Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

A integer (heap) overflow in function adts_dmx_process #1723

Closed
treebacker opened this issue Mar 29, 2021 · 1 comment
Closed

A integer (heap) overflow in function adts_dmx_process #1723

treebacker opened this issue Mar 29, 2021 · 1 comment

Comments

@treebacker
Copy link

In filters/reframe_adts.c, function adts_dmx_process.
There is a sub codes like as below:
`
size = ctx->hdr.frame_size - ctx->hdr.hdr_size;
offset = ctx->hdr.hdr_size;
......
memcpy(output, sync + offset, size);

`
However, with crafted file, ctx->hdr.frame_size may be smaller than ctx->hdr.hdr_size.
So, the size may be a negative number, which results a heap overflow in memcpy.

In Command line:
gpac -info bug6
bug6_cmd

In gdb:
bug6

The crafted file is in the attached zip:
bug6.zip
jeanlf added a commit that referenced this issue Mar 29, 2021
@jeanlf
fixed potential crash in adts reframer with broken streams - cf #1723
22774aa
@jeanlf
Copy link
Member

jeanlf commented Mar 29, 2021

could not reproduce crash with latest master, but added safety checks. Thanks for the report

@jeanlf jeanlf closed this as completed Mar 29, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@jeanlf @treebacker