Libquicktime: allocation failed in quicktime_read_ftyp
Description
Libquicktime is a library for reading and writing QuickTime/AVI/MP4 files. It provides convenient access to QuickTime files with a variety of supported codecs.
An allocation failure was found in the function quicktime_read_ftyp in ftyp.c. The trace below shows malloc being called from ftyp.c:148 with a size of 0x1e0003000 bytes (about 8 GB) while parsing a crafted file, so a size taken from the file reaches the allocator without being checked against the data actually present; this allows attackers to cause a denial of service (allocation failure and process abort) via a crafted file.
#qtinfo $POC
==2703==ERROR: failed to allocate 0x1e0003000 (8053075968) bytes of LargeMmapAllocator (error code: 12)
==2703==Process memory map follows:
0x000000400000-0x0000008b5000 /home/test/Downloads/libquicktime-afl-build/bin/qtinfo
0x000000ab5000-0x000000ab6000 /home/test/Downloads/libquicktime-afl-build/bin/qtinfo
0x000000ab6000-0x000000ad2000 /home/test/Downloads/libquicktime-afl-build/bin/qtinfo
0x000000ad2000-0x000001739000
0x00007fff7000-0x00008fff7000
0x00008fff7000-0x02008fff7000
0x02008fff7000-0x10007fff8000
0x600000000000-0x604000000000
0x604000000000-0x604000010000
0x604000010000-0x604e00000000
0x604e00000000-0x604e00010000
0x604e00010000-0x606000000000
0x606000000000-0x606000010000
0x606000010000-0x606e00000000
0x606e00000000-0x606e00010000
0x606e00010000-0x608000000000
0x608000000000-0x608000010000
0x608000010000-0x608e00000000
0x608e00000000-0x608e00010000
0x608e00010000-0x616000000000
0x616000000000-0x616000010000
0x616000010000-0x616e00000000
0x616e00000000-0x616e00010000
0x616e00010000-0x624000000000
0x624000000000-0x624000010000
0x624000010000-0x624e00000000
0x624e00000000-0x624e00010000
0x624e00010000-0x626000000000
0x626000000000-0x626000010000
0x626000010000-0x626e00000000
0x626e00000000-0x626e00010000
0x626e00010000-0x640000000000
0x640000000000-0x640000003000
0x7efc08900000-0x7efc08a00000
0x7efc08b00000-0x7efc08c00000
0x7efc08d00000-0x7efc08e00000
0x7efc08f00000-0x7efc09000000
0x7efc090de000-0x7efc0b430000
0x7efc0b430000-0x7efc0b5e6000 /usr/lib64/libc-2.17.so
0x7efc0b5e6000-0x7efc0b7e6000 /usr/lib64/libc-2.17.so
0x7efc0b7e6000-0x7efc0b7ea000 /usr/lib64/libc-2.17.so
0x7efc0b7ea000-0x7efc0b7ec000 /usr/lib64/libc-2.17.so
0x7efc0b7ec000-0x7efc0b7f1000
0x7efc0b7f1000-0x7efc0b806000 /usr/lib64/libgcc_s-4.8.5-20150702.so.1
0x7efc0b806000-0x7efc0ba05000 /usr/lib64/libgcc_s-4.8.5-20150702.so.1
0x7efc0ba05000-0x7efc0ba06000 /usr/lib64/libgcc_s-4.8.5-20150702.so.1
0x7efc0ba06000-0x7efc0ba07000 /usr/lib64/libgcc_s-4.8.5-20150702.so.1
0x7efc0ba07000-0x7efc0ba0e000 /usr/lib64/librt-2.17.so
0x7efc0ba0e000-0x7efc0bc0d000 /usr/lib64/librt-2.17.so
0x7efc0bc0d000-0x7efc0bc0e000 /usr/lib64/librt-2.17.so
0x7efc0bc0e000-0x7efc0bc0f000 /usr/lib64/librt-2.17.so
0x7efc0bc0f000-0x7efc0bc26000 /usr/lib64/libpthread-2.17.so
0x7efc0bc26000-0x7efc0be25000 /usr/lib64/libpthread-2.17.so
0x7efc0be25000-0x7efc0be26000 /usr/lib64/libpthread-2.17.so
0x7efc0be26000-0x7efc0be27000 /usr/lib64/libpthread-2.17.so
0x7efc0be27000-0x7efc0be2b000
0x7efc0be2b000-0x7efc0be2d000 /usr/lib64/libdl-2.17.so
0x7efc0be2d000-0x7efc0c02d000 /usr/lib64/libdl-2.17.so
0x7efc0c02d000-0x7efc0c02e000 /usr/lib64/libdl-2.17.so
0x7efc0c02e000-0x7efc0c02f000 /usr/lib64/libdl-2.17.so
0x7efc0c02f000-0x7efc0c044000 /usr/lib64/libz.so.1.2.7
0x7efc0c044000-0x7efc0c243000 /usr/lib64/libz.so.1.2.7
0x7efc0c243000-0x7efc0c244000 /usr/lib64/libz.so.1.2.7
0x7efc0c244000-0x7efc0c245000 /usr/lib64/libz.so.1.2.7
0x7efc0c245000-0x7efc0c345000 /usr/lib64/libm-2.17.so
0x7efc0c345000-0x7efc0c545000 /usr/lib64/libm-2.17.so
0x7efc0c545000-0x7efc0c546000 /usr/lib64/libm-2.17.so
0x7efc0c546000-0x7efc0c547000 /usr/lib64/libm-2.17.so
0x7efc0c547000-0x7efc0c567000 /usr/lib64/ld-2.17.so
0x7efc0c5dc000-0x7efc0c74b000
0x7efc0c74b000-0x7efc0c766000
0x7efc0c766000-0x7efc0c767000 /usr/lib64/ld-2.17.so
0x7efc0c767000-0x7efc0c768000 /usr/lib64/ld-2.17.so
0x7efc0c768000-0x7efc0c769000
0x7ffce97d5000-0x7ffce97f6000 [stack]
0x7ffce97f8000-0x7ffce97fa000 [vdso]
0xffffffffff600000-0xffffffffff601000 [vsyscall]
==2703==End of process memory map.
==2703==AddressSanitizer CHECK failed: /home/test/Downloads/llvm-clang/llvm/projects/compiler-rt/lib/sanitizer_common/sanitizer_common.cc:120 "((0 && "unable to mmap")) != (0)" (0x0, 0x0)
    #0 0x4ea5bf in __asan::AsanCheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) /home/test/Downloads/llvm-clang/llvm/projects/compiler-rt/lib/asan/asan_rtl.cc:69
    #1 0x501ee5 in __sanitizer::CheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) /home/test/Downloads/llvm-clang/llvm/projects/compiler-rt/lib/sanitizer_common/sanitizer_termination.cc:79
    #2 0x4f2b80 in __sanitizer::ReportMmapFailureAndDie(unsigned long, char const*, char const*, int, bool) /home/test/Downloads/llvm-clang/llvm/projects/compiler-rt/lib/sanitizer_common/sanitizer_common.cc:120
    #3 0x4fb35e in __sanitizer::MmapOrDie(unsigned long, char const*, bool) /home/test/Downloads/llvm-clang/llvm/projects/compiler-rt/lib/sanitizer_common/sanitizer_posix.cc:132
    #4 0x42660f in __sanitizer::LargeMmapAllocator<__asan::AsanMapUnmapCallback>::Allocate(__sanitizer::AllocatorStats*, unsigned long, unsigned long) /home/test/Downloads/llvm-clang/llvm/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_allocator_secondary.h:41
    #5 0x42660f in __sanitizer::CombinedAllocator<__sanitizer::SizeClassAllocator64<__asan::AP64>, __sanitizer::SizeClassAllocatorLocalCache<__sanitizer::SizeClassAllocator64<__asan::AP64> >, __sanitizer::LargeMmapAllocator<__asan::AsanMapUnmapCallback> >::Allocate(__sanitizer::SizeClassAllocatorLocalCache<__sanitizer::SizeClassAllocator64<__asan::AP64> >*, unsigned long, unsigned long, bool, bool) /home/test/Downloads/llvm-clang/llvm/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_allocator_combined.h:70
    #6 0x42660f in __asan::Allocator::Allocate(unsigned long, unsigned long, __sanitizer::BufferedStackTrace*, __asan::AllocType, bool) /home/test/Downloads/llvm-clang/llvm/projects/compiler-rt/lib/asan/asan_allocator.cc:407
    #7 0x4dff89 in malloc /home/test/Downloads/llvm-clang/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:67
    #8 0x574538 in quicktime_read_ftyp /home/test/Downloads/libquicktime-1.2.4/src/ftyp.c:148:29
    #9 0x5410c5 in quicktime_read_info /home/test/Downloads/libquicktime-1.2.4/src/lqt_quicktime.c:1774:15
    #10 0x5441ca in do_open /home/test/Downloads/libquicktime-1.2.4/src/lqt_quicktime.c:2026:10
    #11 0x515a55 in file_info /home/test/Downloads/libquicktime-1.2.4/utils/qtinfo.c:45:12
    #12 0x515a55 in main /home/test/Downloads/libquicktime-1.2.4/utils/qtinfo.c:69
    #13 0x7efc0b451b34 in __libc_start_main /usr/src/debug/glibc-2.17-c758a686/csu/../csu/libc-start.c:274
    #14 0x41affb in _start (/home/test/Downloads/libquicktime-afl-build/bin/qtinfo+0x41affb)
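The trace shows malloc reached from quicktime_read_ftyp (ftyp.c:148) with a request of 0x1e0003000 bytes, i.e. a size derived from the crafted file arriving at the allocator unchecked. The following is an added C example, not libquicktime's code, showing how an ftyp reader can validate the declared box size against the bytes actually available (and cap the brand count) before allocating. The box layout follows the ISO base media file format "ftyp" box (32-bit size, type, major_brand, minor_version, compatible brands; size 1 means a 64-bit size follows, size 0 means "to end of data"); the MAX_COMPATIBLE_BRANDS ceiling and the two sample boxes are constructed for illustration, and the "bad" box reuses the 0x1e0003000 figure from the trace.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Assumed sane ceiling for illustration; the format itself sets no limit. */
#define MAX_COMPATIBLE_BRANDS 64

typedef struct {
    uint32_t  major_brand;
    uint32_t  minor_version;
    uint32_t  num_compatible_brands;
    uint32_t *compatible_brands;   /* malloc'd, freed by caller */
} ftyp_box;

static uint32_t rd32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

static uint64_t rd64(const uint8_t *p)
{
    return ((uint64_t)rd32(p) << 32) | rd32(p + 4);
}

/* Parse one ftyp box from buf[0..len). Returns 0 on success or a negative
 * code; never allocates more than the bytes present in buf. */
int read_ftyp_checked(const uint8_t *buf, size_t len, ftyp_box *out)
{
    size_t   hdr = 8;                        /* 32-bit size + 4-byte type */
    uint64_t box_size;

    if (len < hdr)
        return -1;                           /* truncated header */
    if (memcmp(buf + 4, "ftyp", 4) != 0)
        return -2;                           /* not an ftyp box */

    box_size = rd32(buf);
    if (box_size == 1) {                     /* 64-bit extended size follows */
        if (len < 16)
            return -1;
        box_size = rd64(buf + 8);
        hdr = 16;
    } else if (box_size == 0) {              /* box runs to end of data */
        box_size = len;
    }

    /* The check that stops the oversized malloc: the declared size must
     * cover major/minor and must not exceed the data actually available. */
    if (box_size < hdr + 8 || box_size > len)
        return -3;

    uint64_t brand_bytes = box_size - hdr - 8;
    if (brand_bytes % 4 != 0)
        return -4;                           /* brands are 4 bytes each */
    uint64_t n = brand_bytes / 4;
    if (n > MAX_COMPATIBLE_BRANDS)
        return -5;                           /* implausible brand count */

    const uint8_t *p = buf + hdr;
    out->major_brand   = rd32(p);
    out->minor_version = rd32(p + 4);
    out->num_compatible_brands = (uint32_t)n;
    out->compatible_brands = n ? malloc((size_t)n * sizeof(uint32_t)) : NULL;
    if (n && !out->compatible_brands)
        return -6;
    for (uint64_t i = 0; i < n; i++)
        out->compatible_brands[i] = rd32(p + 8 + 4 * i);
    return 0;
}

/* Constructed sample boxes (not the reporter's PoC). */
/* Well-formed: size 24, major 'isom', minor 0x200, brands 'isom','mp41'. */
static const uint8_t good_ftyp[] = {
    0,0,0,24, 'f','t','y','p', 'i','s','o','m', 0,0,2,0,
    'i','s','o','m', 'm','p','4','1'
};
/* Crafted: size==1, then a 64-bit size of 0x1e0003000 with only 8 bytes of
 * payload behind it. An unchecked reader would derive a huge brand count. */
static const uint8_t bad_ftyp[] = {
    0,0,0,1, 'f','t','y','p', 0,0,0,1, 0xe0,0x00,0x30,0x00,
    'i','s','o','m', 0,0,2,0
};

/* Helpers that return the parser's verdict so the behaviour can be checked. */
int demo_good(uint32_t *n_brands)
{
    ftyp_box f = {0};
    int rc = read_ftyp_checked(good_ftyp, sizeof good_ftyp, &f);
    if (n_brands) *n_brands = f.num_compatible_brands;
    free(f.compatible_brands);
    return rc;
}

int demo_bad(void)
{
    ftyp_box f = {0};
    return read_ftyp_checked(bad_ftyp, sizeof bad_ftyp, &f); /* rejected before malloc */
}

int main(void)
{
    uint32_t n = 0;
    printf("good: rc=%d brands=%u\n", demo_good(&n), n);
    printf("bad:  rc=%d\n", demo_bad());
    return 0;
}
```

The same principle applies inside a library that reads from a file rather than a buffer: the atom's declared end must be compared with the real file size (and the count clamped to something plausible) before that count is multiplied into a malloc size.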
Affected version: 1.2.4
Fixed version: N/A
Commit fix: N/A
Credit: ADLab of Venustech.
CVE: N/A
Reproducer:
https://sourceforge.net/p/libquicktime/mailman/message/35888849/
(in the attachment)
Timeline:
2017-06-11: bug discovered and reported to the libquicktime mailing list on SourceForge
2017-07-30: blog post about the issue
Permalink:
https://somevulnsofadlab.blogspot.com/2017/07/libquicktimeallocation-failed-in_30.html