heap-buffer-overflow in ./tsMuxer/bitStream.h:164:41 in BitStreamReader::getCurVal(unsigned int*) const #785

Closed
gandalf4a opened this issue Oct 8, 2023 · 3 comments

Comments

@gandalf4a

Version

$ git show
commit 2539d074cd4da0547b97aedd8bc12252b973907c (HEAD -> master, tag: nightly-2023-10-05-01-55-56, origin/master, origin/HEAD)
Author: jcdr428 <jessiedeer@hotmail.com>
Date:   Wed Oct 4 10:17:02 2023 +0100

Platform

$ uname -a
Linux user-GE40-2PC-Dragon-Eyes 6.2.0-33-generic #33~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Thu Sep  7 10:33:52 UTC 2 x86_64 x86_64 x86_64 GNU/Linux

Asan

tsMuxeR version git-2539d07. github.com/justdan96/tsMuxer
=================================================================
==518458==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000d538 at pc 0x558cd3c038d5 bp 0x7ffc16fe1010 sp 0x7ffc16fe1008
READ of size 1 at 0x60200000d538 thread T0
    #0 0x558cd3c038d4 in BitStreamReader::getCurVal(unsigned int*) const /home/user/fuzzing_tsMuxer/tsMuxer/tsMuxer/bitStream.h:164:41
    #1 0x558cd3c038d4 in BitStreamReader::getBits(unsigned int) /home/user/fuzzing_tsMuxer/tsMuxer/tsMuxer/bitStream.h:75:24
    #2 0x558cd3f98edd in unsigned char BitStreamReader::getBits<unsigned char>(unsigned int) /home/user/fuzzing_tsMuxer/tsMuxer/tsMuxer/bitStream.h:60:31
    #3 0x558cd3f98edd in SEIUnit::mvc_scalable_nesting(SPSUnit const&, unsigned char*, int, int) /home/user/fuzzing_tsMuxer/tsMuxer/tsMuxer/nalUnits.cpp:1746:44
    #4 0x558cd3f959f4 in SEIUnit::sei_payload(SPSUnit const&, int, unsigned char*, int, int) /home/user/fuzzing_tsMuxer/tsMuxer/tsMuxer/nalUnits.cpp:1550:9
    #5 0x558cd3f959f4 in SEIUnit::deserialize(SPSUnit const&, int) /home/user/fuzzing_tsMuxer/tsMuxer/tsMuxer/nalUnits.cpp:1368:13
    #6 0x558cd3ca1d7f in H264StreamReader::checkStream(unsigned char*, int) /home/user/fuzzing_tsMuxer/tsMuxer/tsMuxer/h264StreamReader.cpp:131:25
    #7 0x558cd3e8b535 in METADemuxer::detectTrackReader(unsigned char*, int, AbstractStreamReader::ContainerType, int, int) /home/user/fuzzing_tsMuxer/tsMuxer/tsMuxer/metaDemuxer.cpp:749:22
    #8 0x558cd3e7f766 in METADemuxer::DetectStreamReader(BufferedReaderManager const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, bool) /home/user/fuzzing_tsMuxer/tsMuxer/tsMuxer/metaDemuxer.cpp:685:35
    #9 0x558cd3da4a7a in detectStreamReader(char const*, MPLSParser*, bool) /home/user/fuzzing_tsMuxer/tsMuxer/tsMuxer/main.cpp:114:34
    #10 0x558cd3db8efb in main /home/user/fuzzing_tsMuxer/tsMuxer/tsMuxer/main.cpp:689:17
    #11 0x7f47a3629d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #12 0x7f47a3629e3f in __libc_start_main csu/../csu/libc-start.c:392:3
    #13 0x558cd3b3fd24 in _start (/home/user/fuzzing_tsMuxer/tsMuxer/build/tsMuxer/tsmuxer+0x249d24) (BuildId: 93aa533ae68cbad6d874b6199ee386d19d3a575e)

0x60200000d538 is located 0 bytes to the right of 8-byte region [0x60200000d530,0x60200000d538)
allocated by thread T0 here:
    #0 0x558cd3bfda4d in operator new[](unsigned long) (/home/user/fuzzing_tsMuxer/tsMuxer/build/tsMuxer/tsmuxer+0x307a4d) (BuildId: 93aa533ae68cbad6d874b6199ee386d19d3a575e)
    #1 0x558cd3f631bc in NALUnit::decodeBuffer(unsigned char const*, unsigned char const*) /home/user/fuzzing_tsMuxer/tsMuxer/tsMuxer/nalUnits.cpp:270:19

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/user/fuzzing_tsMuxer/tsMuxer/tsMuxer/bitStream.h:164:41 in BitStreamReader::getCurVal(unsigned int*) const
==518458==ABORTING

Reproduce

./tsmuxer poc

POC File

https://github.com/gandalf4a/crash_report/blob/main/tsMuxer/poc_hbo_164

Credit

Gandalf4a
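The ASan report above shows getBits() reading one byte past an 8-byte SEI payload allocated in NALUnit::decodeBuffer. As an added example that is not tsMuxer's code, this hypothetical bounds-checked bit reader (SafeBitReader over a constructed payload kPayload) refuses the ninth byte instead of reading past the allocation, which is the check a nested-SEI parser needs before each getBits() call:

```cpp
#include <cstddef>
#include <cstdint>
#include <stdexcept>

// Hypothetical bounds-checked bit reader; it is not tsMuxer's BitStreamReader.
class SafeBitReader {
public:
    SafeBitReader(const uint8_t* data, size_t len) : data_(data), bitLen_(len * 8), pos_(0) {}
    size_t bitsLeft() const { return bitLen_ - pos_; }

    // Reads n bits (1..32) MSB-first. Refuses to read past the end instead of
    // touching the byte after the allocation, which is what ASan flagged above.
    uint32_t getBits(unsigned n) {
        if (n == 0 || n > 32) throw std::invalid_argument("bit count out of range");
        if (n > bitsLeft()) throw std::out_of_range("read past end of buffer");
        uint32_t v = 0;
        for (unsigned i = 0; i < n; ++i, ++pos_)
            v = (v << 1) | ((data_[pos_ >> 3] >> (7 - (pos_ & 7))) & 1);
        return v;
    }
private:
    const uint8_t* data_;
    size_t bitLen_;
    size_t pos_;
};

// Constructed 8-byte payload, the same size as the region in the ASan report.
const uint8_t kPayload[8] = {0xAB, 0xCD, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06};

// Mirrors a nested-SEI parser that keeps pulling bytes from the payload.
// Returns how many bytes it read before the reader stopped it at the boundary.
int bytesReadBeforeOverrun(const uint8_t* payload, size_t len, int wanted) {
    SafeBitReader r(payload, len);
    int got = 0;
    try {
        for (int i = 0; i < wanted; ++i) { r.getBits(8); ++got; }
    } catch (const std::out_of_range&) {
        // An unchecked reader would have read payload[len] here.
    }
    return got;
}

// Sanity check of sub-byte and byte-spanning reads on the constructed payload.
uint32_t readFirst12BitsAfterNibble() {
    SafeBitReader r(kPayload, sizeof kPayload);
    r.getBits(4);            // skip the leading nibble 0xA
    return r.getBits(12);    // 0xBCD, spanning the first two bytes
}
```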
@jcdr428
Collaborator

jcdr428 commented Oct 9, 2023

@gandalf4a Not reproducible on Windows.
Same under Linux Bullseye, all I have is:

./tsMuxeR poc_hbo_164
tsMuxeR version git-a5cc8ba. github.com/justdan96/tsMuxer
Bad SEI detected. SEI too short
Bad SEI detected. SEI too short
Bad SEI detected. SEI too short
Bad SEI detected. SEI too short
Can't detect stream type

@gandalf4a
Author

build reproduce

$ cd tsMuxer
$ mkdir build && cd build
$ cmake ../ -DCMAKE_C_COMPILER=clang  -DCMAKE_CXX_COMPILER=clang++ -DCMAKE_C_FLAGS="-fsanitize=address" -DCMAKE_CXX_FLAGS="-fsanitize=address"
$ make 

Give me a second to see if Windows can reproduce.

jcdr428 added a commit that referenced this issue Oct 9, 2023
@jcdr428
Collaborator

jcdr428 commented Oct 9, 2023

Ok, got it. Thanks @gandalf4a

@jcdr428 jcdr428 closed this as completed Oct 9, 2023