A heap-buffer-overflow read in the EBML_CRCMatches function in libebml2/ebmlcrc.c, in mkvalidator v0.5.2.
ASAN reports:
$ ./mkvalidator ./tests_76.mkv
WRN00C: Unknown element in Info [90] at 48 (size 33 total 35)
WRN00C: Unknown element in Info [31][57][41] at 84 (size 43 total 47)
WRN00C: Unknown element in Info [4A][89] at 150 (size 4 total 7)
ERR203: Invalid checksum for element 'Info' at 36
ERR200: Missing element 'MuxingApp' in Info at 36
ERR200: Missing element 'WritingApp' in Info at 36
WRN080: Unknown element [11][4D][9B][8A] at 168 size 801
.=================================================================
==12863==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60f000000869 at pc 0x00000050f66d bp 0x7fff61470a60 sp 0x7fff61470a58
READ of size 4 at 0x60f000000869 thread T0
#0 0x50f66c in EBML_CRCMatches /root/debug-fuzz-reslut/mkvalidator/foundation-source/libebml2/ebmlcrc.c:244:14
#1 0x518e92 in ReadData /root/debug-fuzz-reslut/mkvalidator/foundation-source/libebml2/ebmlmaster.c:416:35
#2 0x4e0788 in ReadTrackEntry /root/debug-fuzz-reslut/mkvalidator/foundation-source/libmatroska2/matroskamain.c:2261:20
#3 0x5186eb in ReadData /root/debug-fuzz-reslut/mkvalidator/foundation-source/libebml2/ebmlmaster.c:331:21
#4 0x4c9c74 in main /root/debug-fuzz-reslut/mkvalidator/foundation-source/mkvalidator/mkvalidator.c:1136:17
#5 0x7f70c848e83f in __libc_start_main /build/glibc-e6zv40/glibc-2.23/csu/../csu/libc-start.c:291
#6 0x41bf58 in _start (/root/reproduce/mkvalidator+0x41bf58)
0x60f000000869 is located 1 bytes to the right of 168-byte region [0x60f0000007c0,0x60f000000868)
allocated by thread T0 here:
#0 0x495dcd in malloc (/root/reproduce/mkvalidator+0x495dcd)
#1 0x51fbb8 in Data_ReAlloc /root/debug-fuzz-reslut/mkvalidator/foundation-source/corec/corec/array/array.c:87:24
SUMMARY: AddressSanitizer: heap-buffer-overflow /root/debug-fuzz-reslut/mkvalidator/foundation-source/libebml2/ebmlcrc.c:244:14 in EBML_CRCMatches
Shadow bytes around the buggy address:
0x0c1e7fff80b0: 00 00 00 fa fa fa fa fa fa fa fa fa 00 00 00 00
0x0c1e7fff80c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c1e7fff80d0: 00 fa fa fa fa fa fa fa fa fa fd fd fd fd fd fd
0x0c1e7fff80e0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa
0x0c1e7fff80f0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
=>0x0c1e7fff8100: 00 00 00 00 00 00 00 00 00 00 00 00 00[fa]fa fa
0x0c1e7fff8110: fa fa fa fa fa fa 00 00 00 00 00 00 00 00 00 00
0x0c1e7fff8120: 00 00 00 00 00 00 00 00 00 00 00 fa fa fa fa fa
0x0c1e7fff8130: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
0x0c1e7fff8140: 00 00 00 00 00 00 00 00 00 fa fa fa fa fa fa fa
0x0c1e7fff8150: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==12863==ABORTING
Credit: giantbranch of NSFOCUS Security Team
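The report above shows a 4-byte read landing 1 byte past the end of a 168-byte heap region while the stored CRC of an element is being compared. The following is an added example, not code from mkvalidator or libebml2, showing the bounds check that prevents this class of over-read: the 4-byte stored CRC is read only when all four bytes lie inside the element buffer, and only then is it compared against the CRC-32 computed over the covered bytes. It uses the standard IEEE CRC-32 that the EBML specification prescribes for its CRC-32 element; the simplified layout (the CRC value sits at crc_offset inside the buffer, is little-endian, and covers every byte after it), the function names, and the 168-byte sample buffer are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Standard CRC-32 (IEEE 802.3, reflected polynomial 0xEDB88320),
 * bitwise implementation. Check value for "123456789" is 0xCBF43926. */
uint32_t crc32_ieee(const uint8_t *data, size_t len) {
    uint32_t crc = 0xFFFFFFFFu;
    for (size_t i = 0; i < len; i++) {
        crc ^= data[i];
        for (int b = 0; b < 8; b++)
            crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1u)));
    }
    return ~crc;
}

/* Outcome of the hardened check. CRC_TRUNCATED is the case the ASAN
 * report describes: the 4-byte field does not fit in the buffer. */
enum crc_check_result { CRC_MATCH = 0, CRC_MISMATCH = 1, CRC_TRUNCATED = 2 };

/* Hardened comparison: never touch buf[crc_offset .. crc_offset+3]
 * unless that whole range lies inside [buf, buf + buf_len).
 * Assumption (constructed layout): the stored CRC is little-endian and
 * covers every byte that follows the 4-byte field. */
enum crc_check_result crc_matches_checked(const uint8_t *buf, size_t buf_len,
                                          size_t crc_offset) {
    /* Written as a subtraction on the known-large side so it cannot wrap. */
    if (buf_len < 4 || crc_offset > buf_len - 4)
        return CRC_TRUNCATED;

    uint32_t stored = (uint32_t)buf[crc_offset]
                    | (uint32_t)buf[crc_offset + 1] << 8
                    | (uint32_t)buf[crc_offset + 2] << 16
                    | (uint32_t)buf[crc_offset + 3] << 24;

    size_t payload_off = crc_offset + 4;            /* first covered byte */
    uint32_t actual = crc32_ieee(buf + payload_off, buf_len - payload_off);
    return stored == actual ? CRC_MATCH : CRC_MISMATCH;
}

/* Constructed sample: a 168-byte region (the size in the report) filled
 * with a fixed pattern, with a valid CRC of bytes 4..167 written
 * little-endian at offset 0. Returns a pointer to a static buffer. */
#define SAMPLE_LEN 168
static uint8_t g_sample[SAMPLE_LEN];

const uint8_t *build_sample_element(void) {
    for (size_t i = 0; i < SAMPLE_LEN; i++)
        g_sample[i] = (uint8_t)(i * 7 + 3);
    uint32_t crc = crc32_ieee(g_sample + 4, SAMPLE_LEN - 4);
    g_sample[0] = (uint8_t)(crc & 0xFF);
    g_sample[1] = (uint8_t)((crc >> 8) & 0xFF);
    g_sample[2] = (uint8_t)((crc >> 16) & 0xFF);
    g_sample[3] = (uint8_t)((crc >> 24) & 0xFF);
    return g_sample;
}

/* Flips one covered byte of a copy of the sample and re-checks it,
 * to show that the checked path still detects real corruption. */
enum crc_check_result check_after_flip(size_t idx) {
    uint8_t copy[SAMPLE_LEN];
    memcpy(copy, build_sample_element(), SAMPLE_LEN);
    if (idx < SAMPLE_LEN)
        copy[idx] ^= 0x01;
    return crc_matches_checked(copy, SAMPLE_LEN, 0);
}

int main(void) {
    const uint8_t *buf = build_sample_element();
    static const char *names[] = { "match", "mismatch", "truncated" };
    /* Offset 0: the CRC fits and is valid. */
    printf("offset 0   -> %s\n", names[crc_matches_checked(buf, SAMPLE_LEN, 0)]);
    /* Offset 165: bytes 165..168 would be read, one byte past the 168-byte
     * region, which is exactly the over-read shape in the ASAN report. */
    printf("offset 165 -> %s\n", names[crc_matches_checked(buf, SAMPLE_LEN, 165)]);
    printf("flip byte 10 -> %s\n", names[check_after_flip(10)]);
    return 0;
}
```

The point of the check is the order of operations: the length test happens before any byte of the CRC field is dereferenced, so a malformed element whose declared size leaves fewer than 4 bytes for the field is rejected as truncated rather than read past its allocation. Building mkvalidator with AddressSanitizer, as the reporter did, is the practical way to confirm that a parser's CRC path never reaches such a read on fuzzed inputs.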
What's the problem?
location: foundation-source/libebml2/ebmlcrc.c:244
How can we reproduce the issue?
Compile command I use:
reproduce the issue
poc:
tests_76.zip
the details about my environment.