Bug#881133: x264: out of bound read while running x264
Joonun Jang
joonun.jang at gmail.com
Wed Nov 8 05:42:58 UTC 2017
Package: x264
Version: 2:0.148.2795+gitaaa9aa8-1
Severity: important
Tags: security
Out-of-bounds read while running x264 with the "--crf 24 -o output.264 poc" option.
Running 'x264 --crf 24 -o output.264 poc' with the attached file raises an out-of-bounds read,
which may allow a remote attacker to cause a denial of service or information disclosure
with a crafted file.
I expected the program to terminate without a segfault, but the program crashes as follows:
-------------------------------------------
june at yuweol:~/poc/x264/crash1$ x264 --crf 24 -o output.264 poc
Segmentation fault
-------------------------------------------
Breakpoint 1, Vgm_Emu_Impl::run_commands (this=0x5555557aafd0, end_time=2205)
at /home/june/project/analyze/bins/game-music-emu-0.6.1/gme/Vgm_Emu_Impl.cpp:202
warning: Source file is more recent than executable.
202 pcm_pos = pcm_data + pos [3] * 0x1000000L + pos [2] * 0x10000L +
(gdb) l
197 pos += size;
198 break;
199 }
200
201 case cmd_pcm_seek:
202 pcm_pos = pcm_data + pos [3] * 0x1000000L + pos [2] * 0x10000L +
203 pos [1] * 0x100L + pos [0];
204 pos += 4;
205 break;
206
(gdb) x/s &pos[0]
0x5555557b2d75: "DEAD\235\235\235\235T\302\\", '\302' <repeats 22 times>, "TTT}\374\270\337U\020"
* Here pcm_pos is calculated from the values in the pos buffer.
* The values in the pos buffer can be manipulated (in this case the pos buffer starts with "DEAD").
(gdb) c
Continuing.
Program received signal SIGSEGV, Segmentation fault.
0x00007ffff7bbcf73 in Vgm_Emu_Impl::run_commands (this=0x5555557aafd0, end_time=2205)
at /home/june/project/analyze/bins/game-music-emu-0.6.1/gme/Vgm_Emu_Impl.cpp:212
212 write_pcm( vgm_time, *pcm_pos++ );
(gdb) l
207 default:
208 int cmd = pos [-1];
209 switch ( cmd & 0xF0 )
210 {
211 case cmd_pcm_delay:
212 write_pcm( vgm_time, *pcm_pos++ );
213 vgm_time += cmd & 0x0F;
214 break;
215
216 case cmd_short_delay:
* Later this manipulated pcm_pos is used at line 212, which raises a segmentation fault in this case.
(gdb) bt
#0 0x00007ffff7bbcf73 in Vgm_Emu_Impl::run_commands (this=0x5555557aafd0, end_time=2205)
at /home/june/project/analyze/bins/game-music-emu-0.6.1/gme/Vgm_Emu_Impl.cpp:212
#1 0x00007ffff7bbc2b8 in Vgm_Emu::run_clocks (this=0x5555557aafd0, time_io=@0x7fffffffcc34: 178977,
msec=50) at /home/june/project/analyze/bins/game-music-emu-0.6.1/gme/Vgm_Emu.cpp:403
#2 0x00007ffff7b7d047 in Classic_Emu::play_ (this=0x5555557aafd0, count=2048, out=0x5555557b1d10)
at /home/june/project/analyze/bins/game-music-emu-0.6.1/gme/Classic_Emu.cpp:113
#3 0x00007ffff7bbc31f in Vgm_Emu::play_ (this=0x5555557aafd0, count=2048, out=0x5555557b1d10)
at /home/june/project/analyze/bins/game-music-emu-0.6.1/gme/Vgm_Emu.cpp:411
#4 0x00007ffff7b8692b in Music_Emu::emu_play (this=0x5555557aafd0, count=2048, out=0x5555557b1d10)
at /home/june/project/analyze/bins/game-music-emu-0.6.1/gme/Music_Emu.cpp:305
#5 0x00007ffff7b86a4d in Music_Emu::fill_buf (this=0x5555557aafd0)
at /home/june/project/analyze/bins/game-music-emu-0.6.1/gme/Music_Emu.cpp:327
#6 0x00007ffff7b86ecc in Music_Emu::play (this=0x5555557aafd0, out_count=256, out=0x5555557da6c0)
at /home/june/project/analyze/bins/game-music-emu-0.6.1/gme/Music_Emu.cpp:400
#7 0x00007ffff7b82a1f in gme_play (me=0x5555557aafd0, n=256, p=0x5555557da6c0)
at /home/june/project/analyze/bins/game-music-emu-0.6.1/gme/gme.cpp:336
#8 0x00007ffff67f2e1d in ?? () from /usr/lib/x86_64-linux-gnu/libavformat.so.57
#9 0x00007ffff68d870a in ?? () from /usr/lib/x86_64-linux-gnu/libavformat.so.57
#10 0x00007ffff68d937c in ?? () from /usr/lib/x86_64-linux-gnu/libavformat.so.57
#11 0x00007ffff68db320 in avformat_find_stream_info () from /usr/lib/x86_64-linux-gnu/libavformat.so.57
#12 0x00007ffff6b9a0af in ?? () from /usr/lib/x86_64-linux-gnu/libffms2.so.4
#13 0x00007ffff6b9620a in ?? () from /usr/lib/x86_64-linux-gnu/libffms2.so.4
#14 0x00007ffff6b9399c in FFMS_CreateIndexerWithDemuxer () from /usr/lib/x86_64-linux-gnu/libffms2.so.4
#15 0x000055555556b60a in ?? ()
#16 0x000055555555c93d in ?? ()
#17 0x00007ffff426c2e1 in __libc_start_main (main=0x55555555a030, argc=6, argv=0x7fffffffe208,
init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe1f8)
at ../csu/libc-start.c:291
#18 0x000055555555cb3a in ?? ()
-------------------------------------------
This bug was found with a fuzzer developed by 'SoftSec' group at KAIST.
-- System Information:
Debian Release: buster/sid
APT prefers unstable-debug
APT policy: (500, 'unstable-debug'), (500, 'testing-debug'), (500, 'stable-updates'), (500, 'testing'), (500, 'stable'), (1, 'experimental-debug')
Architecture: amd64 (x86_64)
Kernel: Linux 4.9.0-3-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages x264 depends on:
ii libavcodec57 7:3.3.4-2+b2
ii libavformat57 7:3.3.4-2+b2
ii libavutil55 7:3.3.4-2+b2
ii libc6 2.24-17
ii libffms2-4 2.23-1
ii libgpac4 0.5.2-426-gc5ad4e4+dfsg5-3+b1
ii libswscale4 7:3.3.4-2+b2
ii libx264-148 2:0.148.2795+gitaaa9aa8-1
ii zlib1g 1:1.2.8.dfsg-5
x264 recommends no packages.
x264 suggests no packages.
-- no debconf information
-------------- next part --------------
A non-text attachment was scrubbed...
Name: poc
Type: application/octet-stream
Size: 134 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-multimedia-maintainers/attachments/20171108/528a349d/attachment.obj>
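As an added illustration that is not part of the report above and not game-music-emu's own code, the C model below mirrors the cmd_pcm_seek / cmd_pcm_delay handling from the gdb listing and shows the check the original loop lacks: the 4-byte seek operand is decoded exactly as at line 202, but it is kept as an offset and validated against the size of the PCM data bank before any byte is read, so a stream whose operand is "DEAD" (0x44414544 bytes into a 4-byte bank) is rejected instead of dereferenced. The command IDs (0xE0 seek, 0x8n PCM write with delay, 0x66 end) are taken from the VGM format as an assumption; the vgm_state struct, the error codes, and the two sample command streams are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* VGM command IDs (assumed from the VGM format; names mirror the gdb listing). */
enum {
    CMD_END       = 0x66,   /* end of sound data */
    CMD_PCM_DELAY = 0x80,   /* 0x8n: write one byte from the PCM bank, then wait n samples */
    CMD_PCM_SEEK  = 0xE0    /* 0xE0 dd dd dd dd: set the PCM bank read offset */
};

enum { VGM_OK = 0, VGM_ERR_TRUNCATED = -1, VGM_ERR_PCM_OOB = -2, VGM_ERR_UNKNOWN_CMD = -3 };

typedef struct {
    const uint8_t *pcm_data;      /* PCM data bank (constructed for the example) */
    size_t         pcm_size;      /* its length: the bound the original loop never checks */
    size_t         pcm_pos;       /* an offset rather than a raw pointer, so it can be validated */
    long           vgm_time;
    size_t         samples_written;
    uint8_t        last_sample;
} vgm_state;

/* Decode the seek operand the same way Vgm_Emu_Impl::run_commands does (little-endian u32). */
uint32_t pcm_seek_offset(const uint8_t *pos)
{
    return (uint32_t)pos[3] * 0x1000000u + (uint32_t)pos[2] * 0x10000u
         + (uint32_t)pos[1] * 0x100u     + (uint32_t)pos[0];
}

static void write_pcm(vgm_state *s, uint8_t sample)
{
    s->last_sample = sample;      /* a real emulator would feed the DAC here */
    s->samples_written++;
}

/* Hardened command loop: every read of pcm_data is bounded by pcm_size. */
int run_commands_checked(vgm_state *s, const uint8_t *cmds, size_t len)
{
    const uint8_t *pos = cmds;
    const uint8_t *end = cmds + len;

    while (pos < end) {
        uint8_t cmd = *pos++;
        switch (cmd) {
        case CMD_PCM_SEEK: {
            if ((size_t)(end - pos) < 4)
                return VGM_ERR_TRUNCATED;       /* operand runs past the command stream */
            uint32_t off = pcm_seek_offset(pos);
            pos += 4;
            /* The original assigns pcm_data + off unchecked. off == pcm_size is tolerated
             * (seek-to-end followed by CMD_END is harmless); the read below still rejects it. */
            if (off > s->pcm_size)
                return VGM_ERR_PCM_OOB;
            s->pcm_pos = off;
            break;
        }
        case CMD_END:
            return VGM_OK;
        default:
            if ((cmd & 0xF0) == CMD_PCM_DELAY) {
                /* This is the read that faulted at line 212 in the report. */
                if (s->pcm_pos >= s->pcm_size)
                    return VGM_ERR_PCM_OOB;
                write_pcm(s, s->pcm_data[s->pcm_pos++]);
                s->vgm_time += cmd & 0x0F;
            } else {
                return VGM_ERR_UNKNOWN_CMD;     /* the real loop handles many more commands */
            }
        }
    }
    return VGM_OK;
}

static vgm_state last_state;                    /* state left by the most recent demo run */
const vgm_state *last_run(void) { return &last_state; }

/* Constructed stream in the shape of the PoC: seek operand "DEAD", then a PCM write. */
int poc_like_result(void)
{
    static const uint8_t pcm[4] = { 0x10, 0x20, 0x30, 0x40 };
    static const uint8_t cmds[] = { CMD_PCM_SEEK, 'D', 'E', 'A', 'D', CMD_PCM_DELAY | 0x1, CMD_END };
    last_state = (vgm_state){ .pcm_data = pcm, .pcm_size = sizeof pcm };
    return run_commands_checked(&last_state, cmds, sizeof cmds);
}

/* Constructed benign stream: seek to offset 2, write two samples with delays 1 and 2, end. */
int benign_result(void)
{
    static const uint8_t pcm[4] = { 0x10, 0x20, 0x30, 0x40 };
    static const uint8_t cmds[] = { CMD_PCM_SEEK, 2, 0, 0, 0,
                                    CMD_PCM_DELAY | 0x1, CMD_PCM_DELAY | 0x2, CMD_END };
    last_state = (vgm_state){ .pcm_data = pcm, .pcm_size = sizeof pcm };
    return run_commands_checked(&last_state, cmds, sizeof cmds);
}

int main(void)
{
    uint32_t off = pcm_seek_offset((const uint8_t *)"DEAD");
    printf("seek operand \"DEAD\" decodes to offset 0x%08x (%u bytes)\n", off, off);
    int rc = poc_like_result();
    printf("PoC-like stream: rc=%d samples=%zu\n", rc, last_run()->samples_written);
    rc = benign_result();
    printf("benign stream:   rc=%d samples=%zu last=0x%02x time=%ld\n", rc,
           last_run()->samples_written, last_run()->last_sample, last_run()->vgm_time);
    return 0;
}
```

Keeping the PCM position as an index checked against the bank size, rather than a pointer computed from file bytes, is the whole fix: the operand is still attacker-controlled, but it can no longer select memory outside the block that the 0x67 data command actually provided.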