
heap-buffer-overflow in MediaInfoLib::File_Id3v2::Data_Parse() ../../../Source/MediaInfo/Tag/File_Id3v2.cpp:597 #2105

Open
SuyueGuo opened this issue Aug 9, 2024 · 5 comments

Comments

@SuyueGuo

SuyueGuo commented Aug 9, 2024

Summary

A heap-buffer-overflow vulnerability was found in MediaInfo; it may cause arbitrary code execution.

Version

mediainfo --version
MediaInfo Command line, 
MediaInfoLib - v24.06

Details

ASAN output:

=================================================================
==2239452==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000232 at pc 0x7f64f24e02c3 bp 0x7fff8898ac20 sp 0x7fff8898a3c8
WRITE of size 2882 at 0x602000000232 thread T0
    #0 0x7f64f24e02c2 in __interceptor_memcpy ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:827
    #1 0x55cf77dbe957 in memcpy /usr/include/x86_64-linux-gnu/bits/string_fortified.h:29
    #2 0x55cf77dbe957 in MediaInfoLib::File_Id3v2::Data_Parse() ../../../Source/MediaInfo/Tag/File_Id3v2.cpp:597
    #3 0x55cf780500bc in MediaInfoLib::File__Analyze::Data_Manage() ../../../Source/MediaInfo/File__Analyze.cpp:2810
    #4 0x55cf7805353c in MediaInfoLib::File__Analyze::Buffer_Parse() ../../../Source/MediaInfo/File__Analyze.cpp:1941
    #5 0x55cf78053c87 in MediaInfoLib::File__Analyze::Open_Buffer_Continue_Loop() ../../../Source/MediaInfo/File__Analyze.cpp:1507
    #6 0x55cf78055767 in MediaInfoLib::File__Analyze::Open_Buffer_Continue(unsigned char const*, unsigned long) ../../../Source/MediaInfo/File__Analyze.cpp:1101
    #7 0x55cf7805b367 in MediaInfoLib::File__Analyze::Open_Buffer_Continue(MediaInfoLib::File__Analyze*, unsigned char const*, unsigned long, bool, double) ../../../Source/MediaInfo/File__Analyze.cpp:1448
    #8 0x55cf77d91c7b in MediaInfoLib::File__Tags_Helper::Synched_Test() ../../../Source/MediaInfo/Tag/File__Tags.cpp:367
    #9 0x55cf7777a793 in MediaInfoLib::File__Tags_Helper::FileHeader_Begin() ../../../Source/MediaInfo/Tag/File__Tags.h:73
    #10 0x55cf7777a793 in MediaInfoLib::File_Flv::FileHeader_Begin() ../../../Source/MediaInfo/Multiple/File_Flv.cpp:654
    #11 0x55cf7804ebee in MediaInfoLib::File__Analyze::FileHeader_Manage() ../../../Source/MediaInfo/File__Analyze.cpp:2524
    #12 0x55cf78054047 in MediaInfoLib::File__Analyze::Open_Buffer_Continue_Loop() ../../../Source/MediaInfo/File__Analyze.cpp:1472
    #13 0x55cf78055767 in MediaInfoLib::File__Analyze::Open_Buffer_Continue(unsigned char const*, unsigned long) ../../../Source/MediaInfo/File__Analyze.cpp:1101
    #14 0x55cf76fe1d6e in MediaInfoLib::MediaInfo_Internal::Open_Buffer_Continue(unsigned char const*, unsigned long) ../../../Source/MediaInfo/MediaInfo_Internal.cpp:1721
    #15 0x55cf77d8afde in MediaInfoLib::Reader_File::Format_Test_PerParser_Continue(MediaInfoLib::MediaInfo_Internal*) ../../../Source/MediaInfo/Reader/Reader_File.cpp:766
    #16 0x55cf77d88433 in MediaInfoLib::Reader_File::Format_Test_PerParser(MediaInfoLib::MediaInfo_Internal*, std::__cxx11::basic_string<wchar_t, std::char_traits<wchar_t>, std::allocator<wchar_t> > const&) ../../../Source/MediaInfo/Reader/Reader_File.cpp:313
    #17 0x55cf76f96bf6 in MediaInfoLib::MediaInfo_Internal::ListFormats(std::__cxx11::basic_string<wchar_t, std::char_traits<wchar_t>, std::allocator<wchar_t> > const&) ../../../Source/MediaInfo/MediaInfo_File.cpp:882
    #18 0x55cf77d896d6 in MediaInfoLib::Reader_File::Format_Test(MediaInfoLib::MediaInfo_Internal*, std::__cxx11::basic_string<wchar_t, std::char_traits<wchar_t>, std::allocator<wchar_t> >) ../../../Source/MediaInfo/Reader/Reader_File.cpp:230
    #19 0x55cf7700f15e in MediaInfoLib::MediaInfo_Internal::Entry() ../../../Source/MediaInfo/MediaInfo_Internal.cpp:1416
    #20 0x55cf7700ad7e in MediaInfoLib::MediaInfo_Internal::Open(std::__cxx11::basic_string<wchar_t, std::char_traits<wchar_t>, std::allocator<wchar_t> > const&) ../../../Source/MediaInfo/MediaInfo_Internal.cpp:1172
    #21 0x55cf77030865 in MediaInfoLib::MediaInfoList_Internal::Entry() ../../../Source/MediaInfo/MediaInfoList_Internal.cpp:212
    #22 0x55cf770393a2 in MediaInfoLib::MediaInfoList_Internal::Open(std::__cxx11::basic_string<wchar_t, std::char_traits<wchar_t>, std::allocator<wchar_t> > const&, MediaInfoLib::fileoptions_t) ../../../Source/MediaInfo/MediaInfoList_Internal.cpp:148
    #23 0x55cf76f0a70b in main ../../../Source/CLI/CLI_Main.cpp:155
    #24 0x7f64f1f55d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    #25 0x7f64f1f55e3f in __libc_start_main_impl ../csu/libc-start.c:392
    #26 0x55cf76f0f5b4 in _start (/data/fuzz/fuzz-data/target/elf/debug/mediainfo+0x4305b4)

0x602000000232 is located 0 bytes to the right of 2-byte region [0x602000000230,0x602000000232)
allocated by thread T0 here:
    #0 0x7f64f255c357 in operator new[](unsigned long) ../../../../src/libsanitizer/asan/asan_new_delete.cpp:102
    #1 0x55cf77dbe890 in MediaInfoLib::File_Id3v2::Data_Parse() ../../../Source/MediaInfo/Tag/File_Id3v2.cpp:589

SUMMARY: AddressSanitizer: heap-buffer-overflow ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:827 in __interceptor_memcpy
Shadow bytes around the buggy address:
  0x0c047fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff8000: fa fa 00 fa fa fa 00 fa fa fa 00 fa fa fa 00 fa
  0x0c047fff8010: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
  0x0c047fff8020: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
  0x0c047fff8030: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
=>0x0c047fff8040: fa fa fd fd fa fa[02]fa fa fa fa fa fa fa fa fa
  0x0c047fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8070: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8080: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8090: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==2239452==ABORTING

Poc

heap_overflow_mediainfo.tar.gz

reproduce:

mediainfo heap_overflow_mediainfo 
@SuyueGuo SuyueGuo changed the title heap-buffer-overflow in ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:827 heap-buffer-overflow in MediaInfoLib::File_Id3v2::Data_Parse() ../../../Source/MediaInfo/Tag/File_Id3v2.cpp:597 Aug 9, 2024
@cjee21
Contributor

cjee21 commented Aug 17, 2024

Issue in MediaArea/MediaInfoLib?

std::memcpy(Buffer_Unsynch+Buffer_Unsynch_Begin, Save_Buffer+Save_Buffer_Offset+Save_Buffer_Begin, Size);

@SuyueGuo
Author

Yes, maybe I should open this issue in MediaArea/MediaInfoLib?

@JeromeMartinez JeromeMartinez transferred this issue from MediaArea/MediaInfo Aug 18, 2024
@cjee21
Contributor

cjee21 commented Sep 29, 2024

[Fixed in PRs]

@cjee21
Contributor

cjee21 commented Sep 30, 2024

[Fixed in PRs]

@cjee21
Contributor

cjee21 commented Jan 31, 2025

Buffer_Unsynch=new int8u[(size_t)Element_Size];                 // destination sized from Element_Size
for (size_t Pos=0; Pos<=Unsynch_List.size(); Pos++)
{
    // Pos0: end of this segment in Save_Buffer (exclusive); Pos1: its start, just after the dropped byte
    size_t Pos0=(Pos==Unsynch_List.size())?(size_t)(Element_Size+Unsynch_List.size()):(Unsynch_List[Pos]);
    size_t Pos1=(Pos==0)?0:(Unsynch_List[Pos-1]+1);
    size_t Buffer_Unsynch_Begin=Pos1-Pos;                       // Pos bytes have been dropped so far
    size_t Save_Buffer_Begin =Pos1;
    size_t Size= Pos0-Pos1;                                     // unsigned: wraps when Pos1>Pos0
    std::memcpy(Buffer_Unsynch+Buffer_Unsynch_Begin, Save_Buffer+Save_Buffer_Offset+Save_Buffer_Begin, Size);
}

Access violation writing to 0x0000027DEE7D2000.

Pos0 = 7, Pos1 = 4256

Pos1 is larger than Pos0, so the size_t subtraction wraps around and becomes a very large number (18446744073709547367).

Buffer_Unsynch+Buffer_Unsynch_Begin may also exceed the size of Buffer_Unsynch since Element_Size is only 2 while Buffer_Unsynch_Begin is 4251.

I have no idea how to fix since I have zero idea of what this code actually does.
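As an added example that is not part of this thread and not MediaInfoLib's own source, the C program below reverses ID3v2 unsynchronisation (every 0xFF 0x00 pair becomes a single 0xFF) using the same segmented-memcpy layout as the loop quoted above (Pos0, Pos1, Buffer_Unsynch_Begin), but it validates the drop list and the claimed output size before any memcpy runs, so the two failure modes described in the comment (Pos1 > Pos0 wrapping Size, and Buffer_Unsynch_Begin landing past a 2-byte allocation) are rejected instead of written. All function and variable names, the sample frame bytes, and the first four entries of the replayed Unsynch_List are assumptions; only the last entry (4255, which gives Pos1 = 4256), Pos0 = 7 and Element_Size = 2 come from the report.

```c
/* Added example, not MediaInfoLib code: hardened ID3v2 de-unsynchronisation. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define COPY_ERR ((size_t)-1)

/* Every drop offset must lie inside the source and the list must be strictly
 * increasing.  The quoted loop assumes both without checking; an entry of
 * 4255 against a 7-byte source is what produced Pos1 > Pos0 in the report. */
static int drop_list_ok(const size_t *drop, size_t ndrop, size_t in_len)
{
    for (size_t i = 0; i < ndrop; i++) {
        if (drop[i] >= in_len)
            return 0;
        if (i > 0 && drop[i] <= drop[i - 1])
            return 0;
    }
    return 1;
}

/* Copy in[0..in_len) to out, skipping the offsets in drop[].  out_cap plays
 * the role of Element_Size: the caller's claim about the output size, checked
 * against in_len - ndrop rather than trusted.  Returns bytes written, or
 * COPY_ERR before anything is written. */
static size_t copy_without(uint8_t *out, size_t out_cap,
                           const uint8_t *in, size_t in_len,
                           const size_t *drop, size_t ndrop)
{
    if (ndrop > in_len || out_cap != in_len - ndrop ||
        !drop_list_ok(drop, ndrop, in_len))
        return COPY_ERR;

    for (size_t pos = 0; pos <= ndrop; pos++) {
        size_t pos0 = (pos == ndrop) ? in_len : drop[pos];  /* segment end, exclusive */
        size_t pos1 = (pos == 0) ? 0 : drop[pos - 1] + 1;   /* segment start */
        size_t dst  = pos1 - pos;                            /* pos bytes already dropped */
        size_t size = pos0 - pos1;
        /* Unreachable after drop_list_ok; kept as a cheap guard against the wrap. */
        if (pos1 > pos0 || dst > out_cap || size > out_cap - dst)
            return COPY_ERR;
        memcpy(out + dst, in + pos1, size);
    }
    return out_cap;
}

/* Build the drop list from the data (every 0x00 that follows 0xFF) and return
 * a malloc'd de-unsynchronised copy; *out_len receives its length. */
static uint8_t *id3v2_unsynch(const uint8_t *in, size_t in_len, size_t *out_len)
{
    size_t *drop = malloc((in_len + 1) * sizeof *drop);
    if (!drop)
        return NULL;
    size_t ndrop = 0;
    for (size_t i = 0; i + 1 < in_len; i++) {
        if (in[i] == 0xFF && in[i + 1] == 0x00) {
            drop[ndrop++] = i + 1;
            i++;                       /* skip the 0x00 just recorded */
        }
    }
    size_t total = in_len - ndrop;
    uint8_t *out = malloc(total + 1);
    if (!out || copy_without(out, total, in, in_len, drop, ndrop) != total) {
        free(out);
        free(drop);
        return NULL;
    }
    free(drop);
    *out_len = total;
    return out;
}

/* Replays the report's numbers: Element_Size 2, five-entry Unsynch_List whose
 * last entry is 4255, 7-byte source region.  The first four entries are an
 * assumption.  Returns 1 when the hardened copy rejects the call. */
static int issue_parameters_rejected(void)
{
    static const uint8_t src[7] = {0};
    static const size_t bad[5] = {0, 1, 2, 3, 4255};
    uint8_t out[2];
    return copy_without(out, 2, src, 7, bad, 5) == COPY_ERR;
}

int main(void)
{
    /* Constructed sample: 'A' FF 00 E0 'B' FF 00 00 -> 'A' FF E0 'B' FF 00 */
    static const uint8_t raw[] = {0x41, 0xFF, 0x00, 0xE0, 0x42, 0xFF, 0x00, 0x00};
    size_t n = 0;
    uint8_t *out = id3v2_unsynch(raw, sizeof raw, &n);
    if (!out)
        return 1;
    for (size_t i = 0; i < n; i++)
        printf("%02X ", out[i]);
    printf("(%zu bytes)\n", n);
    free(out);
    printf("issue parameters rejected: %d\n", issue_parameters_rejected());
    return 0;
}
```

copy_without takes out_cap separately from in_len and ndrop on purpose, mirroring how Element_Size and Unsynch_List are separate pieces of parser state; the equality check plus the sorted-and-in-range check on the list is what turns the report's parameters into a rejected call rather than a write at offset 4251 into a 2-byte allocation.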
