You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
We found heap buffer under-read in movDemuxer.cpp in the current master(cb04552).
This vulnerability was discovered during the analysis of a fuzzing crash caused by a different root cause.
$ ./tsMuxeR ./15-b.mov
tsMuxeR version git-cb04552. github.com/justdan96/tsMuxer
AddressSanitizer:DEADLYSIGNAL
=================================================================
==72343==ERROR: AddressSanitizer: SEGV on unknown address 0x618ffff966b8 (pc 0x5591c81ed20b bp 0x7ffdd7756d70 sp 0x7ffdd7756ca0 T0)
==72343==The signal is caused by a READ memory access.
#0 0x5591c81ed20b in MovDemuxer::mov_read_trun(MovDemuxer::MOVAtom) (/home/vagrant/resear/tsMuxer/tsMuxeR+0x43320b)#1 0x5591c81eb6e1 in MovDemuxer::ParseTableEntry(MovDemuxer::MOVAtom) (/home/vagrant/resear/tsMuxer/tsMuxeR+0x4316e1)#2 0x5591c81ebdc1 in MovDemuxer::mov_read_default(MovDemuxer::MOVAtom) (/home/vagrant/resear/tsMuxer/tsMuxeR+0x431dc1)#3 0x5591c81efb0f in MovDemuxer::mov_read_moov(MovDemuxer::MOVAtom) (/home/vagrant/resear/tsMuxer/tsMuxeR+0x435b0f)#4 0x5591c81eb500 in MovDemuxer::ParseTableEntry(MovDemuxer::MOVAtom) (/home/vagrant/resear/tsMuxer/tsMuxeR+0x431500)#5 0x5591c81ebdc1 in MovDemuxer::mov_read_default(MovDemuxer::MOVAtom) (/home/vagrant/resear/tsMuxer/tsMuxeR+0x431dc1)#6 0x5591c81e8551 in MovDemuxer::readHeaders() (/home/vagrant/resear/tsMuxer/tsMuxeR+0x42e551)#7 0x5591c81e76b6 in MovDemuxer::openFile(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) (/home/vagrant/resear/tsMuxer/tsMuxeR+0x42d6b6)#8 0x5591c817e889 in METADemuxer::DetectStreamReader(BufferedReaderManager const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, bool) (/home/vagrant/resear/tsMuxer/tsMuxeR+0x3c4889)#9 0x5591c8126b22 in detectStreamReader(char const*, MPLSParser*, bool) (/home/vagrant/resear/tsMuxer/tsMuxeR+0x36cb22)#10 0x5591c812e318 in main (/home/vagrant/resear/tsMuxer/tsMuxeR+0x374318)#11 0x7f6423270d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58#12 0x7f6423270e3f in __libc_start_main_impl ../csu/libc-start.c:392#13 0x5591c803a0f4 in _start (/home/vagrant/resear/tsMuxer/tsMuxeR+0x2800f4)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/home/vagrant/resear/tsMuxer/tsMuxeR+0x43320b) in MovDemuxer::mov_read_trun(MovDemuxer::MOVAtom)
==72343==ABORTING
It is caused by this line
There is no check for negative track_id values, so it is possible to read in the negative direction of the tracks array
We found heap buffer under-read in movDemuxer.cpp in the current master(cb04552).
This vulnerability was discovered during the analysis of a fuzzing crash caused by a different root cause.
PoC is here.
15-b.mov is in vuln-b.zip
Following is an output of ASAN.
$ ./tsMuxeR ./15-b.mov tsMuxeR version git-cb04552. github.com/justdan96/tsMuxer AddressSanitizer:DEADLYSIGNAL ================================================================= ==72343==ERROR: AddressSanitizer: SEGV on unknown address 0x618ffff966b8 (pc 0x5591c81ed20b bp 0x7ffdd7756d70 sp 0x7ffdd7756ca0 T0) ==72343==The signal is caused by a READ memory access. #0 0x5591c81ed20b in MovDemuxer::mov_read_trun(MovDemuxer::MOVAtom) (/home/vagrant/resear/tsMuxer/tsMuxeR+0x43320b) #1 0x5591c81eb6e1 in MovDemuxer::ParseTableEntry(MovDemuxer::MOVAtom) (/home/vagrant/resear/tsMuxer/tsMuxeR+0x4316e1) #2 0x5591c81ebdc1 in MovDemuxer::mov_read_default(MovDemuxer::MOVAtom) (/home/vagrant/resear/tsMuxer/tsMuxeR+0x431dc1) #3 0x5591c81efb0f in MovDemuxer::mov_read_moov(MovDemuxer::MOVAtom) (/home/vagrant/resear/tsMuxer/tsMuxeR+0x435b0f) #4 0x5591c81eb500 in MovDemuxer::ParseTableEntry(MovDemuxer::MOVAtom) (/home/vagrant/resear/tsMuxer/tsMuxeR+0x431500) #5 0x5591c81ebdc1 in MovDemuxer::mov_read_default(MovDemuxer::MOVAtom) (/home/vagrant/resear/tsMuxer/tsMuxeR+0x431dc1) #6 0x5591c81e8551 in MovDemuxer::readHeaders() (/home/vagrant/resear/tsMuxer/tsMuxeR+0x42e551) #7 0x5591c81e76b6 in MovDemuxer::openFile(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) (/home/vagrant/resear/tsMuxer/tsMuxeR+0x42d6b6) #8 0x5591c817e889 in METADemuxer::DetectStreamReader(BufferedReaderManager const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, bool) (/home/vagrant/resear/tsMuxer/tsMuxeR+0x3c4889) #9 0x5591c8126b22 in detectStreamReader(char const*, MPLSParser*, bool) (/home/vagrant/resear/tsMuxer/tsMuxeR+0x36cb22) #10 0x5591c812e318 in main (/home/vagrant/resear/tsMuxer/tsMuxeR+0x374318) #11 0x7f6423270d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58 #12 0x7f6423270e3f in __libc_start_main_impl ../csu/libc-start.c:392 #13 0x5591c803a0f4 in _start (/home/vagrant/resear/tsMuxer/tsMuxeR+0x2800f4) AddressSanitizer can not provide additional info. SUMMARY: AddressSanitizer: SEGV (/home/vagrant/resear/tsMuxer/tsMuxeR+0x43320b) in MovDemuxer::mov_read_trun(MovDemuxer::MOVAtom) ==72343==ABORTINGIt is caused by this line
There is no check for negative
track_idvalues, so it is possible to read in the negative direction of thetracksarraytsMuxer/tsMuxer/movDemuxer.cpp
Line 1075 in cb04552
tsMuxer/tsMuxer/movDemuxer.cpp
Line 1156 in cb04552
Ricerca Security, Inc.
The text was updated successfully, but these errors were encountered: