Bug 777265 – riff: stack overflow in gst_riff_create_audio_caps

After an evaluation, GNOME has moved from Bugzilla to GitLab. Learn more about GitLab.
No new issues can be reported in GNOME Bugzilla anymore.
To report an issue in a GNOME project, go to GNOME GitLab.
Do not go to GNOME Gitlab for: Bluefish, Doxygen, GnuCash, GStreamer, java-gnome, LDTP, NetworkManager, Tomboy.

Bug 777265 - (CVE-2017-5839) riff: stack overflow in gst_riff_create_audio_caps

(CVE-2017-5839)
Summary:	riff: stack overflow in gst_riff_create_audio_caps


Status:	RESOLVED FIXED

Product:	GStreamer
Classification:	Platform
Component:	gst-plugins-base
Version:	unspecified
Hardware:	Other Linux

Importance:	Normal normal
Target Milestone:	1.10.3
Assigned To:	GStreamer Maintainers
QA Contact:	GStreamer Maintainers

URL:
Whiteboard:

Depends on:
Blocks:

Reported:	2017-01-15 09:45 UTC by Hanno Böck
Modified:	2017-02-14 06:22 UTC

See Also:
GNOME target:	---
GNOME version:	---

Attachments
poc file (352 bytes, video/x-msvideo) 2017-01-15 09:45 UTC, Hanno Böck		Details
riff-media: Don't recurse in for nested WAVEFORMATEX (1.36 KB, patch) 2017-01-15 17:44 UTC, Sebastian Dröge (slomo)	committed	Details \| Review

Description Hanno Böck 2017-01-15 09:45:44 UTC

Created attachment 343491 [details]
poc file

An endless recursion leading to a stack overflow:
==10305==ERROR: AddressSanitizer: stack-overflow on address 0x7f9ef214cfe0 (pc 0x7f9effc89a7c bp 0x7f9ef214d230 sp 0x7f9ef214cfe0 T2)
    #0 0x7f9effc89a7b in _get_merged_memory /f/gstreamer/gstreamer/gst/gstbuffer.c:208
    #1 0x7f9effc8f57e in gst_buffer_map_range /f/gstreamer/gstreamer/gst/gstbuffer.c:1732:9
    #2 0x7f9ef2963845 in gst_riff_create_audio_caps /f/gstreamer/gst-plugins-base/gst-libs/gst/riff/riff-media.c:1600:7
    #3 0x7f9ef2965c6f in gst_riff_create_audio_caps /f/gstreamer/gst-plugins-base/gst-libs/gst/riff/riff-media.c:1721:18
    #4 0x7f9ef2965c6f in gst_riff_create_audio_caps /f/gstreamer/gst-plugins-base/gst-libs/gst/riff/riff-media.c:1721:18
    #5 0x7f9ef2965c6f in gst_riff_create_audio_caps /f/gstreamer/gst-plugins-base/gst-libs/gst/riff/riff-media.c:1721:18

Comment 1 Sebastian Dröge (slomo) 2017-01-15 17:28:20 UTC

Confirmed here

Comment 2 Sebastian Dröge (slomo) 2017-01-15 17:42:25 UTC

This recursive call there does not seem to make any sense at all to me. subformat_guid[0] is guint32, codec_id is guint16. It's going to get clipped anyway.

Do we have any files that go into this branch for a valid reason? In any case, following patch would fix it... but it all looks suspicious.

Comment 3 Sebastian Dröge (slomo) 2017-01-15 17:44:16 UTC

Created attachment 343506 [details] [review]
riff-media: Don't recurse in for nested WAVEFORMATEX

There was already a check for that, but it failed because
subformat_guid[0] is a guint32 and that is then casted implicitely to a
guint16 when recursing... just that we checked the uncasted value.

This caused an infinite recursion and thus stack overflow.

Comment 4 Sebastian Dröge (slomo) 2017-01-18 11:11:17 UTC

Attachment 343506 [details] pushed as ef55c8a - riff-media: Don't recurse in for nested WAVEFORMATEX

Comment 5 Salvatore Bonaccorso 2017-02-14 06:22:18 UTC

This is CVE-2017-5839