matroskademux: use-after-free in matroska demuxing
The attached file causes a use-after-free when it is played with GStreamer's Matroska demuxer (matroskademux): a track that has already been freed is reused. To reproduce, play the file with any video player that uses GStreamer, for example:
totem oob_1.mkv
A sample crash dump is as follows:
==3228308==ERROR: AddressSanitizer: heap-use-after-free on address 0x60200020bc30 at pc 0x00000046f6d5 bp 0x7fffeee38a80 sp 0x7fffeee38228
READ of size 1 at 0x60200020bc30 thread T6 (matroskademux0:)
#0 0x46f6d4 in strcmp (/usr/local/google/home/natashenka/Downloads/video/video+0x46f6d4)
#1 0x7fffee51f123 in gst_matroska_demux_update_tracks /usr/local/google/home/natashenka/gst-build/build/../subprojects/gst-plugins-good/gst/matroska/matroska-demux.c:3466:13
#2 0x7fffee51f123 in gst_matroska_demux_parse_id /usr/local/google/home/natashenka/gst-build/build/../subprojects/gst-plugins-good/gst/matroska/matroska-demux.c:5432:19
#3 0x7fffee5244e7 in gst_matroska_demux_loop /usr/local/google/home/natashenka/gst-build/build/../subprojects/gst-plugins-good/gst/matroska/matroska-demux.c:5761:9
#4 0x7ffff7c6edfe in gst_task_func /usr/local/google/home/natashenka/gst-build/build/../subprojects/gstreamer/gst/gsttask.c:384:5
#5 0x7ffff51ab973 (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x7b973)
#6 0x7ffff51ab08c (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x7b08c)
#7 0x7ffff508fea6 in start_thread nptl/pthread_create.c:477:8
#8 0x7ffff4dcbdee in clone misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95
0x60200020bc30 is located 0 bytes inside of 9-byte region [0x60200020bc30,0x60200020bc39)
freed by thread T6 (matroskademux0:) here:
#0 0x4d5fbd in free (/usr/local/google/home/natashenka/Downloads/video/video+0x4d5fbd)
#1 0x7fffee52da2f in gst_matroska_track_free /usr/local/google/home/natashenka/gst-build/build/../subprojects/gst-plugins-good/gst/matroska/matroska-ids.c:336:3
previously allocated by thread T6 (matroskademux0:) here:
#0 0x4d623d in malloc (/usr/local/google/home/natashenka/Downloads/video/video+0x4d623d)
#1 0x7ffff5187d18 in g_malloc (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x57d18)
Thread T6 (matroskademux0:) created by T4 (typefind:sink) here:
#0 0x4c0e0a in pthread_create (/usr/local/google/home/natashenka/Downloads/video/video+0x4c0e0a)
#1 0x7ffff51d2fc0 (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0xa2fc0)
Thread T4 (typefind:sink) created by T0 here:
#0 0x4c0e0a in pthread_create (/usr/local/google/home/natashenka/Downloads/video/video+0x4c0e0a)
#1 0x7ffff51d2fc0 (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0xa2fc0)
SUMMARY: AddressSanitizer: heap-use-after-free (/usr/local/google/home/natashenka/Downloads/video/video+0x46f6d4) in strcmp
Shadow bytes around the buggy address:
0x0c0480039730: fa fa fd fd fa fa fd fa fa fa fd fa fa fa fd fd
0x0c0480039740: fa fa fd fd fa fa fd fa fa fa fd fd fa fa fd fd
0x0c0480039750: fa fa fd fa fa fa fd fd fa fa fd fd fa fa fd fa
0x0c0480039760: fa fa fd fa fa fa fd fd fa fa fd fd fa fa fd fd
0x0c0480039770: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fd
=>0x0c0480039780: fa fa fd fd fa fa[fd]fd fa fa fd fa fa fa 00 00
0x0c0480039790: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
0x0c04800397a0: fa fa fd fa fa fa 00 fa fa fa fd fd fa fa fd fd
0x0c04800397b0: fa fa 00 01 fa fa 00 01 fa fa 03 fa fa fa fd fa
0x0c04800397c0: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
0x0c04800397d0: fa fa fd fa fa fa fd fa fa fa fd fd fa fa fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==3228308==ABORTING
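As an added illustration (not the reporter's code and not gst-plugins-good's matroska-demux.c), the following hypothetical C model shows the bug class the trace above points at: a track object is freed while a pointer to it is still reachable from the demuxer's track table, and a later codec-ID comparison does a strcmp() on the freed string (the 9-byte region in the report is consistent with a short codec ID such as "A_VORBIS" plus its NUL). The report does not show which code path in gst_matroska_demux_update_tracks reuses the freed track, so this models the class rather than the real code; the names (Track, Demux, demux_add_track, ...) and the constructed TrackEntry sequence with a repeated TrackNumber are assumptions of the example.

```c
#define _POSIX_C_SOURCE 200809L  /* strdup() */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical model of a demuxer track table written for this note; it is
 * not gst-plugins-good's matroska-demux.c, and Track, Demux and the demux_*
 * names are invented. */
typedef struct {
    unsigned num;     /* TrackNumber parsed from a TrackEntry */
    char *codec_id;   /* heap string such as "A_VORBIS" (9 bytes with NUL) */
} Track;

#define MAX_TRACKS 8
typedef struct { Track *tracks[MAX_TRACKS]; size_t n; } Demux;

static Track *track_new(unsigned num, const char *codec_id) {
    Track *t = calloc(1, sizeof *t);
    if (t == NULL) abort();
    t->num = num;
    t->codec_id = strdup(codec_id);
    if (t->codec_id == NULL) abort();
    return t;
}

static void track_free(Track *t) { free(t->codec_id); free(t); }

static int find_track(const Demux *d, unsigned num) {
    for (size_t i = 0; i < d->n; i++)
        if (d->tracks[i]->num == num) return (int)i;
    return -1;
}

/* Register a parsed TrackEntry. A crafted file can repeat a TrackNumber,
 * which is where the vulnerable and hardened paths diverge. */
static int demux_add_track(Demux *d, unsigned num, const char *codec_id, int hardened) {
    int i = find_track(d, num);
    Track *t = track_new(num, codec_id);
    if (i >= 0) {
        track_free(d->tracks[i]);
        if (hardened) {            /* Fix: overwrite the slot; nothing freed stays reachable */
            d->tracks[i] = t;
            return 0;
        }
        /* BUG: the freed track stays in tracks[i] and the replacement is appended */
    }
    if (d->n == MAX_TRACKS) { track_free(t); return -1; }
    d->tracks[d->n++] = t;
    return 0;
}

/* Walk the table comparing codec IDs. On the vulnerable table this strcmp()
 * reads the freed codec string, which is the frame ASan reports above. */
static size_t demux_count_codec(const Demux *d, const char *codec_id) {
    size_t hits = 0;
    for (size_t i = 0; i < d->n; i++)
        if (strcmp(d->tracks[i]->codec_id, codec_id) == 0) hits++;
    return hits;
}

static void demux_clear(Demux *d) {
    for (size_t i = 0; i < d->n; i++) track_free(d->tracks[i]);
    d->n = 0;
}

/* Hardened path on constructed input (TrackNumbers 1, 2, then 1 again).
 * Returns the A_OPUS count; *vorbis gets the A_VORBIS count, *n the table size. */
static size_t hardened_replace_demo(size_t *vorbis, size_t *n) {
    Demux d = {0};
    demux_add_track(&d, 1, "A_VORBIS", 1);
    demux_add_track(&d, 2, "V_VP8", 1);
    demux_add_track(&d, 1, "A_OPUS", 1);   /* duplicate TrackNumber */
    size_t opus = demux_count_codec(&d, "A_OPUS");
    *vorbis = demux_count_codec(&d, "A_VORBIS");
    *n = d.n;
    demux_clear(&d);
    return opus;
}

/* Vulnerable path on the same input, stopping short of any dereference:
 * the table size now includes the freed entry. Only the live entry is freed. */
static size_t vulnerable_table_size(void) {
    Demux d = {0};
    demux_add_track(&d, 1, "A_VORBIS", 0);
    demux_add_track(&d, 1, "A_OPUS", 0);   /* frees tracks[0], appends to tracks[1] */
    size_t n = d.n;
    track_free(d.tracks[1]);
    return n;
}

int main(void) {
    size_t vorbis, n;
    size_t opus = hardened_replace_demo(&vorbis, &n);
    printf("hardened: %zu A_OPUS, %zu A_VORBIS, %zu tracks\n", opus, vorbis, n);
    printf("vulnerable: %zu table entries, one of them freed\n", vulnerable_table_size());
    /* Build with -fsanitize=address and run to see heap-use-after-free,
     * READ of size 1, in strcmp, as in the report above. */
    Demux d = {0};
    demux_add_track(&d, 1, "A_VORBIS", 0);
    demux_add_track(&d, 1, "A_OPUS", 0);
    printf("scan hits: %zu\n", demux_count_codec(&d, "A_OPUS"));
    return 0;
}
```

Compile with `-fsanitize=address -g` to get the same shape of report as above (heap-use-after-free, READ of size 1 in strcmp, freed by the track-free routine). Replacing the slot in place is one fix; the other is to treat a repeated TrackNumber as a malformed file and reject the second TrackEntry instead of freeing the first, which avoids the question of stale aliases entirely. Either way the invariant to enforce is that a freed track is unreachable from every table and cached pointer before the parse loop continues.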
This bug is subject to a 90 day disclosure deadline. After 90 days elapse, the bug report will become visible to the public. The scheduled disclosure date is 2021-May-31. Disclosure at an earlier date is possible if agreed upon by all parties.
Edited by Tim-Philipp Müller