Headline
CVE-2022-38864: #2406 (A heap-buffer-overflow occurred in function mp_unescape03() of libmpdemux/mpeg_hdr.c) – MPlayer
Certain The MPlayer Project products are vulnerable to Buffer Overflow via the function mp_unescape03() of libmpdemux/mpeg_hdr.c. This affects mencoder SVN-r38374-13.0.1 and mplayer SVN-r38374-13.0.1.
#2406 closed defect (fixed)
Reported by:
Owned by:
beastd
Priority:
normal
Component:
undetermined
Version:
HEAD
Severity:
major
Keywords:
Cc:
Blocked By:
Blocking:
Reproduced by developer:
no
Analyzed by developer:
no
Version: SVN-r38374-13.0.1
Build command: …/configure --disable-ffmpeg_a && make (compiling with asan)
Summary of the bug: An heap-buffer-overflow is found in fucnction in mp_unescape03() which affects mencoder and mplayer. The attached file can reproduce this issue (ASAN-recompilation is needed).
How to reproduce:
1.Command: ./mencoder -ovc lavc -oac lavc -o /dev/null ./testcase
./mplayer ./testcase
2.Result:
MPlayer SVN-r38374-13.0.1 © 2000-2022 MPlayer Team
Playing /home/jlx/crashes/id^%000298,sig^%06,src^%003761,time^%206364090,execs^%10623748,op^%havoc,rep^%8. libavformat version 58.29.100 (external) MPEG-PS file format detected. MPEG: No audio stream found -> no sound. ================================================================= ==22224==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000002d91 at pc 0x555555d38dcd bp 0x7fffffffc4a0 sp 0x7fffffffc498 WRITE of size 1 at 0x602000002d91 thread T0 #0 0x555555d38dcc in mp_unescape03 /home/jlx/good_mplayer/mplayer/libmpdemux/mpeg_hdr.c:394:13 #1 0x555555d38dcc in h264_parse_sps /home/jlx/good_mplayer/mplayer/libmpdemux/mpeg_hdr.c:406:9
0x602000002d91 is located 0 bytes to the right of 1-byte region [0x602000002d90,0x602000002d91) allocated by thread T0 here:
#0 0x5555558971cd in malloc (/home/jlx/good_mplayer/asan_mplayer/mplayer+0x3431cd)
#1 0x555555d34e40 in h264_parse_sps /home/jlx/good_mplayer/mplayer/libmpdemux/mpeg_hdr.c:404:18
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/jlx/good_mplayer/mplayer/libmpdemux/mpeg_hdr.c:394:13 in mp_unescape03 Shadow bytes around the buggy address:
0x0c047fff8560: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 00
0x0c047fff8570: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 00
0x0c047fff8580: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 00
0x0c047fff8590: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 00
0x0c047fff85a0: fa fa 00 00 fa fa 00 00 fa fa 06 fa fa fa fd fd
=>0x0c047fff85b0: fa fa[01]fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff85c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff85d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff85e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff85f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8600: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==22224==ABORTING
Related news
Gentoo Linux Security Advisory 202405-5 - Multiple vulnerabilities have been discovered in MPlayer, the worst of which can lead to arbitrary code execution. Versions greater than or equal to 1.5 are affected.