description
An out-of-bounds read in function File__Analyze::Get_L8 in MediaInfoLib 18.12, which leads to a crash. The INTEGRITY_SIZE_ATLEAST_INT(8) guard on line 552 is passed, yet the address computed on line 553 (Buffer + 24 + 1062456) is unmapped, which suggests that the guard does not bound the read against Buffer_Size (the bytes actually present in Buffer).
reproduce
debug
/src/MediaInfoLib/Source/MediaInfo/File__Analyze_Buffer.cpp
548
549 //---------------------------------------------------------------------------
// Reads the next 8 bytes of the current element as a little-endian int64u into Info,
// records it under Name when tracing is active, and advances Element_Offset by 8.
550 void File__Analyze::Get_L8(int64u &Info, const char* Name)
551 {
552 INTEGRITY_SIZE_ATLEAST_INT(8); // NOTE(review): macro body not shown here; the crash below means it does not bound the read against Buffer_Size (the bytes actually in Buffer) — confirm what it compares Element_Offset+8 against
► 553 Info=LittleEndian2int64u(Buffer+Buffer_Offset+(size_t)Element_Offset); // faulting read: Buffer+24+1062456 is unmapped in the debugger session
554 if (Trace_Activated) Param(Name, Info);
555 Element_Offset+=8;
556 }
557
558 //---------------------------------------------------------------------------
pwndbg> p Buffer
$1 = (const ZenLib::int8u *) 0x5555557f29b0 "RIFF\020"
pwndbg> p Buffer_Offset
$2 = 24
pwndbg> p Element_Offset
$3 = 1062456
pwndbg> p Buffer+Buffer_Offset+(size_t)Element_Offset
$4 = (const ZenLib::int8u *) 0x5555558f6000 <error: Cannot access memory at address 0x5555558f6000>
backtrace
#0 0x7f89d724aa3f (/usr/lib/x86_64-linux-gnu/libzen.so.0+0x16a3f)
#1 0x7f89d7869551 in ZenLib::LittleEndian2int64u(unsigned char const*) /usr/include/ZenLib/Utils.h:96:63
#2 0x7f89d7869551 in MediaInfoLib::File__Analyze::Get_L8(unsigned long long&, char const*) /src/MediaInfoLib/Project/GNU/Library/../../../Source/MediaInfo/File__Analyze_Buffer.cpp:553
#3 0x7f89d8d1bf47 in MediaInfoLib::File_Riff::AVI__hdlr_strl_indx_SuperIndex(unsigned int, unsigned int) /src/MediaInfoLib/Project/GNU/Library/../../../Source/MediaInfo/Multiple/File_Riff_Elements.cpp:1200:9
#4 0x7f89d8cda77f in MediaInfoLib::File_Riff::AVI__hdlr_strl_indx() /src/MediaInfoLib/Project/GNU/Library/../../../Source/MediaInfo/Multiple/File_Riff_Elements.cpp:1104:37
#5 0x7f89d8cc863b in MediaInfoLib::File_Riff::AVI__xxxx() /src/MediaInfoLib/Project/GNU/Library/../../../Source/MediaInfo/Multiple/File_Riff_Elements.cpp:2918:9
#6 0x7f89d8cc863b in MediaInfoLib::File_Riff::Data_Parse() /src/MediaInfoLib/Project/GNU/Library/../../../Source/MediaInfo/Multiple/File_Riff_Elements.cpp:537
#7 0x7f89d7827eba in MediaInfoLib::File__Analyze::Data_Manage() /src/MediaInfoLib/Project/GNU/Library/../../../Source/MediaInfo/File__Analyze.cpp:2359:9
#8 0x7f89d781beb3 in MediaInfoLib::File__Analyze::Buffer_Parse() /src/MediaInfoLib/Project/GNU/Library/../../../Source/MediaInfo/File__Analyze.cpp:1513:10
#9 0x7f89d7811830 in MediaInfoLib::File__Analyze::Open_Buffer_Continue_Loop() /src/MediaInfoLib/Project/GNU/Library/../../../Source/MediaInfo/File__Analyze.cpp:1080:14
#10 0x7f89d780c5ae in MediaInfoLib::File__Analyze::Open_Buffer_Continue(unsigned char const*, unsigned long) /src/MediaInfoLib/Project/GNU/Library/../../../Source/MediaInfo/File__Analyze.cpp:693:16
#11 0x7f89d7c6932f in MediaInfoLib::MediaInfo_Internal::Open_Buffer_Continue(unsigned char const*, unsigned long) /src/MediaInfoLib/Project/GNU/Library/../../../Source/MediaInfo/MediaInfo_Internal.cpp:1337:11
#12 0x7f89d8dd9f3c in MediaInfoLib::Reader_File::Format_Test_PerParser_Continue(MediaInfoLib::MediaInfo_Internal*) /src/MediaInfoLib/Project/GNU/Library/../../../Source/MediaInfo/Reader/Reader_File.cpp:759:24
#13 0x7f89d8dd5389 in MediaInfoLib::Reader_File::Format_Test_PerParser(MediaInfoLib::MediaInfo_Internal*, std::__cxx11::basic_string<wchar_t, std::char_traits<wchar_t>, std::allocator<wchar_t> > const&) /src/MediaInfoLib/Project/GNU/Library/../../../Source/MediaInfo/Reader/Reader_File.cpp:292:12
#14 0x7f89d8dd15c1 in MediaInfoLib::Reader_File::Format_Test(MediaInfoLib::MediaInfo_Internal*, std::__cxx11::basic_string<wchar_t, std::char_traits<wchar_t>, std::allocator<wchar_t> >) /src/MediaInfoLib/Project/GNU/Library/../../../Source/MediaInfo/Reader/Reader_File.cpp:204:17
#15 0x7f89d7c349f8 in MediaInfoLib::MediaInfo_Internal::Entry() /src/MediaInfoLib/Project/GNU/Library/../../../Source/MediaInfo/MediaInfo_Internal.cpp:1083:29
#16 0x7f89d7c06aa4 in MediaInfoLib::MediaInfo_Internal::Open(std::__cxx11::basic_string<wchar_t, std::char_traits<wchar_t>, std::allocator<wchar_t> > const&) /src/MediaInfoLib/Project/GNU/Library/../../../Source/MediaInfo/MediaInfo_Internal.cpp:839:9
#17 0x7f89d7cb10cf in MediaInfoLib::MediaInfoList_Internal::Entry() /src/MediaInfoLib/Project/GNU/Library/../../../Source/MediaInfo/MediaInfoList_Internal.cpp:215:17
#18 0x7f89d7cacfe3 in MediaInfoLib::MediaInfoList_Internal::Open(std::__cxx11::basic_string<wchar_t, std::char_traits<wchar_t>, std::allocator<wchar_t> > const&, MediaInfoLib::fileoptions_t) /src/MediaInfoLib/Project/GNU/Library/../../../Source/MediaInfo/MediaInfoList_Internal.cpp:151:9
#19 0x51f59f in main /src/mediainfo/Project/GNU/CLI/../../../Source/CLI/CLI_Main.cpp:154:25
#20 0x7f89d5da682f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#21 0x41c578 in _start (/src/aflbuild/installed/bin/mediainfo+0x41c578)
description
An out-of-bounds read in function MediaInfoLib::File__Tags_Helper::Synched_Test in MediaInfoLib 18.12, which leads to a crash. Note that the debugger shows Base as 0x10f9, which is not a plausible object address, so the fault at line 191 appears to be a dereference through an invalid Base pointer rather than a read past the end of a valid buffer.
reproduce
debug
In file: /path/to/MediaInfoLib/Source/MediaInfo/Tag/File__Tags.cpp
186 #endif
187
188 if (!Parser)
189 {
190 //Must have enough buffer for having header
► 191 if (Base->Buffer_Offset+8>Base->Buffer_Size)
192 return Base->IsSub; //If IsSub, we consider this is a complete block
193
194 //Quick test of synchro
195 int32u ID=CC3(Base->Buffer+Base->Buffer_Offset);
196 int32u ID4=CC4(Base->Buffer+Base->Buffer_Offset);
pwndbg> p Base
$1 = (MediaInfoLib::File__Analyze *) 0x10f9
backtrace
#0 0x7f6db076b0fb in MediaInfoLib::File__Tags_Helper::Synched_Test() /src/MediaInfoLib/Project/GNU/Library/../../../Source/MediaInfo/Tag/File__Tags.cpp:191:45
#1 0x7f6daf672c94 in MediaInfoLib::File__Tags_Helper::FileHeader_Begin() /src/MediaInfoLib/Project/GNU/Library/../../../Source/MediaInfo/Tag/File__Tags.h:73:37
#2 0x7f6daf672c94 in MediaInfoLib::File_Aac::FileHeader_Begin() /src/MediaInfoLib/Project/GNU/Library/../../../Source/MediaInfo/Audio/File_Aac.cpp:234
#3 0x7f6daf1a83ee in MediaInfoLib::File__Analyze::FileHeader_Manage() /src/MediaInfoLib/Project/GNU/Library/../../../Source/MediaInfo/File__Analyze.cpp:2093:33
#4 0x7f6daf19f2ea in MediaInfoLib::File__Analyze::Open_Buffer_Continue_Loop() /src/MediaInfoLib/Project/GNU/Library/../../../Source/MediaInfo/File__Analyze.cpp:1054:14
#5 0x7f6daf19a5ae in MediaInfoLib::File__Analyze::Open_Buffer_Continue(unsigned char const*, unsigned long) /src/MediaInfoLib/Project/GNU/Library/../../../Source/MediaInfo/File__Analyze.cpp:693:16
#6 0x7f6daf1a77b6 in MediaInfoLib::File__Analyze::Open_Buffer_Continue(MediaInfoLib::File__Analyze*, unsigned char const*, unsigned long, bool, double) /src/MediaInfoLib/Project/GNU/Library/../../../Source/MediaInfo/File__Analyze.cpp:1031:10
#7 0x7f6daf85385f in MediaInfoLib::File_SmpteSt0337::Data_Parse() /src/MediaInfoLib/Project/GNU/Library/../../../Source/MediaInfo/Audio/File_SmpteSt0337.cpp:1338:9
#8 0x7f6daf1b5eba in MediaInfoLib::File__Analyze::Data_Manage() /src/MediaInfoLib/Project/GNU/Library/../../../Source/MediaInfo/File__Analyze.cpp:2359:9
#9 0x7f6daf1a9eb3 in MediaInfoLib::File__Analyze::Buffer_Parse() /src/MediaInfoLib/Project/GNU/Library/../../../Source/MediaInfo/File__Analyze.cpp:1513:10
#10 0x7f6daf19f830 in MediaInfoLib::File__Analyze::Open_Buffer_Continue_Loop() /src/MediaInfoLib/Project/GNU/Library/../../../Source/MediaInfo/File__Analyze.cpp:1080:14
#11 0x7f6daf19a5ae in MediaInfoLib::File__Analyze::Open_Buffer_Continue(unsigned char const*, unsigned long) /src/MediaInfoLib/Project/GNU/Library/../../../Source/MediaInfo/File__Analyze.cpp:693:16
#12 0x7f6daf5f732f in MediaInfoLib::MediaInfo_Internal::Open_Buffer_Continue(unsigned char const*, unsigned long) /src/MediaInfoLib/Project/GNU/Library/../../../Source/MediaInfo/MediaInfo_Internal.cpp:1337:11
#13 0x7f6db0767f3c in MediaInfoLib::Reader_File::Format_Test_PerParser_Continue(MediaInfoLib::MediaInfo_Internal*) /src/MediaInfoLib/Project/GNU/Library/../../../Source/MediaInfo/Reader/Reader_File.cpp:759:24
#14 0x7f6db0763389 in MediaInfoLib::Reader_File::Format_Test_PerParser(MediaInfoLib::MediaInfo_Internal*, std::__cxx11::basic_string<wchar_t, std::char_traits<wchar_t>, std::allocator<wchar_t> > const&) /src/MediaInfoLib/Project/GNU/Library/../../../Source/MediaInfo/Reader/Reader_File.cpp:292:12
#15 0x7f6daf50a03c in MediaInfoLib::MediaInfo_Internal::ListFormats(std::__cxx11::basic_string<wchar_t, std::char_traits<wchar_t>, std::allocator<wchar_t> > const&) /src/MediaInfoLib/Project/GNU/Library/../../../Source/MediaInfo/MediaInfo_File.cpp:965:86
#16 0x7f6db075ff0f in MediaInfoLib::Reader_File::Format_Test(MediaInfoLib::MediaInfo_Internal*, std::__cxx11::basic_string<wchar_t, std::char_traits<wchar_t>, std::allocator<wchar_t> >) /src/MediaInfoLib/Project/GNU/Library/../../../Source/MediaInfo/Reader/Reader_File.cpp:209:25
#17 0x7f6daf5c29f8 in MediaInfoLib::MediaInfo_Internal::Entry() /src/MediaInfoLib/Project/GNU/Library/../../../Source/MediaInfo/MediaInfo_Internal.cpp:1083:29
#18 0x7f6daf594aa4 in MediaInfoLib::MediaInfo_Internal::Open(std::__cxx11::basic_string<wchar_t, std::char_traits<wchar_t>, std::allocator<wchar_t> > const&) /src/MediaInfoLib/Project/GNU/Library/../../../Source/MediaInfo/MediaInfo_Internal.cpp:839:9
#19 0x7f6daf63f0cf in MediaInfoLib::MediaInfoList_Internal::Entry() /src/MediaInfoLib/Project/GNU/Library/../../../Source/MediaInfo/MediaInfoList_Internal.cpp:215:17
#20 0x7f6daf63afe3 in MediaInfoLib::MediaInfoList_Internal::Open(std::__cxx11::basic_string<wchar_t, std::char_traits<wchar_t>, std::allocator<wchar_t> > const&, MediaInfoLib::fileoptions_t) /src/MediaInfoLib/Project/GNU/Library/../../../Source/MediaInfo/MediaInfoList_Internal.cpp:151:9
#21 0x51f59f in main /src/mediainfo/Project/GNU/CLI/../../../Source/CLI/CLI_Main.cpp:154:25
#22 0x7f6dad73482f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#23 0x41c578 in _start (/src/aflbuild/installed/bin/mediainfo+0x41c578)
Thanks for the detailed report.
Fixed.
Out of curiosity, how did you find this issue? Just bad luck with real files, or fuzzing?
Thanks for your reply.
Found by running the binary over a list of .wav files.