Heap-buffer-overflow in function impeghe_main_process() at libmpeghe/test/impeghe_testbench.c:2161

[zhuvensi]

Describe

A heap-buffer-overflow was discovered in libmpeghe v[2024-06-12]. The issue is being triggered in function impeghe_main_process() at libmpeghe/test/impeghe_testbench.c:2161.Attackers may exploit this vulnerability to execute and cause a DOS attack.

Reproduce:

Tested in Ubuntu 22.04
First,Compile the program with address sanitizer:

mkdir cmake_build
cd cmake_build
AFL_USE_ASAN=1 CC=afl-clang-lto CXX=afl-clang-lto++ cmake ..
AFL_USE_ASAN=1  make -j8

Then the poc is inputed:

./MPEGHEncoder -ifile:/home/crashes/libmpeghe/crashes.2024-06-28-03:53:38/id:000001,sig:06,src:000679,time:2786852,execs:23823,op:quick,pos:77 -ofile:1.mp4

ASan Reports：

==2852430==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x608000000078 at pc 0x555dfe015fe1 bp 0x7ffc75e7e090 sp 0x7ffc75e7e088
WRITE of size 4 at 0x608000000078 thread T0
    #0 0x555dfe015fe0 in impeghe_main_process /home/libmpeghe/test/impeghe_testbench.c:2161:37
    #1 0x555dfe01b664 in main /home/libmpeghe/test/impeghe_testbench.c:2748:7
    #2 0x7f0eaededd8f  (/lib/x86_64-linux-gnu/libc.so.6+0x29d8f) (BuildId: 962015aa9d133c6cbcfb31ec300596d7f44d3348)
    #3 0x7f0eaedede3f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x29e3f) (BuildId: 962015aa9d133c6cbcfb31ec300596d7f44d3348)
    #4 0x555dfdf14b74 in _start (/home/libmpeghe/build/bin/MPEGHEncoder+0x36eb74) (BuildId: ad74bd9c567612d9)

0x608000000078 is located 0 bytes after 88-byte region [0x608000000020,0x608000000078)
allocated by thread T0 here:
    #0 0x555dfdfae99e in malloc (/home/libmpeghe/build/bin/MPEGHEncoder+0x40899e) (BuildId: ad74bd9c567612d9)
    #1 0x555dfe010dd0 in malloc_global /home/libmpeghe/test/impeghe_testbench.c:852:63
    #2 0x555dfe010dd0 in impeghe_main_process /home/libmpeghe/test/impeghe_testbench.c:2040:20
    #3 0x555dfe01b664 in main /home/libmpeghe/test/impeghe_testbench.c:2748:7
    #4 0x7f0eaededd8f  (/lib/x86_64-linux-gnu/libc.so.6+0x29d8f) (BuildId: 962015aa9d133c6cbcfb31ec300596d7f44d3348)

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/libmpeghe/test/impeghe_testbench.c:2161:37 in impeghe_main_process
Shadow bytes around the buggy address:
  0x607ffffffd80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x607ffffffe00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x607ffffffe80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x607fffffff00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x607fffffff80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x608000000000: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00[fa]
  0x608000000080: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x608000000100: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x608000000180: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x608000000200: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x608000000280: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==2852430==ABORTING

Poc

Poc file is here

Fuzzer：
Fuzzer is AFL.