Issue metadata

Status: Fixed
Owner:
Closed: Dec 2012
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: All
Pri: 1
Type: Bug-Security




Heap-use-after-free in matroska_parse_block

Project Member Reported by infe...@chromium.org, Dec 12 2012

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=150027953

Fuzzer: Inferno_flicker

Crash Type: Heap-use-after-free READ 8
Crash Address: 0x7f0b0bef8140
Crash State:
  - crash stack -
  matroska_parse_block
  matroska_parse_cluster
  - free stack -
  matroska_read_seek
  av_seek_frame
  

Minimized Testcase (6917.73 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96yds7FDrXlcCyaFkNMutWWdoTvvAvgxEQSbhIj3fxZf18vgKV-TkR7QEzzwclcKmq56V3fOgdkozghIIm_S2blnorZ-YjO23q9nKXLKZHuEYBJqkRof63l1wBQWHSXLkBxr8zTH60pbyWRtW3LGRlS_GFehw
 
Cc: scherkus@chromium.org sh...@chromium.org
Owner: dalecur...@chromium.org
Status: Assigned
Yet another one, Dale, from the new seek fuzzer :)
When triaging, can you please check if this is a regression or a long standing bug.
+rbultje; I'm in the middle of an M25 roll, I'll see if this is fixed with it.
Cc: rbultje@chromium.org
(+rbultje for real this time)
Seems like missing matroska->prev_pkt = NULL; in the seek code?
Yeah, it looks like that's only cleared under certain circumstances on the seek path. I feel like we ran into an issue here before when I was upstreaming the incremental parsing patch.
Ronald, haven't run FATE w/ it yet, but how about just having matroska_clear_queue() always set prev_pkt = NULL?

That sounds OK to me.
That fixes the issue and passes FATE, so after I run my normal test run for M25's ffmpeg roll I'll merge it to m24.
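The pattern the thread converges on, as an added example in C that is not ffmpeg's code and not part of this bug report: a constructed model of the demuxer's packet queue with a cached prev_pkt merge target. clear_queue(), read_seek() and parse_block() stand in for matroska_clear_queue(), matroska_read_seek() and matroska_parse_block(); the Packet and Demuxer structs, the merge-on-same-stream-and-timecode rule, and the quarantine used to make the stale read observable are all assumptions made for illustration. With the bug left in, the block parsed after a seek finds prev_pkt still pointing at a packet the seek already released, which is the free stack / crash stack pairing in the ClusterFuzz report above; with clear_queue() always nulling prev_pkt, the block is queued fresh.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of the demuxer state (an assumption, not ffmpeg's structs). prev_pkt
 * caches the most recently queued packet so a following block for the same stream and
 * timecode can be merged into it instead of being queued as a new packet. */
typedef struct Packet {
    int stream_index;
    int64_t timecode;
    size_t size;
    uint8_t *data;
    int freed;                 /* set by packet_release() */
    struct Packet *next;
} Packet;

typedef struct Demuxer {
    Packet *head, *tail;       /* packets waiting to be handed to the caller */
    Packet *prev_pkt;          /* merge target; this is the pointer that goes stale */
    int fixed;                 /* 0: clear_queue() leaves prev_pkt alone (the bug);
                                  1: clear_queue() always nulls it (the fix) */
} Demuxer;

/* Stand-in for an ASan-style quarantine: a released packet is flagged and parked rather
 * than returned to malloc, so a read through a stale pointer is reported deterministically
 * here instead of being undefined behaviour. */
static Packet *quarantine;
static void packet_release(Packet *p)
{
    free(p->data);
    p->data = NULL;
    p->freed = 1;
    p->next = quarantine;
    quarantine = p;
}

static Packet *packet_new(int stream, int64_t tc, const uint8_t *buf, size_t n)
{
    Packet *p = calloc(1, sizeof *p);
    if (!p || !(p->data = malloc(n))) { free(p); return NULL; }
    memcpy(p->data, buf, n);
    p->size = n; p->stream_index = stream; p->timecode = tc;
    return p;
}

/* matroska_clear_queue() analogue: drop every queued packet. */
static void clear_queue(Demuxer *m)
{
    for (Packet *p = m->head, *next; p; p = next) {
        next = p->next;
        packet_release(p);
    }
    m->head = m->tail = NULL;
    if (m->fixed)
        m->prev_pkt = NULL;    /* the fix: the merge target no longer exists */
}

/* matroska_read_seek() analogue: drop buffered packets, then parsing resumes elsewhere. */
static void read_seek(Demuxer *m) { clear_queue(m); }

#define BLOCK_QUEUED  0
#define BLOCK_MERGED  1
#define BLOCK_UAF    -1        /* merge target had already been released */
#define BLOCK_ENOMEM -2

/* matroska_parse_block() analogue. */
static int parse_block(Demuxer *m, int stream, int64_t tc, const uint8_t *buf, size_t n)
{
    Packet *prev = m->prev_pkt;
    if (prev) {
        if (prev->freed)       /* the read ASan reported as heap-use-after-free */
            return BLOCK_UAF;
        if (prev->stream_index == stream && prev->timecode == tc) {
            uint8_t *d = realloc(prev->data, prev->size + n);
            if (!d) return BLOCK_ENOMEM;
            memcpy(d + prev->size, buf, n);
            prev->data = d; prev->size += n;
            return BLOCK_MERGED;
        }
    }
    Packet *p = packet_new(stream, tc, buf, n);
    if (!p) return BLOCK_ENOMEM;
    if (m->tail) m->tail->next = p; else m->head = p;
    m->tail = p;
    m->prev_pkt = p;
    return BLOCK_QUEUED;
}

/* Two blocks for the same stream and timecode (constructed input), optionally with a
 * seek between them; returns how the second block was handled. */
static int run(int fixed, int seek_between)
{
    Demuxer m = { .fixed = fixed };
    const uint8_t a[] = "frame-a", b[] = "frame-b";
    parse_block(&m, 0, 100, a, sizeof a - 1);
    if (seek_between)
        read_seek(&m);
    int r = parse_block(&m, 0, 100, b, sizeof b - 1);
    clear_queue(&m);
    return r;
}
```

run(0, 1) returns BLOCK_UAF and run(1, 1) returns BLOCK_QUEUED; without a seek both variants return BLOCK_MERGED, which is why the bug only surfaces on the seek path. The quarantine intentionally leaks released packets; in a real build the equivalent check is ASan's, and the stale read is the READ 8 of prev_pkt's fields in the report.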
Labels: Mstone-23 SecImpacts-Stable SecImpacts-Beta
Project Member

Comment 11 by bugdroid1@chromium.org, Dec 14 2012

Labels: merge-merged-ffmpeg
The following revision refers to this bug:
    http://src.chromium.org/viewvc/chrome?view=rev&revision=173241

------------------------------------------------------------------------
r173241 | dalecurtis@google.com | 2012-12-14T23:39:51.621483Z

Changed paths:
   M http://src.chromium.org/viewvc/chrome/branches/ffmpeg/1312/libavformat/matroskadec.c?r1=173241&r2=173240&pathrev=173241

Fix seek issue with M24. BUG= 165601 
------------------------------------------------------------------------
Project Member

Comment 12 by bugdroid1@chromium.org, Dec 14 2012

Labels: merge-merged-1312
The following revision refers to this bug:
    http://goto.ext.google.com/viewvc/chrome-internal?view=rev&revision=31799

------------------------------------------------------------------------
r31799 | dalecurtis@google.com | 2012-12-14T23:40:59.743372Z

------------------------------------------------------------------------
Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify Merge-Approved
Status: FixUnreleased
Keeping Merge-Approved so that Chris can add this bug to the doc. 
Labels: -Mstone-23 -Merge-Approved Mstone-24 Merge-Merged Release-0
Status: Fixed
Project Member

Comment 16 by bugdroid1@chromium.org, Dec 20 2012

Labels: merge-merged-1364
The following revision refers to this bug:
    http://goto.ext.google.com/viewvc/chrome-internal?view=rev&revision=31997

------------------------------------------------------------------------
r31997 | dalecurtis@google.com | 2012-12-20T20:28:18.498590Z

------------------------------------------------------------------------
Project Member

Comment 17 by bugdroid1@chromium.org, Dec 20 2012

Landed in M24, M25. Trunk to come after the holidays with the ffmpeg roll.
Labels: CVE-2012-5150
Project Member

Comment 20 by ClusterFuzz, Jan 23 2013

ClusterFuzz has detected this issue as fixed in latest custom build.
Project Member

Comment 21 by bugdroid1@chromium.org, Mar 10 2013

Labels: -Area-Internals -Type-Security -SecSeverity-High -Stability-AddressSanitizer -Mstone-24 -SecImpacts-Stable -SecImpacts-Beta Security-Impact-Beta Cr-Internals M-24 Security-Severity-High Security-Impact-Stable Type-Bug-Security Performance-Memory-AddressSanitizer
Labels: -Restrict-View-SecurityNotify
Project Member

Comment 23 by bugdroid1@chromium.org, Mar 21 2013

Labels: -Security-Severity-High Security_Severity-High
Project Member

Comment 24 by bugdroid1@chromium.org, Mar 21 2013

Labels: -Security-Impact-Stable Security_Impact-Stable
Project Member

Comment 25 by bugdroid1@chromium.org, Mar 21 2013

Labels: -Security-Impact-Beta Security_Impact-Beta
Project Member

Comment 26 by bugdroid1@chromium.org, Apr 1 2013

Labels: -Performance-Memory-AddressSanitizer Stability-Memory-AddressSanitizer
Project Member

Comment 27 by sheriffbot@chromium.org, Jun 14 2016

Labels: -security_impact-beta
Project Member

Comment 28 by sheriffbot@chromium.org, Oct 1 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member

Comment 29 by sheriffbot@chromium.org, Oct 2 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: allpublic
Labels: CVE_description-submitted
