You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Impact:
A heap-buffer-overflow vulnerability can lead to application crashes, data corruption, security vulnerabilities, and system instability.
Steps to Reproduce:
Build the affected software (asdcplib) after enabling AddressSanitizer.
Execute any of the affected binaries (asdcp-info, asdcp-unwrap) with provided poc that triggers the vulnerable code path.
Observe the AddressSanitizer report indicating a heap-buffer-overflow error.
Example Output (AddressSanitizer):
=================================================================
==3302077==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60e0000008c9 at pc 0x7f438b4876ae bp 0x7fff15258e00 sp 0x7fff15258df8
READ of size 16 at 0x60e0000008c9 thread T0
#0 0x7f438b4876ad in ASDCP::TimedText::MXFReader::h__Reader::MD_to_TimedText_TDesc(ASDCP::TimedText::TimedTextDescriptor&) (/mnt/fast/DCP/asdcplib/build-asan/src/libasdcp.so.2+0x38b6ad)
#1 0x7f438b487ff6 in ASDCP::TimedText::MXFReader::h__Reader::OpenRead(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) (/mnt/fast/DCP/asdcplib/build-asan/src/libasdcp.so.2+0x38bff6)
#2 0x7f438b48934b in ASDCP::TimedText::MXFReader::OpenRead(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) const (/mnt/fast/DCP/asdcplib/build-asan/src/libasdcp.so.2+0x38d34b)
#3 0x5607797159f7 in FileInfoWrapper<ASDCP::TimedText::MXFReader, MyTextDescriptor>::file_info(CommandOptions&, char const*, _IO_FILE*) (/mnt/fast/DCP/asdcplib/build-asan/src/asdcp-info+0x269f7)
#4 0x560779703ffa in show_file_info(CommandOptions&, Kumu::IFileReaderFactory const&) (/mnt/fast/DCP/asdcplib/build-asan/src/asdcp-info+0x14ffa)
#5 0x560779705652 in main (/mnt/fast/DCP/asdcplib/build-asan/src/asdcp-info+0x16652)
#6 0x7f438ad0fd09 in __libc_start_main ../csu/libc-start.c:308
#7 0x560779702859 in _start (/mnt/fast/DCP/asdcplib/build-asan/src/asdcp-info+0x13859)
0x60e0000008c9 is located 9 bytes to the right of 160-byte region [0x60e000000820,0x60e0000008c0)
allocated by thread T0 here:
#0 0x7f438b7c8647 in operator new(unsigned long) ../../../../src/libsanitizer/asan/asan_new_delete.cpp:99
#1 0x7f438b38ccef in ContainerConstraintsSubDescriptor_Factory(ASDCP::Dictionary const*) (/mnt/fast/DCP/asdcplib/build-asan/src/libasdcp.so.2+0x290cef)
#2 0x7f438b346f1d in ASDCP::MXF::CreateObject(ASDCP::Dictionary const*, ASDCP::UL const&) (/mnt/fast/DCP/asdcplib/build-asan/src/libasdcp.so.2+0x24af1d)
#3 0x7f438b33de72 in ASDCP::MXF::OP1aHeader::InitFromBuffer(unsigned char const*, unsigned int) (/mnt/fast/DCP/asdcplib/build-asan/src/libasdcp.so.2+0x241e72)
#4 0x7f438b33d389 in ASDCP::MXF::OP1aHeader::InitFromFile(Kumu::IFileReader const&) (/mnt/fast/DCP/asdcplib/build-asan/src/libasdcp.so.2+0x241389)
#5 0x7f438b43c97a in ASDCP::MXF::TrackFileReader<ASDCP::MXF::OP1aHeader, ASDCP::MXF::OPAtomIndexFooter>::OpenMXFRead(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) (/mnt/fast/DCP/asdcplib/build-asan/src/libasdcp.so.2+0x34097a)
#6 0x7f438b431f6e in ASDCP::h__ASDCPReader::OpenMXFRead(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) (/mnt/fast/DCP/asdcplib/build-asan/src/libasdcp.so.2+0x335f6e)
#7 0x7f438b487cf6 in ASDCP::TimedText::MXFReader::h__Reader::OpenRead(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) (/mnt/fast/DCP/asdcplib/build-asan/src/libasdcp.so.2+0x38bcf6)
#8 0x7f438b48934b in ASDCP::TimedText::MXFReader::OpenRead(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) const (/mnt/fast/DCP/asdcplib/build-asan/src/libasdcp.so.2+0x38d34b)
#9 0x5607797159f7 in FileInfoWrapper<ASDCP::TimedText::MXFReader, MyTextDescriptor>::file_info(CommandOptions&, char const*, _IO_FILE*) (/mnt/fast/DCP/asdcplib/build-asan/src/asdcp-info+0x269f7)
#10 0x560779703ffa in show_file_info(CommandOptions&, Kumu::IFileReaderFactory const&) (/mnt/fast/DCP/asdcplib/build-asan/src/asdcp-info+0x14ffa)
#11 0x560779705652 in main (/mnt/fast/DCP/asdcplib/build-asan/src/asdcp-info+0x16652)
#12 0x7f438ad0fd09 in __libc_start_main ../csu/libc-start.c:308
SUMMARY: AddressSanitizer: heap-buffer-overflow (/mnt/fast/DCP/asdcplib/build-asan/src/libasdcp.so.2+0x38b6ad) in ASDCP::TimedText::MXFReader::h__Reader::MD_to_TimedText_TDesc(ASDCP::TimedText::TimedTextDescriptor&)
Shadow bytes around the buggy address:
0x0c1c7fff80c0: fd fd fd fd fa fa fa fa fa fa fa fa 00 00 00 00
0x0c1c7fff80d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c1c7fff80e0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
0x0c1c7fff80f0: fd fd fd fd fd fd fd fd fd fd fd fd fa fa fa fa
0x0c1c7fff8100: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c1c7fff8110: 00 00 00 00 00 00 00 00 fa[fa]fa fa fa fa fa fa
0x0c1c7fff8120: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c1c7fff8130: fd fd fd fd fa fa fa fa fa fa fa fa 00 00 00 00
0x0c1c7fff8140: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c1c7fff8150: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
0x0c1c7fff8160: 00 00 00 00 00 00 00 00 00 00 00 00 fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==3302077==ABORTING
Title: AddressSanitizer: heap-buffer-overflow on address in ASDCP::TimedText::MXFReader::h__Reader::MD_to_TimedText_TDesc
Description:
I found a heap-buffer-overflow when testing the asdcplib library, specifically in the MD_to_TimedText_TDesc function.
Affected Software:
Impact:
A heap-buffer-overflow vulnerability can lead to application crashes, data corruption, security vulnerabilities, and system instability.
Steps to Reproduce:
Example Output (AddressSanitizer):
POC:
poc.zip
Disclosure Timeline:
Acknowledgments:
This vulnerability was discovered and reported by 0xd4n.
Please let me know if you require any further information or assistance.
The text was updated successfully, but these errors were encountered: