=================================================================
==62461==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffe95b8a37d at pc 0x5597f2b9b16c bp 0x7ffe95b8a050 sp 0x7ffe95b8a048
READ of size 1 at 0x7ffe95b8a37d thread T0
#0 0x5597f2b9b16b in pmt_read source/mpeg-pmt.c:148
#1 0x5597f2b9ff0c in ts_demuxer_input source/mpeg-ts-dec.c:229
#2 0x5597f2b8db37 in mpeg_ts_file /home/fuzz/media-server/libmpeg/fuzz/ts-harness.cpp:79
#3 0x5597f2b8db37 in mpeg_ts_test(char const*) /home/fuzz/media-server/libmpeg/fuzz/ts-harness.cpp:97
#4 0x5597f2b8d338 in main /home/fuzz/media-server/libmpeg/fuzz/ts-harness.cpp:108
#5 0x7fe66e33c2e0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202e0)
#6 0x5597f2b8d7b9 in _start (/data00/home/fuzz/media-server/libmpeg/fuzz/ts-harness+0x27b9)
Address 0x7ffe95b8a37d is located in stack of thread T0 at offset 301 in frame
#0 0x5597f2b8d9ff in mpeg_ts_test(char const*) /home/fuzz/media-server/libmpeg/fuzz/ts-harness.cpp:88
=================================================================
==71887==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fff452fc9be at pc 0x56457a296ad9 bp 0x7fff452fc710 sp 0x7fff452fc708
READ of size 1 at 0x7fff452fc9be thread T0
#0 0x56457a296ad8 in adaptation_filed_read source/mpeg-ts-dec.c:85
#1 0x56457a296ad8 in ts_demuxer_input source/mpeg-ts-dec.c:188
#2 0x56457a283b37 in mpeg_ts_file /home/fuzz/media-server/libmpeg/fuzz/ts-harness.cpp:79
#3 0x56457a283b37 in mpeg_ts_test(char const*) /home/fuzz/media-server/libmpeg/fuzz/ts-harness.cpp:97
#4 0x56457a283338 in main /home/fuzz/media-server/libmpeg/fuzz/ts-harness.cpp:108
#5 0x7faadc3ac2e0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202e0)
#6 0x56457a2837b9 in _start (/data00/home/fuzz/media-server/libmpeg/fuzz/ts-harness+0x27b9)
Address 0x7fff452fc9be is located in stack of thread T0 at offset 302 in frame
#0 0x56457a2839ff in mpeg_ts_test(char const*) /home/fuzz/media-server/libmpeg/fuzz/ts-harness.cpp:88
Impact
Patches
fix GHSA-p7jj-x4pf-33fv mpeg pmt/pat/sdt/AF memory access overrun
Workarounds
Check the PAT/PMT/SDT header lengths.
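The workaround above, as an added example that is not the project's own code: a hypothetical bounds check on the TS adaptation_field_length and on the section_length in the PSI header that PAT, PMT and SDT share, run against constructed packets. Function names, the 188-byte packet size and the 1021-byte section maximum are assumptions taken from ISO 13818-1, not from libmpeg.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TS_PACKET_SIZE 188
#define PSI_MAX_SECTION_LENGTH 1021   /* ISO 13818-1: section_length <= 0x3FD */

/* Offset of the first payload byte of a 188-byte TS packet, or -1 when the
 * packet is short, the sync byte is wrong, or adaptation_field_length claims
 * more bytes than the packet holds (the overrun class in the second trace). */
int ts_payload_offset(const uint8_t *pkt, size_t len)
{
    if (len < TS_PACKET_SIZE || pkt[0] != 0x47)
        return -1;
    unsigned afc = (pkt[3] >> 4) & 0x03;       /* adaptation_field_control */
    size_t off = 4;
    if (afc == 2 || afc == 3) {                /* adaptation field present */
        size_t af_len = pkt[4];                /* adaptation_field_length */
        off = 5;
        if (af_len > TS_PACKET_SIZE - off)     /* bound it before reading PCR etc. */
            return -1;
        off += af_len;
    }
    return (int)off;
}

/* Validate the PSI section header shared by PAT, PMT and SDT. sec points at
 * table_id, avail is the number of bytes really present. Returns
 * section_length, or -1 if it exceeds the standard maximum or the buffer
 * (3-byte header + section_length, the last 4 bytes of which are CRC_32). */
int psi_section_length(const uint8_t *sec, size_t avail)
{
    if (avail < 3)
        return -1;
    size_t n = ((size_t)(sec[1] & 0x0F) << 8) | sec[2];
    if (n < 4 || n > PSI_MAX_SECTION_LENGTH || n > avail - 3)
        return -1;
    return (int)n;
}

int main(void)
{
    /* constructed packet: sync, PUSI set, PID 0x100, AF + payload, AF length 200 */
    uint8_t pkt[TS_PACKET_SIZE] = {0x47, 0x41, 0x00, 0x30, 0xC8};
    printf("payload offset: %d\n", ts_payload_offset(pkt, sizeof pkt)); /* -1 */
    pkt[4] = 7;
    printf("payload offset: %d\n", ts_payload_offset(pkt, sizeof pkt)); /* 12 */
    return 0;
}
```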
References
@Cossack9989
For more information
If you have any questions or comments about this advisory:
Open an issue in ireader/media-server