heap-buffer-overflow in hevc.cpp:76 HevcUnit::updateBits #509

Closed
aug5t7 opened this issue Dec 21, 2021 · 0 comments
Labels
bug Something isn't working

Comments

@aug5t7
Contributor

aug5t7 commented Dec 21, 2021

Hi, I found a heap-buffer-overflow error.

Some Info

Ubuntu 20.04.3 LTS
tsMuxeR version git-2678966.

To reproduce

  1. Compile tsMuxer
  2. Run tsmuxer on the PoC file:

     tsmuxer ./poc

ASan output

$ tsMuxer-asan ./poc  
tsMuxeR version git-2678966. github.com/justdan96/tsMuxer
This HEVC stream doesn't contain fps value. Muxing fps is absent too. Set muxing FPS to default 25.0 value.
HEVC manual defined fps doesn't equal to stream fps. Change HEVC fps from 3.083 to 25
=================================================================
==452652==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60d00000bd53 at pc 0x55fca9458e01 bp 0x7ffe07198940 sp 0x7ffe07198930
READ of size 1 at 0x60d00000bd53 thread T0
    #0 0x55fca9458e00 in HevcUnit::updateBits(int, int, int) /path/to/tsMuxer/tsMuxer-asan/tsMuxer/hevc.cpp:76
    #1 0x55fca945ae43 in HevcVpsUnit::setFPS(double) /path/to/tsMuxer/tsMuxer-asan/tsMuxer/hevc.cpp:247
    #2 0x55fca946c904 in HEVCStreamReader::updateStreamFps(void*, unsigned char*, unsigned char*, int) /path/to/tsMuxer/tsMuxer-asan/tsMuxer/hevcStreamReader.cpp:364
    #3 0x55fca958cd7e in MPEGStreamReader::updateFPS(void*, unsigned char*, unsigned char*, int) /path/to/tsMuxer/tsMuxer-asan/tsMuxer/mpegStreamReader.cpp:310
    #4 0x55fca9469c00 in HEVCStreamReader::checkStream(unsigned char*, int) /path/to/tsMuxer/tsMuxer-asan/tsMuxer/hevcStreamReader.cpp:77
    #5 0x55fca94fb1dc in METADemuxer::detectTrackReader(unsigned char*, int, AbstractStreamReader::ContainerType, int, int) /path/to/tsMuxer/tsMuxer-asan/tsMuxer/metaDemuxer.cpp:771
    #6 0x55fca94f8ede in METADemuxer::DetectStreamReader(BufferedReaderManager&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, bool) /path/to/tsMuxer/tsMuxer-asan/tsMuxer/metaDemuxer.cpp:685
    #7 0x55fca94a21d5 in detectStreamReader(char const*, MPLSParser*, bool) /path/to/tsMuxer/tsMuxer-asan/tsMuxer/main.cpp:120
    #8 0x55fca94a9d7b in main /path/to/tsMuxer/tsMuxer-asan/tsMuxer/main.cpp:699
    #9 0x7f2c99c360b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
    #10 0x55fca93b80ed in _start (/path/to/tsMuxer/tsMuxer-asan/build/tsMuxer/tsmuxer+0x28d0ed)

0x60d00000bd53 is located 14 bytes to the right of 133-byte region [0x60d00000bcc0,0x60d00000bd45)
allocated by thread T0 here:
    #0 0x7f2c9a35cb47 in operator new[](unsigned long) (/lib/x86_64-linux-gnu/libasan.so.5+0x10fb47)
    #1 0x55fca9458931 in HevcUnit::decodeBuffer(unsigned char const*, unsigned char const*) /path/to/tsMuxer/tsMuxer-asan/tsMuxer/hevc.cpp:40
    #2 0x55fca9469ac0 in HEVCStreamReader::checkStream(unsigned char*, int) /path/to/tsMuxer/tsMuxer-asan/tsMuxer/hevcStreamReader.cpp:73
    #3 0x55fca94fb1dc in METADemuxer::detectTrackReader(unsigned char*, int, AbstractStreamReader::ContainerType, int, int) /path/to/tsMuxer/tsMuxer-asan/tsMuxer/metaDemuxer.cpp:771
    #4 0x55fca94f8ede in METADemuxer::DetectStreamReader(BufferedReaderManager&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, bool) /path/to/tsMuxer/tsMuxer-asan/tsMuxer/metaDemuxer.cpp:685
    #5 0x55fca94a21d5 in detectStreamReader(char const*, MPLSParser*, bool) /path/to/tsMuxer/tsMuxer-asan/tsMuxer/main.cpp:120
    #6 0x55fca94a9d7b in main /path/to/tsMuxer/tsMuxer-asan/tsMuxer/main.cpp:699
    #7 0x7f2c99c360b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)

SUMMARY: AddressSanitizer: heap-buffer-overflow /path/to/tsMuxer/tsMuxer-asan/tsMuxer/hevc.cpp:76 in HevcUnit::updateBits(int, int, int)
Shadow bytes around the buggy address:
  0x0c1a7fff9750: fd fd fd fd fd fd fd fd fd fd fd fd fa fa fa fa
  0x0c1a7fff9760: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c1a7fff9770: fd fd fd fd fd fd fa fa fa fa fa fa fa fa fd fd
  0x0c1a7fff9780: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c1a7fff9790: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
=>0x0c1a7fff97a0: 00 00 00 00 00 00 00 00 05 fa[fa]fa fa fa fa fa
  0x0c1a7fff97b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1a7fff97c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1a7fff97d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1a7fff97e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1a7fff97f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==452652==ABORTING

POC
poc.zip
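Reading the report above: the allocation is the 133-byte region [0x60d00000bcc0, 0x60d00000bd45) (0x85 bytes) created by operator new[] in HevcUnit::decodeBuffer at hevc.cpp:40, and the faulting 1-byte READ at 0x60d00000bd53 is 14 bytes past its end (0xbd45 + 0xe). The shadow line `05 fa[fa]` says the same thing: a granule with only 5 addressable bytes (128 + 5 = 133) followed by the right redzone. The read happens in HevcUnit::updateBits(int, int, int) called from HevcVpsUnit::setFPS, right after the tool logged that it would rewrite the stream's fps from 3.083 to 25, so the crash is the load half of a read-modify-write on a byte whose computed bit position lies outside the decoded unit. The project's actual position arithmetic is not on this page; the following is an added C++ illustration of that general bug shape and its bounds-checked counterpart, not tsMuxer's code. The BitBuffer type, the function names and the 133-byte/14-bytes-past-the-end numbers used in main are constructed for the demo.

```cpp
// Added illustration for the report above; this is not tsMuxer's code and the
// buffer layout, offsets and values are constructed for the demo.
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

// Heap-backed byte buffer standing in for the block new[]-allocated by a
// decodeBuffer()-style routine. Every field position is expressed in bits.
struct BitBuffer {
    std::vector<uint8_t> data;
    explicit BitBuffer(size_t bytes) : data(bytes, 0) {}
};

// True when the bit span [bitOffset, bitOffset + bitLen) lies inside `b`.
// Written as "bitLen <= totalBits - bitOffset" so the addition cannot overflow.
bool spanInBounds(const BitBuffer& b, int bitOffset, int bitLen) {
    if (bitOffset < 0 || bitLen <= 0 || bitLen > 32) return false;
    size_t totalBits = b.data.size() * 8;
    size_t off = static_cast<size_t>(bitOffset);
    return off <= totalBits && static_cast<size_t>(bitLen) <= totalBits - off;
}

// One read-modify-write of a single bit. Under ASan, the load of `*byte` is the
// "READ of size 1" when `byte` points past the allocation.
static void putBit(uint8_t* byte, int bitInByte, int bit) {
    uint8_t mask = static_cast<uint8_t>(0x80u >> bitInByte);
    *byte = bit ? static_cast<uint8_t>(*byte | mask)
                : static_cast<uint8_t>(*byte & ~mask);
}

// Vulnerable shape: writes `bitLen` bits of `value`, MSB first, at `bitOffset`
// with no check that the span fits. When bitOffset is derived from fields parsed
// out of the stream (the position of a field inside a header, say), a crafted
// input pushes pos / 8 past the end of the allocation.
void updateBitsUnchecked(BitBuffer& b, int bitOffset, int bitLen, uint32_t value) {
    uint8_t* base = b.data.data();
    for (int i = 0; i < bitLen; ++i) {
        int pos = bitOffset + i;
        putBit(base + pos / 8, pos % 8, (value >> (bitLen - 1 - i)) & 1);
    }
}

// Hardened shape: refuse the write (and let the caller reject the stream)
// instead of touching memory outside the buffer.
bool updateBitsChecked(BitBuffer& b, int bitOffset, int bitLen, uint32_t value) {
    if (!spanInBounds(b, bitOffset, bitLen)) return false;
    uint8_t* base = b.data.data();
    for (int i = 0; i < bitLen; ++i) {
        int pos = bitOffset + i;
        putBit(base + pos / 8, pos % 8, (value >> (bitLen - 1 - i)) & 1);
    }
    return true;
}

// Bounds-checked reader, used to verify what the writers put down.
bool readBits(const BitBuffer& b, int bitOffset, int bitLen, uint32_t& out) {
    if (!spanInBounds(b, bitOffset, bitLen)) return false;
    out = 0;
    for (int i = 0; i < bitLen; ++i) {
        int pos = bitOffset + i;
        out = (out << 1) | ((b.data[pos / 8] >> (7 - pos % 8)) & 1u);
    }
    return true;
}

int main() {
    // Constructed to match the report's numbers: a 133-byte region, and a
    // target 14 bytes past its end, i.e. bit offset (133 + 14) * 8.
    BitBuffer buf(133);
    const int badOffset = (133 + 14) * 8;

    updateBitsUnchecked(buf, 8, 4, 0xA);           // in bounds: works as intended
    // updateBitsUnchecked(buf, badOffset, 1, 1);  // the ASan-reported pattern: do not run

    bool accepted = updateBitsChecked(buf, badOffset, 1, 1);
    std::printf("checked write 14 bytes past the end accepted: %s\n",
                accepted ? "yes" : "no");           // prints "no"
    return accepted ? 1 : 0;
}
```

The check has to cover the whole span, not just the first byte: a field that starts on the last valid byte and runs past it is rejected by `updateBitsChecked`, and the subtraction form avoids the `bitOffset + bitLen` overflow that a naive comparison invites. In a real parser the `false` return should propagate up to the point where the stream is accepted or dropped, so a malformed VPS is refused rather than patched in place.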

jcdr428 added a commit to jcdr428/tsMuxer that referenced this issue Dec 21, 2021
@jcdr428 jcdr428 added the bug Something isn't working label Jun 22, 2022