Headline
CVE-2022-38866: #2403 (A heap-buffer-overflow occurred in function read_avi_header() of libmpdemux/aviheader.c) – MPlayer
Certain The MPlayer Project products are vulnerable to Buffer Overflow via read_avi_header() of libmpdemux/aviheader.c . This affects mplayer SVN-r38374-13.0.1 and mencoder SVN-r38374-13.0.1.
#2403 closed defect (fixed)
Reported by:
Owned by:
beastd
Priority:
normal
Component:
undetermined
Version:
HEAD
Severity:
major
Keywords:
Cc:
Blocked By:
Blocking:
Reproduced by developer:
no
Analyzed by developer:
no
Version: SVN-r38374-13.0.1
Build command: …/configure --disable-ffmpeg_a && make (compiling with asan)
Summary of the bug: An heap-buffer-overflow is found in fucnction read_avi_header () which affects mencoder and mplayer The attached file can reproduce this issue (ASAN-recompilation is needed).
How to reproduce:
1.Command: ./mencoder -ovc lavc -oac lavc -o /dev/null ./testcase
./mplayer ./testcase
2.Result:
MPlayer SVN-r38374-9 © 2000-2022 MPlayer Team
Playing /home/jlx/crashes/id^%000059,sig^%06,src^%001757,time^%15822098,execs^%776566,op^%havoc,rep^%2. libavformat version 58.29.100 (external) AVI file format detected. [aviheader] Video stream found, -vid 0 [aviheader] Audio stream found, -aid 1
MPlayer interrupted by signal 11 in module: demux_open
- MPlayer crashed by bad usage of CPU/FPU/RAM. Recompile MPlayer with --enable-debug and make a ‘gdb’ backtrace and disassembly. Details in DOCS/HTML/en/bugreports_what.html#bugreports_crash.
- MPlayer crashed. This shouldn’t happen. It can be a bug in the MPlayer code _or_ in your drivers _or_ in your gcc version. If you think it’s MPlayer’s fault, please read DOCS/HTML/en/bugreports.html and follow the instructions there. We can’t and won’t help unless you provide this information when reporting a possible bug.
MPlayer SVN-r38374-13.0.1 © 2000-2022 MPlayer Team
Playing /home/jlx/crashes/id^%000059,sig^%06,src^%001757,time^%15822098,execs^%776566,op^%havoc,rep^%2. libavformat version 58.29.100 (external) AVI file format detected. [aviheader] Video stream found, -vid 0 ================================================================= ==7938==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000002db0 at pc 0x55c64191557c bp 0x7ffcdbc68090 sp 0x7ffcdbc68088 READ of size 4 at 0x602000002db0 thread T0 #0 0x55c64191557b in read_avi_header /home/jlx/good_mplayer/mplayer/libmpdemux/aviheader.c:364:12 #1 0x55c641948cbe in demux_open_avi /home/jlx/good_mplayer/mplayer/libmpdemux/demux_avi.c:464:3 #2 0x55c641948cbe in demux_open_hack_avi /home/jlx/good_mplayer/mplayer/libmpdemux/demux_avi.c:885:14 #3 0x55c641921f37 in demux_open /home/jlx/good_mplayer/mplayer/libmpdemux/demuxer.c:1294:10 #4 0x55c6416232ed in main /home/jlx/good_mplayer/mplayer/mplayer.c:3383:22 #5 0x7fa5a6c780b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/…/csu/libc-start.c:308:16
0x602000002db0 is located 31 bytes to the right of 1-byte region [0x602000002d90,0x602000002d91) allocated by thread T0 here: #0 0x55c6415c81cd in malloc (/home/jlx/good_mplayer/asan_mplayer/mplayer+0x3431cd) #1 0x55c64190a934 in read_avi_header /home/jlx/good_mplayer/mplayer/libmpdemux/aviheader.c:358:26 #2 0x55c641948cbe in demux_open_avi /home/jlx/good_mplayer/mplayer/libmpdemux/demux_avi.c:464:3 #3 0x55c641948cbe in demux_open_hack_avi /home/jlx/good_mplayer/mplayer/libmpdemux/demux_avi.c:885:14 #4 0x55c641921f37 in demux_open /home/jlx/good_mplayer/mplayer/libmpdemux/demuxer.c:1294:10 #5 0x55c6416232ed in main /home/jlx/good_mplayer/mplayer/mplayer.c:3383:22 #6 0x7fa5a6c780b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/…/csu/libc-start.c:308:16
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/jlx/good_mplayer/mplayer/libmpdemux/aviheader.c:364:12 in read_avi_header Shadow bytes around the buggy address: 0x0c047fff8560: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 00 0x0c047fff8570: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 00 0x0c047fff8580: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 00 0x0c047fff8590: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 00 0x0c047fff85a0: fa fa 00 00 fa fa 00 00 fa fa 06 fa fa fa fd fd =>0x0c047fff85b0: fa fa 01 fa fa fa[fa]fa fa fa fa fa fa fa fa fa 0x0c047fff85c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c047fff85d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c047fff85e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c047fff85f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c047fff8600: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb ==7938==ABORTING
MEncoder SVN-r38374-13.0.1 © 2000-2022 MPlayer Team success: format: 0 data: 0x0 - 0x2aa3 libavformat version 58.29.100 (external) AVI file format detected. [aviheader] Video stream found, -vid 0 ================================================================= ==6848==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000004370 at pc 0x55e9886b95dc bp 0x7fffc79a7df0 sp 0x7fffc79a7de8 READ of size 4 at 0x602000004370 thread T0 #0 0x55e9886b95db in read_avi_header /home/jlx/good_mplayer/mplayer/libmpdemux/aviheader.c:364:12 #1 0x55e9886ecd1e in demux_open_avi /home/jlx/good_mplayer/mplayer/libmpdemux/demux_avi.c:464:3 #2 0x55e9886ecd1e in demux_open_hack_avi /home/jlx/good_mplayer/mplayer/libmpdemux/demux_avi.c:885:14 #3 0x55e9886c5f97 in demux_open /home/jlx/good_mplayer/mplayer/libmpdemux/demuxer.c:1294:10 #4 0x55e9884711f3 in main /home/jlx/good_mplayer/mplayer/mencoder.c:707:11 #5 0x7f4b98de10b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/…/csu/libc-start.c:308:16
0x602000004370 is located 31 bytes to the right of 1-byte region [0x602000004350,0x602000004351) allocated by thread T0 here: #0 0x55e98843e43d in malloc (/home/jlx/good_mplayer/asan_mplayer/mencoder+0x1a643d) #1 0x55e9886ae994 in read_avi_header /home/jlx/good_mplayer/mplayer/libmpdemux/aviheader.c:358:26 #2 0x55e9886ecd1e in demux_open_avi /home/jlx/good_mplayer/mplayer/libmpdemux/demux_avi.c:464:3 #3 0x55e9886ecd1e in demux_open_hack_avi /home/jlx/good_mplayer/mplayer/libmpdemux/demux_avi.c:885:14 #4 0x55e9886c5f97 in demux_open /home/jlx/good_mplayer/mplayer/libmpdemux/demuxer.c:1294:10 #5 0x55e9884711f3 in main /home/jlx/good_mplayer/mplayer/mencoder.c:707:11 #6 0x7f4b98de10b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/…/csu/libc-start.c:308:16
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/jlx/good_mplayer/mplayer/libmpdemux/aviheader.c:364:12 in read_avi_header Shadow bytes around the buggy address: 0x0c047fff8810: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 00 0x0c047fff8820: fa fa 06 fa fa fa 06 fa fa fa 04 fa fa fa 04 fa 0x0c047fff8830: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 00 0x0c047fff8840: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 00 0x0c047fff8850: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 00 =>0x0c047fff8860: fa fa 00 00 fa fa fd fd fa fa 01 fa fa fa[fa]fa 0x0c047fff8870: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c047fff8880: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c047fff8890: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c047fff88a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c047fff88b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb ==6848==ABORTING
Related news
Gentoo Linux Security Advisory 202405-5 - Multiple vulnerabilities have been discovered in MPlayer, the worst of which can lead to arbitrary code execution. Versions greater than or equal to 1.5 are affected.