[Bug 777937] New: asfdemux: invalid memory read in gst_asf_demux_process_ext_stream_props()
"GStreamer" (GNOME Bugzilla)
2017-01-30 13:10:21 UTC
https://bugzilla.gnome.org/show_bug.cgi?id=777937

Bug ID: 777937
Summary: asfdemux: invalid memory read in gst_asf_demux_process_ext_stream_props()
Classification: Platform
Product: GStreamer
Version: unspecified
OS: Linux
Status: NEW
Severity: normal
Priority: Normal
Component: gst-plugins-ugly
Assignee: gstreamer-***@lists.freedesktop.org
Reporter: ***@hboeck.de
QA Contact: gstreamer-***@lists.freedesktop.org
GNOME version: ---

Created attachment 344540
--> https://bugzilla.gnome.org/attachment.cgi?id=344540&action=edit
poc file

POC file attached, file will cause an invalid memory read, found with afl+asan.

ASAN Stack trace:
==23967==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000180 (pc 0x7feb66ef82cc bp 0x7feb6653f930 sp 0x7feb6653f540 T2)
==23967==The signal is caused by a READ memory access.
==23967==Hint: address points to the zero page.
#0 0x7feb66ef82cb in gst_asf_demux_process_ext_stream_props
/f/gstreamer/gst-plugins-ugly/gst/asfdemux/gstasfdemux.c:4232:34
#1 0x7feb66ef82cb in gst_asf_demux_process_queued_extended_stream_objects
/f/gstreamer/gst-plugins-ugly/gst/asfdemux/gstasfdemux.c:4321
#2 0x7feb66ef82cb in gst_asf_demux_parse_data_object_start
/f/gstreamer/gst-plugins-ugly/gst/asfdemux/gstasfdemux.c:1178
#3 0x7feb66edea5d in gst_asf_demux_pull_headers
/f/gstreamer/gst-plugins-ugly/gst/asfdemux/gstasfdemux.c:1249:8
#4 0x7feb66edea5d in gst_asf_demux_loop
/f/gstreamer/gst-plugins-ugly/gst/asfdemux/gstasfdemux.c:1984
#5 0x7feb7414b973 in gst_task_func
/f/gstreamer/gstreamer/gst/gsttask.c:334:5
#6 0x7feb73348b2d in g_thread_pool_thread_proxy
/var/tmp/portage/dev-libs/glib-2.50.2/work/glib-2.50.2/glib/gthreadpool.c:307
#7 0x7feb73348154 in g_thread_proxy
/var/tmp/portage/dev-libs/glib-2.50.2/work/glib-2.50.2/glib/gthread.c:784
#8 0x7feb72dc6453 in start_thread (/lib64/libpthread.so.0+0x7453)
#9 0x7feb728f65dc in clone (/lib64/libc.so.6+0xe75dc)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV
/f/gstreamer/gst-plugins-ugly/gst/asfdemux/gstasfdemux.c:4232:34 in
gst_asf_demux_process_ext_stream_props
Thread T2 (asfdemux0:sink) created by T1 (typefind:sink) here:
#0 0x42df2d in __interceptor_pthread_create
(/usr/bin/gst-discoverer-1.0+0x42df2d)
#1 0x7feb733651bf in g_system_thread_new
/var/tmp/portage/dev-libs/glib-2.50.2/work/glib-2.50.2/glib/gthread-posix.c:1170

Thread T1 (typefind:sink) created by T0 here:
#0 0x42df2d in __interceptor_pthread_create
(/usr/bin/gst-discoverer-1.0+0x42df2d)
#1 0x7feb733651bf in g_system_thread_new
/var/tmp/portage/dev-libs/glib-2.50.2/work/glib-2.50.2/glib/gthread-posix.c:1170

==23967==ABORTING
--
You are receiving this mail because:
You are the QA Contact for the bug.
You are the assignee for the bug.
"GStreamer" (GNOME Bugzilla)
2017-01-30 13:41:18 UTC
https://bugzilla.gnome.org/show_bug.cgi?id=777937

Sebastian Dröge (slomo) <***@coaxion.net> changed:

What             | Removed    | Added
-----------------|------------|-----------------
Status           | NEW        | RESOLVED
CC               |            | ***@coaxion.net
Resolution       | ---        | FIXED
Target Milestone | git master | 1.10.3

--- Comment #1 from Sebastian Dröge (slomo) <***@coaxion.net> ---
commit dec880031d16f1ee4919a36f49298419246cf6a8
Author: Sebastian Dröge <***@centricular.com>
Date: Mon Jan 30 15:39:59 2017 +0200

asfdemux: Reset number of languages to 0 when freeing the array because of errors

Otherwise we will happily index into the array at NULL if the requested
index is smaller than the number of languages that were previously
allocated.

https://bugzilla.gnome.org/show_bug.cgi?id=777937
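The commit message describes a count/array desynchronisation: the language array is freed on a parse error, but the stored count is not reset, so a later bounds check passes and the lookup indexes a NULL array. The following is an added example illustrating that pattern, not GStreamer's own code: the `Demux` struct, the `parse_language_list`/`stream_language` functions and the "count byte followed by NUL-terminated tags" object layout are hypothetical stand-ins chosen for the demonstration. The observation that a NULL `char **` indexed at 48 yields address 0x180 on an LP64 target is arithmetic, and is offered only as consistent with the fault address in the ASAN report above, not as a confirmed reconstruction of the crash.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for the demuxer state holding the language list
 * (hypothetical names, not GStreamer's code). The invariant the fix
 * restores is: languages == NULL implies num_languages == 0. */
typedef struct {
    char **languages;        /* num_languages heap strings, or NULL */
    unsigned num_languages;
} Demux;

/* Error-path cleanup as in the buggy version: the array goes away but the
 * count is left stale, so a later bounds check still admits old indices. */
static void drop_languages_buggy(Demux *d)
{
    for (unsigned i = 0; d->languages && i < d->num_languages; i++)
        free(d->languages[i]);
    free(d->languages);
    d->languages = NULL;
    /* BUG: d->num_languages still reports the entries that used to exist */
}

/* Error-path cleanup with the fix: the count is reset with the array. */
static void drop_languages_fixed(Demux *d)
{
    drop_languages_buggy(d);
    d->num_languages = 0;
}

/* Small strdup replacement so the block builds under strict ISO C. */
static char *dup_tag(const char *s)
{
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    return p ? memcpy(p, s, n) : NULL;
}

/* Parse a constructed "language list" object: one count byte followed by
 * that many NUL-terminated tags. Returns 0 on success, -1 on a truncated
 * object, in which case `cleanup` runs. The count is recorded before the
 * tags are validated, which is what lets count and array diverge. */
static int parse_language_list(Demux *d, const uint8_t *buf, size_t len,
                               void (*cleanup)(Demux *))
{
    if (len < 1)
        return -1;
    unsigned count = buf[0];
    d->num_languages = count;
    d->languages = calloc(count ? count : 1, sizeof(char *));
    if (d->languages == NULL)
        return -1;
    size_t pos = 1;
    for (unsigned i = 0; i < count; i++) {
        const uint8_t *nul = pos < len ? memchr(buf + pos, '\0', len - pos) : NULL;
        if (nul == NULL) {           /* tag i runs past the end of the object */
            cleanup(d);
            return -1;
        }
        d->languages[i] = dup_tag((const char *)buf + pos);
        pos = (size_t)(nul - buf) + 1;
    }
    return 0;
}

/* Address the stream-properties lookup would read for lang_idx, computed
 * without dereferencing it; 0 if the bounds check rejects the index. With a
 * stale count and a NULL array this is sizeof(char *) * lang_idx, i.e.
 * 0x180 for index 48 on LP64 (assumption: matches the report's address). */
static uintptr_t language_slot_address(const Demux *d, unsigned lang_idx)
{
    if (lang_idx >= d->num_languages)
        return 0;
    return (uintptr_t)d->languages + (uintptr_t)lang_idx * sizeof(char *);
}

/* The real lookup: only safe while the invariant above holds. */
static const char *stream_language(const Demux *d, unsigned lang_idx)
{
    if (lang_idx >= d->num_languages)
        return NULL;
    return d->languages[lang_idx];
}

/* Constructed truncated object: claims 64 tags but carries only "en","de". */
static const uint8_t TRUNCATED_OBJ[] = { 64, 'e', 'n', 0, 'd', 'e', 0 };

int main(void)
{
    Demux d = { NULL, 0 };
    parse_language_list(&d, TRUNCATED_OBJ, sizeof TRUNCATED_OBJ, drop_languages_buggy);
    printf("buggy: count=%u, lookup of index 48 would read %#lx\n",
           d.num_languages, (unsigned long)language_slot_address(&d, 48));
    parse_language_list(&d, TRUNCATED_OBJ, sizeof TRUNCATED_OBJ, drop_languages_fixed);
    printf("fixed: count=%u, index 48 rejected: %s\n",
           d.num_languages, stream_language(&d, 48) == NULL ? "yes" : "no");
    return 0;
}
```

The fix is a single assignment, but the general lesson is that a length field and the buffer it describes must be updated together on every path, including error paths; a cleanup helper that resets both (as `drop_languages_fixed` does) is harder to get wrong than remembering the reset at each call site.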
"GStreamer" (GNOME Bugzilla)
2017-02-14 06:25:01 UTC
https://bugzilla.gnome.org/show_bug.cgi?id=777937

Salvatore Bonaccorso <***@debian.org> changed:

What  | Removed | Added
------|---------|---------------
CC    |         | ***@debian.org
Alias |         | CVE-2017-5846