@henices
Last active January 8, 2021 01:24
[CVE ID]
CVE-2020-26664
[PRODUCT]
VLC is a free and open source cross-platform multimedia player and framework that plays most multimedia files as well as DVDs, Audio CDs, VCDs, and various streaming protocols.
[AFFECTED VERSION]
VLC media player 3.0.11 and earlier versions.
[PROBLEM TYPE]
heap-buffer-overflow read
[DESCRIPTION]
A vulnerability in EbmlTypeDispatcher::send in VideoLAN VLC media player 3.0.11 allows attackers to trigger a heap-based buffer overflow via a crafted .mkv file.
[TECHNICAL DETAILS]
VLC media player uses libmatroska and libebml to demux .mkv files. VLC media player crashes while processing a crafted .mkv file; the cause is a heap buffer overflow, an out-of-bounds read of 8 bytes.
./vlc -I dummy --play-and-exit tests_3e73513ca249c376fae82ca19b2c62a3e500f68e
VLC media player 4.0.0-dev Otto Chriek (revision 33226d2)
[000060600007c3a0] dummy interface: using the dummy interface module...
=================================================================
==3816222==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200003e8b0 at pc 0x7f1e81a15b3f bp 0x7f1e84955170 sp 0x7f1e84955168
READ of size 8 at 0x60200003e8b0 thread T5
[000061100009b900] mkv demux error: No tracks supported
#0 0x7f1e81a15b3e in (anonymous namespace)::EbmlTypeDispatcher::send(libebml::EbmlElement* const&, void*) const /home/henices/tests/vlc-code/modules/demux/mkv/Ebml_dispatcher.hpp:74:14
#1 0x7f1e81998aa6 in void (anonymous namespace)::Dispatcher<(anonymous namespace)::EbmlTypeDispatcher, void (*)(libebml::EbmlElement*, void*)>::iterate<__gnu_cxx::__normal_iterator<libebml::EbmlElement**, std::vector<libebml::EbmlElement*, std::allocator<libebml::EbmlElement*> > > >(__gnu_cxx::__normal_iterator<libebml::EbmlElement**, std::vector<libebml::EbmlElement*, std::allocator<libebml::EbmlElement*> > >, __gnu_cxx::__normal_iterator<libebml::EbmlElement**, std::vector<libebml::EbmlElement*, std::allocator<libebml::EbmlElement*> > >, void* const&) const /home/henices/tests/vlc-code/modules/demux/mkv/dispatcher.hpp:44:50
#2 0x7f1e8199853f in mkv::matroska_segment_c::ParseTracks(libmatroska::KaxTracks*) /home/henices/tests/vlc-code/modules/demux/mkv/matroska_segment_parse.cpp:1099:33
#3 0x7f1e81956cb0 in mkv::matroska_segment_c::LoadSeekHeadItem(libebml::EbmlCallbacks const&, long) /home/henices/tests/vlc-code/modules/demux/mkv/matroska_segment.cpp:737:13
#4 0x7f1e819942ac in mkv::matroska_segment_c::ParseSeekHead(libmatroska::KaxSeekHead*) /home/henices/tests/vlc-code/modules/demux/mkv/matroska_segment_parse.cpp:170:21
#5 0x7f1e8194f68f in mkv::matroska_segment_c::Preload() /home/henices/tests/vlc-code/modules/demux/mkv/matroska_segment.cpp:590:17
#6 0x7f1e81a4e53d in mkv::demux_sys_t::AnalyseAllSegmentsFound(stream_t*, mkv::matroska_stream_c*) /home/henices/tests/vlc-code/modules/demux/mkv/demux.cpp:109:25
#7 0x7f1e81b0c04e in mkv::Open(vlc_object_t*) /home/henices/tests/vlc-code/modules/demux/mkv/mkv.cpp:136:17
#8 0x7f1e9ff230ec in demux_Probe /home/henices/tests/vlc-code/src/input/demux.c:180:15
#9 0x7f1e9fe8c318 in module_load /home/henices/tests/vlc-code/src/modules/modules.c:212:15
#10 0x7f1e9fe8b01b in vlc_module_load /home/henices/tests/vlc-code/src/modules/modules.c:265:19
#11 0x7f1e9ff224ad in demux_NewAdvanced /home/henices/tests/vlc-code/src/input/demux.c:248:20
#12 0x7f1e9ff9be92 in InputDemuxNew /home/henices/tests/vlc-code/src/input/input.c:2519:22
#13 0x7f1e9ff92187 in InputSourceInit /home/henices/tests/vlc-code/src/input/input.c:2653:27
#14 0x7f1e9ff8c9ba in Init /home/henices/tests/vlc-code/src/input/input.c:1282:15
#15 0x7f1e9ff878c7 in Preparse /home/henices/tests/vlc-code/src/input/input.c:495:10
#16 0x7f1e9fa9e431 in start_thread (/lib64/libpthread.so.0+0x9431)
#17 0x7f1e9f99d912 in clone (/lib64/libc.so.6+0x101912)
0x60200003e8b2 is located 0 bytes to the right of 2-byte region [0x60200003e8b0,0x60200003e8b2)
allocated by thread T5 here:
#0 0x497b5d in malloc /tmp/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:145:3
#1 0x7f1e818815b7 in libebml::EbmlBinary::ReadData(libebml::IOCallback&, libebml::ScopeMode) (/lib64/libebml.so.5+0xf5b7)
Thread T5 created by T4 here:
#0 0x481f2a in pthread_create /tmp/llvm-project/compiler-rt/lib/asan/asan_interceptors.cpp:214:3
#1 0x7f1ea0194a6e in vlc_clone_attr /home/henices/tests/vlc-code/src/posix/thread.c:208:11
#2 0x7f1ea01946e4 in vlc_clone /home/henices/tests/vlc-code/src/posix/thread.c:221:12
#3 0x7f1e9ff87429 in input_Start /home/henices/tests/vlc-code/src/input/input.c:178:25
#4 0x7f1e9feedbb9 in input_item_Parse /home/henices/tests/vlc-code/src/input/item.c:1416:27
#5 0x7f1e9fedae6a in PreparserOpenInput /home/henices/tests/vlc-code/src/preparser/preparser.c:136:20
#6 0x7f1ea010bdfe in Thread /home/henices/tests/vlc-code/src/misc/background_worker.c:231:13
#7 0x7f1e9fa9e431 in start_thread (/lib64/libpthread.so.0+0x9431)
Thread T4 created by T0 here:
#0 0x481f2a in pthread_create /tmp/llvm-project/compiler-rt/lib/asan/asan_interceptors.cpp:214:3
#1 0x7f1ea0194a6e in vlc_clone_attr /home/henices/tests/vlc-code/src/posix/thread.c:208:11
#2 0x7f1ea0194faa in vlc_clone_detach /home/henices/tests/vlc-code/src/posix/thread.c:262:12
#3 0x7f1ea010a491 in SpawnThread /home/henices/tests/vlc-code/src/misc/background_worker.c:274:9
#4 0x7f1ea0109f6a in background_worker_Push /home/henices/tests/vlc-code/src/misc/background_worker.c:302:9
#5 0x7f1e9fedbefc in input_preparser_Push /home/henices/tests/vlc-code/src/preparser/preparser.c:293:9
#6 0x7f1e9fe2117a in vlc_MetadataRequest /home/henices/tests/vlc-code/src/libvlc.c:464:5
#7 0x7f1e9fec3373 in vlc_playlist_Preparse /home/henices/tests/vlc-code/src/playlist/preparse.c:123:5
#8 0x7f1e9fec3484 in vlc_playlist_AutoPreparse /home/henices/tests/vlc-code/src/playlist/preparse.c:134:9
#9 0x7f1e9feb2f4b in vlc_playlist_ItemsInserted /home/henices/tests/vlc-code/src/playlist/content.c:82:9
#10 0x7f1e9feb1d6c in vlc_playlist_Insert /home/henices/tests/vlc-code/src/playlist/content.c:285:5
#11 0x7f1e9feae7ed in vlc_playlist_InsertOne /home/henices/tests/vlc-code/src/../include/vlc_playlist.h:458:12
#12 0x7f1e9feae65f in intf_InsertItem /home/henices/tests/vlc-code/src/interface/interface.c:218:19
#13 0x7f1e9fe20ec4 in GetFilenames /home/henices/tests/vlc-code/src/libvlc.c:446:9
#14 0x7f1e9fe1f6b0 in libvlc_InternalInit /home/henices/tests/vlc-code/src/libvlc.c:302:5
#15 0x7f1ea0387532 in libvlc_new /home/henices/tests/vlc-code/lib/core.c:56:9
#16 0x4c7fca in main /home/henices/tests/vlc-code/bin/vlc.c:229:30
#17 0x7f1e9f8c3041 in __libc_start_main (/lib64/libc.so.6+0x27041)
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/henices/tests/vlc-code/modules/demux/mkv/Ebml_dispatcher.hpp:74:14 in (anonymous namespace)::EbmlTypeDispatcher::send(libebml::EbmlElement* const&, void*) const
Shadow bytes around the buggy address:
==3816222==ABORTING
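The defect class the report points at, modelled as an added illustration (not VLC's, libebml's or the fix commit's code): a handler that copies 8 bytes out of an EBML binary element whose declared size is only 2, beside the size-checked version that rejects the element instead. BinaryElement, read_u64_unchecked, read_u64_checked, dispatch_checked and sample_elements are hypothetical names, and the sample bytes are constructed.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <optional>
#include <vector>

// Constructed model of an EBML binary element after the library has read it:
// the payload buffer is allocated to exactly the size the file declared, and
// that size is attacker controlled (illustration only; not VLC's or libebml's types).
struct BinaryElement {
    std::vector<uint8_t> payload;
};

// Vulnerable pattern (hypothetical): the handler assumes the element carries a
// 64-bit value and copies 8 bytes without consulting the element's size. On a
// 2-byte payload this is an 8-byte read past the end of the heap allocation,
// the shape of the ASan report above. Never call it on a short element.
uint64_t read_u64_unchecked(const BinaryElement &e) {
    uint64_t v;
    std::memcpy(&v, e.payload.data(), sizeof v);
    return v;
}

// Hardened pattern: compare the declared size with what the handler needs
// before touching the payload, and refuse the element when it is too short.
std::optional<uint64_t> read_u64_checked(const BinaryElement &e) {
    if (e.payload.size() < sizeof(uint64_t))
        return std::nullopt;
    uint64_t v;
    std::memcpy(&v, e.payload.data(), sizeof v);  // host byte order; not the point here
    return v;
}

// Runs the hardened handler over the elements of a track entry the way a
// dispatcher would. Accepted values go to `out`; returns how many were rejected.
size_t dispatch_checked(const std::vector<BinaryElement> &elems,
                        std::vector<uint64_t> &out) {
    size_t rejected = 0;
    for (const auto &e : elems) {
        if (auto v = read_u64_checked(e)) out.push_back(*v);
        else ++rejected;
    }
    return rejected;
}

// Constructed sample: one well-formed 8-byte element and one 2-byte element
// like the one the crashing file carries (2-byte region, 8-byte read).
std::vector<BinaryElement> sample_elements() {
    return { BinaryElement{{7, 7, 7, 7, 7, 7, 7, 7}},
             BinaryElement{{0x41, 0x42}} };
}
```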
[Reporter]
Zhen Zhou of NSFOCUS Security Team
[Solution]
Update VLC media player to 3.0.12 or a newer version.
[References]
http://www.videolan.org/
http://git.videolan.org/?p=vlc.git
https://code.videolan.org/videolan/vlc-3.0/-/commit/ec1f55ee9ace5cc675395a1bc9700d99679e7e8c
[Disclosure Timeline]
2020-09-17 - Issue reported to vendor
2020-09-17 - Vendor responded and confirmed the issue
2020-09-18 - Vendor fixed the issue
2020-12-16 - Vendor tagged the version 3.0.12
2020-12-31 - CVE Team RESERVED CVE-2020-26664 for this issue
2021-01-08 - Public Release