The Node_GetData function in corec/corec/node/node.c in mkvalidator 0.5.1 can cause a denial of service (NULL pointer dereference and application crash) via a crafted mkv file. The backtrace below shows the NULL pointer (Element=0x0) already being passed in by the caller at mkvalidator.c:1036, so Node_GetData is only where the crash surfaces.
----debug info:----
Program received signal SIGSEGV, Segmentation fault.
0x0000000000421767 in Node_GetData (p=0x0, Id=256, Type=1)
at ../corec/corec/node/node.c:681
681 for (i=p->Data;i;i=i->Next)
(gdb) bt
#0 0x0000000000421767 in Node_GetData (p=0x0, Id=256, Type=1)
at ../corec/corec/node/node.c:681 #1 0x000000000042cb29 in EBML_ElementIsFiniteSize (Element=0x0)
at ebmlelement.c:98 #2 0x000000000042cf51 in EBML_ElementPositionEnd (Element=0x0)
at ebmlelement.c:195 #3 0x0000000000405917 in main (argc=2, argv=0x7fffffffdf78)
at mkvalidator.c:1036
(gdb) disassemble
Dump of assembler code for function Node_GetData:
0x0000000000421743 <+0>: push %rbp
0x0000000000421744 <+1>: mov %rsp,%rbp
0x0000000000421747 <+4>: mov %rdi,-0x18(%rbp)
0x000000000042174b <+8>: mov %rsi,-0x20(%rbp)
0x000000000042174f <+12>: mov %rdx,-0x28(%rbp)
0x0000000000421753 <+16>: mov -0x20(%rbp),%rax
0x0000000000421757 <+20>: shl $0x8,%rax
0x000000000042175b <+24>: or -0x28(%rbp),%rax
0x000000000042175f <+28>: mov %rax,-0x8(%rbp)
0x0000000000421763 <+32>: mov -0x18(%rbp),%rax
=> 0x0000000000421767 <+36>: mov 0x10(%rax),%rax
0x000000000042176b <+40>: mov %rax,-0x10(%rbp)
0x000000000042176f <+44>: jmp 0x421794 <Node_GetData+81>
0x0000000000421771 <+46>: mov -0x10(%rbp),%rax
0x0000000000421775 <+50>: mov 0x8(%rax),%rax
0x0000000000421779 <+54>: cmp -0x8(%rbp),%rax
0x000000000042177d <+58>: jne 0x421789 <Node_GetData+70>
0x000000000042177f <+60>: mov -0x10(%rbp),%rax
0x0000000000421783 <+64>: add $0x10,%rax
0x0000000000421787 <+68>: jmp 0x4217a0 <Node_GetData+93>
0x0000000000421789 <+70>: mov -0x10(%rbp),%rax
0x000000000042178d <+74>: mov (%rax),%rax
---Type to continue, or q to quit---q
Quit
(gdb) i r
rax 0x0 0
rbx 0x1 1
rcx 0x7ffff7b00810 140737348896784
rdx 0x1 1
rsi 0x100 256
rdi 0x0 0
rbp 0x7fffffffb740 0x7fffffffb740
rsp 0x7fffffffb740 0x7fffffffb740
r8 0x411e10 4267536
r9 0x7fffffffb370 140737488335728
r10 0xfffffffffffffa82 -1406
r11 0x246 582
r12 0x401420 4199456
r13 0x7fffffffdf70 140737488346992
r14 0x0 0
r15 0x0 0
rip 0x421767 0x421767 <Node_GetData+36>
eflags 0x10202 [ IF RF ]
cs 0x33 51
ss 0x2b 43
ds 0x0 0
es 0x0 0
fs 0x0 0
---Type to continue, or q to quit---
gs 0x0 0
(gdb)
PoC: mkvalidator_0.5.1_null_pointer_dereference.mkv
It has been assigned CVE-2017-12779.
The ReadData function in ebmlstring.c in libebml2 (through 2012-08-26) can cause a denial of service (invalid free and application crash) via a crafted mkv file. The glibc "free(): invalid next size" abort indicates heap metadata was corrupted before the free, so this is a heap-corruption issue rather than a plain NULL dereference.
./mkvalidator libebml2_invalid_free.mkv
----debug info:----
.*** Error in `/home/a/Downloads/mkvalidator-0.5.1/release/gcc_linux_x64/mkvalidator': free(): invalid next size (fast): 0x000000000066fa40 ***
Program received signal SIGABRT, Aborted.
0x00007ffff7a4bcc9 in __GI_raise (sig=sig@entry=6)
at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
56 ../nptl/sysdeps/unix/sysv/linux/raise.c: No such file or directory.
(gdb) bt
#0 0x00007ffff7a4bcc9 in __GI_raise (sig=sig@entry=6)
at ../nptl/sysdeps/unix/sysv/linux/raise.c:56 #1 0x00007ffff7a4f0d8 in __GI_abort () at abort.c:89 #2 0x00007ffff7a88394 in __libc_message (do_abort=do_abort@entry=1,
fmt=fmt@entry=0x7ffff7b96b28 "*** Error in `%s': %s: 0x%s ***\n")
at ../sysdeps/posix/libc_fatal.c:175 #3 0x00007ffff7a9466e in malloc_printerr (ptr=,
str=0x7ffff7b96cc8 "free(): invalid next size (fast)", action=1)
at malloc.c:4996 #4 _int_free (av=, p=, have_lock=0)
at malloc.c:3840 #5 0x0000000000431c0e in ReadData (Element=0x678c90, Input=0x675c40,
ParserContext=0x7fffffffb750, AllowDummyElt=0, Scope=1, DepthCheckCRC=0)
at ebmlstring.c:102 #6 0x000000000042fc8e in ReadData (Element=0x673b70, Input=0x675c40,
ParserContext=0x7fffffffb880, AllowDummyElt=0, Scope=1, DepthCheckCRC=1)
at ebmlmaster.c:331 #7 0x000000000040549d in main (argc=2, argv=0x7fffffffdf68)
at mkvalidator.c:974
(gdb)
PoC: libebml2_invalid_free.mkv
It has been assigned CVE-2017-12780.
The EBML_BufferToID function in ebmlelement.c in libebml2 (through 2012-08-26) can cause a denial of service (NULL pointer dereference and application crash) via a crafted mkv file.
Program received signal SIGABRT, Aborted.
0x00007ffff7a4bcc9 in __GI_raise (sig=sig@entry=6)
at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
56 ../nptl/sysdeps/unix/sysv/linux/raise.c: No such file or directory.
(gdb) bt
#0 0x00007ffff7a4bcc9 in __GI_raise (sig=sig@entry=6)
at ../nptl/sysdeps/unix/sysv/linux/raise.c:56 #1 0x00007ffff7a4f0d8 in __GI_abort () at abort.c:89 #2 0x00007ffff7a44b86 in __assert_fail_base (
fmt=0x7ffff7b95830 "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n",
assertion=assertion@entry=0x43b93f "SubElement!=((void *)0)",
file=file@entry=0x43b5d0 "ebmlmaster.c", line=line@entry=427,
function=function@entry=0x43ba73 <PRETTY_FUNCTION.4885> "ReadData")
at assert.c:92 #3 0x00007ffff7a44c32 in __GI___assert_fail (
assertion=0x43b93f "SubElement!=((void *)0)",
file=0x43b5d0 "ebmlmaster.c", line=427,
function=0x43ba73 <PRETTY_FUNCTION.4885> "ReadData") at assert.c:101 #4 0x000000000043032e in ReadData (Element=0x678fa0, Input=0x675c40,
ParserContext=0x7fffffffb8a0, AllowDummyElt=1, Scope=1, DepthCheckCRC=2)
at ebmlmaster.c:427 #5 0x0000000000405c5f in main (argc=2, argv=0x7fffffffdf68)
at mkvalidator.c:1074
(gdb)
PoC: libebml2_assert_fault_1.mkv
It has been assigned CVE-2017-12782.
The ReadDataFloat function in ebmlnumber.c in libebml2 (through 2012-08-26) can cause a denial of service (assertion failure) via a crafted mkv file.
Program received signal SIGABRT, Aborted.
0x00007ffff7a4bcc9 in __GI_raise (sig=sig@entry=6)
at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
56 ../nptl/sysdeps/unix/sysv/linux/raise.c: No such file or directory.
(gdb) bt
#0 0x00007ffff7a4bcc9 in __GI_raise (sig=sig@entry=6)
at ../nptl/sysdeps/unix/sysv/linux/raise.c:56 #1 0x00007ffff7a4f0d8 in __GI_abort () at abort.c:89 #2 0x00007ffff7a44b86 in __assert_fail_base (
fmt=0x7ffff7b95830 "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n",
assertion=assertion@entry=0x43bb08 "Element->Base.DataSize == 8 || Element->Base.DataSize == 4", file=file@entry=0x43bab0 "ebmlnumber.c",
line=line@entry=222,
function=function@entry=0x43bcb2 <PRETTY_FUNCTION.4760> "ReadDataFloat") at assert.c:92 #3 0x00007ffff7a44c32 in __GI___assert_fail (
assertion=0x43bb08 "Element->Base.DataSize == 8 || Element->Base.DataSize == 4", file=0x43bab0 "ebmlnumber.c", line=222,
function=0x43bcb2 <PRETTY_FUNCTION.4760> "ReadDataFloat")
at assert.c:101 #4 0x0000000000430e8b in ReadDataFloat (Element=0x67abc0, Input=0x675c40,
ParserContext=0x7fffffffb520, AllowDummyElt=1, Scope=1, DepthCheckCRC=1)
at ebmlnumber.c:222 #5 0x000000000042fc8e in ReadData (Element=0x67aae0, Input=0x675c40,
ParserContext=0x7fffffffb600, AllowDummyElt=1, Scope=1, DepthCheckCRC=2)
at ebmlmaster.c:331 #6 0x000000000042fc8e in ReadData (Element=0x67a400, Input=0x675c40,
ParserContext=0x7fffffffb750, AllowDummyElt=1, Scope=1, DepthCheckCRC=3)
---Type to continue, or q to quit---
at ebmlmaster.c:331 #7 0x000000000040e558 in ReadTrackEntry (Element=0x67a400, Input=0x675c40,
ParserContext=0x7fffffffb750, AllowDummyElt=1, Scope=1, DepthCheckCRC=3)
at matroskamain.c:2257 #8 0x000000000042fc8e in ReadData (Element=0x679980, Input=0x675c40,
ParserContext=0x7fffffffb8a0, AllowDummyElt=1, Scope=1, DepthCheckCRC=4)
at ebmlmaster.c:331 #9 0x0000000000406097 in main (argc=2, argv=0x7fffffffdf68)
at mkvalidator.c:1124
(gdb)
PoC: libebml2_assert_fault_2.mkv
It has been assigned CVE-2017-12783.
The EBML_FindNextElement function in ebmlmain.c in libebml2 (through 2012-08-26) can cause a denial of service (NULL pointer dereference and application crash) via a crafted mkv file.
Program received signal SIGABRT, Aborted.
0x00007ffff7a4bcc9 in __GI_raise (sig=sig@entry=6)
at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
56 ../nptl/sysdeps/unix/sysv/linux/raise.c: No such file or directory.
(gdb) bt
#0 0x00007ffff7a4bcc9 in __GI_raise (sig=sig@entry=6)
at ../nptl/sysdeps/unix/sysv/linux/raise.c:56 #1 0x00007ffff7a4f0d8 in __GI_abort () at abort.c:89 #2 0x00007ffff7a44b86 in __assert_fail_base (
fmt=0x7ffff7b95830 "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n",
assertion=assertion@entry=0x47feb8 "CheckMandatory((ebml_master*)Element, bWithDefault)", file=file@entry=0x47fcd0 "ebmlmaster.c", line=line@entry=244,
function=function@entry=0x480334 <PRETTY_FUNCTION.4876> "UpdateDataSize") at assert.c:92 #3 0x00007ffff7a44c32 in __GI___assert_fail (
assertion=0x47feb8 "CheckMandatory((ebml_master*)Element, bWithDefault)",
file=0x47fcd0 "ebmlmaster.c", line=244,
function=0x480334 <PRETTY_FUNCTION.4876> "UpdateDataSize")
at assert.c:101 #4 0x0000000000449223 in UpdateDataSize (Element=0x6d1ec0, bWithDefault=0,
bForceWithoutMandatory=0) at ebmlmaster.c:244 #5 0x0000000000419f3e in UpdateDataSizeTrackEntry (Element=0x6d1ec0,
bWithDefault=0, bForceWithoutMandatory=0) at matroskamain.c:2343 #6 0x00000000004492ee in UpdateDataSize (Element=0x6d1e50, bWithDefault=0,
bForceWithoutMandatory=0) at ebmlmaster.c:256 #7 0x0000000000409672 in main (argc=2, argv=0x7fffffffdf78) at mkclean.c:2012
(gdb)
PoC: libebml2_assert_fault_3.mkv
It has been assigned CVE-2017-12801.
The EBML_IntegerValue function in ebmlnumber.c in libebml2 (through 2012-08-26) can cause a denial of service (assertion failure) via a crafted mkv file.
Program received signal SIGABRT, Aborted.
0x00007ffff7a4bcc9 in __GI_raise (sig=sig@entry=6)
at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
56 ../nptl/sysdeps/unix/sysv/linux/raise.c: No such file or directory.
(gdb) bt
#0 0x00007ffff7a4bcc9 in __GI_raise (sig=sig@entry=6)
at ../nptl/sysdeps/unix/sysv/linux/raise.c:56 #1 0x00007ffff7a4f0d8 in __GI_abort () at abort.c:89 #2 0x00007ffff7a44b86 in __assert_fail_base (
fmt=0x7ffff7b95830 "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n",
assertion=assertion@entry=0x480478 "Node_IsPartOf(Element,(fourcc_t)(((uint8_t)('E') << 0) | ((uint8_t)('B') << 8) | ((uint8_t)('I') << 16) | ((uint8_t)('T')<< 24))) || Node_IsPartOf(Element,(fourcc_t)(((uint8_t)('E') << 0) | ((uint8_t)"..., file=file@entry=0x480390 "ebmlnumber.c", line=line@entry=428,
function=function@entry=0x480650 <PRETTY_FUNCTION.4901> "EBML_IntegerValue") at assert.c:92 #3 0x00007ffff7a44c32 in __GI___assert_fail (
assertion=0x480478 "Node_IsPartOf(Element,(fourcc_t)(((uint8_t)('E') << 0) | ((uint8_t)('B') << 8) | ((uint8_t)('I') << 16) | ((uint8_t)('T')<< 24))) || Node_IsPartOf(Element,(fourcc_t)(((uint8_t)('E') << 0) | ((uint8_t)"...,
file=0x480390 "ebmlnumber.c", line=428,
function=0x480650 <PRETTY_FUNCTION.4901> "EBML_IntegerValue")
at assert.c:101 #4 0x000000000044c07a in EBML_IntegerValue (Element=0x6d1190)
at ebmlnumber.c:428 #5 0x000000000040850a in main (argc=2, argv=0x7fffffffdf78) at mkclean.c:1764
(gdb)
PoC: libebml2_assert_fault_4.mkv
It has been assigned CVE-2017-12802.
The Node_ValidatePtr function in corec/corec/node/node.c in mkclean 0.8.9 can cause a denial of service (assertion failure) via a crafted mkv file. Note that the debug output below shows a SIGSEGV rather than an abort: the assert expression dereferences Node (0x0) before the comparison can run.
./mkclean mkclean_0.8.9_assert_fault.mkv
----debug info:----
Program received signal SIGSEGV, Segmentation fault.
0x000000000043d3d2 in Node_ValidatePtr (Node=0x0)
at ../corec/corec/node/node.c:155
155 assert(((node*)Node)->Magic==NODE_MAGIC);
(gdb) bt
#0 0x000000000043d3d2 in Node_ValidatePtr (Node=0x0)
at ../corec/corec/node/node.c:155 #1 Node_IsPartOf (Node=0x0, PartOfClass=1414087237)
at ../corec/corec/node/node.c:1534 #2 0x000000000044c040 in EBML_IntegerValue (Element=0x0) at ebmlnumber.c:428 #3 0x0000000000404a87 in CleanTracks (Tracks=0x6d1160, SrcProfile=1,
DstProfile=0x6a0584 , Attachments=0x0,
Alternate3DTracks=0x7fffffffb410) at mkclean.c:962 #4 0x0000000000408812 in main (argc=2, argv=0x7fffffffdf88) at mkclean.c:1811
PoC: mkclean_0.8.9_assert_fault.mkv
It has been assigned CVE-2017-12803.
The Node_GetData function in corec/corec/node/node.c in mkvalidator 0.5.1 can cause a denial of service (NULL pointer dereference and application crash) via a crafted mkv file. The backtrace below shows the NULL pointer (Element=0x0) already being passed in by the caller at mkvalidator.c:1036, so Node_GetData is only where the crash surfaces.
./mkvalidator mkvalidator_0.5.1_null_pointer_dereference.mkv
----debug info:----
Program received signal SIGSEGV, Segmentation fault.
0x0000000000421767 in Node_GetData (p=0x0, Id=256, Type=1)
at ../corec/corec/node/node.c:681
681 for (i=p->Data;i;i=i->Next)
(gdb) bt
#0 0x0000000000421767 in Node_GetData (p=0x0, Id=256, Type=1)
at ../corec/corec/node/node.c:681
#1 0x000000000042cb29 in EBML_ElementIsFiniteSize (Element=0x0)
at ebmlelement.c:98
#2 0x000000000042cf51 in EBML_ElementPositionEnd (Element=0x0)
at ebmlelement.c:195
#3 0x0000000000405917 in main (argc=2, argv=0x7fffffffdf78)
at mkvalidator.c:1036
(gdb) disassemble
Dump of assembler code for function Node_GetData:
0x0000000000421743 <+0>: push %rbp
0x0000000000421744 <+1>: mov %rsp,%rbp
0x0000000000421747 <+4>: mov %rdi,-0x18(%rbp)
0x000000000042174b <+8>: mov %rsi,-0x20(%rbp)
0x000000000042174f <+12>: mov %rdx,-0x28(%rbp)
0x0000000000421753 <+16>: mov -0x20(%rbp),%rax
0x0000000000421757 <+20>: shl $0x8,%rax
0x000000000042175b <+24>: or -0x28(%rbp),%rax
0x000000000042175f <+28>: mov %rax,-0x8(%rbp)
0x0000000000421763 <+32>: mov -0x18(%rbp),%rax
=> 0x0000000000421767 <+36>: mov 0x10(%rax),%rax
0x000000000042176b <+40>: mov %rax,-0x10(%rbp)
0x000000000042176f <+44>: jmp 0x421794 <Node_GetData+81>
0x0000000000421771 <+46>: mov -0x10(%rbp),%rax
0x0000000000421775 <+50>: mov 0x8(%rax),%rax
0x0000000000421779 <+54>: cmp -0x8(%rbp),%rax
0x000000000042177d <+58>: jne 0x421789 <Node_GetData+70>
0x000000000042177f <+60>: mov -0x10(%rbp),%rax
0x0000000000421783 <+64>: add $0x10,%rax
0x0000000000421787 <+68>: jmp 0x4217a0 <Node_GetData+93>
0x0000000000421789 <+70>: mov -0x10(%rbp),%rax
0x000000000042178d <+74>: mov (%rax),%rax
---Type to continue, or q to quit---q
Quit
(gdb) i r
rax 0x0 0
rbx 0x1 1
rcx 0x7ffff7b00810 140737348896784
rdx 0x1 1
rsi 0x100 256
rdi 0x0 0
rbp 0x7fffffffb740 0x7fffffffb740
rsp 0x7fffffffb740 0x7fffffffb740
r8 0x411e10 4267536
r9 0x7fffffffb370 140737488335728
r10 0xfffffffffffffa82 -1406
r11 0x246 582
r12 0x401420 4199456
r13 0x7fffffffdf70 140737488346992
r14 0x0 0
r15 0x0 0
rip 0x421767 0x421767 <Node_GetData+36>
eflags 0x10202 [ IF RF ]
cs 0x33 51
ss 0x2b 43
ds 0x0 0
es 0x0 0
fs 0x0 0
---Type to continue, or q to quit---
gs 0x0 0
(gdb)
PoC: mkvalidator_0.5.1_null_pointer_dereference.mkv
It has been assigned CVE-2017-12779.
The ReadData function in ebmlstring.c in libebml2 (through 2012-08-26) can cause a denial of service (invalid free and application crash) via a crafted mkv file. The glibc "free(): invalid next size" abort indicates heap metadata was corrupted before the free, so this is a heap-corruption issue rather than a plain NULL dereference.
./mkvalidator libebml2_invalid_free.mkv
----debug info:----
.*** Error in `/home/a/Downloads/mkvalidator-0.5.1/release/gcc_linux_x64/mkvalidator': free(): invalid next size (fast): 0x000000000066fa40 ***
Program received signal SIGABRT, Aborted.
0x00007ffff7a4bcc9 in __GI_raise (sig=sig@entry=6)
at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
56 ../nptl/sysdeps/unix/sysv/linux/raise.c: No such file or directory.
(gdb) bt
#0 0x00007ffff7a4bcc9 in __GI_raise (sig=sig@entry=6)
at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
#1 0x00007ffff7a4f0d8 in __GI_abort () at abort.c:89
#2 0x00007ffff7a88394 in __libc_message (do_abort=do_abort@entry=1,
fmt=fmt@entry=0x7ffff7b96b28 "*** Error in `%s': %s: 0x%s ***\n")
at ../sysdeps/posix/libc_fatal.c:175
#3 0x00007ffff7a9466e in malloc_printerr (ptr=,
str=0x7ffff7b96cc8 "free(): invalid next size (fast)", action=1)
at malloc.c:4996
#4 _int_free (av=, p=, have_lock=0)
at malloc.c:3840
#5 0x0000000000431c0e in ReadData (Element=0x678c90, Input=0x675c40,
ParserContext=0x7fffffffb750, AllowDummyElt=0, Scope=1, DepthCheckCRC=0)
at ebmlstring.c:102
#6 0x000000000042fc8e in ReadData (Element=0x673b70, Input=0x675c40,
ParserContext=0x7fffffffb880, AllowDummyElt=0, Scope=1, DepthCheckCRC=1)
at ebmlmaster.c:331
#7 0x000000000040549d in main (argc=2, argv=0x7fffffffdf68)
at mkvalidator.c:974
(gdb)
PoC: libebml2_invalid_free.mkv
It has been assigned CVE-2017-12780.
The EBML_BufferToID function in ebmlelement.c in libebml2 (through 2012-08-26) can cause a denial of service (NULL pointer dereference and application crash) via a crafted mkv file. The backtrace below shows Buffer=0x0 arriving from MATROSKA_MetaSeekID at matroskamain.c:336, so the missing check is on that call path.
./mkvalidator libebml2_null_pointer_dereference_1.mkv
----debug info:----
Program received signal SIGSEGV, Segmentation fault.
0x000000000042d233 in EBML_BufferToID (Buffer=0x0) at ebmlelement.c:261
261 if (Buffer[0] & 0x80)
(gdb) bt
#0 0x000000000042d233 in EBML_BufferToID (Buffer=0x0) at ebmlelement.c:261
#1 0x000000000040987a in MATROSKA_MetaSeekID (MetaSeek=0x6792f0)
at matroskamain.c:336
#2 0x00000000004030e6 in CheckSeekHead (SeekHead=0x678fa0)
at mkvalidator.c:472
#3 0x000000000040707b in main (argc=2, argv=0x7fffffffdf68)
at mkvalidator.c:1333
(gdb) disassemble
Dump of assembler code for function EBML_BufferToID:
0x000000000042d227 <+0>: push %rbp
0x000000000042d228 <+1>: mov %rsp,%rbp
0x000000000042d22b <+4>: mov %rdi,-0x8(%rbp)
0x000000000042d22f <+8>: mov -0x8(%rbp),%rax
=> 0x000000000042d233 <+12>: movzbl (%rax),%eax
0x000000000042d236 <+15>: test %al,%al
0x000000000042d238 <+17>: jns 0x42d249 <EBML_BufferToID+34>
0x000000000042d23a <+19>: mov -0x8(%rbp),%rax
0x000000000042d23e <+23>: movzbl (%rax),%eax
0x000000000042d241 <+26>: movzbl %al,%eax
0x000000000042d244 <+29>: jmpq 0x42d320 <EBML_BufferToID+249>
0x000000000042d249 <+34>: mov -0x8(%rbp),%rax
0x000000000042d24d <+38>: movzbl (%rax),%eax
0x000000000042d250 <+41>: movzbl %al,%eax
0x000000000042d253 <+44>: and $0x40,%eax
0x000000000042d256 <+47>: test %eax,%eax
0x000000000042d258 <+49>: je 0x42d27e <EBML_BufferToID+87>
0x000000000042d25a <+51>: mov -0x8(%rbp),%rax
0x000000000042d25e <+55>: movzbl (%rax),%eax
0x000000000042d261 <+58>: movzbl %al,%eax
0x000000000042d264 <+61>: shl $0x8,%eax
0x000000000042d267 <+64>: mov %eax,%edx
---Type to continue, or q to quit---q
Quit
(gdb) i r
rax 0x0 0
rbx 0x67 103
rcx 0x0 0
rdx 0x643ff0 6569968
rsi 0x644980 6572416
rdi 0x0 0
rbp 0x7fffffffb690 0x7fffffffb690
rsp 0x7fffffffb690 0x7fffffffb690
r8 0x7ffff7dd59d0 140737351866832
r9 0x7fffffffa880 140737488332928
r10 0x42bca4 4373668
r11 0x246 582
r12 0x401420 4199456
r13 0x7fffffffdf60 140737488346976
r14 0x0 0
r15 0x0 0
rip 0x42d233 0x42d233 <EBML_BufferToID+12>
eflags 0x10246 [ PF ZF IF RF ]
cs 0x33 51
ss 0x2b 43
ds 0x0 0
es 0x0 0
fs 0x0 0
---Type to continue, or q to quit---
gs 0x0 0
(gdb)
PoC: libebml2_null_pointer_dereference_1.mkv
It has been assigned CVE-2017-12781.
The ReadData function in ebmlmaster.c in libebml2 (through 2012-08-26) can cause a denial of service (assertion failure) via a crafted mkv file.
./mkvalidator libebml2_assert_fault_1.mkv
----debug info:----
..mkvalidator: ebmlmaster.c:427: ReadData: Assertion `SubElement!=((void *)0)' failed.
Program received signal SIGABRT, Aborted.
0x00007ffff7a4bcc9 in __GI_raise (sig=sig@entry=6)
at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
56 ../nptl/sysdeps/unix/sysv/linux/raise.c: No such file or directory.
(gdb) bt
#0 0x00007ffff7a4bcc9 in __GI_raise (sig=sig@entry=6)
at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
#1 0x00007ffff7a4f0d8 in __GI_abort () at abort.c:89
#2 0x00007ffff7a44b86 in __assert_fail_base (
fmt=0x7ffff7b95830 "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n",
assertion=assertion@entry=0x43b93f "SubElement!=((void *)0)",
file=file@entry=0x43b5d0 "ebmlmaster.c", line=line@entry=427,
function=function@entry=0x43ba73 <PRETTY_FUNCTION.4885> "ReadData")
at assert.c:92
#3 0x00007ffff7a44c32 in __GI___assert_fail (
assertion=0x43b93f "SubElement!=((void *)0)",
file=0x43b5d0 "ebmlmaster.c", line=427,
function=0x43ba73 <PRETTY_FUNCTION.4885> "ReadData") at assert.c:101
#4 0x000000000043032e in ReadData (Element=0x678fa0, Input=0x675c40,
ParserContext=0x7fffffffb8a0, AllowDummyElt=1, Scope=1, DepthCheckCRC=2)
at ebmlmaster.c:427
#5 0x0000000000405c5f in main (argc=2, argv=0x7fffffffdf68)
at mkvalidator.c:1074
(gdb)
PoC: libebml2_assert_fault_1.mkv
It has been assigned CVE-2017-12782.
The ReadDataFloat function in ebmlnumber.c in libebml2 (through 2012-08-26) can cause a denial of service (assertion failure) via a crafted mkv file. The failing assertion shows a float element whose DataSize is neither 4 nor 8 being accepted from the file before the size is validated.
./mkvalidator libebml2_assert_fault_2.mkv
----debug info:----
....mkvalidator: ebmlnumber.c:222: ReadDataFloat: Assertion `Element->Base.DataSize == 8 || Element->Base.DataSize == 4' failed.
Program received signal SIGABRT, Aborted.
0x00007ffff7a4bcc9 in __GI_raise (sig=sig@entry=6)
at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
56 ../nptl/sysdeps/unix/sysv/linux/raise.c: No such file or directory.
(gdb) bt
#0 0x00007ffff7a4bcc9 in __GI_raise (sig=sig@entry=6)
at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
#1 0x00007ffff7a4f0d8 in __GI_abort () at abort.c:89
#2 0x00007ffff7a44b86 in __assert_fail_base (
fmt=0x7ffff7b95830 "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n",
assertion=assertion@entry=0x43bb08 "Element->Base.DataSize == 8 || Element->Base.DataSize == 4", file=file@entry=0x43bab0 "ebmlnumber.c",
line=line@entry=222,
function=function@entry=0x43bcb2 <PRETTY_FUNCTION.4760> "ReadDataFloat") at assert.c:92
#3 0x00007ffff7a44c32 in __GI___assert_fail (
assertion=0x43bb08 "Element->Base.DataSize == 8 || Element->Base.DataSize == 4", file=0x43bab0 "ebmlnumber.c", line=222,
function=0x43bcb2 <PRETTY_FUNCTION.4760> "ReadDataFloat")
at assert.c:101
#4 0x0000000000430e8b in ReadDataFloat (Element=0x67abc0, Input=0x675c40,
ParserContext=0x7fffffffb520, AllowDummyElt=1, Scope=1, DepthCheckCRC=1)
at ebmlnumber.c:222
#5 0x000000000042fc8e in ReadData (Element=0x67aae0, Input=0x675c40,
ParserContext=0x7fffffffb600, AllowDummyElt=1, Scope=1, DepthCheckCRC=2)
at ebmlmaster.c:331
#6 0x000000000042fc8e in ReadData (Element=0x67a400, Input=0x675c40,
ParserContext=0x7fffffffb750, AllowDummyElt=1, Scope=1, DepthCheckCRC=3)
---Type to continue, or q to quit---
at ebmlmaster.c:331
#7 0x000000000040e558 in ReadTrackEntry (Element=0x67a400, Input=0x675c40,
ParserContext=0x7fffffffb750, AllowDummyElt=1, Scope=1, DepthCheckCRC=3)
at matroskamain.c:2257
#8 0x000000000042fc8e in ReadData (Element=0x679980, Input=0x675c40,
ParserContext=0x7fffffffb8a0, AllowDummyElt=1, Scope=1, DepthCheckCRC=4)
at ebmlmaster.c:331
#9 0x0000000000406097 in main (argc=2, argv=0x7fffffffdf68)
at mkvalidator.c:1124
(gdb)
PoC: libebml2_assert_fault_2.mkv
It has been assigned CVE-2017-12783.
The EBML_FindNextElement function in ebmlmain.c in libebml2 (through 2012-08-26) can cause a denial of service (NULL pointer dereference and application crash) via a crafted mkv file. The backtrace below shows pContext=0x0 being passed through EBML_ElementSkipData (Context=0x0) from CheckMatroskaHead at mkclean.c:673.
./mkclean libebml2_null_pointer_dereference_2.mkv
----debug info:----
Program received signal SIGSEGV, Segmentation fault.
0x0000000000447ee1 in EBML_FindNextElement (Input=0x6caef0, pContext=0x0,
UpperLevels=0x7fffffffabd4, AllowDummyElt=0) at ebmlmain.c:516
516 OrigContext = *pContext;
(gdb) bt
#0 0x0000000000447ee1 in EBML_FindNextElement (Input=0x6caef0, pContext=0x0,
UpperLevels=0x7fffffffabd4, AllowDummyElt=0) at ebmlmain.c:516
#1 0x0000000000446263 in EBML_ElementSkipData (p=0x6c9060, Input=0x6caef0,
Context=0x0, TestReadElt=0x0, AllowDummyElt=0) at ebmlelement.c:122
#2 0x00000000004039cb in CheckMatroskaHead (Head=0x6c9380,
Parser=0x7fffffffb470, Input=0x6caef0) at mkclean.c:673
#3 0x0000000000407c07 in main (argc=2, argv=0x7fffffffdf78) at mkclean.c:1643
(gdb) disassemble
Dump of assembler code for function EBML_FindNextElement:
0x0000000000447deb <+0>: push %rbp
0x0000000000447dec <+1>: mov %rsp,%rbp
0x0000000000447def <+4>: push %rbx
0x0000000000447df0 <+5>: sub $0xd8,%rsp
0x0000000000447df7 <+12>: mov %rdi,-0xb8(%rbp)
0x0000000000447dfe <+19>: mov %rsi,-0xc0(%rbp)
0x0000000000447e05 <+26>: mov %rdx,-0xc8(%rbp)
0x0000000000447e0c <+33>: mov %rcx,-0xd0(%rbp)
0x0000000000447e13 <+40>: mov %fs:0x28,%rax
0x0000000000447e1c <+49>: mov %rax,-0x18(%rbp)
0x0000000000447e20 <+53>: xor %eax,%eax
0x0000000000447e22 <+55>: movb $0x0,-0xac(%rbp)
0x0000000000447e29 <+62>: movb $0x0,-0xaa(%rbp)
0x0000000000447e30 <+69>: movl $0x0,-0xa0(%rbp)
0x0000000000447e3a <+79>: mov -0xc8(%rbp),%rax
0x0000000000447e41 <+86>: mov (%rax),%eax
0x0000000000447e43 <+88>: mov %eax,-0x9c(%rbp)
0x0000000000447e49 <+94>: cmpq $0x0,-0xb8(%rbp)
0x0000000000447e51 <+102>: jne 0x447e72 <EBML_FindNextElement+135>
0x0000000000447e53 <+104>: lea 0x37e56(%rip),%rcx # 0x47fcb0 <PRETTY_FUNCTION.4925>
0x0000000000447e5a <+111>: mov $0x1fc,%edx
---Type to continue, or q to quit---
0x0000000000447e5f <+116>: lea 0x37b8b(%rip),%rsi # 0x47f9f1
0x0000000000447e66 <+123>: lea 0x37d5b(%rip),%rdi # 0x47fbc8
0x0000000000447e6d <+130>: callq 0x401510 __assert_fail@plt
0x0000000000447e72 <+135>: mov -0xb8(%rbp),%rax
0x0000000000447e79 <+142>: mov 0x8(%rax),%rax
0x0000000000447e7d <+146>: mov 0x78(%rax),%rax
0x0000000000447e81 <+150>: mov -0xb8(%rbp),%rcx
0x0000000000447e88 <+157>: mov $0x1,%edx
0x0000000000447e8d <+162>: mov $0x0,%esi
0x0000000000447e92 <+167>: mov %rcx,%rdi
0x0000000000447e95 <+170>: callq *%rax
0x0000000000447e97 <+172>: mov %rax,-0x70(%rbp)
0x0000000000447e9b <+176>: lea -0x50(%rbp),%rax
0x0000000000447e9f <+180>: mov %rax,-0x80(%rbp)
0x0000000000447ea3 <+184>: cmpq $0xffffffffffffffff,-0x70(%rbp)
0x0000000000447ea8 <+189>: jne 0x447eb4 <EBML_FindNextElement+201>
0x0000000000447eaa <+191>: mov $0x0,%eax
0x0000000000447eaf <+196>: jmpq 0x448814 <EBML_FindNextElement+2601>
0x0000000000447eb4 <+201>: cmpq $0x0,-0x80(%rbp)
0x0000000000447eb9 <+206>: jne 0x447eda <EBML_FindNextElement+239>
0x0000000000447ebb <+208>: lea 0x37dee(%rip),%rcx # 0x47fcb0 <PRETTY_FUNCTION.4925>
0x0000000000447ec2 <+215>: mov $0x203,%edx
---Type to continue, or q to quit---
0x0000000000447ec7 <+220>: lea 0x37b23(%rip),%rsi # 0x47f9f1
0x0000000000447ece <+227>: lea 0x37d2b(%rip),%rdi # 0x47fc00
0x0000000000447ed5 <+234>: callq 0x401510 __assert_fail@plt
0x0000000000447eda <+239>: mov -0xc0(%rbp),%rax
=> 0x0000000000447ee1 <+246>: mov (%rax),%rdx
0x0000000000447ee4 <+249>: mov %rdx,-0x50(%rbp)
0x0000000000447ee8 <+253>: mov 0x8(%rax),%rdx
0x0000000000447eec <+257>: mov %rdx,-0x48(%rbp)
0x0000000000447ef0 <+261>: mov 0x10(%rax),%rdx
0x0000000000447ef4 <+265>: mov %rdx,-0x40(%rbp)
0x0000000000447ef8 <+269>: mov 0x18(%rax),%rax
0x0000000000447efc <+273>: mov %rax,-0x38(%rbp)
0x0000000000447f00 <+277>: jmp 0x447f32 <EBML_FindNextElement+327>
0x0000000000447f02 <+279>: mov -0x80(%rbp),%rax
0x0000000000447f06 <+283>: mov 0x8(%rax),%rax
0x0000000000447f0a <+287>: test %rax,%rax
0x0000000000447f0d <+290>: jne 0x447f11 <EBML_FindNextElement+294>
0x0000000000447f0f <+292>: jmp 0x447f55 <EBML_FindNextElement+362>
0x0000000000447f11 <+294>: mov -0x80(%rbp),%rax
0x0000000000447f15 <+298>: mov 0x8(%rax),%rax
0x0000000000447f19 <+302>: mov %rax,-0x80(%rbp)
0x0000000000447f1d <+306>: mov -0xc8(%rbp),%rax
0x0000000000447f24 <+313>: mov (%rax),%eax
---Type to continue, or q to quit---q
Quit
(gdb) i r
rax 0x0 0
rbx 0x7fffffffb4d0 140737488336080
rcx 0x7ffff7b0f4b0 140737348957360
rdx 0x1 1
rsi 0x0 0
rdi 0x3 3
rbp 0x7fffffffab90 0x7fffffffab90
rsp 0x7fffffffaab0 0x7fffffffaab0
r8 0x0 0
r9 0xb 11
r10 0x7fffffffa9a0 140737488333216
r11 0x246 582
r12 0x4017b0 4200368
r13 0x7fffffffdf70 140737488346992
r14 0x0 0
r15 0x0 0
rip 0x447ee1 0x447ee1 <EBML_FindNextElement+246>
eflags 0x10202 [ IF RF ]
cs 0x33 51
ss 0x2b 43
ds 0x0 0
es 0x0 0
fs 0x0 0
---Type to continue, or q to quit---
gs 0x0 0
(gdb)
PoC: libebml2_null_pointer_dereference_2.mkv
It has been assigned CVE-2017-12800.
The UpdateDataSize function in ebmlmaster.c in libebml2 (through 2012-08-26) can cause a denial of service (assertion failure) via a crafted mkv file.
./mkclean libebml2_assert_fault_3.mkv
----debug info:----
mkclean: ebmlmaster.c:244: UpdateDataSize: Assertion `CheckMandatory((ebml_master*)Element, bWithDefault)' failed.
Program received signal SIGABRT, Aborted.
0x00007ffff7a4bcc9 in __GI_raise (sig=sig@entry=6)
at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
56 ../nptl/sysdeps/unix/sysv/linux/raise.c: No such file or directory.
(gdb) bt
#0 0x00007ffff7a4bcc9 in __GI_raise (sig=sig@entry=6)
at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
#1 0x00007ffff7a4f0d8 in __GI_abort () at abort.c:89
#2 0x00007ffff7a44b86 in __assert_fail_base (
fmt=0x7ffff7b95830 "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n",
assertion=assertion@entry=0x47feb8 "CheckMandatory((ebml_master*)Element, bWithDefault)", file=file@entry=0x47fcd0 "ebmlmaster.c", line=line@entry=244,
function=function@entry=0x480334 <PRETTY_FUNCTION.4876> "UpdateDataSize") at assert.c:92
#3 0x00007ffff7a44c32 in __GI___assert_fail (
assertion=0x47feb8 "CheckMandatory((ebml_master*)Element, bWithDefault)",
file=0x47fcd0 "ebmlmaster.c", line=244,
function=0x480334 <PRETTY_FUNCTION.4876> "UpdateDataSize")
at assert.c:101
#4 0x0000000000449223 in UpdateDataSize (Element=0x6d1ec0, bWithDefault=0,
bForceWithoutMandatory=0) at ebmlmaster.c:244
#5 0x0000000000419f3e in UpdateDataSizeTrackEntry (Element=0x6d1ec0,
bWithDefault=0, bForceWithoutMandatory=0) at matroskamain.c:2343
#6 0x00000000004492ee in UpdateDataSize (Element=0x6d1e50, bWithDefault=0,
bForceWithoutMandatory=0) at ebmlmaster.c:256
#7 0x0000000000409672 in main (argc=2, argv=0x7fffffffdf78) at mkclean.c:2012
(gdb)
PoC: libebml2_assert_fault_3.mkv
It has been assigned CVE-2017-12801.
The EBML_IntegerValue function in ebmlnumber.c in libebml2 (through 2012-08-26) can cause a denial of service (assertion failure) via a crafted mkv file.
./mkclean libebml2_assert_fault_4.mkv
----debug info:----
mkclean: ebmlnumber.c:428: EBML_IntegerValue: Assertion `Node_IsPartOf(Element,(fourcc_t)(((uint8_t)('E') << 0) | ((uint8_t)('B') << 8) | ((uint8_t)('I') << 16) | ((uint8_t)('T')<< 24))) || Node_IsPartOf(Element,(fourcc_t)(((uint8_t)('E') << 0) | ((uint8_t)('B') << 8) | ((uint8_t)('S') << 16) | ((uint8_t)('I')<< 24)))' failed.
Program received signal SIGABRT, Aborted.
0x00007ffff7a4bcc9 in __GI_raise (sig=sig@entry=6)
at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
56 ../nptl/sysdeps/unix/sysv/linux/raise.c: No such file or directory.
(gdb) bt
#0 0x00007ffff7a4bcc9 in __GI_raise (sig=sig@entry=6)
at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
#1 0x00007ffff7a4f0d8 in __GI_abort () at abort.c:89
#2 0x00007ffff7a44b86 in __assert_fail_base (
fmt=0x7ffff7b95830 "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n",
assertion=assertion@entry=0x480478 "Node_IsPartOf(Element,(fourcc_t)(((uint8_t)('E') << 0) | ((uint8_t)('B') << 8) | ((uint8_t)('I') << 16) | ((uint8_t)('T')<< 24))) || Node_IsPartOf(Element,(fourcc_t)(((uint8_t)('E') << 0) | ((uint8_t)"..., file=file@entry=0x480390 "ebmlnumber.c", line=line@entry=428,
function=function@entry=0x480650 <PRETTY_FUNCTION.4901> "EBML_IntegerValue") at assert.c:92
#3 0x00007ffff7a44c32 in __GI___assert_fail (
assertion=0x480478 "Node_IsPartOf(Element,(fourcc_t)(((uint8_t)('E') << 0) | ((uint8_t)('B') << 8) | ((uint8_t)('I') << 16) | ((uint8_t)('T')<< 24))) || Node_IsPartOf(Element,(fourcc_t)(((uint8_t)('E') << 0) | ((uint8_t)"...,
file=0x480390 "ebmlnumber.c", line=428,
function=0x480650 <PRETTY_FUNCTION.4901> "EBML_IntegerValue")
at assert.c:101
#4 0x000000000044c07a in EBML_IntegerValue (Element=0x6d1190)
at ebmlnumber.c:428
#5 0x000000000040850a in main (argc=2, argv=0x7fffffffdf78) at mkclean.c:1764
(gdb)
PoC: libebml2_assert_fault_4.mkv
It has been assigned CVE-2017-12802.
The Node_ValidatePtr function in corec/corec/node/node.c in mkclean 0.8.9 can cause a denial of service (assertion failure) via a crafted mkv file. Note that the debug output below shows a SIGSEGV rather than an abort: the assert expression dereferences Node (0x0) before the comparison can run, and the NULL Element originates in CleanTracks at mkclean.c:962.
./mkclean mkclean_0.8.9_assert_fault.mkv
----debug info:----
Program received signal SIGSEGV, Segmentation fault.
0x000000000043d3d2 in Node_ValidatePtr (Node=0x0)
at ../corec/corec/node/node.c:155
155 assert(((node*)Node)->Magic==NODE_MAGIC);
(gdb) bt
#0 0x000000000043d3d2 in Node_ValidatePtr (Node=0x0)
at ../corec/corec/node/node.c:155
#1 Node_IsPartOf (Node=0x0, PartOfClass=1414087237)
at ../corec/corec/node/node.c:1534
#2 0x000000000044c040 in EBML_IntegerValue (Element=0x0) at ebmlnumber.c:428
#3 0x0000000000404a87 in CleanTracks (Tracks=0x6d1160, SrcProfile=1,
DstProfile=0x6a0584 , Attachments=0x0,
Alternate3DTracks=0x7fffffffb410) at mkclean.c:962
#4 0x0000000000408812 in main (argc=2, argv=0x7fffffffdf88) at mkclean.c:1811
PoC: mkclean_0.8.9_assert_fault.mkv
It has been assigned CVE-2017-12803.
poc.zip