Heap Buffer Overflow (READ) in 3.0.0-git Vetinari (revision 63c91494)
There is a Heap Buffer Overflow (READ) vulnerability in demux/libavi_plugin when parsing a crafted AVI file. ASAN reports a READ of size 4.
ASAN output:
==12277== ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60360003f968 at pc 0x7fffe37725b7 bp 0x7fffe558c290 sp 0x7fffe558c288
READ of size 4 at 0x60360003f968 thread T3
[New Thread 0x7fffe3261700 (LWP 12285)]
[New Thread 0x7fffe2e5a700 (LWP 12286)]
#0 0x7fffe37725b6 (/tmp/vlc/modules/.libs/libavi_plugin.so+0x75b6)
#1 0x7fffe377760e (/tmp/vlc/modules/.libs/libavi_plugin.so+0xc60e)
#2 0x7ffff3ea4242 (/tmp/vlc/src/.libs/libvlccore.so.8.0.0+0x179242)
#3 0x7ffff3ea3620 (/tmp/vlc/src/.libs/libvlccore.so.8.0.0+0x178620)
#4 0x7ffff3ea3ce3 (/tmp/vlc/src/.libs/libvlccore.so.8.0.0+0x178ce3)
==12277== AddressSanitizer: while reporting a bug found another one. Ignoring.
#5 0x7ffff3ea439d (/tmp/vlc/src/.libs/libvlccore.so.8.0.0+0x17939d)
#6 0x7ffff3dd61df (/tmp/vlc/src/.libs/libvlccore.so.8.0.0+0xab1df)
#7 0x7ffff3e0ea8f (/tmp/vlc/src/.libs/libvlccore.so.8.0.0+0xe3a8f)
#8 0x7ffff3e054dc (/tmp/vlc/src/.libs/libvlccore.so.8.0.0+0xda4dc)
#9 0x7ffff3dfda89 (/tmp/vlc/src/.libs/libvlccore.so.8.0.0+0xd2a89)
#10 0x7ffff3da4da6 (/tmp/vlc/src/.libs/libvlccore.so.8.0.0+0x79da6)
#11 0x7ffff3da540a (/tmp/vlc/src/.libs/libvlccore.so.8.0.0+0x7a40a)
#12 0x7ffff4e63b97 (/usr/lib/x86_64-linux-gnu/libasan.so.0.0.0+0x18b97)
#13 0x7ffff49ee181 (/lib/x86_64-linux-gnu/libpthread-2.19.so+0x8181)
#14 0x7ffff4516fbc (/lib/x86_64-linux-gnu/libc-2.19.so+0xfafbc)
0x60360003f968 is located 0 bytes to the right of 552-byte region [0x60360003f740,0x60360003f968)
allocated by thread T3 here:
#0 0x7ffff4e6041a (/usr/lib/x86_64-linux-gnu/libasan.so.0.0.0+0x1541a)
#1 0x7fffe378a2ba (/tmp/vlc/modules/.libs/libavi_plugin.so+0x1f2ba)
#2 0x7fffe378db6c (/tmp/vlc/modules/.libs/libavi_plugin.so+0x22b6c)
#3 0x7fffe3791e81 (/tmp/vlc/modules/.libs/libavi_plugin.so+0x26e81)
#4 0x7fffe378b241 (/tmp/vlc/modules/.libs/libavi_plugin.so+0x20241)
#5 0x7fffe3791e81 (/tmp/vlc/modules/.libs/libavi_plugin.so+0x26e81)
#6 0x7fffe378b241 (/tmp/vlc/modules/.libs/libavi_plugin.so+0x20241)
#7 0x7fffe3791e81 (/tmp/vlc/modules/.libs/libavi_plugin.so+0x26e81)
#8 0x7fffe378b241 (/tmp/vlc/modules/.libs/libavi_plugin.so+0x20241)
#9 0x7fffe3791e81 (/tmp/vlc/modules/.libs/libavi_plugin.so+0x26e81)
#10 0x7fffe3792b0f (/tmp/vlc/modules/.libs/libavi_plugin.so+0x27b0f)
#11 0x7fffe37750c3 (/tmp/vlc/modules/.libs/libavi_plugin.so+0xa0c3)
#12 0x7ffff3ea4242 (/tmp/vlc/src/.libs/libvlccore.so.8.0.0+0x179242)
#13 0x7ffff3ea3620 (/tmp/vlc/src/.libs/libvlccore.so.8.0.0+0x178620)
#14 0x7ffff3ea3ce3 (/tmp/vlc/src/.libs/libvlccore.so.8.0.0+0x178ce3)
#15 0x7ffff3ea439d (/tmp/vlc/src/.libs/libvlccore.so.8.0.0+0x17939d)
#16 0x7ffff3dd61df (/tmp/vlc/src/.libs/libvlccore.so.8.0.0+0xab1df)
#17 0x7ffff3e0ea8f (/tmp/vlc/src/.libs/libvlccore.so.8.0.0+0xe3a8f)
#18 0x7ffff3e054dc (/tmp/vlc/src/.libs/libvlccore.so.8.0.0+0xda4dc)
#19 0x7ffff3dfda89 (/tmp/vlc/src/.libs/libvlccore.so.8.0.0+0xd2a89)
#20 0x7ffff3da4da6 (/tmp/vlc/src/.libs/libvlccore.so.8.0.0+0x79da6)
#21 0x7ffff3da540a (/tmp/vlc/src/.libs/libvlccore.so.8.0.0+0x7a40a)
#22 0x7ffff4e63b97 (/usr/lib/x86_64-linux-gnu/libasan.so.0.0.0+0x18b97)
Thread T3 created by T0 here:
#0 0x7ffff4e55b5b (/usr/lib/x86_64-linux-gnu/libasan.so.0.0.0+0xab5b)
#1 0x7ffff3eed13c (/tmp/vlc/src/.libs/libvlccore.so.8.0.0+0x1c213c)
#2 0x7ffff3eed390 (/tmp/vlc/src/.libs/libvlccore.so.8.0.0+0x1c2390)
#3 0x7ffff3da4732 (/tmp/vlc/src/.libs/libvlccore.so.8.0.0+0x79732)
#4 0x7ffff3dac286 (/tmp/vlc/src/.libs/libvlccore.so.8.0.0+0x81286)
#5 0x7ffff3daa226 (/tmp/vlc/src/.libs/libvlccore.so.8.0.0+0x7f226)
#6 0x7ffff3daa01c (/tmp/vlc/src/.libs/libvlccore.so.8.0.0+0x7f01c)
#7 0x7ffff3d95e8e (/tmp/vlc/src/.libs/libvlccore.so.8.0.0+0x6ae8e)
#8 0x7ffff3d7ba61 (/tmp/vlc/src/.libs/libvlccore.so.8.0.0+0x50a61)
#9 0x7ffff3d7b4a6 (/tmp/vlc/src/.libs/libvlccore.so.8.0.0+0x504a6)
#10 0x7ffff4c1234a (/tmp/vlc/lib/.libs/libvlc.so.5.5.0+0xe34a)
#11 0x401d03 (/tmp/vlc/bin/vlc-static+0x401d03)
#12 0x7ffff443dec4 (/lib/x86_64-linux-gnu/libc-2.19.so+0x21ec4)
Shadow bytes around the buggy address:
0x0c073ffffed0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c073ffffee0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
0x0c073ffffef0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c073fffff00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c073fffff10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c073fffff20: 00 00 00 00 00 00 00 00 00 00 00 00 00[fa]fa fa
0x0c073fffff30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c073fffff40: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c073fffff50: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c073fffff60: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
[Thread 0x7fffe2e5a700 (LWP 12286) exited]
0x0c073fffff70: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap righ redzone: fb
Freed Heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
ASan internal: fe
==12277== ABORTING
Program received signal SIGABRT, Aborted.
In:
#7 0x00007fffe37725b7 in U32_AT (p=0x60360003f968) at ../include/vlc_common.h:684
684 memcpy (&x, p, sizeof (x));
GDB bt full:
#7 0x00007fffe37725b7 in U32_AT (p=0x60360003f968) at ../include/vlc_common.h:684
x = 16777215
#8 0x00007fffe377760f in Open (p_this=0x60280000f858) at demux/avi/avi.c:548
i = 128
entry = 4294967040
p_bi = 0x60360003f740
p_vprp = 0x0
p_info = 0x7fffe558d700
p_strl = 0x601c000191e0
p_strh = 0x601c00019100
p_strn = 0x0
p_auds = 0x601c00019020
fmt = {i_cat = 1, i_codec = 1346520914, i_original_fourcc = 0, i_id = -1, i_group = 0, i_priority = 0, psz_language = 0x0, psz_description = 0x0, i_extra_languages = 0,
p_extra_languages = 0x0, audio = {i_format = 0, i_rate = 0, i_physical_channels = 0, i_original_channels = 0, i_bytes_per_frame = 0, i_frame_length = 0,
i_bitspersample = 0, i_blockalign = 0, i_channels = 0 '\000'}, audio_replay_gain = {pb_peak = {false, false}, pf_peak = {0, 0}, pb_gain = {false, false}, pf_gain = {0,
0}}, video = {i_chroma = 0, i_width = 0, i_height = 0, i_x_offset = 0, i_y_offset = 0, i_visible_width = 0, i_visible_height = 0, i_bits_per_pixel = 0, i_sar_num = 0,
i_sar_den = 0, i_frame_rate = 0, i_frame_rate_base = 0, i_rmask = 0, i_gmask = 0, i_bmask = 0, i_rrshift = 0, i_lrshift = 0, i_rgshift = 0, i_lgshift = 0, i_rbshift = 0,
i_lbshift = 0, p_palette = 0x60440004f180, orientation = ORIENT_TOP_LEFT}, subs = {psz_encoding = 0x0, i_x_origin = 0, i_y_origin = 0, spu = {palette = {
0 <repeats 17 times>}, i_original_frame_width = 0, i_original_frame_height = 0}, dvb = {i_id = 0}, teletext = {i_magazine = 0, i_page = 0}, p_style = 0x0},
i_bitrate = 0, i_profile = -1, i_level = -1, b_packetized = true, i_extra = 0, p_extra = 0x0}
tk = 0x60100000ffa0
p_vids = 0x601c00019020
p_demux = 0x60280000f858
p_sys = 0x60240000fe00
b_index = false
b_aborted = false
i_do_index = 32767
p_riff = 0x601c00019480
p_hdrl = 0x601c000193a0
p_movi = 0x601c00018e60
p_avih = 0x601c000192c0
i_track = 1
i = 0
i_peeker = 0
p_peek = 0x7fffe4274800 "RIFF`%\002"
i_idx_totalframes = 4092509162
#9 0x00007ffff3ea4243 in generic_start (func=0x7fffe3774b06 <Open>, ap=0x7fffe558c730) at modules/modules.c:351
obj = 0x60280000f858
activate = 0x7fffe3774b06 <Open>
#10 0x00007ffff3ea3621 in module_load (obj=0x60280000f858, m=0x601a00016420, init=0x7ffff3ea4130 <generic_start>, args=0x7fffe558c880) at modules/modules.c:185
ap = {{gp_offset = 48, fp_offset = 48, overflow_arg_area = 0x7fffe558c9f0, reg_save_area = 0x7fffe558c920}}
ret = 0
#11 0x00007ffff3ea3ce4 in vlc_module_load (obj=0x60280000f858, capability=0x7ffff3f51be0 "demux", name=0x6004000554b3 "", strict=true, probe=0x7ffff3ea4130 <generic_start>) at modules/modules.c:277
cand = 0x601a00016420
ret = -1
i = 1
buf = "any\000\000\000\000\000\300\374\002\000&`\000\000\020\375\002\000&`\000\000\000\000\000\000\000\000\000"
slen = 3
shortcut = 0x7fffe558c8c0 "any"
var = 0x0
mods = 0x60360003fcc0
total = 66
module = 0x0
b_force_backup = false
args = {{gp_offset = 40, fp_offset = 48, overflow_arg_area = 0x7fffe558c9f0, reg_save_area = 0x7fffe558c920}}
__PRETTY_FUNCTION__ = "vlc_module_load"
#12 0x00007ffff3ea439e in module_need (obj=0x60280000f858, cap=0x7ffff3f51be0 "demux", name=0x6004000554b0 "any", strict=true) at modules/modules.c:366
No locals.
...
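The backtrace shows the crash as an unchecked 4-byte read (U32_AT, a memcpy of sizeof(uint32_t)) at exactly the end of a 552-byte heap region, with loop index i = 128 in Open(). The following is an added example, not VLC's code and not part of this report: a bounds-checked reader for a chunk made of a fixed header followed by 4-byte entries, the shape such a read loop walks. The helper names (bounded_u32_le, read_palette_bounded, build_sample_chunk), the 40-byte header size and the sample chunk are assumptions for the example; the one supporting arithmetic is that 40 + 128 * 4 = 552, so an entry with index 128 would start one byte past a 552-byte region. The point it demonstrates is the mitigation: clamp the entry count the file claims to what the chunk length can hold, and refuse any read that does not fit entirely inside the buffer.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Sizes taken from the report: the read hit offset 552 of a 552-byte region
 * with loop index 128. Treating the first 40 bytes as a fixed header is an
 * assumption made only for this example (40 + 128 * 4 == 552). */
#define SAMPLE_CHUNK_LEN 552u
#define SAMPLE_HDR_LEN   40u

/* Bounded alternative to an unchecked 4-byte read such as U32_AT(p): the
 * caller supplies the buffer length and the read is refused unless all four
 * bytes lie inside it. Hypothetical helper, not VLC code. */
bool bounded_u32_le(const uint8_t *base, size_t len, size_t off, uint32_t *out)
{
    if (base == NULL || off > len || len - off < sizeof(uint32_t))
        return false;
    uint8_t b[4];
    memcpy(b, base + off, sizeof b);          /* unaligned-safe, like the original */
    *out = (uint32_t)b[0] | ((uint32_t)b[1] << 8)
         | ((uint32_t)b[2] << 16) | ((uint32_t)b[3] << 24);
    return true;
}

/* Copy the 4-byte entries that follow hdr_len bytes of header. n_requested is
 * whatever the file claims; it is clamped to what chunk_len can hold and to
 * out_cap, and the number of entries actually read is returned. */
size_t read_palette_bounded(const uint8_t *chunk, size_t chunk_len, size_t hdr_len,
                            size_t n_requested, uint32_t *out, size_t out_cap)
{
    if (chunk == NULL || out == NULL || chunk_len < hdr_len)
        return 0;
    size_t avail = (chunk_len - hdr_len) / sizeof(uint32_t);
    size_t n = n_requested < avail ? n_requested : avail;
    if (n > out_cap)
        n = out_cap;
    for (size_t i = 0; i < n; i++) {
        if (!bounded_u32_le(chunk, chunk_len, hdr_len + i * sizeof(uint32_t), &out[i]))
            return i;   /* unreachable after clamping; kept so the helper stays honest */
    }
    return n;
}

/* Constructed sample chunk (not from the report): zeroed header followed by
 * 128 entries whose little-endian value equals their index. */
void build_sample_chunk(uint8_t *buf)
{
    memset(buf, 0, SAMPLE_CHUNK_LEN);
    for (uint32_t i = 0; i < (SAMPLE_CHUNK_LEN - SAMPLE_HDR_LEN) / 4; i++) {
        uint8_t *e = buf + SAMPLE_HDR_LEN + i * 4;
        e[0] = (uint8_t)i;         e[1] = (uint8_t)(i >> 8);
        e[2] = (uint8_t)(i >> 16); e[3] = (uint8_t)(i >> 24);
    }
}

int main(void)
{
    uint8_t chunk[SAMPLE_CHUNK_LEN];
    uint32_t pal[256];
    uint32_t v;
    build_sample_chunk(chunk);

    /* A header claiming 256 entries only yields the 128 that fit in the chunk. */
    size_t n = read_palette_bounded(chunk, sizeof chunk, SAMPLE_HDR_LEN, 256, pal, 256);
    printf("entries read: %zu (last value %u)\n", n, (unsigned)pal[n - 1]);

    /* The access from the report, offset 552 in a 552-byte region, is refused. */
    printf("read at end of region allowed: %s\n",
           bounded_u32_le(chunk, sizeof chunk, SAMPLE_CHUNK_LEN, &v) ? "yes" : "no");
    return 0;
}
```

The clamp is the part that matters: the count read from the file header is never trusted on its own, it is reduced to the number of whole entries the chunk's own length can hold, so a crafted header that claims more entries than the chunk carries is silently truncated instead of driving the read past the allocation. The helper's length check is the per-read backstop for code paths that compute offsets some other way.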