matroskademux: buffer overflow in gst_matroska_demux_add_wvpk_header
The attached file causes heap corruption in gst_matroska_demux_add_wvpk_header. This issue occurs with the patch from #858 (closed) applied, so it is likely a different issue. A stack trace is below:
==3502609==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x628000003dcc at pc 0x00000047297c bp 0x7fffeee386c0 sp 0x7fffeee37e80
WRITE of size 6444 at 0x628000003dcc thread T6 (matroskademux0:)
[Detaching after fork from child process 3502618]
#0 0x47297b in memmove (/usr/local/google/home/natashenka/Downloads/video/video+0x47297b)
#1 0x7fffee512f3d in gst_matroska_demux_add_wvpk_header /usr/local/google/home/natashenka/gst-build/build/../subprojects/gst-plugins-good/gst/matroska/matroska-demux.c:3962:7
#2 0x7fffee517005 in gst_matroska_demux_parse_blockgroup_or_simpleblock.constprop.0 /usr/local/google/home/natashenka/gst-build/build/../subprojects/gst-plugins-good/gst/matroska/matroska-demux.c:4783:15
#3 0x7fffee51edda in gst_matroska_demux_parse_id /usr/local/google/home/natashenka/gst-build/build/../subprojects/gst-plugins-good/gst/matroska/matroska-demux.c:5574:17
#4 0x7fffee5244f7 in gst_matroska_demux_loop /usr/local/google/home/natashenka/gst-build/build/../subprojects/gst-plugins-good/gst/matroska/matroska-demux.c:5763:9
#5 0x7ffff7c6edfe in gst_task_func /usr/local/google/home/natashenka/gst-build/build/../subprojects/gstreamer/gst/gsttask.c:384:5
#6 0x7ffff51ab9a3 (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x7b9a3)
#7 0x7ffff51ab0bc (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x7b0bc)
#8 0x7ffff508fea6 in start_thread nptl/pthread_create.c:477:8
#9 0x7ffff4dcbdee in clone misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95
0x628000003dcc is located 25 bytes to the right of 15539-byte region [0x628000000100,0x628000003db3)
allocated by thread T6 (matroskademux0:) here:
#0 0x4d623d in malloc (/usr/local/google/home/natashenka/Downloads/video/video+0x4d623d)
#1 0x7ffff5187d48 in g_malloc (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x57d48)
Thread T6 (matroskademux0:) created by T4 (typefind:sink) here:
#0 0x4c0e0a in pthread_create (/usr/local/google/home/natashenka/Downloads/video/video+0x4c0e0a)
#1 0x7ffff51d2ff0 (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0xa2ff0)
Thread T4 (typefind:sink) created by T0 here:
#0 0x4c0e0a in pthread_create (/usr/local/google/home/natashenka/Downloads/video/video+0x4c0e0a)
#1 0x7ffff51d2ff0 (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0xa2ff0)
SUMMARY: AddressSanitizer: heap-buffer-overflow (/usr/local/google/home/natashenka/Downloads/video/video+0x47297b) in memmove
Shadow bytes around the buggy address: