mkvalidator libebml2/ebmlmaster.c ReadData function null pointer dereference #53

giantbranch opened this issue Sep 22, 2020 · 0 comments
Credit: giantbranch of NSFOCUS Security Team

What's the problem?

The ReadData function in libebml2/ebmlmaster.c in mkvalidator v0.5.2 can cause a denial of service (null pointer dereference and application crash) via a crafted mkv file.

ASAN reports:

$ ./mkvalidator ./tests_73.mkv
..AddressSanitizer:DEADLYSIGNAL
=================================================================
==12818==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000038 (pc 0x000000518f84 bp 0x7ffc70c9fe50 sp 0x7ffc70c9fc20 T0)
==12818==The signal is caused by a READ memory access.
==12818==Hint: address points to the zero page.
    #0 0x518f84 in ReadData /root/debug-fuzz-reslut/mkvalidator/foundation-source/libebml2/ebmlmaster.c:428:9
    #1 0x4c9ab6 in main /root/debug-fuzz-reslut/mkvalidator/foundation-source/mkvalidator/mkvalidator.c:1109:17
    #2 0x7f60ce2c183f in __libc_start_main /build/glibc-e6zv40/glibc-2.23/csu/../csu/libc-start.c:291
    #3 0x41bf58 in _start (/root/reproduce/mkvalidator+0x41bf58)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /root/debug-fuzz-reslut/mkvalidator/foundation-source/libebml2/ebmlmaster.c:428:9 in ReadData
==12818==ABORTING

location: foundation-source/libebml2/ebmlmaster.c:428

How can we reproduce the issue?

Compile command I use:

clang corec/tools/coremake/coremake.c -o coremake && ./coremake gcc_linux_x64

make -C mkvalidator -e CC="clang -g -O2 -fsanitize=address -fsanitize-address-use-after-scope" -e CXX="clang++ -g -O2 -fsanitize=address -fsanitize-address-use-after-scope" -e STRIP=""

Reproduce the issue:

unzip tests_xx.zip
mkvalidator ./tests_xx.mkv

poc:
tests_73.zip

Details about my environment:

  • mkvalidator version:
$ ./mkvalidator --version
mkvalidator v0.5.2, Copyright (c) 2010-2015 Matroska Foundation
	file "--version"
  • Host Operating System and version: Ubuntu 16.04.3 LTS
  • Host CPU architecture: x86_64
  • clang: clang version 11.0.0