Bug#993372: atomicparsley: CVE-2021-37231 - stack-buffer overflow in APar_readX in src/extract.cpp
Package: atomicparsley
Version: 0.9.6-2
Severity: important
Tags: patch security
https://github.com/wez/atomicparsley/issues/30
See also #993366
AtomicParsley, at the version in buster, bullseye, bookworm and sid, causes a stack
overflow when tested with the data file from the upstream bug report for CVE-2021-37231.
The upstream change can be backported to the version in Debian; with the attached patch
the supplied data file no longer produces the crash.
-- System Information:
Debian Release: 10.10
APT prefers oldstable-updates
APT policy: (500, 'oldstable-updates'), (500, 'oldstable')
Architecture: amd64 (x86_64)
Kernel: Linux 4.19.0-17-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB:en (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages atomicparsley depends on:
ii libc6 2.28-10
ii libgcc1 1:8.3.0-6
ii libstdc++6 8.3.0-6
ii zlib1g 1:1.2.11.dfsg-1
atomicparsley recommends no packages.
atomicparsley suggests no packages.
-- no debconf information
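The overflow described above, as an added illustration that is not the reporter's patch or AtomicParsley's own code: a constructed 'hdlr' atom declares a large size, the unpatched arithmetic turns that attacker-controlled size straight into a copy length for a fixed buffer, and the hardened read bounds the copy by the buffer (leaving room for a NUL) and by the bytes actually available. The 100-byte buffer (taken from the hunk's memset), the 32-byte name offset, the 32-bit size field (64-bit largesize not handled) and all helper names are assumptions of this example.

```c
/*
 * Added illustration of the CVE-2021-37231 pattern. Not AtomicParsley code:
 * the buffer size (100, from the patch's memset), the +32 name offset and the
 * 32-bit size field are assumptions that mirror the hunk, not the real structs.
 */
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HDLR_NAME_BUFSZ 100   /* assumed size of track_hdlr_name */
#define HDLR_NAME_OFFSET 32   /* size(4) type(4) ver/flags(4) pre_defined(4) handler_type(4) reserved(12) */

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Unpatched arithmetic: the copy length handed to the reader is taken straight
 * from the attacker-controlled atom size. Returns 1 if it exceeds the buffer. */
int unpatched_would_overflow(uint64_t atomic_length) {
    return atomic_length > 34 && atomic_length - HDLR_NAME_OFFSET > HDLR_NAME_BUFSZ;
}

/* Hardened read: bounds the copy by the buffer (minus one for the NUL) and by
 * the bytes actually present. Returns bytes copied, 0 for a too-short atom,
 * -1 if the declared size runs past the available data. */
int read_hdlr_name(const uint8_t *atom, size_t avail, char out[HDLR_NAME_BUFSZ]) {
    memset(out, 0, HDLR_NAME_BUFSZ);
    if (avail < 8) return -1;
    uint64_t atomic_length = be32(atom);        /* size==1 (64-bit largesize) not handled here */
    if (atomic_length > avail) return -1;       /* declared size must fit in the file */
    if (atomic_length <= 34) return 0;          /* same guard as the source */
    uint64_t name_len = atomic_length - HDLR_NAME_OFFSET;
    size_t n = name_len < HDLR_NAME_BUFSZ - 1 ? (size_t)name_len : HDLR_NAME_BUFSZ - 1;
    memcpy(out, atom + HDLR_NAME_OFFSET, n);
    return (int)n;
}

/* Constructed test input: a 'hdlr' atom whose name field is name_len bytes of fill. */
size_t build_hdlr_atom(uint8_t *buf, size_t bufsz, size_t name_len, char fill) {
    size_t total = HDLR_NAME_OFFSET + name_len;
    if (total > bufsz) return 0;
    memset(buf, 0, total);
    buf[0] = (uint8_t)(total >> 24); buf[1] = (uint8_t)(total >> 16);
    buf[2] = (uint8_t)(total >> 8);  buf[3] = (uint8_t)total;
    memcpy(buf + 4, "hdlr", 4);
    memcpy(buf + 16, "vide", 4);                /* handler_type */
    memset(buf + HDLR_NAME_OFFSET, fill, name_len);
    return total;
}

/* Convenience: build an atom with name_len name bytes and run the hardened read. */
int hardened_copy_len_for(size_t name_len) {
    uint8_t atom[4096];
    char name[HDLR_NAME_BUFSZ];
    size_t len = build_hdlr_atom(atom, sizeof atom, name_len, 'A');
    if (len == 0) return -2;
    int n = read_hdlr_name(atom, len, name);
    if (n > 0 && strlen(name) != (size_t)n) return -3; /* must stay NUL-terminated */
    return n;
}

/* Atom declares 1000 name bytes but only 'avail' bytes are handed over (truncated file). */
int hardened_result_truncated(size_t avail) {
    uint8_t atom[4096];
    char name[HDLR_NAME_BUFSZ];
    size_t len = build_hdlr_atom(atom, sizeof atom, 1000, 'B');
    return read_hdlr_name(atom, avail < len ? avail : len, name);
}

int main(void) {
    uint8_t atom[4096];
    char name[HDLR_NAME_BUFSZ];
    size_t len = build_hdlr_atom(atom, sizeof atom, 1000, 'A');
    printf("atom length %zu: unpatched code would copy %" PRIu64 " bytes into %d (overflow=%d)\n",
           len, (uint64_t)len - HDLR_NAME_OFFSET, HDLR_NAME_BUFSZ, unpatched_would_overflow(len));
    int n = read_hdlr_name(atom, len, name);
    printf("hardened read copied %d bytes, name starts \"%.8s\"\n", n, name);
    return 0;
}
```

The bounded version deliberately copies at most 99 bytes so the buffer stays NUL-terminated, and rejects an atom whose declared size is larger than the data handed to it, which is the other way a crafted file can steer the reader past what was actually read.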
--- a/src/extracts.cpp
+++ b/src/extracts.cpp
@@ -1014,8 +1014,9 @@
track_info->type_of_track = VIDEO_TRACK;
}
if ( parsedAtoms[track->track_atom].AtomicLength > 34) {
- memset(track_info->track_hdlr_name, 0, 100);
- APar_readX(track_info->track_hdlr_name, isofile, parsedAtoms[track->track_atom].AtomicStart + 32, parsedAtoms[track->track_atom].AtomicLength - 32);
+ memset(track_info->track_hdlr_name, 0, sizeof(track_info->track_hdlr_name));
+ APar_readX(track_info->track_hdlr_name, isofile, parsedAtoms[track->track_atom].AtomicStart + 32,
+ std::min(sizeof(track_info->track_hdlr_name),parsedAtoms[track->track_atom].AtomicLength - 32));
}
//codec section
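Review bot: the std::min on the new APar_readX line deduces a single template type from both arguments, but sizeof(track_info->track_hdlr_name) is a size_t while AtomicLength - 32 keeps the type of AtomicLength (not shown in this hunk). If that type is not size_t on every release architecture, in particular 32-bit i386 and armhf where size_t is 32 bits, the backport fails to compile there; spell the type out, e.g. `std::min<size_t>(sizeof(track_info->track_hdlr_name), parsedAtoms[track->track_atom].AtomicLength - 32)` with a matching cast, or compare the two values explicitly. Separately, the bound allows a copy of exactly sizeof(track_hdlr_name) bytes, which overwrites the terminator the preceding memset provided; if track_hdlr_name is ever treated as a C string, bound to `sizeof(track_info->track_hdlr_name) - 1` instead. The existing `> 34` guard does keep AtomicLength - 32 from underflowing, so that part needs no change.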
--- a/src/AtomicParsley.h
+++ b/src/AtomicParsley.h
@@ -145,6 +145,7 @@
#endif
#include "util.h"
+#include <algorithm>
#define MAX_ATOMS 1024
#define MAXDATA_PAYLOAD 1256
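Review bot: `<algorithm>` is only needed for the std::min introduced in src/extracts.cpp, yet this hunk adds it to the shared AtomicParsley.h, so every translation unit including that header now pulls it in. Prefer including it at the top of src/extracts.cpp beside the change; if it must stay in the header, group it with the other system includes rather than after the local `#include "util.h"` that follows an `#endif`.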