Open
Bug 1462191
Opened 7 years ago
Updated 3 years ago
nestegg: unsigned integer overflow in [@ ne_read_ebml_lacing]
Categories: Core :: Audio/Video: Playback, defect, P3
Tracking: NEW
People: Reporter: tsmith, Assigned: kinetik
Keywords: testcase
Attachments: 1 file (437 bytes, video/webm)
nestegg (test) was built using the following config command:
CFLAGS="-fsanitize=integer" CC=clang ./configure --enable-static --disable-shared
src/nestegg.c:1491:33: runtime error: unsigned integer overflow: 0 - 4 cannot be represented in type 'unsigned long'
#0 0x504a87 in ne_read_ebml_lacing nestegg/src/nestegg.c:1305:28
#1 0x504a87 in ne_read_block nestegg/src/nestegg.c:1509
#2 0x4fdf38 in nestegg_read_packet nestegg/src/nestegg.c:2802:15
#3 0x4ea703 in main nestegg/test/test.c:166:9
#4 0x7f09dfbe282f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
#5 0x418928 in _start (nestegg/test+0x418928)
Updated•7 years ago (Assignee)
Assignee: nobody → kinetik
Comment 1•7 years ago (Assignee)
In terms of security, comments 1-3 from bug 1462189 apply for this one too. I believe it's safe, so clearing s-s.
To fix this case, we can probably just check for overflow and treat the media as invalid with an error, since reading an invalid block size is likely to result in the parser losing sync and treating the media as invalid later anyway.
Group: media-core-security
Updated•7 years ago
Priority: -- → P3
Updated•3 years ago
Severity: normal → S3
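The check suggested in comment 1, sketched as an added example (not nestegg's code and not a patch from this bug): a simplified model of EBML-lacing size computation in which each unsigned operation is checked and a wrap is reported as invalid media. The function names, parameters and inputs are assumptions made for illustration.

```c
#include <stdint.h>

/* Checked unsigned arithmetic: 0 on success, -1 if the result would wrap. */
static int checked_sub(uint64_t a, uint64_t b, uint64_t *out)
{
  if (b > a) return -1;
  *out = a - b;
  return 0;
}

static int checked_add(uint64_t a, uint64_t b, uint64_t *out)
{
  if (b > UINT64_MAX - a) return -1;
  *out = a + b;
  return 0;
}

/* EBML lacing stores each size after the first as a signed delta. */
static int apply_delta(uint64_t prev, int64_t delta, uint64_t *out)
{
  if (delta < 0) /* magnitude computed without overflowing int64_t */
    return checked_sub(prev, (uint64_t)(-(delta + 1)) + 1, out);
  return checked_add(prev, (uint64_t)delta, out);
}

/* Hypothetical model: block = payload length, consumed = bytes already read,
 * deltas = n - 2 signed differences. Returns -1 to mark the media invalid. */
static int lace_sizes(uint64_t block, uint64_t consumed, uint64_t first,
                      const int64_t *deltas, unsigned n, uint64_t *sizes)
{
  uint64_t sum = first, used;

  if (n < 2) return -1;
  sizes[0] = first;
  for (unsigned i = 1; i + 1 < n; i++)
    if (apply_delta(sizes[i - 1], deltas[i - 1], &sizes[i]) != 0 ||
        checked_add(sum, sizes[i], &sum) != 0)
      return -1;
  /* The last frame is the remainder of the block: reject, never wrap. */
  if (checked_add(consumed, sum, &used) != 0 ||
      checked_sub(block, used, &sizes[n - 1]) != 0)
    return -1;
  return 0;
}

int main(void)
{
  uint64_t s[2]; /* constructed input echoing the report: 0 - 4 */
  return lace_sizes(0, 0, 4, 0, 2, s) == -1 ? 0 : 1;
}
```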