heap-buffer-overflow on demux_sys_t::FreeUnused
git log
commit 3426d7bcf98fee15c239ea2b3d815c613df82efe (HEAD -> master, origin/master, origin/HEAD)
Author: Marvin Scholz <epirat07@gmail.com>
Date: Wed Jun 19 13:32:58 2019 +0200
contrib: Do not pass debug/optim flags to meson
This fixes the meson underscore prefix test, which misbehaves
when -g is passed, as it would detect the debug string without
underscore first and incorrectly report that no underscore
prefix for symbols is used.
Fixes build issues with dav1d, which relies on the underscore
prefix check.
See: https://github.com/mesonbuild/meson/issues/5482
Signed-off-by: Hugo Beauzée-Luyssen <hugo@beauzee.fr>
./vlc ../fuzz/heap-over-flow.mp4
VLC media player 4.0.0-dev Otto Chriek (revision 3426d7b)
[0000611000000180] main libvlc: Running vlc with the default interface. Use 'cvlc' to use vlc without interface.
=================================================================
==554==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000042ec0 at pc 0x7f5ac8069f19 bp 0x7f5ad9b59cf0 sp 0x7f5ad9b59ce8
READ of size 8 at 0x602000042ec0 thread T5
#0 0x7f5ac8069f18 in mkv::demux_sys_t::FreeUnused() /home/fuzz/Desktop/fuzz-vlc/vlc/modules/demux/mkv/demux.cpp:267:34
#1 0x7f5ac8118b73 in mkv::Open(vlc_object_t*) /home/fuzz/Desktop/fuzz-vlc/vlc/modules/demux/mkv/mkv.cpp:257:12
#2 0x7f5af2d3cffb in demux_Probe /home/fuzz/Desktop/fuzz-vlc/vlc/src/input/demux.c:180:15
#3 0x7f5af2cb1b96 in module_load /home/fuzz/Desktop/fuzz-vlc/vlc/src/modules/modules.c:122:15
#4 0x7f5af2cb0d89 in vlc_module_load /home/fuzz/Desktop/fuzz-vlc/vlc/src/modules/modules.c:194:23
#5 0x7f5af2d3c3c6 in demux_NewAdvanced /home/fuzz/Desktop/fuzz-vlc/vlc/src/input/demux.c:248:20
#6 0x7f5af2da9f9d in InputDemuxNew /home/fuzz/Desktop/fuzz-vlc/vlc/src/input/input.c:2403:22
#7 0x7f5af2da0c68 in InputSourceNew /home/fuzz/Desktop/fuzz-vlc/vlc/src/input/input.c:2511:23
#8 0x7f5af2d9ba03 in Init /home/fuzz/Desktop/fuzz-vlc/vlc/src/input/input.c:1276:14
#9 0x7f5af2d97fdf in Preparse /home/fuzz/Desktop/fuzz-vlc/vlc/src/input/input.c:497:10
#10 0x4e800e in __asan::AsanThread::ThreadStart(unsigned long, __sanitizer::atomic_uintptr_t*) (/home/fuzz/Desktop/fuzz-vlc/vlc/bin/vlc-static+0x4e800e)
#11 0x7f5af21506da in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76da)
#12 0x7f5af185588e in clone /build/glibc-OTsEL5/glibc-2.27/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95
0x602000042ec0 is located 16 bytes to the left of 8-byte region [0x602000042ed0,0x602000042ed8)
allocated by thread T5 here:
#0 0x4da3e0 in malloc (/home/fuzz/Desktop/fuzz-vlc/vlc/bin/vlc-static+0x4da3e0)
#1 0x7f5ad6432257 in operator new(unsigned long) (/usr/lib/x86_64-linux-gnu/libstdc++.so.6+0x93257)
#2 0x7f5ac812b68f in std::allocator_traits<std::allocator<mkv::matroska_stream_c*> >::allocate(std::allocator<mkv::matroska_stream_c*>&, unsigned long) /usr/bin/../lib/gcc/x86_64-linux-gnu/7.4.0/../../../../include/c++/7.4.0/bits/alloc_traits.h:436:20
#3 0x7f5ac812b264 in std::_Vector_base<mkv::matroska_stream_c*, std::allocator<mkv::matroska_stream_c*> >::_M_allocate(unsigned long) /usr/bin/../lib/gcc/x86_64-linux-gnu/7.4.0/../../../../include/c++/7.4.0/bits/stl_vector.h:172:20
#4 0x7f5ac812a5dd in void std::vector<mkv::matroska_stream_c*, std::allocator<mkv::matroska_stream_c*> >::_M_realloc_insert<mkv::matroska_stream_c* const&>(__gnu_cxx::__normal_iterator<mkv::matroska_stream_c**, std::vector<mkv::matroska_stream_c*, std::allocator<mkv::matroska_stream_c*> > >, mkv::matroska_stream_c* const&) /usr/bin/../lib/gcc/x86_64-linux-gnu/7.4.0/../../../../include/c++/7.4.0/bits/vector.tcc:406:33
#5 0x7f5ac8128d91 in std::vector<mkv::matroska_stream_c*, std::allocator<mkv::matroska_stream_c*> >::push_back(mkv::matroska_stream_c* const&) /usr/bin/../lib/gcc/x86_64-linux-gnu/7.4.0/../../../../include/c++/7.4.0/bits/stl_vector.h:948:4
#6 0x7f5ac8116fae in mkv::Open(vlc_object_t*) /home/fuzz/Desktop/fuzz-vlc/vlc/modules/demux/mkv/mkv.cpp:134:20
#7 0x7f5af2d3cffb in demux_Probe /home/fuzz/Desktop/fuzz-vlc/vlc/src/input/demux.c:180:15
#8 0x7f5af2cb1b96 in module_load /home/fuzz/Desktop/fuzz-vlc/vlc/src/modules/modules.c:122:15
#9 0x7f5af2cb0d89 in vlc_module_load /home/fuzz/Desktop/fuzz-vlc/vlc/src/modules/modules.c:194:23
#10 0x7f5af2d3c3c6 in demux_NewAdvanced /home/fuzz/Desktop/fuzz-vlc/vlc/src/input/demux.c:248:20
#11 0x7f5af2da9f9d in InputDemuxNew /home/fuzz/Desktop/fuzz-vlc/vlc/src/input/input.c:2403:22
#12 0x7f5af2da0c68 in InputSourceNew /home/fuzz/Desktop/fuzz-vlc/vlc/src/input/input.c:2511:23
#13 0x7f5af2d9ba03 in Init /home/fuzz/Desktop/fuzz-vlc/vlc/src/input/input.c:1276:14
#14 0x7f5af2d97fdf in Preparse /home/fuzz/Desktop/fuzz-vlc/vlc/src/input/input.c:497:10
#15 0x4e800e in __asan::AsanThread::ThreadStart(unsigned long, __sanitizer::atomic_uintptr_t*) (/home/fuzz/Desktop/fuzz-vlc/vlc/bin/vlc-static+0x4e800e)
Thread T5 created by T4 here:
#0 0x4335b0 in __interceptor_pthread_create (/home/fuzz/Desktop/fuzz-vlc/vlc/bin/vlc-static+0x4335b0)
#1 0x7f5af2f6bacd in vlc_clone_attr /home/fuzz/Desktop/fuzz-vlc/vlc/src/posix/thread.c:421:11
#2 0x7f5af2f6b52c in vlc_clone /home/fuzz/Desktop/fuzz-vlc/vlc/src/posix/thread.c:433:12
#3 0x7f5af2d97b28 in input_Start /home/fuzz/Desktop/fuzz-vlc/vlc/src/input/input.c:176:25
#4 0x7f5af2d0cd29 in input_item_Parse /home/fuzz/Desktop/fuzz-vlc/vlc/src/input/item.c:1397:27
#5 0x7f5af2cfb62c in PreparserOpenInput /home/fuzz/Desktop/fuzz-vlc/vlc/src/preparser/preparser.c:133:20
#6 0x7f5af2ee847d in Thread /home/fuzz/Desktop/fuzz-vlc/vlc/src/misc/background_worker.c:234:13
#7 0x4e800e in __asan::AsanThread::ThreadStart(unsigned long, __sanitizer::atomic_uintptr_t*) (/home/fuzz/Desktop/fuzz-vlc/vlc/bin/vlc-static+0x4e800e)
Thread T4 created by T0 here:
#0 0x4335b0 in __interceptor_pthread_create (/home/fuzz/Desktop/fuzz-vlc/vlc/bin/vlc-static+0x4335b0)
#1 0x7f5af2f6bacd in vlc_clone_attr /home/fuzz/Desktop/fuzz-vlc/vlc/src/posix/thread.c:421:11
#2 0x7f5af2f6bfdf in vlc_clone_detach /home/fuzz/Desktop/fuzz-vlc/vlc/src/posix/thread.c:483:12
#3 0x7f5af2ee6c06 in SpawnThread /home/fuzz/Desktop/fuzz-vlc/vlc/src/misc/background_worker.c:277:9
#4 0x7f5af2ee674d in background_worker_Push /home/fuzz/Desktop/fuzz-vlc/vlc/src/misc/background_worker.c:305:9
#5 0x7f5af2cfc46f in input_preparser_Push /home/fuzz/Desktop/fuzz-vlc/vlc/src/preparser/preparser.c:285:9
#6 0x7f5af2c52752 in vlc_MetadataRequest /home/fuzz/Desktop/fuzz-vlc/vlc/src/libvlc.c:523:5
#7 0x7f5af2ce5a20 in vlc_playlist_Preparse /home/fuzz/Desktop/fuzz-vlc/vlc/src/playlist/preparse.c:123:5
#8 0x7f5af2ce5b14 in vlc_playlist_AutoPreparse /home/fuzz/Desktop/fuzz-vlc/vlc/src/playlist/preparse.c:132:9
#9 0x7f5af2cd71d5 in vlc_playlist_ItemsInserted /home/fuzz/Desktop/fuzz-vlc/vlc/src/playlist/content.c:82:9
#10 0x7f5af2cd60fa in vlc_playlist_Insert /home/fuzz/Desktop/fuzz-vlc/vlc/src/playlist/content.c:285:5
#11 0x7f5af2cd2f05 in vlc_playlist_InsertOne /home/fuzz/Desktop/fuzz-vlc/vlc/src/../include/vlc_playlist.h:458:12
#12 0x7f5af2cd2d78 in intf_InsertItem /home/fuzz/Desktop/fuzz-vlc/vlc/src/interface/interface.c:218:19
#13 0x7f5af2c523dc in GetFilenames /home/fuzz/Desktop/fuzz-vlc/vlc/src/libvlc.c:499:9
#14 0x7f5af2c50ed7 in libvlc_InternalInit /home/fuzz/Desktop/fuzz-vlc/vlc/src/libvlc.c:350:5
#15 0x7f5af32f4512 in libvlc_new /home/fuzz/Desktop/fuzz-vlc/vlc/lib/core.c:57:9
#16 0x5130bf in main /home/fuzz/Desktop/fuzz-vlc/vlc/bin/vlc.c:229:30
#17 0x7f5af1755b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/fuzz/Desktop/fuzz-vlc/vlc/modules/demux/mkv/demux.cpp:267:34 in mkv::demux_sys_t::FreeUnused()
Shadow bytes around the buggy address:
0x0c0480000580: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
0x0c0480000590: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
0x0c04800005a0: fa fa fd fd fa fa fd fd fa fa 00 02 fa fa fd fd
0x0c04800005b0: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
0x0c04800005c0: fa fa 00 00 fa fa fd fd fa fa fd fd fa fa fd fd
=>0x0c04800005d0: fa fa fd fd fa fa fd fd[fa]fa 00 fa fa fa fd fa
0x0c04800005e0: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
0x0c04800005f0: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
0x0c0480000600: fa fa fd fa fa fa fd fd fa fa fd fa fa fa fd fa
0x0c0480000610: fa fa fd fd fa fa fd fa fa fa fd fd fa fa fd fd
0x0c0480000620: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==554==ABORTING
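Reading the report: the allocation stack shows that the 8-byte region is the backing store of a `std::vector<mkv::matroska_stream_c*>` that `mkv::Open` (mkv.cpp:134) grew with `push_back`, so on this 64-bit build it holds exactly one pointer. The faulting 8-byte read at demux.cpp:267 lands 16 bytes before that region, which is two pointer slots before element 0. The C++ below is an added example, not VLC code and not the reporter's: `describe_access` and `element_index` redo that arithmetic on the addresses taken from this report, and `reproduce_negative_index` is a constructed, hypothetical one-element-vector / index -2 pattern that produces the same shape of ASan report when built with `-fsanitize=address`. The page carries no VLC source, so the example does not claim this is the actual defect in `FreeUnused`.

```cpp
// Added example (not VLC code): decode an ASan "located N bytes to the
// left of M-byte region" line and reproduce the same bug class.
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <string>
#include <vector>

struct Region { std::uintptr_t lo, hi; };  // half-open heap region [lo, hi)

// Phrase an access relative to a heap region the way ASan does,
// e.g. "16 bytes to the left of 8-byte region".
std::string describe_access(std::uintptr_t addr, Region r) {
    std::size_t size = r.hi - r.lo;
    if (addr < r.lo)
        return std::to_string(r.lo - addr) + " bytes to the left of " +
               std::to_string(size) + "-byte region";
    if (addr >= r.hi)
        return std::to_string(addr - r.hi) + " bytes to the right of " +
               std::to_string(size) + "-byte region";
    return std::to_string(addr - r.lo) + " bytes inside " +
           std::to_string(size) + "-byte region";
}

// Element index implied by a pointer-sized read at addr, relative to a
// buffer of T* starting at r.lo (negative means before the first element).
long element_index(std::uintptr_t addr, Region r) {
    return static_cast<long>((static_cast<std::intptr_t>(addr) -
                              static_cast<std::intptr_t>(r.lo)) /
                             static_cast<std::intptr_t>(sizeof(void*)));
}

struct stream { int id; };  // hypothetical stand-in for a stream object

// Constructed reproduction of the bug class (hypothetical, not FreeUnused):
// a one-element vector of pointers is an 8-byte heap region on LP64, and a
// pointer-sized read at element index -2 hits 16 bytes before it. Built
// with -fsanitize=address this aborts with "heap-buffer-overflow ... READ of
// size 8" and "16 bytes to the left of 8-byte region", as in the report.
void reproduce_negative_index(void) {
    std::vector<stream*> streams;
    streams.push_back(new stream{1});
    volatile std::ptrdiff_t i = -2;     // volatile so the compiler cannot fold the load
    stream* s = streams.data()[i];      // out-of-bounds read -> ASan report
    std::printf("%p\n", static_cast<void*>(s));
    delete streams[0];
}

int main() {
    // Addresses copied from the report above.
    Region r{0x602000042ed0, 0x602000042ed8};
    std::uintptr_t fault = 0x602000042ec0;
    std::puts(describe_access(fault, r).c_str());          // 16 bytes to the left of 8-byte region
    std::printf("element index %ld\n", element_index(fault, r));  // element index -2
    reproduce_negative_index();
    return 0;
}
```

Build with `g++ -std=c++17 -g -fsanitize=address` and run; the first two lines print the decoded offset, then ASan aborts on the constructed read with the same "located 16 bytes to the left of 8-byte region" note. Without the sanitizer the same read silently returns whatever sits in the allocator's metadata before the block, which is why this class of bug only shows up reliably under fuzzing with ASan enabled.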