Our fuzzer found a stack buffer overflow in tsDemuxer in the current master (94cafe7).
PoC is here.
The following is the ASAN output.
vuln21.ts is in poc21.zip
It is caused by these lines.
tsMuxer/tsMuxer/tsDemuxer.cpp
Lines 295 to 296 in 94cafe7
ASAN says negative size param, but it is actually stack buffer overflow.
While declaring pmtBuffer as 4096 bytes as the destination Buffer in TSDemuxer::simpleDemuxBlock, it does not check if pmtBufferLen + TS_FRAME_SIZE - tsPacket->getHeaderSize() used in memcpy is smaller than 4096, so stack based BOF occurs.
We can confirm that the return address of main is actually destroyed by the stack BOF in this POC as well.
Ricerca Security, Inc.
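
The bounds check the report describes as missing, written out as an added example that is not tsMuxer's code: a hypothetical PmtAccumulator validates the header size and the remaining buffer space before calling memcpy, and also rejects a header size larger than the frame, which would make the copy length negative. TS_FRAME_SIZE = 188 (the standard MPEG-TS packet size) and the 4096-byte capacity from the report are assumptions; every other name is hypothetical.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>

// Assumed constants: 188 is the standard MPEG-TS packet size, 4096 is the
// pmtBuffer size quoted in the report.
constexpr int TS_FRAME_SIZE = 188;
constexpr size_t PMT_BUFFER_SIZE = 4096;

enum class AppendResult { Ok, BadHeader, Overflow };

// Hypothetical accumulator (not tsMuxer code): collects PMT payload bytes
// from successive TS packets into a fixed-size buffer.
struct PmtAccumulator {
    uint8_t buf[PMT_BUFFER_SIZE];
    size_t len = 0;

    // headerSize is assumed to be computed from packet contents, so it is
    // untrusted input and validated before any arithmetic uses it.
    AppendResult append(const uint8_t* packet, int headerSize) {
        // A header larger than the frame would make the length negative,
        // which memcpy would see as a huge size_t.
        if (headerSize < 0 || headerSize > TS_FRAME_SIZE)
            return AppendResult::BadHeader;
        const size_t payloadLen = static_cast<size_t>(TS_FRAME_SIZE - headerSize);
        // Compare against the remaining space; written this way the check
        // itself cannot overflow.
        if (payloadLen > PMT_BUFFER_SIZE - len)
            return AppendResult::Overflow;
        std::memcpy(buf + len, packet + headerSize, payloadLen);
        len += payloadLen;
        return AppendResult::Ok;
    }
};

// Feeds constructed packets (zero-filled, fixed header size) until one is
// rejected or maxPackets is reached; returns how many were accepted.
int packetsAccepted(int headerSize, int maxPackets) {
    const uint8_t packet[TS_FRAME_SIZE] = {0};
    PmtAccumulator acc;
    int accepted = 0;
    while (accepted < maxPackets &&
           acc.append(packet, headerSize) == AppendResult::Ok)
        ++accepted;
    return accepted;
}
```

With a 4-byte header each packet contributes 184 bytes, so the 23rd packet is the first one that no longer fits and is rejected instead of being copied past the end of the buffer.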