GNOME Bugzilla – Bug 777502
samiparse: heap oob in html_context_handle_element
Last modified: 2017-02-14 06:23:45 UTC
File: https://samples.mplayerhq.hu/sub/sami/OneNote_Manager.smi
Causes heap oob.

asan error:

==21397==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200003e40f at pc 0x7f7d31ac3ed3 bp 0x7f7d324e5380 sp 0x7f7d324e5378
READ of size 1 at 0x60200003e40f thread T1 (typefind:sink)
    #0 0x7f7d31ac3ed2 in html_context_handle_element /f/gstreamer/gst-plugins-base/gst/subparse/samiparse.c:507:9
    #1 0x7f7d31ac005c in html_context_parse /f/gstreamer/gst-plugins-base/gst/subparse/samiparse.c:550:9
    #2 0x7f7d31ac005c in parse_sami /f/gstreamer/gst-plugins-base/gst/subparse/samiparse.c:881
    #3 0x7f7d31aaf0cc in handle_buffer /f/gstreamer/gst-plugins-base/gst/subparse/gstsubparse.c:1767:16
    #4 0x7f7d31aaf0cc in gst_sub_parse_chain /f/gstreamer/gst-plugins-base/gst/subparse/gstsubparse.c:1831
    #5 0x7f7d3dd97277 in gst_pad_chain_data_unchecked /f/gstreamer/gstreamer/gst/gstpad.c:4204:11
    #6 0x7f7d3dd9aa47 in gst_pad_push_data /f/gstreamer/gstreamer/gst/gstpad.c:4456:9
    #7 0x7f7d3dd9a0bf in gst_pad_push /f/gstreamer/gstreamer/gst/gstpad.c:4575:9
    #8 0x7f7d325f8429 in gst_type_find_element_loop /f/gstreamer/gstreamer/plugins/elements/gsttypefindelement.c:1186:11
    #9 0x7f7d3de61883 in gst_task_func /f/gstreamer/gstreamer/gst/gsttask.c:334:5
    #10 0x7f7d3d05eb2d in g_thread_pool_thread_proxy /var/tmp/portage/dev-libs/glib-2.50.2/work/glib-2.50.2/glib/gthreadpool.c:307
    #11 0x7f7d3d05e154 in g_thread_proxy /var/tmp/portage/dev-libs/glib-2.50.2/work/glib-2.50.2/glib/gthread.c:784
    #12 0x7f7d3cadc453 in start_thread (/lib64/libpthread.so.0+0x7453)
    #13 0x7f7d3c60c5dc in clone (/lib64/libc.so.6+0xe75dc)

0x60200003e40f is located 1 bytes to the left of 1-byte region [0x60200003e410,0x60200003e411)
allocated by thread T1 (typefind:sink) here:
    #0 0x4cbbb8 in malloc (/usr/bin/gst-discoverer-1.0+0x4cbbb8)
    #1 0x7f7d3d03c768 in g_malloc /var/tmp/portage/dev-libs/glib-2.50.2/work/glib-2.50.2/glib/gmem.c:94
    #2 0x7f7d3d056097 in g_strndup /var/tmp/portage/dev-libs/glib-2.50.2/work/glib-2.50.2/glib/gstrfuncs.c:425
    #3 0x7f7d31ac3b05 in string_token /f/gstreamer/gst-plugins-base/gst/subparse/samiparse.c:458:14
    #4 0x7f7d31ac3b05 in html_context_handle_element /f/gstreamer/gst-plugins-base/gst/subparse/samiparse.c:497
    #5 0x7f7d31ac005c in html_context_parse /f/gstreamer/gst-plugins-base/gst/subparse/samiparse.c:550:9
    #6 0x7f7d31ac005c in parse_sami /f/gstreamer/gst-plugins-base/gst/subparse/samiparse.c:881
    #7 0x7f7d31aaf0cc in handle_buffer /f/gstreamer/gst-plugins-base/gst/subparse/gstsubparse.c:1767:16
    #8 0x7f7d31aaf0cc in gst_sub_parse_chain /f/gstreamer/gst-plugins-base/gst/subparse/gstsubparse.c:1831
    #9 0x7f7d3dd97277 in gst_pad_chain_data_unchecked /f/gstreamer/gstreamer/gst/gstpad.c:4204:11
    #10 0x7f7d3dd9aa47 in gst_pad_push_data /f/gstreamer/gstreamer/gst/gstpad.c:4456:9
    #11 0x7f7d3dd9a0bf in gst_pad_push /f/gstreamer/gstreamer/gst/gstpad.c:4575:9
    #12 0x7f7d325f8429 in gst_type_find_element_loop /f/gstreamer/gstreamer/plugins/elements/gsttypefindelement.c:1186:11
    #13 0x7f7d3de61883 in gst_task_func /f/gstreamer/gstreamer/gst/gsttask.c:334:5
    #14 0x7f7d3d05eb2d in g_thread_pool_thread_proxy /var/tmp/portage/dev-libs/glib-2.50.2/work/glib-2.50.2/glib/gthreadpool.c:307
    #15 0x7f7d3d05e154 in g_thread_proxy /var/tmp/portage/dev-libs/glib-2.50.2/work/glib-2.50.2/glib/gthread.c:784
    #16 0x7f7d3cadc453 in start_thread (/lib64/libpthread.so.0+0x7453)
    #17 0x7f7d3c60c5dc in clone (/lib64/libc.so.6+0xe75dc)

Thread T1 (typefind:sink) created by T0 here:
    #0 0x42df2d in __interceptor_pthread_create (/usr/bin/gst-discoverer-1.0+0x42df2d)
    #1 0x7f7d3d07b1bf in g_system_thread_new /var/tmp/portage/dev-libs/glib-2.50.2/work/glib-2.50.2/glib/gthread-posix.c:1170

SUMMARY: AddressSanitizer: heap-buffer-overflow /f/gstreamer/gst-plugins-base/gst/subparse/samiparse.c:507:9 in html_context_handle_element

Created attachment 343860
samiparse: Check that the string has a non-zero length before overwriting the last byte with '\0'

Attachment 343860 pushed as d894c19 - samiparse: Check that the string has a non-zero length before overwriting the last byte with '\0'
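
The pattern named in the patch title, as an added example that is not the gst-plugins-base source: a zero-length string occupies a 1-byte allocation holding only the terminator, so indexing its "last byte" at `len - 1` lands one byte before the buffer, which matches the ASan report above. The function names and the trailing-quote condition are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helpers, not taken from samiparse.c. Both drop one trailing
 * quote character from a heap-allocated attribute value, in place. */

/* Unchecked form, shown for comparison only: for value == "" strlen() is 0,
 * so value[len - 1] is the byte before the 1-byte allocation. main() below
 * never calls it. */
void strip_trailing_quote_unchecked(char *value)
{
    size_t len = strlen(value);
    if (value[len - 1] == '"' || value[len - 1] == '\'')
        value[len - 1] = '\0';
}

/* Checked form: confirm the string is non-empty before touching its
 * last byte. */
void strip_trailing_quote(char *value)
{
    size_t len = strlen(value);
    if (len > 0 && (value[len - 1] == '"' || value[len - 1] == '\''))
        value[len - 1] = '\0';
}

/* Copy s into an exactly sized heap buffer, strip it with the checked
 * form, and return the result. The caller frees it. */
char *stripped_copy(const char *s)
{
    char *v = malloc(strlen(s) + 1);
    if (v == NULL)
        return NULL;
    strcpy(v, s);
    strip_trailing_quote(v);
    return v;
}

int main(void)
{
    /* Constructed sample values; the last one is the empty-string case. */
    const char *samples[] = { "red\"", "red", "'", "" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        char *v = stripped_copy(samples[i]);
        if (v == NULL)
            return 1;
        printf("[%s] -> [%s]\n", samples[i], v);
        free(v);
    }
    return 0;
}
```

Building a parser like this with `-fsanitize=address` and feeding it empty attribute values is a cheap regression check for this class of off-by-one read.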