tagdemux: Malformed or maliciously crafted files lead to a null pointer dereference
Clone of #900 (moved) with 1.20 milestone, needs co-ordinated release with 1.18.6
Hi folks,
There's a race condition in gsttagdemux.c between typefinding and the end-of-stream event. If TYPE_FIND_MAX_SIZE is exceeded, demux->priv->collect is set to NULL and an error is returned. However, the end-of-stream event causes one last attempt at typefinding to occur.
This leads to gst_tag_demux_trim_buffer() being called with the NULL demux->priv->collect buffer which it attempts to dereference, resulting in a segfault.
The malicious MP3 can be created by:
{ printf '\x49\x44\x33\x04\x00\x00\x00\x00\x00\x00'; dd if=/dev/urandom bs=1K count=200; } > malicious.mp3
This creates a valid ID3 header which gets us as far as typefinding. The crash can then be reproduced with the following pipeline:
gst-launch-1.0 -e filesrc location=malicious.mp3 ! queue ! decodebin ! audioconvert ! vorbisenc ! oggmux ! filesink location=malicious.ogg
I've attached a patch which fixes the crash; however, I'm not terribly familiar with gstreamer, so this fix may not be complete or even the right approach. I'm happy to fix it up as necessary if that's helpful.
I've marked this as confidential because this can be used in a denial of service attack.
0001-tagdemux-Fix-crash-when-presented-with-malformed-fil.patch
Here's an example MP3 that results in a segfault: malicious
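The sequence described in the report (typefinding keeps collecting, gives up once TYPE_FIND_MAX_SIZE is exceeded and sets the collector to NULL, then EOS triggers one last typefind attempt that dereferences it), as an added C model that is not part of the report, of the attached patch, or of gst-plugins-base. The struct and function names, the limit value, the toy typefinder, the chunk size and the guarded EOS variant are assumptions made for this illustration; the constructed input mirrors the reporter's file (an ID3v2.4 header with tag size 0 followed by data that never typefinds):

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added illustration, not gst-plugins-base code: a hypothetical model of the
 * tagdemux flow the report describes. Names, the limit and the toy typefinder
 * are assumptions for this example. */

#define TYPE_FIND_MAX_SIZE (40 * 1024)   /* assumed limit; the real one is in gsttagdemux.c */

typedef struct { uint8_t *data; size_t len; } collect_buf;

typedef struct {
    collect_buf *collect;   /* bytes gathered for typefinding; NULL once typefinding is abandoned */
    size_t strip_start;     /* leading tag bytes to trim before typefinding */
    int type_found;
} tagdemux;

/* ID3v2 header: "ID3", two version bytes (never 0xff), flags, 28-bit syncsafe size.
 * Returns header + payload length, or 0 if the bytes are not a valid header. */
size_t id3v2_tag_len(const uint8_t *d, size_t len)
{
    if (len < 10 || memcmp(d, "ID3", 3) != 0 || d[3] == 0xff || d[4] == 0xff) return 0;
    for (int i = 6; i < 10; i++) if (d[i] & 0x80) return 0;   /* syncsafe bytes keep bit 7 clear */
    return 10 + (((size_t)d[6] << 21) | ((size_t)d[7] << 14) | ((size_t)d[8] << 7) | d[9]);
}

/* Toy typefinder: an MPEG audio frame sync (11 set bits) right after the tag. */
static int toy_typefind(const uint8_t *d, size_t len)
{
    return len >= 2 && d[0] == 0xff && (d[1] & 0xe0) == 0xe0;
}

/* Stand-in for gst_tag_demux_trim_buffer() plus the typefind retry: skips the tag
 * bytes and typefinds the rest. It dereferences dm->collect unconditionally. */
static int trim_and_typefind(tagdemux *dm)
{
    collect_buf *c = dm->collect;                         /* NULL here is the crash */
    if (c->len <= dm->strip_start) return 0;
    return toy_typefind(c->data + dm->strip_start, c->len - dm->strip_start);
}

static void demux_clear(tagdemux *dm)
{
    if (dm->collect) { free(dm->collect->data); free(dm->collect); }
    dm->collect = NULL;
}

/* Data path: append a chunk and retry typefinding. Past TYPE_FIND_MAX_SIZE it
 * gives up, frees the collector, leaves collect == NULL and returns an error. */
int tagdemux_chain(tagdemux *dm, const uint8_t *chunk, size_t n)
{
    if (dm->type_found) return 0;
    if (!dm->collect && !(dm->collect = calloc(1, sizeof *dm->collect))) return -1;
    uint8_t *grown = realloc(dm->collect->data, dm->collect->len + n);
    if (!grown) return -1;
    memcpy(grown + dm->collect->len, chunk, n);
    dm->collect->data = grown;
    dm->collect->len += n;
    if (dm->strip_start == 0)
        dm->strip_start = id3v2_tag_len(dm->collect->data, dm->collect->len);
    if (trim_and_typefind(dm)) { dm->type_found = 1; return 0; }
    if (dm->collect->len > TYPE_FIND_MAX_SIZE) { demux_clear(dm); return -1; }
    return 0;
}

/* EOS as described: one last typefind attempt, straight into the NULL dereference
 * if the data path has already given up. Never call it after a chain error. */
int tagdemux_eos_unguarded(tagdemux *dm)
{
    return (dm->type_found || trim_and_typefind(dm)) ? 0 : -1;
}

/* EOS with a guard that closes the window (an assumed fix, not the attached
 * patch): abandoned typefinding is an error, not a reason to retry. */
int tagdemux_eos_guarded(tagdemux *dm)
{
    if (dm->type_found) return 0;
    if (dm->collect == NULL) return -1;
    return trim_and_typefind(dm) ? 0 : -1;
}

/* Constructed input: a 10-byte ID3v2.4 header with tag size 0 followed by 200 KiB
 * of filler that never typefinds (or, with valid_audio, an MPEG sync word first),
 * pushed in 4 KiB chunks. Stops at the first chain error, as a pipeline would. */
static int push_file(tagdemux *dm, int valid_audio)
{
    enum { FILE_LEN = 200 * 1024, CHUNK = 4096 };
    static const uint8_t id3_header[10] = { 'I', 'D', '3', 0x04, 0x00, 0x00, 0, 0, 0, 0 };
    uint8_t *file = malloc(FILE_LEN);
    if (!file) return -1;
    memcpy(file, id3_header, sizeof id3_header);
    for (size_t i = sizeof id3_header; i < FILE_LEN; i++) file[i] = (uint8_t)(i * 7 + 3);
    if (valid_audio) { file[10] = 0xff; file[11] = 0xfb; }
    int rc = 0;
    for (size_t off = 0; off < FILE_LEN && rc == 0; off += CHUNK)
        rc = tagdemux_chain(dm, file + off, CHUNK);
    free(file);
    return rc;
}

/* Chain result for the malicious file: -1 once TYPE_FIND_MAX_SIZE is exceeded. */
int malicious_chain_result(void)
{
    tagdemux dm = { 0 };
    int rc = push_file(&dm, 0);
    demux_clear(&dm);
    return rc;
}

/* 1 if the collector is already NULL when EOS arrives for the malicious file. */
int malicious_collect_is_null_at_eos(void)
{
    tagdemux dm = { 0 };
    push_file(&dm, 0);
    int is_null = (dm.collect == NULL);
    demux_clear(&dm);
    return is_null;
}

/* Guarded EOS result: -1 for the malicious file, 0 for the valid stream. */
int guarded_eos_result(int valid_audio)
{
    tagdemux dm = { 0 };
    push_file(&dm, valid_audio);
    int rc = tagdemux_eos_guarded(&dm);
    demux_clear(&dm);
    return rc;
}

int main(void)
{
    printf("malicious: chain=%d collect_null_at_eos=%d guarded_eos=%d\n",
           malicious_chain_result(), malicious_collect_is_null_at_eos(), guarded_eos_result(0));
    printf("valid stream: guarded_eos=%d\n", guarded_eos_result(1));
    /* tagdemux_eos_unguarded() on the malicious state dereferences NULL; not run here. */
    return 0;
}
```

With the assumed 40 KiB limit and 4 KiB chunks, the data path gives up on the eleventh chunk and leaves collect == NULL; the unguarded EOS handler then walks straight into trim_and_typefind() with that NULL, which is the report's segfault, while the guarded variant turns the same state into a plain error. The point generalises beyond tagdemux: whenever an error path tears down state, every later event handler (EOS, flush, shutdown) that can still run must treat "state already torn down" as a first-class case.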