[Bug 775451] New: out of bounds read in gst_tag_freeform_string_to_utf8 / qtdemux_tag_add_str_full
GStreamer (GNOME Bugzilla)
bugzilla at gnome.org
Thu Dec 1 10:40:06 UTC 2016
https://bugzilla.gnome.org/show_bug.cgi?id=775451
Bug ID: 775451
Summary: out of bounds read in gst_tag_freeform_string_to_utf8
/ qtdemux_tag_add_str_full
Classification: Platform
Product: GStreamer
Version: git master
OS: Linux
Status: NEW
Severity: normal
Priority: Normal
Component: gst-plugins-base
Assignee: gstreamer-bugs at lists.freedesktop.org
Reporter: hanno at hboeck.de
QA Contact: gstreamer-bugs at lists.freedesktop.org
GNOME version: ---
Created attachment 341135
--> https://bugzilla.gnome.org/attachment.cgi?id=341135&action=edit
poc file
Note: Based on the stack trace tihs involves both code from gst-plugins-good
and -base, so it may be in the wrong category.
The attached file causes an out of bounds heap memory read. Found with afl,
current gut.
==22354==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x620000072f37 at pc 0x7f6b9579cc89 bp 0x7f6b870610b0 sp 0x7f6b870610a8
READ of size 1 at 0x620000072f37 thread T2 (qtdemux0:sink)
#0 0x7f6b9579cc88 in gst_tag_freeform_string_to_utf8
/f/gstreamer/gst-plugins-base/gst-libs/gst/tag/tags.c:400:22
#1 0x7f6b875d0604 in qtdemux_tag_add_str_full
/f/gstreamer/gst-plugins-good/gst/isomp4/qtdemux.c:11797:11
#2 0x7f6b875ad93d in qtdemux_parse_udta
/f/gstreamer/gst-plugins-good/gst/isomp4/qtdemux.c:12438:9
#3 0x7f6b87574c6e in qtdemux_parse_tree
/f/gstreamer/gst-plugins-good/gst/isomp4/qtdemux.c:12803:5
#4 0x7f6b875658ed in gst_qtdemux_loop_state_header
/f/gstreamer/gst-plugins-good/gst/isomp4/qtdemux.c:4221:7
#5 0x7f6b875658ed in gst_qtdemux_loop
/f/gstreamer/gst-plugins-good/gst/isomp4/qtdemux.c:5753
#6 0x7f6b94d8f5d3 in gst_task_func
/f/gstreamer/gstreamer/gst/gsttask.c:334:5
#7 0x7f6b93f8c627 (/usr/lib64/libglib-2.0.so.0+0x72627)
#8 0x7f6b93f8bc94 (/usr/lib64/libglib-2.0.so.0+0x71c94)
#9 0x7f6b93a08453 in start_thread (/lib64/libpthread.so.0+0x7453)
#10 0x7f6b935385dc in clone (/lib64/libc.so.6+0xe75dc)
AddressSanitizer can not describe address in more detail (wild memory access
suspected).
SUMMARY: AddressSanitizer: heap-buffer-overflow
/f/gstreamer/gst-plugins-base/gst-libs/gst/tag/tags.c:400:22 in
gst_tag_freeform_string_to_utf8
Shadow bytes around the buggy address:
0x0c4080006590: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c40800065a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c40800065b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c40800065c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c40800065d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c40800065e0: fa fa fa fa fa fa[fa]fa fa fa fa fa fa fa fa fa
0x0c40800065f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c4080006600: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c4080006610: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c4080006620: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c4080006630: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
--
You are receiving this mail because:
You are the QA Contact for the bug.
You are the assignee for the bug.
More information about the gstreamer-bugs
mailing list