Libquicktime:allocation failed in quicktime_read_info

Description

Libquicktime is a library for reading and writing quicktime/avi/mp4 files. It provides convenient access to quicktime files with a variety of supported codecs.

An allocation failed was found in function quicktime_read_info in lqt_quicktime.c, which allows attackers to cause a denial of service via a crafted file.

#qtinfo $POC
==2892==ERROR: failed to allocate 0x6c6d769000
(465692954624) bytes of LargeMmapAllocator (error code: 12)
==2892==Process memory map follows:
    0x000000400000-0x0000008b5000
/home/test/Downloads/libquicktime-afl-build/bin/qtinfo
    0x000000ab5000-0x000000ab6000
/home/test/Downloads/libquicktime-afl-build/bin/qtinfo
    0x000000ab6000-0x000000ad2000
/home/test/Downloads/libquicktime-afl-build/bin/qtinfo
    0x000000ad2000-0x000001739000
    0x00007fff7000-0x00008fff7000
    0x00008fff7000-0x02008fff7000
    0x02008fff7000-0x10007fff8000
    0x600000000000-0x602000000000
    0x602000000000-0x602000010000
    0x602000010000-0x602e00000000
    0x602e00000000-0x602e00010000
    0x602e00010000-0x604000000000
    0x604000000000-0x604000010000
    0x604000010000-0x604e00000000
    0x604e00000000-0x604e00010000
    0x604e00010000-0x606000000000
    0x606000000000-0x606000010000
    0x606000010000-0x606e00000000
    0x606e00000000-0x606e00010000
    0x606e00010000-0x608000000000
    0x608000000000-0x608000010000
    0x608000010000-0x608e00000000
    0x608e00000000-0x608e00010000
    0x608e00010000-0x616000000000
    0x616000000000-0x616000010000
    0x616000010000-0x616e00000000
    0x616e00000000-0x616e00010000
    0x616e00010000-0x624000000000
    0x624000000000-0x624000010000
    0x624000010000-0x624e00000000
    0x624e00000000-0x624e00010000
    0x624e00010000-0x626000000000
    0x626000000000-0x626000010000
    0x626000010000-0x626e00000000
    0x626e00000000-0x626e00010000
    0x626e00010000-0x640000000000
    0x640000000000-0x640000003000
    0x7f9b80b00000-0x7f9b80c00000
    0x7f9b80d00000-0x7f9b80e00000
    0x7f9b80f00000-0x7f9b81000000
    0x7f9b81100000-0x7f9b81200000
    0x7f9b8125e000-0x7f9b835b0000
    0x7f9b835b0000-0x7f9b83766000    /usr/lib64/libc-2.17.so
    0x7f9b83766000-0x7f9b83966000    /usr/lib64/libc-2.17.so
    0x7f9b83966000-0x7f9b8396a000    /usr/lib64/libc-2.17.so
    0x7f9b8396a000-0x7f9b8396c000    /usr/lib64/libc-2.17.so
    0x7f9b8396c000-0x7f9b83971000
    0x7f9b83971000-0x7f9b83986000    /usr/lib64/libgcc_s-4.8.5-20150702.so.1
    0x7f9b83986000-0x7f9b83b85000    /usr/lib64/libgcc_s-4.8.5-20150702.so.1
    0x7f9b83b85000-0x7f9b83b86000    /usr/lib64/libgcc_s-4.8.5-20150702.so.1
    0x7f9b83b86000-0x7f9b83b87000    /usr/lib64/libgcc_s-4.8.5-20150702.so.1
    0x7f9b83b87000-0x7f9b83b8e000    /usr/lib64/librt-2.17.so
    0x7f9b83b8e000-0x7f9b83d8d000    /usr/lib64/librt-2.17.so
    0x7f9b83d8d000-0x7f9b83d8e000    /usr/lib64/librt-2.17.so
    0x7f9b83d8e000-0x7f9b83d8f000    /usr/lib64/librt-2.17.so
    0x7f9b83d8f000-0x7f9b83da6000    /usr/lib64/libpthread-2.17.so
    0x7f9b83da6000-0x7f9b83fa5000    /usr/lib64/libpthread-2.17.so
    0x7f9b83fa5000-0x7f9b83fa6000    /usr/lib64/libpthread-2.17.so
    0x7f9b83fa6000-0x7f9b83fa7000    /usr/lib64/libpthread-2.17.so
    0x7f9b83fa7000-0x7f9b83fab000
    0x7f9b83fab000-0x7f9b83fad000    /usr/lib64/libdl-2.17.so
    0x7f9b83fad000-0x7f9b841ad000    /usr/lib64/libdl-2.17.so
    0x7f9b841ad000-0x7f9b841ae000    /usr/lib64/libdl-2.17.so
    0x7f9b841ae000-0x7f9b841af000    /usr/lib64/libdl-2.17.so
    0x7f9b841af000-0x7f9b841c4000    /usr/lib64/libz.so.1.2.7
    0x7f9b841c4000-0x7f9b843c3000    /usr/lib64/libz.so.1.2.7
    0x7f9b843c3000-0x7f9b843c4000    /usr/lib64/libz.so.1.2.7
    0x7f9b843c4000-0x7f9b843c5000    /usr/lib64/libz.so.1.2.7
    0x7f9b843c5000-0x7f9b844c5000    /usr/lib64/libm-2.17.so
    0x7f9b844c5000-0x7f9b846c5000    /usr/lib64/libm-2.17.so
    0x7f9b846c5000-0x7f9b846c6000    /usr/lib64/libm-2.17.so
    0x7f9b846c6000-0x7f9b846c7000    /usr/lib64/libm-2.17.so
    0x7f9b846c7000-0x7f9b846e7000    /usr/lib64/ld-2.17.so
    0x7f9b8475c000-0x7f9b848cb000
    0x7f9b848cb000-0x7f9b848e6000
    0x7f9b848e6000-0x7f9b848e7000    /usr/lib64/ld-2.17.so
    0x7f9b848e7000-0x7f9b848e8000    /usr/lib64/ld-2.17.so
    0x7f9b848e8000-0x7f9b848e9000
    0x7ffd55c95000-0x7ffd55cb6000    [stack]
    0x7ffd55cfb000-0x7ffd55cfd000    [vdso]
    0xffffffffff600000-0xffffffffff601000    [vsyscall]
==2892==End of process memory map.
==2892==AddressSanitizer CHECK failed:
/home/test/Downloads/llvm-clang/llvm/projects/compiler-rt/lib/sanitizer_common/sanitizer_common.cc:120
"((0 && "unable to mmap")) != (0)" (0x0, 0x0)
    #0 0x4ea5bf in __asan::AsanCheckFailed(char const*, int, char const*,
unsigned long long, unsigned long long)
/home/test/Downloads/llvm-clang/llvm/projects/compiler-rt/lib/asan/asan_rtl.cc:69
    #1 0x501ee5 in __sanitizer::CheckFailed(char const*, int, char const*,
unsigned long long, unsigned long long)
/home/test/Downloads/llvm-clang/llvm/projects/compiler-rt/lib/sanitizer_common/sanitizer_termination.cc:79
    #2 0x4f2b80 in __sanitizer::ReportMmapFailureAndDie(unsigned long, char
const*, char const*, int, bool)
/home/test/Downloads/llvm-clang/llvm/projects/compiler-rt/lib/sanitizer_common/sanitizer_common.cc:120
    #3 0x4fb35e in __sanitizer::MmapOrDie(unsigned long, char const*, bool)
/home/test/Downloads/llvm-clang/llvm/projects/compiler-rt/lib/sanitizer_common/sanitizer_posix.cc:132
    #4 0x42660f in
__sanitizer::LargeMmapAllocator<__asan::AsanMapUnmapCallback>::Allocate(__sanitizer::AllocatorStats*,
unsigned long, unsigned long)
/home/test/Downloads/llvm-clang/llvm/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_allocator_secondary.h:41
    #5 0x42660f in
__sanitizer::CombinedAllocator<__sanitizer::SizeClassAllocator64<__asan::AP64>,
__sanitizer::SizeClassAllocatorLocalCache<__sanitizer::SizeClassAllocator64<__asan::AP64>
>, __sanitizer::LargeMmapAllocator<__asan::AsanMapUnmapCallback>
>::Allocate(__sanitizer::SizeClassAllocatorLocalCache<__sanitizer::SizeClassAllocator64<__asan::AP64>
>*, unsigned long, unsigned long, bool, bool)
/home/test/Downloads/llvm-clang/llvm/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_allocator_combined.h:70
    #6 0x42660f in __asan::Allocator::Allocate(unsigned long, unsigned
long, __sanitizer::BufferedStackTrace*, __asan::AllocType, bool)
/home/test/Downloads/llvm-clang/llvm/projects/compiler-rt/lib/asan/asan_allocator.cc:407
    #7 0x4dff89 in malloc
/home/test/Downloads/llvm-clang/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:67
    #8 0x5411c9 in quicktime_read_info
/home/test/Downloads/libquicktime-1.2.4/src/lqt_quicktime.c:1784:39
    #9 0x5441ca in do_open
/home/test/Downloads/libquicktime-1.2.4/src/lqt_quicktime.c:2026:10
    #10 0x515a55 in file_info
/home/test/Downloads/libquicktime-1.2.4/utils/qtinfo.c:45:12
    #11 0x515a55 in main
/home/test/Downloads/libquicktime-1.2.4/utils/qtinfo.c:69
    #12 0x7f9b835d1b34 in __libc_start_main
/usr/src/debug/glibc-2.17-c758a686/csu/../csu/libc-start.c:274
    #13 0x41affb in _start
(/home/test/Downloads/libquicktime-afl-build/bin/qtinfo+0x41affb)

Affected version: 1.2.4
Fixed version:N/A
Commit fix:N/A
Credit: ADLab of Venustech.
CVE:N/A
Reproducer:
https://sourceforge.net/p/libquicktime/mailman/message/35888850/
(in the attachment)
Timeline:
2017-06-11:bug discovered and reported to the Libquicktime`s mailling lists of sourceforge
2017-07-30:blog post about the issue
Permalink:
https://somevulnsofadlab.blogspot.com/2017/07/libquicktimeallocation-failed-in.html

评论

此博客中的热门博文

Poppler:stack buffer overflow in GfxImageColorMap::getGray

LibTIFF:memory leak in _TIFFmalloc

lrzip:stack buffer overflow in get_fileinfo