Opened 5 years ago
Closed 4 years ago
#2360 closed defect (fixed)
Heap memory corruption in libmpdemux/demux_realaud.c
Reported by: | Taolaw | Owned by: | Taolaw
---|---|---|---
Priority: | normal | Component: | demuxer
Version: | unspecified | Severity: | blocker
Keywords: | | Cc: |
Blocked By: | | Blocking: |
Reproduced by developer: | no | Analyzed by developer: | no
Description
Summary of the bug: Heap memory corruption in libmpdemux/demux_realaud.c
How to reproduce:
At line 249 of demux_realaud.c, when the heap allocation fails, it returns NULL to the buf variable, and then assigning a value to buf results in a memory access violation.

```c
if ((i = stream_read_char(demuxer->stream)) != 0) {
    buf = malloc(i+1);                  /* return value is never checked */
    stream_read(demuxer->stream, buf, i);
    buf[i] = 0;                         /* line 249: writes through a NULL buf */
    demux_info_add(demuxer, "Copyright", buf);
    free(buf);
}
```

```
gdb-peda$ r -ao null -vo null heap-memory-corruption
Starting program: /root/tmp/crash/audio/mplayer -ao null -vo null heap-memory-corruption
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
MPlayer 1.4-8 (C) 2000-2019 MPlayer Team

Playing heap-memory-corruption.
libavformat version 58.27.102 (internal)
REALAUDIO file format detected.

Program received signal SIGSEGV, Segmentation fault.
[----------------------------------registers-----------------------------------]
RAX: 0x0
RBX: 0x555556d354a0 --> 0x55555643c5c0 --> 0x555556167246 ("Realaudio demuxer")
RCX: 0x0
RDX: 0x0
RSI: 0x5555561603fc ("Copyright")
RDI: 0xffffffffffffff10
RBP: 0x555556d37010 --> 0x3
RSP: 0x7fffffffcd90 --> 0x555556d33400 --> 0x55555578f9a0 (<fill_buffer>: push rbp)
RIP: 0x5555557659f9 (<demux_open_ra+5481>: mov BYTE PTR [rax+r15*1],0x0)
R8 : 0x1
R9 : 0x76 ('v')
R10: 0xfffffffffffff000
R11: 0x555556dc6000
R12: 0x555556d37050 --> 0x555556d36e90 --> 0x0
R13: 0x18
R14: 0x555556d372c3 --> 0x0
R15: 0xffffffffffffff00
EFLAGS: 0x10246 (carry PARITY adjust ZERO sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x5555557659e8 <demux_open_ra+5464>: movsxd r15,DWORD PTR [rsp+0x10]
   0x5555557659ed <demux_open_ra+5469>: mov    rax,QWORD PTR [rsp+0x18]
   0x5555557659f2 <demux_open_ra+5474>: lea    rsi,[rip+0x9faa03]        # 0x5555561603fc
=> 0x5555557659f9 <demux_open_ra+5481>: mov    BYTE PTR [rax+r15*1],0x0
   0x5555557659fe <demux_open_ra+5486>: mov    rdx,rax
   0x555555765a01 <demux_open_ra+5489>: mov    r15,rax
   0x555555765a04 <demux_open_ra+5492>: mov    rdi,rbx
   0x555555765a07 <demux_open_ra+5495>: call   0x555555736420 <demux_info_add>
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffcd90 --> 0x555556d33400 --> 0x55555578f9a0 (<fill_buffer>: push rbp)
0008| 0x7fffffffcd98 --> 0x63 ('c')
0016| 0x7fffffffcda0 --> 0x630000007b ('{')
0024| 0x7fffffffcda8 --> 0x0
0032| 0x7fffffffcdb0 --> 0xffffffff
0040| 0x7fffffffcdb8 --> 0x55555643c5c0 --> 0x555556167246 ("Realaudio demuxer")
0048| 0x7fffffffcdc0 --> 0x555556d17510 ("heap-memory-corruption")
0056| 0x7fffffffcdc8 --> 0x55555648ff08 --> 0x55555643c940 --> 0x55555616a3f1 ("TwinVQ demuxer")
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x00005555557659f9 in demux_open_ra (demuxer=0x555556d354a0) at libmpdemux/demux_realaud.c:249
249         buf[i] = 0;
gdb-peda$ bt
#0  0x00005555557659f9 in demux_open_ra (demuxer=0x555556d354a0) at libmpdemux/demux_realaud.c:249
#1  0x000055555573562b in demux_open_stream (stream=stream@entry=0x555556d33400, file_format=0x20, file_format@entry=0x0, force=force@entry=0x0, audio_id=0xffffffff, video_id=video_id@entry=0xffffffff, dvdsub_id=0xffffffff, filename=0x555556d17510 "heap-memory-corruption") at libmpdemux/demuxer.c:1120
#2  0x0000555555735e84 in demux_open (vs=0x555556d33400, file_format=0x0, audio_id=0xffffffff, video_id=0xffffffff, dvdsub_id=0xffffffff, filename=0x555556d17510 "heap-memory-corruption") at libmpdemux/demuxer.c:1295
#3  0x000055555569d4b6 in main (argc=<optimized out>, argc@entry=0x6, argv=<optimized out>, argv@entry=0x7fffffffe078) at mplayer.c:3387
#4  0x00007ffff777d09b in __libc_start_main (main=0x55555569c580 <main>, argc=0x6, argv=0x7fffffffe078, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe068) at ../csu/libc-start.c:308
#5  0x00005555556a0c3a in _start () at mplayer.c:2242
```
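The register dump above shows RAX (buf) = 0 and R15 (i) = 0xffffffffffffff00, a negative length that made malloc(i+1) fail, after which line 249 writes through NULL. As an added example that is not MPlayer's code, here is the same length-prefixed read hardened to reject a missing or truncated length and a NULL allocation, over a constructed stand-in stream (fake_stream, ra_alloc and ra_read_pstring are hypothetical names; the allocator hook lets the failed malloc be simulated).

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for the demuxer's stream: a byte buffer plus a cursor.
 * It replaces stream_read_char()/stream_read() so the example runs offline. */
typedef struct { const uint8_t *data; size_t len, pos; } fake_stream;

/* Allocator hook so a caller can simulate the malloc failure from the report. */
void *(*ra_alloc)(size_t) = malloc;
void *ra_alloc_fail(size_t n) { (void)n; return NULL; }

/* Hardened form of the length-prefixed string read in demux_open_ra().
 * Returns a NUL-terminated heap copy of the string, or NULL with *err set:
 * 1 = no length byte / truncated payload, 2 = allocation failed.
 * An empty string (length byte 0) returns NULL with *err == 0, matching the
 * original's `!= 0` test. The unchecked original would execute buf[i] = 0
 * through a NULL buf in case 2 (RAX == 0 in the crash registers above). */
char *ra_read_pstring(fake_stream *s, int *err)
{
    *err = 0;
    if (s->pos >= s->len) { *err = 1; return NULL; }    /* EOF instead of a length */
    size_t n = s->data[s->pos++];                       /* one unsigned length byte */
    if (n == 0) return NULL;
    if (s->len - s->pos < n) { *err = 1; return NULL; } /* payload shorter than n */
    char *buf = ra_alloc(n + 1);
    if (buf == NULL) { *err = 2; return NULL; }         /* the case the report hits */
    memcpy(buf, s->data + s->pos, n);
    s->pos += n;
    buf[n] = 0;
    return buf;
}

/* Constructed sample input: a 9-byte "Copyright" tag (length byte, then text). */
const uint8_t ra_sample[] = { 0x09, 'C','o','p','y','r','i','g','h','t' };

int main(void)
{
    fake_stream s = { ra_sample, sizeof ra_sample, 0 };
    int err;
    char *tag = ra_read_pstring(&s, &err);   /* "Copyright", err == 0 */
    free(tag);
    ra_alloc = ra_alloc_fail;                /* simulate the failed malloc */
    s.pos = 0;
    tag = ra_read_pstring(&s, &err);         /* NULL, err == 2, no crash */
    return (tag == NULL && err == 2) ? 0 : 1;
}
```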
Patches should be submitted to the mplayer-dev-eng mailing list and not this bug tracker.
Attachments (1)
Change History (2)
by , 5 years ago
Attachment: | heap-memory-corruption added |
---|
comment:1 by , 4 years ago
Resolution: | → fixed |
---|---|
Status: | new → closed |
Fixed in r38221