#2394 closed defect (invalid)

An integer overflow is occurred on the argument of calloc in the function lschunks_intrak () of libmpdemux/demux_mov.c

Reported by: ylzs Owned by: beastd
Priority: normal Component: undetermined
Version: HEAD Severity: major
Keywords: Cc:
Blocked By: Blocking:
Reproduced by developer: no Analyzed by developer: no

Description (last modified by ylzs)

Version: SVN-r38374-13.0.1

Build command: ../configure --disable-ffmpeg_a && make (compiling with asan)

Summary of the bug: An Integer overflow is found in fucnction lschunks_intrak () which affects mplayer and mencoder. The attached file can reproduce this issue (ASAN-recompilation is needed).

How to reproduce:

1.Command: ./mplayer testcase


MPlayer SVN-r38374-13.0.1 (C) 2000-2022 MPlayer Team

libavformat version 58.29.100 (external)
libavformat file format detected.
[mov,mp4,m4a,3gp,3g2,mj2 @ 0x7f1604003600]error reading header
LAVF_header: av_open_input_stream() failed
Quicktime/MOV file format detected.
==10708==ERROR: AddressSanitizer: calloc parameters overflow: count * size (-16777215 * 8) cannot be represented in type size_t (thread T0)
    #0 0x563fa4698362 in __interceptor_calloc (/home/jlx/good_mplayer/asan_mplayer/mplayer+0x343362)
    #1 0x563fa4a61287 in lschunks_intrak /home/jlx/good_mplayer/mplayer/libmpdemux/demux_mov.c:1774:22
    #2 0x563fa4a61287 in lschunks /home/jlx/good_mplayer/mplayer/libmpdemux/demux_mov.c:1305:8
    #3 0x563fa4a61576 in lschunks_intrak /home/jlx/good_mplayer/mplayer/libmpdemux/demux_mov.c
    #4 0x563fa4a61576 in lschunks /home/jlx/good_mplayer/mplayer/libmpdemux/demux_mov.c:1305:8
    #5 0x563fa4a61576 in lschunks_intrak /home/jlx/good_mplayer/mplayer/libmpdemux/demux_mov.c
    #6 0x563fa4a61576 in lschunks /home/jlx/good_mplayer/mplayer/libmpdemux/demux_mov.c:1305:8
    #7 0x563fa4a61576 in lschunks_intrak /home/jlx/good_mplayer/mplayer/libmpdemux/demux_mov.c
    #8 0x563fa4a61576 in lschunks /home/jlx/good_mplayer/mplayer/libmpdemux/demux_mov.c:1305:8
    #9 0x563fa4a62068 in lschunks /home/jlx/good_mplayer/mplayer/libmpdemux/demux_mov.c:1332:6
    #10 0x563fa4a5a88c in mov_read_header /home/jlx/good_mplayer/mplayer/libmpdemux/demux_mov.c:1961:5

==10708==HINT: if you don't care about these errors you may set allocator_may_return_null=1
SUMMARY: AddressSanitizer: calloc-overflow (/home/jlx/good_mplayer/asan_mplayer/mplayer+0x343362) in __interceptor_calloc

Attachments (1)

testcase (52.1 KB ) - added by ylzs 16 months ago.

Download all attachments as: .zip

Change History (6)

by ylzs, 16 months ago

Attachment: testcase added

comment:1 by ylzs, 16 months ago

Description: modified (diff)

comment:2 by ylzs, 16 months ago

Severity: criticalmajor

comment:3 by reimar, 16 months ago

I do not see how this is an MPlayer bug. An integer overflow not handled correctly by libc would be a libc bug (one that has been fixed many many years ago in glibc and has a CVE, so any libc having this issue has not cared about security for a good decade).
We have no intention of working around libc security issues, these are up to the libc maintainers to fix.

comment:4 by ylzs, 15 months ago

I'm sorry I didn't realize that this is a libc bug in my report. This is the first time I've submitted a bug Reporte to a project

comment:5 by reimar, 15 months ago

Resolution: invalid
Status: newclosed

No worries, the ASAN error is really badly written.
The only real hint that the issue is not really a security/integer overflow issues is the part where it says that allocator_may_return_null=1 disables it.
I double-checked that we handle allocation failure properly in this case:

trak->durmap = calloc(len, sizeof(mov_durmap_t));
trak->durmap_size = trak->durmap ? len : 0;

So I'll close this one.

Note: See TracTickets for help on using tickets.