Multiple bugs #24

Closed
qflb opened this issue Aug 14, 2017 · 1 comment
qflb commented Aug 14, 2017

The Node_GetData function in corec/corec/node/node.c in mkvalidator 0.5.1 can cause a denial of service (NULL pointer dereference and application crash) via a crafted MKV file.

./mkvalidator mkvalidator_0.5.1_null_pointer_dereference.mkv

----debug info:----
Program received signal SIGSEGV, Segmentation fault.
0x0000000000421767 in Node_GetData (p=0x0, Id=256, Type=1)
at ../corec/corec/node/node.c:681
681 for (i=p->Data;i;i=i->Next)
(gdb) bt
#0 0x0000000000421767 in Node_GetData (p=0x0, Id=256, Type=1)
at ../corec/corec/node/node.c:681
#1 0x000000000042cb29 in EBML_ElementIsFiniteSize (Element=0x0)
at ebmlelement.c:98
#2 0x000000000042cf51 in EBML_ElementPositionEnd (Element=0x0)
at ebmlelement.c:195
#3 0x0000000000405917 in main (argc=2, argv=0x7fffffffdf78)
at mkvalidator.c:1036
(gdb) disassemble
Dump of assembler code for function Node_GetData:
0x0000000000421743 <+0>: push %rbp
0x0000000000421744 <+1>: mov %rsp,%rbp
0x0000000000421747 <+4>: mov %rdi,-0x18(%rbp)
0x000000000042174b <+8>: mov %rsi,-0x20(%rbp)
0x000000000042174f <+12>: mov %rdx,-0x28(%rbp)
0x0000000000421753 <+16>: mov -0x20(%rbp),%rax
0x0000000000421757 <+20>: shl $0x8,%rax
0x000000000042175b <+24>: or -0x28(%rbp),%rax
0x000000000042175f <+28>: mov %rax,-0x8(%rbp)
0x0000000000421763 <+32>: mov -0x18(%rbp),%rax
=> 0x0000000000421767 <+36>: mov 0x10(%rax),%rax
0x000000000042176b <+40>: mov %rax,-0x10(%rbp)
0x000000000042176f <+44>: jmp 0x421794 <Node_GetData+81>
0x0000000000421771 <+46>: mov -0x10(%rbp),%rax
0x0000000000421775 <+50>: mov 0x8(%rax),%rax
0x0000000000421779 <+54>: cmp -0x8(%rbp),%rax
0x000000000042177d <+58>: jne 0x421789 <Node_GetData+70>
0x000000000042177f <+60>: mov -0x10(%rbp),%rax
0x0000000000421783 <+64>: add $0x10,%rax
0x0000000000421787 <+68>: jmp 0x4217a0 <Node_GetData+93>
0x0000000000421789 <+70>: mov -0x10(%rbp),%rax
0x000000000042178d <+74>: mov (%rax),%rax
---Type to continue, or q to quit---q
Quit
(gdb) i r
rax 0x0 0
rbx 0x1 1
rcx 0x7ffff7b00810 140737348896784
rdx 0x1 1
rsi 0x100 256
rdi 0x0 0
rbp 0x7fffffffb740 0x7fffffffb740
rsp 0x7fffffffb740 0x7fffffffb740
r8 0x411e10 4267536
r9 0x7fffffffb370 140737488335728
r10 0xfffffffffffffa82 -1406
r11 0x246 582
r12 0x401420 4199456
r13 0x7fffffffdf70 140737488346992
r14 0x0 0
r15 0x0 0
rip 0x421767 0x421767 <Node_GetData+36>
eflags 0x10202 [ IF RF ]
cs 0x33 51
ss 0x2b 43
ds 0x0 0
es 0x0 0
fs 0x0 0
---Type to continue, or q to quit---
gs 0x0 0
(gdb)

PoC: mkvalidator_0.5.1_null_pointer_dereference.mkv
This issue has been assigned CVE-2017-12779.

The ReadData function in ebmlstring.c in libebml2 (through 2012-08-26) can cause a denial of service (invalid free and application crash) via a crafted MKV file.

./mkvalidator libebml2_invalid_free.mkv

----debug info:----
.*** Error in `/home/a/Downloads/mkvalidator-0.5.1/release/gcc_linux_x64/mkvalidator': free(): invalid next size (fast): 0x000000000066fa40 ***

Program received signal SIGABRT, Aborted.
0x00007ffff7a4bcc9 in __GI_raise (sig=sig@entry=6)
at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
56 ../nptl/sysdeps/unix/sysv/linux/raise.c: No such file or directory.
(gdb) bt
#0 0x00007ffff7a4bcc9 in __GI_raise (sig=sig@entry=6)
at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
#1 0x00007ffff7a4f0d8 in __GI_abort () at abort.c:89
#2 0x00007ffff7a88394 in __libc_message (do_abort=do_abort@entry=1,
fmt=fmt@entry=0x7ffff7b96b28 "*** Error in `%s': %s: 0x%s ***\n")
at ../sysdeps/posix/libc_fatal.c:175
#3 0x00007ffff7a9466e in malloc_printerr (ptr=,
str=0x7ffff7b96cc8 "free(): invalid next size (fast)", action=1)
at malloc.c:4996
#4 _int_free (av=, p=, have_lock=0)
at malloc.c:3840
#5 0x0000000000431c0e in ReadData (Element=0x678c90, Input=0x675c40,
ParserContext=0x7fffffffb750, AllowDummyElt=0, Scope=1, DepthCheckCRC=0)
at ebmlstring.c:102
#6 0x000000000042fc8e in ReadData (Element=0x673b70, Input=0x675c40,
ParserContext=0x7fffffffb880, AllowDummyElt=0, Scope=1, DepthCheckCRC=1)
at ebmlmaster.c:331
#7 0x000000000040549d in main (argc=2, argv=0x7fffffffdf68)
at mkvalidator.c:974
(gdb)

PoC: libebml2_invalid_free.mkv
This issue has been assigned CVE-2017-12780.

The EBML_BufferToID function in ebmlelement.c in libebml2 (through 2012-08-26) can cause a denial of service (NULL pointer dereference and application crash) via a crafted MKV file.

./mkvalidator libebml2_null_pointer_dereference_1.mkv

----debug info:----
Program received signal SIGSEGV, Segmentation fault.
0x000000000042d233 in EBML_BufferToID (Buffer=0x0) at ebmlelement.c:261
261 if (Buffer[0] & 0x80)
(gdb) bt
#0 0x000000000042d233 in EBML_BufferToID (Buffer=0x0) at ebmlelement.c:261
#1 0x000000000040987a in MATROSKA_MetaSeekID (MetaSeek=0x6792f0)
at matroskamain.c:336
#2 0x00000000004030e6 in CheckSeekHead (SeekHead=0x678fa0)
at mkvalidator.c:472
#3 0x000000000040707b in main (argc=2, argv=0x7fffffffdf68)
at mkvalidator.c:1333
(gdb) disassemble
Dump of assembler code for function EBML_BufferToID:
0x000000000042d227 <+0>: push %rbp
0x000000000042d228 <+1>: mov %rsp,%rbp
0x000000000042d22b <+4>: mov %rdi,-0x8(%rbp)
0x000000000042d22f <+8>: mov -0x8(%rbp),%rax
=> 0x000000000042d233 <+12>: movzbl (%rax),%eax
0x000000000042d236 <+15>: test %al,%al
0x000000000042d238 <+17>: jns 0x42d249 <EBML_BufferToID+34>
0x000000000042d23a <+19>: mov -0x8(%rbp),%rax
0x000000000042d23e <+23>: movzbl (%rax),%eax
0x000000000042d241 <+26>: movzbl %al,%eax
0x000000000042d244 <+29>: jmpq 0x42d320 <EBML_BufferToID+249>
0x000000000042d249 <+34>: mov -0x8(%rbp),%rax
0x000000000042d24d <+38>: movzbl (%rax),%eax
0x000000000042d250 <+41>: movzbl %al,%eax
0x000000000042d253 <+44>: and $0x40,%eax
0x000000000042d256 <+47>: test %eax,%eax
0x000000000042d258 <+49>: je 0x42d27e <EBML_BufferToID+87>
0x000000000042d25a <+51>: mov -0x8(%rbp),%rax
0x000000000042d25e <+55>: movzbl (%rax),%eax
0x000000000042d261 <+58>: movzbl %al,%eax
0x000000000042d264 <+61>: shl $0x8,%eax
0x000000000042d267 <+64>: mov %eax,%edx
---Type to continue, or q to quit---q
Quit
(gdb) i r
rax 0x0 0
rbx 0x67 103
rcx 0x0 0
rdx 0x643ff0 6569968
rsi 0x644980 6572416
rdi 0x0 0
rbp 0x7fffffffb690 0x7fffffffb690
rsp 0x7fffffffb690 0x7fffffffb690
r8 0x7ffff7dd59d0 140737351866832
r9 0x7fffffffa880 140737488332928
r10 0x42bca4 4373668
r11 0x246 582
r12 0x401420 4199456
r13 0x7fffffffdf60 140737488346976
r14 0x0 0
r15 0x0 0
rip 0x42d233 0x42d233 <EBML_BufferToID+12>
eflags 0x10246 [ PF ZF IF RF ]
cs 0x33 51
ss 0x2b 43
ds 0x0 0
es 0x0 0
fs 0x0 0
---Type to continue, or q to quit---
gs 0x0 0
(gdb)

PoC: libebml2_null_pointer_dereference_1.mkv
This issue has been assigned CVE-2017-12781.

The ReadData function in ebmlmaster.c in libebml2 (through 2012-08-26) can cause a denial of service (assertion failure) via a crafted MKV file.

./mkvalidator libebml2_assert_fault_1.mkv

----debug info:----
..mkvalidator: ebmlmaster.c:427: ReadData: Assertion `SubElement!=((void *)0)' failed.

Program received signal SIGABRT, Aborted.
0x00007ffff7a4bcc9 in __GI_raise (sig=sig@entry=6)
at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
56 ../nptl/sysdeps/unix/sysv/linux/raise.c: No such file or directory.
(gdb) bt
#0 0x00007ffff7a4bcc9 in __GI_raise (sig=sig@entry=6)
at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
#1 0x00007ffff7a4f0d8 in __GI_abort () at abort.c:89
#2 0x00007ffff7a44b86 in __assert_fail_base (
fmt=0x7ffff7b95830 "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n",
assertion=assertion@entry=0x43b93f "SubElement!=((void *)0)",
file=file@entry=0x43b5d0 "ebmlmaster.c", line=line@entry=427,
function=function@entry=0x43ba73 <PRETTY_FUNCTION.4885> "ReadData")
at assert.c:92
#3 0x00007ffff7a44c32 in __GI___assert_fail (
assertion=0x43b93f "SubElement!=((void *)0)",
file=0x43b5d0 "ebmlmaster.c", line=427,
function=0x43ba73 <PRETTY_FUNCTION.4885> "ReadData") at assert.c:101
#4 0x000000000043032e in ReadData (Element=0x678fa0, Input=0x675c40,
ParserContext=0x7fffffffb8a0, AllowDummyElt=1, Scope=1, DepthCheckCRC=2)
at ebmlmaster.c:427
#5 0x0000000000405c5f in main (argc=2, argv=0x7fffffffdf68)
at mkvalidator.c:1074
(gdb)

PoC: libebml2_assert_fault_1.mkv
This issue has been assigned CVE-2017-12782.

The ReadDataFloat function in ebmlnumber.c in libebml2 (through 2012-08-26) can cause a denial of service (assertion failure) via a crafted MKV file.

./mkvalidator libebml2_assert_fault_2.mkv

----debug info:----
....mkvalidator: ebmlnumber.c:222: ReadDataFloat: Assertion `Element->Base.DataSize == 8 || Element->Base.DataSize == 4' failed.

Program received signal SIGABRT, Aborted.
0x00007ffff7a4bcc9 in __GI_raise (sig=sig@entry=6)
at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
56 ../nptl/sysdeps/unix/sysv/linux/raise.c: No such file or directory.
(gdb) bt
#0 0x00007ffff7a4bcc9 in __GI_raise (sig=sig@entry=6)
at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
#1 0x00007ffff7a4f0d8 in __GI_abort () at abort.c:89
#2 0x00007ffff7a44b86 in __assert_fail_base (
fmt=0x7ffff7b95830 "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n",
assertion=assertion@entry=0x43bb08 "Element->Base.DataSize == 8 || Element->Base.DataSize == 4", file=file@entry=0x43bab0 "ebmlnumber.c",
line=line@entry=222,
function=function@entry=0x43bcb2 <PRETTY_FUNCTION.4760> "ReadDataFloat") at assert.c:92
#3 0x00007ffff7a44c32 in __GI___assert_fail (
assertion=0x43bb08 "Element->Base.DataSize == 8 || Element->Base.DataSize == 4", file=0x43bab0 "ebmlnumber.c", line=222,
function=0x43bcb2 <PRETTY_FUNCTION.4760> "ReadDataFloat")
at assert.c:101
#4 0x0000000000430e8b in ReadDataFloat (Element=0x67abc0, Input=0x675c40,
ParserContext=0x7fffffffb520, AllowDummyElt=1, Scope=1, DepthCheckCRC=1)
at ebmlnumber.c:222
#5 0x000000000042fc8e in ReadData (Element=0x67aae0, Input=0x675c40,
ParserContext=0x7fffffffb600, AllowDummyElt=1, Scope=1, DepthCheckCRC=2)
at ebmlmaster.c:331
#6 0x000000000042fc8e in ReadData (Element=0x67a400, Input=0x675c40,
ParserContext=0x7fffffffb750, AllowDummyElt=1, Scope=1, DepthCheckCRC=3)
---Type to continue, or q to quit---
at ebmlmaster.c:331
#7 0x000000000040e558 in ReadTrackEntry (Element=0x67a400, Input=0x675c40,
ParserContext=0x7fffffffb750, AllowDummyElt=1, Scope=1, DepthCheckCRC=3)
at matroskamain.c:2257
#8 0x000000000042fc8e in ReadData (Element=0x679980, Input=0x675c40,
ParserContext=0x7fffffffb8a0, AllowDummyElt=1, Scope=1, DepthCheckCRC=4)
at ebmlmaster.c:331
#9 0x0000000000406097 in main (argc=2, argv=0x7fffffffdf68)
at mkvalidator.c:1124
(gdb)

PoC: libebml2_assert_fault_2.mkv
This issue has been assigned CVE-2017-12783.

The EBML_FindNextElement function in ebmlmain.c in libebml2 (through 2012-08-26) can cause a denial of service (NULL pointer dereference and application crash) via a crafted MKV file.

./mkclean libebml2_null_pointer_dereference_2.mkv

----debug info:----
Program received signal SIGSEGV, Segmentation fault.
0x0000000000447ee1 in EBML_FindNextElement (Input=0x6caef0, pContext=0x0,
UpperLevels=0x7fffffffabd4, AllowDummyElt=0) at ebmlmain.c:516
516 OrigContext = *pContext;
(gdb) bt
#0 0x0000000000447ee1 in EBML_FindNextElement (Input=0x6caef0, pContext=0x0,
UpperLevels=0x7fffffffabd4, AllowDummyElt=0) at ebmlmain.c:516
#1 0x0000000000446263 in EBML_ElementSkipData (p=0x6c9060, Input=0x6caef0,
Context=0x0, TestReadElt=0x0, AllowDummyElt=0) at ebmlelement.c:122
#2 0x00000000004039cb in CheckMatroskaHead (Head=0x6c9380,
Parser=0x7fffffffb470, Input=0x6caef0) at mkclean.c:673
#3 0x0000000000407c07 in main (argc=2, argv=0x7fffffffdf78) at mkclean.c:1643
(gdb) disassemble
Dump of assembler code for function EBML_FindNextElement:
0x0000000000447deb <+0>: push %rbp
0x0000000000447dec <+1>: mov %rsp,%rbp
0x0000000000447def <+4>: push %rbx
0x0000000000447df0 <+5>: sub $0xd8,%rsp
0x0000000000447df7 <+12>: mov %rdi,-0xb8(%rbp)
0x0000000000447dfe <+19>: mov %rsi,-0xc0(%rbp)
0x0000000000447e05 <+26>: mov %rdx,-0xc8(%rbp)
0x0000000000447e0c <+33>: mov %rcx,-0xd0(%rbp)
0x0000000000447e13 <+40>: mov %fs:0x28,%rax
0x0000000000447e1c <+49>: mov %rax,-0x18(%rbp)
0x0000000000447e20 <+53>: xor %eax,%eax
0x0000000000447e22 <+55>: movb $0x0,-0xac(%rbp)
0x0000000000447e29 <+62>: movb $0x0,-0xaa(%rbp)
0x0000000000447e30 <+69>: movl $0x0,-0xa0(%rbp)
0x0000000000447e3a <+79>: mov -0xc8(%rbp),%rax
0x0000000000447e41 <+86>: mov (%rax),%eax
0x0000000000447e43 <+88>: mov %eax,-0x9c(%rbp)
0x0000000000447e49 <+94>: cmpq $0x0,-0xb8(%rbp)
0x0000000000447e51 <+102>: jne 0x447e72 <EBML_FindNextElement+135>
0x0000000000447e53 <+104>: lea 0x37e56(%rip),%rcx # 0x47fcb0 <PRETTY_FUNCTION.4925>
0x0000000000447e5a <+111>: mov $0x1fc,%edx
---Type to continue, or q to quit---
0x0000000000447e5f <+116>: lea 0x37b8b(%rip),%rsi # 0x47f9f1
0x0000000000447e66 <+123>: lea 0x37d5b(%rip),%rdi # 0x47fbc8
0x0000000000447e6d <+130>: callq 0x401510 __assert_fail@plt
0x0000000000447e72 <+135>: mov -0xb8(%rbp),%rax
0x0000000000447e79 <+142>: mov 0x8(%rax),%rax
0x0000000000447e7d <+146>: mov 0x78(%rax),%rax
0x0000000000447e81 <+150>: mov -0xb8(%rbp),%rcx
0x0000000000447e88 <+157>: mov $0x1,%edx
0x0000000000447e8d <+162>: mov $0x0,%esi
0x0000000000447e92 <+167>: mov %rcx,%rdi
0x0000000000447e95 <+170>: callq *%rax
0x0000000000447e97 <+172>: mov %rax,-0x70(%rbp)
0x0000000000447e9b <+176>: lea -0x50(%rbp),%rax
0x0000000000447e9f <+180>: mov %rax,-0x80(%rbp)
0x0000000000447ea3 <+184>: cmpq $0xffffffffffffffff,-0x70(%rbp)
0x0000000000447ea8 <+189>: jne 0x447eb4 <EBML_FindNextElement+201>
0x0000000000447eaa <+191>: mov $0x0,%eax
0x0000000000447eaf <+196>: jmpq 0x448814 <EBML_FindNextElement+2601>
0x0000000000447eb4 <+201>: cmpq $0x0,-0x80(%rbp)
0x0000000000447eb9 <+206>: jne 0x447eda <EBML_FindNextElement+239>
0x0000000000447ebb <+208>: lea 0x37dee(%rip),%rcx # 0x47fcb0 <PRETTY_FUNCTION.4925>
0x0000000000447ec2 <+215>: mov $0x203,%edx
---Type to continue, or q to quit---
0x0000000000447ec7 <+220>: lea 0x37b23(%rip),%rsi # 0x47f9f1
0x0000000000447ece <+227>: lea 0x37d2b(%rip),%rdi # 0x47fc00
0x0000000000447ed5 <+234>: callq 0x401510 __assert_fail@plt
0x0000000000447eda <+239>: mov -0xc0(%rbp),%rax
=> 0x0000000000447ee1 <+246>: mov (%rax),%rdx
0x0000000000447ee4 <+249>: mov %rdx,-0x50(%rbp)
0x0000000000447ee8 <+253>: mov 0x8(%rax),%rdx
0x0000000000447eec <+257>: mov %rdx,-0x48(%rbp)
0x0000000000447ef0 <+261>: mov 0x10(%rax),%rdx
0x0000000000447ef4 <+265>: mov %rdx,-0x40(%rbp)
0x0000000000447ef8 <+269>: mov 0x18(%rax),%rax
0x0000000000447efc <+273>: mov %rax,-0x38(%rbp)
0x0000000000447f00 <+277>: jmp 0x447f32 <EBML_FindNextElement+327>
0x0000000000447f02 <+279>: mov -0x80(%rbp),%rax
0x0000000000447f06 <+283>: mov 0x8(%rax),%rax
0x0000000000447f0a <+287>: test %rax,%rax
0x0000000000447f0d <+290>: jne 0x447f11 <EBML_FindNextElement+294>
0x0000000000447f0f <+292>: jmp 0x447f55 <EBML_FindNextElement+362>
0x0000000000447f11 <+294>: mov -0x80(%rbp),%rax
0x0000000000447f15 <+298>: mov 0x8(%rax),%rax
0x0000000000447f19 <+302>: mov %rax,-0x80(%rbp)
0x0000000000447f1d <+306>: mov -0xc8(%rbp),%rax
0x0000000000447f24 <+313>: mov (%rax),%eax
---Type to continue, or q to quit---q
Quit
(gdb) i r
rax 0x0 0
rbx 0x7fffffffb4d0 140737488336080
rcx 0x7ffff7b0f4b0 140737348957360
rdx 0x1 1
rsi 0x0 0
rdi 0x3 3
rbp 0x7fffffffab90 0x7fffffffab90
rsp 0x7fffffffaab0 0x7fffffffaab0
r8 0x0 0
r9 0xb 11
r10 0x7fffffffa9a0 140737488333216
r11 0x246 582
r12 0x4017b0 4200368
r13 0x7fffffffdf70 140737488346992
r14 0x0 0
r15 0x0 0
rip 0x447ee1 0x447ee1 <EBML_FindNextElement+246>
eflags 0x10202 [ IF RF ]
cs 0x33 51
ss 0x2b 43
ds 0x0 0
es 0x0 0
fs 0x0 0
---Type to continue, or q to quit---
gs 0x0 0
(gdb)

PoC: libebml2_null_pointer_dereference_2.mkv
This issue has been assigned CVE-2017-12800.

The UpdateDataSize function in ebmlmaster.c in libebml2 (through 2012-08-26) can cause a denial of service (assertion failure) via a crafted MKV file.

./mkclean libebml2_assert_fault_3.mkv

----debug info:----
mkclean: ebmlmaster.c:244: UpdateDataSize: Assertion `CheckMandatory((ebml_master*)Element, bWithDefault)' failed.

Program received signal SIGABRT, Aborted.
0x00007ffff7a4bcc9 in __GI_raise (sig=sig@entry=6)
at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
56 ../nptl/sysdeps/unix/sysv/linux/raise.c: No such file or directory.
(gdb) bt
#0 0x00007ffff7a4bcc9 in __GI_raise (sig=sig@entry=6)
at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
#1 0x00007ffff7a4f0d8 in __GI_abort () at abort.c:89
#2 0x00007ffff7a44b86 in __assert_fail_base (
fmt=0x7ffff7b95830 "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n",
assertion=assertion@entry=0x47feb8 "CheckMandatory((ebml_master*)Element, bWithDefault)", file=file@entry=0x47fcd0 "ebmlmaster.c", line=line@entry=244,
function=function@entry=0x480334 <PRETTY_FUNCTION.4876> "UpdateDataSize") at assert.c:92
#3 0x00007ffff7a44c32 in __GI___assert_fail (
assertion=0x47feb8 "CheckMandatory((ebml_master*)Element, bWithDefault)",
file=0x47fcd0 "ebmlmaster.c", line=244,
function=0x480334 <PRETTY_FUNCTION.4876> "UpdateDataSize")
at assert.c:101
#4 0x0000000000449223 in UpdateDataSize (Element=0x6d1ec0, bWithDefault=0,
bForceWithoutMandatory=0) at ebmlmaster.c:244
#5 0x0000000000419f3e in UpdateDataSizeTrackEntry (Element=0x6d1ec0,
bWithDefault=0, bForceWithoutMandatory=0) at matroskamain.c:2343
#6 0x00000000004492ee in UpdateDataSize (Element=0x6d1e50, bWithDefault=0,
bForceWithoutMandatory=0) at ebmlmaster.c:256
#7 0x0000000000409672 in main (argc=2, argv=0x7fffffffdf78) at mkclean.c:2012
(gdb)

PoC: libebml2_assert_fault_3.mkv
This issue has been assigned CVE-2017-12801.

The EBML_IntegerValue function in ebmlnumber.c in libebml2 (through 2012-08-26) can cause a denial of service (assertion failure) via a crafted MKV file.

./mkclean libebml2_assert_fault_4.mkv

----debug info:----
mkclean: ebmlnumber.c:428: EBML_IntegerValue: Assertion `Node_IsPartOf(Element,(fourcc_t)(((uint8_t)('E') << 0) | ((uint8_t)('B') << 8) | ((uint8_t)('I') << 16) | ((uint8_t)('T')<< 24))) || Node_IsPartOf(Element,(fourcc_t)(((uint8_t)('E') << 0) | ((uint8_t)('B') << 8) | ((uint8_t)('S') << 16) | ((uint8_t)('I')<< 24)))' failed.

Program received signal SIGABRT, Aborted.
0x00007ffff7a4bcc9 in __GI_raise (sig=sig@entry=6)
at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
56 ../nptl/sysdeps/unix/sysv/linux/raise.c: No such file or directory.
(gdb) bt
#0 0x00007ffff7a4bcc9 in __GI_raise (sig=sig@entry=6)
at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
#1 0x00007ffff7a4f0d8 in __GI_abort () at abort.c:89
#2 0x00007ffff7a44b86 in __assert_fail_base (
fmt=0x7ffff7b95830 "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n",
assertion=assertion@entry=0x480478 "Node_IsPartOf(Element,(fourcc_t)(((uint8_t)('E') << 0) | ((uint8_t)('B') << 8) | ((uint8_t)('I') << 16) | ((uint8_t)('T')<< 24))) || Node_IsPartOf(Element,(fourcc_t)(((uint8_t)('E') << 0) | ((uint8_t)"..., file=file@entry=0x480390 "ebmlnumber.c", line=line@entry=428,
function=function@entry=0x480650 <PRETTY_FUNCTION.4901> "EBML_IntegerValue") at assert.c:92
#3 0x00007ffff7a44c32 in __GI___assert_fail (
assertion=0x480478 "Node_IsPartOf(Element,(fourcc_t)(((uint8_t)('E') << 0) | ((uint8_t)('B') << 8) | ((uint8_t)('I') << 16) | ((uint8_t)('T')<< 24))) || Node_IsPartOf(Element,(fourcc_t)(((uint8_t)('E') << 0) | ((uint8_t)"...,
file=0x480390 "ebmlnumber.c", line=428,
function=0x480650 <PRETTY_FUNCTION.4901> "EBML_IntegerValue")
at assert.c:101
#4 0x000000000044c07a in EBML_IntegerValue (Element=0x6d1190)
at ebmlnumber.c:428
#5 0x000000000040850a in main (argc=2, argv=0x7fffffffdf78) at mkclean.c:1764
(gdb)

PoC: libebml2_assert_fault_4.mkv
This issue has been assigned CVE-2017-12802.

The Node_ValidatePtr function in corec/corec/node/node.c in mkclean 0.8.9 can cause a denial of service (assertion failure; the trace below shows a SIGSEGV raised while the assert expression dereferences a NULL Node) via a crafted MKV file.

./mkclean mkclean_0.8.9_assert_fault.mkv

----debug info:----
Program received signal SIGSEGV, Segmentation fault.
0x000000000043d3d2 in Node_ValidatePtr (Node=0x0)
at ../corec/corec/node/node.c:155
155 assert(((node*)Node)->Magic==NODE_MAGIC);
(gdb) bt
#0 0x000000000043d3d2 in Node_ValidatePtr (Node=0x0)
at ../corec/corec/node/node.c:155
#1 Node_IsPartOf (Node=0x0, PartOfClass=1414087237)
at ../corec/corec/node/node.c:1534
#2 0x000000000044c040 in EBML_IntegerValue (Element=0x0) at ebmlnumber.c:428
#3 0x0000000000404a87 in CleanTracks (Tracks=0x6d1160, SrcProfile=1,
DstProfile=0x6a0584 , Attachments=0x0,
Alternate3DTracks=0x7fffffffb410) at mkclean.c:962
#4 0x0000000000408812 in main (argc=2, argv=0x7fffffffdf88) at mkclean.c:1811

PoC: mkclean_0.8.9_assert_fault.mkv
This issue has been assigned CVE-2017-12803.

poc.zip

robUx4 commented Aug 22, 2017

Fixed by commits 18bb41a, fab3097, 458e292, 193481b, dfa8ede, faaba9b and 0b076ef.

Thanks for reporting.

@robUx4 robUx4 closed this as completed Aug 22, 2017