CVE-2022-38862: #2404 (A heap-buffer-overflow occurred in function play() of libaf/af_pan.c) – MPlayer

#2404 new defect

Reported by:

Owned by:

beastd

Priority:

normal

Component:

undetermined

Version:

HEAD

Severity:

major

Keywords:

Cc:

Blocked By:

Blocking:

Reproduced by developer:

no

Analyzed by developer:

no

Version: SVN-r38374-13.0.1

Build command: …/configure --disable-ffmpeg_a && make (compiling with asan)

Summary of the bug: An heap-buffer-overflow is found in fucnction play() which affects mencoder. and mplayer The attached file can reproduce this issue (ASAN-recompilation is needed).

How to reproduce:
1.Command: ./mencoder -ovc lavc -oac lavc -o /dev/null ./testcase
./mplayer ./testcase

2.Result:

================================================================= ==27905==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6140000003c8 at pc 0x5555557f69f5 bp 0x7fffffffd2a0 sp 0x7fffffffd298 READ of size 4 at 0x6140000003c8 thread T0 #0 0x5555557f69f4 in play /home/jlx/good_mplayer/mplayer/libaf/af_pan.c:176:7

0x6140000003cb is located 0 bytes to the right of 395-byte region [0x614000000240,0x6140000003cb) allocated by thread T0 here: #0 0x5555556fa43d in malloc (/home/jlx/good_mplayer/asan_mplayer/mencoder+0x1a643d) #1 0x5555557c795b in af_resize_local_buffer /home/jlx/good_mplayer/mplayer/libaf/af.c:639:21

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/jlx/good_mplayer/mplayer/libaf/af_pan.c:176:7 in play Shadow bytes around the buggy address: 0x0c287fff8020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c287fff8030: 00 00 00 00 00 00 00 00 00 06 fa fa fa fa fa fa 0x0c287fff8040: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00 0x0c287fff8050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c287fff8060: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 =>0x0c287fff8070: 00 00 00 00 00 00 00 00 00[03]fa fa fa fa fa fa 0x0c287fff8080: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c287fff8090: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c287fff80a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c287fff80b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c287fff80c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb ==27905==ABORTING