Opened 5 years ago
Closed 4 years ago
#2358 closed defect (fixed)
Mplayer-1.4-8 libmpdemux/asfheader.c file memcpy function Out-of-bounds-copy
Reported by: | Taolaw | Owned by: | Taolaw |
---|---|---|---|
Priority: | normal | Component: | demuxer |
Version: | unspecified | Severity: | blocker |
Keywords: | | Cc: | |
Blocked By: | | Blocking: | |
Reproduced by developer: | no | Analyzed by developer: | no |
Description
Summary of the bug: Mplayer-1.4-8 libmpdemux/asfheader.c file memcpy function Out-of-bounds-copy
How to reproduce:
An out-of-bounds copy occurs in line 349 of the asf_init_audio_stream function. The values streamh->type_size and buffer come from the input file, and the copy goes out of bounds when streamh->type_size is greater than the size of buffer. Because some validation was done at line 349, code execution is not very likely, but since the number of bytes copied can be controlled, a denial-of-service attack can be initiated.

```
sh_audio->wf=calloc(FFMAX(streamh->type_size, sizeof(*sh_audio->wf)), 1);
memcpy(sh_audio->wf,buffer,streamh->type_size);
```

```
gdb-peda$ r -ao null -vo null out-of-bounds-copy
Starting program: /root/tmp/crash/audio/mplayer -ao null -vo null out-of-bounds-copy
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
MPlayer 1.4-8 (C) 2000-2019 MPlayer Team

Playing out-of-bounds-copy.
libavformat version 58.27.102 (internal)
ASF file format detected.
[asfheader] Audio stream found, -aid 115

Program received signal SIGSEGV, Segmentation fault.
[----------------------------------registers-----------------------------------]
RAX: 0x7fff03728010 --> 0x0
RBX: 0xf3fdba51
RCX: 0x7fff03728010 --> 0x0
RDX: 0xf3fdba51
RSI: 0x555556d3790b --> 0x6034ba78194f6652
RDI: 0x7fff03728010 --> 0x0
RBP: 0x555556d36f10 --> 0x11cf668e75b22630
RSP: 0x7fffffffccc8 --> 0x55555572ceec (<asf_init_audio_stream+76>: movzx eax,WORD PTR [rax])
RIP: 0x7ffff78b58d4 (<__memmove_avx_unaligned_erms+548>: vmovdqu ymm8,YMMWORD PTR [rsi+rdx*1-0x20])
R8 : 0x7fff03728010 --> 0x0
R9 : 0x0
R10: 0x22 ('"')
R11: 0x246
R12: 0x555556d378d5 --> 0x11cf5b4df8699e40
R13: 0x555556d37a80 --> 0x7fff03728010 --> 0x0
R14: 0x555556d3790b --> 0x6034ba78194f6652
R15: 0x555556d37990 --> 0x0
EFLAGS: 0x10216 (carry PARITY ADJUST zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x7ffff78b58c5 <__memmove_avx_unaligned_erms+533>: vmovdqu ymm5,YMMWORD PTR [rsi+0x20]
   0x7ffff78b58ca <__memmove_avx_unaligned_erms+538>: vmovdqu ymm6,YMMWORD PTR [rsi+0x40]
   0x7ffff78b58cf <__memmove_avx_unaligned_erms+543>: vmovdqu ymm7,YMMWORD PTR [rsi+0x60]
=> 0x7ffff78b58d4 <__memmove_avx_unaligned_erms+548>: vmovdqu ymm8,YMMWORD PTR [rsi+rdx*1-0x20]
   0x7ffff78b58da <__memmove_avx_unaligned_erms+554>: lea r11,[rdi+rdx*1-0x20]
   0x7ffff78b58df <__memmove_avx_unaligned_erms+559>: lea rcx,[rsi+rdx*1-0x20]
   0x7ffff78b58e4 <__memmove_avx_unaligned_erms+564>: mov r9,r11
   0x7ffff78b58e7 <__memmove_avx_unaligned_erms+567>: mov r8,r11
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffccc8 --> 0x55555572ceec (<asf_init_audio_stream+76>: movzx eax,WORD PTR [rax])
0008| 0x7fffffffccd0 --> 0x555556d35480 --> 0x55555648ffc0 --> 0x555556161841 ("ASF demuxer")
0016| 0x7fffffffccd8 --> 0xf3fdc36cf3fdc36c
0024| 0x7fffffffcce0 --> 0x73 ('s')
0032| 0x7fffffffcce8 --> 0x555556d37980 --> 0x555556d36e70 --> 0x0
0040| 0x7fffffffccf0 --> 0x555556d378d5 --> 0x11cf5b4df8699e40
0048| 0x7fffffffccf8 --> 0x555556d36ff0 --> 0x11cf668e75b22633
0056| 0x7fffffffcd00 --> 0xf3fdc36c
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
__memmove_avx_unaligned_erms () at ../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S:440
440     ../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S.
gdb-peda$ bt
#0  __memmove_avx_unaligned_erms () at ../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S:440
#1  0x000055555572ceec in asf_init_audio_stream (asf=asf@entry=0x555556d36f10, streamh=streamh@entry=0x555556d378d5, hdr=0x555556d36ff0 "3&\262u\216f\317\021\246", <incomplete sequence \331>, hdr_len=0x983, buf=<optimized out>, ppos=<optimized out>, sh_audio=<optimized out>, sh_audio=<optimized out>, demuxer=0x555556d35480) at libmpdemux/asfheader.c:349
#2  0x000055555572d64e in read_asf_header (demuxer=demuxer@entry=0x555556d35480, asf=asf@entry=0x555556d36f10) at libmpdemux/asfheader.c:483
#3  0x00005555557385fa in demux_open_asf (demuxer=0x555556d35480) at libmpdemux/demux_asf.c:629
#4  0x000055555573562b in demux_open_stream (stream=stream@entry=0x555556d333e0, file_format=0x6, file_format@entry=0x0, force=force@entry=0x0, audio_id=0xffffffff, video_id=video_id@entry=0xffffffff, dvdsub_id=0xffffffff, filename=0x555556d17510 "out-of-bounds-copy") at libmpdemux/demuxer.c:1120
#5  0x0000555555735e84 in demux_open (vs=0x555556d333e0, file_format=0x0, audio_id=0xffffffff, video_id=0xffffffff, dvdsub_id=0xffffffff, filename=0x555556d17510 "out-of-bounds-copy") at libmpdemux/demuxer.c:1295
#6  0x000055555569d4b6 in main (argc=<optimized out>, argc@entry=0x6, argv=<optimized out>, argv@entry=0x7fffffffe088) at mplayer.c:3387
#7  0x00007ffff777d09b in __libc_start_main (main=0x55555569c580 <main>, argc=0x6, argv=0x7fffffffe088, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe078) at ../csu/libc-start.c:308
#8  0x00005555556a0c3a in _start () at mplayer.c:2242
```
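Editor's note on the two lines quoted above: the calloc size is taken from the same streamh->type_size as the memcpy length, so the destination is always large enough and the fault is an over-read of the source (the register dump shows the length in RDX as 0xf3fdba51, roughly 4 GB, and RSI pointing into the header object). What is missing is a check of type_size against the bytes that actually remain in the header object. The following C program is an added example, not code from this ticket, from r38223 or from MPlayer: it reproduces the unchecked copy in a simplified, assumed record layout (a 4-byte little-endian type_size immediately followed by the type-specific data; MPlayer's real ASF_stream_header_t has more fields) and places a bounded version beside it. The function names, the STREAMH_FIXED_LEN/WAVEFORMATEX_LEN constants and the two sample headers are constructed for this example; the hostile sample reuses the length seen at the crash.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed, simplified record layout for this example (not MPlayer's real
 * ASF_stream_header_t): a 4-byte LE type_size followed directly by the
 * type-specific data it describes. */
#define STREAMH_FIXED_LEN 4
#define WAVEFORMATEX_LEN  18   /* minimum size of the audio format block */

static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static uint16_t rd16(const uint8_t *p)
{
    return (uint16_t)(p[0] | (p[1] << 8));
}

/* Unchecked shape, mirroring the two lines quoted in the report: the
 * destination is sized from type_size (so it is big enough), but nothing
 * compares type_size with the bytes actually present after the header.
 * Kept for contrast only; never called on the hostile sample here. */
uint8_t *copy_type_specific_unchecked(const uint8_t *streamh)
{
    uint32_t type_size = rd32(streamh);
    const uint8_t *buffer = streamh + STREAMH_FIXED_LEN;
    size_t alloc = type_size > WAVEFORMATEX_LEN ? type_size : WAVEFORMATEX_LEN;
    uint8_t *wf = calloc(alloc, 1);
    if (!wf)
        return NULL;
    memcpy(wf, buffer, type_size);   /* over-reads if the file lied about type_size */
    return wf;
}

/* Bounded shape: every read is limited by hdr_len, the size of the header
 * object that was really loaded from the file. Returns NULL on any
 * inconsistency; *out_len receives the number of bytes copied (0 on reject). */
uint8_t *copy_type_specific_checked(const uint8_t *hdr, size_t hdr_len,
                                    size_t stream_off, size_t *out_len)
{
    *out_len = 0;
    if (stream_off > hdr_len || hdr_len - stream_off < STREAMH_FIXED_LEN)
        return NULL;                        /* fixed part does not fit */

    const uint8_t *streamh = hdr + stream_off;
    uint32_t type_size = rd32(streamh);
    size_t remaining = hdr_len - stream_off - STREAMH_FIXED_LEN;
    if (type_size > remaining)
        return NULL;                        /* claims more than the object holds */

    size_t alloc = type_size > WAVEFORMATEX_LEN ? type_size : WAVEFORMATEX_LEN;
    uint8_t *wf = calloc(alloc, 1);
    if (!wf)
        return NULL;
    memcpy(wf, streamh + STREAMH_FIXED_LEN, type_size);
    *out_len = type_size;
    return wf;
}

/* Constructed sample: 4 unrelated bytes, then a record whose type_size (18)
 * matches the 18 bytes of PCM WAVEFORMATEX-style data that follow. */
static const uint8_t GOOD_HDR[] = {
    0xaa, 0xbb, 0xcc, 0xdd,             /* preceding header bytes */
    0x12, 0x00, 0x00, 0x00,             /* type_size = 18 */
    0x01, 0x00, 0x02, 0x00,             /* wFormatTag = 1, nChannels = 2 */
    0x44, 0xac, 0x00, 0x00,             /* nSamplesPerSec = 44100 */
    0x10, 0xb1, 0x02, 0x00,             /* nAvgBytesPerSec = 176400 */
    0x04, 0x00, 0x10, 0x00,             /* nBlockAlign = 4, wBitsPerSample = 16 */
    0x00, 0x00,                         /* cbSize = 0 */
};

/* Constructed hostile sample: type_size = 0xf3fdba51 (the length seen in RDX
 * at the crash) with only 8 bytes actually present behind it. */
static const uint8_t BAD_HDR[] = {
    0xaa, 0xbb, 0xcc, 0xdd,
    0x51, 0xba, 0xfd, 0xf3,             /* type_size = 0xf3fdba51 */
    0x01, 0x00, 0x02, 0x00, 0x44, 0xac, 0x00, 0x00,
};

/* Run one header through the bounded copy; returns bytes copied, 0 if rejected. */
size_t demo_copy(const uint8_t *hdr, size_t hdr_len)
{
    size_t n;
    uint8_t *wf = copy_type_specific_checked(hdr, hdr_len, 4, &n);
    if (wf) {
        printf("accepted: %zu bytes, wFormatTag=%u\n", n, rd16(wf));
        free(wf);
    } else {
        printf("rejected: type_size exceeds bytes left in header\n");
    }
    return n;
}

int main(void)
{
    demo_copy(GOOD_HDR, sizeof GOOD_HDR);   /* accepted: 18 bytes */
    demo_copy(BAD_HDR, sizeof BAD_HDR);     /* rejected */
    return 0;
}
```

The check is deliberately expressed as `type_size > remaining` on unsigned values computed from hdr_len rather than as `stream_off + STREAMH_FIXED_LEN + type_size <= hdr_len`, so a 32-bit type_size near 0xffffffff cannot wrap the comparison on a 32-bit build.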
Patches should be submitted to the mplayer-dev-eng mailing list and not this bug tracker.
Attachments (1)
Change History (2)
by , 5 years ago
Attachment: | out-of-bounds-copy added |
---|
comment:1 by , 4 years ago
Resolution: | → fixed |
---|---|
Status: | new → closed |
Fixed in r38223.