heap-buffer-overflow tsmuxer #395
Labels: bug (Something isn't working)
Comments
@NigelX your poc.wav is actually an incomplete mp4 file, is this intentional?

I'd say so, given how it's actually the fuzzers' job to generate data that's almost-valid-but-not-really, and thus trigger crashes in code paths which are usually left alone. The extension is irrelevant in this case.
xavery added a commit that referenced this issue Feb 3, 2021
The m_nalBuffer member was incremented in the loop while copying, which naturally led to the pointer being invalid when the destructor is executed in order to delete the array. The code was replaced with an equivalent std::copy call. Also, replaced the invalid delete with delete[]. Fixes #395.
Should be fixed now, thanks.
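The ownership bug described in the commit message above, reduced to a stand-alone C++ sketch. This is an added example, not tsMuxer's code: only the member name `m_nalBuffer` comes from the commit message, while the struct names, `m_allocBase`, `m_cap` and the bounds check are assumptions made for the demo.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <vector>

// "Before" pattern: the owning member itself is advanced while copying.
struct DriftingCopy {
    uint8_t* m_nalBuffer;  // owning pointer (name from the commit message)
    uint8_t* m_allocBase;  // hypothetical: kept only so this demo can free safely
    explicit DriftingCopy(size_t cap) : m_nalBuffer(new uint8_t[cap]), m_allocBase(m_nalBuffer) {}
    void store(const uint8_t* src, size_t n) {
        for (size_t i = 0; i < n; ++i) *m_nalBuffer++ = src[i];  // bug: member moves
    }
    // Offset between the pointer a destructor would free and the real allocation.
    std::ptrdiff_t drift() const { return m_nalBuffer - m_allocBase; }
    // The flawed destructor would run `delete m_nalBuffer;` here: a pointer that
    // new[] never returned, released with the non-array form of delete.
    ~DriftingCopy() { delete[] m_allocBase; }
};

// "After" pattern: std::copy advances a temporary, the member keeps the address
// returned by new[], and delete[] matches the allocation.
struct StableCopy {
    uint8_t* m_nalBuffer;
    size_t m_cap;  // hypothetical capacity field
    explicit StableCopy(size_t cap) : m_nalBuffer(new uint8_t[cap]), m_cap(cap) {}
    bool store(const uint8_t* src, size_t n) {
        if (n > m_cap) return false;  // bounds check added for this demo
        std::copy(src, src + n, m_nalBuffer);
        return true;
    }
    ~StableCopy() { delete[] m_nalBuffer; }
};

// How far the drifting member ends up from its allocation after copying n bytes.
std::ptrdiff_t drift_after_copy(size_t n) {
    std::vector<uint8_t> src(n, 0x41);  // constructed sample data
    DriftingCopy d(n);
    d.store(src.data(), n);
    return d.drift();
}

// True if the stable member still points at byte 0 of the copied data.
bool fixed_points_at_start(size_t n) {
    std::vector<uint8_t> src(n, 0x42);  // constructed sample data
    StableCopy s(n);
    return s.store(src.data(), n) && std::equal(src.begin(), src.end(), s.m_nalBuffer);
}

int main() { return (drift_after_copy(16) == 16 && fixed_points_at_start(16)) ? 0 : 1; }
```

A non-zero drift is the condition AddressSanitizer reports when the destructor frees the advanced pointer; building a fuzz target with `-fsanitize=address` catches both the bad free and the `new[]`/`delete` mismatch.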
Hello, guys. I use afl-fuzz to test tsMuxer. I found a crash.
tsMuxer: 2.6.16
OS: Ubuntu 20.04
poc.zip
Asan log
gdb
HX from Topsec alpha Security Team