
Stack buffer overflow in av_parsers.c #997

Closed
gsingh93 opened this issue Feb 26, 2018 · 5 comments

Comments

@gsingh93

The stack buffer overflow occurs here:

sps->poc_cycle_length = bs_get_ue(bs);  /* count taken straight from the bitstream, no range check */
for(i=0; i<sps->poc_cycle_length; i++) sps->offset_for_ref_frame[i] = bs_get_se(bs);  /* writes past the 256-entry array once the count exceeds it */

I don't know exactly how bs_get_ue works, but it seems to return a u32. The size of offset_for_ref_frame is only 256 entries, so we can get this to overflow. The sps variable is a stack variable that comes from a parent function, for example in avcc_Read.

Using this bug, I can craft an MP4 file that can overwrite anything above this variable in the stack, such as other fields in AVC_SPS, stack variables, etc.

@gsingh93
Author

Can I get an ack on this? :)

@aureliendavid
Contributor

It is acknowledged :)

And you're right, there is a size check missing here.

Do you have a bunch of these or just the two you've already opened for now? (to see if we're waiting for the other ones to fix them all in one go)

More generally we should take a look at all these statically allocated arrays that are filled from input data and add a check on length by checking against sizeof(array)/sizeof(array[0]).
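The missing check described in the report and the sizeof-based bound suggested in the reply above, as an added example (not GPAC's code): a constructed minimal Exp-Golomb bit reader stands in for bs_get_ue/bs_get_se, and SpsPocCycle is a hypothetical stand-in for the relevant AVC_SPS fields with the 256-entry array from the report.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdbool.h>

/* Constructed minimal MSB-first bit reader (not GPAC's BitStream API). */
typedef struct { const uint8_t *data; size_t len; size_t pos; } BitReader;

static int read_bit(BitReader *br) {
    if (br->pos >= br->len * 8) return -1;            /* ran out of input */
    int bit = (br->data[br->pos >> 3] >> (7 - (br->pos & 7))) & 1;
    br->pos++;
    return bit;
}

/* ue(v) Exp-Golomb decode; -1 on truncated or absurdly long code. */
static int64_t read_ue(BitReader *br) {
    int zeros = 0, b;
    while ((b = read_bit(br)) == 0)
        if (++zeros > 31) return -1;
    if (b < 0) return -1;
    uint64_t suffix = 0;
    for (int i = 0; i < zeros; i++) {
        if ((b = read_bit(br)) < 0) return -1;
        suffix = (suffix << 1) | (uint64_t)b;
    }
    return (int64_t)((((uint64_t)1) << zeros) - 1 + suffix);
}

/* se(v): signed mapping of ue(v): k=1 -> +1, k=2 -> -1, k=3 -> +2, ... */
static bool read_se(BitReader *br, int32_t *out) {
    int64_t k = read_ue(br);
    if (k < 0) return false;
    *out = (k & 1) ? (int32_t)((k + 1) / 2) : -(int32_t)(k / 2);
    return true;
}

/* Hypothetical stand-in for the AVC_SPS fields; 256 entries as in the report. */
typedef struct { uint32_t poc_cycle_length; int32_t offset_for_ref_frame[256]; } SpsPocCycle;

/* Hardened form of the loop quoted in the issue: the count read from the
   bitstream is checked against the array capacity before any element is
   written, so an oversized poc_cycle_length is rejected rather than trusted. */
static bool parse_poc_cycle(BitReader *br, SpsPocCycle *sps) {
    size_t cap = sizeof(sps->offset_for_ref_frame) / sizeof(sps->offset_for_ref_frame[0]);
    int64_t n = read_ue(br);
    if (n < 0 || (uint64_t)n > cap) return false;
    sps->poc_cycle_length = (uint32_t)n;
    for (uint32_t i = 0; i < sps->poc_cycle_length; i++)
        if (!read_se(br, &sps->offset_for_ref_frame[i])) return false;
    return true;
}
```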

@gsingh93
Author

gsingh93 commented Mar 2, 2018

@aureliendavid These are the only two I've found so far, but I've only just started looking through this. I think you should go ahead and fix these two since there's no telling how long it'll take for me to find any more, or even if more exist.

@aureliendavid
Contributor

Should now be ok - thanks for the report, reopen if needed.

gsingh93 changed the title from "Stack buffer overflow in avc_parsers.c" to "Stack buffer overflow in av_parsers.c" on Mar 9, 2018
@gsingh93
Author

This issue was assigned CVE-2018-7752.
