
A SIGSEGV signal appears when running the program Thordec

Open fCorleone opened this issue 6 years ago • 11 comments

An issue has been discovered when using Thordec:

ASAN:SIGSEGV
=================================================================
==22231==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7fec86fb7425 bp 0x7fffe85bc968 sp 0x7fffe85aceb8 T0)
    #0 0x7fec86fb7424 in strrchr (/lib/x86_64-linux-gnu/libc.so.6+0x8d424)
    #1 0x4022a9 in main dec/maindec.c:116
    #2 0x7fec86f4a82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #3 0x406ce8 in _start (/home/mfc_fuzz/thor/build/Thordec+0x406ce8)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV ??:0 strrchr
==22231==ABORTING

The input file is displayed at: https://github.com/fCorleone/fuzz_programs/blob/master/thor/test.bit. The command line is:

./Thordec test.bit out.yuv

fCorleone avatar Jul 05 '18 11:07 fCorleone
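A small triage helper for reports like the one above, added here as an example and not code from this thread or from the thor project: it pulls the fault address and stack frames out of an AddressSanitizer "SEGV on unknown address" report, classifies a fault at address 0 as a null-page dereference (the pattern in the trace above, where strrchr is reached from main), and records the first frame inside the project's own sources so fuzzer crashes with the same root cause land in the same bucket. The report text is a constructed copy of the one quoted above, and the project-path hint `maindec.c` is an assumption.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the AddressSanitizer report quoted in the issue above,
# trimmed to the lines the parser needs.
ASAN_REPORT = """\
==22231==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7fec86fb7425 bp 0x7fffe85bc968 sp 0x7fffe85aceb8 T0)
    #0 0x7fec86fb7424 in strrchr (/lib/x86_64-linux-gnu/libc.so.6+0x8d424)
    #1 0x4022a9 in main dec/maindec.c:116
    #2 0x7fec86f4a82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
SUMMARY: AddressSanitizer: SEGV ??:0 strrchr
"""

# Header: error kind plus faulting address.  Frame: "#N 0xADDR in FUNC LOCATION".
HEADER_RE = re.compile(r"==\d+==ERROR: AddressSanitizer: (?P<kind>[\w-]+) on unknown address (?P<addr>0x[0-9a-fA-F]+)")
FRAME_RE = re.compile(r"^\s*#\d+ 0x[0-9a-fA-F]+ in (?P<func>\S+) (?P<loc>.+)$", re.M)
PAGE_SIZE = 0x1000  # faults below the first page are almost always NULL plus a small offset

@dataclass(frozen=True)
class Triage:
    kind: str
    address: int
    category: str
    faulting_frame: str           # innermost frame, often a libc routine such as strrchr
    project_frame: Optional[str]  # first frame inside the project's own sources, if any

def classify_address(addr: int) -> str:
    if addr < PAGE_SIZE:
        return "null-page dereference"      # an unchecked NULL handed to a callee
    if addr >= 0x7F0000000000:
        return "high-address wild pointer"  # stack / shared-library region on x86-64 Linux
    return "unclassified wild pointer"

def triage_asan(report: str, project_hint: str) -> Triage:
    """Reduce an ASAN SEGV report to the fields a crash bucket is keyed on."""
    m = HEADER_RE.search(report)
    if m is None:
        raise ValueError("not an AddressSanitizer 'SEGV on unknown address' report")
    frames = [(f.group("func"), f.group("loc")) for f in FRAME_RE.finditer(report)]
    if not frames:
        raise ValueError("report has no stack frames")
    addr = int(m.group("addr"), 16)
    project = next((f"{func} {loc}" for func, loc in frames if project_hint in loc), None)
    return Triage(m.group("kind"), addr, classify_address(addr), frames[0][0], project)

def bucket_key(t: Triage) -> tuple:
    """Crashes sharing this key very likely share a root cause."""
    return (t.kind, t.category, t.faulting_frame, t.project_frame)
```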

Thanks for the report. Can you specify the commit id you're using to decode?

stemidts avatar Jul 17 '18 17:07 stemidts

I have checked the commit id; it's commit e42047d. It's strange that I cloned the code from https://github.com/cisco/thor.git 12 days ago. Does it mean that I would get the latest version of the code? But when I check the commit id using the command line:

git reflog

I got this:

e42047d HEAD@{0}: clone: from https://github.com/cisco/thor.git

fCorleone avatar Jul 18 '18 00:07 fCorleone

Thanks. It looks to me that the bitstream contains illegal elements, which indicates that there is an encoder bug as well. Are you able to share how you produced the stream? (config file, options & input video)

Does the following patch work for you? (It should fix the crash, but the file will not be decodable): patch.txt

stemidts avatar Jul 18 '18 02:07 stemidts

My command line to produce the stream is like:

./Thordec test.bit out.yuv

with no options or config file; I just tried to input a file and the issue happened. The input file has been placed at: https://github.com/fCorleone/fuzz_programs/blob/master/thor/test.bit. I will try the patch later. By the way, I'm wondering whether I could get a CVE ID for this issue? Thank you for your reply to this issue anyway.

fCorleone avatar Jul 18 '18 06:07 fCorleone

I meant the Thorenc command used to produce test.bit (and test2.bit in #37)

stemidts avatar Jul 18 '18 11:07 stemidts

Oh, the test bit was not produced by Thorenc from a certain video. The test bit was created in the fuzzing process: I put a seed into the fuzzing process, and afl mutated the seed and got the test bit, which would make the program crash.

fCorleone avatar Jul 19 '18 01:07 fCorleone

@stemidts Could I get CVE IDs for these two issues please?

fCorleone avatar Jul 20 '18 07:07 fCorleone

We haven't issued CVEs yet. In order for me to understand this problem correctly, it would be helpful if you could give feedback on whether the patch helps.

stemidts avatar Jul 20 '18 12:07 stemidts

Yes, the patch fixes the problem for me.

fCorleone avatar Jul 23 '18 02:07 fCorleone

@stemidts Will I get CVE IDs for these two issues?

fCorleone avatar Jul 26 '18 02:07 fCorleone

The issues seem to have the same root cause and the CVE ID is CVE-2018-0429.

A patch has been committed into the repository.

stemidts avatar Aug 13 '18 07:08 stemidts