Bug 777469 - (CVE-2017-5840) qtdemux: out of bounds heap read in qtdemux_parse_samples
Status: RESOLVED FIXED
Product: GStreamer
Classification: Platform
Component: gst-plugins-good
Version: unspecified
Hardware / OS: Other Linux
Priority: Normal
Severity: normal
Target Milestone: 1.10.3
Assigned To: GStreamer Maintainers
QA Contact: GStreamer Maintainers
Depends on:
Blocks:
Reported: 2017-01-18 23:37 UTC by Hanno Böck
Modified: 2017-02-14 06:22 UTC
See Also:
GNOME target: ---
GNOME version: ---

Attachments
poc file (1.52 KB, video/mp4), 2017-01-18 23:37 UTC, Hanno Böck
qtdemux: Increment current stts index in all code paths after reading one chunk (883 bytes, patch), 2017-01-19 05:54 UTC, Sebastian Dröge (slomo), committed
qtdemux: Increment current stts index whenever we finished one stts entry (947 bytes, patch), 2017-01-19 11:53 UTC, Sebastian Dröge (slomo), committed

Description Hanno Böck 2017-01-18 23:37:21 UTC
Created attachment 343753
poc file

Another afl/asan finding.

Stack trace:
==31234==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200002bec0 at pc 0x7f97aa3afd71 bp 0x7f97a9e584c0 sp 0x7f97a9e584b8
READ of size 4 at 0x60200002bec0 thread T2 (qtdemux0:sink)
    #0 0x7f97aa3afd70 in __gst_fast_read_swap32 /usr/include/gstreamer-1.0/gst/gstutils.h:131:10
    #1 0x7f97aa3afd70 in gst_byte_reader_peek_uint32_be_unchecked /usr/include/gstreamer-1.0/gst/base/gstbytereader.h:205
    #2 0x7f97aa3afd70 in gst_byte_reader_get_uint32_be_unchecked /usr/include/gstreamer-1.0/gst/base/gstbytereader.h:205
    #3 0x7f97aa3afd70 in qtdemux_parse_samples /f/gstreamer/gst-plugins-good/gst/isomp4/qtdemux.c:8507
    #4 0x7f97aa3d80db in gst_qtdemux_advance_sample /f/gstreamer/gst-plugins-good/gst/isomp4/qtdemux.c:4928:8
    #5 0x7f97aa35cfba in gst_qtdemux_loop_state_movie /f/gstreamer/gst-plugins-good/gst/isomp4/qtdemux.c:5759:5
    #6 0x7f97aa35cfba in gst_qtdemux_loop /f/gstreamer/gst-plugins-good/gst/isomp4/qtdemux.c:5804
    #7 0x7f97b7bb3883 in gst_task_func /f/gstreamer/gstreamer/gst/gsttask.c:334:5
    #8 0x7f97b6db0b2d in g_thread_pool_thread_proxy /var/tmp/portage/dev-libs/glib-2.50.2/work/glib-2.50.2/glib/gthreadpool.c:307
    #9 0x7f97b6db0154 in g_thread_proxy /var/tmp/portage/dev-libs/glib-2.50.2/work/glib-2.50.2/glib/gthread.c:784
    #10 0x7f97b682e453 in start_thread (/lib64/libpthread.so.0+0x7453)
    #11 0x7f97b635e5dc in clone (/lib64/libc.so.6+0xe75dc)

0x60200002bec0 is located 0 bytes to the right of 16-byte region [0x60200002beb0,0x60200002bec0)
allocated by thread T2 (qtdemux0:sink) here:
    #0 0x4cbbb8 in malloc (/usr/bin/gst-discoverer-1.0+0x4cbbb8)
    #1 0x7f97b6d8e768 in g_malloc /var/tmp/portage/dev-libs/glib-2.50.2/work/glib-2.50.2/glib/gmem.c:94
    #2 0x7f97b6da8057 in g_memdup /var/tmp/portage/dev-libs/glib-2.50.2/work/glib-2.50.2/glib/gstrfuncs.c:391
    #3 0x7f97aa39c776 in qtdemux_stbl_init /f/gstreamer/gst-plugins-good/gst/isomp4/qtdemux.c:8053:23
    #4 0x7f97aa39c776 in qtdemux_parse_trak /f/gstreamer/gst-plugins-good/gst/isomp4/qtdemux.c:11292
    #5 0x7f97aa36bafa in qtdemux_parse_tree /f/gstreamer/gst-plugins-good/gst/isomp4/qtdemux.c:12910:5
    #6 0x7f97aa35cc92 in gst_qtdemux_loop_state_header /f/gstreamer/gst-plugins-good/gst/isomp4/qtdemux.c:4264:7
    #7 0x7f97aa35cc92 in gst_qtdemux_loop /f/gstreamer/gst-plugins-good/gst/isomp4/qtdemux.c:5801
    #8 0x7f97b7bb3883 in gst_task_func /f/gstreamer/gstreamer/gst/gsttask.c:334:5
    #9 0x7f97b6db0b2d in g_thread_pool_thread_proxy /var/tmp/portage/dev-libs/glib-2.50.2/work/glib-2.50.2/glib/gthreadpool.c:307
    #10 0x7f97b6db0154 in g_thread_proxy /var/tmp/portage/dev-libs/glib-2.50.2/work/glib-2.50.2/glib/gthread.c:784
    #11 0x7f97b682e453 in start_thread (/lib64/libpthread.so.0+0x7453)
    #12 0x7f97b635e5dc in clone (/lib64/libc.so.6+0xe75dc)

Thread T2 (qtdemux0:sink) created by T1 (typefind:sink) here:
    #0 0x42df2d in __interceptor_pthread_create (/usr/bin/gst-discoverer-1.0+0x42df2d)
    #1 0x7f97b6dcd1bf in g_system_thread_new /var/tmp/portage/dev-libs/glib-2.50.2/work/glib-2.50.2/glib/gthread-posix.c:1170

Thread T1 (typefind:sink) created by T0 here:
    #0 0x42df2d in __interceptor_pthread_create (/usr/bin/gst-discoverer-1.0+0x42df2d)
    #1 0x7f97b6dcd1bf in g_system_thread_new /var/tmp/portage/dev-libs/glib-2.50.2/work/glib-2.50.2/glib/gthread-posix.c:1170
Comment 1 Sebastian Dröge (slomo) 2017-01-19 05:54:57 UTC
Created attachment 343774
qtdemux: Increment current stts index in all code paths after reading one chunk

Otherwise we could read more chunks than there are available, doing an
out of bounds read and potentially crash.
Comment 2 Sebastian Dröge (slomo) 2017-01-19 10:25:51 UTC
Attachment 343774 pushed as 99d5d75 - qtdemux: Increment current stts index in all code paths after reading one chunk
Comment 3 Sebastian Dröge (slomo) 2017-01-19 11:26:32 UTC
This broke playback of various valid files.
Comment 4 Sebastian Dröge (slomo) 2017-01-19 11:53:23 UTC
Created attachment 343793
qtdemux: Increment current stts index whenever we finished one stts entry

Otherwise we could read more chunks than there are available, doing an
out of bounds read and potentially crash.
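As an added illustration of the invariant the fix restores (constructed example code, not GStreamer's qtdemux), the walker below reads a constructed 16-byte stts table, advances the entry index as soon as one entry's samples are used up, and refuses to fetch an entry past the end of the table instead of reading on; kSttsTable, read_be32 and stts_walk are names chosen here.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed sample table (not from the bug's PoC): two 8-byte stts
 * entries, 16 bytes in total like the region ASan reported.
 * entry 0: sample_count=3, sample_delta=1000; entry 1: 2 samples, delta 500. */
const uint8_t kSttsTable[16] = {
    0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x03, 0xE8,
    0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x01, 0xF4,
};

static uint32_t read_be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Produce up to n_samples decode timestamps from an stts table.
 * The entry index advances as soon as an entry's samples are used up,
 * and each new entry is bounds-checked before it is read.  Returns how
 * many timestamps were produced; fewer than n_samples means the table
 * ended early (the case an unchecked walk turns into a heap over-read). */
size_t stts_walk(const uint8_t *stts, size_t stts_len, size_t n_samples,
                 uint64_t *out) {
    size_t n_entries = stts_len / 8;   /* a trailing partial entry is ignored */
    size_t idx = 0, produced = 0;      /* idx: next entry to fetch */
    uint32_t remaining = 0, delta = 0; /* samples left in the current entry */
    uint64_t ts = 0;
    while (produced < n_samples) {
        if (remaining == 0) {
            if (idx >= n_entries)
                return produced;       /* table exhausted: stop reading */
            remaining = read_be32(stts + idx * 8);
            delta = read_be32(stts + idx * 8 + 4);
            idx++;                     /* entry consumed: always advance */
            if (remaining == 0)
                continue;              /* empty entry yields no samples */
        }
        out[produced++] = ts;
        ts += delta;
        remaining--;
    }
    return produced;
}

int main(void) {
    uint64_t ts[8];                    /* request 7 from a table describing 5 */
    size_t got = stts_walk(kSttsTable, sizeof kSttsTable, 7, ts);
    printf("requested 7, table provides %zu\n", got);
    return got == 5 ? 0 : 1;
}
```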
Comment 5 Sebastian Dröge (slomo) 2017-01-19 12:01:07 UTC
Attachment 343793 pushed as 1ffef8b - qtdemux: Increment current stts index whenever we finished one stts entry
Comment 6 Salvatore Bonaccorso 2017-02-14 06:22:42 UTC
This is CVE-2017-5840