[ authorization ] [ registration ] [ restore account ]
Contact us
You can contact us by:
0day Today Exploits Market and 0day Exploits Database

GStreamer gst-plugins-bad Plugin - NULL Pointer Dereference Vulnerability

Author
Hanno Boeck
Risk
[
Security Risk Medium
]
0day-ID
0day-ID-27939
Category
dos / poc
Date add
13-06-2017
CVE
CVE-2016-9813
Platform
linux
Source: https://bugzilla.gnome.org/show_bug.cgi?id=775120
 
The attached file will cause a null pointer access and segfault in the mpegts parser. Current git code, found with afl.
 
ASAN stack trace:
=================================================================
==32545==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7fe957185495 bp 0x60200002cf7a sp 0x7fe956e027a0 T2)
==32545==The signal is caused by a WRITE memory access.
==32545==Hint: address points to the zero page.
    #0 0x7fe957185494 in _parse_pat /f/gstreamer/gst-plugins-bad/gst-libs/gst/mpegts/gstmpegtssection.c:441:32
    #1 0x7fe957184058 in __common_section_checks /f/gstreamer/gst-plugins-bad/gst-libs/gst/mpegts/gstmpegtssection.c:166:9
    #2 0x7fe95718522f in gst_mpegts_section_get_pat /f/gstreamer/gst-plugins-bad/gst-libs/gst/mpegts/gstmpegtssection.c:480:9
    #3 0x7fe957438b9a in mpegts_base_apply_pat /f/gstreamer/gst-plugins-bad/gst/mpegtsdemux/mpegtsbase.c:942:20
    #4 0x7fe957438b9a in mpegts_base_handle_psi /f/gstreamer/gst-plugins-bad/gst/mpegtsdemux/mpegtsbase.c:1155
    #5 0x7fe957437cd1 in mpegts_base_chain /f/gstreamer/gst-plugins-bad/gst/mpegtsdemux/mpegtsbase.c:1424:11
    #6 0x7fe9574341e7 in mpegts_base_loop /f/gstreamer/gst-plugins-bad/gst/mpegtsdemux/mpegtsbase.c:1589:13
    #7 0x7fe9644305c3 in gst_task_func /f/gstreamer/gstreamer/gst/gsttask.c:334:5
    #8 0x7fe96362f867  (/usr/lib64/libglib-2.0.so.0+0x70867)
    #9 0x7fe96362eed4  (/usr/lib64/libglib-2.0.so.0+0x6fed4)
    #10 0x7fe9630ac443 in start_thread (/lib64/libpthread.so.0+0x7443)
    #11 0x7fe962bdb92c in clone (/lib64/libc.so.6+0xe792c)
 
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /f/gstreamer/gst-plugins-bad/gst-libs/gst/mpegts/gstmpegtssection.c:441:32 in _parse_pat
Thread T2 (tsdemux0:sink) created by T1 (typefind:sink) here:
    #0 0x42e26d in __interceptor_pthread_create (/usr/bin/gst-discoverer-1.0+0x42e26d)
    #1 0x7fe96364cadf  (/usr/lib64/libglib-2.0.so.0+0x8dadf)
 
Thread T1 (typefind:sink) created by T0 here:
    #0 0x42e26d in __interceptor_pthread_create (/usr/bin/gst-discoverer-1.0+0x42e26d)
    #1 0x7fe96364cadf  (/usr/lib64/libglib-2.0.so.0+0x8dadf)
 
==32545==ABORTING
 
 
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/42162.zip

#  0day.today [2024-12-24]  #