avidemux: heap buffer overwrite in gst_avi_demux_invert/swap_line
Describe the vulnerability
Heap-based buffer overflow in the avidemux element, specifically in the functions gst_avi_demux_invert / swap_line.
The root cause is that these values are taken directly from the .avi file:

```c
h = stream->strf.vids->height;
w = stream->strf.vids->width;
bpp = stream->strf.vids->bit_cnt ? stream->strf.vids->bit_cnt : 8;
stride = GST_ROUND_UP_4 (w * (bpp / 8));
```
And the size of the scratch buffer is malloc'd based on that:

```c
tmp = g_malloc (stride);
```
There is a size check, but by choosing stride and h appropriately, stride * h overflows and wraps around, so the check is bypassed:

```c
if (map.size < (stride * h)) {
  GST_WARNING ("Buffer is smaller than reported Width x Height x Depth");
  gst_buffer_unmap (buf, &map);
  return buf;
}
```
Thus causing a heap overwrite here:

```c
for (y = 0; y < h / 2; y++) {
  swap_line (map.data + stride * y, map.data + stride * (h - 1 - y), tmp,
      stride);
}
```
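To make the bypass concrete, here is an added example (not GStreamer's code and not its fix) that models the reported comparison next to a hardened one and shows that, for a sane header, both agree, while for a header whose product wraps to 0 in 32 bits only the hardened check rejects. It assumes stride and h are 32-bit signed ints, as gint is, mirrors GST_ROUND_UP_4 with a local macro, and uses a hypothetical VidsHeader struct in place of stream->strf.vids; the header values are constructed for the demonstration, not taken from the attached file.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Local mirror of GStreamer's GST_ROUND_UP_4 macro (assumed equivalent). */
#define ROUND_UP_4(n) (((n) + 3) & ~3u)

/* Hypothetical stand-in for the strf.vids fields the report says are taken
 * straight from the file: 32-bit width/height, 16-bit bit count. */
typedef struct {
  uint32_t width;
  uint32_t height;
  uint16_t bit_cnt;
} VidsHeader;

/* stride = GST_ROUND_UP_4 (w * (bpp / 8)) with gint (32-bit signed)
 * intermediates.  The unsigned detour only avoids signed-overflow UB here. */
static int32_t compute_stride(const VidsHeader *v) {
  int32_t w = (int32_t)v->width;
  int32_t bpp = v->bit_cnt ? v->bit_cnt : 8;
  return (int32_t)ROUND_UP_4((uint32_t)w * (uint32_t)(bpp / 8));
}

/* Bytes the inversion loop actually walks (stride * h, no wrapping);
 * meaningful for non-negative stride and h. */
static uint64_t bytes_walked(int32_t stride, int32_t h) {
  return (uint64_t)(uint32_t)stride * (uint64_t)(uint32_t)h;
}

/* The reported check, `map.size < (stride * h)`: both operands are gint, so
 * the product wraps in 32 bits before being widened for the comparison.
 * Returns true when the inversion would proceed. */
static bool flawed_check_passes(size_t map_size, int32_t stride, int32_t h) {
  int32_t product = (int32_t)((uint32_t)stride * (uint32_t)h); /* wrapped */
  /* A negative product widens to a huge size_t and is rejected; a product
   * that wrapped to a small non-negative value slips through. */
  return !(map_size < (size_t)product);
}

/* Hardened check: reject non-positive dimensions, compute the requirement in
 * size_t, and refuse a product that would overflow or exceed the buffer. */
static bool hardened_check_passes(size_t map_size, int32_t stride, int32_t h) {
  if (stride <= 0 || h <= 0)
    return false;
  size_t s = (size_t)stride, n = (size_t)h;
  if (n > SIZE_MAX / s) /* s * n would not fit in size_t */
    return false;
  return s * n <= map_size;
}

int main(void) {
  /* Constructed headers: a sane 4x4 24bpp frame, and one whose stride * h
   * equals 2^32 and therefore wraps to exactly 0 in 32 bits. */
  VidsHeader sane = { 4, 4, 24 };
  VidsHeader wrapping = { 16384, 65536, 32 };
  const VidsHeader *cases[] = { &sane, &wrapping };
  size_t map_size = 4096; /* pretend the mapped DIB buffer is 4 KiB */

  for (size_t i = 0; i < 2; i++) {
    int32_t stride = compute_stride(cases[i]);
    int32_t h = (int32_t)cases[i]->height;
    printf("stride=%d h=%d walks %llu bytes of a %zu-byte buffer: "
           "flawed check %s, hardened check %s\n",
           stride, h, (unsigned long long)bytes_walked(stride, h), map_size,
           flawed_check_passes(map_size, stride, h) ? "PASSES" : "rejects",
           hardened_check_passes(map_size, stride, h) ? "passes" : "REJECTS");
  }
  return 0;
}
```

The hardened variant deliberately also rejects a zero stride or height; the original would have proceeded with a zero-iteration loop there, which is harmless, but refusing obviously bogus dimensions up front is the simpler invariant to reason about.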
Expected Behavior
Not segfault.
Observed Behavior
Segfault.
Setup
- Operating System: Ubuntu 20.04.4 LTS
- Device: Computer
- GStreamer Version: tested on 1.16.2, but vulnerability present on main
Steps to reproduce the bug
- Download the attached file: crash-gst.avi
- Use gst-play-1.0 to run the file:

```sh
gst-play-1.0 ./crash-gst.avi
```
How reproducible is the bug?
Always
Impact
Likely code execution through heap manipulation, although I only have this crashing POC.
Additional Information
I'd like to request a CVE as part of this process.
Thank you!