CVE-2021-45863: heap-buffer-overflow in hevc.cpp:76 HevcUnit::updateBits · Issue #509 · justdan96/tsMuxer

tsMuxer git-2678966 was discovered to contain a heap-based buffer overflow via the function HevcUnit::updateBits in hevc.cpp.


Hi, I found a heap-buffer-overflow error.

Some Info

Ubuntu 20.04.3 LTS
tsMuxeR version git-2678966.

To reproduce

  1. Compile tsMuxer
  2. Run tsMuxer

ASan output

$ tsMuxer-asan ./poc  
tsMuxeR version git-2678966. github.com/justdan96/tsMuxer
This HEVC stream doesn't contain fps value. Muxing fps is absent too. Set muxing FPS to default 25.0 value.
HEVC manual defined fps doesn't equal to stream fps. Change HEVC fps from 3.083 to 25
=================================================================
==452652==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60d00000bd53 at pc 0x55fca9458e01 bp 0x7ffe07198940 sp 0x7ffe07198930
READ of size 1 at 0x60d00000bd53 thread T0
    #0 0x55fca9458e00 in HevcUnit::updateBits(int, int, int) /path/to/tsMuxer/tsMuxer-asan/tsMuxer/hevc.cpp:76
    #1 0x55fca945ae43 in HevcVpsUnit::setFPS(double) /path/to/tsMuxer/tsMuxer-asan/tsMuxer/hevc.cpp:247
    #2 0x55fca946c904 in HEVCStreamReader::updateStreamFps(void*, unsigned char*, unsigned char*, int) /path/to/tsMuxer/tsMuxer-asan/tsMuxer/hevcStreamReader.cpp:364
    #3 0x55fca958cd7e in MPEGStreamReader::updateFPS(void*, unsigned char*, unsigned char*, int) /path/to/tsMuxer/tsMuxer-asan/tsMuxer/mpegStreamReader.cpp:310
    #4 0x55fca9469c00 in HEVCStreamReader::checkStream(unsigned char*, int) /path/to/tsMuxer/tsMuxer-asan/tsMuxer/hevcStreamReader.cpp:77
    #5 0x55fca94fb1dc in METADemuxer::detectTrackReader(unsigned char*, int, AbstractStreamReader::ContainerType, int, int) /path/to/tsMuxer/tsMuxer-asan/tsMuxer/metaDemuxer.cpp:771
    #6 0x55fca94f8ede in METADemuxer::DetectStreamReader(BufferedReaderManager&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, bool) /path/to/tsMuxer/tsMuxer-asan/tsMuxer/metaDemuxer.cpp:685
    #7 0x55fca94a21d5 in detectStreamReader(char const*, MPLSParser*, bool) /path/to/tsMuxer/tsMuxer-asan/tsMuxer/main.cpp:120
    #8 0x55fca94a9d7b in main /path/to/tsMuxer/tsMuxer-asan/tsMuxer/main.cpp:699
    #9 0x7f2c99c360b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
    #10 0x55fca93b80ed in _start (/path/to/tsMuxer/tsMuxer-asan/build/tsMuxer/tsmuxer+0x28d0ed)

0x60d00000bd53 is located 14 bytes to the right of 133-byte region [0x60d00000bcc0,0x60d00000bd45)
allocated by thread T0 here:
    #0 0x7f2c9a35cb47 in operator new[](unsigned long) (/lib/x86_64-linux-gnu/libasan.so.5+0x10fb47)
    #1 0x55fca9458931 in HevcUnit::decodeBuffer(unsigned char const*, unsigned char const*) /path/to/tsMuxer/tsMuxer-asan/tsMuxer/hevc.cpp:40
    #2 0x55fca9469ac0 in HEVCStreamReader::checkStream(unsigned char*, int) /path/to/tsMuxer/tsMuxer-asan/tsMuxer/hevcStreamReader.cpp:73
    #3 0x55fca94fb1dc in METADemuxer::detectTrackReader(unsigned char*, int, AbstractStreamReader::ContainerType, int, int) /path/to/tsMuxer/tsMuxer-asan/tsMuxer/metaDemuxer.cpp:771
    #4 0x55fca94f8ede in METADemuxer::DetectStreamReader(BufferedReaderManager&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, bool) /path/to/tsMuxer/tsMuxer-asan/tsMuxer/metaDemuxer.cpp:685
    #5 0x55fca94a21d5 in detectStreamReader(char const*, MPLSParser*, bool) /path/to/tsMuxer/tsMuxer-asan/tsMuxer/main.cpp:120
    #6 0x55fca94a9d7b in main /path/to/tsMuxer/tsMuxer-asan/tsMuxer/main.cpp:699
    #7 0x7f2c99c360b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)

SUMMARY: AddressSanitizer: heap-buffer-overflow /path/to/tsMuxer/tsMuxer-asan/tsMuxer/hevc.cpp:76 in HevcUnit::updateBits(int, int, int)
Shadow bytes around the buggy address:
  0x0c1a7fff9750: fd fd fd fd fd fd fd fd fd fd fd fd fa fa fa fa
  0x0c1a7fff9760: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c1a7fff9770: fd fd fd fd fd fd fa fa fa fa fa fa fa fa fd fd
  0x0c1a7fff9780: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c1a7fff9790: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
=>0x0c1a7fff97a0: 00 00 00 00 00 00 00 00 05 fa[fa]fa fa fa fa fa
  0x0c1a7fff97b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1a7fff97c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1a7fff97d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1a7fff97e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1a7fff97f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==452652==ABORTING

POC
poc.zip
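The report above shows a one-byte read 14 bytes past a 133-byte heap region from a bit-level updater called while rewriting the VPS fps fields. The defensive pattern for that class of bug is to validate the bit offset and length against the backing buffer before touching it. The following is an added, hypothetical illustration written for this page, not tsMuxer's own HevcUnit::updateBits; it assumes a caller that supplies a bit offset, a bit length and a value against a std::vector buffer.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

// Hypothetical bounds-checked bit writer; not tsMuxer's HevcUnit::updateBits.
// Writes the low `bitLen` bits of `value` at bit offset `bitPos` (MSB-first),
// refusing any update that would touch bytes outside `buf`.
bool updateBitsChecked(std::vector<uint8_t>& buf, int bitPos, int bitLen, uint32_t value) {
    if (bitPos < 0 || bitLen < 1 || bitLen > 32) return false;
    const uint64_t endBit = static_cast<uint64_t>(bitPos) + static_cast<uint64_t>(bitLen);
    if (endBit > static_cast<uint64_t>(buf.size()) * 8) return false;  // past the allocation
    for (int i = 0; i < bitLen; ++i) {
        const uint64_t bit = static_cast<uint64_t>(bitPos) + static_cast<uint64_t>(i);
        const size_t byteIdx = static_cast<size_t>(bit / 8);
        const uint8_t mask = static_cast<uint8_t>(1u << (7 - bit % 8));
        const bool set = ((value >> (bitLen - 1 - i)) & 1u) != 0;
        if (set) buf[byteIdx] |= mask; else buf[byteIdx] &= static_cast<uint8_t>(~mask);
    }
    return true;
}

// Matching bounds-checked reader; `out` is only valid when it returns true.
bool readBitsChecked(const std::vector<uint8_t>& buf, int bitPos, int bitLen, uint32_t& out) {
    if (bitPos < 0 || bitLen < 1 || bitLen > 32) return false;
    const uint64_t endBit = static_cast<uint64_t>(bitPos) + static_cast<uint64_t>(bitLen);
    if (endBit > static_cast<uint64_t>(buf.size()) * 8) return false;
    out = 0;
    for (int i = 0; i < bitLen; ++i) {
        const uint64_t bit = static_cast<uint64_t>(bitPos) + static_cast<uint64_t>(i);
        out = (out << 1) | ((buf[static_cast<size_t>(bit / 8)] >> (7 - bit % 8)) & 1u);
    }
    return true;
}

// Constructed 133-byte region, the size of the allocation in the ASan report above.
// Returns the value read back after an in-bounds update (0x1234), or 0 on failure.
uint32_t demoInBounds() {
    std::vector<uint8_t> unit(133, 0);
    uint32_t v = 0;
    if (!updateBitsChecked(unit, 8, 16, 0x1234) || !readBitsChecked(unit, 8, 16, v)) return 0;
    return v;
}

// Returns true when an update aimed 14 bytes past the end, like the access ASan
// reported, is refused instead of overrunning the heap.
bool demoOverflowRefused() {
    std::vector<uint8_t> unit(133, 0);
    return !updateBitsChecked(unit, (133 + 14) * 8, 8, 0xff);
}
```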
