overflow of bitStream.h in function putBits #419

Closed
NigelX opened this issue May 19, 2021 · 0 comments
Labels
bug Something isn't working

Comments

NigelX commented May 19, 2021

Hi,
I found a crash error.

System info:
Ubuntu 20.04 : clang 10.0.0 , gcc 9.3.0

tsMuxeR version git-5a9adef


Verification steps:
1. Get the source code of tsMuxer
2. Compile the tsMuxer

$ cd tsMuxer
$ mkdir build && cd build
$ cmake ../ -DCMAKE_C_COMPILER=clang  -DCMAKE_CXX_COMPILER=clang++ -DCMAKE_C_FLAGS="-fsanitize=address" -DCMAKE_CXX_FLAGS="-fsanitize=address"
$ make -j 32

3. Run the poc

$ cd tsMuxer
$ ./tsmuxer poc

file:
poc.zip

info:

Program received signal SIGSEGV, Segmentation fault.
[----------------------------------registers-----------------------------------]
RAX: 0x28 ('(')
RBX: 0x3 
RCX: 0x20 (' ')
RDX: 0x666eb0 --> 0x0 
RSI: 0x0 
RDI: 0x40420f00 
RBP: 0x0 
RSP: 0x7fffffff7690 --> 0x0 
RIP: 0x2d378b (<HevcUnit::updateBits(int, int, int)+491>:	mov    DWORD PTR [r8],edi)
R8 : 0xd30150 
R9 : 0xc77170 --> 0x2f534d5f56005743 ('CW')
R10: 0xf4240 
R11: 0x5c7f20 --> 0x0 
R12: 0x7ffff38141b6 --> 0x2f534d5f56005743 ('CW')
R13: 0x7fffffff83e8 --> 0x231760 --> 0x2dd1e0 (<HEVCStreamReader::writeAdditionData(unsigned char*, unsigned char*, AVPacket&, std::vector<std::pair<int, int>, std::allocator<std::pair<int, int> > >*)>:	push   r15)
R14: 0x0 
R15: 0x7ffff38141d3 --> 0x5f567f6943010000
EFLAGS: 0x10202 (carry parity adjust zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x2d3784 <HevcUnit::updateBits(int, int, int)+484>:	add    esi,0xffffffe0
   0x2d3787 <HevcUnit::updateBits(int, int, int)+487>:	add    edi,ebp
   0x2d3789 <HevcUnit::updateBits(int, int, int)+489>:	bswap  edi
=> 0x2d378b <HevcUnit::updateBits(int, int, int)+491>:	mov    DWORD PTR [r8],edi
   0x2d378e <HevcUnit::updateBits(int, int, int)+494>:	add    r8,0x4
   0x2d3792 <HevcUnit::updateBits(int, int, int)+498>:	and    r10d,DWORD PTR [rsi*4+0x652c20]
   0x2d379a <HevcUnit::updateBits(int, int, int)+506>:	test   r14d,r14d
   0x2d379d <HevcUnit::updateBits(int, int, int)+509>:	jle    0x2d3740 <HevcUnit::updateBits(int, int, int)+416>
[------------------------------------stack-------------------------------------]
0000| 0x7fffffff7690 --> 0x0 
0008| 0x7fffffff7698 --> 0x7ffff38141b6 --> 0x2f534d5f56005743 ('CW')
0016| 0x7fffffff76a0 --> 0xc77060 --> 0x2318a0 --> 0x2d5520 (<HevcSpsUnit::deserialize()>:	push   rbp)
0024| 0x7fffffff76a8 --> 0x2de818 (<HEVCStreamReader::updateStreamFps(void*, unsigned char*, unsigned char*, int)+136>:	mov    ecx,DWORD PTR [rbp+0x94])
0032| 0x7fffffff76b0 --> 0x7ffff7da3d60 --> 0x7ffff7d9cac8 --> 0x7ffff7ccf650 (<_ZN9__gnu_cxx18stdio_sync_filebufIcSt11char_traitsIcEED1Ev>:	endbr64)
0040| 0x7fffffff76b8 --> 0x7ffff78fa7b2 (<_IO_new_file_xsputn+98>:	add    r12,r13)
0048| 0x7fffffff76c0 --> 0x0 
0056| 0x7fffffff76c8 --> 0x6 
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
HevcUnit::updateBits (this=<optimized out>, bitOffset=<optimized out>, bitLen=<optimized out>, value=<optimized out>)
    at /home/hh/Downloads/tsMuxer/tsMuxer/bitStream.h:195
195	            *m_buffer++ = my_htonl(m_curVal);



asan:
tsMuxeR version git-f6ab2a2. github.com/justdan96/tsMuxer
This HEVC stream doesn't contain fps value. Muxing fps is absent too. Set muxing FPS to default 25.0 value.
HEVC manual defined fps doesn't equal to stream fps. Change HEVC fps from 0.993523 to 25
AddressSanitizer:DEADLYSIGNAL
=================================================================
==262816==ERROR: AddressSanitizer: SEGV on unknown address 0x6030000c67f0 (pc 0x00000051c3dc bp 0x0000015fa460 sp 0x7ffcecb95d00 T0)
==262816==The signal is caused by a WRITE memory access.
    #0 0x51c3dc in BitStreamWriter::putBits(unsigned int, unsigned int) /home/hh/Downloads/tsMuxer/tsMuxer/bitStream.h:195:25
    #1 0x51c3dc in HevcUnit::updateBits(int, int, int) /home/hh/Downloads/tsMuxer/tsMuxer/hevc.cpp:78:15
    #2 0x51f4b9 in HevcVpsUnit::setFPS(double) /home/hh/Downloads/tsMuxer/tsMuxer/hevc.cpp:246:5
    #3 0x52d87f in HEVCStreamReader::updateStreamFps(void*, unsigned char*, unsigned char*, int) /home/hh/Downloads/tsMuxer/tsMuxer/hevcStreamReader.cpp:364:10
    #4 0x73daa6 in MPEGStreamReader::updateFPS(void*, unsigned char*, unsigned char*, int) /home/hh/Downloads/tsMuxer/tsMuxer/mpegStreamReader.cpp:310:9
    #5 0x533175 in HEVCStreamReader::checkStream(unsigned char*, int) /home/hh/Downloads/tsMuxer/tsMuxer/hevcStreamReader.cpp:77:13
    #6 0x6dea5a in METADemuxer::detectTrackReader(unsigned char*, int, AbstractStreamReader::ContainerType, int, int) /home/hh/Downloads/tsMuxer/tsMuxer/metaDemuxer.cpp:770:21
    #7 0x6d408a in METADemuxer::DetectStreamReader(BufferedReaderManager&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, bool) /home/hh/Downloads/tsMuxer/tsMuxer/metaDemuxer.cpp:684:35
    #8 0x5e83b1 in detectStreamReader(char const*, MPLSParser*, bool) /home/hh/Downloads/tsMuxer/tsMuxer/main.cpp:120:34
    #9 0x5f8ca4 in main /home/hh/Downloads/tsMuxer/tsMuxer/main.cpp:698:17
    #10 0x7faf8da360b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
    #11 0x2e9b7d in _start (/home/hh/Downloads/tsMuxer/asan_build/tsMuxer/tsmuxer+0x2e9b7d)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/hh/Downloads/tsMuxer/tsMuxer/bitStream.h:195:25 in BitStreamWriter::putBits(unsigned int, unsigned int)
==262816==ABORTING

Thanks
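The ASan report above shows a WRITE fault on the `*m_buffer++ = my_htonl(m_curVal)` store in `BitStreamWriter::putBits`, reached from `HevcVpsUnit::setFPS` rewriting bits of a VPS that came out of a stream that is not actually HEVC. Below is an added example, not tsMuxeR's own `BitStreamWriter`, of a bit writer that refuses to emit past the end of its buffer: `putBits` returns false and writes nothing when the remaining capacity cannot hold the requested bits, instead of running off the end. The class name `CheckedBitWriter`, the byte-oriented flush (the project's writer emits 32-bit words, per the trace), and the `writeVpsNalHeader` demo that encodes the four fields of an H.265 `nal_unit_header()` for a VPS are all assumptions of this example.

```cpp
#include <cstddef>
#include <cstdint>

// Added example: a bounds-checked MSB-first bit writer. Hypothetical class,
// not the BitStreamWriter from tsMuxeR's bitStream.h.
class CheckedBitWriter {
public:
    CheckedBitWriter(uint8_t* buf, size_t len)
        : m_begin(buf), m_cur(buf), m_end(buf + len), m_acc(0), m_nacc(0) {}

    // Bits that can still be written before the buffer is full, counting
    // the bits already pending in the accumulator.
    size_t bitsFree() const {
        return static_cast<size_t>(m_end - m_cur) * 8 - m_nacc;
    }

    // Append the low nbits of value, most significant bit first.
    // Returns false and leaves the output untouched if nbits is out of
    // range or the buffer cannot hold them; this is the check whose
    // absence lets a caller write past the end of the buffer.
    bool putBits(uint32_t value, unsigned nbits) {
        if (nbits == 0 || nbits > 32) return false;
        if (nbits > bitsFree()) return false;
        if (nbits < 32) value &= (1u << nbits) - 1u;
        m_acc = (m_acc << nbits) | value;   // at most 7 + 32 bits in flight
        m_nacc += nbits;
        while (m_nacc >= 8) {               // emit every complete byte
            m_nacc -= 8;
            *m_cur++ = static_cast<uint8_t>(m_acc >> m_nacc);
        }
        m_acc &= (1ull << m_nacc) - 1ull;   // keep only the pending bits
        return true;
    }

    // Zero-pad to a byte boundary and return the number of bytes written.
    // The capacity check in putBits guarantees the padding byte fits.
    size_t flush() {
        if (m_nacc > 0) {
            *m_cur++ = static_cast<uint8_t>(m_acc << (8 - m_nacc));
            m_acc = 0;
            m_nacc = 0;
        }
        return static_cast<size_t>(m_cur - m_begin);
    }

private:
    uint8_t* m_begin;
    uint8_t* m_cur;
    uint8_t* m_end;
    uint64_t m_acc;
    unsigned m_nacc;
};

// Demo: encode a VPS nal_unit_header() (H.265 7.3.1.2) into out.
// Fields: forbidden_zero_bit u(1)=0, nal_unit_type u(6)=32 (VPS_NUT),
// nuh_layer_id u(6)=0, nuh_temporal_id_plus1 u(3)=1. Returns false if
// the buffer is too small; no partial write escapes into the buffer.
bool writeVpsNalHeader(uint8_t* out, size_t len) {
    CheckedBitWriter w(out, len);
    if (!w.putBits(0, 1)) return false;    // forbidden_zero_bit
    if (!w.putBits(32, 6)) return false;   // nal_unit_type = VPS_NUT
    if (!w.putBits(0, 6)) return false;    // nuh_layer_id
    if (!w.putBits(1, 3)) return false;    // nuh_temporal_id_plus1 (TemporalId 0)
    return w.flush() == 2;
}
```

With a two-byte buffer `writeVpsNalHeader` produces `0x40 0x01`; with a one-byte buffer it fails at the third field and emits nothing, which is the behaviour a fuzzed input should hit instead of a SEGV.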

xavery pushed a commit that referenced this issue Jun 9, 2021
As per T-REC-H265 standard sub-clause 7.4.2.2., when nal_unit_type == VPS_NUT or SPS_NUT or EOS_NUT or EOB_NUT, nuh_temporal_id shall be equal to 0.

This patch allows an early return when this condition is not fulfilled, therefore the stream is obviously not HEVC.

Fixes #418, #419, #420, #424, #436, #437.
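The commit message above applies the header constraint from H.265 sub-clause 7.4.2.2 as a cheap sanity check that rejects non-HEVC input before any VPS/SPS fields are parsed or rewritten. The following is an added example of that check, not the project's patch: it decodes the two-byte `nal_unit_header()` (sub-clause 7.3.1.2), validates it, and walks an Annex B byte stream returning false at the first violating header. It goes slightly beyond the commit's list by also checking `forbidden_zero_bit == 0`, `nuh_temporal_id_plus1 != 0`, and the companion rule that TSA/STSA NAL units must have TemporalId != 0, all from the same sub-clause. The function names and the constructed sample streams in the test are assumptions of this example.

```cpp
#include <cstddef>
#include <cstdint>

// nal_unit_type values from H.265 Table 7-1 that the check needs.
enum : uint8_t {
    TSA_N = 2, TSA_R = 3, STSA_N = 4, STSA_R = 5,
    VPS_NUT = 32, SPS_NUT = 33, EOS_NUT = 36, EOB_NUT = 37
};

struct NalHeader {
    uint8_t forbiddenZeroBit;
    uint8_t nalUnitType;
    uint8_t nuhLayerId;
    uint8_t nuhTemporalIdPlus1;
};

// Decode nal_unit_header() (H.265 7.3.1.2):
//   forbidden_zero_bit u(1), nal_unit_type u(6),
//   nuh_layer_id u(6), nuh_temporal_id_plus1 u(3).
// Returns false if fewer than two bytes are available.
bool parseNalHeader(const uint8_t* p, size_t len, NalHeader& h) {
    if (len < 2) return false;
    h.forbiddenZeroBit   = (p[0] >> 7) & 0x01;
    h.nalUnitType        = (p[0] >> 1) & 0x3f;
    h.nuhLayerId         = static_cast<uint8_t>(((p[0] & 0x01) << 5) | (p[1] >> 3));
    h.nuhTemporalIdPlus1 = p[1] & 0x07;
    return true;
}

// Semantic constraints from H.265 7.4.2.2. A header violating them cannot
// come from a conforming HEVC stream, so a demuxer can stop probing here.
bool nalHeaderIsValid(const NalHeader& h) {
    if (h.forbiddenZeroBit != 0) return false;     // shall be 0
    if (h.nuhTemporalIdPlus1 == 0) return false;   // shall not be 0
    const uint8_t temporalId = static_cast<uint8_t>(h.nuhTemporalIdPlus1 - 1);
    switch (h.nalUnitType) {
        case VPS_NUT: case SPS_NUT: case EOS_NUT: case EOB_NUT:
            return temporalId == 0;                // the rule cited by the fix
        case TSA_N: case TSA_R: case STSA_N: case STSA_R:
            return temporalId != 0;                // companion rule, same sub-clause
        default:
            return true;
    }
}

// Scan an Annex B byte stream (NAL units introduced by a 00 00 01 start
// code) and return false at the first header that breaks the constraints,
// i.e. the early return the commit describes. Returns true only when at
// least one NAL unit was seen and every header checked out.
bool annexBStreamLooksLikeHevc(const uint8_t* data, size_t len) {
    size_t found = 0;
    size_t i = 0;
    while (i + 3 <= len) {
        if (data[i] == 0 && data[i + 1] == 0 && data[i + 2] == 1) {
            NalHeader h;
            if (!parseNalHeader(data + i + 3, len - (i + 3), h)) return false;
            if (!nalHeaderIsValid(h)) return false;
            ++found;
            i += 3 + 2;  // skip start code and header, keep scanning payload
        } else {
            ++i;
        }
    }
    return found > 0;
}
```

Running this before `setFPS`-style rewrites means a fuzzed input whose "VPS" carries a non-zero TemporalId is rejected as non-HEVC rather than parsed into offsets that are later written through `putBits`.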
@xavery xavery closed this as completed Jun 9, 2021
@jcdr428 jcdr428 added the bug Something isn't working label Jun 23, 2022