
Memory allocation failure in xml_on_metadata_tag_only() at dump_xml.c:271 #19

Closed
fengzhengzhan opened this issue Jun 13, 2023 · 2 comments

Comments

@fengzhengzhan

Memory allocation failure in xml_on_metadata_tag_only() at dump_xml.c:271

Memory allocation failure in flvmeta in function xml_on_metadata_tag_only() at dump_xml.c:271.

Environment

Ubuntu 18.04, 64 bit
FLVMeta 1.2.1

Steps to reproduce

  1. Download the file:
wget https://github.com/noirotm/flvmeta/archive/refs/tags/v1.2.1.tar.gz
tar -zxvf v1.2.1.tar.gz
  2. Compile libming with ASAN:
cd flvmeta-1.2.1
export FORCE_UNSAFE_CONFIGURE=1
export LLVM_COMPILER=clang
CC=wllvm CXX=wllvm++ CFLAGS="-g -O0 -Wno-error" cmake -DCMAKE_C_COMPILER=wllvm -DCMAKE_CXX_COMPILER=wllvm++ -B obj-bc -G"Unix Makefiles"
cd obj-bc
make

cd src
extract-bc flvmeta
clang -fsanitize=address flvmeta.bc -o flvmeta_asan
  3. Command for reproducing the error:
./flvmeta_asan poc

Download poc:
flvmeta_memory-allocation-failure_dumpxml271.zip

ASAN report

root@a71b82b5d288:~/dataset/flvmeta-1.2.1/obj-bc/src# ./flvmeta_asan flvmeta_memory-allocation-failure_dumpxml271 
AddressSanitizer:DEADLYSIGNAL
=================================================================
==30124==ERROR: AddressSanitizer: SEGV on unknown address (pc 0x000000489d7b bp 0x7fff17e62cb0 sp 0x7fff17e62440 T0)
==30124==The signal is caused by a READ memory access.
==30124==Hint: this fault was caused by a dereference of a high value address (see register values below).  Disassemble the provided pc to learn which register was used.
    #0 0x489d7b in __interceptor_strcmp.part.298 /root/LLVM/llvm/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:444
    #1 0x4fe908 in xml_on_metadata_tag_only /root/dataset/flvmeta-1.2.1/src/dump_xml.c:271:14
    #2 0x502563 in flv_parse /root/dataset/flvmeta-1.2.1/src/flv.c:506:26
    #3 0x4fd491 in dump_metadata /root/dataset/flvmeta-1.2.1/src/dump.c:160:14
    #4 0x502855 in main /root/dataset/flvmeta-1.2.1/src/flvmeta.c:385:50
    #5 0x7f8aa5304c86 in __libc_start_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310
    #6 0x41b819 in _start (/root/dataset/flvmeta-1.2.1/obj-bc/src/flvmeta_asan+0x41b819)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /root/LLVM/llvm/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:444 in __interceptor_strcmp.part.298
==30124==ABORTING
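The report above shows strcmp() faulting on a bad pointer inside the metadata-tag handler, but not the faulting source. As an added example (not flvmeta's code, and not a statement of the actual root cause, which this page does not show), here is the defensive pattern for that class of bug: a value pulled out of a parsed file is type-checked, bounds-checked and NUL-terminated before it reaches strcmp(). The AMF0 string encoding used here is the real one; the struct, function and sample names are hypothetical.

```c
/* Added example, not flvmeta's code. Defensive pattern for the crash class
 * above: a pointer pulled out of a parsed file is type-checked, bounds-checked
 * and NUL-terminated before it reaches strcmp(). The AMF0 string encoding (type
 * byte 0x02, 16-bit big-endian length, bytes) is real; names are hypothetical. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define AMF0_STRING 0x02
typedef struct {
    uint8_t type;
    size_t len;
    char str[65535 + 1];   /* AMF0 short string max length plus NUL */
} amf_value;

/* Read one AMF0 value header. Returns 0 on success, -1 on truncated input.
 * Only string payloads are copied; other types just record the type byte. */
static int amf0_read_value(const uint8_t *buf, size_t buflen, amf_value *out) {
    if (buflen < 1) return -1;
    out->type = buf[0];
    out->len = 0;
    out->str[0] = '\0';
    if (out->type != AMF0_STRING) return 0;
    if (buflen < 3) return -1;
    size_t len = ((size_t)buf[1] << 8) | buf[2];
    if (len > buflen - 3) return -1;           /* declared length runs past the buffer */
    memcpy(out->str, buf + 3, len);
    out->str[len] = '\0';                      /* strcmp() needs a terminator */
    out->len = len;
    return 0;
}

/* Returns 1 only if buf holds a complete AMF0 string equal to "onMetaData". */
int is_onmetadata_name(const uint8_t *buf, size_t buflen) {
    amf_value v;
    if (amf0_read_value(buf, buflen, &v) != 0) return 0;
    if (v.type != AMF0_STRING) return 0;       /* never strcmp() a non-string value */
    return strcmp(v.str, "onMetaData") == 0;
}

/* Constructed sample inputs (the PoC file from the report is not on this page). */
const uint8_t SAMPLE_STRING[]    = {0x02, 0x00, 0x0A, 'o','n','M','e','t','a','D','a','t','a'};
const uint8_t SAMPLE_NUMBER[]    = {0x00, 0x3F, 0xF0, 0, 0, 0, 0, 0, 0};  /* AMF0 number 1.0 */
const uint8_t SAMPLE_TRUNCATED[] = {0x02, 0x00, 0x0A, 'o', 'n'};

int main(void) {
    printf("string: %d number: %d truncated: %d\n",
           is_onmetadata_name(SAMPLE_STRING, sizeof SAMPLE_STRING),
           is_onmetadata_name(SAMPLE_NUMBER, sizeof SAMPLE_NUMBER),
           is_onmetadata_name(SAMPLE_TRUNCATED, sizeof SAMPLE_TRUNCATED));
    return 0;
}
```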


@noirotm
Owner

noirotm commented Jun 13, 2023

Hi,
thanks for the bug report.

Could you please check this against the HEAD version of flvmeta? A very similar bug has been reported some time ago and has been fixed in commit 7b91e56.

Regards

@fengzhengzhan
Author

Thank you very much for your reply.
I am using the latest committed version of the software, and the vulnerability has been tested and is fixed.
The latest version executes as follows:

./flvmeta_asan: unexpected end of file

Thank you very much.
