[Bug 774896] New: h264 parser: Off by one read in gst_h264_parse_set_caps()

GStreamer (GNOME Bugzilla) bugzilla at gnome.org
Wed Nov 23 08:37:41 UTC 2016


https://bugzilla.gnome.org/show_bug.cgi?id=774896

            Bug ID: 774896
           Summary: h264 parser: Off by one read in
                    gst_h264_parse_set_caps()
    Classification: Platform
           Product: GStreamer
           Version: git master
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: Normal
         Component: gst-plugins-bad
          Assignee: gstreamer-bugs at lists.freedesktop.org
          Reporter: hanno at hboeck.de
        QA Contact: gstreamer-bugs at lists.freedesktop.org
     GNOME version: ---

Created attachment 340578
  --> https://bugzilla.gnome.org/attachment.cgi?id=340578&action=edit
sample poc mkv/h264 file

The attached file will cause an off-by-one out-of-bounds read in the function
gst_h264_parse_set_caps. This doesn't crash GStreamer; you need some kind of
memory-safety tool like AddressSanitizer (or Valgrind) to see this bug.

Affects current git code, found with AFL.

Stack trace from AddressSanitizer:
==5418==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60400001dfbd
at pc 0x7f67a1f7deac bp 0x7f67a320a8d0 sp 0x7f67a320a8c8
READ of size 1 at 0x60400001dfbd thread T3 (matroskademux0:)
    #0 0x7f67a1f7deab in gst_h264_parse_set_caps
/f/gstreamer/gst-plugins-bad/gst/videoparsers/gsth264parse.c:2586:15
    #1 0x7f67a6a1f5ed in gst_base_parse_sink_event_default
/f/gstreamer/gstreamer/libs/gst/base/gstbaseparse.c:1186:15
    #2 0x7f67a1f7eb48 in gst_h264_parse_event
/f/gstreamer/gst-plugins-bad/gst/videoparsers/gsth264parse.c:2801:13
    #3 0x7f67b219371a in gst_pad_send_event_unchecked
/f/gstreamer/gstreamer/gst/gstpad.c:5609:14
    #4 0x7f67b21713dd in gst_pad_send_event
/f/gstreamer/gstreamer/gst/gstpad.c:5779:7
    #5 0x7f67a6612c3d in send_sticky_event
/f/gstreamer/gst-plugins-base/gst/playback/gstdecodebin2.c:1961:9
    #6 0x7f67b2196419 in foreach_dispatch_function
/f/gstreamer/gstreamer/gst/gstpad.c:5878:11
    #7 0x7f67b217ad64 in events_foreach
/f/gstreamer/gstreamer/gst/gstpad.c:603:11
    #8 0x7f67b2196225 in gst_pad_sticky_events_foreach
/f/gstreamer/gstreamer/gst/gstpad.c:5909:3
    #9 0x7f67a65fe9fe in send_sticky_events
/f/gstreamer/gst-plugins-base/gst/playback/gstdecodebin2.c:1976:3
    #10 0x7f67a65fe9fe in connect_pad
/f/gstreamer/gst-plugins-base/gst/playback/gstdecodebin2.c:2496
    #11 0x7f67a65fe9fe in analyze_new_pad
/f/gstreamer/gst-plugins-base/gst/playback/gstdecodebin2.c:1791
    #12 0x7f67a6610b90 in pad_added_cb
/f/gstreamer/gst-plugins-base/gst/playback/gstdecodebin2.c:2929:7
    #13 0x7f67b1a0e276 in g_cclosure_marshal_VOID__OBJECTv
(/usr/lib64/libgobject-2.0.so.0+0x13276)
    #14 0x7f67b1a0b203  (/usr/lib64/libgobject-2.0.so.0+0x10203)
    #15 0x7f67b1a256b6 in g_signal_emit_valist
(/usr/lib64/libgobject-2.0.so.0+0x2a6b6)
    #16 0x7f67b1a26026 in g_signal_emit
(/usr/lib64/libgobject-2.0.so.0+0x2b026)
    #17 0x7f67b21047cb in gst_element_add_pad
/f/gstreamer/gstreamer/gst/gstelement.c:713:3
    #18 0x7f67a36ce46b in gst_matroska_demux_add_stream
/f/gstreamer/gst-plugins-good/gst/matroska/matroska-demux.c:1350:3
    #19 0x7f67a36b00e6 in gst_matroska_demux_parse_tracks
/f/gstreamer/gst-plugins-good/gst/matroska/matroska-demux.c:2520:15
    #20 0x7f67a36b00e6 in gst_matroska_demux_parse_id
/f/gstreamer/gst-plugins-good/gst/matroska/matroska-demux.c:4422
    #21 0x7f67a36dc386 in gst_matroska_demux_parse_contents_seekentry
/f/gstreamer/gst-plugins-good/gst/matroska/matroska-demux.c:4042:15
    #22 0x7f67a36af8b7 in gst_matroska_demux_parse_contents
/f/gstreamer/gst-plugins-good/gst/matroska/matroska-demux.c:4091:15
    #23 0x7f67a36af8b7 in gst_matroska_demux_parse_id
/f/gstreamer/gst-plugins-good/gst/matroska/matroska-demux.c:4544
    #24 0x7f67a36a7f2a in gst_matroska_demux_loop
/f/gstreamer/gst-plugins-good/gst/matroska/matroska-demux.c:4683:9
    #25 0x7f67b224a5c3 in gst_task_func
/f/gstreamer/gstreamer/gst/gsttask.c:334:5
    #26 0x7f67b1557867  (/usr/lib64/libglib-2.0.so.0+0x70867)
    #27 0x7f67b1556ed4  (/usr/lib64/libglib-2.0.so.0+0x6fed4)
    #28 0x7f67b0ec6443 in start_thread (/lib64/libpthread.so.0+0x7443)
    #29 0x7f67b09f592c in clone (/lib64/libc.so.6+0xe792c)

0x60400001dfbd is located 0 bytes to the right of 45-byte region
[0x60400001df90,0x60400001dfbd)
allocated by thread T3 (matroskademux0:) here:
    #0 0x4d53d8 in malloc (/usr/bin/gst-launch-1.0+0x4d53d8)
    #1 0x7f67b15363a8 in g_malloc (/usr/lib64/libglib-2.0.so.0+0x4f3a8)

Thread T3 (matroskademux0:) created by T1 (typefind:sink) here:
    #0 0x42e81d in __interceptor_pthread_create
(/usr/bin/gst-launch-1.0+0x42e81d)
    #1 0x7f67b1574adf  (/usr/lib64/libglib-2.0.so.0+0x8dadf)

Thread T1 (typefind:sink) created by T0 here:
    #0 0x42e81d in __interceptor_pthread_create
(/usr/bin/gst-launch-1.0+0x42e81d)
    #1 0x7f67b1574adf  (/usr/lib64/libglib-2.0.so.0+0x8dadf)

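As an added illustration (not GStreamer's code and not the fix applied to this bug), the kind of check that prevents the read reported above: every count and length byte of an avcC-style codec_data record is tested against the bytes remaining before it is read, so a record that ends right after its last SPS is rejected rather than read one byte past its end. The layout assumed (5-byte fixed header, 5-bit numSPS, 2-byte big-endian NAL lengths, then numPPS) is the AVCDecoderConfigurationRecord; the sample byte arrays are constructed.

```c
/* Added example (not GStreamer's code): a bounds-checked walk over an
 * avcC codec_data record, the format gst_h264_parse_set_caps() reads.
 * Each read is guarded by the bytes remaining, so a record that ends
 * right after its last SPS is rejected instead of read one byte past. */
#include <stddef.h>
#include <stdint.h>

/* Walks the SPS list then the PPS list. Returns the total number of
 * parameter sets, or -1 if the record is malformed or truncated. */
static int avcc_count_param_sets(const uint8_t *data, size_t size)
{
  size_t off = 5;          /* byte 5 holds reserved bits + numSPS */
  unsigned lists, count = 0;

  if (size < 6 || data[0] != 1) /* configurationVersion must be 1 */
    return -1;
  for (lists = 0; lists < 2; lists++) {
    unsigned n, i;
    /* The count byte must itself lie inside the buffer: when off == size
     * an unchecked data[off] is exactly a one-byte read past the end. */
    if (off >= size)
      return -1;
    n = data[off++];
    if (lists == 0)
      n &= 0x1f;           /* numOfSequenceParameterSets uses 5 bits */
    for (i = 0; i < n; i++) {
      size_t len;
      if (size - off < 2)  /* 2-byte big-endian NAL length field */
        return -1;
      len = ((size_t) data[off] << 8) | data[off + 1];
      off += 2;
      if (len == 0 || size - off < len) /* NAL payload must fit */
        return -1;
      off += len;
      count++;
    }
  }
  return (int) count;
}

/* Constructed samples: a minimal record with one SPS and one PPS, and the
 * same record cut off right after the SPS so the numPPS byte is missing. */
static const uint8_t avcc_ok[] = {
  1, 0x42, 0xc0, 0x1e, 0xff, 0xe1, 0x00, 0x03, 0x67, 0x42, 0xc0,
  0x01, 0x00, 0x02, 0x68, 0xce
};
static const uint8_t avcc_truncated[] = {
  1, 0x42, 0xc0, 0x1e, 0xff, 0xe1, 0x00, 0x03, 0x67, 0x42, 0xc0
};
```

avcc_count_param_sets(avcc_ok, sizeof avcc_ok) returns 2, while on avcc_truncated it returns -1 at the point where an unchecked parser would read the absent numPPS byte one past the buffer.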