Created
October 17, 2022 17:11
-
-
Save uintdev/ecc3c2bdd4f05ce718d46554ee935892 to your computer and use it in GitHub Desktop.
VLC 3.x vlc_tick_to_str() buffer out-of-bounds read
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
/* | |
// VLC 3.x vlc_tick_to_str() (previously secstotimestr()) out-of-bounds read bug demo | |
// ./src/misc/mtime.c | |
// | |
// This is to illustrate an existing bug in VLC 3 builds. | |
// VLC 4 is not affected. Despite having similar code, it might have protections in place elsewhere. | |
// | |
// The large number of seconds from the selected media would be passed onto the unary minus operator. | |
// For context, int32_t is 32-bit signed integer. The given number exceeds the maximum. | |
// The unary minus operator has undefined behaviour when passing overflowing numbers, | |
// of which causes it to do.. well, nothing. | |
// As the unary minus operator would do nothing, the number remains in the negatives, | |
// always passing the 'if seconds lower than zero' check and continuously looping as it goes through memory. | |
// Eventually, this goes outside the buffer it should be reading from. This essentially results | |
// in a buffer out-of-bounds read. In VLC's case, it would eventually crash due to a memory access violation. | |
*/ | |
#include <stdio.h> | |
#include <stdlib.h> | |
int loops = 0; | |
char *vlc_tick_to_str( char *psz_buffer, int32_t i_seconds ) | |
{ | |
printf("%s\n", "-------- vlc_tick_to_str() exec --------"); | |
printf("Loops: %i\n", loops); | |
printf("Seconds while executing function: %d\n", i_seconds); | |
printf("Buffer output while executing function: %s\n", psz_buffer); | |
++loops; | |
if ( i_seconds < 0 ) | |
{ | |
printf("%s\n", "-------- i_seconds < 0 --------"); | |
printf("Pre-seconds: %d\n", i_seconds); | |
printf("Pre-buffer output: %s\n", psz_buffer); | |
vlc_tick_to_str( psz_buffer + 1, -i_seconds ); | |
*psz_buffer = '-'; | |
printf("Post-seconds: %d\n", i_seconds); | |
printf("Post-buffer output: %s\n", psz_buffer); | |
printf("%s\n", "-------------------------------"); | |
return psz_buffer; | |
} | |
printf("%s", "Passed block!\n"); | |
printf("Passed buffer output: %s\n", psz_buffer); | |
printf("%s\n", "-------------------------------"); | |
return psz_buffer; | |
} | |
int main() | |
{ | |
char ptz[22]; | |
int32_t seconds = 2147483648; | |
//printf("%i :: %i\n", seconds, -seconds); | |
vlc_tick_to_str(ptz, seconds); | |
return 0; | |
} |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment