Certain The MPlayer Project products are vulnerable to Buffer Overflow via read_avi_header() of libmpdemux/aviheader.c . This affects mplayer SVN-r38374-13.0.1 and mencoder SVN-r38374-13.0.1.

**#2403 closed defect (fixed)**

Reported by:

Owned by:

beastd

Priority:

normal

Component:

undetermined

Version:

HEAD

Severity:

major

Keywords:

Cc:

Blocked By:

Blocking:

Reproduced by developer:

no

Analyzed by developer:

no

Version: SVN-r38374-13.0.1  

Build command: ../configure --disable-ffmpeg\_a && make (compiling with asan)  

Summary of the bug: An heap-buffer-overflow is found in fucnction read\_avi\_header () which affects mencoder and mplayer The attached file can reproduce this issue (ASAN-recompilation is needed).  

How to reproduce:  

1.Command: ./mencoder -ovc lavc -oac lavc -o /dev/null ./testcase  

> ./mplayer ./testcase  

2.Result:  

MPlayer SVN-r38374-9 (C) 2000-2022 MPlayer Team

Playing /home/jlx/crashes/id^%000059,sig^%06,src^%001757,time^%15822098,execs^%776566,op^%havoc,rep^%2.
libavformat version 58.29.100 (external)
AVI file format detected.
\[aviheader\] Video stream found, -vid 0
\[aviheader\] Audio stream found, -aid 1


MPlayer interrupted by signal 11 in module: demux\_open
- MPlayer crashed by bad usage of CPU/FPU/RAM.
  Recompile MPlayer with --enable-debug and make a 'gdb' backtrace and
  disassembly. Details in DOCS/HTML/en/bugreports\_what.html#bugreports\_crash.
- MPlayer crashed. This shouldn't happen.
  It can be a bug in the MPlayer code \_or\_ in your drivers \_or\_ in your
  gcc version. If you think it's MPlayer's fault, please read
  DOCS/HTML/en/bugreports.html and follow the instructions there. We can't and
  won't help unless you provide this information when reporting a possible bug.

MPlayer SVN-r38374-13.0.1 (C) 2000-2022 MPlayer Team

Playing /home/jlx/crashes/id^%000059,sig^%06,src^%001757,time^%15822098,execs^%776566,op^%havoc,rep^%2.
libavformat version 58.29.100 (external)
AVI file format detected.
\[aviheader\] Video stream found, -vid 0
=================================================================
==7938==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000002db0 at pc 0x55c64191557c bp 0x7ffcdbc68090 sp 0x7ffcdbc68088
READ of size 4 at 0x602000002db0 thread T0
    #0 0x55c64191557b in read\_avi\_header /home/jlx/good\_mplayer/mplayer/libmpdemux/aviheader.c:364:12
    #1 0x55c641948cbe in demux\_open\_avi /home/jlx/good\_mplayer/mplayer/libmpdemux/demux\_avi.c:464:3
    #2 0x55c641948cbe in demux\_open\_hack\_avi /home/jlx/good\_mplayer/mplayer/libmpdemux/demux\_avi.c:885:14
    #3 0x55c641921f37 in demux\_open /home/jlx/good\_mplayer/mplayer/libmpdemux/demuxer.c:1294:10
    #4 0x55c6416232ed in main /home/jlx/good\_mplayer/mplayer/mplayer.c:3383:22
    #5 0x7fa5a6c780b2 in \_\_libc\_start\_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16

0x602000002db0 is located 31 bytes to the right of 1-byte region \[0x602000002d90,0x602000002d91)
allocated by thread T0 here:
    #0 0x55c6415c81cd in malloc (/home/jlx/good\_mplayer/asan\_mplayer/mplayer+0x3431cd)
    #1 0x55c64190a934 in read\_avi\_header /home/jlx/good\_mplayer/mplayer/libmpdemux/aviheader.c:358:26
    #2 0x55c641948cbe in demux\_open\_avi /home/jlx/good\_mplayer/mplayer/libmpdemux/demux\_avi.c:464:3
    #3 0x55c641948cbe in demux\_open\_hack\_avi /home/jlx/good\_mplayer/mplayer/libmpdemux/demux\_avi.c:885:14
    #4 0x55c641921f37 in demux\_open /home/jlx/good\_mplayer/mplayer/libmpdemux/demuxer.c:1294:10
    #5 0x55c6416232ed in main /home/jlx/good\_mplayer/mplayer/mplayer.c:3383:22
    #6 0x7fa5a6c780b2 in \_\_libc\_start\_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/jlx/good\_mplayer/mplayer/libmpdemux/aviheader.c:364:12 in read\_avi\_header
Shadow bytes around the buggy address:
  0x0c047fff8560: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 00
  0x0c047fff8570: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 00
  0x0c047fff8580: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 00
  0x0c047fff8590: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 00
  0x0c047fff85a0: fa fa 00 00 fa fa 00 00 fa fa 06 fa fa fa fd fd
=>0x0c047fff85b0: fa fa 01 fa fa fa\[fa\]fa fa fa fa fa fa fa fa fa
  0x0c047fff85c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff85d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff85e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff85f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8600: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==7938==ABORTING

MEncoder SVN-r38374-13.0.1 (C) 2000-2022 MPlayer Team
success: format: 0  data: 0x0 - 0x2aa3
libavformat version 58.29.100 (external)
AVI file format detected.
\[aviheader\] Video stream found, -vid 0
=================================================================
==6848==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000004370 at pc 0x55e9886b95dc bp 0x7fffc79a7df0 sp 0x7fffc79a7de8
READ of size 4 at 0x602000004370 thread T0
    #0 0x55e9886b95db in read\_avi\_header /home/jlx/good\_mplayer/mplayer/libmpdemux/aviheader.c:364:12
    #1 0x55e9886ecd1e in demux\_open\_avi /home/jlx/good\_mplayer/mplayer/libmpdemux/demux\_avi.c:464:3
    #2 0x55e9886ecd1e in demux\_open\_hack\_avi /home/jlx/good\_mplayer/mplayer/libmpdemux/demux\_avi.c:885:14
    #3 0x55e9886c5f97 in demux\_open /home/jlx/good\_mplayer/mplayer/libmpdemux/demuxer.c:1294:10
    #4 0x55e9884711f3 in main /home/jlx/good\_mplayer/mplayer/mencoder.c:707:11
    #5 0x7f4b98de10b2 in \_\_libc\_start\_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16

0x602000004370 is located 31 bytes to the right of 1-byte region \[0x602000004350,0x602000004351)
allocated by thread T0 here:
    #0 0x55e98843e43d in malloc (/home/jlx/good\_mplayer/asan\_mplayer/mencoder+0x1a643d)
    #1 0x55e9886ae994 in read\_avi\_header /home/jlx/good\_mplayer/mplayer/libmpdemux/aviheader.c:358:26
    #2 0x55e9886ecd1e in demux\_open\_avi /home/jlx/good\_mplayer/mplayer/libmpdemux/demux\_avi.c:464:3
    #3 0x55e9886ecd1e in demux\_open\_hack\_avi /home/jlx/good\_mplayer/mplayer/libmpdemux/demux\_avi.c:885:14
    #4 0x55e9886c5f97 in demux\_open /home/jlx/good\_mplayer/mplayer/libmpdemux/demuxer.c:1294:10
    #5 0x55e9884711f3 in main /home/jlx/good\_mplayer/mplayer/mencoder.c:707:11
    #6 0x7f4b98de10b2 in \_\_libc\_start\_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/jlx/good\_mplayer/mplayer/libmpdemux/aviheader.c:364:12 in read\_avi\_header
Shadow bytes around the buggy address:
  0x0c047fff8810: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 00
  0x0c047fff8820: fa fa 06 fa fa fa 06 fa fa fa 04 fa fa fa 04 fa
  0x0c047fff8830: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 00
  0x0c047fff8840: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 00
  0x0c047fff8850: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 00
=>0x0c047fff8860: fa fa 00 00 fa fa fd fd fa fa 01 fa fa fa\[fa\]fa
  0x0c047fff8870: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8880: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8890: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff88a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff88b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==6848==ABORTING

CVE-2022-38866: #2403 (A heap-buffer-overflow occurred in function read_avi_header() of libmpdemux/aviheader.c) – MPlayer

Certain The MPlayer Project products are vulnerable to Buffer Overflow via the function mp_unescape03() of libmpdemux/mpeg_hdr.c. This affects mencoder SVN-r38374-13.0.1 and mplayer SVN-r38374-13.0.1.

**#2406 closed defect (fixed)**

Reported by:

Owned by:

beastd

Priority:

normal

Component:

undetermined

Version:

HEAD

Severity:

major

Keywords:

Cc:

Blocked By:

Blocking:

Reproduced by developer:

no

Analyzed by developer:

no

Version: SVN-r38374-13.0.1  

Build command: ../configure --disable-ffmpeg\_a && make (compiling with asan)  

Summary of the bug: An heap-buffer-overflow is found in fucnction in mp\_unescape03() which affects mencoder and mplayer. The attached file can reproduce this issue (ASAN-recompilation is needed).  

How to reproduce:  

1.Command: ./mencoder -ovc lavc -oac lavc -o /dev/null ./testcase  

> ./mplayer ./testcase  

2.Result:  

MPlayer SVN-r38374-13.0.1 (C) 2000-2022 MPlayer Team

Playing /home/jlx/crashes/id^%000298,sig^%06,src^%003761,time^%206364090,execs^%10623748,op^%havoc,rep^%8.
libavformat version 58.29.100 (external)
MPEG-PS file format detected.
MPEG: No audio stream found -> no sound.
=================================================================
==22224==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000002d91 at pc 0x555555d38dcd bp 0x7fffffffc4a0 sp 0x7fffffffc498                                                                                                                                                                               WRITE of size 1 at 0x602000002d91 thread T0
    #0 0x555555d38dcc in mp\_unescape03 /home/jlx/good\_mplayer/mplayer/libmpdemux/mpeg\_hdr.c:394:13
    #1 0x555555d38dcc in h264\_parse\_sps /home/jlx/good\_mplayer/mplayer/libmpdemux/mpeg\_hdr.c:406:9

0x602000002d91 is located 0 bytes to the right of 1-byte region \[0x602000002d90,0x602000002d91)                                                                                                                                                                                                                         allocated by thread T0 here:
    #0 0x5555558971cd in malloc (/home/jlx/good\_mplayer/asan\_mplayer/mplayer+0x3431cd)
    #1 0x555555d34e40 in h264\_parse\_sps /home/jlx/good\_mplayer/mplayer/libmpdemux/mpeg\_hdr.c:404:18                                                                                                                                                                                                                     
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/jlx/good\_mplayer/mplayer/libmpdemux/mpeg\_hdr.c:394:13 in mp\_unescape03                                                                                                                                                                                            Shadow bytes around the buggy address:
  0x0c047fff8560: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 00
  0x0c047fff8570: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 00
  0x0c047fff8580: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 00
  0x0c047fff8590: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 00
  0x0c047fff85a0: fa fa 00 00 fa fa 00 00 fa fa 06 fa fa fa fd fd
=>0x0c047fff85b0: fa fa\[01\]fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff85c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff85d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff85e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff85f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8600: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==22224==ABORTING

CVE-2022-38864: #2406 (A heap-buffer-overflow occurred in function mp_unescape03() of libmpdemux/mpeg_hdr.c) – MPlayer

Certain The MPlayer Project products are vulnerable to Buffer Overflow via function asf_init_audio_stream() of libmpdemux/asfheader.c. This affects mplayer SVN-r38374-13.0.1 and mencoder SVN-r38374-13.0.1.

**#2398 closed defect (fixed)**

Reported by:

Owned by:

beastd

Priority:

normal

Component:

undetermined

Version:

HEAD

Severity:

major

Keywords:

Cc:

Blocked By:

Blocking:

Reproduced by developer:

no

Analyzed by developer:

no

Version: SVN-r38374-13.0.1  

Build command: ../configure --disable-ffmpeg\_a && make (compiling with asan)  

Summary of the bug: An heap-buffer-overflow is found in fucnction asf\_init\_audio\_stream() which affects mplayer and mencoder. The attached file can reproduce this issue (ASAN-recompilation is needed).  

How to reproduce:  

1.Command: ./mplayer testcase  

2.Result:  

MPlayer SVN-r38374-13.0.1 (C) 2000-2022 MPlayer Team

Playing 
libavformat version 58.29.100 (external)
ASF file format detected.
\[asfheader\] Audio stream found, -aid 21
=================================================================
==6235==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x615000000261 at pc 0x559f0c51f2c2 bp 0x7ffcb2476300 sp 0x7ffcb24762f8
READ of size 1 at 0x615000000261 thread T0
    #0 0x559f0c51f2c1 in asf\_init\_audio\_stream /home/jlx/good\_mplayer/mplayer/libmpdemux/asfheader.c:359:24

0x615000000261 is located 0 bytes to the right of 481-byte region \[0x615000000080,0x615000000261)
allocated by thread T0 here:
    #0 0x559f0c1e01cd in malloc (/home/jlx/good\_mplayer/asan\_mplayer/mplayer+0x3431cd)
    #1 0x559f0c51a6e0 in read\_asf\_header /home/jlx/good\_mplayer/mplayer/libmpdemux/asfheader.c:406:9
    #2 0x559f0c549e53 in demux\_open\_asf /home/jlx/good\_mplayer/mplayer/libmpdemux/demux\_asf.c:629:10

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/jlx/good\_mplayer/mplayer/libmpdemux/asfheader.c:359:24 in asf\_init\_audio\_stream
Shadow bytes around the buggy address:
  0x0c2a7fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c2a7fff8000: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2a7fff8010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c2a7fff8020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c2a7fff8030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c2a7fff8040: 00 00 00 00 00 00 00 00 00 00 00 00\[01\]fa fa fa
  0x0c2a7fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2a7fff8060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2a7fff8070: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2a7fff8080: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2a7fff8090: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==6235==ABORTING

CVE-2022-38853: #2398 (A heap-buffer-overflow occurred in function asf_init_audio_stream() of libmpdemux/asfheader.c) – MPlayer

Certain The MPlayer Project products are vulnerable to Buffer Overflow via function mp_getbits() of libmpdemux/mpeg_hdr.c which affects mencoder and mplayer. This affects mecoder SVN-r38374-13.0.1 and mplayer SVN-r38374-13.0.1.

**#2405 closed defect (fixed)**

Reported by:

Owned by:

beastd

Priority:

normal

Component:

undetermined

Version:

HEAD

Severity:

major

Keywords:

Cc:

Blocked By:

Blocking:

Reproduced by developer:

no

Analyzed by developer:

no

Version: SVN-r38374-13.0.1  

Build command: ../configure --disable-ffmpeg\_a && make (compiling with asan)  

Summary of the bug: An heap-buffer-overflow is found in fucnction mp\_getbits() which affects mencoder and mplayer. The attached file can reproduce this issue (ASAN-recompilation is needed).  

How to reproduce:  

1.Command: ./mencoder -ovc lavc -oac lavc -o /dev/null ./testcase  

> ./mplayer ./testcase  

2.Result:  

MPlayer SVN-r38374-13.0.1 (C) 2000-2022 MPlayer Team

Playing /home/jlx/crashes/id^%000297,sig^%06,src^%003761,time^%206342676,execs^%10621452,op^%havoc,rep^%8.
libavformat version 58.29.100 (external)
MPEG-PS file format detected.
MPEG: No audio stream found -> no sound.
=================================================================
==1487==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000002d98 at pc 0x555555d3906e bp 0x7fffffffc4a0 sp 0x7fffffffc498
READ of size 1 at 0x602000002d98 thread T0
    #0 0x555555d3906d in mp\_getbits /home/jlx/good\_mplayer/mplayer/libmpdemux/mpeg\_hdr.c:174:12
    #1 0x555555d3906d in read\_golomb /home/jlx/good\_mplayer/mplayer/libmpdemux/mpeg\_hdr.c:296:10
    #2 0x555555d3906d in read\_golomb\_s /home/jlx/good\_mplayer/mplayer/libmpdemux/mpeg\_hdr.c:314:20
    #3 0x555555d3906d in h264\_parse\_sps /home/jlx/good\_mplayer/mplayer/libmpdemux/mpeg\_hdr.c:424:22

0x602000002d98 is located 0 bytes to the right of 8-byte region \[0x602000002d90,0x602000002d98)
allocated by thread T0 here:
    #0 0x5555558971cd in malloc (/home/jlx/good\_mplayer/asan\_mplayer/mplayer+0x3431cd)
    #1 0x555555d34e40 in h264\_parse\_sps /home/jlx/good\_mplayer/mplayer/libmpdemux/mpeg\_hdr.c:404:18

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/jlx/good\_mplayer/mplayer/libmpdemux/mpeg\_hdr.c:174:12 in mp\_getbits
Shadow bytes around the buggy address:
  0x0c047fff8560: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 00
  0x0c047fff8570: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 00
  0x0c047fff8580: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 00
  0x0c047fff8590: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 00
  0x0c047fff85a0: fa fa 00 00 fa fa 00 00 fa fa 06 fa fa fa fd fd
=>0x0c047fff85b0: fa fa 00\[fa\]fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff85c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff85d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff85e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff85f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8600: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==1487==ABORTING

CVE-2022-38863: #2405 (A heap-buffer-overflow occurred in function mp_getbits() of libmpdemux/mpeg_hdr.c) – MPlayer

Certain The MPlayer Project products are vulnerable to Buffer Overflow via function gen_sh_video () of mplayer/libmpdemux/demux_mov.c. This affects mplayer SVN-r38374-13.0.1 and mencoder SVN-r38374-13.0.1.

Version: SVN-r38374-13.0.1  

Build command: ../configure --disable-ffmpeg\_a && make (compiling with asan)  

Summary of the bug: A heap-buffer-overflow read is found in fucnction gen\_sh\_video() which affects mplayer and mencoder. The attached file can reproduce this issue (ASAN-recompilation is needed) And this vulnerability can cause the crash of mplayer.  

How to reproduce:  

Command: ./mplayer testcase  

Result:  

MPlayer SVN-r38374-13.0.1 (C) 2000-2022 MPlayer Team

Playing /home/jlx/crashes/testcase\_2.
libavformat version 58.29.100 (external)
libavformat file format detected.
\[mov,mp4,m4a,3gp,3g2,mj2 @ 0x7fa0616d6600\]STSC entry 2 is invalid (first=4 count=14 id=1)
\[mov,mp4,m4a,3gp,3g2,mj2 @ 0x7fa0616d6600\]STSC entry 1 is invalid (first=918905090 count=15 id=1)
\[mov,mp4,m4a,3gp,3g2,mj2 @ 0x7fa0616d6600\]STSC entry 0 is invalid (first=1 count=109 id=-894264234)
\[mov,mp4,m4a,3gp,3g2,mj2 @ 0x7fa0616d6600\]Invalid sample size -16777051
\[mov,mp4,m4a,3gp,3g2,mj2 @ 0x7fa0616d6600\]error reading header
LAVF\_header: av\_open\_input\_stream() failed
Quicktime/MOV file format detected.
MOV: durmap and chunkmap sample count differ (90 vs 654)
MOV: durmap or chunkmap bigger than sample count (654 vs 90)
\[mov\] Video stream found, -vid 0
=================================================================
==12558==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60d00000fbf3 at pc 0x557c16d634c3 bp 0x7fffa25ba210 sp 0x7fffa25ba208
READ of size 1 at 0x60d00000fbf3 thread T0
    #0 0x557c16d634c2 in gen\_sh\_video /home/jlx/good\_mplayer/mplayer/libmpdemux/demux\_mov.c:1103:86
    #1 0x557c16d634c2 in lschunks /home/jlx/good\_mplayer/mplayer/libmpdemux/demux\_mov.c:1344:3
    #2 0x557c16d4e88c in mov\_read\_header /home/jlx/good\_mplayer/mplayer/libmpdemux/demux\_mov.c:1961:5

Address 0x60d00000fbf3 is a wild pointer inside of access range of size 0x000000000001.
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/jlx/good\_mplayer/mplayer/libmpdemux/demux\_mov.c:1103:86 in gen\_sh\_video
Shadow bytes around the buggy address:
  0x0c1a7fff9f20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1a7fff9f30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1a7fff9f40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1a7fff9f50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1a7fff9f60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c1a7fff9f70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa\[fa\]fa
  0x0c1a7fff9f80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1a7fff9f90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1a7fff9fa0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1a7fff9fb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1a7fff9fc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==12558==ABORTING

Crash result:  

MPlayer SVN-r38374-9 (C) 2000-2022 MPlayer Team

Playing /home/jlx/crashes/id^%000002,sig^%06,src^%000761,time^%3561338,execs^%127552,op^%havoc,rep^%4.
libavformat version 58.29.100 (external)
libavformat file format detected.
\[mov,mp4,m4a,3gp,3g2,mj2 @ 0x7fe319f34600\]STSC entry 2 is invalid (first=4 count=14 id=1)
\[mov,mp4,m4a,3gp,3g2,mj2 @ 0x7fe319f34600\]STSC entry 1 is invalid (first=918905090 count=15 id=1)
\[mov,mp4,m4a,3gp,3g2,mj2 @ 0x7fe319f34600\]STSC entry 0 is invalid (first=1 count=109 id=-894264234)
\[mov,mp4,m4a,3gp,3g2,mj2 @ 0x7fe319f34600\]Invalid sample size -16777051
\[mov,mp4,m4a,3gp,3g2,mj2 @ 0x7fe319f34600\]error reading header
LAVF\_header: av\_open\_input\_stream() failed
Quicktime/MOV file format detected.
MOV: durmap and chunkmap sample count differ (90 vs 654)
MOV: durmap or chunkmap bigger than sample count (654 vs 90)
\[mov\] Video stream found, -vid 0


MPlayer interrupted by signal 11 in module: demux\_open
- MPlayer crashed by bad usage of CPU/FPU/RAM.
  Recompile MPlayer with --enable-debug and make a 'gdb' backtrace and
  disassembly. Details in DOCS/HTML/en/bugreports\_what.html#bugreports\_crash.
- MPlayer crashed. This shouldn't happen.
  It can be a bug in the MPlayer code \_or\_ in your drivers \_or\_ in your
  gcc version. If you think it's MPlayer's fault, please read
  DOCS/HTML/en/bugreports.html and follow the instructions there. We can't and
  won't help unless you provide this information when reporting a possible bug.

CVE-2022-38855: #2392 (A heap-buffer-overflow occurred in function gen_sh_video () of mplayer/libmpdemux/demux_mov.c) – MPlayer

Certain The MPlayer Project products are vulnerable to Buffer Overflow via function mov_build_index() of libmpdemux/demux_mov.c. This affects mplayer SVN-r38374-13.0.1 and mencoder SVN-r38374-13.0.1.

**#2396 closed defect (fixed)**

Reported by:

Owned by:

beastd

Priority:

normal

Component:

undetermined

Version:

HEAD

Severity:

major

Keywords:

Cc:

Blocked By:

Blocking:

Reproduced by developer:

no

Analyzed by developer:

no

Version: SVN-r38374-13.0.1  

Build command: ../configure --disable-ffmpeg\_a && make (compiling with asan)  

Summary of the bug: An heap-buffer-overflow is found in fucnction mov\_build\_index () which affects mplayer and mencoder. The attached file can reproduce this issue (ASAN-recompilation is needed).  

How to reproduce:  

1.Command: ./mplayer testcase  

2.Result:  

MPlayer SVN-r38374-13.0.1 (C) 2000-2022 MPlayer Team

Playing 
libavformat version 58.29.100 (external)
libavformat file format detected.
\[mov,mp4,m4a,3gp,3g2,mj2 @ 0x7f665a275600\]Version 22 is not implemented. Update your FFmpeg version to the newest one from Git. If the problem still occurs, it means that your file has a feature which has not been implemented.                                                                                                                                                    \[mov,mp4,m4a,3gp,3g2,mj2 @ 0x7f665a275600\]If you want to help, upload a sample of this file to ftp://upload.ffmpeg.org/incoming/ and contact the ffmpeg-devel mailing list. (ffmpeg-devel@ffmpeg.org)                                                                                                                                                                                 \[mov,mp4,m4a,3gp,3g2,mj2 @ 0x7f665a275600\]error reading header
LAVF\_header: av\_open\_input\_stream() failed
ISO: File Type Major Brand: Original QuickTime
Quicktime/MOV file format detected.
\[mov\] Video stream found, -vid 0
Warning! pts=-285211648  length=2048
MOV: durmap and chunkmap sample count differ (1 vs 2)
=================================================================
==24664==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x603000014580 at pc 0x563d661312e5 bp 0x7ffecfcd0050 sp 0x7ffecfcd0048
READ of size 4 at 0x603000014580 thread T0
    #0 0x563d661312e4 in mov\_build\_index /home/jlx/good\_mplayer/mplayer/libmpdemux/demux\_mov.c:302:110
    #1 0x563d661312e4 in lschunks /home/jlx/good\_mplayer/mplayer/libmpdemux/demux\_mov.c:1333:6
    #2 0x563d6611c88c in mov\_read\_header /home/jlx/good\_mplayer/mplayer/libmpdemux/demux\_mov.c:1961:5

0x603000014580 is located 0 bytes to the right of 32-byte region \[0x603000014560,0x603000014580)
allocated by thread T0 here:
    #0 0x563d65d5a362 in \_\_interceptor\_calloc (/home/jlx/good\_mplayer/asan\_mplayer/mplayer+0x343362)
    #1 0x563d661263f0 in lschunks\_intrak /home/jlx/good\_mplayer/mplayer/libmpdemux/demux\_mov.c:1820:25
    #2 0x563d661263f0 in lschunks /home/jlx/good\_mplayer/mplayer/libmpdemux/demux\_mov.c:1305:8
    #3 0x563d66123576 in lschunks\_intrak /home/jlx/good\_mplayer/mplayer/libmpdemux/demux\_mov.c
    #4 0x563d66123576 in lschunks /home/jlx/good\_mplayer/mplayer/libmpdemux/demux\_mov.c:1305:8
    #5 0x563d66123576 in lschunks\_intrak /home/jlx/good\_mplayer/mplayer/libmpdemux/demux\_mov.c
    #6 0x563d66123576 in lschunks /home/jlx/good\_mplayer/mplayer/libmpdemux/demux\_mov.c:1305:8
    #7 0x563d66123576 in lschunks\_intrak /home/jlx/good\_mplayer/mplayer/libmpdemux/demux\_mov.c
    #8 0x563d66123576 in lschunks /home/jlx/good\_mplayer/mplayer/libmpdemux/demux\_mov.c:1305:8
    #9 0x563d66124068 in lschunks /home/jlx/good\_mplayer/mplayer/libmpdemux/demux\_mov.c:1332:6
    #10 0x563d6611c88c in mov\_read\_header /home/jlx/good\_mplayer/mplayer/libmpdemux/demux\_mov.c:1961:5
                                                                                                                                                                                                                                                                                                                                                                                      SUMMARY: AddressSanitizer: heap-buffer-overflow /home/jlx/good\_mplayer/mplayer/libmpdemux/demux\_mov.c:302:110 in mov\_build\_index                                                                                                                                                                                                                                                      Shadow bytes around the buggy address:
  0x0c067fffa860: 00 fa fa fa fd fd fd fd fa fa fd fd fd fd fa fa
  0x0c067fffa870: fd fd fd fd fa fa fd fd fd fd fa fa fd fd fd fd
  0x0c067fffa880: fa fa fd fd fd fa fa fa fd fd fd fa fa fa fd fd
  0x0c067fffa890: fd fd fa fa fd fd fd fd fa fa 00 00 00 04 fa fa
  0x0c067fffa8a0: 00 00 00 fa fa fa 00 00 00 04 fa fa 00 00 00 00
=>0x0c067fffa8b0:\[fa\]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fffa8c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fffa8d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fffa8e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fffa8f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fffa900: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==24664==ABORTING

CVE-2022-38858: #2396 (A heap-buffer-overflow occurred in function mov_build_index() of libmpdemux/demux_mov.c) – MPlayer

Certain The MPlayer Project products are vulnerable to Divide By Zero via function demux_open_avi() of libmpdemux/demux_avi.c which affects mencoder. This affects mplayer SVN-r38374-13.0.1 and mencoder SVN-r38374-13.0.1.

**#2402 closed defect (duplicate)**

Reported by:

Owned by:

beastd

Priority:

normal

Component:

undetermined

Version:

HEAD

Severity:

major

Keywords:

Cc:

Blocked By:

Blocking:

Reproduced by developer:

no

Analyzed by developer:

no

Version: SVN-r38374-13.0.1  

Build command: ../configure --disable-ffmpeg\_a && make (compiling with asan)  

Summary of the bug: An division by zero is found in fucnction demux\_open\_avi () which affects mencoder and mplayer. The attached file can reproduce this issue (ASAN-recompilation is needed).  

How to reproduce:  

1.Command: ./mencoder -ovc lavc -oac lavc -o /dev/null ./testcase  

> ./mplayer ./testcase  

2.Result:  

MPlayer SVN-r38374-9 (C) 2000-2022 MPlayer Team

Playing /home/jlx/crashes/id^%000056,sig^%08,src^%001688,time^%14273883,execs^%697532,op^%havoc,rep^%2.
libavformat version 58.29.100 (external)
AVI file format detected.
\[aviheader\] Video stream found, -vid 0
\[aviheader\] Audio stream found, -aid 1
AVI: No audio stream found -> no sound.


MPlayer interrupted by signal 8 in module: demux\_open
- MPlayer crashed by bad usage of CPU/FPU/RAM.
  Recompile MPlayer with --enable-debug and make a 'gdb' backtrace and
  disassembly. Details in DOCS/HTML/en/bugreports\_what.html#bugreports\_crash.
- MPlayer crashed. This shouldn't happen.
  It can be a bug in the MPlayer code \_or\_ in your drivers \_or\_ in your
  gcc version. If you think it's MPlayer's fault, please read
  DOCS/HTML/en/bugreports.html and follow the instructions there. We can't and
  won't help unless you provide this information when reporting a possible bug.

MEncoder SVN-r38374-13.0.1 (C) 2000-2022 MPlayer Team
success: format: 0  data: 0x0 - 0x2ab4
libavformat version 58.29.100 (external)
AVI file format detected.
\[aviheader\] Video stream found, -vid 0
\[aviheader\] Audio stream found, -aid 1
AVI: No audio stream found -> no sound.
AddressSanitizer:DEADLYSIGNAL
=================================================================
==19160==ERROR: AddressSanitizer: FPE on unknown address 0x55eacc77d2e7 (pc 0x55eacc77d2e7 bp 0x000000000004 sp 0x7ffce604b120 T0)
    #0 0x55eacc77d2e7 in demux\_open\_avi /home/jlx/good\_mplayer/mplayer/libmpdemux/demux\_avi.c:571:42
    #1 0x55eacc77d2e7 in demux\_open\_hack\_avi /home/jlx/good\_mplayer/mplayer/libmpdemux/demux\_avi.c:885:14

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: FPE /home/jlx/good\_mplayer/mplayer/libmpdemux/demux\_avi.c:571:42 in demux\_open\_avi
==19160==ABORTING

Breakpoint 3, demux\_open\_avi (demuxer=<optimized out>) at libmpdemux/demux\_avi.c:571
571             asamples+=(len+priv->audio\_block\_size-1)/priv->audio\_block\_size;
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
───────────────────────────────────────────────────────────────────────\[ REGISTERS \]────────────────────────────────────────────────────────────────────────
 RAX  0x4
 RBX  0x55904d5f8d00 —▸ 0x55904d5f9410 ◂— 0xe1e1e1e1e1e1
 RCX  0x2fb
 RDX  0x4
 RDI  0x0
 RSI  0x55904d5f9440 ◂— 0x1062773130
 R8   0x1
 R9   0x0
 R10  0x55904d5f9470 ◂— 0x0
 R11  0x0
 R12  0x55904d5f73b0 —▸ 0x55904bcf5ec0 (demuxer\_desc\_avi) —▸ 0x55904bccffcc ◂— 'AVI demuxer'
 R13  0x55904d5f8c60 ◂— 0x0
 R14  0x55904d5f8d80 —▸ 0x55904d593400 ◂— 0x2fb00000000
 R15  0x0
 RBP  0x4
 RSP  0x7fff5a391720 —▸ 0x55904d593400 ◂— 0x2fb00000000
 RIP  0x55904bb55aa7 (demux\_open\_hack\_avi+1351) ◂— lea    eax, \[rax + r9 - 1\]
─────────────────────────────────────────────────────────────────────────\[ DISASM \]─────────────────────────────────────────────────────────────────────────
 ► 0x55904bb55aa7 <demux\_open\_hack\_avi+1351>    lea    eax, \[rax + r9 - 1\]
   0x55904bb55aac <demux\_open\_hack\_avi+1356>    xor    edx, edx
   0x55904bb55aae <demux\_open\_hack\_avi+1358>    div    r9d
    ↓
   0x55904bb55aae <demux\_open\_hack\_avi+1358>    div    r9d






─────────────────────────────────────────────────────────────────────\[ SOURCE (CODE) \]──────────────────────────────────────────────────────────────────────
In file: /home/jlx/good\_mplayer/mplayer/libmpdemux/demux\_avi.c
   566         vsize+=len;
   567         ++vsamples;
   568       }
   569       else if(d\_audio->id == id) {
   570         asize+=len;
 ► 571  asamples+=(len+priv->audio\_block\_size-1)/priv->audio\_block\_size;
   572       }
   573     }
   574     mp\_msg(MSGT\_DEMUX, MSGL\_V,
   575            "AVI video size=%"PRId64" (%zu) audio size=%"PRId64" (%zu)\\n",
   576            vsize, vsamples, asize, asamples);
─────────────────────────────────────────────────────────────────────────\[ STACK \]──────────────────────────────────────────────────────────────────────────
00:0000│ rsp  0x7fff5a391720 —▸ 0x55904d593400 ◂— 0x2fb00000000
01:0008│      0x7fff5a391728 —▸ 0x55904d5f9430 ◂— 0x1062773130
02:0010│      0x7fff5a391730 —▸ 0x55904d5f8c60 ◂— 0x0
03:0018│      0x7fff5a391738 ◂— 0xffffffff
04:0020│      0x7fff5a391740 ◂— 0x62773130ffffffff
05:0028│      0x7fff5a391748 ◂— 0x588a634aec56d900
06:0030│      0x7fff5a391750 ◂— 0xffffffff
07:0038│      0x7fff5a391758 —▸ 0x55904bcf5ec0 (demuxer\_desc\_avi) —▸ 0x55904bccffcc ◂— 'AVI demuxer'
───────────────────────────────────────────────────────────────────────\[ BACKTRACE \]────────────────────────────────────────────────────────────────────────
 ► f 0     55904bb55aa7 demux\_open\_hack\_avi+1351
   f 1     55904bb55aa7 demux\_open\_hack\_avi+1351
   f 2     55904bb48743 demux\_open\_stream+931
   f 3     55904bb49231 demux\_open+753
   f 4     55904bac0642 main+1042
   f 5     7f7b8118c0b3 \_\_libc\_start\_main+243
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────

CVE-2022-38860: #2402 (A Division by zero occurred in function demux_open_avi() of libmpdemux/demux_avi.c) – MPlayer

The MPlayer Project mplayer SVN-r38374-13.0.1 is vulnerable to memory corruption via function free_mp_image() of libmpcodecs/mp_image.c.

**#2407 closed defect (fixed)**

Reported by:

Owned by:

beastd

Priority:

normal

Component:

undetermined

Version:

HEAD

Severity:

major

Keywords:

Cc:

Blocked By:

Blocking:

Reproduced by developer:

no

Analyzed by developer:

no

Version: SVN-r38374-13.0.1  

Build command: ../configure --disable-ffmpeg\_a && make (compiling with asan)  

Summary of the bug: I found a heap memory corruption crash when I tried to fuzz the mencoder.  

\[ … \]
1 duplicate frame(s)!                                                                                                                                                                                                                     Pos:   0.0s      3f (100%)  0.00fps Trem:   0min   0mb  A-V:0.000 \[0:0\]
Movie-Aspect is undefined - no prescaling applied.
Writing header...                                                                                                                                                                                                                         ODML: Aspect information not (yet?) available or unspecified, not writing vprp header.                                                                                                                                                    Writing header...
ODML: Aspect information not (yet?) available or unspecified, not writing vprp header.                                                                                                                                                    Writing header...
ODML: Aspect information not (yet?) available or unspecified, not writing vprp header.                                                                                                                                                    Writing header...                                                                                                                                                                                                                         ODML: Aspect information not (yet?) available or unspecified, not writing vprp header.                                                                                                                                                    Pos:   0.0s      4f (100%)  0.00fps Trem:   0min   0mb  A-V:0.000 \[0:0\]

Skipping frame!                                                                                                                                                                                                                           Pos:   0.0s      5f (100%)  0.00fps Trem:   0min   0mb  A-V:0.000 \[0:0\]
                                                                                                                                                                                                                                          Flushing video frames.
Writing index...                                                                                                                                                                                                                          Writing header...                                                                                                                                                                                                                         ODML: Aspect information not (yet?) available or unspecified, not writing vprp header.

Video stream: 743743.500 kbit/s  (92967937 B/s)  size: 16892 bytes  0.000 secs  5 frames                                                                                                                                                  double free or corruption (out)
Aborted         

But when I try to debug this crash to figure out the reason I find the free function’s argument is not a heap address. The pointer points to a block of memory which is full of 0x80.  

Breakpoint 1, free\_mp\_image (mpi=0x60e000000120) at libmpcodecs/mp\_image.c:271
271             av\_free(mpi->planes\[0\]);
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
───────────────────────────────────────────────────────────────────────────────────────\[ REGISTERS \]───────────────────────────────────────────────────────────────────────────────────────
 RAX  0x2b00
 RBX  0xc1c00000024 ◂— 0x0
 RCX  0x7fffed1ff800 ◂— 0xbfbebfbebebebebe
 RDX  0x1
 RDI  0x60e000000120 —▸ 0x40000c30f ◂— 0x0
 RSI  0x7fffee7f90e0 ◂— 0x0
 R8   0xd8
 R9   0x7fffee489708 —▸ 0x555555857598 (uninit\_video+216) ◂— mov    qword ptr \[rip + 0xf57d5d\], 0
 R10  0x7fffffffcd20 —▸ 0x555555857598 (uninit\_video+216) ◂— mov    qword ptr \[rip + 0xf57d5d\], 0
 R11  0x20
 R12  0x0
 R13  0xffffffffad5 ◂— 0x0
 R14  0x555555ec7fa0 (\_\_afl\_area\_ptr) —▸ 0x7fffed1ff800 ◂— 0xbfbebfbebebebebe
 R15  0x60e000000120 —▸ 0x40000c30f ◂— 0x0
 RBP  0x7fffffffdda0 ◂— 0x0
 RSP  0x7fffffffd5e0 —▸ 0x616000000380 —▸ 0x555555e1c380 (vf\_info\_expand) —▸ 0x555555d82360 (str) ◂— 'expanding & osd'                                                                                                                                                                                                                                                                 RIP  0x55555585ec3b (free\_mp\_image+107) ◂— lea    rdi, \[r15 + 0x30\]
────────────────────────────────────────────────────────────────────────────────────────────────────────────────\[ DISASM \]────────────────────────────────────────────────────────────────────────────────────────────────────────────────                                                                                                                                             ► 0x55555585ec3b <free\_mp\_image+107>    lea    rdi, \[r15 + 0x30\]
   0x55555585ec3f <free\_mp\_image+111>    mov    rax, rdi
   0x55555585ec42 <free\_mp\_image+114>    shr    rax, 3
   0x55555585ec46 <free\_mp\_image+118>    cmp    byte ptr \[rax + 0x7fff8000\], 0
   0x55555585ec4d <free\_mp\_image+125>    jne    free\_mp\_image+294 <free\_mp\_image+294>

   0x55555585ec53 <free\_mp\_image+131>    mov    rdi, qword ptr \[r15 + 0x30\]
   0x55555585ec57 <free\_mp\_image+135>    call   av\_free@plt <av\_free@plt>

   0x55555585ec5c <free\_mp\_image+140>    mov    al, byte ptr \[rbx + 0x7fff8000\]
   0x55555585ec62 <free\_mp\_image+146>    test   al, al
   0x55555585ec64 <free\_mp\_image+148>    jne    free\_mp\_image+269 <free\_mp\_image+269>
                                                                                                                                                                                                                                                                                                                                                                                         0x55555585ec66 <free\_mp\_image+150>    test   byte ptr \[r15 + 1\], 8                                                                                                                                                                                                                                                                                                                 ────────────────────────────────────────────────────────────────────────────────────────────────────────────\[ SOURCE (CODE) \]─────────────────────────────────────────────────────────────────────────────────────────────────────────────                                                                                                                                            In file: /home/jlx/good\_mplayer/asan\_mplayer/libmpcodecs/mp\_image.c                                                                                                                                                                                                                                                                                                                      266
   267 void free\_mp\_image(mp\_image\_t\* mpi){
   268     if(!mpi) return;
   269     if(mpi->flags&MP\_IMGFLAG\_ALLOCATED){
   270         /\* because we allocate the whole image at once \*/
 ► 271         av\_free(mpi->planes\[0\]);
   272         if (mpi->flags & MP\_IMGFLAG\_RGB\_PALETTE)
   273             av\_free(mpi->planes\[1\]);
   274     }
   275     free(mpi);
   276 }
────────────────────────────────────────────────────────────────────────────────────────────────────────────────\[ STACK \]─────────────────────────────────────────────────────────────────────────────────────────────────────────────────                                                                                                                                            00:0000│ rsp  0x7fffffffd5e0 —▸ 0x616000000380 —▸ 0x555555e1c380 (vf\_info\_expand) —▸ 0x555555d82360 (str) ◂— 'expanding & osd'                                                                                                                                                                                                                                                        01:0008│      0x7fffffffd5e8 —▸ 0x555555ec7fa0 (\_\_afl\_area\_ptr) —▸ 0x7fffed1ff800 ◂— 0xbfbebfbebebebebe
02:0010│      0x7fffffffd5f0 —▸ 0x616000000080 —▸ 0x555555e0b5c0 (ve\_info\_lavc) —▸ 0x555555c7b640 (str) ◂— 'libavcodec encoder'                                                                                                                                                                                                                                                       03:0018│      0x7fffffffd5f8 —▸ 0x55555587b998 (vf\_uninit\_filter\_chain+200) ◂— lea    rdi, \[rbx + 0x68\]
04:0020│      0x7fffffffd600 —▸ 0x61a000001130 —▸ 0x616000000380 —▸ 0x555555e1c380 (vf\_info\_expand) —▸ 0x555555d82360 (str) ◂— ...                                                                                                                                                                                                                                                    05:0028│      0x7fffffffd608 —▸ 0x61a000000c94 ◂— 0x1
06:0030│      0x7fffffffd610 —▸ 0xc3400000192 ◂— 0x0
07:0038│      0x7fffffffd618 —▸ 0x5555558575c6 (uninit\_video+262) ◂— call   0x555555af5820
──────────────────────────────────────────────────────────────────────────────────────────────────────────────\[ BACKTRACE \]───────────────────────────────────────────────────────────────────────────────────────────────────────────────                                                                                                                                             ► f 0     55555585ec3b free\_mp\_image+107
   f 1     55555587b998 vf\_uninit\_filter\_chain+200
   f 2     55555587b998 vf\_uninit\_filter\_chain+200
   f 3     5555558575c6 uninit\_video+262
   f 4     555555737d1b main+47819
   f 5     7ffff55070b3 \_\_libc\_start\_main+243
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────                                                                                                                                            pwndbg> p mpi->planes\[0\]
$4 = (unsigned char \*) 0x7fffeb6cb040 '\\200' <repeats 200 times>...
pwndbg> vmmap 0x7fffeb6cb040
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
    0x7fffeb490000     0x7fffebf19000 rw-p   a89000 0       +0x23b040

How to reproduce:  

1.Command: ./mencoder -ovc lavc -oac lavc -o /dev/null ./testcase

CVE-2022-38861: #2407 (A heap memory corruption occurred in function free_mp_image() of libmpcodecs/mp_image.c) – MPlayer

Solution addresses compliance challenges in complex landscapes

**Ashburn, Va. – September 15, 2022** – Telos Corporation (NASDAQ: TLS), a leading provider of cyber, cloud and enterprise security solutions for the world’s most security-conscious organizations, is pleased to announce a collaboration with IBM Security as part of IBM’s Active Governance Services (AGS) that allows enterprises to operationalize and automate activities and solve challenges in cybersecurity compliance and regulatory risks.

“The number of global, national and local compliance requirements are increasing, which means enterprises now have massive amounts of security controls to implement, test and report on,” said John B. Wood, Telos CEO and chairman. “Telos and IBM Security are excited to address this issue together by leveraging our combined and extensive expertise in IT risk management and compliance to create efficiency out of chaos and offer effective solutions to the audit fatigue issue.”

AGS helps organizations overcome the challenges and costs associated with regulatory compliance, especially audit fatigue. According to a 2020 study, organizations, on average, must comply with 13 different IT security compliance and privacy regulations, which requires a team of 22 dedicated staff members and results in 58 working days per quarter spent responding to audit evidence requests. Beyond audit fatigue, the study also found that 86% of respondents believed compliance is or will be an issue when moving systems, applications, and infrastructures to the cloud.

The AGS solution, available via IBM Security Services, addresses these challenges by combining IBM’s world-class expertise to plan, design, deploy, operationalize, and accelerate cyber compliance and governance programs, and Telos’ Xacta® IT Risk Management platform that automates the most time-consuming aspects of compliance and audit activities like control selection, validation, reporting, and monitoring.

“Every organization must meet compliance, regulatory, contractual, and privacy obligations – no one is exempt. However, individual organizations have different risk appetites, tolerance levels, missions, and goals,” said Dimple Ahluwalia, VP & global managing partner, IBM. “AGS helps take the guesswork out of managing cybersecurity risk and compliance – all with proven technology, techniques, complete visibility, and ongoing expert support. We are thrilled to be working with Telos on this important challenge that faces today’s enterprises.”

The AGS solution, available via IBM Security Services, utilizes strategic planning, responsive compliance reporting, proactive monitoring and automation, all while leveraging existing tools to create a more ordered approach to IT risk management and compliance. The solution is scalable across hybrid, multi-cloud, and on-premises architectures and systems, bringing much-needed peace of mind to those on the front lines of the cybersecurity battle. The power of automation is on full display with AGS, reducing system compliance time up to 90% faster, the time to generate regulatory documentation by up to 70%, as well as the time to research vulnerabilities by up to 90%.

To learn more about AGS, please visit https://www.telos.com/offerings/ibm-active-governance-services-xacta.

**Forward-Looking Statements**

This press release contains forward-looking statements which are made under the safe harbor provisions of the federal securities laws. These statements are based on the Company’s management’s current beliefs, expectations and assumptions about future events, conditions and results and on information currently available to them. By their nature, forward-looking statements involve risks and uncertainties because they relate to events and depend on circumstances that may or may not occur in the future. The Company believes that these risks and uncertainties include, but are not limited to, those described under the captions “Risk Factors” and “Management’s Discussion and Analysis of Financial Condition and Results of Operations” set forth from time to time in the Company’s filings and reports with the U.S. Securities and Exchange Commission (SEC), including its Annual Report on Form 10-K for the year ended December 31, 2021, as well as future filings and reports by the Company, copies of which are available at https://investors.telos.com and on the SEC’s website at www.sec.gov.

Although the Company bases these forward-looking statements on assumptions that the Company’s management believes are reasonable when made, they caution the reader that forward-looking statements are not guarantees of future performance and that the Company’s actual results of operations, financial condition and liquidity, and industry developments, may differ materially from statements made in or suggested by the forward-looking statements contained in this release. Given these risks, uncertainties and other factors, many of which are beyond its control, the Company cautions the reader not to place undue reliance on these forward-looking statements. Any forward-looking statement speaks only as of the date of such statement and, except as required by law, the Company undertakes no obligation to update any forward-looking statement publicly, or to revise any forward-looking statement to reflect events or developments occurring after the date of the statement, even if new information becomes available in the future. Comparisons of results for current and any prior periods are not intended to express any future trends or indications of future performance, unless specifically expressed as such, and should only be viewed as historical data.

**About Telos Corporation**

Telos Corporation (NASDAQ: TLS) empowers and protects the world’s most security-conscious organizations with solutions for continuous security assurance of individuals, systems, and information. Telos’ offerings include cybersecurity solutions for IT risk management and information security; cloud security solutions to protect cloud-based assets and enable continuous compliance with industry and government security standards; and enterprise security solutions for identity and access management, secure mobility, organizational messaging, and network management and defense. The Company serves commercial enterprises, regulated industries and government customers around the world.

Telos Corporation to Help Enterprises Operationalize Cybersecurity Compliance and Regulatory Risks with IBM Security

Red Hat Security Advisory 2022-6521-01 - .NET is a managed-software framework. It implements a subset of the .NET framework APIs and several new APIs, and it includes a CLR implementation. New versions of .NET that address a security vulnerability are now available. The updated versions are .NET 6.0 to SDK 6.0.109 and Runtime 6.0.9.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Moderate: .NET 6.0 security and bugfix update  
Advisory ID:       RHSA-2022:6521-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:6521  
Issue date:        2022-09-14  
CVE Names:         CVE-2022-38013  
====================================================================  
1. Summary:

An update for .NET 6.0 is now available for Red Hat Enterprise Linux 9.

Red Hat Product Security has rated this update as having a security impact  
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which  
gives a detailed severity rating, is available for each vulnerability from  
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat CodeReady Linux Builder (v. 9) - aarch64, s390x, x86_64  
Red Hat Enterprise Linux AppStream (v. 9) - aarch64, s390x, x86_64

3. Description:

.NET is a managed-software framework. It implements a subset of the .NET  
framework APIs and several new APIs, and it includes a CLR implementation.

New versions of .NET that address a security vulnerability are now  
available. The updated versions are .NET 6.0 to SDK 6.0.109 and Runtime  
6.0.9.

Security Fix(es):

* dotnet: DenialOfService - ASP.NET Core MVC vulnerable to stack overflow  
via ModelStateDictionary recursion. (CVE-2022-38013)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2125124 - CVE-2022-38013 dotnet: DenialOfService - ASP.NET Core MVC vulnerable to stack overflow via ModelStateDictionary recursion.

6. Package List:

Red Hat Enterprise Linux AppStream (v. 9):

Source:  
dotnet6.0-6.0.109-1.el9_0.src.rpm

aarch64:  
aspnetcore-runtime-6.0-6.0.9-1.el9_0.aarch64.rpm  
aspnetcore-targeting-pack-6.0-6.0.9-1.el9_0.aarch64.rpm  
dotnet-apphost-pack-6.0-6.0.9-1.el9_0.aarch64.rpm  
dotnet-apphost-pack-6.0-debuginfo-6.0.9-1.el9_0.aarch64.rpm  
dotnet-host-6.0.9-1.el9_0.aarch64.rpm  
dotnet-host-debuginfo-6.0.9-1.el9_0.aarch64.rpm  
dotnet-hostfxr-6.0-6.0.9-1.el9_0.aarch64.rpm  
dotnet-hostfxr-6.0-debuginfo-6.0.9-1.el9_0.aarch64.rpm  
dotnet-runtime-6.0-6.0.9-1.el9_0.aarch64.rpm  
dotnet-runtime-6.0-debuginfo-6.0.9-1.el9_0.aarch64.rpm  
dotnet-sdk-6.0-6.0.109-1.el9_0.aarch64.rpm  
dotnet-sdk-6.0-debuginfo-6.0.109-1.el9_0.aarch64.rpm  
dotnet-targeting-pack-6.0-6.0.9-1.el9_0.aarch64.rpm  
dotnet-templates-6.0-6.0.109-1.el9_0.aarch64.rpm  
dotnet6.0-debuginfo-6.0.109-1.el9_0.aarch64.rpm  
dotnet6.0-debugsource-6.0.109-1.el9_0.aarch64.rpm  
netstandard-targeting-pack-2.1-6.0.109-1.el9_0.aarch64.rpm

s390x:  
aspnetcore-runtime-6.0-6.0.9-1.el9_0.s390x.rpm  
aspnetcore-targeting-pack-6.0-6.0.9-1.el9_0.s390x.rpm  
dotnet-apphost-pack-6.0-6.0.9-1.el9_0.s390x.rpm  
dotnet-apphost-pack-6.0-debuginfo-6.0.9-1.el9_0.s390x.rpm  
dotnet-host-6.0.9-1.el9_0.s390x.rpm  
dotnet-host-debuginfo-6.0.9-1.el9_0.s390x.rpm  
dotnet-hostfxr-6.0-6.0.9-1.el9_0.s390x.rpm  
dotnet-hostfxr-6.0-debuginfo-6.0.9-1.el9_0.s390x.rpm  
dotnet-runtime-6.0-6.0.9-1.el9_0.s390x.rpm  
dotnet-runtime-6.0-debuginfo-6.0.9-1.el9_0.s390x.rpm  
dotnet-sdk-6.0-6.0.109-1.el9_0.s390x.rpm  
dotnet-sdk-6.0-debuginfo-6.0.109-1.el9_0.s390x.rpm  
dotnet-targeting-pack-6.0-6.0.9-1.el9_0.s390x.rpm  
dotnet-templates-6.0-6.0.109-1.el9_0.s390x.rpm  
dotnet6.0-debuginfo-6.0.109-1.el9_0.s390x.rpm  
dotnet6.0-debugsource-6.0.109-1.el9_0.s390x.rpm  
netstandard-targeting-pack-2.1-6.0.109-1.el9_0.s390x.rpm

x86_64:  
aspnetcore-runtime-6.0-6.0.9-1.el9_0.x86_64.rpm  
aspnetcore-targeting-pack-6.0-6.0.9-1.el9_0.x86_64.rpm  
dotnet-apphost-pack-6.0-6.0.9-1.el9_0.x86_64.rpm  
dotnet-apphost-pack-6.0-debuginfo-6.0.9-1.el9_0.x86_64.rpm  
dotnet-host-6.0.9-1.el9_0.x86_64.rpm  
dotnet-host-debuginfo-6.0.9-1.el9_0.x86_64.rpm  
dotnet-hostfxr-6.0-6.0.9-1.el9_0.x86_64.rpm  
dotnet-hostfxr-6.0-debuginfo-6.0.9-1.el9_0.x86_64.rpm  
dotnet-runtime-6.0-6.0.9-1.el9_0.x86_64.rpm  
dotnet-runtime-6.0-debuginfo-6.0.9-1.el9_0.x86_64.rpm  
dotnet-sdk-6.0-6.0.109-1.el9_0.x86_64.rpm  
dotnet-sdk-6.0-debuginfo-6.0.109-1.el9_0.x86_64.rpm  
dotnet-targeting-pack-6.0-6.0.9-1.el9_0.x86_64.rpm  
dotnet-templates-6.0-6.0.109-1.el9_0.x86_64.rpm  
dotnet6.0-debuginfo-6.0.109-1.el9_0.x86_64.rpm  
dotnet6.0-debugsource-6.0.109-1.el9_0.x86_64.rpm  
netstandard-targeting-pack-2.1-6.0.109-1.el9_0.x86_64.rpm

Red Hat CodeReady Linux Builder (v. 9):

aarch64:  
dotnet-apphost-pack-6.0-debuginfo-6.0.9-1.el9_0.aarch64.rpm  
dotnet-host-debuginfo-6.0.9-1.el9_0.aarch64.rpm  
dotnet-hostfxr-6.0-debuginfo-6.0.9-1.el9_0.aarch64.rpm  
dotnet-runtime-6.0-debuginfo-6.0.9-1.el9_0.aarch64.rpm  
dotnet-sdk-6.0-debuginfo-6.0.109-1.el9_0.aarch64.rpm  
dotnet-sdk-6.0-source-built-artifacts-6.0.109-1.el9_0.aarch64.rpm  
dotnet6.0-debuginfo-6.0.109-1.el9_0.aarch64.rpm  
dotnet6.0-debugsource-6.0.109-1.el9_0.aarch64.rpm

s390x:  
dotnet-apphost-pack-6.0-debuginfo-6.0.9-1.el9_0.s390x.rpm  
dotnet-host-debuginfo-6.0.9-1.el9_0.s390x.rpm  
dotnet-hostfxr-6.0-debuginfo-6.0.9-1.el9_0.s390x.rpm  
dotnet-runtime-6.0-debuginfo-6.0.9-1.el9_0.s390x.rpm  
dotnet-sdk-6.0-debuginfo-6.0.109-1.el9_0.s390x.rpm  
dotnet-sdk-6.0-source-built-artifacts-6.0.109-1.el9_0.s390x.rpm  
dotnet6.0-debuginfo-6.0.109-1.el9_0.s390x.rpm  
dotnet6.0-debugsource-6.0.109-1.el9_0.s390x.rpm

x86_64:  
dotnet-apphost-pack-6.0-debuginfo-6.0.9-1.el9_0.x86_64.rpm  
dotnet-host-debuginfo-6.0.9-1.el9_0.x86_64.rpm  
dotnet-hostfxr-6.0-debuginfo-6.0.9-1.el9_0.x86_64.rpm  
dotnet-runtime-6.0-debuginfo-6.0.9-1.el9_0.x86_64.rpm  
dotnet-sdk-6.0-debuginfo-6.0.109-1.el9_0.x86_64.rpm  
dotnet-sdk-6.0-source-built-artifacts-6.0.109-1.el9_0.x86_64.rpm  
dotnet6.0-debuginfo-6.0.109-1.el9_0.x86_64.rpm  
dotnet6.0-debugsource-6.0.109-1.el9_0.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-38013  
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBYyInqtzjgjWX9erEAQgVthAAgn0FNArb7QMChMi5/Psidn0v7ScFvYIy  
zt2Wj3xO1FIc4hYjrj9IHf0SzZOgrgvbfN32SBiTwZMTm9sAUIy/retoK7YoZg0r  
sTeTthlvibMikftv9I2328vVxeCmViOkO1i89vnR4CYCmP6YTGkwFf3lWxZt84wK  
99oy4vOGPsPcKohydzPyrIcXwiXoOKeXyB8imDlUgqIHGqMWhbioZKYWRmJEFT09  
VXYsC48xwSSyHluqSv4o8AlIry1cdkoBBFOev2M9BKYhgtKKODhJWh96ziUiXn3/  
BdeUXDz/XG2h8DgcqtIYmR8hVCU9WTIAjnDkARKsFdWyUopok3gUn0S1RTMCDISE  
Pz15sTWSsmLdnhT78BvhjlYn7amT/ZcztYHu359XcQDRmq/1WShiJ4+fZoWMmmBD  
aSmtQboyHawH6LAPLJUwMhl+7OjK8K5ljl/GDMA0PX7jIOA0S7tu8Oq6pIBW49oW  
AQkKoR4hDcvH9Ax/JxyFyQfMtbBKPpVSGn23vTSr+76rU36fcWYsj0ohwI2zw2/F  
1pN5tiDda/6zSbRmQVtjS/QUvZ07oSLDzmuacTuHjyNQ2fT4fIQmYrMtSlrU5AlB  
ZI9xqVFZfNYj1jsOsb1H7o+M3Oyvvlc1+jQVMTD/rauixsufu0jEEDVUBJuksnzh  
smIfPFqvg50=8wZd  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Tag

#ibm