mkvalidator libebml2/ebmlmain.c EBML_ReadCodedSizeValue function heap buffer overflow read #55

Open
giantbranch opened this issue Sep 22, 2020 · 0 comments

Credit: giantbranch of NSFOCUS Security Team

What's the problem?

A heap buffer overflow read in libebml2/ebmlmain.c EBML_ReadCodedSizeValue function in mkvalidator v0.5.2.

ASAN reports:

$ ./mkvalidator ./tests_84.mkv
WRN00C: Unknown element in TrackEntry [63][8C] at 4367 (size 38 total 41)
ERR201: Invalid 'FlagEnabled' for profile 'matroska v1' in TrackEntry at 4305
ERR201: Invalid 'CodecDecodeAll' for profile 'matroska v1' in TrackEntry at 4305
ERR201: Invalid 'FlagInterlaced' for profile 'matroska v1' in Video at 4436
ERR201: Invalid 'FlagEnabled' for profile 'matroska v1' in TrackEntry at 4459
ERR201: Invalid 'CodecDecodeAll' for profile 'matroska v1' in TrackEntry at 4459
ERR200: Missing element 'FileUID' in AttachedFile at 6198
WRN080: Unknown element [46][AE] at 45257 size 4
..=================================================================
==12845==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x603000001408 at pc 0x000000513121 bp 0x7fffc6d498f0 sp 0x7fffc6d498e8
READ of size 1 at 0x603000001408 thread T0
    #0 0x513120 in EBML_ReadCodedSizeValue /root/debug-fuzz-reslut/mkvalidator/foundation-source/libebml2/ebmlmain.c:139:7
    #1 0x513120 in EBML_ReadCodedSizeSignedValue /root/debug-fuzz-reslut/mkvalidator/foundation-source/libebml2/ebmlmain.c:172:21
    #2 0x4da9a2 in ReadBlockData /root/debug-fuzz-reslut/mkvalidator/foundation-source/libmatroska2/matroskamain.c:1470:27
    #3 0x5186eb in ReadData /root/debug-fuzz-reslut/mkvalidator/foundation-source/libebml2/ebmlmaster.c:331:21
    #4 0x5186eb in ReadData /root/debug-fuzz-reslut/mkvalidator/foundation-source/libebml2/ebmlmaster.c:331:21
    #5 0x4c980c in main /root/debug-fuzz-reslut/mkvalidator/foundation-source/mkvalidator/mkvalidator.c:1063:17
    #6 0x7f034c30a83f in __libc_start_main /build/glibc-e6zv40/glibc-2.23/csu/../csu/libc-start.c:291
    #7 0x41bf58 in _start (/root/reproduce/mkvalidator+0x41bf58)

0x603000001408 is located 0 bytes to the right of 24-byte region [0x6030000013f0,0x603000001408)
allocated by thread T0 here:
    #0 0x495dcd in malloc (/root/reproduce/mkvalidator+0x495dcd)
    #1 0x4da87a in ReadBlockData /root/debug-fuzz-reslut/mkvalidator/foundation-source/libmatroska2/matroskamain.c:1458:23
    #2 0x5186eb in ReadData /root/debug-fuzz-reslut/mkvalidator/foundation-source/libebml2/ebmlmaster.c:331:21
    #3 0x5186eb in ReadData /root/debug-fuzz-reslut/mkvalidator/foundation-source/libebml2/ebmlmaster.c:331:21
    #4 0x4c980c in main /root/debug-fuzz-reslut/mkvalidator/foundation-source/mkvalidator/mkvalidator.c:1063:17
    #5 0x7f034c30a83f in __libc_start_main /build/glibc-e6zv40/glibc-2.23/csu/../csu/libc-start.c:291

SUMMARY: AddressSanitizer: heap-buffer-overflow /root/debug-fuzz-reslut/mkvalidator/foundation-source/libebml2/ebmlmain.c:139:7 in EBML_ReadCodedSizeValue
Shadow bytes around the buggy address:
  0x0c067fff8230: 00 00 00 00 fa fa 00 00 00 00 fa fa 00 00 00 00
  0x0c067fff8240: fa fa 00 00 00 00 fa fa 00 00 00 00 fa fa 00 00
  0x0c067fff8250: 00 00 fa fa 00 00 00 00 fa fa 00 00 00 00 fa fa
  0x0c067fff8260: 00 00 00 00 fa fa 00 00 00 00 fa fa 00 00 00 00
  0x0c067fff8270: fa fa 00 00 00 00 fa fa 00 00 00 00 fa fa 00 00
=>0x0c067fff8280: 00[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff8290: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff82a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff82b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff82c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff82d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==12845==ABORTING

location: foundation-source/libebml2/ebmlmain.c:139

How can we reproduce the issue?

Compile command I use:

clang corec/tools/coremake/coremake.c -o coremake && ./coremake gcc_linux_x64

make -C mkvalidator -e CC="clang -g -O2 -fsanitize=address -fsanitize-address-use-after-scope" -e CXX="clang++ -g -O2 -fsanitize=address -fsanitize-address-use-after-scope" -e STRIP=""

Reproduce the issue:

unzip tests_xx.zip
mkvalidator ./tests_xx.mkv

PoC:
tests_84.zip

The details about my environment:

  • mkvalidator version:
$ ./mkvalidator --version
mkvalidator v0.5.2, Copyright (c) 2010-2015 Matroska Foundation
	file "--version"
  • Host Operating System and version: Ubuntu 16.04.3 LTS
  • Host CPU architecture: x86_64
  • clang: clang version 11.0.0
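The ASan trace above shows a one-byte READ exactly at the end of a 24-byte heap region while decoding an EBML coded size, i.e. the variable-length integer that prefixes every EBML element (and the Block header fields parsed by ReadBlockData). The class of defect is a size decoder that trusts the width announced by the first byte without checking that those bytes still lie inside the buffer. The following is an added example, not mkvalidator's or libebml2's code: a bounds-checked decoder for that integer format, with a constructed 24-byte block whose last byte announces a two-byte field, the shape that would trip the reported read. The function names and sample bytes are assumptions for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Bounds-checked decoder for an EBML variable-length integer ("coded size").
 * Format: the number of leading zero bits in the first byte gives the total
 * width in bytes (1..8); the remaining bits of the first byte followed by the
 * next width-1 bytes, big-endian, form the value.
 *
 * Returns the number of bytes consumed (1..8), or 0 when the input is empty,
 * the first byte carries no marker bit, or the declared width runs past len.
 * Hypothetical helper, not the libebml2 function named in the report.
 */
size_t ebml_read_coded_size(const uint8_t *buf, size_t len, uint64_t *out)
{
    if (buf == NULL || len == 0)
        return 0;

    uint8_t first = buf[0];
    if (first == 0)
        return 0;               /* would need more than 8 bytes: invalid */

    size_t width = 1;
    uint8_t marker = 0x80;
    while ((first & marker) == 0) {
        marker >>= 1;
        width++;
    }

    /* The check that prevents the over-read: every byte of the coded size
     * must lie inside the caller's buffer before any of it is touched. */
    if (width > len)
        return 0;

    uint64_t value = first & (uint8_t)(marker - 1);
    for (size_t i = 1; i < width; i++)
        value = (value << 8) | buf[i];

    if (out)
        *out = value;
    return width;
}

/* Convenience wrapper for callers that only need the value: returns the
 * decoded value, or UINT64_MAX when the field is malformed or truncated. */
uint64_t ebml_coded_size_or_max(const uint8_t *buf, size_t len)
{
    uint64_t value = 0;
    return ebml_read_coded_size(buf, len, &value) ? value : UINT64_MAX;
}

/*
 * Constructed data mirroring the reported condition: a 24-byte block whose
 * final byte (0x40) announces a two-byte coded size. An unchecked decoder
 * would read byte 24, one past the allocation; the checked decoder refuses.
 * Returns 1 when the truncated field was rejected.
 */
int demo_truncated_size_rejected(void)
{
    uint8_t block[24];
    memset(block, 0x00, sizeof block);
    block[23] = 0x40;           /* constructed: 2-byte marker, no second byte */

    uint64_t v = 0;
    size_t used = ebml_read_coded_size(block + 23, sizeof block - 23, &v);
    return used == 0;
}

int main(void)
{
    /* Constructed sample: a 4-byte coded size holding the value 5. */
    const uint8_t ok[] = { 0x10, 0x00, 0x00, 0x05 };
    uint64_t v = 0;
    size_t n = ebml_read_coded_size(ok, sizeof ok, &v);
    printf("width=%zu value=%llu\n", n, (unsigned long long)v);
    printf("truncated field rejected: %s\n",
           demo_truncated_size_rejected() ? "yes" : "no");
    return 0;
}
```

Returning 0 rather than a partial value forces the caller to treat a truncated header as a parse error, which is what a validator such as mkvalidator should report for a damaged or hostile file instead of continuing past the end of the block buffer.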