
Crash when parsing malformed 264 files #33

Open
retpoline opened this issue Feb 28, 2022 · 0 comments

@retpoline

Hi folks,

An interesting crash was found while fuzz testing the minimp4_x86 binary, which can be triggered via a malformed 264 file. Although this malformed file only crashes the program as-is, it could potentially be crafted further and create a security issue where these kinds of files would be able to compromise the process's memory by taking advantage of affordances given by memory corruption. It's recommended to harden the code to prevent these kinds of bugs, as it could greatly mitigate this issue and even future bugs.

Repro
crash.264.txt

$ minimp4_x86 crash.264 test.mp4
Segmentation fault (core dumped)

$ gdb -q minimp4_x86
Reading symbols from minimp4_x86...
(No debugging symbols found in minimp4_x86)

(gdb) r crash.264 test.mp4
Starting program: minimp4_x86 crash.264 test.mp4

Program received signal SIGBUS, Bus error.
0x0000555555558cac in patch_pps ()

(gdb) bt
#0  0x0000555555558cac in patch_pps ()
#1  0x0000555555555dd1 in main ()

(gdb) i r
rax            0x6510              25872
rbx            0x7fffffffcf70      140737488342896
rcx            0xfffffff8          4294967288
rdx            0xc204e00           203443712
rsi            0x1                 1
rdi            0x7fffffffcfb0      140737488342960
rbp            0x7fffffffd040      0x7fffffffd040
rsp            0x7fffffffcec8      0x7fffffffcec8
r8             0x2511              9489
r9             0x555555563679      93824992294521
r10            0x1                 1
r11            0x0                 0
r12            0x7fffffffcf6c      140737488342892
r13            0x37                55
r14            0x1926              6438
r15            0x555555563670      93824992294512
rip            0x555555558cac      0x555555558cac <patch_pps+44>
eflags         0x10206             [ PF IF RF ]
cs             0x33                51
ss             0x2b                43
ds             0x0                 0
es             0x0                 0
fs             0x0                 0
gs             0x0                 0

(gdb) x/i $rip
=> 0x555555558cac <patch_pps+44>:	mov    0xd80(%rbp,%rax,4),%r8d

(gdb) exploitable
Description: Access violation
Short description: AccessViolation (21/22)
Hash: 7bfba3fa9abe7b60a7e8004b251c9358.7bfba3fa9abe7b60a7e8004b251c9358
Exploitability Classification: UNKNOWN
Explanation: The target crashed due to an access violation but there is not enough additional information available to determine exploitability.
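As an added illustration of the kind of hardening the report asks for (example code written for this page, not minimp4's own source, which is not shown here), the snippet below parses the first two ue(v) fields of an H.264 PPS with a bit reader that refuses to read past its buffer and rejects ids outside the ranges the spec allows (pic_parameter_set_id 0..255, seq_parameter_set_id 0..31) before they are ever used as an array index. The faulting instruction in the trace is an indexed load with rax = 0x6510, which is exactly the shape of bug a range check like this prevents; the table layout and function names are assumptions.

```c
#include <stddef.h>
#include <stdint.h>

#define MAX_PPS 256  /* pic_parameter_set_id is 0..255 in H.264 */
#define MAX_SPS 32   /* seq_parameter_set_id is 0..31 */

typedef struct { const uint8_t *buf; size_t len; size_t pos; } bitreader_t;  /* pos counts bits */
typedef struct { int present; uint32_t sps_id; } pps_t;
static pps_t pps_table[MAX_PPS];  /* fixed-size table; an unchecked id would index past it */

static int read_bit(bitreader_t *br, unsigned *bit) {
    if (br->pos >= br->len * 8) return -1;  /* refuse to read past the buffer */
    *bit = (br->buf[br->pos >> 3] >> (7 - (br->pos & 7))) & 1;
    br->pos++;
    return 0;
}

/* Unsigned Exp-Golomb ue(v); the leading-zero count is capped so a long zero run cannot overflow. */
static int read_ue(bitreader_t *br, uint32_t *out) {
    unsigned zeros = 0, bit;
    uint32_t val = 0;
    for (;;) {
        if (read_bit(br, &bit)) return -1;
        if (bit) break;
        if (++zeros > 31) return -1;
    }
    for (unsigned i = 0; i < zeros; i++) {
        if (read_bit(br, &bit)) return -1;
        val = (val << 1) | bit;
    }
    *out = (1u << zeros) - 1 + val;
    return 0;
}

/* Parse the first two ue(v) fields of a PPS RBSP (NAL header byte already stripped).
 * Returns 0 on success, -1 when the stream is truncated or an id is out of range. */
int parse_pps_header(const uint8_t *rbsp, size_t len) {
    bitreader_t br = { rbsp, len, 0 };
    uint32_t pps_id, sps_id;
    if (read_ue(&br, &pps_id) || read_ue(&br, &sps_id)) return -1;
    if (pps_id >= MAX_PPS || sps_id >= MAX_SPS) return -1;  /* the check that keeps the index in bounds */
    pps_table[pps_id].present = 1;
    pps_table[pps_id].sps_id = sps_id;
    return 0;
}

/* Bounds-checked lookup: NULL for ids outside the table or never parsed. */
const pps_t *lookup_pps(uint32_t pps_id) {
    return (pps_id < MAX_PPS && pps_table[pps_id].present) ? &pps_table[pps_id] : NULL;
}
```

With constructed inputs, the RBSP bytes {0x21, 0x80} (pps_id 3, sps_id 5) are accepted, while {0x00, 0x00, 0x80, 0x00, 0x00} (pps_id 65535) and a one-byte truncated stream are rejected instead of reaching the table.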