Open
Description
A heap-buffer-overflow was discovered in libmpeghe v[2024-06-12]. The issue is triggered in function impeghe_main_process() at libmpeghe/test/impeghe_testbench.c:2161. Attackers may exploit this vulnerability to cause a denial of service (DoS).
Reproduce:
Tested on Ubuntu 22.04
First, compile the program with AddressSanitizer:
mkdir cmake_build
cd cmake_build
AFL_USE_ASAN=1 CC=afl-clang-lto CXX=afl-clang-lto++ cmake ..
AFL_USE_ASAN=1 make -j8
Then run the encoder on the PoC input:
./MPEGHEncoder -ifile:/home/crashes/libmpeghe/crashes.2024-06-28-03:53:38/id:000001,sig:06,src:000679,time:2786852,execs:23823,op:quick,pos:77 -ofile:1.mp4
ASan Reports:
==2852430==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x608000000078 at pc 0x555dfe015fe1 bp 0x7ffc75e7e090 sp 0x7ffc75e7e088
WRITE of size 4 at 0x608000000078 thread T0
#0 0x555dfe015fe0 in impeghe_main_process /home/libmpeghe/test/impeghe_testbench.c:2161:37
#1 0x555dfe01b664 in main /home/libmpeghe/test/impeghe_testbench.c:2748:7
#2 0x7f0eaededd8f (/lib/x86_64-linux-gnu/libc.so.6+0x29d8f) (BuildId: 962015aa9d133c6cbcfb31ec300596d7f44d3348)
#3 0x7f0eaedede3f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x29e3f) (BuildId: 962015aa9d133c6cbcfb31ec300596d7f44d3348)
#4 0x555dfdf14b74 in _start (/home/libmpeghe/build/bin/MPEGHEncoder+0x36eb74) (BuildId: ad74bd9c567612d9)
0x608000000078 is located 0 bytes after 88-byte region [0x608000000020,0x608000000078)
allocated by thread T0 here:
#0 0x555dfdfae99e in malloc (/home/libmpeghe/build/bin/MPEGHEncoder+0x40899e) (BuildId: ad74bd9c567612d9)
#1 0x555dfe010dd0 in malloc_global /home/libmpeghe/test/impeghe_testbench.c:852:63
#2 0x555dfe010dd0 in impeghe_main_process /home/libmpeghe/test/impeghe_testbench.c:2040:20
#3 0x555dfe01b664 in main /home/libmpeghe/test/impeghe_testbench.c:2748:7
#4 0x7f0eaededd8f (/lib/x86_64-linux-gnu/libc.so.6+0x29d8f) (BuildId: 962015aa9d133c6cbcfb31ec300596d7f44d3348)
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/libmpeghe/test/impeghe_testbench.c:2161:37 in impeghe_main_process
Shadow bytes around the buggy address:
0x607ffffffd80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x607ffffffe00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x607ffffffe80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x607fffffff00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x607fffffff80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x608000000000: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00[fa]
0x608000000080: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x608000000100: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x608000000180: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x608000000200: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x608000000280: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==2852430==ABORTING
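Reading the report above: the faulting WRITE of size 4 lands 0 bytes after an 88-byte region, i.e. exactly one 4-byte element past the end of a buffer that holds 22 such elements, allocated through malloc_global() at line 852 and overrun at line 2161. The following is an added example, not code from this issue or from libmpeghe: a small triage helper that extracts those facts from an ASan heap-buffer-overflow report. Its sample input is excerpted from the report above; the element-index interpretation assumes the buffer is an array of elements as wide as the faulting access, which is a heuristic, not something the report states.

```python
# Added example (not from the libmpeghe issue or project): parse an
# AddressSanitizer heap-buffer-overflow report and derive the facts a
# defender wants first: how far past the allocation the access lands,
# which array element that corresponds to, and where the buffer was
# allocated versus where it was overrun.
import re
from dataclasses import dataclass

ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+) at (0x[0-9a-fA-F]+)")
REGION_RE = re.compile(
    r"is located (\d+) bytes? (after|before|inside|to the right of|to the left of) "
    r"(\d+)-byte region \[(0x[0-9a-fA-F]+),\s*(0x[0-9a-fA-F]+)\)"
)
# Symbolized frame carrying a source location: "#N 0xADDR in func path:line[:col]"
FRAME_RE = re.compile(r"^\s*#(\d+) 0x[0-9a-fA-F]+ in (\S+) (\S+?):(\d+)(?::\d+)?$")
# Allocator frames to skip when looking for the caller that owns the buffer.
ALLOCATORS = {"malloc", "calloc", "realloc", "posix_memalign", "operator"}


@dataclass
class Triage:
    access: str          # READ or WRITE
    size: int            # bytes accessed
    offset: int          # byte offset of the access from the region start
    region_size: int     # size of the heap allocation in bytes
    overrun: int         # bytes of the access that fall outside the region
    element_index: int   # offset // size: array index if elements are `size` bytes (heuristic)
    capacity: int        # region_size // size: how many such elements the buffer holds
    crash_function: str
    crash_line: int
    alloc_function: str
    alloc_line: int


def parse_asan_report(text: str) -> Triage:
    access = size = addr = region = crash = alloc = None
    in_alloc_stack = False
    for raw in text.splitlines():
        line = raw.strip()
        m = ACCESS_RE.match(line)
        if m and access is None:
            access, size, addr = m.group(1), int(m.group(2)), int(m.group(3), 16)
            continue
        m = REGION_RE.search(line)
        if m and region is None:
            region = (int(m.group(3)), int(m.group(4), 16), int(m.group(5), 16))
            continue
        if "allocated by" in line or "freed by" in line:
            in_alloc_stack = True  # frames that follow describe the allocation, not the crash
            continue
        m = FRAME_RE.match(line)
        if not m:
            continue
        func, lineno = m.group(2), int(m.group(4))
        if not in_alloc_stack and crash is None:
            crash = (func, lineno)  # innermost frame of the faulting access
        elif in_alloc_stack and alloc is None and func not in ALLOCATORS:
            alloc = (func, lineno)  # first caller above the allocator itself
    if None in (access, region, crash, alloc):
        raise ValueError("report is missing the access, region or stack lines")
    region_size, start, end = region
    offset = addr - start
    overrun = max(0, addr + size - end)
    return Triage(
        access=access, size=size, offset=offset, region_size=region_size,
        overrun=overrun, element_index=offset // size, capacity=region_size // size,
        crash_function=crash[0], crash_line=crash[1],
        alloc_function=alloc[0], alloc_line=alloc[1],
    )


def summarize(t: Triage) -> str:
    return (f"{t.access} of {t.size} bytes at offset {t.offset} of a {t.region_size}-byte "
            f"allocation ({t.overrun} bytes out of bounds): element {t.element_index} of "
            f"{t.capacity} in {t.crash_function}:{t.crash_line}, buffer allocated in "
            f"{t.alloc_function}:{t.alloc_line}")


# Sample input: lines excerpted from the ASan report in this issue.
SAMPLE_REPORT = """\
==2852430==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x608000000078 at pc 0x555dfe015fe1 bp 0x7ffc75e7e090 sp 0x7ffc75e7e088
WRITE of size 4 at 0x608000000078 thread T0
    #0 0x555dfe015fe0 in impeghe_main_process /home/libmpeghe/test/impeghe_testbench.c:2161:37
    #1 0x555dfe01b664 in main /home/libmpeghe/test/impeghe_testbench.c:2748:7
    #2 0x7f0eaededd8f (/lib/x86_64-linux-gnu/libc.so.6+0x29d8f) (BuildId: 962015aa9d133c6cbcfb31ec300596d7f44d3348)
0x608000000078 is located 0 bytes after 88-byte region [0x608000000020,0x608000000078)
allocated by thread T0 here:
    #0 0x555dfdfae99e in malloc (/home/libmpeghe/build/bin/MPEGHEncoder+0x40899e) (BuildId: ad74bd9c567612d9)
    #1 0x555dfe010dd0 in malloc_global /home/libmpeghe/test/impeghe_testbench.c:852:63
    #2 0x555dfe010dd0 in impeghe_main_process /home/libmpeghe/test/impeghe_testbench.c:2040:20
"""

if __name__ == "__main__":
    print(summarize(parse_asan_report(SAMPLE_REPORT)))
```

The "element 22 of 22" result is the signature of an off-by-one index: the fix to look for is the bound on whatever loop or index feeds the write at line 2161, or an undersized allocation at line 852, and the same helper can be run over every crash in the AFL output directory to group duplicates by crash site and offset before anyone opens a debugger.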
PoC
PoC file is here
Fuzzer:
Fuzzer is AFL.