Package: x264
Version: 2:0.148.2795+gitaaa9aa8-1
Severity: important
Tags: security

Out-of-bounds read while running x264 with the "--crf 24 -o output.264 poc" options

Running 'x264 --crf 24 -o output.264 poc' with the attached file raises an out-of-bounds read, which may allow a remote attacker to cause a denial of service or information disclosure with a crafted file. I expected the program to terminate without a segfault, but the program crashes as follows:

-------------------------------------------
june@yuweol:~/poc/x264/crash1$ x264 --crf 24 -o output.264 poc
Segmentation fault
-------------------------------------------

Breakpoint 1, Vgm_Emu_Impl::run_commands (this=0x5555557aafd0, end_time=2205)
    at /home/june/project/analyze/bins/game-music-emu-0.6.1/gme/Vgm_Emu_Impl.cpp:202
warning: Source file is more recent than executable.
202             pcm_pos = pcm_data + pos [3] * 0x1000000L + pos [2] * 0x10000L +
(gdb) l
197             pos += size;
198             break;
199         }
200
201         case cmd_pcm_seek:
202             pcm_pos = pcm_data + pos [3] * 0x1000000L + pos [2] * 0x10000L +
203                     pos [1] * 0x100L + pos [0];
204             pos += 4;
205             break;
206
(gdb) x/s &pos[0]
0x5555557b2d75: "DEAD\235\235\235\235T\302\\", '\302' <repeats 22 times>, "TTT}\374\270\337U\020"

* Here pcm_pos was calculated based on the value in the pos buffer.
* The values in the pos buffer can be manipulated (in this case the pos buffer starts with "DEAD").

(gdb) c
Continuing.

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff7bbcf73 in Vgm_Emu_Impl::run_commands (this=0x5555557aafd0, end_time=2205)
    at /home/june/project/analyze/bins/game-music-emu-0.6.1/gme/Vgm_Emu_Impl.cpp:212
212             write_pcm( vgm_time, *pcm_pos++ );
(gdb) l
207         default:
208             int cmd = pos [-1];
209             switch ( cmd & 0xF0 )
210             {
211             case cmd_pcm_delay:
212                 write_pcm( vgm_time, *pcm_pos++ );
213                 vgm_time += cmd & 0x0F;
214                 break;
215
216             case cmd_short_delay:

* Later this manipulated pcm_pos is used at line 212, which raises the segmentation fault in this case.

(gdb) bt
#0  0x00007ffff7bbcf73 in Vgm_Emu_Impl::run_commands (this=0x5555557aafd0, end_time=2205)
    at /home/june/project/analyze/bins/game-music-emu-0.6.1/gme/Vgm_Emu_Impl.cpp:212
#1  0x00007ffff7bbc2b8 in Vgm_Emu::run_clocks (this=0x5555557aafd0, time_io=@0x7fffffffcc34: 178977, msec=50)
    at /home/june/project/analyze/bins/game-music-emu-0.6.1/gme/Vgm_Emu.cpp:403
#2  0x00007ffff7b7d047 in Classic_Emu::play_ (this=0x5555557aafd0, count=2048, out=0x5555557b1d10)
    at /home/june/project/analyze/bins/game-music-emu-0.6.1/gme/Classic_Emu.cpp:113
#3  0x00007ffff7bbc31f in Vgm_Emu::play_ (this=0x5555557aafd0, count=2048, out=0x5555557b1d10)
    at /home/june/project/analyze/bins/game-music-emu-0.6.1/gme/Vgm_Emu.cpp:411
#4  0x00007ffff7b8692b in Music_Emu::emu_play (this=0x5555557aafd0, count=2048, out=0x5555557b1d10)
    at /home/june/project/analyze/bins/game-music-emu-0.6.1/gme/Music_Emu.cpp:305
#5  0x00007ffff7b86a4d in Music_Emu::fill_buf (this=0x5555557aafd0)
    at /home/june/project/analyze/bins/game-music-emu-0.6.1/gme/Music_Emu.cpp:327
#6  0x00007ffff7b86ecc in Music_Emu::play (this=0x5555557aafd0, out_count=256, out=0x5555557da6c0)
    at /home/june/project/analyze/bins/game-music-emu-0.6.1/gme/Music_Emu.cpp:400
#7  0x00007ffff7b82a1f in gme_play (me=0x5555557aafd0, n=256, p=0x5555557da6c0)
    at /home/june/project/analyze/bins/game-music-emu-0.6.1/gme/gme.cpp:336
#8  0x00007ffff67f2e1d in ?? () from /usr/lib/x86_64-linux-gnu/libavformat.so.57
#9  0x00007ffff68d870a in ?? () from /usr/lib/x86_64-linux-gnu/libavformat.so.57
#10 0x00007ffff68d937c in ?? () from /usr/lib/x86_64-linux-gnu/libavformat.so.57
#11 0x00007ffff68db320 in avformat_find_stream_info () from /usr/lib/x86_64-linux-gnu/libavformat.so.57
#12 0x00007ffff6b9a0af in ?? () from /usr/lib/x86_64-linux-gnu/libffms2.so.4
#13 0x00007ffff6b9620a in ?? () from /usr/lib/x86_64-linux-gnu/libffms2.so.4
#14 0x00007ffff6b9399c in FFMS_CreateIndexerWithDemuxer () from /usr/lib/x86_64-linux-gnu/libffms2.so.4
#15 0x000055555556b60a in ?? ()
#16 0x000055555555c93d in ?? ()
#17 0x00007ffff426c2e1 in __libc_start_main (main=0x55555555a030, argc=6, argv=0x7fffffffe208, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe1f8)
    at ../csu/libc-start.c:291
#18 0x000055555555cb3a in ?? ()
-------------------------------------------

This bug was found with a fuzzer developed by the 'SoftSec' group at KAIST.

-- System Information:
Debian Release: buster/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'testing-debug'), (500, 'stable-updates'), (500, 'testing'), (500, 'stable'), (1, 'experimental-debug')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-3-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages x264 depends on:
ii  libavcodec57   7:3.3.4-2+b2
ii  libavformat57  7:3.3.4-2+b2
ii  libavutil55    7:3.3.4-2+b2
ii  libc6          2.24-17
ii  libffms2-4     2.23-1
ii  libgpac4       0.5.2-426-gc5ad4e4+dfsg5-3+b1
ii  libswscale4    7:3.3.4-2+b2
ii  libx264-148    2:0.148.2795+gitaaa9aa8-1
ii  zlib1g         1:1.2.8.dfsg-5

x264 recommends no packages.

x264 suggests no packages.

-- no debconf information
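The gdb session above shows the defect pattern: cmd_pcm_seek turns four file-controlled bytes into a pointer into the PCM data bank with no check that the result lies inside the bank, and cmd_pcm_delay later dereferences it. The following is an added example (not game-music-emu code, and not taken from this report) of the same two operations written so that the seek offset is validated against the bank size before it is used; the opcode values kCmdPcmSeek and kCmdPcmDelay are assumptions taken from the VGM format, the function and struct names are mine, and the inputs in main() are constructed, with the "DEAD" bytes from the report reused as a seek operand.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

// Added example, not game-music-emu code. It mirrors the two operations the
// gdb session shows (cmd_pcm_seek computing pcm_pos from four file bytes, and
// cmd_pcm_delay dereferencing pcm_pos) and adds the validation that keeps a
// file-controlled offset inside the PCM data bank.
// Opcode values are assumptions taken from the VGM format, not from the page.
static const uint8_t kCmdPcmSeek  = 0xE0; // seek: 4-byte little-endian offset follows
static const uint8_t kCmdPcmDelay = 0x80; // 0x8n: emit one PCM byte, then wait n samples

struct PcmResult {
    std::vector<uint8_t> written;  // bytes that would have reached write_pcm()
    bool rejected;                 // true if the stream tried to read outside the bank
    size_t reject_at;              // command-stream offset where it was stopped
};

// Hardened interpreter: pcm_pos is an index validated against pcm_data.size(),
// never a raw pointer derived from file contents.
PcmResult run_commands_checked(const std::vector<uint8_t>& pcm_data,
                               const std::vector<uint8_t>& cmds)
{
    PcmResult r{ {}, false, 0 };
    size_t pcm_pos = 0;
    size_t i = 0;
    while (i < cmds.size()) {
        size_t cmd_at = i;
        uint8_t cmd = cmds[i++];
        if (cmd == kCmdPcmSeek) {
            if (cmds.size() - i < 4) {            // operand truncated by the file
                r.rejected = true; r.reject_at = cmd_at; break;
            }
            // Same byte order as the original expression pos[3]*0x1000000 + ... + pos[0].
            uint32_t off = (uint32_t)cmds[i + 3] << 24 | (uint32_t)cmds[i + 2] << 16 |
                           (uint32_t)cmds[i + 1] << 8  | (uint32_t)cmds[i];
            i += 4;
            if (off > pcm_data.size()) {          // the missing check: stay inside the bank
                r.rejected = true; r.reject_at = cmd_at; break;
            }
            pcm_pos = off;
        } else if ((cmd & 0xF0) == kCmdPcmDelay) {
            if (pcm_pos >= pcm_data.size()) {     // walking off the end is also an OOB read
                r.rejected = true; r.reject_at = cmd_at; break;
            }
            r.written.push_back(pcm_data[pcm_pos++]);
        } else {
            // Unknown opcode: stop instead of guessing its operand length.
            r.rejected = true; r.reject_at = cmd_at; break;
        }
    }
    return r;
}

int main()
{
    // Constructed inputs: a 4-byte PCM bank and two command streams. The second
    // stream carries the "DEAD" bytes from the report as its seek operand.
    std::vector<uint8_t> bank = {10, 20, 30, 40};
    std::vector<uint8_t> good = {kCmdPcmSeek, 2, 0, 0, 0, 0x80, 0x81};
    std::vector<uint8_t> bad  = {kCmdPcmSeek, 'D', 'E', 'A', 'D', 0x80};
    PcmResult a = run_commands_checked(bank, good);
    PcmResult b = run_commands_checked(bank, bad);
    std::printf("good: rejected=%d bytes=%zu\n", (int)a.rejected, a.written.size());
    std::printf("bad:  rejected=%d at command offset %zu\n", (int)b.rejected, b.reject_at);
    return 0;
}
```

Keeping pcm_pos as an index rather than a pointer means every read goes through one bounds comparison, so a seek to an offset beyond the bank and a delay command that walks past its end are both refused at the command that caused them instead of being discovered as a SIGSEGV several frames up in avformat_find_stream_info.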
poc
Description: Binary data