[vlc-devel] stream_out: rtp: fix invalid memory access (write)

Fabian Yamaguchi fabian.yamaguchi at cs.uni-goettingen.de
Sat Dec 6 22:09:07 CET 2014


Hi Rémi,

we supplied a test-case that triggers this bug in our original report. I
have attached it to this e-mail once more, including instructions on how
to trigger the flaw and a stack trace.

Kind Regards,
Fabian

rtp_packetize_xiph_config allocates a buffer on the stack at (1) where
the size depends on the local variable 'len'. The variable 'len' is
calculated at (0) to be the length of a string contained in the Ogg
Vorbis file, and therefore, it is attacker-controlled. If the amount
of stack memory is not sufficient to hold the buffer (a 'len' value of
1052896 byte was enough in our tests on a 64bit Linux machine with 8
GB RAM), the start of the buffer will point to a location outside of
the stack. Subsequently copying data into the buffer at (2) will then
corrupt non-stack memory.

We have attached a test-case (input786432.ogg) that highlights this
problem by causing an invalid memory access at (2). The crash can be
triggered by placing the attached file in the working directory and
running the following command:

vlc input786432.ogg --sout
'#rtp{dst=localhost,sdp=rtsp://localhost:8080/foo.sdp}'

This leads to the following stack-trace:

---- snip ----

Program received signal SIGSEGV, Segmentation fault.
0x00007fffc6e87ab1 in memcpy (__len=1052896, __src=0x7fffc0595e3e,
__dest=0x7fffc74a6cc0) at /usr/include/x86_64-linux-gnu/bits/string3.h:51
51        return __builtin___memcpy_chk (__dest, __src, __len, __bos0
(__dest));
(gdb) where
#0  0x00007fffc6e87ab1 in memcpy (__len=1052896, __src=0x7fffc0595e3e,
__dest=0x7fffc74a6cc0) at /usr/include/x86_64-linux-gnu/bits/string3.h:51
#1  rtp_packetize_xiph_config (id=id at entry=0x7fffc0004140,
fmtp=<optimized out>, i_pts=4619686105) at rtpfmt.c:563
#2  0x00007fffc6e81412 in Send (p_stream=<optimized out>,
id=0x7fffc0004140, p_buffer=0x7fffdcde0650) at rtp.c:1283
#3  0x00007ffff796f8c6 in sout_InputSendBuffer (p_input=0x7fffc0000ad0,
p_buffer=p_buffer at entry=0x7fffdcde0650) at stream_output/stream_output.c:235
#4  0x00007ffff791b1ed in DecoderPlaySout (p_sout_block=0x7fffdcde0650,
p_dec=0x7fffdd0a2828) at input/decoder.c:1467
#5  DecoderProcessSout (p_block=0x0, p_dec=0x7fffdd0a2828) at
input/decoder.c:1523
#6  DecoderProcess (p_block=<optimized out>, p_dec=0x7fffdd0a2828) at
input/decoder.c:1754
#7  DecoderThread (p_data=0x7fffdd0a2828) at input/decoder.c:896
#8  0x00007ffff6d4b0a4 in start_thread (arg=0x7fffc75a8700) at
pthread_create.c:309
#9  0x00007ffff687bccd in clone () at
../sysdeps/unix/sysv/linux/x86_64/clone.S:111

---- /snip ----

-------------- next part --------------
A non-text attachment was scrubbed...
Name: input786432.ogg
Type: video/ogg
Size: 842106 bytes
Desc: not available
URL: <http://mailman.videolan.org/pipermail/vlc-devel/attachments/20141206/1ea3c597/attachment.ogv>


More information about the vlc-devel mailing list