Bug 775450 - (CVE-2016-10198) aacparse: invalid memory read in gst_aac_parse_sink_setcaps
Status: RESOLVED FIXED
Product: GStreamer
Classification: Platform
Component: gst-plugins-good
Version: git master
OS: Other Linux
Importance: Normal normal
Target Milestone: 1.10.3
Assigned To: GStreamer Maintainers
QA Contact: GStreamer Maintainers
Depends on:
Blocks:
Reported: 2016-12-01 10:32 UTC by Hanno Böck
Modified: 2017-02-14 06:19 UTC
See Also:
GNOME target: ---
GNOME version: ---


Attachments
poc file (3.55 KB, audio/aac)
2016-12-01 10:32 UTC, Hanno Böck
Description Hanno Böck 2016-12-01 10:32:35 UTC
Created attachment 341134 [details]
poc file

The attached file causes an invalid memory read. Found with afl, current git.

asan error:
==14926==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7fc5b05fd9ff bp 0x7fc5b1060270 sp 0x7fc5b10600c0 T2)
==14926==The signal is caused by a READ memory access.
==14926==Hint: address points to the zero page.
    #0 0x7fc5b05fd9fe in gst_aac_parse_sink_setcaps /f/gstreamer/gst-plugins-good/gst/audioparsers/gstaacparse.c:315:18
    #1 0x7fc5bf22f5fa in gst_base_parse_sink_event_default /f/gstreamer/gstreamer/libs/gst/base/gstbaseparse.c:1186:15
    #2 0x7fc5bed0d70d in gst_pad_send_event_unchecked /f/gstreamer/gstreamer/gst/gstpad.c:5609:14
    #3 0x7fc5beceb3cd in gst_pad_send_event /f/gstreamer/gstreamer/gst/gstpad.c:5779:7
    #4 0x7fc5b37f3c2d in send_sticky_event /f/gstreamer/gst-plugins-base/gst/playback/gstdecodebin2.c:1961:9
    #5 0x7fc5bed10409 in foreach_dispatch_function /f/gstreamer/gstreamer/gst/gstpad.c:5878:11
    #6 0x7fc5becf4d44 in events_foreach /f/gstreamer/gstreamer/gst/gstpad.c:603:11
    #7 0x7fc5bed10215 in gst_pad_sticky_events_foreach /f/gstreamer/gstreamer/gst/gstpad.c:5909:3
    #8 0x7fc5b37df9ee in send_sticky_events /f/gstreamer/gst-plugins-base/gst/playback/gstdecodebin2.c:1976:3
    #9 0x7fc5b37df9ee in connect_pad /f/gstreamer/gst-plugins-base/gst/playback/gstdecodebin2.c:2496
    #10 0x7fc5b37df9ee in analyze_new_pad /f/gstreamer/gst-plugins-base/gst/playback/gstdecodebin2.c:1791
    #11 0x7fc5b37f1b80 in pad_added_cb /f/gstreamer/gst-plugins-base/gst/playback/gstdecodebin2.c:2929:7
    #12 0x7fc5bd28301f in ffi_call_unix64 (/usr/lib64/libffi.so.6+0x601f)
    #13 0x7fc5bd282a87 in ffi_call (/usr/lib64/libffi.so.6+0x5a87)
    #14 0x7fc5be2737e3 in g_cclosure_marshal_generic (/usr/lib64/libgobject-2.0.so.0+0x107e3)
    #15 0x7fc5be272fd4 in g_closure_invoke (/usr/lib64/libgobject-2.0.so.0+0xffd4)
    #16 0x7fc5be285320  (/usr/lib64/libgobject-2.0.so.0+0x22320)
    #17 0x7fc5be28ddd4 in g_signal_emit_valist (/usr/lib64/libgobject-2.0.so.0+0x2add4)
    #18 0x7fc5be28e036 in g_signal_emit (/usr/lib64/libgobject-2.0.so.0+0x2b036)
    #19 0x7fc5bec7e7bb in gst_element_add_pad /f/gstreamer/gstreamer/gst/gstelement.c:713:3
    #20 0x7fc5b157af6f in gst_qtdemux_add_stream /f/gstreamer/gst-plugins-good/gst/isomp4/qtdemux.c:7798:5
    #21 0x7fc5b157af6f in qtdemux_expose_streams /f/gstreamer/gst-plugins-good/gst/isomp4/qtdemux.c:11472
    #22 0x7fc5b1568b6f in gst_qtdemux_loop_state_header /f/gstreamer/gst-plugins-good/gst/isomp4/qtdemux.c:4297:11
    #23 0x7fc5b1568b6f in gst_qtdemux_loop /f/gstreamer/gst-plugins-good/gst/isomp4/qtdemux.c:5753
    #24 0x7fc5bedc45d3 in gst_task_func /f/gstreamer/gstreamer/gst/gsttask.c:334:5
    #25 0x7fc5bdfc1627  (/usr/lib64/libglib-2.0.so.0+0x72627)
    #26 0x7fc5bdfc0c94  (/usr/lib64/libglib-2.0.so.0+0x71c94)
    #27 0x7fc5bda3d453 in start_thread (/lib64/libpthread.so.0+0x7453)
    #28 0x7fc5bd56d5dc in clone (/lib64/libc.so.6+0xe75dc)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /f/gstreamer/gst-plugins-good/gst/audioparsers/gstaacparse.c:315:18 in gst_aac_parse_sink_setcaps
Thread T2 (qtdemux0:sink) created by T1 (task2) here:
    #0 0x42e26d in __interceptor_pthread_create (/usr/bin/gst-discoverer-1.0+0x42e26d)
    #1 0x7fc5bdfde95f  (/usr/lib64/libglib-2.0.so.0+0x8f95f)

Thread T1 (task2) created by T0 here:
    #0 0x42e26d in __interceptor_pthread_create (/usr/bin/gst-discoverer-1.0+0x42e26d)
    #1 0x7fc5bdfde95f  (/usr/lib64/libglib-2.0.so.0+0x8f95f)

==14926==ABORTING
Comment 1 Sebastian Dröge (slomo) 2016-12-01 11:39:17 UTC
commit 87a2c140ca54c5128093377e9b25a5c24b346727
Author: Sebastian Dröge <sebastian@centricular.com>
Date:   Thu Dec 1 13:38:16 2016 +0200

    aacparse: Make sure we have enough data in the codec_data to be able to parse it
    
    Also error out cleanly if mapping the buffer failed.
    
    https://bugzilla.gnome.org/show_bug.cgi?id=775450
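The commit message above describes two defensive checks: reject a codec_data buffer that is too short to hold the fields being read, and bail out cleanly if the buffer cannot be mapped. The following C example is added here to illustrate that pattern and is not the project's fix or GStreamer code. It parses the two-byte AAC AudioSpecificConfig (ISO/IEC 14496-3 bit layout: 5-bit audioObjectType, 4-bit samplingFrequencyIndex, 4-bit channelConfiguration) and fails before touching any byte that is not present. The `aac_config` and `codec_buffer` types, the function names and the NULL-buffer stand-in for a failed map are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Fields recovered from a 2-byte AAC AudioSpecificConfig (ISO/IEC 14496-3). */
typedef struct {
    unsigned object_type;       /* audioObjectType, 5 bits */
    unsigned sample_rate_index; /* samplingFrequencyIndex, 4 bits */
    unsigned channel_config;    /* channelConfiguration, 4 bits */
    int sample_rate;            /* resolved from the index, 0 if reserved */
} aac_config;

/* Stand-in for a mapped buffer; data == NULL models a failed map (constructed). */
typedef struct {
    const uint8_t *data;
    size_t size;
} codec_buffer;

/* Sample rates indexed by samplingFrequencyIndex; 0 marks reserved/escape values. */
static const int aac_sample_rates[16] = {
    96000, 88200, 64000, 48000, 44100, 32000, 24000, 22050,
    16000, 12000, 11025, 8000, 7350, 0, 0, 0
};

/* Returns 0 on success, -1 if the data is missing or shorter than 2 bytes.
 * Both data[0] and data[1] are read below, so the size check must come first:
 * a 0- or 1-byte codec_data would otherwise read past the end of the buffer. */
int aac_parse_codec_data(const uint8_t *data, size_t size, aac_config *out)
{
    if (data == NULL || out == NULL || size < 2)
        return -1;

    out->object_type       = data[0] >> 3;
    out->sample_rate_index = ((data[0] & 0x07) << 1) | (data[1] >> 7);
    out->channel_config    = (data[1] >> 3) & 0x0F;
    out->sample_rate       = aac_sample_rates[out->sample_rate_index];
    return 0;
}

/* Mirrors the two checks from the commit message: a failed map (NULL data)
 * and insufficient data are both reported as errors instead of being parsed. */
int aac_setcaps_from_buffer(const codec_buffer *buf, aac_config *out)
{
    if (buf == NULL || buf->data == NULL)
        return -1; /* mapping the buffer failed: error out cleanly */
    return aac_parse_codec_data(buf->data, buf->size, out);
}

int main(void)
{
    /* Constructed codec_data for AAC-LC, 44.1 kHz, stereo. */
    static const uint8_t cd[2] = { 0x12, 0x10 };
    codec_buffer good = { cd, sizeof cd };
    codec_buffer truncated = { cd, 1 };
    codec_buffer unmapped = { NULL, 0 };
    aac_config cfg;

    if (aac_setcaps_from_buffer(&good, &cfg) == 0)
        printf("object_type=%u rate=%d channels=%u\n",
               cfg.object_type, cfg.sample_rate, cfg.channel_config);
    printf("truncated -> %d\n", aac_setcaps_from_buffer(&truncated, &cfg));
    printf("unmapped  -> %d\n", aac_setcaps_from_buffer(&unmapped, &cfg));
    return 0;
}
```

The ordering matters: the length check precedes every indexed read, so a fuzzer-generated file carrying an empty or one-byte codec_data is rejected at the boundary rather than reaching the field extraction.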
Comment 2 Sebastian Dröge (slomo) 2016-12-01 11:45:59 UTC
Backport to 1.10 comes in a bit
Comment 3 Salvatore Bonaccorso 2017-02-14 06:19:58 UTC
This is CVE-2016-10198