CVE-2022-38853: #2398 (A heap-buffer-overflow occurred in function asf_init_audio_stream() of libmpdemux/asfheader.c) – MPlayer

#2398 closed defect (fixed)

Reported by:

Owned by:

beastd

Priority:

normal

Component:

undetermined

Version:

HEAD

Severity:

major

Keywords:

Cc:

Blocked By:

Blocking:

Reproduced by developer:

no

Analyzed by developer:

no

Version: SVN-r38374-13.0.1

Build command: …/configure --disable-ffmpeg_a && make (compiling with asan)

Summary of the bug: An heap-buffer-overflow is found in fucnction asf_init_audio_stream() which affects mplayer and mencoder. The attached file can reproduce this issue (ASAN-recompilation is needed).

How to reproduce:

1.Command: ./mplayer testcase

2.Result:

MPlayer SVN-r38374-13.0.1 © 2000-2022 MPlayer Team

Playing libavformat version 58.29.100 (external) ASF file format detected. [asfheader] Audio stream found, -aid 21 ================================================================= ==6235==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x615000000261 at pc 0x559f0c51f2c2 bp 0x7ffcb2476300 sp 0x7ffcb24762f8 READ of size 1 at 0x615000000261 thread T0 #0 0x559f0c51f2c1 in asf_init_audio_stream /home/jlx/good_mplayer/mplayer/libmpdemux/asfheader.c:359:24

0x615000000261 is located 0 bytes to the right of 481-byte region [0x615000000080,0x615000000261) allocated by thread T0 here: #0 0x559f0c1e01cd in malloc (/home/jlx/good_mplayer/asan_mplayer/mplayer+0x3431cd) #1 0x559f0c51a6e0 in read_asf_header /home/jlx/good_mplayer/mplayer/libmpdemux/asfheader.c:406:9 #2 0x559f0c549e53 in demux_open_asf /home/jlx/good_mplayer/mplayer/libmpdemux/demux_asf.c:629:10

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/jlx/good_mplayer/mplayer/libmpdemux/asfheader.c:359:24 in asf_init_audio_stream Shadow bytes around the buggy address: 0x0c2a7fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c2a7fff8000: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c2a7fff8010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c2a7fff8020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c2a7fff8030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 =>0x0c2a7fff8040: 00 00 00 00 00 00 00 00 00 00 00 00[01]fa fa fa 0x0c2a7fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c2a7fff8060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c2a7fff8070: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c2a7fff8080: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c2a7fff8090: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb ==6235==ABORTING