Discussion:
[Bug 775451] New: out of bounds read in gst_tag_freeform_string_to_utf8 / qtdemux_tag_add_str_full
"GStreamer" (GNOME Bugzilla)
2016-12-01 10:40:06 UTC
https://bugzilla.gnome.org/show_bug.cgi?id=775451

Bug ID: 775451
Summary: out of bounds read in gst_tag_freeform_string_to_utf8 / qtdemux_tag_add_str_full
Classification: Platform
Product: GStreamer
Version: git master
OS: Linux
Status: NEW
Severity: normal
Priority: Normal
Component: gst-plugins-base
Assignee: gstreamer-***@lists.freedesktop.org
Reporter: ***@hboeck.de
QA Contact: gstreamer-***@lists.freedesktop.org
GNOME version: ---

Created attachment 341135
--> https://bugzilla.gnome.org/attachment.cgi?id=341135&action=edit
poc file

Note: Based on the stack trace this involves both code from gst-plugins-good
and -base, so it may be in the wrong category.

The attached file causes an out of bounds heap memory read. Found with afl,
current git.

==22354==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x620000072f37 at pc 0x7f6b9579cc89 bp 0x7f6b870610b0 sp 0x7f6b870610a8
READ of size 1 at 0x620000072f37 thread T2 (qtdemux0:sink)
#0 0x7f6b9579cc88 in gst_tag_freeform_string_to_utf8
/f/gstreamer/gst-plugins-base/gst-libs/gst/tag/tags.c:400:22
#1 0x7f6b875d0604 in qtdemux_tag_add_str_full
/f/gstreamer/gst-plugins-good/gst/isomp4/qtdemux.c:11797:11
#2 0x7f6b875ad93d in qtdemux_parse_udta
/f/gstreamer/gst-plugins-good/gst/isomp4/qtdemux.c:12438:9
#3 0x7f6b87574c6e in qtdemux_parse_tree
/f/gstreamer/gst-plugins-good/gst/isomp4/qtdemux.c:12803:5
#4 0x7f6b875658ed in gst_qtdemux_loop_state_header
/f/gstreamer/gst-plugins-good/gst/isomp4/qtdemux.c:4221:7
#5 0x7f6b875658ed in gst_qtdemux_loop
/f/gstreamer/gst-plugins-good/gst/isomp4/qtdemux.c:5753
#6 0x7f6b94d8f5d3 in gst_task_func
/f/gstreamer/gstreamer/gst/gsttask.c:334:5
#7 0x7f6b93f8c627 (/usr/lib64/libglib-2.0.so.0+0x72627)
#8 0x7f6b93f8bc94 (/usr/lib64/libglib-2.0.so.0+0x71c94)
#9 0x7f6b93a08453 in start_thread (/lib64/libpthread.so.0+0x7453)
#10 0x7f6b935385dc in clone (/lib64/libc.so.6+0xe75dc)

AddressSanitizer can not describe address in more detail (wild memory access
suspected).
SUMMARY: AddressSanitizer: heap-buffer-overflow
/f/gstreamer/gst-plugins-base/gst-libs/gst/tag/tags.c:400:22 in
gst_tag_freeform_string_to_utf8
Shadow bytes around the buggy address:
0x0c4080006590: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c40800065a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c40800065b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c40800065c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c40800065d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c40800065e0: fa fa fa fa fa fa[fa]fa fa fa fa fa fa fa fa fa
0x0c40800065f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c4080006600: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c4080006610: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c4080006620: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c4080006630: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
--
You are receiving this mail because:
You are the QA Contact for the bug.
You are the assignee for the bug.
"GStreamer" (GNOME Bugzilla)
2016-12-01 11:03:11 UTC
https://bugzilla.gnome.org/show_bug.cgi?id=775451

Sebastian Dröge (slomo) <***@coaxion.net> changed:

What |Removed |Added
----------------------------------------------------------------------------
CC| |***@coaxion.net
"GStreamer" (GNOME Bugzilla)
2016-12-01 11:10:29 UTC
https://bugzilla.gnome.org/show_bug.cgi?id=775451

Sebastian Dröge (slomo) <***@coaxion.net> changed:

What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |ASSIGNED

--- Comment #1 from Sebastian Dröge (slomo) <***@coaxion.net> ---
valgrind is also unhappy about this, fwiw
"GStreamer" (GNOME Bugzilla)
2016-12-01 11:33:53 UTC
https://bugzilla.gnome.org/show_bug.cgi?id=775451

Sebastian Dröge (slomo) <***@coaxion.net> changed:

What |Removed |Added
----------------------------------------------------------------------------
Status|ASSIGNED |RESOLVED
Resolution|--- |FIXED

--- Comment #2 from Sebastian Dröge (slomo) <***@coaxion.net> ---
commit d0949baf3dadea6021d54abef6802fed5a06af75
Author: Sebastian Dröge <***@centricular.com>
Date: Thu Dec 1 13:32:22 2016 +0200

qtdemux: Fix out of bounds read in tag parsing code

We can't simply assume that the length of the tag value as given
inside the stream is correct but should also check against the amount of
data we have actually available.

https://bugzilla.gnome.org/show_bug.cgi?id=775451
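The fix commit quoted above makes one point: a length field read from the stream is attacker-controlled and must be checked against the bytes actually available before it is used to index memory. The following is an added illustration of that check, written for this page and not taken from qtdemux or gst-plugins-base. It assumes a constructed, simplified "data" atom layout (16-byte header followed by the string payload) and a hypothetical `parse_tag_string` function; the sample atoms are constructed inline, the second one declaring a size far larger than the buffer that holds it.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Assumed, simplified layout of a tag "data" atom for this example
 * (not the real qtdemux structures):
 *   bytes 0..3   : atom size, big-endian, includes this header
 *   bytes 4..7   : fourcc 'data'
 *   bytes 8..11  : type/flags
 *   bytes 12..15 : locale
 *   bytes 16..   : string payload, (atom size - 16) bytes
 */
#define TAG_HDR_LEN 16

enum tag_status {
    TAG_OK = 0,
    TAG_TRUNCATED_HEADER,     /* fewer than 16 bytes available */
    TAG_BAD_FOURCC,           /* not a 'data' atom */
    TAG_LENGTH_EXCEEDS_DATA,  /* declared size is smaller than the header or larger than the buffer */
    TAG_TOO_LONG              /* payload does not fit the caller's output buffer */
};

static uint32_t read_be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* The payload length exactly as declared in the stream, with no validation.
 * This is the number an unchecked parser would trust; it is computed here
 * only so it can be compared with what the buffer really contains. */
static int64_t tag_declared_payload_len(const uint8_t *atom, size_t avail) {
    if (avail < 4) return -1;
    return (int64_t)read_be32(atom) - TAG_HDR_LEN;
}

/* Hardened parse: copies the NUL-terminated string payload into out only
 * after the declared atom size has been checked against avail, the number
 * of bytes the caller actually holds. */
static enum tag_status parse_tag_string(const uint8_t *atom, size_t avail,
                                        char *out, size_t out_cap,
                                        size_t *out_len) {
    if (avail < TAG_HDR_LEN) return TAG_TRUNCATED_HEADER;
    if (memcmp(atom + 4, "data", 4) != 0) return TAG_BAD_FOURCC;

    uint32_t atom_size = read_be32(atom);
    /* The declared size comes from the file: it must cover the header and
     * must not exceed the data we really have. */
    if (atom_size < TAG_HDR_LEN || atom_size > avail) return TAG_LENGTH_EXCEEDS_DATA;

    size_t payload_len = atom_size - TAG_HDR_LEN;
    if (payload_len + 1 > out_cap) return TAG_TOO_LONG;

    memcpy(out, atom + TAG_HDR_LEN, payload_len);
    out[payload_len] = '\0';
    if (out_len) *out_len = payload_len;
    return TAG_OK;
}

/* Constructed sample input: a well-formed atom, size 21, payload "hello". */
static const uint8_t GOOD_ATOM[] = {
    0x00, 0x00, 0x00, 0x15, 'd', 'a', 't', 'a',
    0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00,
    'h', 'e', 'l', 'l', 'o'
};

/* Constructed malformed input: same 21 bytes, but the size field claims
 * 4096 bytes, so an unchecked reader would walk 4075 bytes past the end. */
static const uint8_t BAD_ATOM[] = {
    0x00, 0x00, 0x10, 0x00, 'd', 'a', 't', 'a',
    0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00,
    'h', 'e', 'l', 'l', 'o'
};

/* Convenience wrapper: parses into a static buffer so the decoded string
 * can be inspected after the call. */
static char last_payload[64];
static enum tag_status demo(const uint8_t *atom, size_t avail) {
    size_t n = 0;
    last_payload[0] = '\0';
    return parse_tag_string(atom, avail, last_payload, sizeof last_payload, &n);
}

int main(void) {
    printf("good atom: status %d, payload \"%s\"\n",
           demo(GOOD_ATOM, sizeof GOOD_ATOM), last_payload);
    printf("bad atom: declared payload %lld bytes, buffer holds %zu, status %d\n",
           (long long)tag_declared_payload_len(BAD_ATOM, sizeof BAD_ATOM),
           sizeof BAD_ATOM - TAG_HDR_LEN, demo(BAD_ATOM, sizeof BAD_ATOM));
    return 0;
}
```

The comparison `atom_size > avail` is the whole fix in miniature: `avail` has to be the number of bytes the caller really mapped or read, not a value copied from another header in the same file, otherwise the check is circular. Building with `-fsanitize=address` and feeding the parser fuzzed inputs, as the reporter did, is the practical way to confirm that no code path still indexes by the declared length alone.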
"GStreamer" (GNOME Bugzilla)
2016-12-01 11:34:46 UTC
https://bugzilla.gnome.org/show_bug.cgi?id=775451

Sebastian Dröge (slomo) <***@coaxion.net> changed:

What |Removed |Added
----------------------------------------------------------------------------
Component|gst-plugins-base |gst-plugins-good
Target Milestone|git master |1.11.1
Summary|out of bounds read in gst_tag_freeform_string_to_utf8 / qtdemux_tag_add_str_full |qtdemux: out of bounds read in qtdemux_tag_add_str_full

--- Comment #3 from Sebastian Dröge (slomo) <***@coaxion.net> ---
Will backport to 1.10 in a bit
"GStreamer" (GNOME Bugzilla)
2016-12-05 09:12:12 UTC
https://bugzilla.gnome.org/show_bug.cgi?id=775451

Sebastian Dröge (slomo) <***@coaxion.net> changed:

What |Removed |Added
----------------------------------------------------------------------------
Target Milestone|1.11.1 |1.10.3
"GStreamer" (GNOME Bugzilla)
2017-02-14 06:20:27 UTC
https://bugzilla.gnome.org/show_bug.cgi?id=775451

Salvatore Bonaccorso <***@debian.org> changed:

What |Removed |Added
----------------------------------------------------------------------------
CC| |***@debian.org
Alias| |CVE-2016-10199
"GStreamer" (GNOME Bugzilla)
2017-02-14 06:20:36 UTC
https://bugzilla.gnome.org/show_bug.cgi?id=775451

--- Comment #4 from Salvatore Bonaccorso <***@debian.org> ---
This is CVE-2016-10199