bug-libextractor
From: Leon Zhao
Subject: [bug-libextractor] NULL Pointer Dereference vulnerability in libextractor EXTRACTOR_nsf_extract_method
Date: Fri, 13 Oct 2017 12:16:43 +0800

Tested Version:
v1.4

Details:
In the EXTRACTOR_nsf_extract_method function of nsf_extractor.c, line 164,
164       if (memcmp (head->magicid, "NESM\x1a", 5))
a crafted file can trigger a crash with a NULL head when memcmp is called.

Vulnerability Code:
163   /* Check "magic" id bytes */
164   if (memcmp (head->magicid, "NESM\x1a", 5))
165     return;
166   ADD ("audio/x-nsf", EXTRACTOR_METATYPE_MIMETYPE);

Crash Information:
gdb and backtrace
(gdb) run -i extract-nsf_extract_method-nsf_extractor-164.crash 
Starting program: /opt/asan/bin/extract -i extract-nsf_extract_method-nsf_extractor-164.crash
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Keywords for file extract-nsf_extract_method-nsf_extractor-164.crash:
Program received signal SIGSEGV, Segmentation fault.
__memcmp_sse4_1 () at ../sysdeps/x86_64/multiarch/memcmp-sse4.S:878
878     ../sysdeps/x86_64/multiarch/memcmp-sse4.S: No such file or directory.
(gdb) bt
#0  __memcmp_sse4_1 () at ../sysdeps/x86_64/multiarch/memcmp-sse4.S:878
#1  0x00007ffff6ee174f in memcmp () from /usr/lib/x86_64-linux-gnu/libasan.so.2
#2  0x00007ffff263df8e in EXTRACTOR_nsf_extract_method (ec=0x7fffffffa050) at nsf_extractor.c:164
#3  0x00007ffff6c09793 in do_extract (plugins=0x60800000b5a0, shm=0x0, ds=0x60300000ec20, proc=0x40255a <print_selected_keywords>, proc_cls=0x0) at extractor.c:577
#4  0x00007ffff6c09b99 in EXTRACTOR_extract (plugins=0x60800000b5a0, filename=0x60b00000aba9 "extract-nsf_extract_method-nsf_extractor-164.crash", data="" size=0, 
    proc=0x40255a <print_selected_keywords>, proc_cls=0x0) at extractor.c:655
#5  0x00000000004044ca in main (argc=3, argv=0x7fffffffe4b8) at extract.c:977
(gdb) f 2
#2  0x00007ffff263df8e in EXTRACTOR_nsf_extract_method (ec=0x7fffffffa050) at nsf_extractor.c:164
164       if (memcmp (head->magicid, "NESM\x1a", 5))
(gdb) p head
$1 = (const struct header *) 0x0

CREDIT
Zhao Liang, Huawei Weiran Labs

POC file can be downloaded from
https://bugzilla.redhat.com/show_bug.cgi?id=1501695
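The crash above is the classic "dereference before validating the read" pattern: the plugin asks its read hook for a header, then hands `head->magicid` to memcmp without confirming that a full header actually came back. The following C program is an added example, not libextractor's code or its fix. It models the reported pattern (`nsf_detect_unchecked`) beside a hardened version (`nsf_detect_checked`) that refuses to touch the header unless the read returned a non-NULL buffer of at least `sizeof(struct header)` bytes, and it distinguishes "truncated input" from "not an NSF file". The `struct input` object, `input_read` callback and the sample files are constructed stand-ins for a plugin's read hook and for real input; they are not libextractor's ExtractContext API. The NSF header layout (128 bytes, "NESM\x1a" magic, song count, little-endian load address) follows the public NSF format.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define NSF_MAGIC      "NESM\x1a"
#define NSF_MAGIC_LEN  5

/* NSF file header: 128 bytes, all byte-sized fields, so sizeof() has no padding. */
struct header {
    char     magicid[5];
    uint8_t  version;
    uint8_t  songs;          /* total number of songs */
    uint8_t  firstsong;
    uint8_t  loadaddr[2];    /* little-endian */
    uint8_t  initaddr[2];
    uint8_t  playaddr[2];
    char     title[32];
    char     artist[32];
    char     copyright[32];
    uint8_t  speed_ntsc[2];
    uint8_t  bankswitch[8];
    uint8_t  speed_pal[2];
    uint8_t  region;
    uint8_t  chips;
    uint8_t  reserved[4];
};

/* Hypothetical input object and "read N bytes" hook standing in for a plugin's
 * read callback (assumption; not libextractor's API). Like the reported case,
 * an empty input yields a NULL buffer, and a small input yields a short count. */
struct input { const uint8_t *buf; size_t len; };

static size_t input_read(struct input *in, const void **data, size_t want)
{
    if (in->len == 0) {                       /* empty input: no buffer at all */
        *data = NULL;
        return 0;
    }
    *data = in->buf;
    return in->len < want ? in->len : want;   /* may be shorter than requested */
}

/* Pattern from the report: the read result is ignored and head is dereferenced
 * unconditionally. An empty input makes head NULL and memcmp faults; a short
 * input makes memcmp read past the buffer. Only safe to call on complete input. */
int nsf_detect_unchecked(struct input *in)
{
    const void *data;
    input_read(in, &data, sizeof(struct header));
    const struct header *head = data;
    if (memcmp(head->magicid, NSF_MAGIC, NSF_MAGIC_LEN))
        return 0;
    return 1;
}

enum nsf_result { NSF_SHORT_READ = -1, NSF_NOT_NSF = 0, NSF_OK = 1 };

/* Hardened version: validate the read before touching a single header byte. */
int nsf_detect_checked(struct input *in, uint8_t *songs_out, uint16_t *load_out)
{
    const void *data = NULL;
    size_t got = input_read(in, &data, sizeof(struct header));
    if (data == NULL || got < sizeof(struct header))
        return NSF_SHORT_READ;                /* truncated or empty: not a decision about the format */
    const struct header *head = data;
    if (memcmp(head->magicid, NSF_MAGIC, NSF_MAGIC_LEN))
        return NSF_NOT_NSF;
    if (songs_out) *songs_out = head->songs;
    if (load_out)  *load_out  = (uint16_t)(head->loadaddr[0] | (head->loadaddr[1] << 8));
    return NSF_OK;
}

/* Constructed sample inputs (not real files): one well-formed NSF header and one
 * 128-byte file with no magic. Truncated/empty cases reuse the valid buffer. */
static uint8_t valid_nsf[128];
static uint8_t not_nsf[128];

void build_samples(void)
{
    memset(valid_nsf, 0, sizeof valid_nsf);
    memcpy(valid_nsf, NSF_MAGIC, NSF_MAGIC_LEN);
    valid_nsf[5] = 1;                         /* version */
    valid_nsf[6] = 3;                         /* three songs */
    valid_nsf[7] = 1;                         /* first song */
    valid_nsf[8] = 0x00; valid_nsf[9] = 0x80; /* load address 0x8000, little-endian */
    memcpy(valid_nsf + 0x0E, "Constructed sample", 18);
    memset(not_nsf, 'A', sizeof not_nsf);
}

int main(void)
{
    build_samples();
    struct input empty = { NULL, 0 }, trunc = { valid_nsf, 3 };
    struct input full  = { valid_nsf, 128 }, other = { not_nsf, 128 };
    uint8_t songs = 0; uint16_t load = 0;
    printf("empty input:     %d\n", nsf_detect_checked(&empty, NULL, NULL));
    printf("3-byte input:    %d\n", nsf_detect_checked(&trunc, NULL, NULL));
    printf("non-NSF input:   %d\n", nsf_detect_checked(&other, NULL, NULL));
    printf("valid NSF:       %d (songs=%u, load=0x%04x)\n",
           nsf_detect_checked(&full, &songs, &load), songs, load);
    /* nsf_detect_unchecked(&empty) would reproduce the reported SIGSEGV. */
    return 0;
}
```

The two failure modes the checked version guards against are different bugs: a NULL buffer (the crash in this report) and a buffer shorter than `sizeof(struct header)` (an out-of-bounds read that memcmp will not fault on but a sanitizer will). Checking both the pointer and the byte count before the memcmp closes both; returning a distinct code for a short read also keeps a truncated file from being silently misreported as "not NSF".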
