    #1 0x7f67a6a1f5ed in gst_base_parse_sink_event_default /f/gstreamer/gstreamer/libs/gst/base/gstbaseparse.c:1186:15
    #2 0x7f67a1f7eb48 in gst_h264_parse_event /f/gstreamer/gst-plugins-bad/gst/videoparsers/gsth264parse.c:2801:13
    #3 0x7f67b219371a in gst_pad_send_event_unchecked /f/gstreamer/gstreamer/gst/gstpad.c:5609:14
    #4 0x7f67b21713dd in gst_pad_send_event /f/gstreamer/gstreamer/gst/gstpad.c:5779:7
    #5 0x7f67a6612c3d in send_sticky_event /f/gstreamer/gst-plugins-base/gst/playback/gstdecodebin2.c:1961:9
    #6 0x7f67b2196419 in foreach_dispatch_function /f/gstreamer/gstreamer/gst/gstpad.c:5878:11
    #7 0x7f67b217ad64 in events_foreach /f/gstreamer/gstreamer/gst/gstpad.c:603:11
    #8 0x7f67b2196225 in gst_pad_sticky_events_foreach /f/gstreamer/gstreamer/gst/gstpad.c:5909:3
    #9 0x7f67a65fe9fe in send_sticky_events /f/gstreamer/gst-plugins-base/gst/playback/gstdecodebin2.c:1976:3
    #10 0x7f67a65fe9fe in connect_pad /f/gstreamer/gst-plugins-base/gst/playback/gstdecodebin2.c:2496
    #11 0x7f67a65fe9fe in analyze_new_pad /f/gstreamer/gst-plugins-base/gst/playback/gstdecodebin2.c:1791
    #12 0x7f67a6610b90 in pad_added_cb /f/gstreamer/gst-plugins-base/gst/playback/gstdecodebin2.c:2929:7
    #13 0x7f67b1a0e276 in g_cclosure_marshal_VOID__OBJECTv (/usr/lib64/libgobject-2.0.so.0+0x13276)
    #14 0x7f67b1a0b203  (/usr/lib64/libgobject-2.0.so.0+0x10203)
    #15 0x7f67b1a256b6 in g_signal_emit_valist (/usr/lib64/libgobject-2.0.so.0+0x2a6b6)
    #16 0x7f67b1a26026 in g_signal_emit (/usr/lib64/libgobject-2.0.so.0+0x2b026)
    #17 0x7f67b21047cb in gst_element_add_pad /f/gstreamer/gstreamer/gst/gstelement.c:713:3
    #18 0x7f67a36ce46b in gst_matroska_demux_add_stream /f/gstreamer/gst-plugins-good/gst/matroska/matroska-demux.c:1350:3
    #19 0x7f67a36b00e6 in gst_matroska_demux_parse_tracks /f/gstreamer/gst-plugins-good/gst/matroska/matroska-demux.c:2520:15
    #20 0x7f67a36b00e6 in gst_matroska_demux_parse_id /f/gstreamer/gst-plugins-good/gst/matroska/matroska-demux.c:4422
    #21 0x7f67a36dc386 in gst_matroska_demux_parse_contents_seekentry /f/gstreamer/gst-plugins-good/gst/matroska/matroska-demux.c:4042:15
    #22 0x7f67a36af8b7 in gst_matroska_demux_parse_contents /f/gstreamer/gst-plugins-good/gst/matroska/matroska-demux.c:4091:15
    #23 0x7f67a36af8b7 in gst_matroska_demux_parse_id /f/gstreamer/gst-plugins-good/gst/matroska/matroska-demux.c:4544
    #24 0x7f67a36a7f2a in gst_matroska_demux_loop /f/gstreamer/gst-plugins-good/gst/matroska/matroska-demux.c:4683:9
    #25 0x7f67b224a5c3 in gst_task_func /f/gstreamer/gstreamer/gst/gsttask.c:334:5
    #26 0x7f67b1557867  (/usr/lib64/libglib-2.0.so.0+0x70867)
    #27 0x7f67b1556ed4  (/usr/lib64/libglib-2.0.so.0+0x6fed4)
    #28 0x7f67b0ec6443 in start_thread (/lib64/libpthread.so.0+0x7443)
    #29 0x7f67b09f592c in clone (/lib64/libc.so.6+0xe792c)

0x60400001dfbd is located 0 bytes to the right of 45-byte region [0x60400001df90,0x60400001dfbd)
allocated by thread T3 (matroskademux0:) here:
    #0 0x4d53d8 in malloc (/usr/bin/gst-launch-1.0+0x4d53d8)
    #1 0x7f67b15363a8 in g_malloc (/usr/lib64/libglib-2.0.so.0+0x4f3a8)

Thread T3 (matroskademux0:) created by T1 (typefind:sink) here:
    #0 0x42e81d in __interceptor_pthread_create (/usr/bin/gst-launch-1.0+0x42e81d)
    #1 0x7f67b1574adf  (/usr/lib64/libglib-2.0.so.0+0x8dadf)

Thread T1 (typefind:sink) created by T0 here:
    #0 0x42e81d in __interceptor_pthread_create (/usr/bin/gst-launch-1.0+0x42e81d)
    #1 0x7f67b1574adf  (/usr/lib64/libglib-2.0.so.0+0x8dadf)
Comment 1 Sebastian Dröge (slomo) 2016-11-23 08:53:50 UTC
Created attachment 340581
h264parse: Ensure codec_data has the required size when reading number of SPS
Comment 2 Sebastian Dröge (slomo) 2016-11-23 08:53:55 UTC
Created attachment 340582
h265parse: Ensure codec_data has the required size when reading number of NAL arrays
Comment 3 Sebastian Dröge (slomo) 2016-11-23 08:59:57 UTC
Attachment 340581 pushed as 1dbfef9 - h264parse: Ensure codec_data has the required size when reading number of SPS
Attachment 340582 pushed as 43736e5 - h265parse: Ensure codec_data has the required size when reading number of NAL arrays
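An added example, not GStreamer's code or the committed patch: a bounds-checked walk over the avcC codec_data layout that gst_h264_parse_set_caps() consumes, with the size check before reading the PPS count that the reported off-by-one calls for. The avcC layout (from the AVC file format specification) and the two constructed records are this example's assumptions.

```c
#include <stdint.h>
#include <stdio.h>

typedef struct { unsigned num_sps, num_pps; size_t end; } avcc_info;
/* Advance *off past `count` length-prefixed NAL units, refusing any read
 * that would fall outside data[0..size). Returns 0 on success, -1 on error. */
static int skip_nals(const uint8_t *data, size_t size, size_t *off, unsigned count)
{
    unsigned i, n;
    for (i = 0; i < count; i++) {
        if (*off + 2 > size) return -1;          /* 16-bit NAL length field */
        n = (data[*off] << 8) | data[*off + 1];
        *off += 2;
        if (n > size - *off) return -1;          /* NAL payload */
        *off += n;
    }
    return 0;
}

/* Parse an avcC record: 6-byte fixed header, 5-bit SPS count, SPS NALs,
 * 8-bit PPS count, PPS NALs. Returns 0 on success, -1 if the data is short. */
int parse_avcc(const uint8_t *data, size_t size, avcc_info *out)
{
    size_t off = 6;                              /* skip the fixed header */
    if (size < 7) return -1;                     /* header plus at least numPPS */
    out->num_sps = data[5] & 0x1f;
    if (skip_nals(data, size, &off, out->num_sps)) return -1;
    /* The reported off-by-one: when the SPS list consumes the buffer exactly,
     * off == size and reading numPPS is one byte past the allocation. */
    if (off >= size) return -1;
    out->num_pps = data[off++];
    if (skip_nals(data, size, &off, out->num_pps)) return -1;
    out->end = off;
    return 0;
}

/* Constructed inputs (not the attached PoC): a well-formed record with one
 * 4-byte SPS and one 2-byte PPS, and a truncated one whose single SPS runs
 * exactly to the end of the buffer, leaving no byte for the PPS count. */
static const uint8_t good_avcc[] = { 0x01, 0x64, 0x00, 0x1f, 0xff, 0xe1,
    0x00, 0x04, 0x67, 0x64, 0x00, 0x1f, 0x01, 0x00, 0x02, 0x68, 0xee };
static const uint8_t bad_avcc[]  = { 0x01, 0x64, 0x00, 0x1f, 0xff, 0xe1,
    0x00, 0x04, 0x67, 0x64, 0x00, 0x1f };

int main(void)
{
    avcc_info info;
    printf("good: %d\n", parse_avcc(good_avcc, sizeof good_avcc, &info)); /* 0 */
    printf("bad:  %d\n", parse_avcc(bad_avcc, sizeof bad_avcc, &info));   /* -1 */
}
```

Run under AddressSanitizer, the truncated record is rejected at the `off >= size` check instead of producing the heap-buffer-overflow read shown in the report.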