libmpeg memory overflow

Moderate
ireader published GHSA-p7jj-x4pf-33fv May 16, 2022

Package

libmpeg (c)

Affected versions

master

Patched versions

None

Description

Impact

=================================================================
==62461==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffe95b8a37d at pc 0x5597f2b9b16c bp 0x7ffe95b8a050 sp 0x7ffe95b8a048
READ of size 1 at 0x7ffe95b8a37d thread T0
    #0 0x5597f2b9b16b in pmt_read source/mpeg-pmt.c:148
    #1 0x5597f2b9ff0c in ts_demuxer_input source/mpeg-ts-dec.c:229
    #2 0x5597f2b8db37 in mpeg_ts_file /home/fuzz/media-server/libmpeg/fuzz/ts-harness.cpp:79
    #3 0x5597f2b8db37 in mpeg_ts_test(char const*) /home/fuzz/media-server/libmpeg/fuzz/ts-harness.cpp:97
    #4 0x5597f2b8d338 in main /home/fuzz/media-server/libmpeg/fuzz/ts-harness.cpp:108
    #5 0x7fe66e33c2e0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202e0)
    #6 0x5597f2b8d7b9 in _start (/data00/home/fuzz/media-server/libmpeg/fuzz/ts-harness+0x27b9)

Address 0x7ffe95b8a37d is located in stack of thread T0 at offset 301 in frame
    #0 0x5597f2b8d9ff in mpeg_ts_test(char const*) /home/fuzz/media-server/libmpeg/fuzz/ts-harness.cpp:88
=================================================================
==71887==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fff452fc9be at pc 0x56457a296ad9 bp 0x7fff452fc710 sp 0x7fff452fc708
READ of size 1 at 0x7fff452fc9be thread T0
    #0 0x56457a296ad8 in adaptation_filed_read source/mpeg-ts-dec.c:85
    #1 0x56457a296ad8 in ts_demuxer_input source/mpeg-ts-dec.c:188
    #2 0x56457a283b37 in mpeg_ts_file /home/fuzz/media-server/libmpeg/fuzz/ts-harness.cpp:79
    #3 0x56457a283b37 in mpeg_ts_test(char const*) /home/fuzz/media-server/libmpeg/fuzz/ts-harness.cpp:97
    #4 0x56457a283338 in main /home/fuzz/media-server/libmpeg/fuzz/ts-harness.cpp:108
    #5 0x7faadc3ac2e0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202e0)
    #6 0x56457a2837b9 in _start (/data00/home/fuzz/media-server/libmpeg/fuzz/ts-harness+0x27b9)

Address 0x7fff452fc9be is located in stack of thread T0 at offset 302 in frame
    #0 0x56457a2839ff in mpeg_ts_test(char const*) /home/fuzz/media-server/libmpeg/fuzz/ts-harness.cpp:88

Patches

fix GHSA-p7jj-x4pf-33fv mpeg pmt/pat/sdt/AF memory access overrun

Workarounds

Check the PAT/PMT/SDT header length
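One way to apply this workaround before handing a packet to the demuxer is sketched below as an added example; it is not libmpeg's code or its patch. The names `psi_section_bounds` and `make_sample` are hypothetical, and the helper assumes a section that fits in one 188-byte TS packet, rejecting anything whose adaptation field or `section_length` would extend past the buffer.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define TS_PACKET_SIZE 188

/* Hypothetical helper, not libmpeg API: find a PSI section that starts in this
 * TS packet. Returns 0 and sets *off / *size (3-byte header included) only if
 * the whole section lies inside pkt[0..len); otherwise returns -1. */
int psi_section_bounds(const uint8_t *pkt, size_t len, size_t *off, size_t *size)
{
    size_t i = 4;                          /* first byte after the TS header */
    if (len != TS_PACKET_SIZE || pkt[0] != 0x47 ||
        !(pkt[1] & 0x40) || !(pkt[3] & 0x10))
        return -1;            /* bad sync, no section start, or no payload */
    if (pkt[3] & 0x20) {                   /* adaptation field present */
        size_t af_len = pkt[4];            /* untrusted, 0..255 */
        if (af_len > TS_PACKET_SIZE - 4 - 1 - 1)
            return -1;                     /* must leave >= 1 payload byte */
        i += 1 + af_len;
    }
    i += 1 + (size_t)pkt[i];               /* skip pointer_field and its gap */
    if (i + 3 > len)
        return -1;                         /* section header not in packet */
    size_t section_length = ((size_t)(pkt[i + 1] & 0x0F) << 8) | pkt[i + 2];
    if (section_length < 5 + 4 || section_length > len - (i + 3))
        return -1;                         /* too short, or runs past packet */
    *off = i;
    *size = 3 + section_length;
    return 0;
}

/* Constructed sample: PUSI, payload only, pointer_field 0, PMT table_id. */
void make_sample(uint8_t *pkt, uint16_t section_length)
{
    memset(pkt, 0xFF, TS_PACKET_SIZE);
    pkt[0] = 0x47; pkt[1] = 0x50; pkt[2] = 0x00; pkt[3] = 0x10;
    pkt[4] = 0x00; pkt[5] = 0x02;
    pkt[6] = (uint8_t)(0xB0 | (section_length >> 8));
    pkt[7] = (uint8_t)(section_length & 0xFF);
}

int main(void)
{
    uint8_t pkt[TS_PACKET_SIZE];
    size_t off, size;
    make_sample(pkt, 0x0FFF);              /* claims 4095 bytes in 188 */
    printf("%d\n", psi_section_bounds(pkt, sizeof pkt, &off, &size));
    return 0;
}
```

Sections that legitimately span several TS packets are rejected by this helper; a demuxer that reassembles them needs the same comparison against the number of bytes actually buffered.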

References

@Cossack9989

For more information

If you have any questions or comments about this advisory:

Open an issue in ireader/media-server

Severity

Moderate

CVE ID

No known CVE
