However, the parsed array index nr is 7, so nr - 1 (= 6) lies beyond the bounds of ff_vc1_fps_nr, which has only five entries.
```
(gdb) b *0x0000000000934072
Breakpoint 7 at 0x934072: file ../tsMuxer/vc1Parser.cpp, line 274.
(gdb) p nr
$7 = 7
(gdb) p ff_vc1_fps_nr
$8 = {24, 25, 30, 50, 60}
(gdb) p ff_vc1_fps_dr
$17 = {1000, 1001}
```
line 276:
```cpp
if (nr && nr < 8 && dr && dr < 3)
```
line 279:
```cpp
time_base_den = ff_vc1_fps_nr[nr - 1] * 1000;
```
I'm sharing the link above because ASAN declares this issue as "global-buffer-overflow", but as shared in the References and root-cause sections, this is actually an OOB read issue.
Recommendation:
Tightening the size check on the array index in the `if` condition on line 276 should fix this particular issue.
An additional check that the index variables (dr and nr) are >= 0 is also recommended.
PoC Fix:
- if (nr && nr < 8 && dr && dr < 3)
+ if (nr && nr < 5 && nr >= 0 && dr && dr < 3 && dr >= 0)
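Review bot: the new upper bound `nr < 5` is one too tight: ff_vc1_fps_nr has five entries (24, 25, 30, 50, 60), so `nr - 1` is a valid index for nr in 1..5, and this condition rejects nr == 5 (60 fps). Use `nr <= 5`, or better derive the bound from the table itself (`nr <= sizeof(ff_vc1_fps_nr) / sizeof(ff_vc1_fps_nr[0])`) so the check cannot drift from the array again; `dr < 3` already matches the two-entry ff_vc1_fps_dr. The `>= 0` terms only do anything if nr and dr are signed (a compiler will warn that they are always true for unsigned types), and since `nr && nr >= 0` is just `nr >= 1`, the whole condition reads more clearly as `nr >= 1 && nr <= 5 && dr >= 1 && dr <= 2`.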
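To make the recommendation concrete, here is an added, self-contained C example (not tsMuxer's code) that places the report's original condition beside a hardened one whose upper bound is derived from the table size. The two tables are constructed copies of the values shown in the gdb output above; `vc1_time_base` and its `num` output are assumptions for illustration, since the report only shows the `time_base_den` line.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed copies of the tables printed by gdb in the report. */
static const int ff_vc1_fps_nr[] = {24, 25, 30, 50, 60};
static const int ff_vc1_fps_dr[] = {1000, 1001};

#define ARRAY_LEN(a) (sizeof(a) / sizeof((a)[0]))

/* Mirrors the condition from line 276 of the report: it accepts nr in 1..7
 * (and any negative nr, since a non-zero value is "truthy") although the
 * table has only five entries, so nr = 6 or 7 indexes past the end. */
static int original_check(int nr, int dr)
{
    return nr && nr < 8 && dr && dr < 3;
}

/* Hardened check: the upper bound comes from the table size, and negative
 * codes are rejected explicitly before they could be used as an index. */
static int hardened_check(int nr, int dr)
{
    return nr >= 1 && (size_t)nr <= ARRAY_LEN(ff_vc1_fps_nr) &&
           dr >= 1 && (size_t)dr <= ARRAY_LEN(ff_vc1_fps_dr);
}

/* Hypothetical helper: computes the time base only after the hardened check
 * passes. The den line matches the report's line 279; num is assumed.
 * Returns 0 on success, -1 for an out-of-range frame-rate code. */
static int vc1_time_base(int nr, int dr, int *num, int *den)
{
    if (!hardened_check(nr, dr))
        return -1;
    *den = ff_vc1_fps_nr[nr - 1] * 1000;
    *num = ff_vc1_fps_dr[dr - 1];
    return 0;
}

int main(void)
{
    /* Constructed (nr, dr) pairs: the report's crash value, the highest
     * valid code, a negative code, and a zero code. */
    const int cases[][2] = {{7, 1}, {5, 2}, {-1, 1}, {0, 1}};
    size_t i;

    for (i = 0; i < ARRAY_LEN(cases); i++) {
        int nr = cases[i][0], dr = cases[i][1], num = 0, den = 0;
        int ok = vc1_time_base(nr, dr, &num, &den);
        printf("nr=%2d dr=%d original=%d hardened=%d",
               nr, dr, original_check(nr, dr), hardened_check(nr, dr));
        if (ok == 0)
            printf(" -> time base %d/%d\n", num, den);
        else
            printf(" -> rejected\n");
    }
    return 0;
}
```

The original condition lets nr = 7 and nr = -1 through, both of which would read outside ff_vc1_fps_nr; the hardened condition rejects them while still accepting nr = 5 (60 fps), which a fixed bound of `nr < 5` would wrongly exclude.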
Greetings,
tsMuxer has an Out-of-bounds Read issue whenever it runs with the PoC sample.
Found by Cem Onat Karagun of Diesec
System info:
To run PoC after unzip:
global_oob.zip
Chronological Function-Call Trace:
Root Cause of The Issue:
Constant integer arrays are defined in vc1Parser.h:
A similar "demo" issue is also shared in following page:
https://github.com/google/sanitizers/wiki/AddressSanitizerExampleGlobalOutOfBounds
References:
https://cwe.mitre.org/data/definitions/125.html
Address Sanitizer Output: