heap-buffer-overflow in MediaInfoLib::File_Id3v2::Data_Parse() ../../../Source/MediaInfo/Tag/File_Id3v2.cpp:597
Summary
A heap-buffer-overflow vulnerability was found in MediaInfo; it may cause arbitrary code execution.
Version
mediainfo --version
MediaInfo Command line,
MediaInfoLib - v24.06
Details
ASAN output:
=================================================================
==2239452==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000232 at pc 0x7f64f24e02c3 bp 0x7fff8898ac20 sp 0x7fff8898a3c8
WRITE of size 2882 at 0x602000000232 thread T0
#0 0x7f64f24e02c2 in __interceptor_memcpy ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:827
#1 0x55cf77dbe957 in memcpy /usr/include/x86_64-linux-gnu/bits/string_fortified.h:29
#2 0x55cf77dbe957 in MediaInfoLib::File_Id3v2::Data_Parse() ../../../Source/MediaInfo/Tag/File_Id3v2.cpp:597
#3 0x55cf780500bc in MediaInfoLib::File__Analyze::Data_Manage() ../../../Source/MediaInfo/File__Analyze.cpp:2810
#4 0x55cf7805353c in MediaInfoLib::File__Analyze::Buffer_Parse() ../../../Source/MediaInfo/File__Analyze.cpp:1941
#5 0x55cf78053c87 in MediaInfoLib::File__Analyze::Open_Buffer_Continue_Loop() ../../../Source/MediaInfo/File__Analyze.cpp:1507
#6 0x55cf78055767 in MediaInfoLib::File__Analyze::Open_Buffer_Continue(unsigned char const*, unsigned long) ../../../Source/MediaInfo/File__Analyze.cpp:1101
#7 0x55cf7805b367 in MediaInfoLib::File__Analyze::Open_Buffer_Continue(MediaInfoLib::File__Analyze*, unsigned char const*, unsigned long, bool, double) ../../../Source/MediaInfo/File__Analyze.cpp:1448
#8 0x55cf77d91c7b in MediaInfoLib::File__Tags_Helper::Synched_Test() ../../../Source/MediaInfo/Tag/File__Tags.cpp:367
#9 0x55cf7777a793 in MediaInfoLib::File__Tags_Helper::FileHeader_Begin() ../../../Source/MediaInfo/Tag/File__Tags.h:73
#10 0x55cf7777a793 in MediaInfoLib::File_Flv::FileHeader_Begin() ../../../Source/MediaInfo/Multiple/File_Flv.cpp:654
#11 0x55cf7804ebee in MediaInfoLib::File__Analyze::FileHeader_Manage() ../../../Source/MediaInfo/File__Analyze.cpp:2524
#12 0x55cf78054047 in MediaInfoLib::File__Analyze::Open_Buffer_Continue_Loop() ../../../Source/MediaInfo/File__Analyze.cpp:1472
#13 0x55cf78055767 in MediaInfoLib::File__Analyze::Open_Buffer_Continue(unsigned char const*, unsigned long) ../../../Source/MediaInfo/File__Analyze.cpp:1101
#14 0x55cf76fe1d6e in MediaInfoLib::MediaInfo_Internal::Open_Buffer_Continue(unsigned char const*, unsigned long) ../../../Source/MediaInfo/MediaInfo_Internal.cpp:1721
#15 0x55cf77d8afde in MediaInfoLib::Reader_File::Format_Test_PerParser_Continue(MediaInfoLib::MediaInfo_Internal*) ../../../Source/MediaInfo/Reader/Reader_File.cpp:766
#16 0x55cf77d88433 in MediaInfoLib::Reader_File::Format_Test_PerParser(MediaInfoLib::MediaInfo_Internal*, std::__cxx11::basic_string<wchar_t, std::char_traits<wchar_t>, std::allocator<wchar_t> > const&) ../../../Source/MediaInfo/Reader/Reader_File.cpp:313
#17 0x55cf76f96bf6 in MediaInfoLib::MediaInfo_Internal::ListFormats(std::__cxx11::basic_string<wchar_t, std::char_traits<wchar_t>, std::allocator<wchar_t> > const&) ../../../Source/MediaInfo/MediaInfo_File.cpp:882
#18 0x55cf77d896d6 in MediaInfoLib::Reader_File::Format_Test(MediaInfoLib::MediaInfo_Internal*, std::__cxx11::basic_string<wchar_t, std::char_traits<wchar_t>, std::allocator<wchar_t> >) ../../../Source/MediaInfo/Reader/Reader_File.cpp:230
#19 0x55cf7700f15e in MediaInfoLib::MediaInfo_Internal::Entry() ../../../Source/MediaInfo/MediaInfo_Internal.cpp:1416
#20 0x55cf7700ad7e in MediaInfoLib::MediaInfo_Internal::Open(std::__cxx11::basic_string<wchar_t, std::char_traits<wchar_t>, std::allocator<wchar_t> > const&) ../../../Source/MediaInfo/MediaInfo_Internal.cpp:1172
#21 0x55cf77030865 in MediaInfoLib::MediaInfoList_Internal::Entry() ../../../Source/MediaInfo/MediaInfoList_Internal.cpp:212
#22 0x55cf770393a2 in MediaInfoLib::MediaInfoList_Internal::Open(std::__cxx11::basic_string<wchar_t, std::char_traits<wchar_t>, std::allocator<wchar_t> > const&, MediaInfoLib::fileoptions_t) ../../../Source/MediaInfo/MediaInfoList_Internal.cpp:148
#23 0x55cf76f0a70b in main ../../../Source/CLI/CLI_Main.cpp:155
#24 0x7f64f1f55d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
#25 0x7f64f1f55e3f in __libc_start_main_impl ../csu/libc-start.c:392
#26 0x55cf76f0f5b4 in _start (/data/fuzz/fuzz-data/target/elf/debug/mediainfo+0x4305b4)
0x602000000232 is located 0 bytes to the right of 2-byte region [0x602000000230,0x602000000232)
allocated by thread T0 here:
#0 0x7f64f255c357 in operator new[](unsigned long) ../../../../src/libsanitizer/asan/asan_new_delete.cpp:102
#1 0x55cf77dbe890 in MediaInfoLib::File_Id3v2::Data_Parse() ../../../Source/MediaInfo/Tag/File_Id3v2.cpp:589
SUMMARY: AddressSanitizer: heap-buffer-overflow ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:827 in __interceptor_memcpy
==2239452==ABORTING
PoC
heap_overflow_mediainfo.tar.gz
reproduce:
mediainfo heap_overflow_mediainfo
Issue in MediaArea/MediaInfoLib?
https://github.com/MediaArea/MediaInfoLib/blob/abdbb218b07f6cc0d4504c863ac5b42ecfab6fc6/Source/MediaInfo/Tag/File_Id3v2.cpp#L597
Yes, maybe I should open this issue in MediaArea/MediaInfoLib?
[Fixed in PRs]
https://github.com/MediaArea/MediaInfoLib/blob/abdbb218b07f6cc0d4504c863ac5b42ecfab6fc6/Source/MediaInfo/Tag/File_Id3v2.cpp#L589-L597
Access violation writing to 0x0000027DEE7D2000.
Pos0 = 7, Pos1 = 4256
Pos1 is larger than Pos0, so the size_t subtraction wraps around and becomes a very large number (18446744073709547367).
Buffer_Unsynch+Buffer_Unsynch_Begin may also exceed the size of Buffer_Unsynch since Element_Size is only 2 while Buffer_Unsynch_Begin is 4251.
I have no idea how to fix since I have zero idea of what this code actually does.
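A constructed model of the two arithmetic checks the comment above says are missing, as an added example that is not MediaInfo's code. The names Pos0, Pos1, Buffer_Unsynch, Buffer_Unsynch_Begin and Element_Size come from the comment; the buffer layout, the direction of the subtraction (pos0 - pos1, which wraps when Pos1 > Pos0 as reported) and the copy semantics are assumptions.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <vector>

// Assumed layout: Buffer_Unsynch is a heap array of Element_Size bytes and
// Buffer_Unsynch_Begin is the offset at which the next bytes are written.
struct UnsynchBuffer {
    std::vector<uint8_t> bytes;  // stands in for Buffer_Unsynch
    size_t begin;                // stands in for Buffer_Unsynch_Begin
};

enum class Append { Ok, PositionOrder, SourceShort, OffsetOverflow, OutOfRange };

// The unchecked length computation as the comment describes it: an unsigned
// subtraction that silently wraps to roughly 2^64 when pos1 > pos0.
size_t naive_length(size_t pos0, size_t pos1) {
    return pos0 - pos1;
}

// Hardened version of the same step: refuse the element before allocating or
// copying anything if any of the arithmetic assumptions fails.
Append checked_append(UnsynchBuffer& buf, size_t pos0, size_t pos1,
                      const uint8_t* src, size_t src_size) {
    if (pos1 > pos0)                              // subtraction would wrap
        return Append::PositionOrder;
    size_t length = pos0 - pos1;
    if (length > src_size)                        // read would run past src
        return Append::SourceShort;
    if (buf.begin > SIZE_MAX - length)            // begin + length overflows
        return Append::OffsetOverflow;
    if (buf.begin + length > buf.bytes.size())    // write past Element_Size
        return Append::OutOfRange;
    std::memcpy(buf.bytes.data() + buf.begin, src, length);
    buf.begin += length;
    return Append::Ok;
}

// Constructed scenario with the values quoted in the comment: Pos0 = 7,
// Pos1 = 4256, Element_Size = 2, Buffer_Unsynch_Begin = 4251.
Append reproduce_comment_case() {
    UnsynchBuffer buf{std::vector<uint8_t>(2), 4251};
    uint8_t src[8] = {0};
    return checked_append(buf, 7, 4256, src, sizeof src);
}

// Constructed scenario where the positions are ordered but the write cursor
// already sits far beyond the 2-byte allocation (the second problem noted).
Append reproduce_offset_case() {
    UnsynchBuffer buf{std::vector<uint8_t>(2), 4251};
    uint8_t src[8] = {0};
    return checked_append(buf, 4, 2, src, sizeof src);
}
```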