Stack buffer overflow in av_parsers.c #997
Comments
Can I get an ack on this? :)
It is acknowledged :) And you're right, there is a size check missing here. Do you have a bunch of these or just the two you've already opened for now? (to see if we're waiting for the other ones to fix them all in one go) More generally we should take a look at all these statically allocated arrays that are filled from input data and add a check on length by checking against
@aureliendavid These are the only two I've found so far, but I've only just started looking through this. I think you should go ahead and fix these two since there's no telling how long it'll take for me to find any more, or even if more exist.
Should now be ok - thanks for the report, reopen if needed
This issue was assigned CVE-2018-7752.
The stack buffer overflow occurs here:
I don't know exactly how bs_get_ue works, but it seems to return a u32. The size of offset_for_ref_frame is only 256 entries, so we can get this to overflow. The sps variable is a stack variable that comes from a parent function, for example in avcc_Read. Using this bug, I can craft an MP4 file that can overwrite anything above this variable in the stack, such as other fields in AVC_SPS, stack variables, etc.
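The pattern the report describes, as an added example that is not GPAC's code: a count read from the stream with Exp-Golomb ue(v) becomes the bound of a loop that fills a fixed 256-entry array inside a stack-resident SPS struct, and a single range check against the array size rejects counts that would index past it. The bit reader, mini_sps and the streams inside demo() are constructed stand-ins; bs_get_ue, offset_for_ref_frame and AVC_SPS are only named for reference.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#define MAX_POC_CYCLE 256  /* size of offset_for_ref_frame in the report */
typedef struct { uint32_t poc_cycle_length; int32_t offset_for_ref_frame[MAX_POC_CYCLE]; } mini_sps; /* constructed stand-in for AVC_SPS */
/* Minimal MSB-first bit reader (assumption: stands in for GPAC's bitstream API). */
typedef struct { const uint8_t *data; size_t len; size_t bitpos; } bitreader;
static int br_bit(bitreader *br, uint32_t *out) {
    if (br->bitpos >= br->len * 8) return -1;  /* ran off the end of the buffer */
    *out = (br->data[br->bitpos >> 3] >> (7 - (br->bitpos & 7))) & 1;
    br->bitpos++; return 0;
}
/* Exp-Golomb ue(v), the coding bs_get_ue reads: N zeros, a one, N payload bits.
 * The result is a full u32, so the caller must range-check it before indexing. */
static int br_ue(bitreader *br, uint32_t *out) {
    uint32_t bit = 0, zeros = 0, val = 0;
    while (zeros < 32 && br_bit(br, &bit) == 0 && bit == 0) zeros++;
    if (zeros >= 32 || bit == 0) return -1;    /* overlong code or truncated stream */
    for (uint32_t i = 0; i < zeros; i++) {
        if (br_bit(br, &bit)) return -1;
        val = (val << 1) | bit;
    }
    *out = (1u << zeros) - 1 + val;
    return 0;
}
/* Hardened loop: the stream-supplied count is checked against the array size
 * before it becomes the loop bound. Returns 0 on success, -1 to reject the SPS. */
int parse_poc_cycle(const uint8_t *buf, size_t len, mini_sps *sps) {
    bitreader br = { buf, len, 0 };
    if (br_ue(&br, &sps->poc_cycle_length)) return -1;
    if (sps->poc_cycle_length > MAX_POC_CYCLE) return -1;  /* the missing size check */
    for (uint32_t i = 0; i < sps->poc_cycle_length; i++) {
        uint32_t ue;
        if (br_ue(&br, &ue)) return -1;
        /* se(v) mapping: odd codes are positive, even codes negative */
        sps->offset_for_ref_frame[i] = (ue & 1) ? (int32_t)(ue / 2 + 1) : -(int32_t)(ue / 2);
    }
    return 0;
}
/* Constructed streams: count=2 with offsets +1,-1 (bits 011 010 011), and count=300
 * (8 zeros, 1, 00101101), which without the check would index past the array. Returns 1 if both behave. */
int demo(void) {
    static const uint8_t good[] = { 0x69, 0x80 }, bad[] = { 0x00, 0x96, 0x80 };
    mini_sps s; memset(&s, 0, sizeof s);
    int ok = parse_poc_cycle(good, sizeof good, &s) == 0 && s.poc_cycle_length == 2
          && s.offset_for_ref_frame[0] == 1 && s.offset_for_ref_frame[1] == -1;
    return ok && parse_poc_cycle(bad, sizeof bad, &s) == -1;
}
```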