CVE-2023-36243: Memory allocation failure in xml_on_metadata_tag_only() at dump_xml.c:271 · Issue #19 · noirotm/flvmeta

FLVMeta v1.2.1 was discovered to contain a buffer overflow via the xml_on_metadata_tag_only function at dump_xml.c.


Memory allocation failure in xml_on_metadata_tag_only() at dump_xml.c:271

Memory allocation failure in flvmeta in the function xml_on_metadata_tag_only at dump_xml.c:271.

Environment

Ubuntu 18.04, 64 bit
FLVMeta 1.2.1

Steps to reproduce

  1. download file

    wget https://github.com/noirotm/flvmeta/archive/refs/tags/v1.2.1.tar.gz
    tar -zxvf v1.2.1.tar.gz

  2. compile libming with ASAN

    cd flvmeta-1.2.1
    export FORCE_UNSAFE_CONFIGURE=1
    export LLVM_COMPILER=clang
    CC=wllvm CXX=wllvm++ CFLAGS="-g -O0 -Wno-error" cmake -DCMAKE_C_COMPILER=wllvm -DCMAKE_CXX_COMPILER=wllvm++ -B obj-bc -G"Unix Makefiles"
    cd obj-bc
    make

    cd src
    extract-bc flvmeta
    clang -fsanitize=address flvmeta.bc -o flvmeta_asan

  3. command for reproducing the error

Download poc:
flvmeta_memory-allocation-failure_dumpxml271.zip

ASAN report

root@a71b82b5d288:~/dataset/flvmeta-1.2.1/obj-bc/src# ./flvmeta_asan flvmeta_memory-allocation-failure_dumpxml271 
AddressSanitizer:DEADLYSIGNAL
=================================================================
==30124==ERROR: AddressSanitizer: SEGV on unknown address (pc 0x000000489d7b bp 0x7fff17e62cb0 sp 0x7fff17e62440 T0)
==30124==The signal is caused by a READ memory access.
==30124==Hint: this fault was caused by a dereference of a high value address (see register values below).  Disassemble the provided pc to learn which register was used.
    #0 0x489d7b in __interceptor_strcmp.part.298 /root/LLVM/llvm/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:444
    #1 0x4fe908 in xml_on_metadata_tag_only /root/dataset/flvmeta-1.2.1/src/dump_xml.c:271:14
    #2 0x502563 in flv_parse /root/dataset/flvmeta-1.2.1/src/flv.c:506:26
    #3 0x4fd491 in dump_metadata /root/dataset/flvmeta-1.2.1/src/dump.c:160:14
    #4 0x502855 in main /root/dataset/flvmeta-1.2.1/src/flvmeta.c:385:50
    #5 0x7f8aa5304c86 in __libc_start_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310
    #6 0x41b819 in _start (/root/dataset/flvmeta-1.2.1/obj-bc/src/flvmeta_asan+0x41b819)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /root/LLVM/llvm/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:444 in __interceptor_strcmp.part.298
==30124==ABORTING
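The report above is typical of sanitizer output where frame #0 lands inside an ASan interceptor (here `__interceptor_strcmp`) rather than in the program under test: the interceptor is only the place where the bad pointer was dereferenced, and the frame a maintainer actually needs is the first one with a source location under the project tree (`xml_on_metadata_tag_only` at `dump_xml.c:271`). The following script is an added triage example, not part of the original issue or of the flvmeta project; it embeds the report quoted above as constructed sample input, extracts the error class and access type, skips runtime/libc frames, and derives a stable bucket key of the kind used to deduplicate fuzzer crashes. The project root path is taken from the report and the `crash_key` format is this example's own choice.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample input: the ASan report quoted in the issue above, embedded so this runs offline.
SAMPLE_REPORT = """\
AddressSanitizer:DEADLYSIGNAL
=================================================================
==30124==ERROR: AddressSanitizer: SEGV on unknown address (pc 0x000000489d7b bp 0x7fff17e62cb0 sp 0x7fff17e62440 T0)
==30124==The signal is caused by a READ memory access.
==30124==Hint: this fault was caused by a dereference of a high value address (see register values below).  Disassemble the provided pc to learn which register was used.
    #0 0x489d7b in __interceptor_strcmp.part.298 /root/LLVM/llvm/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:444
    #1 0x4fe908 in xml_on_metadata_tag_only /root/dataset/flvmeta-1.2.1/src/dump_xml.c:271:14
    #2 0x502563 in flv_parse /root/dataset/flvmeta-1.2.1/src/flv.c:506:26
    #3 0x4fd491 in dump_metadata /root/dataset/flvmeta-1.2.1/src/dump.c:160:14
    #4 0x502855 in main /root/dataset/flvmeta-1.2.1/src/flvmeta.c:385:50
    #5 0x7f8aa5304c86 in __libc_start_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310
    #6 0x41b819 in _start (/root/dataset/flvmeta-1.2.1/obj-bc/src/flvmeta_asan+0x41b819)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /root/LLVM/llvm/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:444 in __interceptor_strcmp.part.298
==30124==ABORTING
"""

@dataclass
class Frame:
    index: int
    function: str
    file: str                 # source path, or "binary+offset" when there is no debug info
    line: Optional[int] = None
    column: Optional[int] = None

@dataclass
class Triage:
    error: str                # e.g. "SEGV on unknown address"
    access: Optional[str]     # "READ" or "WRITE" when ASan states it
    frames: List[Frame]
    culprit: Optional[Frame]  # first frame with a source location under the project tree

FRAME_RE = re.compile(r"^\s*#(\d+)\s+0x[0-9a-fA-F]+\s+in\s+(\S+)\s+(.+?)\s*$")
LOC_RE = re.compile(r"^(.*?):(\d+)(?::(\d+))?$")
ERROR_RE = re.compile(r"^==\d+==ERROR: AddressSanitizer: (.+?)(?: \(pc |$)", re.M)
ACCESS_RE = re.compile(r"The signal is caused by a (READ|WRITE) memory access")

def parse_frame(line: str) -> Optional[Frame]:
    """Parse one '#N 0xADDR in func location' line; return None for non-frame lines."""
    m = FRAME_RE.match(line)
    if not m:
        return None
    idx, func, loc = int(m.group(1)), m.group(2), m.group(3)
    lm = LOC_RE.match(loc)
    if lm:
        col = int(lm.group(3)) if lm.group(3) else None
        return Frame(idx, func, lm.group(1), int(lm.group(2)), col)
    return Frame(idx, func, loc.strip("()"))  # e.g. "(binary+0xoffset)" frames

def parse_frames(report: str) -> List[Frame]:
    return [f for f in (parse_frame(l) for l in report.splitlines()) if f is not None]

def first_project_frame(frames: List[Frame], project_root: str) -> Optional[Frame]:
    """Skip interceptor and libc frames: the first frame with a source line under
    project_root is where the invalid pointer was handed to the library call."""
    for f in frames:
        if f.line is not None and f.file.startswith(project_root):
            return f
    return None

def triage(report: str, project_root: str) -> Triage:
    err = ERROR_RE.search(report)
    acc = ACCESS_RE.search(report)
    frames = parse_frames(report)
    return Triage(
        error=err.group(1) if err else "unknown",
        access=acc.group(1) if acc else None,
        frames=frames,
        culprit=first_project_frame(frames, project_root),
    )

def crash_key(t: Triage) -> str:
    """Bucket id for deduplicating crashes: error class, culprit function and file:line.
    The column is dropped so that small edits to the line do not split one bug into many buckets."""
    if t.culprit is None:
        return f"{t.error}|<no project frame>"
    basename = t.culprit.file.rsplit("/", 1)[-1]
    return f"{t.error}|{t.culprit.function}|{basename}:{t.culprit.line}"

if __name__ == "__main__":
    t = triage(SAMPLE_REPORT, "/root/dataset/flvmeta-1.2.1/src/")
    print("error   :", t.error, f"({t.access})")
    print("top     :", t.frames[0].function, "(sanitizer interceptor, not the bug)")
    print("culprit :", t.culprit.function, f"{t.culprit.file}:{t.culprit.line}")
    print("bucket  :", crash_key(t))
```

Run against the embedded report it identifies frame #1 as the culprit and yields the bucket `SEGV on unknown address|xml_on_metadata_tag_only|dump_xml.c:271`; feeding it a directory of fuzzer crash logs and grouping by that key is the usual first step before looking at the code at the reported line.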
