justdan96 / tsMuxer

tsMuxer is a transport stream muxer for remuxing/muxing elementary streams, EVO/VOB/MPG, MKV/MKA, MP4/MOV, TS, M2TS to TS to M2TS. Supported video codecs H.264/AVC, H.265/HEVC, VC-1, MPEG2. Supported audio codecs AAC, AC3 / E-AC3(DD+), DTS/ DTS-HD.
Apache License 2.0

heap-buffer-overflow in /tsMuxer/bitStream.h:166:20 in BitStreamReader::getCurVal(unsigned int*) const #786

Closed gandalf4a closed 11 months ago

gandalf4a commented 12 months ago

# Version
```
$ git show
commit 2539d074cd4da0547b97aedd8bc12252b973907c (HEAD -> master, tag: nightly-2023-10-05-01-55-56, origin/master, origin/HEAD)
Author: jcdr428 <jessiedeer@hotmail.com>
Date:   Wed Oct 4 10:17:02 2023 +0100
```

# Platform
```
$ uname -a
Linux user-GE40-2PC-Dragon-Eyes 6.2.0-33-generic #33~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Thu Sep  7 10:33:52 UTC 2 x86_64 x86_64 x86_64 GNU/Linux
```

# Asan
```
tsMuxeR version git-2539d07. github.com/justdan96/tsMuxer
Bad SEI detected. SEI too short
Bad SEI detected. SEI too short
Bad SEI detected. SEI too short
Bad SEI detected. SEI too short
Bad SEI detected. SEI too short
Bad SEI detected. SEI too short
Bad SEI detected. SEI too short
Bad SEI detected. SEI too short
Bad SEI detected. SEI too short
Bad SEI detected. SEI too short
Bad SEI detected. SEI too short
Bad SEI detected. SEI too short
Bad SEI detected. SEI too short
Bad SEI detected. SEI too short
Bad SEI detected. SEI too short
=================================================================
==534502==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000e75b at pc 0x561935bfe922 bp 0x7ffe0eafa030 sp 0x7ffe0eafa028
READ of size 1 at 0x60200000e75b thread T0
    #0 0x561935bfe921 in BitStreamReader::getCurVal(unsigned int*) const /home/user/fuzzing_tsMuxer/tsMuxer/tsMuxer/bitStream.h:166:20
    #1 0x561935bfe921 in BitStreamReader::getBits(unsigned int) /home/user/fuzzing_tsMuxer/tsMuxer/tsMuxer/bitStream.h:75:24
    #2 0x561935f9444c in signed char BitStreamReader::getBits<signed char>(unsigned int) /home/user/fuzzing_tsMuxer/tsMuxer/tsMuxer/bitStream.h:60:31
    #3 0x561935f9444c in SEIUnit::pic_timing(SPSUnit const&, bool) /home/user/fuzzing_tsMuxer/tsMuxer/tsMuxer/nalUnits.cpp:1680:32
    #4 0x561935f9444c in SEIUnit::mvc_scalable_nesting(SPSUnit const&, unsigned char*, int, int) /home/user/fuzzing_tsMuxer/tsMuxer/tsMuxer/nalUnits.cpp:1785:13
    #5 0x561935f909f4 in SEIUnit::sei_payload(SPSUnit const&, int, unsigned char*, int, int) /home/user/fuzzing_tsMuxer/tsMuxer/tsMuxer/nalUnits.cpp:1550:9
    #6 0x561935f909f4 in SEIUnit::deserialize(SPSUnit const&, int) /home/user/fuzzing_tsMuxer/tsMuxer/tsMuxer/nalUnits.cpp:1368:13
    #7 0x561935c9cd7f in H264StreamReader::checkStream(unsigned char*, int) /home/user/fuzzing_tsMuxer/tsMuxer/tsMuxer/h264StreamReader.cpp:131:25
    #8 0x561935e86535 in METADemuxer::detectTrackReader(unsigned char*, int, AbstractStreamReader::ContainerType, int, int) /home/user/fuzzing_tsMuxer/tsMuxer/tsMuxer/metaDemuxer.cpp:749:22
    #9 0x561935e7a766 in METADemuxer::DetectStreamReader(BufferedReaderManager const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, bool) /home/user/fuzzing_tsMuxer/tsMuxer/tsMuxer/metaDemuxer.cpp:685:35
    #10 0x561935d9fa7a in detectStreamReader(char const*, MPLSParser*, bool) /home/user/fuzzing_tsMuxer/tsMuxer/tsMuxer/main.cpp:114:34
    #11 0x561935db3efb in main /home/user/fuzzing_tsMuxer/tsMuxer/tsMuxer/main.cpp:689:17
    #12 0x7f67c2629d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #13 0x7f67c2629e3f in __libc_start_main csu/../csu/libc-start.c:392:3
    #14 0x561935b3ad24 in _start (/home/user/fuzzing_tsMuxer/tsMuxer/build/tsMuxer/tsmuxer+0x249d24) (BuildId: 93aa533ae68cbad6d874b6199ee386d19d3a575e)

0x60200000e75b is located 0 bytes to the right of 11-byte region [0x60200000e750,0x60200000e75b)
allocated by thread T0 here:
    #0 0x561935bf8a4d in operator new[](unsigned long) (/home/user/fuzzing_tsMuxer/tsMuxer/build/tsMuxer/tsmuxer+0x307a4d) (BuildId: 93aa533ae68cbad6d874b6199ee386d19d3a575e)
    #1 0x561935f5e1bc in NALUnit::decodeBuffer(unsigned char const*, unsigned char const*) /home/user/fuzzing_tsMuxer/tsMuxer/tsMuxer/nalUnits.cpp:270:19

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/user/fuzzing_tsMuxer/tsMuxer/tsMuxer/bitStream.h:166:20 in BitStreamReader::getCurVal(unsigned int*) const
Shadow bytes around the buggy address:
  0x0c047fff9c90: fa fa 00 00 fa fa 01 fa fa fa 04 fa fa fa 04 fa
  0x0c047fff9ca0: fa fa 01 fa fa fa 04 fa fa fa 04 fa fa fa 00 02
  0x0c047fff9cb0: fa fa 00 00 fa fa 00 00 fa fa 01 fa fa fa 04 fa
  0x0c047fff9cc0: fa fa 04 fa fa fa 01 fa fa fa 04 fa fa fa 04 fa
  0x0c047fff9cd0: fa fa 01 fa fa fa 04 fa fa fa 04 fa fa fa 01 fa
=>0x0c047fff9ce0: fa fa 04 fa fa fa 04 fa fa fa 00[03]fa fa fa fa
  0x0c047fff9cf0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9d00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9d10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9d20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9d30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==534502==ABORTING
```

# Reproduce
```
./tsmuxer poc
```

# POC File
https://github.com/gandalf4a/crash_report/blob/main/tsMuxer/poc_hbo_166

# Credit
```
Gandalf4a
```

jcdr428 commented 11 months ago

Edit: ok, got it. Thanks @gandalf4a

gandalf4a commented 11 months ago

build reproduce

```
$ cd tsMuxer
$ mkdir build && cd build
$ cmake ../ -DCMAKE_C_COMPILER=clang  -DCMAKE_CXX_COMPILER=clang++ -DCMAKE_C_FLAGS="-fsanitize=address" -DCMAKE_CXX_FLAGS="-fsanitize=address"
$ make
```

Give me a second to see if Windows can reproduce.