[Bug 774834] New: gst-plugins-good / flic decoder: Buffer overflow in flx_decode_delta_fli
GStreamer (GNOME Bugzilla)
bugzilla at gnome.org
Tue Nov 22 11:23:02 UTC 2016
https://bugzilla.gnome.org/show_bug.cgi?id=774834
Bug ID: 774834
Summary: gst-plugins-good / flic decoder: Buffer overflow in
flx_decode_delta_fli
Classification: Platform
Product: GStreamer
Version: git master
OS: Linux
Status: NEW
Severity: normal
Priority: Normal
Component: gst-plugins-good
Assignee: gstreamer-bugs at lists.freedesktop.org
Reporter: hanno at hboeck.de
QA Contact: gstreamer-bugs at lists.freedesktop.org
GNOME version: ---
Created attachment 340511
--> https://bugzilla.gnome.org/attachment.cgi?id=340511&action=edit
crash proof of concept from Chris Evans
I haven't seen a bug report yet and it's unfixed in gstreamer's git code, so
I'm reporting this:
https://scarybeastsecurity.blogspot.dk/2016/11/0day-exploit-advancing-exploitation.html
Chris Evans has written an exploit based on a buffer overflow in the flic
decoder of gst-plugins-good. Here's a stack trace from address sanitizer with
the sample file he provides and the current git head code:
==29835==ERROR: AddressSanitizer: SEGV on unknown address 0x60200003e6ae (pc
0x7fba1667b508 bp 0x7fba184ec770 sp 0x7fba184ec520 T1)
==29835==The signal is caused by a WRITE memory access.
New clock: GstSystemClock
#0 0x7fba1667b507 in flx_decode_delta_fli
/f/gstreamer/gst-plugins-good/gst/flx/gstflxdec.c:375:26
#1 0x7fba1667b507 in flx_decode_chunks
/f/gstreamer/gst-plugins-good/gst/flx/gstflxdec.c:236
#2 0x7fba1667b507 in gst_flxdec_chain
/f/gstreamer/gst-plugins-good/gst/flx/gstflxdec.c:574
#3 0x7fba250e60b7 in gst_pad_chain_data_unchecked
/f/gstreamer/gstreamer/gst/gstpad.c:4206:11
#4 0x7fba250e9887 in gst_pad_push_data
/f/gstreamer/gstreamer/gst/gstpad.c:4458:9
#5 0x7fba250e8eff in gst_pad_push
/f/gstreamer/gstreamer/gst/gstpad.c:4577:9
#6 0x7fba19d33af9 in gst_type_find_element_loop
/f/gstreamer/gstreamer/plugins/elements/gsttypefindelement.c:1180:11
#7 0x7fba251b05c3 in gst_task_func
/f/gstreamer/gstreamer/gst/gsttask.c:334:5
#8 0x7fba244bd867 (/usr/lib64/libglib-2.0.so.0+0x70867)
#9 0x7fba244bced4 (/usr/lib64/libglib-2.0.so.0+0x6fed4)
#10 0x7fba23e2c443 in start_thread (/lib64/libpthread.so.0+0x7443)
#11 0x7fba2395b92c in clone (/lib64/libc.so.6+0xe792c)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV
/f/gstreamer/gst-plugins-good/gst/flx/gstflxdec.c:375:26 in
flx_decode_delta_fli
Thread T1 (typefind:sink) created by T0 here:
#0 0x42e81d in __interceptor_pthread_create
(/usr/bin/gst-launch-1.0+0x42e81d)
#1 0x7fba244daadf (/usr/lib64/libglib-2.0.so.0+0x8dadf)
--
You are receiving this mail because:
You are the QA Contact for the bug.
You are the assignee for the bug.
More information about the gstreamer-bugs
mailing list