System info:
Ubuntu 21.04
tsMuxeR version git-f6ab2a2
To run PoC:
$ ./tsmuxer crash_1
Asan output:
tsMuxeR version git-f6ab2a2. github.com/justdan96/tsMuxer
=================================================================
==2834234==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6100000007f5 at pc 0x00000077f724 bp 0x7ffebdd7b690 sp 0x7ffebdd7b688
READ of size 1 at 0x6100000007f5 thread T0
#0 0x77f723 in SEIUnit::deserialize(SPSUnit&, int) /src/build/../tsMuxer/nalUnits.cpp:2009:20
#1 0x4e3408 in H264StreamReader::checkStream(unsigned char*, int) /src/build/../tsMuxer/h264StreamReader.cpp:142:25
#2 0x6ceacc in METADemuxer::detectTrackReader(unsigned char*, int, AbstractStreamReader::ContainerType, int, int) /src/build/../tsMuxer/metaDemuxer.cpp:745:21
#3 0x6c7255 in METADemuxer::DetectStreamReader(BufferedReaderManager&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, bool) /src/build/../tsMuxer/metaDemuxer.cpp:684:35
#4 0x5df87e in detectStreamReader(char const*, MPLSParser*, bool) /src/build/../tsMuxer/main.cpp:120:34
#5 0x5efd05 in main /src/build/../tsMuxer/main.cpp:698:17
#6 0x7fb1de23a564 in __libc_start_main csu/../csu/libc-start.c:332:16
#7 0x2ebded in _start (/home/Fuzzer_Instance_4/txmux/tsMuxer/bin/tsMuxeR+0x2ebded)
0x6100000007f5 is located 0 bytes to the right of 181-byte region [0x610000000740,0x6100000007f5)
allocated by thread T0 here:
#0 0x39823d in operator new[](unsigned long) (/home/Fuzzer_Instance_4/txmux/tsMuxer/bin/tsMuxeR+0x39823d)
#1 0x74f45d in NALUnit::decodeBuffer(unsigned char const*, unsigned char const*) /src/build/../tsMuxer/nalUnits.cpp:282:19
SUMMARY: AddressSanitizer: heap-buffer-overflow /src/build/../tsMuxer/nalUnits.cpp:2009:20 in SEIUnit::deserialize(SPSUnit&, int)
Shadow bytes around the buggy address:
0x0c207fff80a0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
0x0c207fff80b0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa
0x0c207fff80c0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
0x0c207fff80d0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c207fff80e0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
=>0x0c207fff80f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00[05]fa
0x0c207fff8100: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c207fff8110: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c207fff8120: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c207fff8130: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c207fff8140: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==2834234==ABORTING
The text was updated successfully, but these errors were encountered:
Hi, please see asan output and poc file below.
Found by Cem Onat Karagun of Diesec
System info:
Ubuntu 21.04
tsMuxeR version git-f6ab2a2
To run PoC:
Asan output:
The text was updated successfully, but these errors were encountered: