
An Integer Overflow in DTSStreamReader::findFrame() #510

Closed
aug5t7 opened this issue Dec 21, 2021 · 0 comments
Labels
bug Something isn't working

aug5t7 commented Dec 21, 2021

Hi, I found an integer overflow in DTSStreamReader::findFrame().

```cpp
else if (hdrType == AUPR_HDR)
{
    if (buff + hdrSize > end)
        return 0; // need more data
    // determine skipping frames amount
    m_skippingSamples = (buff[35] << 8) + buff[36];
    buff += hdrSize;
}
else if (hdrType == STRMDATA)
```

PoC: poc.zip

With this PoC, the buffer is too small but the condition on line 206 evaluates to true.

gdb:

```text
[----------------------------------registers-----------------------------------]
RAX: 0x415550522d484452 ('RDH-RPUA')
RBX: 0x6aba60 (<__libc_csu_init>:	endbr64)
RCX: 0x0
RDX: 0x0
RSI: 0xffffff0000000000
RDI: 0x0
RBP: 0x7fffffff5930 --> 0x7fffffff5a60 --> 0x7fffffffbc70 --> 0x7fffffffc740 --> 0x7fffffffcb40 --> 0x7fffffffe210 (--> ...)
RSP: 0x7fffffff58d0 --> 0x7fffffff6da0 --> 0x6ade00 --> 0x5556d0 (<BaseAbstractStreamReader::writeAdditionData(unsigned char*, unsigned char*, AVPacket&, std::vector<std::pair<int, int>, std::allocator<std::pair<int, int> > >*)>:	push   rbp)
RIP: 0x57d9a6 (<DTSStreamReader::findFrame(unsigned char*, unsigned char*)+406>:	mov    rax,QWORD PTR [rbp-0x18])
R8 : 0x0
R9 : 0x0
R10: 0x0
R11: 0x57d810 (<DTSStreamReader::findFrame(unsigned char*, unsigned char*)>:	push   rbp)
R12: 0x554060 (<_start>:	endbr64)
R13: 0x7fffffffe300 --> 0x2
R14: 0x0
R15: 0x0
EFLAGS: 0x246 (carry PARITY adjust ZERO sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x57d992 <DTSStreamReader::findFrame(unsigned char*, unsigned char*)+386>:	movabs rax,0x415550522d484452
   0x57d99c <DTSStreamReader::findFrame(unsigned char*, unsigned char*)+396>:	cmp    QWORD PTR [rbp-0x30],rax
   0x57d9a0 <DTSStreamReader::findFrame(unsigned char*, unsigned char*)+400>:	jne    0x57d9f5 <DTSStreamReader::findFrame(unsigned char*, unsigned char*)+485>
=> 0x57d9a6 <DTSStreamReader::findFrame(unsigned char*, unsigned char*)+406>:	mov    rax,QWORD PTR [rbp-0x18]
   0x57d9aa <DTSStreamReader::findFrame(unsigned char*, unsigned char*)+410>:	add    rax,QWORD PTR [rbp-0x40]
   0x57d9ae <DTSStreamReader::findFrame(unsigned char*, unsigned char*)+414>:	cmp    rax,QWORD PTR [rbp-0x20]
   0x57d9b2 <DTSStreamReader::findFrame(unsigned char*, unsigned char*)+418>:	jbe    0x57d9c5 <DTSStreamReader::findFrame(unsigned char*, unsigned char*)+437>
   0x57d9b8 <DTSStreamReader::findFrame(unsigned char*, unsigned char*)+424>:	mov    QWORD PTR [rbp-0x8],0x0
[------------------------------------stack-------------------------------------]
0000| 0x7fffffff58d0 --> 0x7fffffff6da0 --> 0x6ade00 --> 0x5556d0 (<BaseAbstractStreamReader::writeAdditionData(unsigned char*, unsigned char*, AVPacket&, std::vector<std::pair<int, int>, std::allocator<std::pair<int, int> > >*)>:	push   rbp)
0008| 0x7fffffff58d8 --> 0x0
0016| 0x7fffffff58e0 --> 0x7fff00000000
0024| 0x7fffffff58e8 --> 0xffffff
0032| 0x7fffffff58f0 --> 0xffffff0000000010
0040| 0x7fffffff58f8 ("AUPR-HDRRDH-RPUA\020\260\223\363\377\177")
0048| 0x7fffffff5900 ("RDH-RPUA\020\260\223\363\377\177")
0056| 0x7fffffff5908 --> 0x7ffff393b010 ("AUPR-HDR\377\377\377")
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
206	            if (buff + hdrSize > end)
gdb-peda$ p hdrSize
$12 = 0xffffff0000000010
gdb-peda$ p buff + hdrSize
$14 = (uint8_t *) 0x7efff393b020 <error: Cannot access memory at address 0x7efff393b020>
gdb-peda$ p buff
$17 = (uint8_t *) 0x7ffff393b010 "AUPR-HDR\377\377\377"
gdb-peda$ p end
$15 = (uint8_t *) 0x7ffff393b093 ""
gdb-peda$ p end-buff
$21 = 0x83
gdb-peda$ p buff + hdrSize > end
$22 = 0x0
```
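The gdb session shows `buff + hdrSize` wrapping to an address below `end`, so the `> end` test never fires even though only 0x83 bytes remain. As an added example (not tsMuxer's code), the following models that wrapped comparison on `uintptr_t` beside a length-based check that cannot wrap; the session's values are embedded as constants, and `hdrSize` is assumed to be a 64-bit unsigned quantity.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

// Added example, not tsMuxer code. Models the bounds check quoted from
// DTSStreamReader::findFrame() and a length-based replacement for it.
// Pointer arithmetic past the object is undefined behaviour in C++, so the
// wrap is modelled on uintptr_t, where unsigned addition wraps by definition.

// Mirrors the vulnerable condition: true means "header fits, keep parsing".
bool unsafeHeaderFits(uintptr_t buff, uintptr_t end, uint64_t hdrSize)
{
    uintptr_t sum = buff + static_cast<uintptr_t>(hdrSize); // may wrap
    return !(sum > end);                                    // `buff + hdrSize > end`
}

// Hardened form: compare the size against the bytes actually available.
// `end - buff` is a non-negative distance inside one buffer, so it cannot
// wrap, and no pointer is ever formed beyond `end`.
bool safeHeaderFits(const uint8_t* buff, const uint8_t* end, uint64_t hdrSize)
{
    if (end < buff)
        return false;
    const uint64_t avail = static_cast<uint64_t>(end - buff);
    return hdrSize <= avail;
}

// Values observed in the issue's gdb session, reproduced here as constants.
constexpr uintptr_t kBuff    = 0x7ffff393b010;
constexpr uintptr_t kEnd     = 0x7ffff393b093;          // end - buff == 0x83
constexpr uint64_t  kHdrSize = 0xffffff0000000010ULL;

// Reproduces `p buff + hdrSize` from the session: the wrapped sum.
uintptr_t wrappedSum() { return kBuff + static_cast<uintptr_t>(kHdrSize); }

int main()
{
    // A 0x83-byte buffer standing in for the PoC input (constructed).
    std::vector<uint8_t> data(0x83, 0);
    const uint8_t* buff = data.data();
    const uint8_t* end  = buff + data.size();

    bool unsafeAccepts = unsafeHeaderFits(kBuff, kEnd, kHdrSize); // true: check bypassed
    bool safeAccepts   = safeHeaderFits(buff, end, kHdrSize);     // false: rejected
    return (unsafeAccepts && !safeAccepts) ? 0 : 1;
}
```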
jcdr428 added a commit to jcdr428/tsMuxer that referenced this issue Dec 21, 2021
@jcdr428 jcdr428 closed this as completed Dec 21, 2021
@jcdr428 jcdr428 added the bug Something isn't working label Jun 23, 2022