CVE-2023-45510: Alloc-dealloc-mismatch on tsMuxer · Issue #778 · justdan96/tsMuxer

tsMuxer version git-2539d07 was discovered to contain an alloc-dealloc-mismatch (operator new [] vs operator delete) error.

Description

We found an alloc-dealloc-mismatch (operator new [] vs operator delete) error when using tsMuxer/tsmuxer.

ASAN Log

=================================================================
==4087327==ERROR: AddressSanitizer: alloc-dealloc-mismatch (operator new [] vs operator delete) on 0x610000000040
#0 0x5d946d in operator delete(void*) (/afltest/tsMuxer/tsMuxer/tsmuxer+0x5d946d)
#1 0x6e88a3 in MatroskaDemuxer::readClose() /afltest/tsMuxer/tsMuxer/matroskaDemuxer.cpp:1041:42
#2 0x6fca23 in MatroskaDemuxer::~MatroskaDemuxer() /afltest/tsMuxer/tsMuxer/matroskaDemuxer.h:11:35
#3 0x6fcc97 in MatroskaDemuxer::~MatroskaDemuxer() /afltest/tsMuxer/tsMuxer/matroskaDemuxer.h:11:33
#4 0x73ed9e in METADemuxer::DetectStreamReader(BufferedReaderManager const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, bool) /afltest/tsMuxer/tsMuxer/metaDemuxer.cpp:669:9
#5 0x6bb225 in detectStreamReader(char const*, MPLSParser*, bool) /afltest/tsMuxer/tsMuxer/main.cpp:114:34
#6 0x6c76ef in main /afltest/tsMuxer/tsMuxer/main.cpp:689:17
#7 0x7ffff798b082 in __libc_start_main /build/glibc-BHL3KM/glibc-2.31/csu/…/csu/libc-start.c:308:16
#8 0x530d5d in _start (/afltest/tsMuxer/tsMuxer/tsmuxer+0x530d5d)

0x610000000040 is located 0 bytes inside of 184-byte region [0x610000000040,0x6100000000f8)
allocated by thread T0 here:
#0 0x5d8d1d in operator new[](unsigned long) (/afltest/tsMuxer/tsMuxer/tsmuxer+0x5d8d1d)
#1 0x6f3be7 in MatroskaDemuxer::matroska_add_stream() /afltest/tsMuxer/tsMuxer/matroskaDemuxer.cpp:1893:53
#2 0x6ee754 in MatroskaDemuxer::matroska_parse_tracks() /afltest/tsMuxer/tsMuxer/matroskaDemuxer.cpp:1746:19
#3 0x6e9989 in MatroskaDemuxer::matroska_read_header() /afltest/tsMuxer/tsMuxer/matroskaDemuxer.cpp:1228:19
#4 0x6e7b5a in MatroskaDemuxer::openFile(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /afltest/tsMuxer/tsMuxer/matroskaDemuxer.cpp:1027:5
#5 0x73c0d9 in METADemuxer::DetectStreamReader(BufferedReaderManager const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, bool) /afltest/tsMuxer/tsMuxer/metaDemuxer.cpp:608:18
#6 0x6bb225 in detectStreamReader(char const*, MPLSParser*, bool) /afltest/tsMuxer/tsMuxer/main.cpp:114:34
#7 0x6c76ef in main /afltest/tsMuxer/tsMuxer/main.cpp:689:17
#8 0x7ffff798b082 in __libc_start_main /build/glibc-BHL3KM/glibc-2.31/csu/…/csu/libc-start.c:308:16

SUMMARY: AddressSanitizer: alloc-dealloc-mismatch (/afltest/tsMuxer/tsMuxer/tsmuxer+0x5d946d) in operator delete(void*)
==4087327==HINT: if you don't care about these errors you may set ASAN_OPTIONS=alloc_dealloc_mismatch=0
==4087327==ABORTING
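The two stacks in the report pair operator new[] in matroska_add_stream() with a scalar operator delete in readClose(), which the destructor calls. That combination is undefined behaviour even when it appears to work: with glibc and a trivially destructible element type both paths usually reach the same free(), so the bug survives ordinary testing and only surfaces under ASan, or when the element type has a non-trivial destructor and new[] stores an element-count cookie in front of the array, at which point delete frees a pointer malloc never returned. The C++ below is an added illustration, not tsMuxer's code: the TrackInfo struct, class names and sizes are invented (the struct is sized to the 184 bytes the report mentions only to make the analogy concrete). It shows the buggy pattern next to two fixes, the one-token change to delete[] and a std::unique_ptr<T[]> member that makes the mismatch impossible to write.

```cpp
// Added example: constructed analogue of a new[]/delete mismatch.
// Nothing here is tsMuxer code; names, layout and sizes are invented.
#include <cstddef>
#include <cstdint>
#include <memory>
#include <utility>

// Hypothetical per-track record, sized to the 184-byte region in the report.
struct TrackInfo {
    uint32_t id = 0;
    uint32_t codec = 0;
    uint8_t  codec_private[176] = {};
};
static_assert(sizeof(TrackInfo) == 184, "layout chosen to mirror the reported region size");

// BUGGY: operator new[] in the "add stream" path, scalar operator delete in
// the "close" path. Undefined behaviour; ASan reports alloc-dealloc-mismatch
// at the delete. Not exercised below: run it only under -fsanitize=address.
class LeakyDemuxer {
public:
    void addStream(uint32_t id) {
        tracks_ = new TrackInfo[1];   // operator new[] (allocation site)
        tracks_[0].id = id;
    }
    void readClose() {
        delete tracks_;               // scalar delete on new[] memory: the bug
        tracks_ = nullptr;
    }
    ~LeakyDemuxer() { readClose(); }
private:
    TrackInfo* tracks_ = nullptr;
};

// MINIMAL FIX: same structure, deallocator now matches the allocator, and
// readClose() is idempotent so an explicit call plus the destructor's call is safe.
class MinimalFixDemuxer {
public:
    void addStream(uint32_t id) {
        tracks_ = new TrackInfo[1];
        tracks_[0].id = id;
    }
    // Returns true if this call actually released storage.
    bool readClose() {
        if (tracks_ == nullptr) return false;
        delete[] tracks_;             // matches operator new[]
        tracks_ = nullptr;
        return true;
    }
    ~MinimalFixDemuxer() { readClose(); }
private:
    TrackInfo* tracks_ = nullptr;
};

// TYPE-SAFE FIX: std::unique_ptr<T[]> always releases with delete[], and its
// raw pointer cannot be handed to a scalar delete by accident.
class SafeDemuxer {
public:
    // Grows the track array by one (copying existing entries); returns the new count.
    std::size_t addStream(uint32_t id) {
        auto grown = std::make_unique<TrackInfo[]>(count_ + 1);
        for (std::size_t i = 0; i < count_; ++i) grown[i] = tracks_[i];
        grown[count_].id = id;
        tracks_ = std::move(grown);
        return ++count_;
    }
    // Releases all tracks; returns how many were released (0 on a repeat call).
    std::size_t readClose() {
        std::size_t released = count_;
        tracks_.reset();              // delete[] selected by the smart pointer's type
        count_ = 0;
        return released;
    }
    std::size_t trackCount() const { return count_; }
    // No user-written destructor: the member releases with delete[] on its own.
private:
    std::unique_ptr<TrackInfo[]> tracks_;
    std::size_t count_ = 0;
};

// Explicit close followed by a second close (as a destructor would do) must be harmless.
bool minimalFixDoubleCloseIsSafe() {
    MinimalFixDemuxer m;
    m.addStream(7);
    bool first = m.readClose();
    bool second = m.readClose();
    return first && !second;
}

std::size_t safeDemuxerTracksReleased() {
    SafeDemuxer s;
    s.addStream(1);
    s.addStream(2);
    return s.readClose();
}

int main() {
    return (minimalFixDoubleCloseIsSafe() && safeDemuxerTracksReleased() == 2) ? 0 : 1;
}
```

Build with `-fsanitize=address` and call LeakyDemuxer once to see the same alloc-dealloc-mismatch report shape as above; the fixed classes produce no report. Note that the HINT in the log, `ASAN_OPTIONS=alloc_dealloc_mismatch=0`, only silences the check and leaves the undefined behaviour in place.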

Location

0x610000000040 is located 0 bytes inside of 184-byte region [0x610000000040,0x6100000000f8)
allocated by thread T0 here:
#0 0x5d8d1d in operator new[](unsigned long) (/afltest/tsMuxer/tsMuxer/tsmuxer+0x5d8d1d)
#1 0x6f3be7 in MatroskaDemuxer::matroska_add_stream() /afltest/tsMuxer/tsMuxer/matroskaDemuxer.cpp:1893:53
#2 0x6ee754 in MatroskaDemuxer::matroska_parse_tracks() /afltest/tsMuxer/tsMuxer/matroskaDemuxer.cpp:1746:19
#3 0x6e9989 in MatroskaDemuxer::matroska_read_header() /afltest/tsMuxer/tsMuxer/matroskaDemuxer.cpp:1228:19
#4 0x6e7b5a in MatroskaDemuxer::openFile(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /afltest/tsMuxer/tsMuxer/matroskaDemuxer.cpp:1027:5
#5 0x73c0d9 in METADemuxer::DetectStreamReader(BufferedReaderManager const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, bool) /afltest/tsMuxer/tsMuxer/metaDemuxer.cpp:608:18
#6 0x6bb225 in detectStreamReader(char const*, MPLSParser*, bool) /afltest/tsMuxer/tsMuxer/main.cpp:114:34
#7 0x6c76ef in main /afltest/tsMuxer/tsMuxer/main.cpp:689:17
#8 0x7ffff798b082 in __libc_start_main /build/glibc-BHL3KM/glibc-2.31/csu/…/csu/libc-start.c:308:16

Destructor of class MatroskaDemuxer:

Version

./tsmuxer --version
tsMuxeR version git-2539d07. github.com/justdan96/tsMuxer

tsMuxeR version git-2539d07 is the latest version.

Reference

https://github.com/justdan96/tsMuxer

Actual Behavior

Alloc-dealloc-mismatch

PoC

PocTsmuxer.mkv: https://github.com/Frank-Z7/z-vulnerabilitys/blob/main/PocTsmuxer.mkv

Reproduction

cd tsMuxer
./tsMuxer/tsmuxer PocTsmuxer.mkv

Environment

ubuntu:20.04
gcc version 9.4.0 (Ubuntu 9.4.0-1ubuntu1~20.04.2)
clang version 10.0.0-4ubuntu1
afl-cc++4.09

Credit

Zeng Yunxiang ([Huazhong University of Science and Technology](http://cse.hust.edu.cn/))
