GNOME Bugzilla – Bug 775450
aacparse: invalid memory read in gst_aac_parse_sink_setcaps
Last modified: 2017-02-14 06:19:58 UTC
Created attachment 341134
poc file

The attached file causes an invalid memory read. Found with afl, current git.

asan error:

==14926==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7fc5b05fd9ff bp 0x7fc5b1060270 sp 0x7fc5b10600c0 T2)
==14926==The signal is caused by a READ memory access.
==14926==Hint: address points to the zero page.
    #0 0x7fc5b05fd9fe in gst_aac_parse_sink_setcaps /f/gstreamer/gst-plugins-good/gst/audioparsers/gstaacparse.c:315:18
    #1 0x7fc5bf22f5fa in gst_base_parse_sink_event_default /f/gstreamer/gstreamer/libs/gst/base/gstbaseparse.c:1186:15
    #2 0x7fc5bed0d70d in gst_pad_send_event_unchecked /f/gstreamer/gstreamer/gst/gstpad.c:5609:14
    #3 0x7fc5beceb3cd in gst_pad_send_event /f/gstreamer/gstreamer/gst/gstpad.c:5779:7
    #4 0x7fc5b37f3c2d in send_sticky_event /f/gstreamer/gst-plugins-base/gst/playback/gstdecodebin2.c:1961:9
    #5 0x7fc5bed10409 in foreach_dispatch_function /f/gstreamer/gstreamer/gst/gstpad.c:5878:11
    #6 0x7fc5becf4d44 in events_foreach /f/gstreamer/gstreamer/gst/gstpad.c:603:11
    #7 0x7fc5bed10215 in gst_pad_sticky_events_foreach /f/gstreamer/gstreamer/gst/gstpad.c:5909:3
    #8 0x7fc5b37df9ee in send_sticky_events /f/gstreamer/gst-plugins-base/gst/playback/gstdecodebin2.c:1976:3
    #9 0x7fc5b37df9ee in connect_pad /f/gstreamer/gst-plugins-base/gst/playback/gstdecodebin2.c:2496
    #10 0x7fc5b37df9ee in analyze_new_pad /f/gstreamer/gst-plugins-base/gst/playback/gstdecodebin2.c:1791
    #11 0x7fc5b37f1b80 in pad_added_cb /f/gstreamer/gst-plugins-base/gst/playback/gstdecodebin2.c:2929:7
    #12 0x7fc5bd28301f in ffi_call_unix64 (/usr/lib64/libffi.so.6+0x601f)
    #13 0x7fc5bd282a87 in ffi_call (/usr/lib64/libffi.so.6+0x5a87)
    #14 0x7fc5be2737e3 in g_cclosure_marshal_generic (/usr/lib64/libgobject-2.0.so.0+0x107e3)
    #15 0x7fc5be272fd4 in g_closure_invoke (/usr/lib64/libgobject-2.0.so.0+0xffd4)
    #16 0x7fc5be285320 (/usr/lib64/libgobject-2.0.so.0+0x22320)
    #17 0x7fc5be28ddd4 in g_signal_emit_valist (/usr/lib64/libgobject-2.0.so.0+0x2add4)
    #18 0x7fc5be28e036 in g_signal_emit (/usr/lib64/libgobject-2.0.so.0+0x2b036)
    #19 0x7fc5bec7e7bb in gst_element_add_pad /f/gstreamer/gstreamer/gst/gstelement.c:713:3
    #20 0x7fc5b157af6f in gst_qtdemux_add_stream /f/gstreamer/gst-plugins-good/gst/isomp4/qtdemux.c:7798:5
    #21 0x7fc5b157af6f in qtdemux_expose_streams /f/gstreamer/gst-plugins-good/gst/isomp4/qtdemux.c:11472
    #22 0x7fc5b1568b6f in gst_qtdemux_loop_state_header /f/gstreamer/gst-plugins-good/gst/isomp4/qtdemux.c:4297:11
    #23 0x7fc5b1568b6f in gst_qtdemux_loop /f/gstreamer/gst-plugins-good/gst/isomp4/qtdemux.c:5753
    #24 0x7fc5bedc45d3 in gst_task_func /f/gstreamer/gstreamer/gst/gsttask.c:334:5
    #25 0x7fc5bdfc1627 (/usr/lib64/libglib-2.0.so.0+0x72627)
    #26 0x7fc5bdfc0c94 (/usr/lib64/libglib-2.0.so.0+0x71c94)
    #27 0x7fc5bda3d453 in start_thread (/lib64/libpthread.so.0+0x7453)
    #28 0x7fc5bd56d5dc in clone (/lib64/libc.so.6+0xe75dc)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /f/gstreamer/gst-plugins-good/gst/audioparsers/gstaacparse.c:315:18 in gst_aac_parse_sink_setcaps
Thread T2 (qtdemux0:sink) created by T1 (task2) here:
    #0 0x42e26d in __interceptor_pthread_create (/usr/bin/gst-discoverer-1.0+0x42e26d)
    #1 0x7fc5bdfde95f (/usr/lib64/libglib-2.0.so.0+0x8f95f)

Thread T1 (task2) created by T0 here:
    #0 0x42e26d in __interceptor_pthread_create (/usr/bin/gst-discoverer-1.0+0x42e26d)
    #1 0x7fc5bdfde95f (/usr/lib64/libglib-2.0.so.0+0x8f95f)

==14926==ABORTING
commit 87a2c140ca54c5128093377e9b25a5c24b346727
Author: Sebastian Dröge <sebastian@centricular.com>
Date:   Thu Dec 1 13:38:16 2016 +0200

    aacparse: Make sure we have enough data in the codec_data to be able to parse it

    Also error out cleanly if mapping the buffer failed.

    https://bugzilla.gnome.org/show_bug.cgi?id=775450
Backport to 1.10 comes in a bit
This is CVE-2016-10198
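Added example, not code from GStreamer or from the fix commit: a small C function that decodes the 2-byte core of an AAC AudioSpecificConfig (the blob that travels in codec_data) and shows the two guards the commit message describes. The ASan report above is a read of address 0x0, which is what dereferencing an unmapped or zero-length buffer produces; the function below returns failure for a NULL data pointer (standing in for a failed buffer map) or for fewer bytes than it is about to read, instead of touching them. The bit layout (5-bit audioObjectType, 4-bit samplingFrequencyIndex, 4-bit channelConfiguration) and the sample-rate table are the standard AudioSpecificConfig definition; the function and struct names are this example's own, and the input bytes are constructed.

```c
/* Added example (not GStreamer's code): bounds-checked parsing of the first
 * two bytes of an AAC AudioSpecificConfig, as carried in codec_data. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef struct {
    unsigned object_type;       /* audioObjectType, 5 bits */
    unsigned sample_rate_index; /* samplingFrequencyIndex, 4 bits */
    unsigned sample_rate;       /* resolved from the index table, 0 if unknown */
    unsigned channel_config;    /* channelConfiguration, 4 bits */
} aac_config;

/* samplingFrequencyIndex -> Hz, per the AudioSpecificConfig definition. */
static const unsigned aac_sample_rates[] = {
    96000, 88200, 64000, 48000, 44100, 32000, 24000, 22050,
    16000, 12000, 11025, 8000, 7350
};
#define AAC_RATE_COUNT (sizeof(aac_sample_rates) / sizeof(aac_sample_rates[0]))

/* Returns true on success. Returns false, without reading any byte, when
 * data is NULL (a failed map) or fewer than 2 bytes are available. The
 * escape values (object type 31, frequency index 15) announce a longer
 * encoding that this 2-byte decoder does not handle, so they are rejected
 * rather than read past the end. */
bool parse_aac_codec_data(const uint8_t *data, size_t size, aac_config *out)
{
    if (data == NULL || out == NULL || size < 2)
        return false;

    unsigned object_type = data[0] >> 3;
    unsigned sfi = ((data[0] & 0x07) << 1) | (data[1] >> 7);
    unsigned channel_config = (data[1] >> 3) & 0x0f;

    if (object_type == 31 || sfi == 15)
        return false;

    out->object_type = object_type;
    out->sample_rate_index = sfi;
    out->sample_rate = sfi < AAC_RATE_COUNT ? aac_sample_rates[sfi] : 0;
    out->channel_config = channel_config;
    return true;
}

int main(void)
{
    /* Constructed inputs: a valid AAC-LC 44.1 kHz stereo config, a
     * one-byte blob, a zero-length buffer and a NULL pointer. */
    const uint8_t good[] = { 0x12, 0x10 };
    const uint8_t truncated[] = { 0x12 };
    aac_config cfg;

    if (parse_aac_codec_data(good, sizeof good, &cfg))
        printf("ok: object_type=%u rate=%u channels=%u\n",
               cfg.object_type, cfg.sample_rate, cfg.channel_config);
    printf("truncated: %s\n",
           parse_aac_codec_data(truncated, sizeof truncated, &cfg) ? "parsed" : "rejected");
    printf("empty:     %s\n",
           parse_aac_codec_data(good, 0, &cfg) ? "parsed" : "rejected");
    printf("NULL:      %s\n",
           parse_aac_codec_data(NULL, 0, &cfg) ? "parsed" : "rejected");
    return 0;
}
```

The point of the size check is that it happens before any indexing into the buffer: a caller that checks the map result and then passes the mapped size through gets a clean failure for an empty or short codec_data, which is exactly the case the fuzzer-generated file triggered.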