[Bug 777265] New: riff: stack overflow in gst_riff_create_audio_caps
"GStreamer" (GNOME Bugzilla)
2017-01-15 09:45:44 UTC
https://bugzilla.gnome.org/show_bug.cgi?id=777265

Bug ID: 777265
Summary: riff: stack overflow in gst_riff_create_audio_caps
Classification: Platform
Product: GStreamer
Version: unspecified
OS: Linux
Status: NEW
Severity: normal
Priority: Normal
Component: gst-plugins-base
Assignee: gstreamer-***@lists.freedesktop.org
Reporter: ***@hboeck.de
QA Contact: gstreamer-***@lists.freedesktop.org
GNOME version: ---

Created attachment 343491
--> https://bugzilla.gnome.org/attachment.cgi?id=343491&action=edit
poc file

An endless recursion leading to a stack overflow:
==10305==ERROR: AddressSanitizer: stack-overflow on address 0x7f9ef214cfe0 (pc
0x7f9effc89a7c bp 0x7f9ef214d230 sp 0x7f9ef214cfe0 T2)
#0 0x7f9effc89a7b in _get_merged_memory
/f/gstreamer/gstreamer/gst/gstbuffer.c:208
#1 0x7f9effc8f57e in gst_buffer_map_range
/f/gstreamer/gstreamer/gst/gstbuffer.c:1732:9
#2 0x7f9ef2963845 in gst_riff_create_audio_caps
/f/gstreamer/gst-plugins-base/gst-libs/gst/riff/riff-media.c:1600:7
#3 0x7f9ef2965c6f in gst_riff_create_audio_caps
/f/gstreamer/gst-plugins-base/gst-libs/gst/riff/riff-media.c:1721:18
#4 0x7f9ef2965c6f in gst_riff_create_audio_caps
/f/gstreamer/gst-plugins-base/gst-libs/gst/riff/riff-media.c:1721:18
#5 0x7f9ef2965c6f in gst_riff_create_audio_caps
/f/gstreamer/gst-plugins-base/gst-libs/gst/riff/riff-media.c:1721:18
--
You are receiving this mail because:
You are the QA Contact for the bug.
You are the assignee for the bug.
"GStreamer" (GNOME Bugzilla)
2017-01-15 17:28:20 UTC
https://bugzilla.gnome.org/show_bug.cgi?id=777265

Sebastian Dröge (slomo) <***@coaxion.net> changed:

What |Removed |Added
----------------------------------------------------------------------------
CC| |***@coaxion.net

--- Comment #1 from Sebastian Dröge (slomo) <***@coaxion.net> ---
Confirmed here
"GStreamer" (GNOME Bugzilla)
2017-01-15 17:42:25 UTC
https://bugzilla.gnome.org/show_bug.cgi?id=777265

--- Comment #2 from Sebastian Dröge (slomo) <***@coaxion.net> ---
This recursive call there does not seem to make any sense at all to me.
subformat_guid[0] is guint32, codec_id is guint16. It's going to get clipped
anyway.

Do we have any files that go into this branch for a valid reason? In any case,
the following patch would fix it... but it all looks suspicious.
"GStreamer" (GNOME Bugzilla)
2017-01-15 17:44:16 UTC
https://bugzilla.gnome.org/show_bug.cgi?id=777265

--- Comment #3 from Sebastian Dröge (slomo) <***@coaxion.net> ---
Created attachment 343506
--> https://bugzilla.gnome.org/attachment.cgi?id=343506&action=edit
riff-media: Don't recurse in for nested WAVEFORMATEX

There was already a check for that, but it failed because
subformat_guid[0] is a guint32 and that is then cast implicitly to a
guint16 when recursing... just that we checked the uncast value.

This caused an infinite recursion and thus stack overflow.
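The mismatch described in comments #2 and #3, reduced to a small added example that is not GStreamer's code: the dispatcher receives the codec id as a 16-bit value, the guard against a nested EXTENSIBLE header tests the full 32-bit subformat dword, and the recursive call silently narrows that dword, so the callee sees the EXTENSIBLE tag again. The tag value 0xFFFE, the function names, the constructed dword 0x1234FFFE and the depth cap that stands in for the crash are assumptions of the example.

```c
/* Added example, not riff-media.c: a guard on a 32-bit value does not
 * protect a callee that receives the value as 16 bits. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define WAVE_FORMAT_EXTENSIBLE 0xFFFEu /* codec tag assumed for the example */
#define DEMO_DEPTH_CAP 8               /* stands in for the real stack overflow */

/* Buggy guard: compares the whole subformat dword. A file carrying
 * 0x1234FFFE passes (it is not equal to 0xFFFE), but once the call
 * narrows it to 16 bits the callee sees 0xFFFE and recurses again. */
static bool buggy_guard_allows_recursion(uint32_t subformat_dword)
{
    return subformat_dword != WAVE_FORMAT_EXTENSIBLE;
}

/* Fixed guard: compare exactly what the callee will receive. */
static bool fixed_guard_allows_recursion(uint32_t subformat_dword)
{
    uint16_t codec_id = (uint16_t) subformat_dword; /* same narrowing as the call */
    return codec_id != WAVE_FORMAT_EXTENSIBLE;
}

/* Simplified dispatcher with the shape of the bug. Returns the recursion
 * depth reached, or -1 when the demo cap is hit (the crash in the report). */
static int dispatch(uint16_t codec_id, uint32_t subformat_dword, int depth,
                    bool (*guard)(uint32_t))
{
    if (codec_id != WAVE_FORMAT_EXTENSIBLE)
        return depth;                 /* plain codec tag: nothing to unwrap */
    if (depth >= DEMO_DEPTH_CAP)
        return -1;                    /* endless recursion in the real code */
    if (!guard(subformat_dword))
        return depth;                 /* nested EXTENSIBLE rejected */
    /* Implicit narrowing: a 32-bit value passed into a 16-bit parameter,
     * exactly as subformat_guid[0] was passed as codec_id. */
    return dispatch(subformat_dword, subformat_dword, depth + 1, guard);
}

int main(void)
{
    uint32_t hostile = 0x1234FFFEu;   /* constructed: junk high half, EXTENSIBLE low half */
    printf("buggy guard: %d\n", dispatch(0xFFFE, hostile, 0, buggy_guard_allows_recursion));
    printf("fixed guard: %d\n", dispatch(0xFFFE, hostile, 0, fixed_guard_allows_recursion));
    return 0;
}
```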
"GStreamer" (GNOME Bugzilla)
2017-01-18 11:11:17 UTC
https://bugzilla.gnome.org/show_bug.cgi?id=777265

Sebastian Dröge (slomo) <***@coaxion.net> changed:

What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |RESOLVED
Resolution|--- |FIXED

--- Comment #4 from Sebastian Dröge (slomo) <***@coaxion.net> ---
Attachment 343506 pushed as ef55c8a - riff-media: Don't recurse in for nested
WAVEFORMATEX
"GStreamer" (GNOME Bugzilla)
2017-01-18 11:11:22 UTC
https://bugzilla.gnome.org/show_bug.cgi?id=777265

Sebastian Dröge (slomo) <***@coaxion.net> changed:

What |Removed |Added
----------------------------------------------------------------------------
Attachment #343506 status|none |committed
"GStreamer" (GNOME Bugzilla)
2017-01-18 11:11:33 UTC
https://bugzilla.gnome.org/show_bug.cgi?id=777265

Sebastian Dröge (slomo) <***@coaxion.net> changed:

What |Removed |Added
----------------------------------------------------------------------------
Target Milestone|git master |1.11.2
"GStreamer" (GNOME Bugzilla)
2017-01-18 11:23:32 UTC
https://bugzilla.gnome.org/show_bug.cgi?id=777265

Sebastian Dröge (slomo) <***@coaxion.net> changed:

What |Removed |Added
----------------------------------------------------------------------------
Target Milestone|1.11.2 |1.10.3
"GStreamer" (GNOME Bugzilla)
2017-02-14 06:22:18 UTC
https://bugzilla.gnome.org/show_bug.cgi?id=777265

Salvatore Bonaccorso <***@debian.org> changed:

What |Removed |Added
----------------------------------------------------------------------------
CC| |***@debian.org
Alias| |CVE-2017-5839

--- Comment #5 from Salvatore Bonaccorso <***@debian.org> ---
This is CVE-2017-5839