CVE-2022-38856: #2395 (A heap-buffer-overflow occurred in function mov_build_index() of libmpdemux/demux_mov.c) – MPlayer

#2395 closed defect (fixed)

Reported by:

Owned by:

beastd

Priority:

normal

Component:

undetermined

Version:

HEAD

Severity:

major

Keywords:

Cc:

Blocked By:

Blocking:

Reproduced by developer:

no

Analyzed by developer:

no

Version: SVN-r38374-13.0.1

Build command: …/configure --disable-ffmpeg_a && make (compiling with asan)

Summary of the bug: An heap-buffer-overflow is found in fucnction mov_build_index () which affects mplayer and mencoder. The attached file can reproduce this issue (ASAN-recompilation is needed).

How to reproduce:

1.Command: ./mplayer testcase

2.Result:

MPlayer SVN-r38374-13.0.1 © 2000-2022 MPlayer Team

Playing libavformat version 58.29.100 (external) libavformat file format detected. [mov,mp4,m4a,3gp,3g2,mj2 @ 0x7f665a275600]Version 22 is not implemented. Update your FFmpeg version to the newest one from Git. If the problem still occurs, it means that your file has a feature which has not been implemented. [mov,mp4,m4a,3gp,3g2,mj2 @ 0x7f665a275600]If you want to help, upload a sample of this file to ftp://upload.ffmpeg.org/incoming/ and contact the ffmpeg-devel mailing list. ([email protected]) [mov,mp4,m4a,3gp,3g2,mj2 @ 0x7f665a275600]error reading header LAVF_header: av_open_input_stream() failed ISO: File Type Major Brand: Original QuickTime Quicktime/MOV file format detected. [mov] Video stream found, -vid 0 Warning! pts=-285211648 length=2048 MOV: durmap and chunkmap sample count differ (1 vs 2) ================================================================= ==24664==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x603000014580 at pc 0x563d661312e5 bp 0x7ffecfcd0050 sp 0x7ffecfcd0048 READ of size 4 at 0x603000014580 thread T0 #0 0x563d661312e4 in mov_build_index /home/jlx/good_mplayer/mplayer/libmpdemux/demux_mov.c:302:110 #1 0x563d661312e4 in lschunks /home/jlx/good_mplayer/mplayer/libmpdemux/demux_mov.c:1333:6 #2 0x563d6611c88c in mov_read_header /home/jlx/good_mplayer/mplayer/libmpdemux/demux_mov.c:1961:5

0x603000014580 is located 0 bytes to the right of 32-byte region [0x603000014560,0x603000014580) allocated by thread T0 here: #0 0x563d65d5a362 in __interceptor_calloc (/home/jlx/good_mplayer/asan_mplayer/mplayer+0x343362) #1 0x563d661263f0 in lschunks_intrak /home/jlx/good_mplayer/mplayer/libmpdemux/demux_mov.c:1820:25 #2 0x563d661263f0 in lschunks /home/jlx/good_mplayer/mplayer/libmpdemux/demux_mov.c:1305:8 #3 0x563d66123576 in lschunks_intrak /home/jlx/good_mplayer/mplayer/libmpdemux/demux_mov.c #4 0x563d66123576 in lschunks /home/jlx/good_mplayer/mplayer/libmpdemux/demux_mov.c:1305:8 #5 0x563d66123576 in lschunks_intrak /home/jlx/good_mplayer/mplayer/libmpdemux/demux_mov.c #6 0x563d66123576 in lschunks /home/jlx/good_mplayer/mplayer/libmpdemux/demux_mov.c:1305:8 #7 0x563d66123576 in lschunks_intrak /home/jlx/good_mplayer/mplayer/libmpdemux/demux_mov.c #8 0x563d66123576 in lschunks /home/jlx/good_mplayer/mplayer/libmpdemux/demux_mov.c:1305:8 #9 0x563d66124068 in lschunks /home/jlx/good_mplayer/mplayer/libmpdemux/demux_mov.c:1332:6 #10 0x563d6611c88c in mov_read_header /home/jlx/good_mplayer/mplayer/libmpdemux/demux_mov.c:1961:5 SUMMARY: AddressSanitizer: heap-buffer-overflow /home/jlx/good_mplayer/mplayer/libmpdemux/demux_mov.c:302:110 in mov_build_index Shadow bytes around the buggy address: 0x0c067fffa860: 00 fa fa fa fd fd fd fd fa fa fd fd fd fd fa fa 0x0c067fffa870: fd fd fd fd fa fa fd fd fd fd fa fa fd fd fd fd 0x0c067fffa880: fa fa fd fd fd fa fa fa fd fd fd fa fa fa fd fd 0x0c067fffa890: fd fd fa fa fd fd fd fd fa fa 00 00 00 04 fa fa 0x0c067fffa8a0: 00 00 00 fa fa fa 00 00 00 04 fa fa 00 00 00 00 =>0x0c067fffa8b0:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c067fffa8c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c067fffa8d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c067fffa8e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c067fffa8f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c067fffa900: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb ==24664==ABORTING