Soumettre #807650: tsMuxer git-7f8667d Heap-based Buffer Overflowinformation

TitretsMuxer git-7f8667d Heap-based Buffer Overflow
Descriptionheap-buffer-overflow in tsMuxer/bitStream.h:232:37 ## version ``` commit 7f8667d1e6100a5b6407340d91ad80d57d976e58 (HEAD -> master, tag: nightly-2024-06-06-02-00-53, origin/master, origin/HEAD) Author: iwashiira <[email protected]> Date: Thu Jun 6 03:13:25 2024 +0900 added check for negative track_id values (#882) ``` ## reproduce ```shell cd tsMuxer mkdir build && cd build cmake ../ -DCMAKE_C_COMPILER=clang -DCMAKE_CXX_COMPILER=clang++ -DCMAKE_C_FLAGS="-fsanitize=address" -DCMAKE_CXX_FLAGS="-fsanitize=address" make ``` ``` ./tsmuxer poc ``` Information : ``` tsMuxeR version git-7f8667d. github.com/justdan96/tsMuxer Bad SEI detected. SEI too short Bad SEI detected. SEI too short Bad SEI detected. SEI too short HEVC muxing fps is not set. Get fps from stream. Value: 1 HEVC manual defined fps doesn't equal to stream fps. Change HEVC fps from 0.984379 to 1 ================================================================= ==409112==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x603000001f4e at pc 0x56355e589b66 bp 0x7ffc9abdac70 sp 0x7ffc9abdac68 READ of size 4 at 0x603000001f4e thread T0 #0 0x56355e589b65 in BitStreamWriter::flushBits() /AFLplusplus/tsMuxer_prev/tsMuxer/bitStream.h:232:37 #1 0x56355e627fd1 in HevcUnit::updateBits(int, int, unsigned int) const /AFLplusplus/tsMuxer_prev/tsMuxer/hevc.cpp:89:15 #2 0x56355e62a190 in HevcVpsUnit::setFPS(double) /AFLplusplus/tsMuxer_prev/tsMuxer/hevc.cpp:236:5 #3 0x56355e63ad34 in HEVCStreamReader::updateStreamFps(void*, unsigned char*, unsigned char*, int) /AFLplusplus/tsMuxer_prev/tsMuxer/hevcStreamReader.cpp:373:10 #4 0x56355e7928d6 in MPEGStreamReader::updateFPS(void*, unsigned char*, unsigned char*, int) /AFLplusplus/tsMuxer_prev/tsMuxer/mpegStreamReader.cpp:307:9 #5 0x56355e6363ff in HEVCStreamReader::checkStream(unsigned char*, int) /AFLplusplus/tsMuxer_prev/tsMuxer/hevcStreamReader.cpp:69:17 #6 0x56355e6e0104 in METADemuxer::detectTrackReader(unsigned char*, int, AbstractStreamReader::ContainerType, int, int) /AFLplusplus/tsMuxer_prev/tsMuxer/metaDemuxer.cpp:785:22 #7 0x56355e6dd4dd in METADemuxer::DetectStreamReader(BufferedReaderManager const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const&, bool) /AFLplusplus/tsMuxer_prev/tsMuxer/metaDemuxer.cpp:685:35 #8 0x56355e673473 in detectStreamReader(char const*, MPLSParser*, bool) /AFLplusplus/tsMuxer_prev/tsMuxer/main.cpp:114:34 #9 0x56355e67b33e in main /AFLplusplus/tsMuxer_prev/tsMuxer/main.cpp:689:17 #10 0x7fcc3c059d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16 #11 0x7fcc3c059e3f in __libc_start_main csu/../csu/libc-start.c:392:3 #12 0x56355e4af594 in _start (/AFLplusplus/tsMuxer_prev/install/bin/tsmuxer+0x23b594) (BuildId: e84fab34fa61c261f080dbcd6a5e78289b568c7f) 0x603000001f4f is located 0 bytes after 31-byte region [0x603000001f30,0x603000001f4f) allocated by thread T0 here: #0 0x56355e583e0d in operator new[](unsigned long) (/AFLplusplus/tsMuxer_prev/install/bin/tsmuxer+0x30fe0d) (BuildId: e84fab34fa61c261f080dbcd6a5e78289b568c7f) #1 0x56355e62779b in HevcUnit::decodeBuffer(unsigned char const*, unsigned char const*) /AFLplusplus/tsMuxer_prev/tsMuxer/hevc.cpp:41:19 #2 0x56355e636240 in HEVCStreamReader::checkStream(unsigned char*, int) /AFLplusplus/tsMuxer_prev/tsMuxer/hevcStreamReader.cpp:64:20 #3 0x56355e6e0104 in METADemuxer::detectTrackReader(unsigned char*, int, AbstractStreamReader::ContainerType, int, int) /AFLplusplus/tsMuxer_prev/tsMuxer/metaDemuxer.cpp:785:22 #4 0x56355e6dd4dd in METADemuxer::DetectStreamReader(BufferedReaderManager const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const&, bool) /AFLplusplus/tsMuxer_prev/tsMuxer/metaDemuxer.cpp:685:35 #5 0x56355e673473 in detectStreamReader(char const*, MPLSParser*, bool) /AFLplusplus/tsMuxer_prev/tsMuxer/main.cpp:114:34 #6 0x56355e67b33e in main /AFLplusplus/tsMuxer_prev/tsMuxer/main.cpp:689:17 #7 0x7fcc3c059d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16 SUMMARY: AddressSanitizer: heap-buffer-overflow /AFLplusplus/tsMuxer_prev/tsMuxer/bitStream.h:232:37 in BitStreamWriter::flushBits() Shadow bytes around the buggy address: 0x603000001c80: fa fa fd fd fd fa fa fa fd fd fd fa fa fa fd fd 0x603000001d00: fd fd fa fa fd fd fd fa fa fa fd fd fd fa fa fa 0x603000001d80: fd fd fd fa fa fa fd fd fd fd fa fa fd fd fd fa 0x603000001e00: fa fa fd fd fd fa fa fa fd fd fd fd fa fa fd fd 0x603000001e80: fd fa fa fa fd fd fd fa fa fa fd fd fd fa fa fa =>0x603000001f00: fd fd fd fa fa fa 00 00 00[07]fa fa fa fa fa fa 0x603000001f80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x603000002000: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x603000002080: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x603000002100: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x603000002180: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb ==409112==ABORTING ```
La source⚠️ https://github.com/justdan96/tsMuxer/issues/898
Utilisateur
 Fantasy (UID 69897)
Soumission18/04/2026 14:38 (il y a 2 mois)
Modérer03/05/2026 19:13 (15 days later)
StatutDupliqué
Entrée VulDB212561 [tsMuxer 2.6.16 /tsMuxer/bitStream.h flushBits buffer overflow]
Points0

PrécédentAperçuSuivant

Interested in the pricing of exploits?

See the underground prices here!