Bug 777265 - (CVE-2017-5839) riff: stack overflow in gst_riff_create_audio_caps
Status: RESOLVED FIXED
Product: GStreamer
Classification: Platform
Component: gst-plugins-base
Version: unspecified
Hardware/OS: Other Linux
Priority: Normal
Severity: normal
Target Milestone: 1.10.3
Assigned To: GStreamer Maintainers
QA Contact: GStreamer Maintainers
Depends on:
Blocks:
Reported: 2017-01-15 09:45 UTC by Hanno Böck
Modified: 2017-02-14 06:22 UTC
See Also:
GNOME target: ---
GNOME version: ---


Attachments
poc file (352 bytes, video/x-msvideo), 2017-01-15 09:45 UTC, Hanno Böck
riff-media: Don't recurse in for nested WAVEFORMATEX (1.36 KB, patch), 2017-01-15 17:44 UTC, Sebastian Dröge (slomo), committed

Description Hanno Böck 2017-01-15 09:45:44 UTC
Created attachment 343491
poc file

An endless recursion leading to a stack overflow:
==10305==ERROR: AddressSanitizer: stack-overflow on address 0x7f9ef214cfe0 (pc 0x7f9effc89a7c bp 0x7f9ef214d230 sp 0x7f9ef214cfe0 T2)
    #0 0x7f9effc89a7b in _get_merged_memory /f/gstreamer/gstreamer/gst/gstbuffer.c:208
    #1 0x7f9effc8f57e in gst_buffer_map_range /f/gstreamer/gstreamer/gst/gstbuffer.c:1732:9
    #2 0x7f9ef2963845 in gst_riff_create_audio_caps /f/gstreamer/gst-plugins-base/gst-libs/gst/riff/riff-media.c:1600:7
    #3 0x7f9ef2965c6f in gst_riff_create_audio_caps /f/gstreamer/gst-plugins-base/gst-libs/gst/riff/riff-media.c:1721:18
    #4 0x7f9ef2965c6f in gst_riff_create_audio_caps /f/gstreamer/gst-plugins-base/gst-libs/gst/riff/riff-media.c:1721:18
    #5 0x7f9ef2965c6f in gst_riff_create_audio_caps /f/gstreamer/gst-plugins-base/gst-libs/gst/riff/riff-media.c:1721:18
Comment 1 Sebastian Dröge (slomo) 2017-01-15 17:28:20 UTC
Confirmed here
Comment 2 Sebastian Dröge (slomo) 2017-01-15 17:42:25 UTC
This recursive call there does not seem to make any sense at all to me. subformat_guid[0] is guint32, codec_id is guint16. It's going to get clipped anyway.

Do we have any files that go into this branch for a valid reason? In any case, the following patch would fix it... but it all looks suspicious.
Comment 3 Sebastian Dröge (slomo) 2017-01-15 17:44:16 UTC
Created attachment 343506
riff-media: Don't recurse in for nested WAVEFORMATEX

There was already a check for that, but it failed because
subformat_guid[0] is a guint32 and that is then cast implicitly to a
guint16 when recursing... just that we checked the uncast value.

This caused an infinite recursion and thus stack overflow.
Comment 4 Sebastian Dröge (slomo) 2017-01-18 11:11:17 UTC
Attachment 343506 pushed as ef55c8a - riff-media: Don't recurse in for nested WAVEFORMATEX
Comment 5 Salvatore Bonaccorso 2017-02-14 06:22:18 UTC
This is CVE-2017-5839
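The following C program is an added illustration of the width mismatch described in comment 3; it is constructed model code, not the riff-media.c source and not the committed patch. It models a dispatcher whose codec id parameter is 16 bits wide while the SubFormat GUID word it recurses on is 32 bits wide, so a GUID word such as 0x0001FFFE passes an untruncated comparison against 0xFFFE (the WAVE_FORMAT_EXTENSIBLE tag) and then truncates to 0xFFFE on the call, re-entering the same branch forever. The names create_audio_caps_vuln, create_audio_caps_fixed, demo_vuln, demo_fixed, struct wave_fmt_ext and the MAX_DEPTH cap are assumptions made for the demo; the cap exists so the vulnerable path reports non-termination instead of actually overflowing the stack.

```c
#include <stdint.h>
#include <stdio.h>

/*
 * Constructed model of the bug in comment 3 (not the real riff-media.c code).
 * A WAVEFORMATEX whose codec_id is WAVE_FORMAT_EXTENSIBLE (0xFFFE) carries a
 * SubFormat GUID; the real codec id lives in the GUID's first 32-bit word and
 * the parser recurses on that word through a 16-bit parameter.
 */
#define WAVE_FORMAT_EXTENSIBLE 0xFFFEu
#define MAX_DEPTH 64 /* assumption: cap so the demo returns instead of crashing */

struct wave_fmt_ext {
    uint16_t codec_id;
    uint32_t subformat_guid[4]; /* GUID as four little-endian 32-bit words */
};

/*
 * Vulnerable form. Returns the recursion depth at which parsing stopped, or
 * -1 if it did not terminate within MAX_DEPTH levels (the real code has no
 * cap, so this case is the reported stack overflow).
 */
static int create_audio_caps_vuln(uint16_t codec_id,
                                  const struct wave_fmt_ext *fmt, int depth)
{
    if (depth > MAX_DEPTH)
        return -1;
    if (codec_id == WAVE_FORMAT_EXTENSIBLE) {
        /* Bug: the guard compares the untruncated 32-bit word ... */
        if (fmt->subformat_guid[0] == WAVE_FORMAT_EXTENSIBLE)
            return depth;
        /* ... but the argument is implicitly converted to uint16_t here, so
         * 0x0001FFFE becomes 0xFFFE and we re-enter the same branch. */
        return create_audio_caps_vuln(fmt->subformat_guid[0], fmt, depth + 1);
    }
    return depth; /* any other codec id: ordinary caps creation */
}

/*
 * Fixed form: compare the same 16-bit value that will actually be passed, so
 * a nested "extensible" id is rejected before recursing.
 */
static int create_audio_caps_fixed(uint16_t codec_id,
                                   const struct wave_fmt_ext *fmt, int depth)
{
    if (depth > MAX_DEPTH)
        return -1;
    if (codec_id == WAVE_FORMAT_EXTENSIBLE) {
        uint16_t sub_id = (uint16_t)(fmt->subformat_guid[0] & 0xFFFFu);
        if (sub_id == WAVE_FORMAT_EXTENSIBLE)
            return depth;
        return create_audio_caps_fixed(sub_id, fmt, depth + 1);
    }
    return depth;
}

/* Run each parser on an extensible header whose first GUID word is guid0. */
int demo_vuln(uint32_t guid0)
{
    struct wave_fmt_ext fmt = { WAVE_FORMAT_EXTENSIBLE, { guid0, 0, 0, 0 } };
    return create_audio_caps_vuln(fmt.codec_id, &fmt, 0);
}

int demo_fixed(uint32_t guid0)
{
    struct wave_fmt_ext fmt = { WAVE_FORMAT_EXTENSIBLE, { guid0, 0, 0, 0 } };
    return create_audio_caps_fixed(fmt.codec_id, &fmt, 0);
}

int main(void)
{
    /* Constructed inputs: a PCM subformat id, a plainly nested extensible id,
     * and the upper-bits variant that defeats the unclipped comparison. */
    uint32_t inputs[] = { 0x00000001u, 0x0000FFFEu, 0x0001FFFEu };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++)
        printf("guid0=0x%08x vuln=%d fixed=%d\n", inputs[i],
               demo_vuln(inputs[i]), demo_fixed(inputs[i]));
    return 0;
}
```

The general lesson is the one the commit message states: a guard must inspect the value in the width the callee will receive. Any 32-bit word whose low 16 bits are 0xFFFE and whose high bits are non-zero passes the wide comparison and collapses to the extensible tag on the narrowing call, which is why the fixed form masks before both the comparison and the recursion.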