AddressSanitizer: heap-buffer-overflow on address in ASDCP::TimedText::MXFReader::h__Reader::MD_to_TimedText_TDesc

[0xd4n10]

Title: AddressSanitizer: heap-buffer-overflow on address in ASDCP::TimedText::MXFReader::h__Reader::MD_to_TimedText_TDesc

Description:
I found a heap-buffer-overflow when testing the asdcplib library, specifically in the MD_to_TimedText_TDesc function.

Affected Software:

Software: asdcplib
Version: 2.13.1
Operating System: Debian 11
Kernel: Linux debian 5.10.0-28-amd64 #1 SMP Debian 5.10.209-2 (2024-01-31) x86_64 GNU/Linux

Impact:
A heap-buffer-overflow vulnerability can lead to application crashes, data corruption, security vulnerabilities, and system instability.

Steps to Reproduce:

Build the affected software (asdcplib) after enabling AddressSanitizer.
Execute any of the affected binaries (asdcp-info, asdcp-unwrap) with provided poc that triggers the vulnerable code path.
Observe the AddressSanitizer report indicating a heap-buffer-overflow error.

Example Output (AddressSanitizer):

=================================================================
==3302077==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60e0000008c9 at pc 0x7f438b4876ae bp 0x7fff15258e00 sp 0x7fff15258df8
READ of size 16 at 0x60e0000008c9 thread T0
    #0 0x7f438b4876ad in ASDCP::TimedText::MXFReader::h__Reader::MD_to_TimedText_TDesc(ASDCP::TimedText::TimedTextDescriptor&) (/mnt/fast/DCP/asdcplib/build-asan/src/libasdcp.so.2+0x38b6ad)
    #1 0x7f438b487ff6 in ASDCP::TimedText::MXFReader::h__Reader::OpenRead(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) (/mnt/fast/DCP/asdcplib/build-asan/src/libasdcp.so.2+0x38bff6)
    #2 0x7f438b48934b in ASDCP::TimedText::MXFReader::OpenRead(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) const (/mnt/fast/DCP/asdcplib/build-asan/src/libasdcp.so.2+0x38d34b)
    #3 0x5607797159f7 in FileInfoWrapper<ASDCP::TimedText::MXFReader, MyTextDescriptor>::file_info(CommandOptions&, char const*, _IO_FILE*) (/mnt/fast/DCP/asdcplib/build-asan/src/asdcp-info+0x269f7)
    #4 0x560779703ffa in show_file_info(CommandOptions&, Kumu::IFileReaderFactory const&) (/mnt/fast/DCP/asdcplib/build-asan/src/asdcp-info+0x14ffa)
    #5 0x560779705652 in main (/mnt/fast/DCP/asdcplib/build-asan/src/asdcp-info+0x16652)
    #6 0x7f438ad0fd09 in __libc_start_main ../csu/libc-start.c:308
    #7 0x560779702859 in _start (/mnt/fast/DCP/asdcplib/build-asan/src/asdcp-info+0x13859)

0x60e0000008c9 is located 9 bytes to the right of 160-byte region [0x60e000000820,0x60e0000008c0)
allocated by thread T0 here:
    #0 0x7f438b7c8647 in operator new(unsigned long) ../../../../src/libsanitizer/asan/asan_new_delete.cpp:99
    #1 0x7f438b38ccef in ContainerConstraintsSubDescriptor_Factory(ASDCP::Dictionary const*) (/mnt/fast/DCP/asdcplib/build-asan/src/libasdcp.so.2+0x290cef)
    #2 0x7f438b346f1d in ASDCP::MXF::CreateObject(ASDCP::Dictionary const*, ASDCP::UL const&) (/mnt/fast/DCP/asdcplib/build-asan/src/libasdcp.so.2+0x24af1d)
    #3 0x7f438b33de72 in ASDCP::MXF::OP1aHeader::InitFromBuffer(unsigned char const*, unsigned int) (/mnt/fast/DCP/asdcplib/build-asan/src/libasdcp.so.2+0x241e72)
    #4 0x7f438b33d389 in ASDCP::MXF::OP1aHeader::InitFromFile(Kumu::IFileReader const&) (/mnt/fast/DCP/asdcplib/build-asan/src/libasdcp.so.2+0x241389)
    #5 0x7f438b43c97a in ASDCP::MXF::TrackFileReader<ASDCP::MXF::OP1aHeader, ASDCP::MXF::OPAtomIndexFooter>::OpenMXFRead(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) (/mnt/fast/DCP/asdcplib/build-asan/src/libasdcp.so.2+0x34097a)
    #6 0x7f438b431f6e in ASDCP::h__ASDCPReader::OpenMXFRead(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) (/mnt/fast/DCP/asdcplib/build-asan/src/libasdcp.so.2+0x335f6e)
    #7 0x7f438b487cf6 in ASDCP::TimedText::MXFReader::h__Reader::OpenRead(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) (/mnt/fast/DCP/asdcplib/build-asan/src/libasdcp.so.2+0x38bcf6)
    #8 0x7f438b48934b in ASDCP::TimedText::MXFReader::OpenRead(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) const (/mnt/fast/DCP/asdcplib/build-asan/src/libasdcp.so.2+0x38d34b)
    #9 0x5607797159f7 in FileInfoWrapper<ASDCP::TimedText::MXFReader, MyTextDescriptor>::file_info(CommandOptions&, char const*, _IO_FILE*) (/mnt/fast/DCP/asdcplib/build-asan/src/asdcp-info+0x269f7)
    #10 0x560779703ffa in show_file_info(CommandOptions&, Kumu::IFileReaderFactory const&) (/mnt/fast/DCP/asdcplib/build-asan/src/asdcp-info+0x14ffa)
    #11 0x560779705652 in main (/mnt/fast/DCP/asdcplib/build-asan/src/asdcp-info+0x16652)
    #12 0x7f438ad0fd09 in __libc_start_main ../csu/libc-start.c:308

SUMMARY: AddressSanitizer: heap-buffer-overflow (/mnt/fast/DCP/asdcplib/build-asan/src/libasdcp.so.2+0x38b6ad) in ASDCP::TimedText::MXFReader::h__Reader::MD_to_TimedText_TDesc(ASDCP::TimedText::TimedTextDescriptor&)
Shadow bytes around the buggy address:
  0x0c1c7fff80c0: fd fd fd fd fa fa fa fa fa fa fa fa 00 00 00 00
  0x0c1c7fff80d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c1c7fff80e0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c1c7fff80f0: fd fd fd fd fd fd fd fd fd fd fd fd fa fa fa fa
  0x0c1c7fff8100: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c1c7fff8110: 00 00 00 00 00 00 00 00 fa[fa]fa fa fa fa fa fa
  0x0c1c7fff8120: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c1c7fff8130: fd fd fd fd fa fa fa fa fa fa fa fa 00 00 00 00
  0x0c1c7fff8140: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c1c7fff8150: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c1c7fff8160: 00 00 00 00 00 00 00 00 00 00 00 00 fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==3302077==ABORTING

POC:
poc.zip

Disclosure Timeline:

Date of Discovery: 26/05/2024
Date Reported to Vendor: 26/05/2024

Acknowledgments:
This vulnerability was discovered and reported by 0xd4n.

Please let me know if you require any further information or assistance.