GNOME Bugzilla – Bug 775451
qtdemux: out of bounds read in qtdemux_tag_add_str_full
Last modified: 2017-02-14 06:20:36 UTC
Created attachment 341135 [details]
poc file

Note: Based on the stack trace this involves both code from gst-plugins-good and -base, so it may be in the wrong category.

The attached file causes an out of bounds heap memory read. Found with afl, current git.

==22354==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x620000072f37 at pc 0x7f6b9579cc89 bp 0x7f6b870610b0 sp 0x7f6b870610a8
READ of size 1 at 0x620000072f37 thread T2 (qtdemux0:sink)
    #0 0x7f6b9579cc88 in gst_tag_freeform_string_to_utf8 /f/gstreamer/gst-plugins-base/gst-libs/gst/tag/tags.c:400:22
    #1 0x7f6b875d0604 in qtdemux_tag_add_str_full /f/gstreamer/gst-plugins-good/gst/isomp4/qtdemux.c:11797:11
    #2 0x7f6b875ad93d in qtdemux_parse_udta /f/gstreamer/gst-plugins-good/gst/isomp4/qtdemux.c:12438:9
    #3 0x7f6b87574c6e in qtdemux_parse_tree /f/gstreamer/gst-plugins-good/gst/isomp4/qtdemux.c:12803:5
    #4 0x7f6b875658ed in gst_qtdemux_loop_state_header /f/gstreamer/gst-plugins-good/gst/isomp4/qtdemux.c:4221:7
    #5 0x7f6b875658ed in gst_qtdemux_loop /f/gstreamer/gst-plugins-good/gst/isomp4/qtdemux.c:5753
    #6 0x7f6b94d8f5d3 in gst_task_func /f/gstreamer/gstreamer/gst/gsttask.c:334:5
    #7 0x7f6b93f8c627 (/usr/lib64/libglib-2.0.so.0+0x72627)
    #8 0x7f6b93f8bc94 (/usr/lib64/libglib-2.0.so.0+0x71c94)
    #9 0x7f6b93a08453 in start_thread (/lib64/libpthread.so.0+0x7453)
    #10 0x7f6b935385dc in clone (/lib64/libc.so.6+0xe75dc)

AddressSanitizer can not describe address in more detail (wild memory access suspected).
SUMMARY: AddressSanitizer: heap-buffer-overflow /f/gstreamer/gst-plugins-base/gst-libs/gst/tag/tags.c:400:22 in gst_tag_freeform_string_to_utf8
valgrind is also unhappy about this, fwiw
commit d0949baf3dadea6021d54abef6802fed5a06af75
Author: Sebastian Dröge <sebastian@centricular.com>
Date:   Thu Dec 1 13:32:22 2016 +0200

    qtdemux: Fix out of bounds read in tag parsing code

    We can't simply assume that the length of the tag value as given inside
    the stream is correct but should also check against the amount of data
    we have actually available.

    https://bugzilla.gnome.org/show_bug.cgi?id=775451
Will backport to 1.10 in a bit
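As an added illustration of the check the commit message describes (example code written for this page, not GStreamer's or qtdemux's own; the tag layout, the constructed sample bytes and the function names are assumptions): the declared length of a tag value is validated against the bytes actually present before anything reads the value.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical minimal tag layout, an assumption for this example and not
 * qtdemux's real structures (loosely modelled on an ISO BMFF box):
 *   bytes 0..3  big-endian length of the whole tag, header included
 *   bytes 4..7  four-character tag type
 *   bytes 8..   tag value, a free-form string */
#define TAG_HDR_LEN 8

static uint32_t read_be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Number of value bytes really present in the buffer, or -1 if the tag is
 * malformed or truncated. Trusting the declared length alone is the bug the
 * commit describes: a tag claiming 4096 bytes inside a 13-byte buffer would
 * send the string converter reading past the end of the heap allocation. */
long tag_value_len_checked(const uint8_t *buf, size_t avail) {
    if (buf == NULL || avail < TAG_HDR_LEN)
        return -1;                  /* not even a complete header */
    uint32_t declared = read_be32(buf);
    if (declared < TAG_HDR_LEN)     /* length must at least cover the header */
        return -1;
    if (declared > avail)           /* the check the fix adds: compare with real data */
        return -1;
    return (long)(declared - TAG_HDR_LEN);
}

/* Copy the tag value into out as a NUL-terminated string.
 * Returns 0 on success, -1 on a bad tag or a too-small out buffer. */
int tag_copy_value(const uint8_t *buf, size_t avail, char *out, size_t out_len) {
    long n = tag_value_len_checked(buf, avail);
    if (n < 0 || (size_t)n >= out_len)
        return -1;
    memcpy(out, buf + TAG_HDR_LEN, (size_t)n);
    out[n] = '\0';
    return 0;
}
```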
This is CVE-2016-10199