
Re: [FD] libquicktime multiple vulnerabilities



> On Jun 7, 2017, at 4:43 AM, qflb.wu <qflb.wu@xxxxxxxxxxxxxxxxxxxx> wrote:
> 
> libquicktime multiple vulnerabilities
> 
> 
> ================
> Author: qflb.wu
> ================
> 
> 
> Introduction:
> =============
> The libquicktime package contains the libquicktime library, various plugins 
> and codecs, along with graphical and command line utilities used for encoding 
> and decoding QuickTime files. This is useful for reading and writing files in 
> the QuickTime format. The goal of the project is to enhance, while providing 
> compatibility with the Quicktime 4 Linux library.
> 
> 
> Affected version:
> =================
> 1.2.4
> 
> 
> Vulnerability Description:
> ==========================
> ##################################
> 1.
> The quicktime_read_moov function in moov.c in libquicktime 1.2.4 can cause a 
> denial of service (infinite loop and CPU consumption) via a crafted mp4 file.
> 
> 
> ./lqtplay libquicktime_1.2.4_quicktime_read_moov_infinite_loop.mp4
> 
> 
> POC:
> libquicktime_1.2.4_quicktime_read_moov_infinite_loop.mp4
> CVE:
> CVE-2017-9122
> 
> 
> ###################################
> 2.
> The lqt_frame_duration function in lqt_quicktime.c in libquicktime 1.2.4 can 
> cause a denial of service (invalid memory read and application crash) via a 
> crafted mp4 file.
> 
> 
> ./lqtplay libquicktime_1.2.4_lqt_frame_duration_invalid_memory_read.mp4
> 
> 
> ASAN:SIGSEGV
> =================================================================
> ==14254==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000004 (pc 
> 0x7f31e6ae7185 sp 0x7ffed033a270 bp 0x0000006bdb50 T0)
> ==14254==WARNING: Trying to symbolize code, but external symbolizer is not 
> initialized!
>   #0 0x7f31e6ae7184 (/usr/local/lib/libquicktime.so.0+0x6c184)
>   #1 0x49b1c6 
> (/home/a/Downloads/libquicktime-1.2.4/utils/.libs/lqtplay+0x49b1c6)
>   #2 0x47fbaa 
> (/home/a/Downloads/libquicktime-1.2.4/utils/.libs/lqtplay+0x47fbaa)
>   #3 0x7f31e43b2ec4 (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)
>   #4 0x47f3dc 
> (/home/a/Downloads/libquicktime-1.2.4/utils/.libs/lqtplay+0x47f3dc)
> 

When providing ASAN stack traces like this, please also set 
ASAN_SYMBOLIZER_PATH so that these hex addresses are resolved to the plain text 
function names. It makes these much easier to read and grok.

> 
> AddressSanitizer can not provide additional info.
> SUMMARY: AddressSanitizer: SEGV ??:0 ??
> ==14254==ABORTING
> 
> 
> debug info:
> Program received signal SIGSEGV, Segmentation fault.
> ...
> Stopped reason: SIGSEGV
> 0x00007ffff7829185 in lqt_frame_duration (file=<optimized out>, 
> track=<optimized out>,
>   constant=<optimized out>) at lqt_quicktime.c:1242
> 1242  return
> 
> 
> POC:
> libquicktime_1.2.4_lqt_frame_duration_invalid_memory_read.mp4
> CVE:
> CVE-2017-9123
> 
> 
> ###################################
> 3.
> The quicktime_match_32 function in util.c in libquicktime 1.2.4 can cause a denial of 
> service (NULL pointer dereference and application crash) via a crafted mp4 
> file.
> 
> 
> ./lqtplay libquicktime_1.2.4_quicktime_match_32_NULL_pointer_dereference.mp4
> 
> 
> ASAN:SIGSEGV
> =================================================================
> ==14359==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 
> 0x7fe8af6b85d8 sp 0x7fff490cd4e0 bp 0x7fff490cd5b0 T0)
> ==14359==WARNING: Trying to symbolize code, but external symbolizer is not 
> initialized!
>   #0 0x7fe8af6b85d7 (/usr/local/lib/libquicktime.so.0+0x3605d7)
>   #1 0x7fe8af68b566 (/usr/local/lib/libquicktime.so.0+0x333566)
>   #2 0x7fe8af63c71a (/usr/local/lib/libquicktime.so.0+0x2e471a)
>   #3 0x7fe8af3d1658 (/usr/local/lib/libquicktime.so.0+0x79658)
>   #4 0x7fe8af3d84a8 (/usr/local/lib/libquicktime.so.0+0x804a8)
>   #5 0x7fe8af3a95da (/usr/local/lib/libquicktime.so.0+0x515da)
>   #6 0x47fad2 
> (/home/a/Downloads/libquicktime-1.2.4/utils/.libs/lqtplay+0x47fad2)
>   #7 0x7fe8acc8fec4 (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)
>   #8 0x47f3dc 
> (/home/a/Downloads/libquicktime-1.2.4/utils/.libs/lqtplay+0x47f3dc)
> 
> 
> AddressSanitizer can not provide additional info.
> SUMMARY: AddressSanitizer: SEGV ??:0 ??
> ==14359==ABORTING
> 
> 
> debug info:
> Program received signal SIGSEGV, Segmentation fault.
> Stopped reason: SIGSEGV
> 0x00007ffff7b1d5d8 in quicktime_match_32 (_input=<optimized out>,
>   _output=<optimized out>) at util.c:874
> 874  if(input[0] == output[0] &&
> 
> 
> POC:
> libquicktime_1.2.4_quicktime_match_32_NULL_pointer_dereference.mp4
> CVE:
> CVE-2017-9124
> 
> 
> ###################################
> 4.
> The lqt_frame_duration function in lqt_quicktime.c in libquicktime 1.2.4 can 
> cause a denial of service (heap-buffer-overflow) via a crafted mp4 file.
> 
> 
> ./lqtplay libquicktime_1.2.4_lqt_frame_duration_heap-buffer-overflow.mp4
> 
> 
> =================================================================
> ==40038==ERROR: AddressSanitizer: heap-buffer-overflow on address 
> 0x602000009cd4 at pc 0x7f28959fc45f bp 0x7ffefd561530 sp 0x7ffefd561528
> READ of size 4 at 0x602000009cd4 thread T0
>   #0 0x7f28959fc45e in lqt_frame_duration 
> /home/a/Downloads/libquicktime-1.2.4/src/lqt_quicktime.c:1242
>   #1 0x49b1c6 in quicktime_print_info 
> /home/a/Downloads/libquicktime-1.2.4/utils/common.c:138
>   #2 0x47fbaa in qt_init 
> /home/a/Downloads/libquicktime-1.2.4/utils/lqtplay.c:996
>   #3 0x47fbaa in main 
> /home/a/Downloads/libquicktime-1.2.4/utils/lqtplay.c:1852
>   #4 0x7f28932c7ec4 (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)
>   #5 0x47f3dc in _start 
> (/home/a/Downloads/libquicktime-1.2.4/utils/.libs/lqtplay+0x47f3dc)
> 
> 
> 0x602000009cd4 is located 3 bytes to the right of 1-byte region 
> [0x602000009cd0,0x602000009cd1)
> allocated by thread T0 here:
>   #0 0x4692f9 in malloc 
> (/home/a/Downloads/libquicktime-1.2.4/utils/.libs/lqtplay+0x4692f9)
>   #1 0x7f2895cad7d0 in quicktime_read_stts 
> /home/a/Downloads/libquicktime-1.2.4/src/stts.c:115
> 
> 
> SUMMARY: AddressSanitizer: heap-buffer-overflow 
> /home/a/Downloads/libquicktime-1.2.4/src/lqt_quicktime.c:1242 
> lqt_frame_duration
> ==40038==ABORTING
> 
> 
> POC:
> libquicktime_1.2.4_lqt_frame_duration_heap-buffer-overflow.mp4
> CVE:
> CVE-2017-9125
> 
> 
> ###################################
> 5.
> The quicktime_read_dref_table function in dref.c in libquicktime 1.2.4 can 
> cause a denial of service (heap-buffer-overflow and application crash) via a 
> crafted mp4 file.
> 
> 
> ./lqtplay 
> libquicktime_1.2.4_quicktime_read_dref_table_heap-buffer-overflow.mp4
> 
> 
> =================================================================
> ==41637==ERROR: AddressSanitizer: heap-buffer-overflow on address 
> 0x602000009ce4 at pc 0x7f9cb9ad16e7 bp 0x7ffcf9a1e720 sp 0x7ffcf9a1e718
> WRITE of size 1 at 0x602000009ce4 thread T0
>   #0 0x7f9cb9ad16e6 in quicktime_read_dref_table 
> /home/a/Downloads/libquicktime-1.2.4/src/dref.c:69
>   #1 0x7f9cb9ad3bdd in quicktime_read_dref 
> /home/a/Downloads/libquicktime-1.2.4/src/dref.c:147
>   #2 0x7f9cb9ad0388 in quicktime_read_dinf 
> /home/a/Downloads/libquicktime-1.2.4/src/dinf.c:56
>   #3 0x7f9cb9afdf09 in quicktime_read_minf 
> /home/a/Downloads/libquicktime-1.2.4/src/minf.c:220
>   #4 0x7f9cb9afaa9e in quicktime_read_mdia 
> /home/a/Downloads/libquicktime-1.2.4/src/mdia.c:155
>   #5 0x7f9cb9b4ff1e in quicktime_read_trak 
> /home/a/Downloads/libquicktime-1.2.4/src/trak.c:247
>   #6 0x7f9cb9b0172a in quicktime_read_moov 
> /home/a/Downloads/libquicktime-1.2.4/src/moov.c:221
>   #7 0x7f9cb9896658 in quicktime_read_info 
> /home/a/Downloads/libquicktime-1.2.4/src/lqt_quicktime.c:1791
>   #8 0x7f9cb989d4a8 in do_open 
> /home/a/Downloads/libquicktime-1.2.4/src/lqt_quicktime.c:2026
>   #9 0x7f9cb986e5da in quicktime_open 
> /home/a/Downloads/libquicktime-1.2.4/src/lqt_quicktime.c:2075
>   #10 0x47fad2 in qt_init 
> /home/a/Downloads/libquicktime-1.2.4/utils/lqtplay.c:987
>   #11 0x47fad2 in main 
> /home/a/Downloads/libquicktime-1.2.4/utils/lqtplay.c:1852
>   #12 0x7f9cb7154ec4 (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)
>   #13 0x47f3dc in _start 
> (/home/a/Downloads/libquicktime-1.2.4/utils/.libs/lqtplay+0x47f3dc)
> 
> 
> 0x602000009ce4 is located 12 bytes to the left of 1-byte region 
> [0x602000009cf0,0x602000009cf1)
> allocated by thread T0 here:
>   #0 0x4692f9 in malloc 
> (/home/a/Downloads/libquicktime-1.2.4/utils/.libs/lqtplay+0x4692f9)
>   #1 0x7f9cb9ad13ba in quicktime_read_dref_table 
> /home/a/Downloads/libquicktime-1.2.4/src/dref.c:66
> 
> 
> SUMMARY: AddressSanitizer: heap-buffer-overflow 
> /home/a/Downloads/libquicktime-1.2.4/src/dref.c:69 quicktime_read_dref_table
> ==41637==ABORTING
> 
> 
> POC:
> libquicktime_1.2.4_quicktime_read_dref_table_heap-buffer-overflow.mp4
> CVE:
> CVE-2017-9126
> 
> 
> ###################################
> 6.
> The quicktime_user_atoms_read_atom function in useratoms.c in libquicktime 
> 1.2.4 can cause a denial of service (heap-buffer-overflow and application 
> crash) via a crafted mp4 file.
> 
> 
> ./lqtplay 
> libquicktime_1.2.4_quicktime_user_atoms_read_atom_heap-buffer-overflow.mp4
> 
> 
> =================================================================
> ==41642==ERROR: AddressSanitizer: heap-buffer-overflow on address 
> 0x602000009cb1 at pc 0x7f3aa15d47f3 bp 0x7ffc98430d00 sp 0x7ffc98430cf8
> WRITE of size 1 at 0x602000009cb1 thread T0
>   #0 0x7f3aa15d47f2 in quicktime_user_atoms_read_atom 
> /home/a/Downloads/libquicktime-1.2.4/src/useratoms.c:84
>   #1 0x7f3aa1590bd8 in quicktime_read_stsd_video 
> /home/a/Downloads/libquicktime-1.2.4/src/stsdtable.c:557
>   #2 0x7f3aa1594eb8 in quicktime_read_stsd_table 
> /home/a/Downloads/libquicktime-1.2.4/src/stsdtable.c:694
>   #3 0x7f3aa158bd4d in quicktime_finalize_stsd 
> /home/a/Downloads/libquicktime-1.2.4/src/stsd.c:336
>   #4 0x7f3aa1566147 in quicktime_read_minf 
> /home/a/Downloads/libquicktime-1.2.4/src/minf.c:231
>   #5 0x7f3aa1562a9e in quicktime_read_mdia 
> /home/a/Downloads/libquicktime-1.2.4/src/mdia.c:155
>   #6 0x7f3aa15b7f1e in quicktime_read_trak 
> /home/a/Downloads/libquicktime-1.2.4/src/trak.c:247
>   #7 0x7f3aa156972a in quicktime_read_moov 
> /home/a/Downloads/libquicktime-1.2.4/src/moov.c:221
>   #8 0x7f3aa12fe658 in quicktime_read_info 
> /home/a/Downloads/libquicktime-1.2.4/src/lqt_quicktime.c:1791
>   #9 0x7f3aa13054a8 in do_open 
> /home/a/Downloads/libquicktime-1.2.4/src/lqt_quicktime.c:2026
>   #10 0x7f3aa12d65da in quicktime_open 
> /home/a/Downloads/libquicktime-1.2.4/src/lqt_quicktime.c:2075
>   #11 0x47fad2 in qt_init 
> /home/a/Downloads/libquicktime-1.2.4/utils/lqtplay.c:987
>   #12 0x47fad2 in main 
> /home/a/Downloads/libquicktime-1.2.4/utils/lqtplay.c:1852
>   #13 0x7f3a9ebbcec4 (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)
>   #14 0x47f3dc in _start 
> (/home/a/Downloads/libquicktime-1.2.4/utils/.libs/lqtplay+0x47f3dc)
> 
> 
> 0x602000009cb1 is located 0 bytes to the right of 1-byte region 
> [0x602000009cb0,0x602000009cb1)
> allocated by thread T0 here:
>   #0 0x4692f9 in malloc 
> (/home/a/Downloads/libquicktime-1.2.4/utils/.libs/lqtplay+0x4692f9)
>   #1 0x7f3aa15d451a in quicktime_user_atoms_read_atom 
> /home/a/Downloads/libquicktime-1.2.4/src/useratoms.c:81
> 
> 
> SUMMARY: AddressSanitizer: heap-buffer-overflow 
> /home/a/Downloads/libquicktime-1.2.4/src/useratoms.c:84 
> quicktime_user_atoms_read_atom
> ==41642==ABORTING
> 
> 
> POC:
> libquicktime_1.2.4_quicktime_user_atoms_read_atom_heap-buffer-overflow.mp4
> CVE:
> CVE-2017-9127
> 
> 
> ###################################
> 7.
> The quicktime_video_width function in lqt_quicktime.c in libquicktime 1.2.4 
> can cause a denial of service (heap-buffer-overflow and application crash) via 
> a crafted mp4 file.
> 
> 
> ./lqtplay libquicktime_1.2.4_quicktime_video_width_heap-buffer-overflow.mp4
> 
> 
> =================================================================
> ==10979==ERROR: AddressSanitizer: heap-buffer-overflow on address 
> 0x602000009d00 at pc 0x7f36a1017a37 bp 0x7ffe65a90010 sp 0x7ffe65a90008
> READ of size 4 at 0x602000009d00 thread T0
>   #0 0x7f36a1017a36 in quicktime_video_width 
> /home/a/Downloads/libquicktime-1.2.4/src/lqt_quicktime.c:998
>   #1 0x7f36a1017a36 in quicktime_init_maps 
> /home/a/Downloads/libquicktime-1.2.4/src/lqt_quicktime.c:1633
>   #2 0x7f36a101af13 in quicktime_read_info 
> /home/a/Downloads/libquicktime-1.2.4/src/lqt_quicktime.c:1891
>   #3 0x7f36a10204a8 in do_open 
> /home/a/Downloads/libquicktime-1.2.4/src/lqt_quicktime.c:2026
>   #4 0x7f36a0ff15da in quicktime_open 
> /home/a/Downloads/libquicktime-1.2.4/src/lqt_quicktime.c:2075
>   #5 0x47fad2 in qt_init 
> /home/a/Downloads/libquicktime-1.2.4/utils/lqtplay.c:987
>   #6 0x47fad2 in main 
> /home/a/Downloads/libquicktime-1.2.4/utils/lqtplay.c:1852
>   #7 0x7f369e8d7ec4 (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)
>   #8 0x47f3dc in _start 
> (/home/a/Downloads/libquicktime-1.2.4/utils/.libs/lqtplay+0x47f3dc)
> 
> 
> 0x602000009d00 is located 4 bytes to the right of 12-byte region 
> [0x602000009cf0,0x602000009cfc)
> allocated by thread T0 here:
>   #0 0x4692f9 in malloc 
> (/home/a/Downloads/libquicktime-1.2.4/utils/.libs/lqtplay+0x4692f9)
>   #1 0x7f36a12543ba in quicktime_read_dref_table 
> /home/a/Downloads/libquicktime-1.2.4/src/dref.c:66
> 
> 
> SUMMARY: AddressSanitizer: heap-buffer-overflow 
> /home/a/Downloads/libquicktime-1.2.4/src/lqt_quicktime.c:998 
> quicktime_video_width
> ==10979==ABORTING
> 
> 
> POC:
> libquicktime_1.2.4_quicktime_video_width_heap-buffer-overflow.mp4
> CVE:
> CVE-2017-9128
> 
> 
> 
> 
> =================================
> 
> 
> qflb.wu () dbappsecurity com cn
> 
> 
> 
> 
> 
> _______________________________________________
> Sent through the Full Disclosure mailing list
> https://nmap.org/mailman/listinfo/fulldisclosure
> Web Archives & RSS: http://seclists.org/fulldisclosure/

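Item 4 of the quoted advisory shows lqt_frame_duration reading four bytes just past a one-byte table that quicktime_read_stts allocated. The C below is an added example, not libquicktime's code: a bounds-checked stts reader that validates the declared entry count against the bytes actually present and refuses an empty table before any duration lookup can index it. It assumes the standard ISO BMFF stts layout (version/flags, entry_count, then sample_count/sample_delta pairs); the payloads are constructed, not the advisory's PoC files.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* One stts entry: a run of consecutive samples sharing one duration. */
typedef struct { uint32_t sample_count, sample_delta; } stts_entry_t;
typedef struct { stts_entry_t *entries; uint32_t count; } stts_table_t;

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Parse an stts payload (bytes after the 8-byte size/type header).
 * Returns 0 on success, -1 when entry_count is zero or larger than the
 * entries actually present, so no later lookup can index past the buffer. */
int stts_parse(const uint8_t *payload, size_t len, stts_table_t *out) {
    out->entries = NULL; out->count = 0;
    if (len < 8) return -1;               /* need version/flags + entry_count */
    uint32_t n = be32(payload + 4);
    if (n == 0) return -1;                /* empty table: nothing to index */
    if (n > (len - 8) / 8) return -1;     /* count claims more than len holds */
    stts_entry_t *e = malloc((size_t)n * sizeof *e);   /* n * 8 <= len: no overflow */
    if (!e) return -1;
    for (size_t i = 0; i < n; i++) {
        e[i].sample_count = be32(payload + 8 + i * 8);
        e[i].sample_delta = be32(payload + 12 + i * 8);
    }
    out->entries = e; out->count = n;
    return 0;
}

/* Duration of 0-based sample `sample`; 0 when it lies past the table. */
uint32_t stts_sample_duration(const stts_table_t *t, uint64_t sample) {
    uint64_t seen = 0;
    for (uint32_t i = 0; i < t->count; i++) {
        seen += t->entries[i].sample_count;
        if (sample < seen) return t->entries[i].sample_delta;
    }
    return 0;
}

/* Constructed payloads, not taken from the advisory's PoC files. */
static const uint8_t GOOD_STTS[] = {
    0, 0, 0, 0,   0, 0, 0, 2,      /* version/flags, entry_count = 2 */
    0, 0, 0, 3,   0, 0, 0, 100,    /* 3 samples of 100 ticks */
    0, 0, 0, 1,   0, 0, 0, 250     /* 1 sample of 250 ticks */
};
static const uint8_t EMPTY_STTS[] = { 0, 0, 0, 0,  0, 0, 0, 0 };                /* entry_count 0 */
static const uint8_t TRUNCATED_STTS[] = { 0, 0, 0, 0,  0x7f, 0xff, 0xff, 0xff };  /* claims 2^31-1 */

/* Parse `p`, look up `sample`, free; -1 means the payload was rejected. */
long check_payload(const uint8_t *p, size_t len, uint64_t sample) {
    stts_table_t t;
    if (stts_parse(p, len, &t) != 0) return -1;
    long d = (long)stts_sample_duration(&t, sample);
    free(t.entries);
    return d;
}
```

The same shape of check (declared count versus bytes present, then a non-empty table before the first lookup) applies to the other table readers named in the advisory, such as the dref table.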