Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

buffer overflow issue 5# #1188

Closed
niugx opened this issue Dec 22, 2018 · 2 comments
Closed

buffer overflow issue 5# #1188

niugx opened this issue Dec 22, 2018 · 2 comments

Comments

@niugx
Copy link

niugx commented Dec 22, 2018

There is a buffer overflow issue in gf_text_get_utf8_line () function, text_import.c

in line 429 of gf_text_import_srt, parameter lineSize is 2048, but in gf_text_get_utf8_line (), the size of szLineConv is 1024, so, when the size of szLine is more than 1024, the buffer of szLineConv will overflow.

429 char *sOK = gf_text_get_utf8_line(szLine, 2048, srt_in, unicode_type);

char *gf_text_get_utf8_line(char *szLine, u32 lineSize, FILE *txt_in, s32 unicode_type)
{
……
char szLineConv[1024];
……
len = (u32) strlen(szLine); // len might be more than 1024
for (i=0; i<len; i++) {
if (!unicode_type && (szLine[i] & 0x80)) {
/non UTF8 (likely some win-CP)/
if ((szLine[i+1] & 0xc0) != 0x80) {
szLineConv[j] = 0xc0 | ( (szLine[i] >> 6) & 0x3 ); // j may more than 1024 here
j++;
szLine[i] &= 0xbf;
}
……
}

root@ubuntu:/opt/niugx/cov_product/gpac/gpac-master/bin/gcc# ./MP4Box -srt 0 crafted_text.srt
Timed Text (SRT) import - text track 400 x 60, font Serif (size 18)
*** stack smashing detected ***: ./MP4Box terminated
Aborted (core dumped)

root@ubuntu:/opt/niugx/cov_product/gpac/gpac-master/bin/gcc# gdb ./MP4Box
GNU gdb (Ubuntu 7.7.1-0ubuntu5~14.04.3) 7.7.1
Copyright (C) 2014 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later http://gnu.org/licenses/gpl.html
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
http://www.gnu.org/software/gdb/bugs/.
Find the GDB manual and other documentation resources online at:
http://www.gnu.org/software/gdb/documentation/.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from ./MP4Box...done.
(gdb) set args -srt 0 crafted_text.srt
(gdb) b text_import.c:250
No source file named text_import.c.
Make breakpoint pending on future shared library load? (y or [n]) y
Breakpoint 1 (text_import.c:250) pending.
(gdb) r
Starting program: /opt/niugx/cov_product/gpac/gpac-master/bin/gcc/MP4Box -srt 0 crafted_text.srt
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Timed Text (SRT) import - text track 400 x 60, font Serif (size 18)

Breakpoint 1, gf_text_get_utf8_line (szLine=0x7fffffff88e0 "1\n", lineSize=2048, txt_in=0x65d570, unicode_type=0) at media_tools/text_import.c:250
250 szLineConv[j] = 0;
(gdb) c
Continuing.

Breakpoint 1, gf_text_get_utf8_line (szLine=0x7fffffff88e0 "00:00:12,375 --> 00:00:13,425\n", lineSize=2048, txt_in=0x65d570, unicode_type=0) at media_tools/text_import.c:250
250 szLineConv[j] = 0;
(gdb) c
Continuing.

Breakpoint 1, gf_text_get_utf8_line (
szLine=0x7fffffff88e0 "hello world hello world hello world hello world hello world hello world hello world hello world hello world hello world hello world hello world hello world hello world hello world hello world hello wo"..., lineSize=2048, txt_in=0x65d570, unicode_type=0) at media_tools/text_import.c:250
250 szLineConv[j] = 0;
(gdb) p j
$1 = 1729
(gdb) c
Continuing.
*** stack smashing detected ***: /opt/niugx/cov_product/gpac/gpac-master/bin/gcc/MP4Box terminated

Program received signal SIGABRT, Aborted.
0x00007ffff72b7c37 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
56 ../nptl/sysdeps/unix/sysv/linux/raise.c: No such file or directory.
(gdb)

Guoxiang Niu, EaglEye Team

@niugx
Copy link
Author

niugx commented Feb 7, 2019

this is CVE-2018-20763.

@niugx
Copy link
Author

niugx commented Apr 19, 2019

Fixed.

Patch:
1c449a3

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants