Out-of-bounds read in tag parsing
The attached file causes an out-of-bounds read when played with GStreamer. This bug probably doesn't have serious security consequences, but filing it as a confidential issue just in case. A stack trace is below.
==3263091==ERROR: AddressSanitizer: SEGV on unknown address 0x629000080000 (pc 0x7f51cfd1918c bp 0x7f51c6e338cc sp 0x7f51c6e33860 T6)
==3263091==The signal is caused by a READ memory access.
#0 0x7f51cfd1918c in id3v2_ununsync_data /usr/local/google/home/natashenka/gst-build/build/../subprojects/gst-plugins-base/gst-libs/gst/tag/id3v2.c:161:11
#1 0x7f51cfd1b177 in id3v2_parse_frame /usr/local/google/home/natashenka/gst-build/build/../subprojects/gst-plugins-base/gst-libs/gst/tag/id3v2frames.c:137:17
#2 0x7f51cfd19b16 in id3v2_frames_to_tag_list /usr/local/google/home/natashenka/gst-build/build/../subprojects/gst-plugins-base/gst-libs/gst/tag/id3v2.c:598:11
#3 0x7f51cfd19b16 in gst_tag_list_from_id3v2_tag /usr/local/google/home/natashenka/gst-build/build/../subprojects/gst-plugins-base/gst-libs/gst/tag/id3v2.c:261:3
#4 0x7f51c8a2a65a in gst_id3demux_parse_tag /usr/local/google/home/natashenka/gst-build/build/../subprojects/gst-plugins-good/gst/id3demux/gstid3demux.c:181:13
#5 0x7f51cfd13354 in gst_tag_demux_pull_start_tag /usr/local/google/home/natashenka/gst-build/build/../subprojects/gst-plugins-base/gst-libs/gst/tag/gsttagdemux.c:1266:17
#6 0x7f51cfd13354 in gst_tag_demux_element_find /usr/local/google/home/natashenka/gst-build/build/../subprojects/gst-plugins-base/gst-libs/gst/tag/gsttagdemux.c:1328:9
#7 0x7f51cfd14464 in gst_tag_demux_element_loop /usr/local/google/home/natashenka/gst-build/build/../subprojects/gst-plugins-base/gst-libs/gst/tag/gsttagdemux.c:1452:13
#8 0x7f51cfc5edfe in gst_task_func /usr/local/google/home/natashenka/gst-build/build/../subprojects/gstreamer/gst/gsttask.c:384:5
#9 0x7f51cd19b973 (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x7b973)
#10 0x7f51cd19b08c (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x7b08c)
#11 0x7f51cd07fea6 in start_thread nptl/pthread_create.c:477:8
#12 0x7f51ccdbbdee in clone misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /usr/local/google/home/natashenka/gst-build/build/../subprojects/gst-plugins-base/gst-libs/gst/tag/id3v2.c:161:11 in id3v2_ununsync_data
Thread T6 (id3demux0:sink) created by T4 (typefind:sink) here:
#0 0x4c0e0a in pthread_create (/usr/local/google/home/natashenka/Downloads/video/video+0x4c0e0a)
#1 0x7f51cd1c2fc0 (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0xa2fc0)
Thread T4 (typefind:sink) created by T0 here:
#0 0x4c0e0a in pthread_create (/usr/local/google/home/natashenka/Downloads/video/video+0x4c0e0a)
#1 0x7f51cd1c2fc0 (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0xa2fc0)
Edited by Tim-Philipp Müller
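The crash site is the un-unsynchronisation step of an ID3v2 frame (id3v2_ununsync_data called from id3v2_parse_frame), so the thing a reviewer will want to see is what a bounds-safe version of that step looks like. The following is an added illustration written for this issue, not GStreamer's code and not the contents of id3v2.c line 161, which I have not reproduced here. It assumes ID3v2.4 frame layout (4-byte ID, syncsafe 4-byte size, 2 flag bytes, unsync flag 0x02 in the format-flags byte) and uses hypothetical helper names (parse_v24_frame, id3v2_ununsync, demo_*). The two checks it demonstrates are the ones a frame parser must make before touching payload bytes: the declared frame size fits in the bytes actually present, and the 0xFF/0x00 lookahead inside the unsync loop never peeks past the end of the frame.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ID3V2_FRAME_HDR 10
#define ID3V24_FRAME_FLAG_UNSYNC 0x02   /* format-flags byte, bit 1 */

/* Undo ID3v2 unsynchronisation: every 0xFF 0x00 pair becomes a lone 0xFF.
 * Returns bytes written to dst, or (size_t)-1 if dst is too small.
 * Never reads past src_len: the lookahead for the 0x00 is guarded by
 * i + 1 < src_len, so a 0xFF that is the last byte of the frame is copied
 * as-is instead of peeking one byte beyond the buffer. */
static size_t id3v2_ununsync(const uint8_t *src, size_t src_len,
                             uint8_t *dst, size_t dst_cap)
{
    size_t out = 0;
    for (size_t i = 0; i < src_len; i++) {
        if (out >= dst_cap)
            return (size_t)-1;
        dst[out++] = src[i];
        if (src[i] == 0xFF && i + 1 < src_len && src[i + 1] == 0x00)
            i++;                        /* drop the inserted 0x00 */
    }
    return out;
}

/* ID3v2.4 syncsafe integer: 4 bytes, 7 bits each, high bit must be clear. */
static int syncsafe_u32(const uint8_t b[4], uint32_t *v)
{
    if ((b[0] | b[1] | b[2] | b[3]) & 0x80)
        return 0;
    *v = ((uint32_t)b[0] << 21) | ((uint32_t)b[1] << 14) |
         ((uint32_t)b[2] << 7)  |  (uint32_t)b[3];
    return 1;
}

/* Parse one frame at buf[0..len). On success writes the 4-char frame ID
 * to id, the (un-unsynced if flagged) payload to out, and returns the
 * payload length; returns -1 for any malformed or truncated frame. */
long parse_v24_frame(const uint8_t *buf, size_t len, char id[5],
                     uint8_t *out, size_t out_cap)
{
    uint32_t size;
    if (len < ID3V2_FRAME_HDR)
        return -1;
    for (int i = 0; i < 4; i++)             /* frame IDs are [A-Z0-9]{4} */
        if (!((buf[i] >= 'A' && buf[i] <= 'Z') ||
              (buf[i] >= '0' && buf[i] <= '9')))
            return -1;
    if (!syncsafe_u32(buf + 4, &size))
        return -1;
    /* The check that matters: the declared payload must fit in the bytes
     * we actually hold. Without it the unsync loop below walks off the end. */
    if (size > len - ID3V2_FRAME_HDR)
        return -1;
    memcpy(id, buf, 4);
    id[4] = '\0';
    const uint8_t *payload = buf + ID3V2_FRAME_HDR;
    if (buf[9] & ID3V24_FRAME_FLAG_UNSYNC) {
        size_t n = id3v2_ununsync(payload, size, out, out_cap);
        return n == (size_t)-1 ? -1 : (long)n;
    }
    if (size > out_cap)
        return -1;
    memcpy(out, payload, size);
    return (long)size;
}

/* Constructed samples (not bytes from the attached file). TIT2 frame with
 * the unsync flag set; payload = encoding byte, 'A', an escaped 0xFF 0x00
 * pair, and a trailing unescaped 0xFF. */
static const uint8_t good_frame[] = {
    'T','I','T','2', 0x00,0x00,0x00,0x05, 0x00,0x02,
    0x00, 'A', 0xFF, 0x00, 0xFF
};
/* Same bytes, but the header claims 16 payload bytes when only 5 follow. */
static const uint8_t truncated_frame[] = {
    'T','I','T','2', 0x00,0x00,0x00,0x10, 0x00,0x02,
    0x00, 'A', 0xFF, 0x00, 0xFF
};

long demo_good(void)
{
    char id[5]; uint8_t out[16];
    return parse_v24_frame(good_frame, sizeof good_frame, id, out, sizeof out);
}
long demo_truncated(void)
{
    char id[5]; uint8_t out[16];
    return parse_v24_frame(truncated_frame, sizeof truncated_frame, id, out, sizeof out);
}
/* Lone trailing 0xFF: must be copied, not used as an excuse to read src[1]. */
long demo_trailing_ff(void)
{
    const uint8_t src[1] = { 0xFF }; uint8_t dst[1];
    size_t n = id3v2_ununsync(src, 1, dst, 1);
    return (n == 1 && dst[0] == 0xFF) ? 1 : -1;
}

int main(void)
{
    printf("good: %ld  truncated: %ld  trailing-ff: %ld\n",
           demo_good(), demo_truncated(), demo_trailing_ff());
    return 0;
}
```

The output buffer for an un-unsynced payload never needs to be larger than the input (the transform only removes bytes), so sizing it to the declared frame size after the size-vs-remaining check is sufficient; the dst_cap guard is there for callers that reuse a fixed scratch buffer.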