
mkvalidator libmatroska2/matroskamain.c MATROSKA_LinkBlockWithReadTracks function null pointer dereference #51

Open
giantbranch opened this issue Sep 22, 2020 · 0 comments

Comments

@giantbranch

Credit: giantbranch of NSFOCUS Security Team

What's the problem?

The MATROSKA_LinkBlockWithReadTracks function in libmatroska2/matroskamain.c in mkvalidator v0.5.2 can cause a denial of service (Null pointer dereference and application crash) via a crafted mkv file.

ASAN reports:

$ ./mkvalidator ./tests_71.mkv
ERR007: The EBML max size length is not supported: -2130427149
ERR200: Missing element 'WritingApp' in Info at 45
WRN080: Unknown element [73][C5] at 112 size 1
WRN080: Unknown element [83] at 116 size 1
WRN080: Unknown element [9C] at 119 size 1
WRN080: Unknown element [86] at 122 size 15
WRN080: Unknown element [63][A2] at 139 size 43
WRN080: Unknown element [E0] at 185 size 22
WRN801: The segment has no SeekHead section
.AddressSanitizer:DEADLYSIGNAL
=================================================================
==12631==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000028 (pc 0x0000004d0f93 bp 0x7ffda33b1c10 sp 0x7ffda33b1b40 T0)
==12631==The signal is caused by a READ memory access.
==12631==Hint: address points to the zero page.
    #0 0x4d0f93 in MATROSKA_LinkBlockWithReadTracks /root/debug-fuzz-reslut/mkvalidator/foundation-source/libmatroska2/matroskamain.c
    #1 0x4d5608 in MATROSKA_LinkClusterBlocks /root/debug-fuzz-reslut/mkvalidator/foundation-source/libmatroska2/matroskamain.c:852:8
    #2 0x4cb41e in LinkClusterBlocks /root/debug-fuzz-reslut/mkvalidator/foundation-source/mkvalidator/mkvalidator.c:585:3
    #3 0x4cb41e in main /root/debug-fuzz-reslut/mkvalidator/foundation-source/mkvalidator/mkvalidator.c:1352:3
    #4 0x7f628613c83f in __libc_start_main /build/glibc-e6zv40/glibc-2.23/csu/../csu/libc-start.c:291
    #5 0x41bf58 in _start (/root/reproduce/mkvalidator+0x41bf58)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /root/debug-fuzz-reslut/mkvalidator/foundation-source/libmatroska2/matroskamain.c in MATROSKA_LinkBlockWithReadTracks
==12631==ABORTING

location: foundation-source/libmatroska2/matroskamain.c:220

RTrackInfo is initialized to NULL, because it is referenced in the MATROSKA_LinkBlockWithReadTracks function of matroskamain.c without assigning a value to RTrackInfo.

How can we reproduce the issue?

Compile command I use:

clang corec/tools/coremake/coremake.c -o coremake && ./coremake gcc_linux_x64

make -C mkvalidator -e CC="clang -g -O2 -fsanitize=address -fsanitize-address-use-after-scope" -e CXX="clang++ -g -O2 -fsanitize=address -fsanitize-address-use-after-scope" -e STRIP=""

Reproduce the issue:

unzip tests_xx.zip
mkvalidator ./tests_xx.mkv

PoC:
tests_71.zip

The details about my environment:

  • mkvalidator version:
$ ./mkvalidator --version
mkvalidator v0.5.2, Copyright (c) 2010-2015 Matroska Foundation
	file "--version"
  • Host Operating System and version: Ubuntu 16.04.3 LTS
  • Host CPU architecture: x86_64
  • clang: clang version 11.0.0
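As an added example (not libmatroska2's code, names are hypothetical): a constructed model of the block-to-track link in which the lookup pointer starts NULL and stays NULL when a crafted file references a track that does not exist, and the check that turns that case into an error return instead of a zero-page read.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed model of linking a block to its track: hypothetical types,
 * not the structures used in matroskamain.c. */
typedef struct { uint16_t number; } track_info;
typedef struct { uint16_t track_number; const track_info *linked; } block_info;

/* Returns NULL when no track carries this number, which a malformed or
 * crafted file can provoke; the caller must not assume success. */
static const track_info *find_track(const track_info *tracks, size_t n, uint16_t num) {
    for (size_t i = 0; i < n; ++i)
        if (tracks[i].number == num)
            return &tracks[i];
    return NULL;
}

/* Hardened link step: 0 on success, -1 when the track is missing. The
 * crash path in the report is the same flow without the NULL check, where
 * the still-NULL pointer is dereferenced and ASAN reports a zero-page SEGV. */
int link_block_with_tracks(block_info *blk, const track_info *tracks, size_t n) {
    const track_info *info = NULL;   /* starts NULL, as RTrackInfo does in the report */
    info = find_track(tracks, n, blk->track_number);
    if (info == NULL) {              /* the missing check: reject, do not dereference */
        blk->linked = NULL;
        return -1;
    }
    blk->linked = info;
    return 0;
}

/* Self-check on constructed input: tracks 1 and 2; a block for track 2 links,
 * a block for track 7 is rejected. Returns 0 when both cases behave as intended. */
int demo(void) {
    track_info tracks[2] = {{1}, {2}};
    block_info ok = {2, NULL}, bad = {7, NULL};
    if (link_block_with_tracks(&ok, tracks, 2) != 0 || ok.linked != &tracks[1]) return 1;
    if (link_block_with_tracks(&bad, tracks, 2) != -1 || bad.linked != NULL) return 2;
    return 0;
}
```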