From 3ea2434e59307670ff5f99bb32d443914af53d7a Mon Sep 17 00:00:00 2001 From: aler9 <46489434+aler9@users.noreply.github.com> Date: Sun, 30 Jul 2023 16:39:51 +0200 Subject: [PATCH] mpegts: fix panic with specially-crafted strings; add fuzzing --- go.mod | 2 +- go.sum | 4 +- pkg/formats/mpegts/reader_test.go | 107 +++++++++++++++++- .../testdata/fuzz/FuzzReader/5a37383f84ff4d3a | 3 + .../testdata/fuzz/FuzzReader/9136540beb330fb2 | 3 + .../testdata/fuzz/FuzzReader/916aafb26a91fa4d | 3 + .../testdata/fuzz/FuzzReader/e48c5afcad56469e | 3 + pkg/formats/mpegts/writer_test.go | 32 +++--- 8 files changed, 134 insertions(+), 23 deletions(-) create mode 100644 pkg/formats/mpegts/testdata/fuzz/FuzzReader/5a37383f84ff4d3a create mode 100644 pkg/formats/mpegts/testdata/fuzz/FuzzReader/9136540beb330fb2 create mode 100644 pkg/formats/mpegts/testdata/fuzz/FuzzReader/916aafb26a91fa4d create mode 100644 pkg/formats/mpegts/testdata/fuzz/FuzzReader/e48c5afcad56469e diff --git a/go.mod b/go.mod index 5a7d7c0..cfd1ecd 100644 --- a/go.mod +++ b/go.mod @@ -3,7 +3,7 @@ module github.com/bluenviron/mediacommon go 1.18 require ( - github.com/asticode/go-astits v1.11.0 + github.com/asticode/go-astits v1.11.1-0.20230727094110-0df190a2dd87 github.com/stretchr/testify v1.8.4 ) diff --git a/go.sum b/go.sum index aba2db4..35242b9 100644 --- a/go.sum +++ b/go.sum 
@@ -1,7 +1,7 @@ github.com/asticode/go-astikit v0.30.0 h1:DkBkRQRIxYcknlaU7W7ksNfn4gMFsB0tqMJflxkRsZA= github.com/asticode/go-astikit v0.30.0/go.mod h1:h4ly7idim1tNhaVkdVBeXQZEE3L0xblP7fCWbgwipF0= -github.com/asticode/go-astits v1.11.0 h1:GTHUXht0ZXAJXsVbsLIcyfHr1Bchi4QQwMARw2ZWAng= -github.com/asticode/go-astits v1.11.0/go.mod h1:QSHmknZ51pf6KJdHKZHJTLlMegIrhega3LPWz3ND/iI= +github.com/asticode/go-astits v1.11.1-0.20230727094110-0df190a2dd87 h1:SCAqalLhgKGDghGz03yYVWr8TavHluP/i7IwshKU9yA= +github.com/asticode/go-astits v1.11.1-0.20230727094110-0df190a2dd87/go.mod h1:QSHmknZ51pf6KJdHKZHJTLlMegIrhega3LPWz3ND/iI= github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= diff --git a/pkg/formats/mpegts/reader_test.go b/pkg/formats/mpegts/reader_test.go index a2c4ac1..e808b77 100644 --- a/pkg/formats/mpegts/reader_test.go +++ b/pkg/formats/mpegts/reader_test.go @@ -18,7 +18,7 @@ func TestReader(t *testing.T) { // PMT _, err := mux.WritePacket(&astits.Packet{ - Header: &astits.PacketHeader{ + Header: astits.PacketHeader{ HasPayload: true, PayloadUnitStartIndicator: true, PID: 0, @@ -33,7 +33,7 @@ func TestReader(t *testing.T) { // PAT _, err = mux.WritePacket(&astits.Packet{ - Header: &astits.PacketHeader{ + Header: astits.PacketHeader{ HasPayload: true, PayloadUnitStartIndicator: true, PID: 4096, @@ -54,7 +54,7 @@ func TestReader(t *testing.T) { StuffingLength: 129, RandomAccessIndicator: true, }, - Header: &astits.PacketHeader{ + Header: astits.PacketHeader{ HasAdaptationField: true, HasPayload: true, PayloadUnitStartIndicator: true, 
@@ -81,7 +81,7 @@ func TestReader(t *testing.T) { StuffingLength: 157, RandomAccessIndicator: true, }, - Header: &astits.PacketHeader{ + Header: astits.PacketHeader{ HasAdaptationField: true, HasPayload: true, PayloadUnitStartIndicator: true, 
@@ -143,3 +143,102 @@ func TestReader(t *testing.T) { } }) } + +func FuzzReader(f *testing.F) { + f.Add(true, []byte{ + 0x00, 0x00, 0x01, 0xe0, 0x00, 0x00, 0x80, 0x80, + 0x05, 0x21, 0x00, 0x0b, 0x7e, 0x41, 0x00, 0x00, + 0x00, 0x01, + 0x67, 0x42, 0xc0, 0x28, 0xd9, 0x00, 0x78, 0x02, + 0x27, 0xe5, 0x84, 0x00, 0x00, 0x03, 0x00, 0x04, + 0x00, 0x00, 0x03, 0x00, 0xf0, 0x3c, 0x60, 0xc9, + 0x20, + 0x00, 0x00, 0x00, 0x01, 0x08, + 0x00, 0x00, 0x00, 0x01, 0x05, + }) + + f.Fuzz(func(t *testing.T, pid bool, b []byte) { + var buf bytes.Buffer + mux := astits.NewMuxer(context.Background(), &buf) + + // PMT + mux.WritePacket(&astits.Packet{ + Header: astits.PacketHeader{ + HasPayload: true, + PayloadUnitStartIndicator: true, + PID: 0, + }, + Payload: append([]byte{ + 0x00, 0x00, 0xb0, 0x0d, 0x00, 0x00, 0xc1, 0x00, + 0x00, 0x00, 0x01, 0xf0, 0x00, 0x71, 0x10, 0xd8, + 0x78, + }, bytes.Repeat([]byte{0xff}, 167)...), + }) + + // PAT + mux.WritePacket(&astits.Packet{ + Header: astits.PacketHeader{ + HasPayload: true, + PayloadUnitStartIndicator: true, + PID: 4096, + }, + Payload: append([]byte{ + 0x00, 0x02, 0xb0, 0x17, 0x00, 0x01, 0xc1, 0x00, + 0x00, 0xe1, 0x00, 0xf0, 0x00, 0x1b, 0xe1, 0x00, + 0xf0, 0x00, 0x0f, 0xe1, 0x01, 0xf0, 0x00, 0x2f, + 0x44, 0xb9, 0x9b, + }, bytes.Repeat([]byte{0xff}, 157)...), + }) + + // AAC config + mux.WritePacket(&astits.Packet{ + AdaptationField: &astits.PacketAdaptationField{ + Length: 158, + StuffingLength: 157, + RandomAccessIndicator: true, + }, + Header: astits.PacketHeader{ + HasAdaptationField: true, + HasPayload: true, + PayloadUnitStartIndicator: true, + PID: 257, + }, + Payload: []byte{ + 0x00, 0x00, 0x01, 0xc0, 0x00, 0x13, 0x80, 0x80, + 0x05, 0x21, 0x00, 0x11, 0x3d, 0x61, 0xff, 0xf1, + 0x50, 0x80, 0x01, 0x7f, 0xfc, 0x01, 0x02, 0x03, + 0x04, + }, + }) + + r, err := NewReader(&buf) + if err != nil { + panic(err) + } + + // PES + mux.WritePacket(&astits.Packet{ + AdaptationField: &astits.PacketAdaptationField{ + Length: 130, + StuffingLength: 129, + 
RandomAccessIndicator: true, + }, + Header: astits.PacketHeader{ + HasAdaptationField: true, + HasPayload: true, + PayloadUnitStartIndicator: true, + PID: func() uint16 { + if pid { + return 256 + } + return 257 + }(), + }, + Payload: b, + }) + + r.Read() + r.Read() + r.Read() + }) +} diff --git a/pkg/formats/mpegts/testdata/fuzz/FuzzReader/5a37383f84ff4d3a b/pkg/formats/mpegts/testdata/fuzz/FuzzReader/5a37383f84ff4d3a new file mode 100644 index 0000000..b0f1cb9 --- /dev/null +++ b/pkg/formats/mpegts/testdata/fuzz/FuzzReader/5a37383f84ff4d3a @@ -0,0 +1,3 @@ +go test fuzz v1 +bool(true) +[]byte("00000000000000000000000000000000000000000000000000") diff --git a/pkg/formats/mpegts/testdata/fuzz/FuzzReader/9136540beb330fb2 b/pkg/formats/mpegts/testdata/fuzz/FuzzReader/9136540beb330fb2 new file mode 100644 index 0000000..6744cd4 --- /dev/null +++ b/pkg/formats/mpegts/testdata/fuzz/FuzzReader/9136540beb330fb2 @@ -0,0 +1,3 @@ +go test fuzz v1 +bool(true) +[]byte("\x00\x00\x010\x00 000") diff --git a/pkg/formats/mpegts/testdata/fuzz/FuzzReader/916aafb26a91fa4d b/pkg/formats/mpegts/testdata/fuzz/FuzzReader/916aafb26a91fa4d new file mode 100644 index 0000000..eaab652 --- /dev/null +++ b/pkg/formats/mpegts/testdata/fuzz/FuzzReader/916aafb26a91fa4d @@ -0,0 +1,3 @@ +go test fuzz v1 +bool(false) +[]byte("") diff --git a/pkg/formats/mpegts/testdata/fuzz/FuzzReader/e48c5afcad56469e b/pkg/formats/mpegts/testdata/fuzz/FuzzReader/e48c5afcad56469e new file mode 100644 index 0000000..ff336c2 --- /dev/null +++ b/pkg/formats/mpegts/testdata/fuzz/FuzzReader/e48c5afcad56469e @@ -0,0 +1,3 @@ +go test fuzz v1 +bool(true) +[]byte("\x00\x00\x010\x00+00 0") diff --git a/pkg/formats/mpegts/writer_test.go b/pkg/formats/mpegts/writer_test.go index 5e2fd0d..8ff672b 100644 --- a/pkg/formats/mpegts/writer_test.go +++ b/pkg/formats/mpegts/writer_test.go 
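Review bot: Every `mux.WritePacket` return value in `FuzzReader` is discarded, so if the muxer rejects or alters a fuzzed payload `b` that does not fit the packet (an assumption about its behaviour, not visible here), the three `r.Read()` calls parse nothing new and the fuzzer gets no signal that the input was wasted. The three fixed packets (PID 0, 4096, 257) should capture the error as `TestReader` does and stop with `if err != nil { t.Fatal(err) }`, while the fuzzed packet should use `if _, err := mux.WritePacket(...); err != nil { t.Skip() }`. The `panic(err)` after `NewReader` is better written as `t.Fatal(err)`, so a broken fixture is reported as a test failure rather than recorded as a crash finding. Only the PES payload of one packet is fuzzed, so the packet-header and PAT/PMT parsing that `NewReader` performs on untrusted streams stays outside this target; a second target that feeds raw bytes straight to `NewReader` would be needed to cover that.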
@@ -132,7 +132,7 @@ func TestWriter(t *testing.T) { pkt, err := dem.NextPacket() require.NoError(t, err) require.Equal(t, &astits.Packet{ - Header: &astits.PacketHeader{ + Header: astits.PacketHeader{ HasPayload: true, PayloadUnitStartIndicator: true, PID: 0, @@ -148,7 +148,7 @@ func TestWriter(t *testing.T) { pkt, err = dem.NextPacket() require.NoError(t, err) require.Equal(t, &astits.Packet{ - Header: &astits.PacketHeader{ + Header: astits.PacketHeader{ HasPayload: true, PayloadUnitStartIndicator: true, PID: 4096, @@ -170,7 +170,7 @@ func TestWriter(t *testing.T) { StuffingLength: 129, RandomAccessIndicator: true, }, - Header: &astits.PacketHeader{ + Header: astits.PacketHeader{ HasAdaptationField: true, HasPayload: true, PayloadUnitStartIndicator: true, @@ -197,7 +197,7 @@ func TestWriter(t *testing.T) { StuffingLength: 157, RandomAccessIndicator: true, }, - Header: &astits.PacketHeader{ + Header: astits.PacketHeader{ HasAdaptationField: true, HasPayload: true, PayloadUnitStartIndicator: true, @@ -237,7 +237,7 @@ func TestWriter(t *testing.T) { pkt, err := dem.NextPacket() require.NoError(t, err) require.Equal(t, &astits.Packet{ - Header: &astits.PacketHeader{ + Header: astits.PacketHeader{ HasPayload: true, PayloadUnitStartIndicator: true, PID: 0, @@ -253,7 +253,7 @@ func TestWriter(t *testing.T) { pkt, err = dem.NextPacket() require.NoError(t, err) require.Equal(t, &astits.Packet{ - Header: &astits.PacketHeader{ + Header: astits.PacketHeader{ HasPayload: true, PayloadUnitStartIndicator: true, PID: 4096, @@ -274,7 +274,7 @@ func TestWriter(t *testing.T) { StuffingLength: 129, RandomAccessIndicator: true, }, - Header: &astits.PacketHeader{ + Header: astits.PacketHeader{ HasAdaptationField: true, HasPayload: true, PayloadUnitStartIndicator: true, 
@@ -316,7 +316,7 @@ func TestWriter(t *testing.T) { pkt, err := dem.NextPacket() require.NoError(t, err) require.Equal(t, &astits.Packet{ - Header: &astits.PacketHeader{ + Header: astits.PacketHeader{ HasPayload: true, PayloadUnitStartIndicator: true, PID: 0, @@ -332,7 +332,7 @@ func TestWriter(t *testing.T) { pkt, err = dem.NextPacket() require.NoError(t, err) require.Equal(t, &astits.Packet{ - Header: &astits.PacketHeader{ + Header: astits.PacketHeader{ HasPayload: true, PayloadUnitStartIndicator: true, PID: 4096, @@ -353,7 +353,7 @@ func TestWriter(t *testing.T) { StuffingLength: 157, RandomAccessIndicator: true, }, - Header: &astits.PacketHeader{ + Header: astits.PacketHeader{ HasAdaptationField: true, HasPayload: true, PayloadUnitStartIndicator: true, @@ -397,7 +397,7 @@ func TestWriter(t *testing.T) { pkt, err := dem.NextPacket() require.NoError(t, err) require.Equal(t, &astits.Packet{ - Header: &astits.PacketHeader{ + Header: astits.PacketHeader{ HasPayload: true, PayloadUnitStartIndicator: true, PID: 0, @@ -433,7 +433,7 @@ func TestWriter(t *testing.T) { pkt, err = dem.NextPacket() require.NoError(t, err) require.Equal(t, &astits.Packet{ - Header: &astits.PacketHeader{ + Header: astits.PacketHeader{ HasPayload: true, PayloadUnitStartIndicator: true, PID: 4096, @@ -474,7 +474,7 @@ func TestWriter(t *testing.T) { StuffingLength: 160, RandomAccessIndicator: true, }, - Header: &astits.PacketHeader{ + Header: astits.PacketHeader{ HasAdaptationField: true, HasPayload: true, PayloadUnitStartIndicator: true, @@ -491,7 +491,7 @@ func TestWriter(t *testing.T) { pkt, err = dem.NextPacket() require.NoError(t, err) require.Equal(t, &astits.Packet{ - Header: &astits.PacketHeader{ + Header: astits.PacketHeader{ HasPayload: true, PayloadUnitStartIndicator: true, PID: 0, 
@@ -528,7 +528,7 @@ func TestWriter(t *testing.T) { pkt, err = dem.NextPacket() require.NoError(t, err) require.Equal(t, &astits.Packet{ - Header: &astits.PacketHeader{ + Header: astits.PacketHeader{ HasPayload: true, PayloadUnitStartIndicator: true, PID: 4096, @@ -570,7 +570,7 @@ func TestWriter(t *testing.T) { StuffingLength: 164, RandomAccessIndicator: true, }, - Header: &astits.PacketHeader{ + Header: astits.PacketHeader{ HasAdaptationField: true, HasPayload: true, PayloadUnitStartIndicator: true,