$ uname -a
Linux user-GE40-2PC-Dragon-Eyes 6.2.0-33-generic #33~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Thu Sep 7 10:33:52 UTC 2 x86_64 x86_64 x86_64 GNU/Linux
Asan
tsMuxeR version git-2539d07. github.com/justdan96/tsMuxer
=================================================================
==518458==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000d538 at pc 0x558cd3c038d5 bp 0x7ffc16fe1010 sp 0x7ffc16fe1008
READ of size 1 at 0x60200000d538 thread T0
#0 0x558cd3c038d4 in BitStreamReader::getCurVal(unsigned int*) const /home/user/fuzzing_tsMuxer/tsMuxer/tsMuxer/bitStream.h:164:41
#1 0x558cd3c038d4 in BitStreamReader::getBits(unsigned int) /home/user/fuzzing_tsMuxer/tsMuxer/tsMuxer/bitStream.h:75:24
#2 0x558cd3f98edd in unsigned char BitStreamReader::getBits<unsigned char>(unsigned int) /home/user/fuzzing_tsMuxer/tsMuxer/tsMuxer/bitStream.h:60:31
#3 0x558cd3f98edd in SEIUnit::mvc_scalable_nesting(SPSUnit const&, unsigned char*, int, int) /home/user/fuzzing_tsMuxer/tsMuxer/tsMuxer/nalUnits.cpp:1746:44
#4 0x558cd3f959f4 in SEIUnit::sei_payload(SPSUnit const&, int, unsigned char*, int, int) /home/user/fuzzing_tsMuxer/tsMuxer/tsMuxer/nalUnits.cpp:1550:9
#5 0x558cd3f959f4 in SEIUnit::deserialize(SPSUnit const&, int) /home/user/fuzzing_tsMuxer/tsMuxer/tsMuxer/nalUnits.cpp:1368:13
#6 0x558cd3ca1d7f in H264StreamReader::checkStream(unsigned char*, int) /home/user/fuzzing_tsMuxer/tsMuxer/tsMuxer/h264StreamReader.cpp:131:25
#7 0x558cd3e8b535 in METADemuxer::detectTrackReader(unsigned char*, int, AbstractStreamReader::ContainerType, int, int) /home/user/fuzzing_tsMuxer/tsMuxer/tsMuxer/metaDemuxer.cpp:749:22
#8 0x558cd3e7f766 in METADemuxer::DetectStreamReader(BufferedReaderManager const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, bool) /home/user/fuzzing_tsMuxer/tsMuxer/tsMuxer/metaDemuxer.cpp:685:35
#9 0x558cd3da4a7a in detectStreamReader(char const*, MPLSParser*, bool) /home/user/fuzzing_tsMuxer/tsMuxer/tsMuxer/main.cpp:114:34
#10 0x558cd3db8efb in main /home/user/fuzzing_tsMuxer/tsMuxer/tsMuxer/main.cpp:689:17
#11 0x7f47a3629d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#12 0x7f47a3629e3f in __libc_start_main csu/../csu/libc-start.c:392:3
#13 0x558cd3b3fd24 in _start (/home/user/fuzzing_tsMuxer/tsMuxer/build/tsMuxer/tsmuxer+0x249d24) (BuildId: 93aa533ae68cbad6d874b6199ee386d19d3a575e)
0x60200000d538 is located 0 bytes to the right of 8-byte region [0x60200000d530,0x60200000d538)
allocated by thread T0 here:
#0 0x558cd3bfda4d in operator new[](unsigned long) (/home/user/fuzzing_tsMuxer/tsMuxer/build/tsMuxer/tsmuxer+0x307a4d) (BuildId: 93aa533ae68cbad6d874b6199ee386d19d3a575e)
#1 0x558cd3f631bc in NALUnit::decodeBuffer(unsigned char const*, unsigned char const*) /home/user/fuzzing_tsMuxer/tsMuxer/tsMuxer/nalUnits.cpp:270:19
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/user/fuzzing_tsMuxer/tsMuxer/tsMuxer/bitStream.h:164:41 in BitStreamReader::getCurVal(unsigned int*) const
Shadow bytes around the buggy address:
==518458==ABORTING
@gandalf4a Not reproducible on Windows.
Same under Linux Bullseye, all I have is:
./tsMuxeR poc_hbo_164
tsMuxeR version git-a5cc8ba. github.com/justdan96/tsMuxer
Bad SEI detected. SEI too short
Bad SEI detected. SEI too short
Bad SEI detected. SEI too short
Bad SEI detected. SEI too short
Can't detect stream type
POC File
https://github.com/gandalf4a/crash_report/blob/main/tsMuxer/poc_hbo_164