Hi, I found an integer overflow in DTSStreamReader::findFrame()
tsMuxer/tsMuxer/dtsStreamReader.cpp
Lines 204 to 212 in 380cca3
POC poc.zip
With this poc, the buffer is too small but the condition on line 206 evaluates to true.
gdb
```
[----------------------------------registers-----------------------------------]
RAX: 0x415550522d484452 ('RDH-RPUA')
RBX: 0x6aba60 (<__libc_csu_init>: endbr64)
RCX: 0x0
RDX: 0x0
RSI: 0xffffff0000000000
RDI: 0x0
RBP: 0x7fffffff5930 --> 0x7fffffff5a60 --> 0x7fffffffbc70 --> 0x7fffffffc740 --> 0x7fffffffcb40 --> 0x7fffffffe210 (--> ...)
RSP: 0x7fffffff58d0 --> 0x7fffffff6da0 --> 0x6ade00 --> 0x5556d0 (<BaseAbstractStreamReader::writeAdditionData(unsigned char*, unsigned char*, AVPacket&, std::vector<std::pair<int, int>, std::allocator<std::pair<int, int> > >*)>: push rbp)
RIP: 0x57d9a6 (<DTSStreamReader::findFrame(unsigned char*, unsigned char*)+406>: mov rax,QWORD PTR [rbp-0x18])
R8 : 0x0
R9 : 0x0
R10: 0x0
R11: 0x57d810 (<DTSStreamReader::findFrame(unsigned char*, unsigned char*)>: push rbp)
R12: 0x554060 (<_start>: endbr64)
R13: 0x7fffffffe300 --> 0x2
R14: 0x0
R15: 0x0
EFLAGS: 0x246 (carry PARITY adjust ZERO sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x57d992 <DTSStreamReader::findFrame(unsigned char*, unsigned char*)+386>: movabs rax,0x415550522d484452
   0x57d99c <DTSStreamReader::findFrame(unsigned char*, unsigned char*)+396>: cmp QWORD PTR [rbp-0x30],rax
   0x57d9a0 <DTSStreamReader::findFrame(unsigned char*, unsigned char*)+400>: jne 0x57d9f5 <DTSStreamReader::findFrame(unsigned char*, unsigned char*)+485>
=> 0x57d9a6 <DTSStreamReader::findFrame(unsigned char*, unsigned char*)+406>: mov rax,QWORD PTR [rbp-0x18]
   0x57d9aa <DTSStreamReader::findFrame(unsigned char*, unsigned char*)+410>: add rax,QWORD PTR [rbp-0x40]
   0x57d9ae <DTSStreamReader::findFrame(unsigned char*, unsigned char*)+414>: cmp rax,QWORD PTR [rbp-0x20]
   0x57d9b2 <DTSStreamReader::findFrame(unsigned char*, unsigned char*)+418>: jbe 0x57d9c5 <DTSStreamReader::findFrame(unsigned char*, unsigned char*)+437>
   0x57d9b8 <DTSStreamReader::findFrame(unsigned char*, unsigned char*)+424>: mov QWORD PTR [rbp-0x8],0x0
[------------------------------------stack-------------------------------------]
0000| 0x7fffffff58d0 --> 0x7fffffff6da0 --> 0x6ade00 --> 0x5556d0 (<BaseAbstractStreamReader::writeAdditionData(unsigned char*, unsigned char*, AVPacket&, std::vector<std::pair<int, int>, std::allocator<std::pair<int, int> > >*)>: push rbp)
0008| 0x7fffffff58d8 --> 0x0
0016| 0x7fffffff58e0 --> 0x7fff00000000
0024| 0x7fffffff58e8 --> 0xffffff
0032| 0x7fffffff58f0 --> 0xffffff0000000010
0040| 0x7fffffff58f8 ("AUPR-HDRRDH-RPUA\020\260\223\363\377\177")
0048| 0x7fffffff5900 ("RDH-RPUA\020\260\223\363\377\177")
0056| 0x7fffffff5908 --> 0x7ffff393b010 ("AUPR-HDR\377\377\377")
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
206	            if (buff + hdrSize > end)
gdb-peda$ p hdrSize
$12 = 0xffffff0000000010
gdb-peda$ p buff + hdrSize
$14 = (uint8_t *) 0x7efff393b020 <error: Cannot access memory at address 0x7efff393b020>
gdb-peda$ p buff
$17 = (uint8_t *) 0x7ffff393b010 "AUPR-HDR\377\377\377"
gdb-peda$ p end
$15 = (uint8_t *) 0x7ffff393b093 ""
gdb-peda$ p end-buff
$21 = 0x83
gdb-peda$ p buff + hdrSize > end
$22 = 0x0
```
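The following is an added example, not code from tsMuxer or from the reporter. It replays the arithmetic shown in the gdb session on plain integers (the three values are copied from the `p` commands above; nothing is dereferenced) to show why `buff + hdrSize > end` accepts a header of 0xffffff0000000010 bytes for a 0x83-byte buffer, and places the overflow-safe form of the check beside it: compare the size against `end - buff`, which cannot wrap, instead of adding an untrusted size to a pointer first. It assumes a 64-bit build and a 64-bit `hdrSize`, as the register dump suggests; the function names are the example's own.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Values copied from the gdb-peda session in the report, used here only as
 * integers (constructed test input; no memory at these addresses is touched). */
#define REPORT_BUFF    ((uintptr_t)0x7ffff393b010ULL)
#define REPORT_END     ((uintptr_t)0x7ffff393b093ULL)
#define REPORT_HDRSIZE ((uint64_t)0xffffff0000000010ULL)

/* Shape of the line-206 test, modelled on integer addresses so the wraparound
 * is well defined and reproducible (on real pointers it is undefined
 * behaviour). Returns true when the header is accepted. With the report's
 * values buff + hdrSize wraps to 0x7efff393b020, which is numerically below
 * end, so the oversized header passes the check. */
bool header_accepted_unsafe(uintptr_t buff, uintptr_t end, uint64_t hdrSize)
{
    uintptr_t limit = buff + hdrSize;   /* 64-bit modular add: can wrap */
    return !(limit > end);
}

/* Hardened form: compare the size against the space actually remaining.
 * end - buff cannot overflow once buff <= end is established, and the
 * untrusted size is never added to a pointer before it is validated. */
bool header_accepted_safe(uintptr_t buff, uintptr_t end, uint64_t hdrSize)
{
    if (buff > end)
        return false;                   /* malformed slice */
    uint64_t remaining = (uint64_t)(end - buff);
    return hdrSize <= remaining;
}

/* Same rule for code whose size field is signed: a negative value would
 * otherwise convert to a huge unsigned one and must be rejected first. */
bool header_accepted_safe_signed(uintptr_t buff, uintptr_t end, int64_t hdrSize)
{
    if (hdrSize < 0)
        return false;
    return header_accepted_safe(buff, end, (uint64_t)hdrSize);
}

/* The same safe check expressed on real uint8_t pointers, as it would be
 * written inside a parser. */
bool header_fits(const uint8_t *buff, const uint8_t *end, uint64_t hdrSize)
{
    if (buff > end)
        return false;
    return hdrSize <= (uint64_t)(end - buff);
}

/* Helper over a static buffer of the same length as end - buff in the
 * report (0x83 bytes), so the pointer form can be exercised without
 * the caller allocating anything. */
bool header_fits_in_report_sized_buffer(uint64_t hdrSize)
{
    static uint8_t buf[0x83];
    return header_fits(buf, buf + sizeof buf, hdrSize);
}

int main(void)
{
    printf("unsafe check accepts the report's header: %d\n",
           header_accepted_unsafe(REPORT_BUFF, REPORT_END, REPORT_HDRSIZE));
    printf("safe check accepts the report's header:   %d\n",
           header_accepted_safe(REPORT_BUFF, REPORT_END, REPORT_HDRSIZE));
    printf("safe check, 16-byte header in 0x83-byte buffer: %d\n",
           header_fits_in_report_sized_buffer(16));
    printf("safe check, 0x84-byte header in 0x83-byte buffer: %d\n",
           header_fits_in_report_sized_buffer(0x84));
    return 0;
}
```

The key property is that `end - buff` is bounded by the buffer length, so any `hdrSize` larger than it is rejected regardless of how large the value is, whereas `buff + hdrSize` only rejects sizes that happen not to wrap past the top of the address space.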
[bug] Fix integer overflow
f6c5c61
Fixes issue justdan96#510.