Opened 5 years ago / Closed 4 years ago / Last modified 4 years ago

#2361 closed defect (fixed)

Heap memory corruption in libmpdemux/ebml.c

Reported by: Taolaw
Owned by: Taolaw
Priority: normal
Component: demuxer
Version: unspecified
Severity: blocker
Keywords:
Cc:
Blocked By:
Blocking:
Reproduced by developer: yes
Analyzed by developer: no

Description

Summary of the bug: Heap memory corruption in libmpdemux/ebml.c
How to reproduce:

At line 222 of ebml.c, when the heap allocation fails it returns NULL into the str variable, and the subsequent assignment through str then results in a memory access violation.

```
    str = malloc(len + 1);                      /* return value is never checked for NULL */
    if (stream_read(s, str, len) != (int) len) {
        free(str);
        return NULL;
    }
    str[len] = '\0';                            /* the store that faults in the trace below */
```

gdb-peda$ r -ao null -vo null Heap-memory-corruption2 
Starting program: /root/tmp/result/mplayer -ao null -vo null Heap-memory-corruption2
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
MPlayer 1.4-8 (C) 2000-2019 MPlayer Team

Playing Heap-memory-corruption2.
libavformat version 58.27.102 (internal)

Program received signal SIGSEGV, Segmentation fault.
[----------------------------------registers-----------------------------------]
RAX: 0x0 
RBX: 0x7fffffffcc48 --> 0xffffffffffffff05 
RCX: 0x0 
RDX: 0x0 
RSI: 0xc1000 
RDI: 0xffffffffffffff10 
RBP: 0xffffffffffffff00 
RSP: 0x7fffffffcbe0 --> 0x555556d354a0 --> 0x55555643c080 --> 0x555556163dc2 ("Matroska demuxer")
RIP: 0x555555784de0 (<ebml_read_ascii+256>:	mov    BYTE PTR [r13+rbp*1+0x0],0x0)
R8 : 0x1 
R9 : 0x76 ('v')
R10: 0xfffffffffffff000 
R11: 0x555556dc6000 
R12: 0xffffff00 
R13: 0x0 
R14: 0xffffffff 
R15: 0x555556d33400 --> 0x55555578f9a0 (<fill_buffer>:	push   rbp)
EFLAGS: 0x10286 (carry PARITY adjust zero SIGN trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x555555784dd1 <ebml_read_ascii+241>:	mov    r8d,DWORD PTR [rsp]
   0x555555784dd5 <ebml_read_ascii+245>:	jmp    0x555555784d44 <ebml_read_ascii+100>
   0x555555784dda <ebml_read_ascii+250>:	nop    WORD PTR [rax+rax*1+0x0]
=> 0x555555784de0 <ebml_read_ascii+256>:	mov    BYTE PTR [r13+rbp*1+0x0],0x0
   0x555555784de6 <ebml_read_ascii+262>:	add    rsp,0x28
   0x555555784dea <ebml_read_ascii+266>:	pop    rbx
   0x555555784deb <ebml_read_ascii+267>:	pop    rbp
   0x555555784dec <ebml_read_ascii+268>:	pop    r12
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffcbe0 --> 0x555556d354a0 --> 0x55555643c080 --> 0x555556163dc2 ("Matroska demuxer")
0008| 0x7fffffffcbe8 --> 0x1a45dfa3 
0016| 0x7fffffffcbf0 --> 0x555556d33400 --> 0x55555578f9a0 (<fill_buffer>:	push   rbp)
0024| 0x7fffffffcbf8 --> 0x5ffffcc40 
0032| 0x7fffffffcc00 --> 0x7fffffffcd5c --> 0x56d1751000000001 
0040| 0x7fffffffcc08 --> 0x555556d33400 --> 0x55555578f9a0 (<fill_buffer>:	push   rbp)
0048| 0x7fffffffcc10 --> 0x7fffffffcc48 --> 0xffffffffffffff05 
0056| 0x7fffffffcc18 --> 0x0 
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
ebml_read_ascii (s=s@entry=0x555556d33400, length=length@entry=0x7fffffffcc48)
    at libmpdemux/ebml.c:227
227	    str[len] = '\0';

gdb-peda$ bt
#0  ebml_read_ascii (s=s@entry=0x555556d33400, length=length@entry=0x7fffffffcc48)
    at libmpdemux/ebml.c:227
#1  0x0000555555785113 in ebml_read_header (s=s@entry=0x555556d33400, 
    version=version@entry=0x7fffffffcd5c) at libmpdemux/ebml.c:327
#2  0x000055555574bc21 in demux_mkv_open (demuxer=0x555556d354a0) at libmpdemux/demux_mkv.c:2024
#3  0x000055555573542d in demux_open_stream (stream=stream@entry=0x555556d33400, 
    file_format=file_format@entry=0x0, force=force@entry=0x0, audio_id=0xffffffff, 
    video_id=video_id@entry=0xffffffff, dvdsub_id=0xffffffff, 
    filename=0x555556d17510 "Heap-memory-corruption2") at libmpdemux/demuxer.c:1113
#4  0x0000555555735e84 in demux_open (vs=0x555556d33400, file_format=0x0, audio_id=0xffffffff, 
    video_id=0xffffffff, dvdsub_id=0xffffffff, filename=0x555556d17510 "Heap-memory-corruption2")
    at libmpdemux/demuxer.c:1295
#5  0x000055555569d4b6 in main (argc=<optimized out>, argc@entry=0x6, argv=<optimized out>, 
    argv@entry=0x7fffffffe088) at mplayer.c:3387
#6  0x00007ffff777d09b in __libc_start_main (main=0x55555569c580 <main>, argc=0x6, 
    argv=0x7fffffffe088, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, 
    stack_end=0x7fffffffe078) at ../csu/libc-start.c:308
#7  0x00005555556a0c3a in _start () at mplayer.c:2242

Patches should be submitted to the mplayer-dev-eng mailing list and not this bug tracker.
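The following is an added example, not code from the MPlayer tree or from this ticket. It replays the failure the trace above shows (len in rbp = 0xffffffffffffff00, str in r13 = 0, fault on the store at `str[len] = '\0'`) against a hypothetical in-memory stream, and places beside it a hardened reader that bounds len before it reaches malloc() and the (int) cast, and checks the allocation. The mem_stream_t type, mem_stream_read(), EBML_MAX_ASCII_LEN, the case drivers and the sample bytes are all assumptions made here; the project's actual fix in r38220 is not reproduced.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* In-memory stand-in for MPlayer's stream_t (hypothetical; not the project's type). */
typedef struct {
    const char *data;
    size_t size;
    size_t pos;
} mem_stream_t;

/* Stand-in for stream_read(): copies up to `total` bytes and returns how many
   were copied. ASSUMPTION: a non-positive `total` is returned unchanged without
   touching `mem`. That is the only way the original `!= (int) len` test can be
   satisfied once a 64-bit len of 0xffffffffffffff00 has been cast to -256 (r12
   holds 0xffffff00 in the trace), which is what lets execution reach the store. */
static int mem_stream_read(mem_stream_t *s, char *mem, int total)
{
    size_t left, n;
    if (total <= 0)
        return total;
    left = s->size - s->pos;
    n = (size_t)total < left ? (size_t)total : left;
    memcpy(mem, s->data + s->pos, n);
    s->pos += n;
    return (int)n;
}

/* Hypothetical cap on an ASCII element; any bound the format justifies works.
   What matters is that len is rejected before malloc() and before the int cast. */
#define EBML_MAX_ASCII_LEN 0x10000u

/* Hardened reader: bounded length, checked allocation, checked read. */
char *read_ascii_checked(mem_stream_t *s, uint64_t len)
{
    char *str;
    if (len > EBML_MAX_ASCII_LEN)      /* also rules out len + 1 wrapping to 0 */
        return NULL;
    str = malloc((size_t)len + 1);
    if (!str)                          /* the check the ticket's snippet lacks */
        return NULL;
    if (mem_stream_read(s, str, (int)len) != (int)len) {
        free(str);
        return NULL;
    }
    str[len] = '\0';
    return str;
}

/* Replays the original snippet's decision path without performing the final
   store. Returns 1 when the original would execute str[len] = '\0' with str == NULL. */
int original_path_writes_through_null(mem_stream_t *s, uint64_t len)
{
    char *str = malloc(len + 1);                 /* NULL for an absurd size */
    int read_matches = mem_stream_read(s, str, (int)len) == (int)len;
    int hits_null = (str == NULL) && read_matches;
    free(str);
    return hits_null;
}

/* Case drivers over constructed sample bytes ("Matroska", taken from the
   string visible in the trace), so each outcome is a plain return value. */
static mem_stream_t sample_stream(void)
{
    static const char sample[] = "Matroska";     /* constructed input */
    mem_stream_t s = { sample, 8, 0 };
    return s;
}

int case_valid_string(void)
{
    mem_stream_t s = sample_stream();
    char *r = read_ascii_checked(&s, 8);
    int ok = r != NULL && strcmp(r, "Matroska") == 0;
    free(r);
    return ok;
}

int case_truncated_input(void)                   /* len longer than the data */
{
    mem_stream_t s = sample_stream();
    return read_ascii_checked(&s, 20) == NULL;
}

int case_huge_length_hardened(void)              /* the len from the trace */
{
    volatile uint64_t huge = 0xffffffffffffff00ULL;
    mem_stream_t s = sample_stream();
    return read_ascii_checked(&s, huge) == NULL;
}

int case_huge_length_original(void)              /* same len, original logic */
{
    volatile uint64_t huge = 0xffffffffffffff00ULL;
    mem_stream_t s = sample_stream();
    return original_path_writes_through_null(&s, huge);
}

int main(void)
{
    printf("valid=%d truncated=%d huge_hardened=%d huge_original_hits_null=%d\n",
           case_valid_string(), case_truncated_input(),
           case_huge_length_hardened(), case_huge_length_original());
    return 0;
}
```

The point of bounding len first rather than only testing the malloc() result is that a length of 0xffffffffffffff00 is a parser-input problem, not an out-of-memory condition: even with the NULL check added, a length that survives to `(int)len` can still be truncated or go negative, so the two checks belong together.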

Attachments (1)

Heap-memory-corruption2 (10 bytes ) - added by Taolaw 5 years ago.


Change History (4)

by Taolaw, 5 years ago

Attachment: Heap-memory-corruption2 added

comment:1 by reimar, 4 years ago

Reproduced by developer: set

I think nobody got a notification email about these since they ended up with you as owner?
Anyway I think patches for all of your reports are now on the mailing list.
Thanks for your effort.

comment:2 by reimar, 4 years ago

Resolution: fixed
Status: new -> closed

comment:3 by reimar, 4 years ago

Fixed in r38220
