[Bug 775450] New: aac invalid memory read in gst_aac_parse_sink_setcaps
"GStreamer" (GNOME Bugzilla)
2016-12-01 10:32:35 UTC
https://bugzilla.gnome.org/show_bug.cgi?id=775450

Bug ID: 775450
Summary: aac invalid memory read in gst_aac_parse_sink_setcaps
Classification: Platform
Product: GStreamer
Version: git master
OS: Linux
Status: NEW
Severity: normal
Priority: Normal
Component: gst-plugins-good
Assignee: gstreamer-***@lists.freedesktop.org
Reporter: ***@hboeck.de
QA Contact: gstreamer-***@lists.freedesktop.org
GNOME version: ---

Created attachment 341134
--> https://bugzilla.gnome.org/attachment.cgi?id=341134&action=edit
poc file

The attached file causes an invalid memory read. Found with afl, current git.

asan error:
==14926==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc
0x7fc5b05fd9ff bp 0x7fc5b1060270 sp 0x7fc5b10600c0 T2)
==14926==The signal is caused by a READ memory access.
==14926==Hint: address points to the zero page.
#0 0x7fc5b05fd9fe in gst_aac_parse_sink_setcaps
/f/gstreamer/gst-plugins-good/gst/audioparsers/gstaacparse.c:315:18
#1 0x7fc5bf22f5fa in gst_base_parse_sink_event_default
/f/gstreamer/gstreamer/libs/gst/base/gstbaseparse.c:1186:15
#2 0x7fc5bed0d70d in gst_pad_send_event_unchecked
/f/gstreamer/gstreamer/gst/gstpad.c:5609:14
#3 0x7fc5beceb3cd in gst_pad_send_event
/f/gstreamer/gstreamer/gst/gstpad.c:5779:7
#4 0x7fc5b37f3c2d in send_sticky_event
/f/gstreamer/gst-plugins-base/gst/playback/gstdecodebin2.c:1961:9
#5 0x7fc5bed10409 in foreach_dispatch_function
/f/gstreamer/gstreamer/gst/gstpad.c:5878:11
#6 0x7fc5becf4d44 in events_foreach
/f/gstreamer/gstreamer/gst/gstpad.c:603:11
#7 0x7fc5bed10215 in gst_pad_sticky_events_foreach
/f/gstreamer/gstreamer/gst/gstpad.c:5909:3
#8 0x7fc5b37df9ee in send_sticky_events
/f/gstreamer/gst-plugins-base/gst/playback/gstdecodebin2.c:1976:3
#9 0x7fc5b37df9ee in connect_pad
/f/gstreamer/gst-plugins-base/gst/playback/gstdecodebin2.c:2496
#10 0x7fc5b37df9ee in analyze_new_pad
/f/gstreamer/gst-plugins-base/gst/playback/gstdecodebin2.c:1791
#11 0x7fc5b37f1b80 in pad_added_cb
/f/gstreamer/gst-plugins-base/gst/playback/gstdecodebin2.c:2929:7
#12 0x7fc5bd28301f in ffi_call_unix64 (/usr/lib64/libffi.so.6+0x601f)
#13 0x7fc5bd282a87 in ffi_call (/usr/lib64/libffi.so.6+0x5a87)
#14 0x7fc5be2737e3 in g_cclosure_marshal_generic
(/usr/lib64/libgobject-2.0.so.0+0x107e3)
#15 0x7fc5be272fd4 in g_closure_invoke
(/usr/lib64/libgobject-2.0.so.0+0xffd4)
#16 0x7fc5be285320 (/usr/lib64/libgobject-2.0.so.0+0x22320)
#17 0x7fc5be28ddd4 in g_signal_emit_valist
(/usr/lib64/libgobject-2.0.so.0+0x2add4)
#18 0x7fc5be28e036 in g_signal_emit
(/usr/lib64/libgobject-2.0.so.0+0x2b036)
#19 0x7fc5bec7e7bb in gst_element_add_pad
/f/gstreamer/gstreamer/gst/gstelement.c:713:3
#20 0x7fc5b157af6f in gst_qtdemux_add_stream
/f/gstreamer/gst-plugins-good/gst/isomp4/qtdemux.c:7798:5
#21 0x7fc5b157af6f in qtdemux_expose_streams
/f/gstreamer/gst-plugins-good/gst/isomp4/qtdemux.c:11472
#22 0x7fc5b1568b6f in gst_qtdemux_loop_state_header
/f/gstreamer/gst-plugins-good/gst/isomp4/qtdemux.c:4297:11
#23 0x7fc5b1568b6f in gst_qtdemux_loop
/f/gstreamer/gst-plugins-good/gst/isomp4/qtdemux.c:5753
#24 0x7fc5bedc45d3 in gst_task_func
/f/gstreamer/gstreamer/gst/gsttask.c:334:5
#25 0x7fc5bdfc1627 (/usr/lib64/libglib-2.0.so.0+0x72627)
#26 0x7fc5bdfc0c94 (/usr/lib64/libglib-2.0.so.0+0x71c94)
#27 0x7fc5bda3d453 in start_thread (/lib64/libpthread.so.0+0x7453)
#28 0x7fc5bd56d5dc in clone (/lib64/libc.so.6+0xe75dc)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV
/f/gstreamer/gst-plugins-good/gst/audioparsers/gstaacparse.c:315:18 in
gst_aac_parse_sink_setcaps
Thread T2 (qtdemux0:sink) created by T1 (task2) here:
#0 0x42e26d in __interceptor_pthread_create
(/usr/bin/gst-discoverer-1.0+0x42e26d)
#1 0x7fc5bdfde95f (/usr/lib64/libglib-2.0.so.0+0x8f95f)

Thread T1 (task2) created by T0 here:
#0 0x42e26d in __interceptor_pthread_create
(/usr/bin/gst-discoverer-1.0+0x42e26d)
#1 0x7fc5bdfde95f (/usr/lib64/libglib-2.0.so.0+0x8f95f)

==14926==ABORTING
--
You are receiving this mail because:
You are the QA Contact for the bug.
You are the assignee for the bug.
"GStreamer" (GNOME Bugzilla)
2016-12-01 11:03:10 UTC
https://bugzilla.gnome.org/show_bug.cgi?id=775450

Sebastian Dröge (slomo) <***@coaxion.net> changed:

What |Removed |Added
----------------------------------------------------------------------------
CC| |***@coaxion.net
"GStreamer" (GNOME Bugzilla)
2016-12-01 11:39:17 UTC
https://bugzilla.gnome.org/show_bug.cgi?id=775450

Sebastian Dröge (slomo) <***@coaxion.net> changed:

What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |RESOLVED
Resolution|--- |FIXED

--- Comment #1 from Sebastian Dröge (slomo) <***@coaxion.net> ---
commit 87a2c140ca54c5128093377e9b25a5c24b346727
Author: Sebastian Dröge <***@centricular.com>
Date: Thu Dec 1 13:38:16 2016 +0200

aacparse: Make sure we have enough data in the codec_data to be able to
parse it

Also error out cleanly if mapping the buffer failed.

https://bugzilla.gnome.org/show_bug.cgi?id=775450
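The fix in comment #1 names two guards: make sure codec_data holds enough bytes before parsing it, and error out cleanly when mapping the buffer fails. The C below is an added illustration written for this page, not GStreamer's code and not the actual commit: a bounds-checked reader for the leading fields of an AAC AudioSpecificConfig (the ISO/IEC 14496-3 layout carried in AAC codec_data: 5-bit object type, 4-bit sampling-frequency index with a 24-bit explicit-rate escape, 4-bit channel configuration) behind a setcaps-style wrapper. The `codec_data_t` type and its `mappable` flag are hypothetical stand-ins for a GstBuffer and the outcome of mapping it; the sample byte strings are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Bounds-checked MSB-first bit reader: every read is refused when the
 * buffer runs out, so a short codec_data can never be over-read. */
typedef struct {
    const uint8_t *data;
    size_t bits_total;
    size_t pos;
} bitreader_t;

static int br_read(bitreader_t *br, unsigned nbits, uint32_t *out)
{
    uint32_t v = 0;
    if (nbits > 32 || br->pos + nbits > br->bits_total)
        return 0;                               /* not enough data */
    for (unsigned i = 0; i < nbits; i++, br->pos++) {
        unsigned bit = (br->data[br->pos / 8] >> (7 - (br->pos % 8))) & 1u;
        v = (v << 1) | bit;
    }
    *out = v;
    return 1;
}

typedef struct {
    uint32_t object_type;
    uint32_t sample_rate_idx;
    uint32_t sample_rate;     /* explicit rate when idx == 15, else 0 */
    uint32_t channel_config;
} asc_t;

enum { ASC_OK = 0, ASC_ERR_NO_DATA = -1, ASC_ERR_TOO_SHORT = -2 };

/* Parse the leading AudioSpecificConfig fields; the length is variable
 * (escapes for object type 31 and sampling index 15), so a fixed minimum
 * size check alone is not enough and each read is checked. */
int asc_parse(const uint8_t *data, size_t len, asc_t *out)
{
    bitreader_t br = { data, len * 8, 0 };
    uint32_t v;
    if (data == NULL || out == NULL) return ASC_ERR_NO_DATA;
    memset(out, 0, sizeof *out);
    if (!br_read(&br, 5, &out->object_type)) return ASC_ERR_TOO_SHORT;
    if (out->object_type == 31) {               /* escape: 6 more bits + 32 */
        if (!br_read(&br, 6, &v)) return ASC_ERR_TOO_SHORT;
        out->object_type = 32 + v;
    }
    if (!br_read(&br, 4, &out->sample_rate_idx)) return ASC_ERR_TOO_SHORT;
    if (out->sample_rate_idx == 15) {           /* escape: explicit 24-bit rate */
        if (!br_read(&br, 24, &out->sample_rate)) return ASC_ERR_TOO_SHORT;
    }
    if (!br_read(&br, 4, &out->channel_config)) return ASC_ERR_TOO_SHORT;
    return ASC_OK;
}

/* Hypothetical stand-in for the caps "codec_data" buffer (not GstBuffer);
 * `mappable` simulates whether mapping the buffer for reading succeeds. */
typedef struct { const uint8_t *data; size_t len; int mappable; } codec_data_t;

/* Setcaps-style wrapper: the two guards from the commit message run before
 * any byte is touched. Returns 1 on success, 0 on a clean failure. */
int setcaps_codec_data(const codec_data_t *cd, asc_t *out)
{
    if (cd == NULL || !cd->mappable) return 0;  /* mapping failed: error out */
    if (cd->len < 2) return 0;                  /* fewer than the 13 bits needed */
    return asc_parse(cd->data, cd->len, out) == ASC_OK;
}

/* Constructed samples: AAC-LC, index 4 (44.1 kHz), stereo; and AAC-LC with
 * an explicit 48000 Hz rate, stereo (37 bits, 5 bytes). */
static const uint8_t ASC_LC_44K_STEREO[]  = { 0x12, 0x10 };
static const uint8_t ASC_LC_48K_EXPLICIT[] = { 0x17, 0x80, 0x5D, 0xC0, 0x10 };

/* Small helpers returning scalars so results can be checked by name. */
int asc_status(const uint8_t *data, size_t len)
{
    asc_t t;
    return asc_parse(data, len, &t);
}

int asc_matches(const uint8_t *data, size_t len, uint32_t ot, uint32_t idx,
                uint32_t rate, uint32_t ch)
{
    asc_t t;
    return asc_parse(data, len, &t) == ASC_OK && t.object_type == ot &&
           t.sample_rate_idx == idx && t.sample_rate == rate &&
           t.channel_config == ch;
}

int setcaps_result(const uint8_t *data, size_t len, int mappable)
{
    codec_data_t cd = { data, len, mappable };
    asc_t t;
    return setcaps_codec_data(&cd, &t);
}

int main(void)
{
    asc_t cfg;
    if (asc_parse(ASC_LC_48K_EXPLICIT, sizeof ASC_LC_48K_EXPLICIT, &cfg) == ASC_OK)
        printf("object_type=%u idx=%u rate=%u channels=%u\n", cfg.object_type,
               cfg.sample_rate_idx, cfg.sample_rate, cfg.channel_config);
    printf("truncated to 4 bytes -> status %d\n",
           asc_status(ASC_LC_48K_EXPLICIT, 4));
    printf("unmappable buffer -> setcaps %d\n",
           setcaps_result(ASC_LC_44K_STEREO, 2, 0));
    return 0;
}
```

The truncated 5-byte sample passes a "at least 2 bytes" pre-check yet still fails safely, which is why the per-read bound in the bit reader, not only the up-front size check, is what closes this class of over-read.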
"GStreamer" (GNOME Bugzilla)
2016-12-01 11:45:59 UTC
https://bugzilla.gnome.org/show_bug.cgi?id=775450

Sebastian Dröge (slomo) <***@coaxion.net> changed:

What |Removed |Added
----------------------------------------------------------------------------
Target Milestone|git master |1.11.1
Summary|aac invalid memory read in gst_aac_parse_sink_setcaps |aacparse: invalid memory read in gst_aac_parse_sink_setcaps

--- Comment #2 from Sebastian Dröge (slomo) <***@coaxion.net> ---
Backport to 1.10 comes in a bit
"GStreamer" (GNOME Bugzilla)
2016-12-05 09:12:20 UTC
https://bugzilla.gnome.org/show_bug.cgi?id=775450

Sebastian Dröge (slomo) <***@coaxion.net> changed:

What |Removed |Added
----------------------------------------------------------------------------
Target Milestone|1.11.1 |1.10.3
"GStreamer" (GNOME Bugzilla)
2017-02-14 06:19:12 UTC
https://bugzilla.gnome.org/show_bug.cgi?id=775450

Salvatore Bonaccorso <***@debian.org> changed:

What |Removed |Added
----------------------------------------------------------------------------
CC| |***@debian.org
Alias| |CVE-2016-10198
"GStreamer" (GNOME Bugzilla)
2017-02-14 06:19:58 UTC
https://bugzilla.gnome.org/show_bug.cgi?id=775450

--- Comment #3 from Salvatore Bonaccorso <***@debian.org> ---
This is CVE-2016-10198