uintdev/vlc_tts_buffer_oob_read_demo.cpp

## vlc_tts_buffer_oob_read_demo.cpp
/*
// VLC 3.x vlc_tick_to_str() (previously secstotimestr()) out-of-bounds read bug demo
// ./src/misc/mtime.c
//
// This is to illustrate an existing bug in VLC 3 builds.
// VLC 4 is not affected. Despite having similar code, it might have protections in place elsewhere.
//
// The large number of seconds from the selected media would be passed onto the unary minus operator.
// For context, int32_t is 32-bit signed integer. The given number exceeds the maximum.
// The unary minus operator has undefined behaviour when passing overflowing numbers,
// of which causes it to do.. well, nothing.
// As the unary minus operator would do nothing, the number remains in the negatives,
// always passing the 'if seconds lower than zero' check and continuously looping as it goes through memory.
// Eventually, this goes outside the buffer it should be reading from. This essentially results
// in a buffer out-of-bounds read. In VLC's case, it would eventually crash due to a memory access violation.
*/

#include <stdio.h>
#include <stdlib.h>

int loops = 0;

char *vlc_tick_to_str( char *psz_buffer, int32_t i_seconds )
{
    printf("%s\n", "-------- vlc_tick_to_str() exec --------");
    printf("Loops: %i\n", loops);
    printf("Seconds while executing function: %d\n", i_seconds);
    printf("Buffer output while executing function: %s\n", psz_buffer);
    ++loops;

    if ( i_seconds < 0 )
    {
        printf("%s\n", "-------- i_seconds < 0 --------");
        printf("Pre-seconds: %d\n", i_seconds);
        printf("Pre-buffer output: %s\n", psz_buffer);

        vlc_tick_to_str( psz_buffer + 1, -i_seconds );
        *psz_buffer = '-';

        printf("Post-seconds: %d\n", i_seconds);
        printf("Post-buffer output: %s\n", psz_buffer);
        printf("%s\n", "-------------------------------");
        return psz_buffer;
    }

    printf("%s", "Passed block!\n");
    printf("Passed buffer output: %s\n", psz_buffer);
    printf("%s\n", "-------------------------------");

    return psz_buffer;
}

int main()
{
    char ptz[22];
    int32_t seconds = 2147483648;

    //printf("%i :: %i\n", seconds, -seconds);

    vlc_tick_to_str(ptz, seconds);

    return 0;
}
	/*
	// VLC 3.x vlc_tick_to_str() (previously secstotimestr()) out-of-bounds read bug demo
	// ./src/misc/mtime.c
	//
	// This is to illustrate an existing bug in VLC 3 builds.
	// VLC 4 is not affected. Despite having similar code, it might have protections in place elsewhere.
	//
	// The large number of seconds from the selected media would be passed onto the unary minus operator.
	// For context, int32_t is 32-bit signed integer. The given number exceeds the maximum.
	// The unary minus operator has undefined behaviour when passing overflowing numbers,
	// of which causes it to do.. well, nothing.
	// As the unary minus operator would do nothing, the number remains in the negatives,
	// always passing the 'if seconds lower than zero' check and continuously looping as it goes through memory.
	// Eventually, this goes outside the buffer it should be reading from. This essentially results
	// in a buffer out-of-bounds read. In VLC's case, it would eventually crash due to a memory access violation.
	*/

	#include <stdio.h>
	#include <stdlib.h>

	int loops = 0;

	char vlc_tick_to_str( char psz_buffer, int32_t i_seconds )
	{
	printf("%s\n", "-------- vlc_tick_to_str() exec --------");
	printf("Loops: %i\n", loops);
	printf("Seconds while executing function: %d\n", i_seconds);
	printf("Buffer output while executing function: %s\n", psz_buffer);
	++loops;

	if ( i_seconds < 0 )
	{
	printf("%s\n", "-------- i_seconds < 0 --------");
	printf("Pre-seconds: %d\n", i_seconds);
	printf("Pre-buffer output: %s\n", psz_buffer);

	vlc_tick_to_str( psz_buffer + 1, -i_seconds );
	*psz_buffer = '-';

	printf("Post-seconds: %d\n", i_seconds);
	printf("Post-buffer output: %s\n", psz_buffer);
	printf("%s\n", "-------------------------------");
	return psz_buffer;
	}

	printf("%s", "Passed block!\n");
	printf("Passed buffer output: %s\n", psz_buffer);
	printf("%s\n", "-------------------------------");

	return psz_buffer;
	}

	int main()
	{
	char ptz[22];
	int32_t seconds = 2147483648;

	//printf("%i :: %i\n", seconds, -seconds);

	vlc_tick_to_str(ptz, seconds);

	return 0;
	}