
AddressSanitizer: heap-buffer-overflow on address in ASDCP::TimedText::MXFReader::h__Reader::MD_to_TimedText_TDesc #138

@0xd4n10

Description


Title: AddressSanitizer: heap-buffer-overflow on address in ASDCP::TimedText::MXFReader::h__Reader::MD_to_TimedText_TDesc

Description:
I found a heap-buffer-overflow when testing the asdcplib library, specifically in the MD_to_TimedText_TDesc function.

Affected Software:

Software: asdcplib
Version: 2.13.1
Operating System: Debian 11
Kernel: Linux debian 5.10.0-28-amd64 #1 SMP Debian 5.10.209-2 (2024-01-31) x86_64 GNU/Linux

Impact:
A heap-buffer-overflow vulnerability can lead to application crashes, data corruption, security vulnerabilities, and system instability.

Steps to Reproduce:

Build the affected software (asdcplib) after enabling AddressSanitizer.
Execute any of the affected binaries (asdcp-info, asdcp-unwrap) with the provided poc that triggers the vulnerable code path.
Observe the AddressSanitizer report indicating a heap-buffer-overflow error.

Example Output (AddressSanitizer):

=================================================================
==3302077==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60e0000008c9 at pc 0x7f438b4876ae bp 0x7fff15258e00 sp 0x7fff15258df8
READ of size 16 at 0x60e0000008c9 thread T0
    #0 0x7f438b4876ad in ASDCP::TimedText::MXFReader::h__Reader::MD_to_TimedText_TDesc(ASDCP::TimedText::TimedTextDescriptor&) (/mnt/fast/DCP/asdcplib/build-asan/src/libasdcp.so.2+0x38b6ad)
    #1 0x7f438b487ff6 in ASDCP::TimedText::MXFReader::h__Reader::OpenRead(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) (/mnt/fast/DCP/asdcplib/build-asan/src/libasdcp.so.2+0x38bff6)
    #2 0x7f438b48934b in ASDCP::TimedText::MXFReader::OpenRead(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) const (/mnt/fast/DCP/asdcplib/build-asan/src/libasdcp.so.2+0x38d34b)
    #3 0x5607797159f7 in FileInfoWrapper<ASDCP::TimedText::MXFReader, MyTextDescriptor>::file_info(CommandOptions&, char const*, _IO_FILE*) (/mnt/fast/DCP/asdcplib/build-asan/src/asdcp-info+0x269f7)
    #4 0x560779703ffa in show_file_info(CommandOptions&, Kumu::IFileReaderFactory const&) (/mnt/fast/DCP/asdcplib/build-asan/src/asdcp-info+0x14ffa)
    #5 0x560779705652 in main (/mnt/fast/DCP/asdcplib/build-asan/src/asdcp-info+0x16652)
    #6 0x7f438ad0fd09 in __libc_start_main ../csu/libc-start.c:308
    #7 0x560779702859 in _start (/mnt/fast/DCP/asdcplib/build-asan/src/asdcp-info+0x13859)

0x60e0000008c9 is located 9 bytes to the right of 160-byte region [0x60e000000820,0x60e0000008c0)
allocated by thread T0 here:
    #0 0x7f438b7c8647 in operator new(unsigned long) ../../../../src/libsanitizer/asan/asan_new_delete.cpp:99
    #1 0x7f438b38ccef in ContainerConstraintsSubDescriptor_Factory(ASDCP::Dictionary const*) (/mnt/fast/DCP/asdcplib/build-asan/src/libasdcp.so.2+0x290cef)
    #2 0x7f438b346f1d in ASDCP::MXF::CreateObject(ASDCP::Dictionary const*, ASDCP::UL const&) (/mnt/fast/DCP/asdcplib/build-asan/src/libasdcp.so.2+0x24af1d)
    #3 0x7f438b33de72 in ASDCP::MXF::OP1aHeader::InitFromBuffer(unsigned char const*, unsigned int) (/mnt/fast/DCP/asdcplib/build-asan/src/libasdcp.so.2+0x241e72)
    #4 0x7f438b33d389 in ASDCP::MXF::OP1aHeader::InitFromFile(Kumu::IFileReader const&) (/mnt/fast/DCP/asdcplib/build-asan/src/libasdcp.so.2+0x241389)
    #5 0x7f438b43c97a in ASDCP::MXF::TrackFileReader<ASDCP::MXF::OP1aHeader, ASDCP::MXF::OPAtomIndexFooter>::OpenMXFRead(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) (/mnt/fast/DCP/asdcplib/build-asan/src/libasdcp.so.2+0x34097a)
    #6 0x7f438b431f6e in ASDCP::h__ASDCPReader::OpenMXFRead(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) (/mnt/fast/DCP/asdcplib/build-asan/src/libasdcp.so.2+0x335f6e)
    #7 0x7f438b487cf6 in ASDCP::TimedText::MXFReader::h__Reader::OpenRead(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) (/mnt/fast/DCP/asdcplib/build-asan/src/libasdcp.so.2+0x38bcf6)
    #8 0x7f438b48934b in ASDCP::TimedText::MXFReader::OpenRead(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) const (/mnt/fast/DCP/asdcplib/build-asan/src/libasdcp.so.2+0x38d34b)
    #9 0x5607797159f7 in FileInfoWrapper<ASDCP::TimedText::MXFReader, MyTextDescriptor>::file_info(CommandOptions&, char const*, _IO_FILE*) (/mnt/fast/DCP/asdcplib/build-asan/src/asdcp-info+0x269f7)
    #10 0x560779703ffa in show_file_info(CommandOptions&, Kumu::IFileReaderFactory const&) (/mnt/fast/DCP/asdcplib/build-asan/src/asdcp-info+0x14ffa)
    #11 0x560779705652 in main (/mnt/fast/DCP/asdcplib/build-asan/src/asdcp-info+0x16652)
    #12 0x7f438ad0fd09 in __libc_start_main ../csu/libc-start.c:308

SUMMARY: AddressSanitizer: heap-buffer-overflow (/mnt/fast/DCP/asdcplib/build-asan/src/libasdcp.so.2+0x38b6ad) in ASDCP::TimedText::MXFReader::h__Reader::MD_to_TimedText_TDesc(ASDCP::TimedText::TimedTextDescriptor&)
Shadow bytes around the buggy address:
  0x0c1c7fff80c0: fd fd fd fd fa fa fa fa fa fa fa fa 00 00 00 00
  0x0c1c7fff80d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c1c7fff80e0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c1c7fff80f0: fd fd fd fd fd fd fd fd fd fd fd fd fa fa fa fa
  0x0c1c7fff8100: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c1c7fff8110: 00 00 00 00 00 00 00 00 fa[fa]fa fa fa fa fa fa
  0x0c1c7fff8120: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c1c7fff8130: fd fd fd fd fa fa fa fa fa fa fa fa 00 00 00 00
  0x0c1c7fff8140: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c1c7fff8150: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c1c7fff8160: 00 00 00 00 00 00 00 00 00 00 00 00 fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==3302077==ABORTING
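The report above carries everything needed for a first triage: the access kind and size, how far outside the allocation it lands, and which frames own the access and the allocation. The script below is an added triage helper, not code from this issue or from asdcplib; it uses only the Python standard library and an embedded, constructed excerpt of the report (lines copied verbatim from above), and cross-checks the report's own numbers before summarising.

```python
import re

# Constructed excerpt of the AddressSanitizer report quoted in this issue: only the
# lines the parser needs, copied verbatim from the report above.
ASAN_REPORT = """\
==3302077==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60e0000008c9 at pc 0x7f438b4876ae bp 0x7fff15258e00 sp 0x7fff15258df8
READ of size 16 at 0x60e0000008c9 thread T0
    #0 0x7f438b4876ad in ASDCP::TimedText::MXFReader::h__Reader::MD_to_TimedText_TDesc(ASDCP::TimedText::TimedTextDescriptor&) (/mnt/fast/DCP/asdcplib/build-asan/src/libasdcp.so.2+0x38b6ad)

0x60e0000008c9 is located 9 bytes to the right of 160-byte region [0x60e000000820,0x60e0000008c0)
allocated by thread T0 here:
    #0 0x7f438b7c8647 in operator new(unsigned long) ../../../../src/libsanitizer/asan/asan_new_delete.cpp:99
    #1 0x7f438b38ccef in ContainerConstraintsSubDescriptor_Factory(ASDCP::Dictionary const*) (/mnt/fast/DCP/asdcplib/build-asan/src/libasdcp.so.2+0x290cef)
"""

HEADER = re.compile(r"ERROR: AddressSanitizer: (?P<kind>[\w-]+) on address (?P<addr>0x[0-9a-f]+)")
ACCESS = re.compile(r"^(?P<op>READ|WRITE) of size (?P<size>\d+) at (?P<addr>0x[0-9a-f]+)", re.M)
REGION = re.compile(r"is located (?P<dist>\d+) bytes to the (?P<side>left|right) of "
                    r"(?P<rsize>\d+)-byte region \[(?P<lo>0x[0-9a-f]+),(?P<hi>0x[0-9a-f]+)\)")
FRAME = re.compile(r"^[ \t]+#\d+ 0x[0-9a-f]+ in (?P<func>[^(\n]+)", re.M)  # name without argument list


def parse_asan_report(text):
    """Pull the triage-relevant facts out of an ASan heap-buffer-overflow report."""
    head, acc, reg = HEADER.search(text), ACCESS.search(text), REGION.search(text)
    if not (head and acc and reg):
        raise ValueError("not a recognised AddressSanitizer heap-buffer-overflow report")
    addr, lo, hi = (int(x, 16) for x in (acc["addr"], reg["lo"], reg["hi"]))
    if head["addr"] != acc["addr"] or hi - lo != int(reg["rsize"]):
        raise ValueError("report is internally inconsistent (truncated or hand-edited?)")
    # Frames printed before "allocated by" belong to the faulting access, the rest to the allocation.
    access_part, _, alloc_part = text.partition("allocated by thread")
    access_frames = [m["func"].strip() for m in FRAME.finditer(access_part)]
    alloc_frames = [m["func"].strip() for m in FRAME.finditer(alloc_part)]
    return {
        "kind": head["kind"], "op": acc["op"], "size": int(acc["size"]),
        "region_size": int(reg["rsize"]), "side": reg["side"], "distance": int(reg["dist"]),
        # offset of the byte just past the last one accessed, relative to the end of the object
        "access_end_offset": addr + int(acc["size"]) - hi,
        "access_site": access_frames[0] if access_frames else None,
        # the first allocation frame that is not the allocator itself owns the object
        "alloc_site": next((f for f in alloc_frames if not f.startswith("operator ")), None),
    }


def triage_summary(report):
    r = parse_asan_report(report)
    return (f"{r['kind']}: {r['op']} of {r['size']} bytes starting {r['distance']} bytes to the "
            f"{r['side']} of a {r['region_size']}-byte object (ends {r['access_end_offset']} bytes "
            f"past it); allocated in {r['alloc_site']}, accessed in {r['access_site']}")
```

For this report the summary reads that a 16-byte read begins 9 bytes past a 160-byte object created in ContainerConstraintsSubDescriptor_Factory, which is the pair of facts (object type versus the descriptor the reader expects) a maintainer would look at first.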

POC:
poc.zip

Disclosure Timeline:

Date of Discovery: 26/05/2024
Date Reported to Vendor: 26/05/2024

Acknowledgments:
This vulnerability was discovered and reported by 0xd4n.

Please let me know if you require any further information or assistance.
