The array index nr is set to 7, therefore ff_vc1_fps_nr[nr - 1] lies beyond the bounds of the array ff_vc1_fps_nr.
(gdb) b *0x0000000000934072
Breakpoint 7 at 0x934072: file ../tsMuxer/vc1Parser.cpp, line 274.
(gdb) p nr
$7 = 7
(gdb) p ff_vc1_fps_nr
$8 = {24, 25, 30, 50, 60}
(gdb) p ff_vc1_fps_dr
$17 = {1000, 1001}
line 276:
if (nr && nr < 8 && dr && dr < 3)
line 279:
time_base_den = ff_vc1_fps_nr[nr - 1] * 1000;
Recommendation:
Editing the size check of the array index in the if condition on line 276 might fix this particular issue.
An additional check of the index variables (dr and nr) for ">= 0" is recommended.
PoC Fix:
- if (nr && nr < 8 && dr && dr < 3)
+ if (nr && nr < 5 && nr >= 0 && dr && dr < 3 && dr >= 0)
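Review bot: `nr < 5` is off by one. The gdb output shows ff_vc1_fps_nr has five entries ({24, 25, 30, 50, 60}), so nr = 5 indexes the last valid element [4] and should still be accepted; the condition should be `nr < 6` (or `nr <= 5`), and ideally derived from the table itself so it cannot drift, e.g. `nr <= sizeof(ff_vc1_fps_nr) / sizeof(ff_vc1_fps_nr[0])`. `dr < 3` already matches the two-entry ff_vc1_fps_dr. The added `nr >= 0` and `dr >= 0` terms only matter if these variables are signed; if they are unsigned the comparison is always true and compilers warn about it, so confirm the declared types before keeping them.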
Greetings,
tsMuxer has an out-of-bounds read issue whenever it runs with the PoC sample.
Found by Cem Onat Karagun of Diesec
System info:
To run PoC after unzip:
global_oob.zip
Chronological Function-Call Trace:
Root Cause of The Issue:
Constant integer arrays are defined in vc1Parser.h:
A similar "demo" issue is also shared on the following page:
https://github.com/google/sanitizers/wiki/AddressSanitizerExampleGlobalOutOfBounds
I'm sharing the link above because ASAN declares this issue as "global-buffer-overflow", but as shared in the References and root-cause sections, this is actually an OOB read issue.
References:
https://cwe.mitre.org/data/definitions/125.html
Address Sanitizer Output:
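As an added example that is not part of this report or of the tsMuxer source, the following C program reproduces the lookup described above using the two tables exactly as printed by gdb, places the original line 276 condition beside a check whose bounds are derived from the table sizes, and counts how many (nr, dr) pairs the original condition admits that the tables cannot serve. The time_base_num lookup from ff_vc1_fps_dr, the function names and the enumerated value ranges (nr in 0..7, dr in 0..3) are assumptions made for the example; the report shows only the time_base_den line.

```c
/*
 * Added example, not tsMuxer code. Table contents are copied from the gdb
 * output in the report. vc1_fps_index_ok_original() mirrors the condition
 * on line 276; vc1_fps_index_ok_fixed() derives its bounds from the tables.
 * The time_base_num lookup is an assumed counterpart of the line 279 den
 * lookup; the report only shows the den line.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Table contents as printed by gdb in the report. */
static const int ff_vc1_fps_nr[] = {24, 25, 30, 50, 60};
static const int ff_vc1_fps_dr[] = {1000, 1001};

#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))

/* Original condition from line 276. nr = 6 or 7 passes but would index the
 * 5-element table at [5] or [6]. Only the check is reproduced; no read. */
static bool vc1_fps_index_ok_original(int nr, int dr)
{
    return nr && nr < 8 && dr && dr < 3;
}

/* Hardened check: accept (nr, dr) only if nr - 1 and dr - 1 address an
 * existing table entry. nr > 0 / dr > 0 is tested before the cast, so
 * negative values (if the real variables are signed) are rejected too. */
static bool vc1_fps_index_ok_fixed(int nr, int dr)
{
    return nr > 0 && (size_t)nr <= ARRAY_SIZE(ff_vc1_fps_nr) &&
           dr > 0 && (size_t)dr <= ARRAY_SIZE(ff_vc1_fps_dr);
}

/* Looks up the time base for an (nr, dr) pair parsed from the stream.
 * Returns false and leaves the outputs untouched when the pair is rejected,
 * so the caller keeps its previous time base instead of reading whatever
 * happens to sit in memory after the table. */
static bool vc1_time_base(int nr, int dr, int *time_base_num, int *time_base_den)
{
    if (!vc1_fps_index_ok_fixed(nr, dr))
        return false;
    *time_base_den = ff_vc1_fps_nr[nr - 1] * 1000; /* as on line 279 */
    *time_base_num = ff_vc1_fps_dr[dr - 1];        /* assumed counterpart */
    return true;
}

/* Convenience wrapper: the den value for a valid pair, 0 when rejected. */
static int time_base_den_or_zero(int nr, int dr)
{
    int num = 0, den = 0;
    return vc1_time_base(nr, dr, &num, &den) ? den : 0;
}

/* Enumerates nr in 0..7 and dr in 0..3 (assumed field ranges) and counts the
 * pairs the original check admits although no table entry exists for them. */
static int count_unsafe_accepted(void)
{
    int n = 0;
    for (int nr = 0; nr < 8; nr++)
        for (int dr = 0; dr < 4; dr++)
            if (vc1_fps_index_ok_original(nr, dr) &&
                !vc1_fps_index_ok_fixed(nr, dr))
                n++;
    return n;
}

int main(void)
{
    int num = 0, den = 0;
    /* The value from the report: nr = 7 passes the original check. */
    printf("nr=7 dr=1: original=%d fixed=%d\n",
           vc1_fps_index_ok_original(7, 1), vc1_fps_index_ok_fixed(7, 1));
    if (vc1_time_base(3, 2, &num, &den))
        printf("nr=3 dr=2: time_base %d/%d\n", num, den);
    printf("pairs accepted by the original check but outside the tables: %d\n",
           count_unsafe_accepted());
    return 0;
}
```

The hardened check accepts nr = 5 (the last table entry, 60), which a literal `nr < 5` would wrongly reject, and rejects nr = 6 and 7, the two values that make the original condition read past ff_vc1_fps_nr.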