Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Out-of-bounds read in quicktimevideo.cpp #2340

Closed
kevinbackhouse opened this issue Aug 26, 2022 · 3 comments · Fixed by #2341
Closed

Out-of-bounds read in quicktimevideo.cpp #2340

kevinbackhouse opened this issue Aug 26, 2022 · 3 comments · Fixed by #2341
Assignees
@kevinbackhouse @hassec
Labels
bug OSS-Fuzz Bug reported by https://google.github.io/oss-fuzz/

Comments

@kevinbackhouse
Copy link
Collaborator

kevinbackhouse commented Aug 26, 2022
edited
Loading

Reported by OSS-Fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=50629

There's an out-of-bounds read here:

exiv2/src/quicktimevideo.cpp

Line 671 in e4adf38

xmpData_["Xmp.video.PreviewAtomType"] = Exiv2::toString(buf.data());

The problem is that the buffer hasn't been nul-terminated.

quicktimevideo.cpp is a brand new file, so this definitely doesn't affect any released versions of exiv2.

poc: https://user-images.githubusercontent.com/4358136/186881088-a2b8c10c-c2b5-4f98-bc41-7736e86cbf1b.mp4

To reproduce (with an ASAN build)

exiv2 poc.mp4
@kevinbackhouse kevinbackhouse added bug OSS-Fuzz Bug reported by https://google.github.io/oss-fuzz/ labels Aug 26, 2022
@1div0
Copy link
Collaborator

1div0 commented Aug 26, 2022

I told you so. Video is way too complicated.

hassec added a commit that referenced this issue Aug 26, 2022
@hassec
fix(quicktimevideo) avoid out of bounds read, closes #2340
c8a200c
@kevinbackhouse
Copy link
Collaborator Author

@1div0: I'm not worried about it (from a security perspective). quicktimevideo.cpp looks fairly simple to me, so we should be able to iron these bugs out quite quickly. OSS-Fuzz found this one day after the pull request was merged, so I think we have good test coverage.

@1div0
Copy link
Collaborator

1div0 commented Aug 26, 2022

@kevinbackhouse thank you so much for all your efforts to make Exiv2 secure.

MPEG-4 Systems is simply put can of worms.

hassec added a commit that referenced this issue Aug 26, 2022
@hassec
test(quicktimevideo) add poc for #2340
83ca845
@kevinbackhouse kevinbackhouse linked a pull request Aug 28, 2022 that will close this issue
fix(quicktimevideo) avoid out of bounds read, closes #2340 #2341
Merged
@hassec hassec closed this as completed in 337fe18 Aug 31, 2022
hassec added a commit that referenced this issue Aug 31, 2022
@hassec
test(quicktimevideo) add poc for #2340
6cc44ae
@nehaljwani nehaljwani mentioned this issue May 8, 2023
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@kevinbackhouse kevinbackhouse

@hassec hassec

Labels
bug OSS-Fuzz Bug reported by https://google.github.io/oss-fuzz/
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

fix(quicktimevideo) avoid out of bounds read, closes #2340 Exiv2/exiv2
3 participants
@1div0 @kevinbackhouse @hassec