CVE-2020-21723: Ogg Video Tools / Bugs
A segmentation fault issue discovered in the StreamSerializer::extractStreams function in streamSerializer.cpp in oggvideotools 0.9.1 allows remote attackers to cause a denial of service (crash) via opening a crafted Ogg file.
Tested on Ubuntu 16.04, 64-bit.
The test case is attached and the oggvideotools version is 0.9.1.
I use the following command:
./oggLength oggLength_SEGV
and get:
I use valgrind to analyze the bug and get the following information:
==7902== Memcheck, a memory error detector
==7902== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==7902== Using Valgrind-3.11.0 and LibVEX; rerun with -h for copyright info
==7902== Command: /home/wws/Music/Fuzz/target_progs/target_oggvideotools/install/bin/oggLength /home/wws/Music/Fuzz/cmp/fuzz_out_oggvideotools_oggLength/crashes/id:000025,sig:11,src:000146,op:flip1,pos:5
==7902==
==7902== Invalid read of size 8
==7902==    at 0x41F650: StreamSerializer::extractStreams() (streamSerializer.cpp:163)
==7902==    by 0x4261A2: StreamSerializer::open(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >&) (streamSerializer.cpp:75)
==7902==    by 0x40F6A3: oggLengthCmd(int, char**) (oggLength.cpp:86)
==7902==    by 0x40E412: main (oggLength.cpp:136)
==7902==  Address 0x0 is not stack'd, malloc'd or (recently) free'd
==7902==
==7902==
==7902== Process terminating with default action of signal 11 (SIGSEGV)
==7902==  Access not within mapped region at address 0x0
==7902==    at 0x41F650: StreamSerializer::extractStreams() (streamSerializer.cpp:163)
==7902==    by 0x4261A2: StreamSerializer::open(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >&) (streamSerializer.cpp:75)
==7902==    by 0x40F6A3: oggLengthCmd(int, char**) (oggLength.cpp:86)
==7902==    by 0x40E412: main (oggLength.cpp:136)
==7902==  If you believe this happened as a result of a stack
==7902==  overflow in your program's main thread (unlikely but
==7902==  possible), you can try to increase the size of the
==7902==  main thread stack using the --main-stacksize= flag.
==7902==  The main thread stack size used in this run was 8388608.
==7902==
==7902== HEAP SUMMARY:
==7902==     in use at exit: 157,974 bytes in 18 blocks
==7902==   total heap usage: 22 allocs, 4 frees, 162,629 bytes allocated
==7902==
==7902== LEAK SUMMARY:
==7902==    definitely lost: 0 bytes in 0 blocks
==7902==    indirectly lost: 0 bytes in 0 blocks
==7902==      possibly lost: 0 bytes in 0 blocks
==7902==    still reachable: 157,974 bytes in 18 blocks
==7902==         suppressed: 0 bytes in 0 blocks
==7902== Rerun with --leak-check=full to see details of leaked memory
==7902==
==7902== For counts of detected and suppressed errors, rerun with: -v
==7902== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
Segmentation fault (core dumped)
I use AddressSanitizer to build oggvideotools; this file causes a SEGV signal in the function StreamSerializer::extractStreams() with the following command:
./oggLength oggLength_SEGV
This is the ASAN information:
ASAN:SIGSEGV
=================================================================
==7905==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x00000043e4b9 bp 0x7ffe756519d0 sp 0x7ffe75651720 T0)
    #0 0x43e4b8 in StreamSerializer::extractStreams() oggvideotools-0.9.1/src/main/streamSerializer.cpp:163
    #1 0x43da8f in StreamSerializer::open(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >&) oggvideotools-0.9.1/src/main/streamSerializer.cpp:75
    #2 0x43b044 in oggLengthCmd(int, char**) oggvideotools-0.9.1/src/binaries/oggLength.cpp:86
    #3 0x43b4e5 in main oggvideotools-0.9.1/src/binaries/oggLength.cpp:136
    #4 0x7f6e840b082f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #5 0x43aa78 in _start (target_oggvideotools/install/bin/oggLength+0x43aa78)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV oggvideotools-0.9.1/src/main/streamSerializer.cpp:163 StreamSerializer::extractStreams()
==7905==ABORTING
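Both reports above point at the same fact: a read from address 0x0 at streamSerializer.cpp:163, i.e. a NULL-pointer dereference, which is why the impact is a crash (denial of service) rather than memory corruption. The following triage helper is an added example, not code from the bug report or from the oggvideotools project: it parses an AddressSanitizer or Valgrind Memcheck report, pulls out the faulting address and the innermost frame, and flags zero-page accesses as a probable NULL dereference so that fuzzing crashes like this one can be bucketed automatically. The zero-page threshold (0x1000) is an assumption of the example, and the embedded sample reports are excerpts of the two outputs quoted above.

```python
"""Crash-report triage helper for AddressSanitizer and Valgrind Memcheck output.

Added example; it is not part of the bug report or of the oggvideotools
project. It extracts the faulting address and innermost frame from a report
and flags accesses inside the zero page as a probable NULL-pointer
dereference, the usual signature of a crash-only denial of service.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Assumption: an access below the first page is NULL plus a small offset.
NULL_PAGE_LIMIT = 0x1000

# "==7905==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc ...)"
ASAN_FAULT = re.compile(
    r"AddressSanitizer: (?P<kind>[A-Za-z-]+) on (?:unknown )?address (?P<addr>0x[0-9a-fA-F]+)")
# "    #0 0x43e4b8 in StreamSerializer::extractStreams() .../streamSerializer.cpp:163"
ASAN_FRAME = re.compile(
    r"^\s*#0 0x[0-9a-fA-F]+ in (?P<func>.+?) (?P<file>\S+):(?P<line>\d+)\s*$", re.M)

# "==7902== Invalid read of size 8"
VG_FAULT = re.compile(r"==\d+== (?P<kind>Invalid (?:read|write) of size \d+)")
# "==7902==    at 0x41F650: StreamSerializer::extractStreams() (streamSerializer.cpp:163)"
VG_FRAME = re.compile(
    r"==\d+==\s+at 0x[0-9a-fA-F]+: (?P<func>.+?) \((?P<file>[^:)]+):(?P<line>\d+)\)")
# "==7902==  Address 0x0 is not stack'd, malloc'd or (recently) free'd"
VG_ADDR = re.compile(r"==\d+==\s+Address (?P<addr>0x[0-9a-fA-F]+)")


@dataclass
class CrashTriage:
    tool: str
    kind: str
    address: Optional[int]
    function: str
    location: str
    null_deref: bool

    def summary(self) -> str:
        addr = "unknown" if self.address is None else hex(self.address)
        verdict = ("probable NULL-pointer dereference (crash/DoS)" if self.null_deref
                   else "non-NULL address, needs deeper analysis")
        return f"{self.tool}: {self.kind} at {addr} in {self.function} ({self.location}); {verdict}"


def _parse_asan(report: str) -> Optional[CrashTriage]:
    fault = ASAN_FAULT.search(report)
    frame = ASAN_FRAME.search(report)
    if fault is None or frame is None:
        return None
    addr = int(fault["addr"], 16)
    return CrashTriage("asan", fault["kind"], addr, frame["func"],
                       f"{frame['file']}:{frame['line']}", addr < NULL_PAGE_LIMIT)


def _parse_valgrind(report: str) -> Optional[CrashTriage]:
    fault = VG_FAULT.search(report)
    if fault is None:
        return None
    tail = report[fault.end():]  # the frames and the address line follow the fault line
    frame = VG_FRAME.search(tail)
    if frame is None:
        return None
    addr_m = VG_ADDR.search(tail)
    addr = int(addr_m["addr"], 16) if addr_m else None
    return CrashTriage("valgrind", fault["kind"], addr, frame["func"],
                       f"{frame['file']}:{frame['line']}",
                       addr is not None and addr < NULL_PAGE_LIMIT)


def triage(report: str) -> CrashTriage:
    """Detect the report format and return the triage record."""
    result = _parse_asan(report) if "AddressSanitizer" in report else _parse_valgrind(report)
    if result is None:
        raise ValueError("no recognised ASAN or Valgrind fault in report")
    return result


# Excerpts of the two reports quoted in the bug above (constructed sample input).
ASAN_REPORT = """\
==7905==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x00000043e4b9 bp 0x7ffe756519d0 sp 0x7ffe75651720 T0)
    #0 0x43e4b8 in StreamSerializer::extractStreams() oggvideotools-0.9.1/src/main/streamSerializer.cpp:163
    #1 0x43da8f in StreamSerializer::open(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >&) oggvideotools-0.9.1/src/main/streamSerializer.cpp:75
    #2 0x43b044 in oggLengthCmd(int, char**) oggvideotools-0.9.1/src/binaries/oggLength.cpp:86
    #3 0x43b4e5 in main oggvideotools-0.9.1/src/binaries/oggLength.cpp:136
SUMMARY: AddressSanitizer: SEGV oggvideotools-0.9.1/src/main/streamSerializer.cpp:163 StreamSerializer::extractStreams()
"""

VALGRIND_REPORT = """\
==7902== Invalid read of size 8
==7902==    at 0x41F650: StreamSerializer::extractStreams() (streamSerializer.cpp:163)
==7902==    by 0x4261A2: StreamSerializer::open(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >&) (streamSerializer.cpp:75)
==7902==    by 0x40F6A3: oggLengthCmd(int, char**) (oggLength.cpp:86)
==7902==    by 0x40E412: main (oggLength.cpp:136)
==7902==  Address 0x0 is not stack'd, malloc'd or (recently) free'd
"""

if __name__ == "__main__":
    for text in (ASAN_REPORT, VALGRIND_REPORT):
        print(triage(text).summary())
```

Run on the two excerpts, both records resolve to the same frame (StreamSerializer::extractStreams() at streamSerializer.cpp:163) with address 0x0 and the NULL-dereference verdict; a sanitizer report with a heap address (for example a heap-buffer-overflow) is parsed the same way but is left unflagged so it can be routed for closer analysis.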