[Bug 777469] New: qtdemux: out of bounds heap read in qtdemux_parse_samples
"GStreamer" (GNOME Bugzilla)
2017-01-18 23:37:21 UTC
https://bugzilla.gnome.org/show_bug.cgi?id=777469

Bug ID: 777469
Summary: qtdemux: out of bounds heap read in qtdemux_parse_samples
Classification: Platform
Product: GStreamer
Version: unspecified
OS: Linux
Status: NEW
Severity: normal
Priority: Normal
Component: gst-plugins-good
Assignee: gstreamer-***@lists.freedesktop.org
Reporter: ***@hboeck.de
QA Contact: gstreamer-***@lists.freedesktop.org
GNOME version: ---

Created attachment 343753
--> https://bugzilla.gnome.org/attachment.cgi?id=343753&action=edit
poc file

Another afl/asan finding.

Stack trace:
==31234==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x60200002bec0 at pc 0x7f97aa3afd71 bp 0x7f97a9e584c0 sp 0x7f97a9e584b8
READ of size 4 at 0x60200002bec0 thread T2 (qtdemux0:sink)
#0 0x7f97aa3afd70 in __gst_fast_read_swap32
/usr/include/gstreamer-1.0/gst/gstutils.h:131:10
#1 0x7f97aa3afd70 in gst_byte_reader_peek_uint32_be_unchecked
/usr/include/gstreamer-1.0/gst/base/gstbytereader.h:205
#2 0x7f97aa3afd70 in gst_byte_reader_get_uint32_be_unchecked
/usr/include/gstreamer-1.0/gst/base/gstbytereader.h:205
#3 0x7f97aa3afd70 in qtdemux_parse_samples
/f/gstreamer/gst-plugins-good/gst/isomp4/qtdemux.c:8507
#4 0x7f97aa3d80db in gst_qtdemux_advance_sample
/f/gstreamer/gst-plugins-good/gst/isomp4/qtdemux.c:4928:8
#5 0x7f97aa35cfba in gst_qtdemux_loop_state_movie
/f/gstreamer/gst-plugins-good/gst/isomp4/qtdemux.c:5759:5
#6 0x7f97aa35cfba in gst_qtdemux_loop
/f/gstreamer/gst-plugins-good/gst/isomp4/qtdemux.c:5804
#7 0x7f97b7bb3883 in gst_task_func
/f/gstreamer/gstreamer/gst/gsttask.c:334:5
#8 0x7f97b6db0b2d in g_thread_pool_thread_proxy
/var/tmp/portage/dev-libs/glib-2.50.2/work/glib-2.50.2/glib/gthreadpool.c:307
#9 0x7f97b6db0154 in g_thread_proxy
/var/tmp/portage/dev-libs/glib-2.50.2/work/glib-2.50.2/glib/gthread.c:784
#10 0x7f97b682e453 in start_thread (/lib64/libpthread.so.0+0x7453)
#11 0x7f97b635e5dc in clone (/lib64/libc.so.6+0xe75dc)

0x60200002bec0 is located 0 bytes to the right of 16-byte region
[0x60200002beb0,0x60200002bec0)
allocated by thread T2 (qtdemux0:sink) here:
#0 0x4cbbb8 in malloc (/usr/bin/gst-discoverer-1.0+0x4cbbb8)
#1 0x7f97b6d8e768 in g_malloc
/var/tmp/portage/dev-libs/glib-2.50.2/work/glib-2.50.2/glib/gmem.c:94
#2 0x7f97b6da8057 in g_memdup
/var/tmp/portage/dev-libs/glib-2.50.2/work/glib-2.50.2/glib/gstrfuncs.c:391
#3 0x7f97aa39c776 in qtdemux_stbl_init
/f/gstreamer/gst-plugins-good/gst/isomp4/qtdemux.c:8053:23
#4 0x7f97aa39c776 in qtdemux_parse_trak
/f/gstreamer/gst-plugins-good/gst/isomp4/qtdemux.c:11292
#5 0x7f97aa36bafa in qtdemux_parse_tree
/f/gstreamer/gst-plugins-good/gst/isomp4/qtdemux.c:12910:5
#6 0x7f97aa35cc92 in gst_qtdemux_loop_state_header
/f/gstreamer/gst-plugins-good/gst/isomp4/qtdemux.c:4264:7
#7 0x7f97aa35cc92 in gst_qtdemux_loop
/f/gstreamer/gst-plugins-good/gst/isomp4/qtdemux.c:5801
#8 0x7f97b7bb3883 in gst_task_func
/f/gstreamer/gstreamer/gst/gsttask.c:334:5
#9 0x7f97b6db0b2d in g_thread_pool_thread_proxy
/var/tmp/portage/dev-libs/glib-2.50.2/work/glib-2.50.2/glib/gthreadpool.c:307
#10 0x7f97b6db0154 in g_thread_proxy
/var/tmp/portage/dev-libs/glib-2.50.2/work/glib-2.50.2/glib/gthread.c:784
#11 0x7f97b682e453 in start_thread (/lib64/libpthread.so.0+0x7453)
#12 0x7f97b635e5dc in clone (/lib64/libc.so.6+0xe75dc)

Thread T2 (qtdemux0:sink) created by T1 (typefind:sink) here:
#0 0x42df2d in __interceptor_pthread_create
(/usr/bin/gst-discoverer-1.0+0x42df2d)
#1 0x7f97b6dcd1bf in g_system_thread_new
/var/tmp/portage/dev-libs/glib-2.50.2/work/glib-2.50.2/glib/gthread-posix.c:1170

Thread T1 (typefind:sink) created by T0 here:
#0 0x42df2d in __interceptor_pthread_create
(/usr/bin/gst-discoverer-1.0+0x42df2d)
#1 0x7f97b6dcd1bf in g_system_thread_new
/var/tmp/portage/dev-libs/glib-2.50.2/work/glib-2.50.2/glib/gthread-posix.c:1170
--
You are receiving this mail because:
You are the QA Contact for the bug.
You are the assignee for the bug.
"GStreamer" (GNOME Bugzilla)
2017-01-19 05:54:52 UTC
https://bugzilla.gnome.org/show_bug.cgi?id=777469

Sebastian Dröge (slomo) <***@coaxion.net> changed:

What                      |Removed      |Added
----------------------------------------------------------------------------
CC                        |             |***@coaxion.net
"GStreamer" (GNOME Bugzilla)
2017-01-19 05:54:57 UTC
https://bugzilla.gnome.org/show_bug.cgi?id=777469

--- Comment #1 from Sebastian Dröge (slomo) <***@coaxion.net> ---
Created attachment 343774
--> https://bugzilla.gnome.org/attachment.cgi?id=343774&action=edit
qtdemux: Increment current stts index in all code paths after reading one chunk

Otherwise we could read more chunks than there are available, doing an
out of bounds read and potentially crash.
"GStreamer" (GNOME Bugzilla)
2017-01-19 10:25:51 UTC
https://bugzilla.gnome.org/show_bug.cgi?id=777469

Sebastian Dröge (slomo) <***@coaxion.net> changed:

What                      |Removed      |Added
----------------------------------------------------------------------------
Status                    |NEW          |RESOLVED
Resolution                |---          |FIXED

--- Comment #2 from Sebastian Dröge (slomo) <***@coaxion.net> ---
Attachment 343774 pushed as 99d5d75 - qtdemux: Increment current stts index in all code paths after reading one chunk
"GStreamer" (GNOME Bugzilla)
2017-01-19 10:25:54 UTC
https://bugzilla.gnome.org/show_bug.cgi?id=777469

Sebastian Dröge (slomo) <***@coaxion.net> changed:

What                      |Removed      |Added
----------------------------------------------------------------------------
Attachment #343774 status |none         |committed
"GStreamer" (GNOME Bugzilla)
2017-01-19 10:27:09 UTC
https://bugzilla.gnome.org/show_bug.cgi?id=777469

Sebastian Dröge (slomo) <***@coaxion.net> changed:

What                      |Removed      |Added
----------------------------------------------------------------------------
Target Milestone          |git master   |1.11.2
"GStreamer" (GNOME Bugzilla)
2017-01-19 10:27:34 UTC
https://bugzilla.gnome.org/show_bug.cgi?id=777469

Sebastian Dröge (slomo) <***@coaxion.net> changed:

What                      |Removed      |Added
----------------------------------------------------------------------------
Target Milestone          |1.11.2       |1.10.3
"GStreamer" (GNOME Bugzilla)
2017-01-19 11:26:32 UTC
https://bugzilla.gnome.org/show_bug.cgi?id=777469

Sebastian Dröge (slomo) <***@coaxion.net> changed:

What                      |Removed      |Added
----------------------------------------------------------------------------
Status                    |RESOLVED     |REOPENED
Resolution                |FIXED        |---

--- Comment #3 from Sebastian Dröge (slomo) <***@coaxion.net> ---
This broke playback of various valid files.
"GStreamer" (GNOME Bugzilla)
2017-01-19 11:53:23 UTC
https://bugzilla.gnome.org/show_bug.cgi?id=777469

--- Comment #4 from Sebastian Dröge (slomo) <***@coaxion.net> ---
Created attachment 343793
--> https://bugzilla.gnome.org/attachment.cgi?id=343793&action=edit
qtdemux: Increment current stts index whenever we finished one stts entry

Otherwise we could read more chunks than there are available, doing an
out of bounds read and potentially crash.
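Added illustration, not part of the bug report and not GStreamer's code: the class of defect the two patches in this thread address, shown as a self-contained C walker over an stts (time-to-sample) table. Each stts entry is a pair of big-endian 32-bit values, sample_count and sample_delta, so the 16-byte region in the ASan report holds exactly two entries, and the 4-byte read just past its end is an attempt to fetch a third. The walker below advances its entry index on the single path that consumes an entry and refuses to go past the number of entries actually present in the buffer, so a file that promises more samples than its stts entries account for produces an error instead of an over-read. The function names, the constructed table and the fixed-size timestamp buffer are assumptions made for this demo.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed example, not GStreamer code: walking an ISO BMFF stts
 * (time-to-sample) table without reading past its end.
 * Each entry is {sample_count, sample_delta}, both 32-bit big-endian. */

#define STTS_ENTRY_SIZE 8
#define DEMO_MAX_SAMPLES 8   /* size of the demo timestamp buffer (assumption) */

static uint32_t rd32be(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Assign a decode timestamp to each of n_samples samples from the table.
 * n_entries is the entry count declared by the file; it is clamped to what
 * the buffer can actually hold. Returns n_samples on success, or -1 when the
 * table is exhausted first (the malformed-file case) instead of reading on. */
int stts_assign_timestamps(const uint8_t *stts, size_t stts_len,
                           uint32_t n_entries, uint32_t n_samples,
                           uint64_t *ts)
{
    uint32_t present = (uint32_t)(stts_len / STTS_ENTRY_SIZE);
    if (n_entries > present)
        n_entries = present;             /* trust the buffer, not the header */

    uint32_t stts_index = 0;             /* entries consumed so far */
    uint32_t remaining = 0;              /* samples left in the current entry */
    uint32_t delta = 0;
    uint64_t time = 0;

    for (uint32_t i = 0; i < n_samples; i++) {
        /* Need a fresh entry? This is the only place the index moves, so
         * every path that consumes an entry also advances past it. */
        while (remaining == 0) {
            if (stts_index >= n_entries)
                return -1;               /* would read past the table */
            const uint8_t *e = stts + (size_t)stts_index * STTS_ENTRY_SIZE;
            remaining = rd32be(e);
            delta = rd32be(e + 4);
            stts_index++;                /* zero-count entries are simply skipped */
        }
        ts[i] = time;
        time += delta;
        remaining--;
    }
    return (int)n_samples;
}

/* Constructed stts payload: 2 entries covering 3 + 2 = 5 samples,
 * the same 16-byte size as the region in the ASan report. */
static const uint8_t SAMPLE_STTS[16] = {
    0, 0, 0, 3,   0, 0, 0, 100,          /* 3 samples, delta 100 */
    0, 0, 0, 2,   0, 0, 0, 50            /* 2 samples, delta 50  */
};

/* Demo helper: walk the constructed table asking for n_samples samples. */
int demo_walk(uint32_t n_samples)
{
    uint64_t ts[DEMO_MAX_SAMPLES];
    if (n_samples > DEMO_MAX_SAMPLES)
        return -2;                       /* demo buffer limit, not a file error */
    return stts_assign_timestamps(SAMPLE_STTS, sizeof SAMPLE_STTS, 2,
                                  n_samples, ts);
}

/* Demo helper: timestamp of the last of n_samples samples, 0 on failure. */
uint64_t demo_last_ts(uint32_t n_samples)
{
    uint64_t ts[DEMO_MAX_SAMPLES] = { 0 };
    if (n_samples == 0 || n_samples > DEMO_MAX_SAMPLES)
        return 0;
    if (stts_assign_timestamps(SAMPLE_STTS, sizeof SAMPLE_STTS, 2,
                               n_samples, ts) < 0)
        return 0;
    return ts[n_samples - 1];
}

int main(void)
{
    printf("5 samples: %d (last ts %llu)\n", demo_walk(5),
           (unsigned long long)demo_last_ts(5));
    printf("6 samples: %d (table exhausted, no over-read)\n", demo_walk(6));
    return 0;
}
```

The point of the clamp at the top is that the number of entries a demuxer may read is bounded by the bytes it actually copied (here, by the size of the region g_memdup handed back), never by a count taken from the file on its own; with that and a single advance-and-check site, a sample count that outruns the table is reported rather than walked off the end of the allocation.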
"GStreamer" (GNOME Bugzilla)
2017-01-19 12:01:07 UTC
https://bugzilla.gnome.org/show_bug.cgi?id=777469

Sebastian Dröge (slomo) <***@coaxion.net> changed:

What                      |Removed      |Added
----------------------------------------------------------------------------
Status                    |REOPENED     |RESOLVED
Resolution                |---          |FIXED

--- Comment #5 from Sebastian Dröge (slomo) <***@coaxion.net> ---
Attachment 343793 pushed as 1ffef8b - qtdemux: Increment current stts index whenever we finished one stts entry
"GStreamer" (GNOME Bugzilla)
2017-01-19 12:01:11 UTC
https://bugzilla.gnome.org/show_bug.cgi?id=777469

Sebastian Dröge (slomo) <***@coaxion.net> changed:

What                      |Removed      |Added
----------------------------------------------------------------------------
Attachment #343793 status |none         |committed
"GStreamer" (GNOME Bugzilla)
2017-02-14 06:22:42 UTC
https://bugzilla.gnome.org/show_bug.cgi?id=777469

Salvatore Bonaccorso <***@debian.org> changed:

What                      |Removed      |Added
----------------------------------------------------------------------------
CC                        |             |***@debian.org
Alias                     |             |CVE-2017-5840

--- Comment #6 from Salvatore Bonaccorso <***@debian.org> ---
This is CVE-2017-5840