Null Pointer Dereference in ASDCP::KLVFilePacket::InitFromFile Function #139

0xd4n10 opened this issue May 31, 2024 · 0 comments

0xd4n10 commented May 31, 2024

Description:

A null pointer dereference vulnerability has been identified in the ASDCP::KLVFilePacket::InitFromFile function of the asdcplib library.
The vulnerability arises from a lack of proper validation of the MXF input file, which allows a null pointer to be dereferenced.
This results in a segmentation fault, causing a potential denial of service (DoS).

Affected Software:

Software: asdcplib
Version: 2.13.1
Operating System: Debian 11
Kernel: Linux debian 5.10.0-28-amd64 #1 SMP Debian 5.10.209-2 (2024-01-31) x86_64 GNU/Linux

Steps to Reproduce:

Build the affected software (asdcplib) after enabling AddressSanitizer.
Execute any of the affected binaries (asdcp-info, asdcp-unwrap) with the provided PoC that triggers the vulnerable code path.
Observe the AddressSanitizer report indicating a null pointer dereference error.

Valgrind output:

==413847== Memcheck, a memory error detector
==413847== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==413847== Using Valgrind-3.16.1 and LibVEX; rerun with -h for copyright info
==413847== Command: ./asdcp-info ../../../ASDCP-WRITE.mxf
==413847== 
==413847== Invalid write of size 8
==413847==    at 0x4919BE8: ASDCP::KLVFilePacket::InitFromFile(Kumu::IFileReader const&) (src/KLV.cpp:245)
==413847==    by 0x4919970: ASDCP::KLVFilePacket::InitFromFile(Kumu::IFileReader const&, ASDCP::UL const&) (src/KLV.cpp:193)
==413847==    by 0x49227A1: ASDCP::MXF::RIP::InitFromFile(Kumu::IFileReader const&) (src/MXF.cpp:124)
==413847==    by 0x4981DFC: ASDCP::MXF::TrackFileReader<ASDCP::MXF::OP1aHeader, ASDCP::MXF::OPAtomIndexFooter>::OpenMXFRead(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) (src/AS_DCP_internal.h:253)
==413847==    by 0x4981722: ASDCP::h__ASDCPReader::OpenMXFRead(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) (src/h__Reader.cpp:75)
==413847==    by 0x49972F0: ASDCP::PCM::MXFReader::h__Reader::OpenRead(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) (src/AS_DCP_PCM.cpp:269)
==413847==    by 0x49981A8: ASDCP::PCM::MXFReader::OpenRead(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) const (src/AS_DCP_PCM.cpp:435)
==413847==    by 0x432AF2: FileInfoWrapper<ASDCP::PCM::MXFReader, MyAudioDescriptor>::file_info(CommandOptions&, char const*, _IO_FILE*) (src/asdcp-info.cpp:323)
==413847==    by 0x4306B9: show_file_info(CommandOptions&, Kumu::IFileReaderFactory const&) (src/asdcp-info.cpp:554)
==413847==    by 0x4365DF: main (src/asdcp-info.cpp:703)
==413847==  Address 0x0 is not stack'd, malloc'd or (recently) free'd
==413847== 
UndefinedBehaviorSanitizer:DEADLYSIGNAL
==413847==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x000000000000 (pc 0x000004919be8 bp 0x000000000015 sp 0x001ffefff220 T413847)
==413847==The signal is caused by a WRITE memory access.
==413847==Hint: address points to the zero page.
==414057== Warning: invalid file descriptor 1024 in syscall close()
    #0 0x4919be8 in ASDCP::KLVFilePacket::InitFromFile(Kumu::IFileReader const&) /mnt/data/DCP/asdcplib/src/KLV.cpp:245:11
    #1 0x4919970 in ASDCP::KLVFilePacket::InitFromFile(Kumu::IFileReader const&, ASDCP::UL const&) /mnt/data/DCP/asdcplib/src/KLV.cpp:193:36
    #2 0x49227a1 in ASDCP::MXF::RIP::InitFromFile(Kumu::IFileReader const&) /mnt/data/DCP/asdcplib/src/MXF.cpp:124:36
    #3 0x4981dfc in ASDCP::MXF::TrackFileReader<ASDCP::MXF::OP1aHeader, ASDCP::MXF::OPAtomIndexFooter>::OpenMXFRead(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /mnt/data/DCP/asdcplib/src/AS_DCP_internal.h:253:26
    #4 0x4981722 in ASDCP::h__ASDCPReader::OpenMXFRead(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /mnt/data/DCP/asdcplib/src/h__Reader.cpp:75:81
    #5 0x49972f0 in ASDCP::PCM::MXFReader::h__Reader::OpenRead(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /mnt/data/DCP/asdcplib/src/AS_DCP_PCM.cpp:269:21
    #6 0x49981a8 in ASDCP::PCM::MXFReader::OpenRead(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) const /mnt/data/DCP/asdcplib/src/AS_DCP_PCM.cpp:435:20
    #7 0x432af2 in FileInfoWrapper<ASDCP::PCM::MXFReader, MyAudioDescriptor>::file_info(CommandOptions&, char const*, _IO_FILE*) /mnt/data/DCP/asdcplib/src/asdcp-info.cpp:323:23
    #8 0x4306b9 in show_file_info(CommandOptions&, Kumu::IFileReaderFactory const&) /mnt/data/DCP/asdcplib/src/asdcp-info.cpp:554:24
    #9 0x4365df in main /mnt/data/DCP/asdcplib/src/asdcp-info.cpp:703:16
    #10 0x5145d09 in __libc_start_main csu/../csu/libc-start.c:308:16
    #11 0x40e659 in _start (/mnt/fast/DCP/asdcplib/build/src/asdcp-info+0x40e659)

UndefinedBehaviorSanitizer can not provide additional info.
SUMMARY: UndefinedBehaviorSanitizer: SEGV /mnt/data/DCP/asdcplib/src/KLV.cpp:245:11 in ASDCP::KLVFilePacket::InitFromFile(Kumu::IFileReader const&)
==413847==ABORTING
==413847== 
==413847== HEAP SUMMARY:
==413847==     in use at exit: 378,926 bytes in 5,927 blocks
==413847==   total heap usage: 8,877 allocs, 2,950 frees, 581,139 bytes allocated
==413847== 
==413847== LEAK SUMMARY:
==413847==    definitely lost: 0 bytes in 0 blocks
==413847==    indirectly lost: 0 bytes in 0 blocks
==413847==      possibly lost: 0 bytes in 0 blocks
==413847==    still reachable: 378,926 bytes in 5,927 blocks
==413847==         suppressed: 0 bytes in 0 blocks
==413847== Rerun with --leak-check=full to see details of leaked memory
==413847== 
==413847== For lists of detected and suppressed errors, rerun with: -s
==413847== ERROR SUMMARY: 2 errors from 1 contexts (suppressed: 0 from 0)

POC:
poc.zip

Disclosure Timeline:

Date of Discovery: 31/05/2024
Date Reported to Vendor: 31/05/2024

Acknowledgments:
This vulnerability was discovered and reported by 0xd4n10.

Please let me know if you require any further information or assistance.
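The following script is an added reproduction and triage harness for the steps above; it is not part of the issue and not asdcplib's own code. It assumes asdcplib's top-level CMake build (the SRC, BUILD and POC paths, the build-asan directory and the asdcp-info/asdcp-unwrap binary names under build/src are assumptions matching the paths in the report), rebuilds with ASan and UBSan, runs the PoC, and classifies the sanitizer report so that a fault at page 0 (what this issue shows) is told apart from a wild access or a heap error. The embedded SAMPLE_REPORT is constructed from the decisive lines of the report above so the triage helpers can run without building anything.

```shell
#!/bin/sh
# Added example for this issue; not code from the issue or from asdcplib.
# Rebuilds asdcplib with ASan+UBSan, runs an affected binary on the PoC, and
# triages the sanitizer report (null-page fault vs. wild access vs. ASan error).
#
# Assumptions (not stated on the page):
#   - SRC is an asdcplib checkout with its top-level CMakeLists.txt
#   - POC is the MXF file extracted from poc.zip
#   - GNU coreutils (nproc) and a compiler with -fsanitize support

SRC="${SRC:-$PWD/asdcplib}"
BUILD="${BUILD:-$SRC/build-asan}"
POC="${POC:-$PWD/ASDCP-WRITE.mxf}"

build_with_sanitizers() {
  cmake -S "$SRC" -B "$BUILD" \
    -DCMAKE_BUILD_TYPE=Debug \
    -DCMAKE_C_FLAGS="-fsanitize=address,undefined -fno-omit-frame-pointer" \
    -DCMAKE_CXX_FLAGS="-fsanitize=address,undefined -fno-omit-frame-pointer" \
    -DCMAKE_EXE_LINKER_FLAGS="-fsanitize=address,undefined"
  cmake --build "$BUILD" -j"$(nproc)"
}

# Run one affected binary on the PoC; the report goes to stdout. A crash is the
# expected outcome here, so the non-zero exit status is swallowed on purpose.
run_poc() {
  bin="$1"
  ASAN_OPTIONS=abort_on_error=1:detect_leaks=0 UBSAN_OPTIONS=print_stacktrace=1 \
    "$BUILD/src/$bin" "$POC" 2>&1 || true
}

# Classify a sanitizer report read on stdin:
#   null-deref   fault address in page 0 (this issue): a crash/DoS unless the
#                null base later receives an attacker-controlled offset
#   wild-access  SEGV at some other unmapped address: needs a closer look
#   asan-error   ASan reported a heap/stack error (overflow, use-after-free, ...)
#   no-crash     no sanitizer report in the output
triage_report() {
  report=$(cat)
  case "$report" in
    *"address points to the zero page"*) echo null-deref ;;
    *"SEGV on unknown address"*)         echo wild-access ;;
    *"ERROR: AddressSanitizer"*)         echo asan-error ;;
    *)                                   echo no-crash ;;
  esac
}

# READ or WRITE, taken from the "The signal is caused by a ... memory access" line.
access_kind() {
  awk '/caused by a (READ|WRITE) memory access/ {
         for (i = 1; i <= NF; i++) if ($i == "READ" || $i == "WRITE") { print $i; exit }
       }'
}

# file:line of the innermost frame (#0), with the trailing column number dropped.
faulting_location() {
  awk '/^[ \t]*#0 / { sub(/:[0-9]+$/, "", $NF); print $NF; exit }'
}

# Constructed sample: the decisive lines copied from the UBSan report in this
# issue, so the triage helpers can be exercised without a build.
SAMPLE_REPORT=$(cat <<'EOF'
UndefinedBehaviorSanitizer:DEADLYSIGNAL
==413847==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x000000000000 (pc 0x000004919be8 bp 0x000000000015 sp 0x001ffefff220 T413847)
==413847==The signal is caused by a WRITE memory access.
==413847==Hint: address points to the zero page.
    #0 0x4919be8 in ASDCP::KLVFilePacket::InitFromFile(Kumu::IFileReader const&) /mnt/data/DCP/asdcplib/src/KLV.cpp:245:11
    #1 0x4919970 in ASDCP::KLVFilePacket::InitFromFile(Kumu::IFileReader const&, ASDCP::UL const&) /mnt/data/DCP/asdcplib/src/KLV.cpp:193:36
SUMMARY: UndefinedBehaviorSanitizer: SEGV /mnt/data/DCP/asdcplib/src/KLV.cpp:245:11 in ASDCP::KLVFilePacket::InitFromFile(Kumu::IFileReader const&)
EOF
)

# One-line summary of a report: "<class> <READ|WRITE> <file:line>"
summarise() {
  report=$(cat)
  printf '%s %s %s\n' \
    "$(printf '%s\n' "$report" | triage_report)" \
    "$(printf '%s\n' "$report" | access_kind)" \
    "$(printf '%s\n' "$report" | faulting_location)"
}

if [ "${1:-}" = "run" ]; then
  build_with_sanitizers
  for bin in asdcp-info asdcp-unwrap; do
    printf '%s: ' "$bin"
    run_poc "$bin" | summarise
  done
else
  # Without "run": no build, just classify the embedded sample from the issue.
  printf '%s\n' "$SAMPLE_REPORT" | summarise
fi
```

Invoked as `sh triage.sh run` it builds and runs both affected binaries; with no argument it only classifies the embedded sample, which yields `null-deref WRITE /mnt/data/DCP/asdcplib/src/KLV.cpp:245`. The classification is a heuristic for sorting fuzzer crashes: a fault in page 0 is normally the DoS the issue describes, but whether the null base is combined with attacker-controlled data before the write at KLV.cpp:245 still has to be confirmed by reading that code.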
