wangf1978 / dumpts

Extract elementary stream from all kinds of media files, show inside media meta information and reconstruct Transport-Stream, ISOBMFF, Matroska and MMT media files

License: MIT License

C++ 91.00% C 8.84% Makefile 0.16%
mp4 isobmff av1 matroska avif-images heif h264-avc h265-hevc aac-audio mpegts

dumpts's People

Contributors

blackjack4494, mmt-tlvassociation, thomaswang071001, wangf1978

dumpts's Issues

Null Pointer Dereference in function DumpOneStream() at src/DumpStream.cpp:3075

Describe:
A Null Pointer Dereference was discovered in DumpTS. The issue is being triggered in function DumpOneStream() at src/DumpStream.cpp:3075

Reproduce:

Tested in Ubuntu 22.04
Compile the program with address sanitizer with this:
first add the command in makefile as follows:
image

Then:
gdb --args ./DumpTS /home/DumpTS/fuzz_out2/default/crashes/id:000000,sig:11,src:000007,time:80786,execs:34010,op:int16,pos:5,val:+64 --showinfo --removebox='unkn'
(gdb) set logging on
(gdb) set logging file out.txt
(gdb) set logging redirect on
(gdb) break main
(gdb) run
(gdb) step
(gdb) print argc
(gdb) print argv
(gdb) continue
(gdb) info signals
(gdb) backtrace

GDB Reports:

(gdb) run
Starting program: /home/DumpTS/build/linux/DumpTS /home/DumpTS/fuzz_out2/default/crashes/id:000000,sig:11,src:000007,time:80786,execs:34010,op:int16,pos:5,val:+64 --showinfo --removebox=unkn
warning: Error disabling address space randomization: Operation not permitted
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
invalid 'pointer_field' value.

Program received signal SIGSEGV, Segmentation fault.
0x00007f43f4230d4d in ftell () from /lib/x86_64-linux-gnu/libc.so.6
(gdb) continue 
Continuing.
AddressSanitizer:DEADLYSIGNAL
=================================================================
==1809928==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f43f4230d4d bp 0x7ffdfcc8c170 sp 0x7ffdfcc8bc90 T0)
==1809928==The signal is caused by a READ memory access.
==1809928==Hint: address points to the zero page.
[Detaching after fork from child process 1811589]
    #0 0x7f43f4230d4d in _IO_ftell (/lib/x86_64-linux-gnu/libc.so.6+0x7fd4d) (BuildId: 962015aa9d133c6cbcfb31ec300596d7f44d3348)
    #1 0x5583ad745508  (/home/DumpTS/build/linux/DumpTS+0xe86508) (BuildId: b640c03d1d58bdf7)
    #2 0x5583ad778276  (/home/DumpTS/build/linux/DumpTS+0xeb9276) (BuildId: b640c03d1d58bdf7)
    #3 0x7f43f41dad8f  (/lib/x86_64-linux-gnu/libc.so.6+0x29d8f) (BuildId: 962015aa9d133c6cbcfb31ec300596d7f44d3348)
    #4 0x7f43f41dae3f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x29e3f) (BuildId: 962015aa9d133c6cbcfb31ec300596d7f44d3348)
    #5 0x5583acc3f324  (/home/DumpTS/build/linux/DumpTS+0x380324) (BuildId: b640c03d1d58bdf7)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/lib/x86_64-linux-gnu/libc.so.6+0x7fd4d) (BuildId: 962015aa9d133c6cbcfb31ec300596d7f44d3348) in _IO_ftell
==1809928==ABORTING
[Inferior 1 (process 1809928) exited with code 01]

and this is the command at the bug address:
image

Poc

Poc file is here

Fuzzer
Fuzzer is AFL.

Error:

The PSI section data seems not to be enough.

Metadata for ES output

DumpTS extract ES from TS, and store all ES to a file.
Do you ever create metadata to read one ES by another one from the file?

MMTP Payload reading of MFU doesn't follow spec

Here:

https://github.com/wangf1978/DumpTS/blob/master/src/MMT.h#L2264

The code is called with TLV packet of length say 0x200, but in my sample MMT file ends up reading > 0xb300 bytes because it doesn't keep track of tlv packet size boundary.

You need to assemble the packets, instead of just reading payload_bytes.

Here's a sample mmt file which causes this issue - https://mega.nz/#!sQUzyK7Q!w88OVKujO5s6j_0g6M4exIav2uUg2fJ5cBSR9LyX8OA

command line which causes bug:

dumpts sample.mmts --srcfmt=mmt --output=test.hevc --outputfmt=es --pid=0xa001

This also requires my earlier PR about >12bit pid numbers.
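
The boundary tracking this issue asks for can be sketched as follows. This is an added example, not code from DumpTS or from the issue author: `TlvWindow`, `open_tlv_packet`, `gather` and the sample bytes are hypothetical, and the 4-byte header layout (0x7F, packet type, 16-bit big-endian length) is an assumption. It ignores the IP and MMTP headers inside each packet and shows only how reads are clamped to each packet's declared length.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <vector>

// Read window that refuses any read extending past the end of one TLV packet.
struct TlvWindow {
    const uint8_t* data = nullptr;
    size_t remaining = 0;
    bool read(uint8_t* dst, size_t n) {
        if (n > remaining) return false;
        if (n) std::memcpy(dst, data, n);
        data += n; remaining -= n;
        return true;
    }
};

// Assumed header layout: 0x7F, packet_type, 16-bit big-endian data_length.
bool open_tlv_packet(const std::vector<uint8_t>& buf, size_t off,
                     TlvWindow& win, size_t& next_off) {
    const size_t kHeader = 4;
    if (off > buf.size() || buf.size() - off < kHeader) return false;
    if (buf[off] != 0x7F) return false;                    // lost sync
    const size_t len = (size_t(buf[off + 2]) << 8) | buf[off + 3];
    if (buf.size() - off - kHeader < len) return false;    // truncated packet
    win.data = buf.data() + off + kHeader;
    win.remaining = len;
    next_off = off + kHeader + len;
    return true;
}

// Gather `want` payload bytes across consecutive packets, never taking more
// from a packet than its data_length. Returns the number of bytes gathered.
size_t gather(const std::vector<uint8_t>& buf, size_t want, std::vector<uint8_t>& out) {
    size_t off = 0, next = 0;
    TlvWindow win;
    while (out.size() < want && open_tlv_packet(buf, off, win, next)) {
        const size_t old = out.size();
        const size_t take = std::min(want - old, win.remaining);
        out.resize(old + take);
        win.read(out.data() + old, take);
        off = next;
    }
    return out.size();
}

// Constructed sample: two TLV packets carrying 3 and 2 payload bytes.
const std::vector<uint8_t> kSample = {0x7F, 0x02, 0x00, 0x03, 0xA1, 0xA2, 0xA3,
                                      0x7F, 0x02, 0x00, 0x02, 0xB1, 0xB2};
```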

Output two pids at once for MMT/TLV stream

The current version of DumpTS needs to run twice if the output for two pids (for audio & video) is needed.
For example, dumpts sample.mmts --srcfmt=mmt --output=test.hevc --pid=0xa001 --CID=2
In this case, pid=0xa001 is video data only.

For audio data(0xa041), dumpts needs to run again,
dumpts sample.mmts --srcfmt=mmt --output=test.aac --pid=0xa041 --CID=2

I think it's good to process two pids at once like this,
dumpts sample.mmts --srcfmt=mmt --output=test.hevc&test.aac --pid=0xa001&0xa041 --CID=2

What do you think?

Failed to find MPU time descriptor

I have this MMTS sample, which when I dump the hevc stream, the code shows "Failed to find MPU time descriptor for the asset."

Although the dumped version seems normal, is it possible to look into it?

Sample: https://we.tl/t-H7uet6iyz2

P.S. using latest main branch, DumpTS will core dump on the CRC part. I used the commit at bd0b3e8.

Null Pointer Dereference in function DumpOneStream() at src/DumpStream.cpp:2858

DumpTS

Describe:

A Null Pointer Dereference was discovered in DumpTS v0.1.0-nightly. The issue is being triggered in function DumpOneStream() at src/DumpStream.cpp:2858. Attackers may exploit this vulnerability to execute and cause a DOS attack.

Reproduce:

Tested in Ubuntu 22.04
Compile the program with address sanitizer with this:
first add the command in makefile as follows:
image

Then:
gdb --args ./DumpTS /home/DumpTS/fuzz_out2/default/crashes/id:000008,sig:11,src:000034+000066,time:416966,execs:118645,op:splice,rep:3 --showinfo --removebox='unkn'
(gdb) set logging on
(gdb) set logging file out.txt
(gdb) set logging redirect on
(gdb) break main
(gdb) run
(gdb) step
(gdb) print argc
(gdb) print argv
(gdb) continue
(gdb) info signals
(gdb) backtrace

GDB Reports:

(gdb) run
Starting program: /home/DumpTS/build/linux/DumpTS /home/DumpTS/fuzz_out2/default/crashes/id:000008,sig:11,src:000034+000066,time:416966,execs:118645,op:splice,rep:3 --showinfo --removebox=unkn
warning: Error disabling address space randomization: Operation not permitted
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
[13818-1] current PSI section failed do check-sum.
[13818-1] current PSI section failed do check-sum.
The PSI section data seems not to be enough.

Program received signal SIGSEGV, Segmentation fault.
0x00007f132bc67d4d in ftell () from /lib/x86_64-linux-gnu/libc.so.6
(gdb) continue 
Continuing.
AddressSanitizer:DEADLYSIGNAL
=================================================================
==707503==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f132bc67d4d bp 0x7ffcd94f18b0 sp 0x7ffcd94f13d0 T0)
==707503==The signal is caused by a READ memory access.
==707503==Hint: address points to the zero page.
[Detaching after fork from child process 709561]
    #0 0x7f132bc67d4d in _IO_ftell (/lib/x86_64-linux-gnu/libc.so.6+0x7fd4d) (BuildId: 962015aa9d133c6cbcfb31ec300596d7f44d3348)
    #1 0x55753fbff503  (/home/DumpTS/build/linux/DumpTS+0xe82503) (BuildId: b640c03d1d58bdf7)
    #2 0x55753fc36276  (/home/DumpTS/build/linux/DumpTS+0xeb9276) (BuildId: b640c03d1d58bdf7)
    #3 0x7f132bc11d8f  (/lib/x86_64-linux-gnu/libc.so.6+0x29d8f) (BuildId: 962015aa9d133c6cbcfb31ec300596d7f44d3348)
    #4 0x7f132bc11e3f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x29e3f) (BuildId: 962015aa9d133c6cbcfb31ec300596d7f44d3348)
    #5 0x55753f0fd324  (/home/DumpTS/build/linux/DumpTS+0x380324) (BuildId: b640c03d1d58bdf7)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/lib/x86_64-linux-gnu/libc.so.6+0x7fd4d) (BuildId: 962015aa9d133c6cbcfb31ec300596d7f44d3348) in _IO_ftell
==707503==ABORTING
[Inferior 1 (process 707503) exited with code 01]

and this is the command at the bug address:
image

Poc

Poc file is here

Fuzzer
Fuzzer is AFL.

CRC check of TLV/MMT stream

MMT-TLVassociation/DumpTS@c884656
(In crc.cpp, const uint8_t* is changed to uint8_t*.)

I added code to check CRC in DumpTS.

example:
DumpTS file.mmts --CID=1 --pid=0xF300 --output=e00301.hevc

If there is any CRC error in the TLV/MMT stream, a CRC false message is output.
I'll open a pull request if you are OK with it.

buffer-overflow in function PushTSBuf() at src/PayloadBuf.cpp:706

Describe:
A heap-buffer-overflow was discovered in DumpTS v0.1.0-nightly. The issue is being triggered in function PushTSBuf() at src/PayloadBuf.cpp:706. Attackers may exploit this vulnerability to execute and cause a DOS attack.

Reproduce:

Tested in Ubuntu 22.04
Compile the program with address sanitizer with this:
first add the command in makefile as follows:

image

Then:
gdb --args ./DumpTS /home/DumpTS/fuzz_out2/default/crashes/id:000003,sig:06,src:000015+000006,time:134707,execs:46267,op:splice,rep:11 --showinfo --removebox='unkn'
(gdb) set logging on
(gdb) set logging file out.txt
(gdb) set logging redirect on
(gdb) break main
(gdb) run
(gdb) step
(gdb) print argc
(gdb) print argv
(gdb) continue
(gdb) info signals
(gdb) backtrace

GDB Reports:

(gdb) backtrace 
#0  0x00007f29f214a03f in ?? () from /lib/x86_64-linux-gnu/libc.so.6
#1  0x0000557574249cdb in CPayloadBuf::PushTSBuf (this=0x557574c02520, idxTSPack=0, pBuf=0x7fffebdc3240 "", offStart=239 '\357', offEnd=192 '\300') at ../../src/PayloadBuf.cpp:706
#2  0x000055757433d8c6 in DumpOneStream () at ../../src/DumpStream.cpp:2884
#3  0x000055757435cd52 in main (argc=4, argv=0x7fffebdc4728) at ../../src/DumpTS.cpp:1312

and this is the command at the bug address:
image

Poc

Poc file is here

Fuzzer
Fuzzer is AFL.
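
The backtrace above shows offStart=239 and offEnd=192, an inverted range whose start also lies beyond a 188-byte TS packet. The following added example (not DumpTS code; `CheckedPayloadBuf`, its capacity and `unchecked_length` are hypothetical stand-ins) shows the checks that reject such offsets before any copy, and the length an unchecked subtraction would produce from them.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

constexpr size_t kTsPacketSize = 188;  // fixed MPEG-2 TS packet length

enum class Push { Ok, InvertedRange, OutsidePacket, BufferFull };

// Hypothetical stand-in for a payload accumulator; not DumpTS's CPayloadBuf.
class CheckedPayloadBuf {
public:
    explicit CheckedPayloadBuf(size_t capacity) : capacity_(capacity) {}

    // Append pkt[offStart, offEnd) only after validating both offsets.
    Push push(const uint8_t* pkt, uint8_t offStart, uint8_t offEnd) {
        if (offStart > offEnd) return Push::InvertedRange;       // length would go negative
        if (offEnd > kTsPacketSize) return Push::OutsidePacket;  // would read past the packet
        const size_t len = size_t(offEnd) - offStart;
        if (len > capacity_ - data_.size()) return Push::BufferFull;  // would overflow destination
        data_.insert(data_.end(), pkt + offStart, pkt + offEnd);
        return Push::Ok;
    }
    size_t size() const { return data_.size(); }

private:
    size_t capacity_;
    std::vector<uint8_t> data_;
};

// Length an unchecked "offEnd - offStart" yields once it is used as a size_t.
size_t unchecked_length(uint8_t offStart, uint8_t offEnd) {
    return static_cast<size_t>(offEnd - offStart);
}
```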

TLV packet (Japanese advanced BS broadcasting)

I'm using DumpTS to analyze packets of TLV/MMT stream captured from TV broadcasting by Japanese 4K broadcasting satellite.
The problem I noticed is, when "DumpTS 4kmmt.mmts --showpack", DumpTS stops at 14th packet by error "[MMT/TLV] TLV header should start with 0x7F at file position: %"

4kmmt.mmts (captured MMT/TLV stream) is here, https://mega.nz/#!Rk4ijArA!xryyLP3Joo9vFJGMeHc_W323FLf_Zo0XwUL8mjPWdxg

I've checked the problem in VS2019 debug mode, and found that "bs.curbits" is jumping much too far forward in bit position.
The value is 0x81b1fed0.

Can you look at this problem?

Error: "The PSI section data seems not to be enough."

Hello, I have a problem:
When I ran the TS file, it gave this error: The PSI section data seems not to be enough.
I tried other TS files and they worked normally; this file caused the problem.
Do you have any solution, or can you fix it? Thanks first

Null Pointer Dereference in function VerifyCommandLine () at src/DumpTS.cpp:388

Describe:

A Null Pointer Dereference was discovered in DumpTS v0.1.0-nightly. The issue is being triggered in function VerifyCommandLine () at src/DumpTS.cpp:388. Attackers may exploit this vulnerability to execute and cause a DOS attack.

Reproduce:

Tested in Ubuntu 22.04
Compile the program with address sanitizer with this:
first add the command in makefile as follows:

image

Then the PoC is given as the input of DumpTS; here is the command:
gdb --args ./DumpTS /home/DumpTS/fuzz_out3/default/crashes/id\:000000\,sig\:06\,src\:000011\,time\:52513\,execs\:23035\,op\:havoc\,rep\:16 --output=test1.mp4 --pid=0x1011 --showpts --destpid=0x1011
(gdb) break main
(gdb) run
(gdb) continue
(gdb) backtrace

GDB Reports:

(gdb) break main
Breakpoint 1 at 0x38e399: file ../../src/DumpTS.cpp, line 1126.
(gdb) run
Starting program: /home/DumpTS/bin/linux/DumpTS /home/DumpTS/fuzz_out3/default/crashes/id:000000,sig:06,src:000011,time:52513,execs:23035,op:havoc,rep:16 --output=test1.mp4 --pid=0x1011 --showpts --destpid=0x1011
warning: Error disabling address space randomization: Operation not permitted
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Breakpoint 1, main (argc=6, argv=0x7ffd185a24c8) at ../../src/DumpTS.cpp:1126
1126            int nDumpRet = 0;
(gdb) continue 
Continuing.

Program received signal SIGSEGV, Segmentation fault.
0x00007f85f9b7781e in ?? () from /lib/x86_64-linux-gnu/libc.so.6
(gdb) backtrace 
#0  0x00007f85f9b7781e in ?? () from /lib/x86_64-linux-gnu/libc.so.6
#1  0x00007f85f9e47bce in std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::compare(char const*) const ()
   from /lib/x86_64-linux-gnu/libstdc++.so.6
#2  0x000055c2e077c235 in VerifyCommandLine () at ../../src/DumpTS.cpp:388
#3  0x000055c2e0781433 in main (argc=6, argv=0x7ffd185a24c8) at ../../src/DumpTS.cpp:1157

and this is the code at the bug address:
image

Poc

Poc file is here

Fuzzer
Fuzzer is AFL.
