Headline
CVE-2022-38856: #2395 (A heap-buffer-overflow occurred in function mov_build_index() of libmpdemux/demux_mov.c) – MPlayer
Certain The MPlayer Project products are vulnerable to Buffer Overflow via function mov_build_index() of libmpdemux/demux_mov.c. This affects mplayer SVN-r38374-13.0.1 and mencoder SVN-r38374-13.0.1.
#2395 closed defect (fixed)
Reported by:
Owned by:
beastd
Priority:
normal
Component:
undetermined
Version:
HEAD
Severity:
major
Keywords:
Cc:
Blocked By:
Blocking:
Reproduced by developer:
no
Analyzed by developer:
no
Version: SVN-r38374-13.0.1
Build command: …/configure --disable-ffmpeg_a && make (compiling with asan)
Summary of the bug: An heap-buffer-overflow is found in fucnction mov_build_index () which affects mplayer and mencoder. The attached file can reproduce this issue (ASAN-recompilation is needed).
How to reproduce:
1.Command: ./mplayer testcase
2.Result:
MPlayer SVN-r38374-13.0.1 © 2000-2022 MPlayer Team
Playing libavformat version 58.29.100 (external) libavformat file format detected. [mov,mp4,m4a,3gp,3g2,mj2 @ 0x7f665a275600]Version 22 is not implemented. Update your FFmpeg version to the newest one from Git. If the problem still occurs, it means that your file has a feature which has not been implemented. [mov,mp4,m4a,3gp,3g2,mj2 @ 0x7f665a275600]If you want to help, upload a sample of this file to ftp://upload.ffmpeg.org/incoming/ and contact the ffmpeg-devel mailing list. ([email protected]) [mov,mp4,m4a,3gp,3g2,mj2 @ 0x7f665a275600]error reading header LAVF_header: av_open_input_stream() failed ISO: File Type Major Brand: Original QuickTime Quicktime/MOV file format detected. [mov] Video stream found, -vid 0 Warning! pts=-285211648 length=2048 MOV: durmap and chunkmap sample count differ (1 vs 2) ================================================================= ==24664==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x603000014580 at pc 0x563d661312e5 bp 0x7ffecfcd0050 sp 0x7ffecfcd0048 READ of size 4 at 0x603000014580 thread T0 #0 0x563d661312e4 in mov_build_index /home/jlx/good_mplayer/mplayer/libmpdemux/demux_mov.c:302:110 #1 0x563d661312e4 in lschunks /home/jlx/good_mplayer/mplayer/libmpdemux/demux_mov.c:1333:6 #2 0x563d6611c88c in mov_read_header /home/jlx/good_mplayer/mplayer/libmpdemux/demux_mov.c:1961:5
0x603000014580 is located 0 bytes to the right of 32-byte region [0x603000014560,0x603000014580) allocated by thread T0 here: #0 0x563d65d5a362 in __interceptor_calloc (/home/jlx/good_mplayer/asan_mplayer/mplayer+0x343362) #1 0x563d661263f0 in lschunks_intrak /home/jlx/good_mplayer/mplayer/libmpdemux/demux_mov.c:1820:25 #2 0x563d661263f0 in lschunks /home/jlx/good_mplayer/mplayer/libmpdemux/demux_mov.c:1305:8 #3 0x563d66123576 in lschunks_intrak /home/jlx/good_mplayer/mplayer/libmpdemux/demux_mov.c #4 0x563d66123576 in lschunks /home/jlx/good_mplayer/mplayer/libmpdemux/demux_mov.c:1305:8 #5 0x563d66123576 in lschunks_intrak /home/jlx/good_mplayer/mplayer/libmpdemux/demux_mov.c #6 0x563d66123576 in lschunks /home/jlx/good_mplayer/mplayer/libmpdemux/demux_mov.c:1305:8 #7 0x563d66123576 in lschunks_intrak /home/jlx/good_mplayer/mplayer/libmpdemux/demux_mov.c #8 0x563d66123576 in lschunks /home/jlx/good_mplayer/mplayer/libmpdemux/demux_mov.c:1305:8 #9 0x563d66124068 in lschunks /home/jlx/good_mplayer/mplayer/libmpdemux/demux_mov.c:1332:6 #10 0x563d6611c88c in mov_read_header /home/jlx/good_mplayer/mplayer/libmpdemux/demux_mov.c:1961:5 SUMMARY: AddressSanitizer: heap-buffer-overflow /home/jlx/good_mplayer/mplayer/libmpdemux/demux_mov.c:302:110 in mov_build_index Shadow bytes around the buggy address: 0x0c067fffa860: 00 fa fa fa fd fd fd fd fa fa fd fd fd fd fa fa 0x0c067fffa870: fd fd fd fd fa fa fd fd fd fd fa fa fd fd fd fd 0x0c067fffa880: fa fa fd fd fd fa fa fa fd fd fd fa fa fa fd fd 0x0c067fffa890: fd fd fa fa fd fd fd fd fa fa 00 00 00 04 fa fa 0x0c067fffa8a0: 00 00 00 fa fa fa 00 00 00 04 fa fa 00 00 00 00 =>0x0c067fffa8b0:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c067fffa8c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c067fffa8d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c067fffa8e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c067fffa8f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c067fffa900: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb ==24664==ABORTING
Related news
Gentoo Linux Security Advisory 202405-5 - Multiple vulnerabilities have been discovered in MPlayer, the worst of which can lead to arbitrary code execution. Versions greater than or equal to 1.5 are affected.