- 34,644
- 0
- 18 Дек 2022
- EDB-ID
- 42162
- Проверка EDB
-
- Пройдено
- Автор
- HANNO BOECK
- Тип уязвимости
- DOS
- Платформа
- LINUX
- CVE
- cve-2016-9813
- Дата публикации
- 2017-06-12
GStreamer gst-plugins-bad Plugin - NULL Pointer Dereference
Код:
Source: https://bugzilla.gnome.org/show_bug.cgi?id=775120
The attached file will cause a null pointer access and segfault in the mpegts parser. Current git code, found with afl.
ASAN stack trace:
=================================================================
==32545==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7fe957185495 bp 0x60200002cf7a sp 0x7fe956e027a0 T2)
==32545==The signal is caused by a WRITE memory access.
==32545==Hint: address points to the zero page.
#0 0x7fe957185494 in _parse_pat /f/gstreamer/gst-plugins-bad/gst-libs/gst/mpegts/gstmpegtssection.c:441:32
#1 0x7fe957184058 in __common_section_checks /f/gstreamer/gst-plugins-bad/gst-libs/gst/mpegts/gstmpegtssection.c:166:9
#2 0x7fe95718522f in gst_mpegts_section_get_pat /f/gstreamer/gst-plugins-bad/gst-libs/gst/mpegts/gstmpegtssection.c:480:9
#3 0x7fe957438b9a in mpegts_base_apply_pat /f/gstreamer/gst-plugins-bad/gst/mpegtsdemux/mpegtsbase.c:942:20
#4 0x7fe957438b9a in mpegts_base_handle_psi /f/gstreamer/gst-plugins-bad/gst/mpegtsdemux/mpegtsbase.c:1155
#5 0x7fe957437cd1 in mpegts_base_chain /f/gstreamer/gst-plugins-bad/gst/mpegtsdemux/mpegtsbase.c:1424:11
#6 0x7fe9574341e7 in mpegts_base_loop /f/gstreamer/gst-plugins-bad/gst/mpegtsdemux/mpegtsbase.c:1589:13
#7 0x7fe9644305c3 in gst_task_func /f/gstreamer/gstreamer/gst/gsttask.c:334:5
#8 0x7fe96362f867 (/usr/lib64/libglib-2.0.so.0+0x70867)
#9 0x7fe96362eed4 (/usr/lib64/libglib-2.0.so.0+0x6fed4)
#10 0x7fe9630ac443 in start_thread (/lib64/libpthread.so.0+0x7443)
#11 0x7fe962bdb92c in clone (/lib64/libc.so.6+0xe792c)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /f/gstreamer/gst-plugins-bad/gst-libs/gst/mpegts/gstmpegtssection.c:441:32 in _parse_pat
Thread T2 (tsdemux0:sink) created by T1 (typefind:sink) here:
#0 0x42e26d in __interceptor_pthread_create (/usr/bin/gst-discoverer-1.0+0x42e26d)
#1 0x7fe96364cadf (/usr/lib64/libglib-2.0.so.0+0x8dadf)
Thread T1 (typefind:sink) created by T0 here:
#0 0x42e26d in __interceptor_pthread_create (/usr/bin/gst-discoverer-1.0+0x42e26d)
#1 0x7fe96364cadf (/usr/lib64/libglib-2.0.so.0+0x8dadf)
==32545==ABORTING
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/42162.zip
- Источник
- www.exploit-db.com