[Bug 774834] New: gst-plugins-good / flic decoder: Buffer overflow in flx_decode_delta_fli

GStreamer (GNOME Bugzilla) bugzilla at gnome.org
Tue Nov 22 11:23:02 UTC 2016


https://bugzilla.gnome.org/show_bug.cgi?id=774834

            Bug ID: 774834
           Summary: gst-plugins-good / flic decoder: Buffer overflow in
                    flx_decode_delta_fli
    Classification: Platform
           Product: GStreamer
           Version: git master
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: Normal
         Component: gst-plugins-good
          Assignee: gstreamer-bugs at lists.freedesktop.org
          Reporter: hanno at hboeck.de
        QA Contact: gstreamer-bugs at lists.freedesktop.org
     GNOME version: ---

Created attachment 340511
  --> https://bugzilla.gnome.org/attachment.cgi?id=340511&action=edit
crash proof of concept from Chris Evans

I haven't seen a bug report yet and it's unfixed in gstreamer's git code, so
I'm reporting this:
https://scarybeastsecurity.blogspot.dk/2016/11/0day-exploit-advancing-exploitation.html

Chris Evans has written an exploit based on a buffer overflow in the flic
decoder of gst-plugins-good. Here's a stack trace from AddressSanitizer with
the sample file he provides and the current git head code:

==29835==ERROR: AddressSanitizer: SEGV on unknown address 0x60200003e6ae (pc 0x7fba1667b508 bp 0x7fba184ec770 sp 0x7fba184ec520 T1)
==29835==The signal is caused by a WRITE memory access.
New clock: GstSystemClock
    #0 0x7fba1667b507 in flx_decode_delta_fli /f/gstreamer/gst-plugins-good/gst/flx/gstflxdec.c:375:26
    #1 0x7fba1667b507 in flx_decode_chunks /f/gstreamer/gst-plugins-good/gst/flx/gstflxdec.c:236
    #2 0x7fba1667b507 in gst_flxdec_chain /f/gstreamer/gst-plugins-good/gst/flx/gstflxdec.c:574
    #3 0x7fba250e60b7 in gst_pad_chain_data_unchecked /f/gstreamer/gstreamer/gst/gstpad.c:4206:11
    #4 0x7fba250e9887 in gst_pad_push_data /f/gstreamer/gstreamer/gst/gstpad.c:4458:9
    #5 0x7fba250e8eff in gst_pad_push /f/gstreamer/gstreamer/gst/gstpad.c:4577:9
    #6 0x7fba19d33af9 in gst_type_find_element_loop /f/gstreamer/gstreamer/plugins/elements/gsttypefindelement.c:1180:11
    #7 0x7fba251b05c3 in gst_task_func /f/gstreamer/gstreamer/gst/gsttask.c:334:5
    #8 0x7fba244bd867  (/usr/lib64/libglib-2.0.so.0+0x70867)
    #9 0x7fba244bced4  (/usr/lib64/libglib-2.0.so.0+0x6fed4)
    #10 0x7fba23e2c443 in start_thread (/lib64/libpthread.so.0+0x7443)
    #11 0x7fba2395b92c in clone (/lib64/libc.so.6+0xe792c)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /f/gstreamer/gst-plugins-good/gst/flx/gstflxdec.c:375:26 in flx_decode_delta_fli
Thread T1 (typefind:sink) created by T0 here:
    #0 0x42e81d in __interceptor_pthread_create (/usr/bin/gst-launch-1.0+0x42e81d)
    #1 0x7fba244daadf  (/usr/lib64/libglib-2.0.so.0+0x8dadf)

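The frame in the trace above is the decoder's handling of the FLI delta chunk. As an added example, not code from the GStreamer tree or from the report, here is a bounds-checked decoder for that chunk layout (start row, row count, per-row packet count, then skip/size packets carrying a literal run for positive sizes or a replicated byte for negative ones, as in the FLI_LC format), with constructed sample chunks; the function names are mine.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Decode one delta-FLI chunk body into a width*height 8-bit frame. Every
 * read is checked against chunk_len and every write against the frame, so
 * a crafted chunk is rejected instead of overrunning the destination.
 * Returns false on any out-of-bounds read or write. */
bool decode_delta_fli(const uint8_t *chunk, size_t chunk_len,
                      uint8_t *frame, size_t width, size_t height)
{
    if (chunk_len < 4) return false;
    size_t start = chunk[0] | (chunk[1] << 8);   /* first row to change (LE u16) */
    size_t lines = chunk[2] | (chunk[3] << 8);   /* number of rows that follow */
    size_t in = 4;
    if (start + lines > height) return false;    /* rows outside the frame */
    for (size_t row = start; row < start + lines; row++) {
        if (in >= chunk_len) return false;
        uint8_t packets = chunk[in++];
        size_t x = 0;                            /* column within this row */
        while (packets--) {
            if (in + 2 > chunk_len) return false;
            x += chunk[in++];                    /* skip count */
            int8_t count = (int8_t)chunk[in++];  /* >0 literal, <0 replicate */
            if (count > 0) {
                size_t n = (size_t)count;
                if (x + n > width || in + n > chunk_len) return false;
                memcpy(frame + row * width + x, chunk + in, n);
                in += n; x += n;
            } else if (count < 0) {
                size_t n = (size_t)(-count);
                if (x + n > width || in >= chunk_len) return false;
                memset(frame + row * width + x, chunk[in++], n);
                x += n;
            }
        }
    }
    return true;
}
/* Constructed sample chunks for a 4x2 frame (not the attached PoC). */
static const uint8_t GOOD_CHUNK[] = {1,0, 1,0, 2, 1,2,0xAA,0xBB, 0,0xFF,0xCC};
static const uint8_t BAD_CHUNK[]  = {0,0, 1,0, 1, 0,0x9C,0x41};  /* 100-byte run into a 4-wide row */
/* True if the good chunk decodes as expected and the oversized run is rejected untouched. */
bool check_samples(void)
{
    uint8_t frame[8] = {0}, expect[8] = {0,0,0,0, 0,0xAA,0xBB,0xCC};
    if (!decode_delta_fli(GOOD_CHUNK, sizeof GOOD_CHUNK, frame, 4, 2) || memcmp(frame, expect, 8)) return false;
    return !decode_delta_fli(BAD_CHUNK, sizeof BAD_CHUNK, frame, 4, 2) && frame[0] == 0;
}
```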