Headline
CVE-2021-45861: Assertion Failed in bitStream.h:132 BitStreamReader::skipBits · Issue #478 · justdan96/tsMuxer
There is an Assertion `num <= INT_BIT’ failed at BitStreamReader::skipBits in /bitStream.h:132 of tsMuxer git-c6a0277.
Hi, I Found an Assertion Failed error.
Some info:
Ubuntu 20.04.3 LTS
tsMuxeR version git-c6a0277
To reproduce
Compile tsMuxer
Run tsmuxer
tsmuxer ./poc tsMuxeR version git-c6a0277. github.com/justdan96/tsMuxer tsmuxer: tsMuxer/tsMuxer/bitStream.h:132: void BitStreamReader::skipBits(unsigned int): Assertion `num <= INT_BIT’ failed. [1] 883819 abort (core dumped) tsmuxer ./poc
POC
poc.zip
gdb output
gdb-peda$ r ./poc
Starting program: tsMuxer/build/tsMuxer/tsmuxer ./poc
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
tsMuxeR version git-c6a0277. github.com/justdan96/tsMuxer
tsmuxer: tsMuxer/tsMuxer/bitStream.h:132: void BitStreamReader::skipBits(unsigned int): Assertion `num <= INT_BIT' failed.
Program received signal SIGABRT, Aborted.
[----------------------------------registers-----------------------------------]
RAX: 0x0
RBX: 0x7ffff793f080 (0x00007ffff793f080)
RCX: 0x7ffff79be18b (<__GI_raise+203>: mov rax,QWORD PTR [rsp+0x108])
RDX: 0x0
RSI: 0x7fffffff6ba0 --> 0x0
RDI: 0x2
RBP: 0x7ffff7b33588 ("%s%s%s:%u: %s%sAssertion `%s' failed.\n%n")
RSP: 0x7fffffff6ba0 --> 0x0
RIP: 0x7ffff79be18b (<__GI_raise+203>: mov rax,QWORD PTR [rsp+0x108])
R8 : 0x0
R9 : 0x7fffffff6ba0 --> 0x0
R10: 0x8
R11: 0x246
R12: 0x555555832c90 ("tsMuxer/tsMuxer/bitStream.h")
R13: 0x84
R14: 0x555555832cc6 ("num <= INT_BIT")
R15: 0x0
EFLAGS: 0x246 (carry PARITY adjust ZERO sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
0x7ffff79be17f <__GI_raise+191>: mov edi,0x2
0x7ffff79be184 <__GI_raise+196>: mov eax,0xe
0x7ffff79be189 <__GI_raise+201>: syscall
=> 0x7ffff79be18b <__GI_raise+203>: mov rax,QWORD PTR [rsp+0x108]
0x7ffff79be193 <__GI_raise+211>: xor rax,QWORD PTR fs:0x28
0x7ffff79be19c <__GI_raise+220>: jne 0x7ffff79be1c4 <__GI_raise+260>
0x7ffff79be19e <__GI_raise+222>: mov eax,r8d
0x7ffff79be1a1 <__GI_raise+225>: add rsp,0x118
[------------------------------------stack-------------------------------------]
0000| 0x7fffffff6ba0 --> 0x0
0008| 0x7fffffff6ba8 --> 0x7ffff7a15850 (<__GI___libc_free>: endbr64)
0016| 0x7fffffff6bb0 --> 0x7ffffbad8000
0024| 0x7fffffff6bb8 --> 0x5555558ffcf0 --> 0x5555558ffd90 --> 0x0
0032| 0x7fffffff6bc0 --> 0x5555558ffd55 ("signed int): Assertion `num <= INT_BIT' failed.\n")
0040| 0x7fffffff6bc8 --> 0x5555558ffcf0 --> 0x5555558ffd90 --> 0x0
0048| 0x7fffffff6bd0 --> 0x5555558ffcf0 --> 0x5555558ffd90 --> 0x0
0056| 0x7fffffff6bd8 --> 0x5555558ffd85 --> 0xa1000000
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGABRT
__GI_raise (sig=sig@entry=0x6) at ../sysdeps/unix/sysv/linux/raise.c:50
50 ../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
gdb-peda$ bt
#0 __GI_raise (sig=sig@entry=0x6) at ../sysdeps/unix/sysv/linux/raise.c:50
#1 0x00007ffff799d859 in __GI_abort () at abort.c:79
#2 0x00007ffff799d729 in __assert_fail_base (
fmt=0x7ffff7b33588 "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n",
assertion=0x555555832cc6 "num <= INT_BIT",
file=0x555555832c90 "tsMuxer/tsMuxer/bitStream.h", line=0x84,
function=<optimized out>) at assert.c:92
#3 0x00007ffff79aef36 in __GI___assert_fail (assertion=0x555555832cc6 "num <= INT_BIT",
file=0x555555832c90 "tsMuxer/tsMuxer/bitStream.h", line=0x84,
function=0x555555832cd8 "void BitStreamReader::skipBits(unsigned int)") at assert.c:101
#4 0x00005555556c3395 in BitStreamReader::skipBits(unsigned int) ()
#5 0x00005555557f233c in VvcUnitWithProfile::profile_tier_level(bool, int) ()
#6 0x00005555557f3c36 in VvcSpsUnit::deserialize() ()
#7 0x00005555557fa234 in VVCStreamReader::checkStream(unsigned char*, int) ()
#8 0x0000555555742753 in METADemuxer::detectTrackReader(unsigned char*, int, AbstractStreamReader::ContainerType, int, int) ()
#9 0x0000555555741afb in METADemuxer::DetectStreamReader(BufferedReaderManager&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, bool) ()
#10 0x000055555571ca8a in detectStreamReader(char const*, MPLSParser*, bool) ()
#11 0x000055555571fafc in main ()
#12 0x00007ffff799f0b3 in __libc_start_main (main=0x55555571ed30 <main>, argc=0x2,
argv=0x7fffffffe318, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>,
stack_end=0x7fffffffe308) at ../csu/libc-start.c:308
#13 0x00005555556bac2e in _start ()
gdb-peda$