Versions of IBM Spectrum Protect Plus prior to 10.1.12 (excluding 10.1.12) include the private key information for a certificate inside the generated .crt file when uploading a TLS certificate to IBM Spectrum Protect Plus. If this generated .crt file is shared, an attacker can obtain the private key information for the uploaded certificate. IBM X-Force ID: 235718.

  

**Summary**

IBM Spectrum Protect Plus incorrectly handles TLS certificates which can result in an attacker obtaining private key information for the uploaded certificate.

**Vulnerability Details**

**CVEID:**   CVE-2022-40234  
**DESCRIPTION:**   Versions of IBM Spectrum Protect Plus prior to 10.1.12 (excluding 10.1.12) include the private key information for a certificate inside the generated .crt file when uploading a TLS certificate to IBM Spectrum Protect Plus. If this generated .crt file is shared, an attacker can obtain the private key information for the uploaded certificate.  
CVSS Base score: 5.9  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/235718 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)

**Affected Products and Versions**

**Affected Product(s)**

**Version(s)**

IBM Spectrum Protect Plus

10.1.0-10.1.11

  

**Remediation/Fixes**

**Workarounds and Mitigations**

None

**References**

Off

**Change History**

16 September 2022: Initial Publication

\*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

**Disclaimer**

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. "Affected Products and Versions" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.

**Document Location**

Worldwide

\[{"Business Unit":{"code":"BU058","label":"IBM Infrastructure w\\/TPS"},"Product":{"code":"SSNQFQ","label":"IBM Spectrum Protect Plus"},"Component":"","Platform":\[{"code":"PF016","label":"Linux"}\],"Version":"10.1","Edition":"","Line of Business":{"code":"LOB26","label":"Storage"}}\]

CVE-2022-40234: Insecure handling of TLS certificates by IBM Spectrum Protect Plus (CVE-2022-40234)

IBM Spectrum Protect Plus 10.1.6 through 10.1.11 Microsoft File Systems restore operation can download any file on the target machine by manipulating the URL with a directory traversal attack. This results in the restore operation gaining access to files which the operator should not have access to. IBM X-Force ID: 235873.

CVE-2022-40608: IBM Spectrum Protect Plus directory traversal CVE-2022-40608 Vulnerability Report

Certain The MPlayer Project products are vulnerable to Out-of-bounds Read via function read_meta_record() of mplayer/libmpdemux/asfheader.c. This affects mplayer SVN-r38374-13.0.1 and mencoder SVN-r38374-13.0.1.

**#2393 closed defect (fixed)**

Reported by:

Owned by:

beastd

Priority:

normal

Component:

undetermined

Version:

HEAD

Severity:

major

Keywords:

Cc:

Blocked By:

Blocking:

Reproduced by developer:

no

Analyzed by developer:

no

Version: SVN-r38374-13.0.1  

Build command: ../configure --disable-ffmpeg\_a && make (compiling with asan)  

Summary of the bug: A out-of-bound read is found in fucnction read\_meta\_record() which affects mplayer and mencoder. The attached file can reproduce this issue And this vulnerability can cause the crash of mplayer.  

How to reproduce:  

1.Command: ./mplayer testcase  

2.Result:  

MPlayer SVN-r38374-9 (C) 2000-2022 MPlayer Team                                                                                                                                                                                                                           
Playing libavformat version 58.29.100 (external)                                                                                             
ASF file format detected.                                                                                                            
\[asfheader\] Video stream found, -vid 1                                                                                                                                                                                                                                                                                                                                                                         
MPlayer interrupted by signal 11 in module: demux\_open                                                                               
- MPlayer crashed by bad usage of CPU/FPU/RAM.                                                                                         
Recompile MPlayer with --enable-debug and make a 'gdb' backtrace and                                                                 
disassembly. Details in DOCS/HTML/en/bugreports\_what.html#bugreports\_crash.                                                        
- MPlayer crashed. This shouldn't happen.                                                                                              
It can be a bug in the MPlayer code \_or\_ in your drivers \_or\_ in your                                                                
gcc version. If you think it's MPlayer's fault, please read                                                                          
DOCS/HTML/en/bugreports.html and follow the instructions there. We can't and                                                         
won't help unless you provide this information when reporting a possible bug.

3.After debugging with gdb, I found the crash is caused by access to a piece of unmmaped memory:  

Program received signal SIGSEGV, Segmentation fault.
read\_meta\_record (buf\_len=<synthetic pointer>, buf=0x55bc7b4c52a2 <error: Cannot access memory at address 0x55bc7b4c52a2>, dest=<synthetic pointer>) at libmpdemux/asfheader.c:242
242       dest->lang\_list\_index = AV\_RL16(buf);
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
────────────────────────────────────────────────────────────\[ REGISTERS \]────────────────────────────────────────────────────────────
 RAX  0x9e000004
 RBX  0x55bbdd4c529e ◂— 0x1000000000001                                                                                                                                                                                                                                                                                                                                                RCX  0x1
 RDX  0x1a
 RDI  0x55bbdd4c5284 ◂— 0xfda811cf5b4df869                                                                                                                                                                                                                                                                                                                                             RSI  0x1a                                                                                                                                                                                                                                                                                                                                                                             R8   0x0
 R9   0x10                                                                                                                                                                                                                                                                                                                                                                             R10  0x0
 R11  0x1ce
 R12  0x55bc7b4c52a2
 R13  0x0
 R14  0x55bbdd4c51d0 ◂— 0x11cfa9478cabdca1
 R15  0x1e1
 RBP  0x62000103
 RSP  0x7fff0e88d9f0 —▸ 0x7fff0e88da00 ◂— 0x55bb000001ce
 RIP  0x55bbdb4dde47 (read\_asf\_header+2935) ◂— movzx  edx, word ptr \[r12 + 4\]
─────────────────────────────────────────────────────────────\[ DISASM \]──────────────────────────────────────────────────────────────
 ► 0x55bbdb4dde47 <read\_asf\_header+2935>    movzx  edx, word ptr \[r12 + 4\]
   0x55bbdb4dde4d <read\_asf\_header+2941>    movzx  r9d, word ptr \[r12\]
   0x55bbdb4dde52 <read\_asf\_header+2946>    movzx  ecx, word ptr \[r12 + 2\]
   0x55bbdb4dde58 <read\_asf\_header+2952>    mov    eax, dword ptr \[r12 + 8\]
   0x55bbdb4dde5d <read\_asf\_header+2957>    mov    esi, edx
   0x55bbdb4dde5f <read\_asf\_header+2959>    lea    rdi, \[r12 + 0xc\]
   0x55bbdb4dde64 <read\_asf\_header+2964>    sub    ebp, edx
   0x55bbdb4dde66 <read\_asf\_header+2966>    js     read\_asf\_header+3128 <read\_asf\_header+3128>
    ↓
   0x55bbdb4ddf08 <read\_asf\_header+3128>    mov    ebx, dword ptr \[rsp + 0x44\]
   0x55bbdb4ddf0c <read\_asf\_header+3132>    mov    rax, qword ptr \[rsp + 0x18\]
   0x55bbdb4ddf11 <read\_asf\_header+3137>    mov    rdi, qword ptr \[rsp + 0x20\]
──────────────────────────────────────────────────────────\[ SOURCE (CODE) \]──────────────────────────────────────────────────────────
In file: /home/jlx/good\_mplayer/mplayer/libmpdemux/asfheader.c
   237 #define CHECKDEC(l, n) if (((l) -= (n)) < 0) return 0
   238 static char\* read\_meta\_record(ASF\_meta\_record\_t\* dest, char\* buf,
   239     int\* buf\_len)
   240 {
   241   CHECKDEC(\*buf\_len, 2 + 2 + 2 + 2 + 4);
 ► 242   dest->lang\_list\_index = AV\_RL16(buf);
   243   dest->stream\_num = AV\_RL16(&buf\[2\]);
   244   dest->name\_length = AV\_RL16(&buf\[4\]);
   245   dest->data\_type = AV\_RL16(&buf\[6\]);
   246   dest->data\_length = AV\_RL32(&buf\[8\]);
   247   buf += 2 + 2 + 2 + 2 + 4;
──────────────────────────────────────────────────────────────\[ STACK \]──────────────────────────────────────────────────────────────
00:0000│ rsp  0x7fff0e88d9f0 —▸ 0x7fff0e88da00 ◂— 0x55bb000001ce
01:0008│      0x7fff0e88d9f8 ◂— 0xfb775cd5000001e1
02:0010│      0x7fff0e88da00 ◂— 0x55bb000001ce
03:0018│      0x7fff0e88da08 —▸ 0x55bbdd4c50f0 ◂— 0x11cf668e75b22630
04:0020│      0x7fff0e88da10 —▸ 0x55bbdd4c53c0 —▸ 0x55bbdd461400 ◂— 0x0
05:0028│      0x7fff0e88da18 —▸ 0x55bbdd4c37a0 —▸ 0x55bbdb712ce0 (demuxer\_desc\_asf) —▸ 0x55bbdb6b3e9e ◂— 'ASF demuxer'
06:0030│      0x7fff0e88da20 ◂— 0x1
07:0038│      0x7fff0e88da28 ◂— 0x55bb00000001
────────────────────────────────────────────────────────────\[ BACKTRACE \]────────────────────────────────────────────────────────────
 ► f 0     55bbdb4dde47 read\_asf\_header+2935
   f 1     55bbdb4dde47 read\_asf\_header+2935
   f 2     55bbdb4dde47 read\_asf\_header+2935
   f 3     55bbdb4e9059 demux\_open\_asf+57
   f 4     55bbdb4e58f3 demux\_open\_stream+931
   f 5     55bbdb4e63e1 demux\_open+753
   f 6     55bbdb414dcb main+4027
   f 7     7f15770a80b3 \_\_libc\_start\_main+243
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
pwndbg> p buf
$2 = 0x55bc7b4c52a2 <error: Cannot access memory at address 0x55bc7b4c52a2>

CVE-2022-38851: #2393 (Out-of-bound read in function read_meta_record() of mplayer/libmpdemux/asfheader.c) – MPlayer

The MPlayer Project mencoder SVN-r38374-13.0.1 is vulnerable to Divide By Zero via the function config () of llibmpcodecs/vf_scale.c.

**#2399 closed defect (fixed)**

Reported by:

Owned by:

beastd

Priority:

normal

Component:

mencoder

Version:

unspecified

Severity:

major

Keywords:

Cc:

Blocked By:

Blocking:

Reproduced by developer:

no

Analyzed by developer:

no

Version: SVN-r38374-13.0.1  

Build command: ../configure --disable-ffmpeg\_a && make (compiling with asan)  

Summary of the bug: An division by zero is found in fucnction config () which affects mencoder. The attached file can reproduce this issue (ASAN-recompilation is needed).  

How to reproduce:  

1.Command: ./mencoder -ovc lavc -oac lavc -o /dev/null ./testcase  

2.Result:  

MEncoder SVN-r38374-13.0.1 (C) 2000-2022 MPlayer Team
success: format: 0  data: 0x0 - 0x60c
libavformat version 58.29.100 (external)
libavformat file format detected.
\[mov,mp4,m4a,3gp,3g2,mj2 @ 0x7fcbe8798600\]overread end of atom 'colr' by 10 bytes
\[mov,mp4,m4a,3gp,3g2,mj2 @ 0x7fcbe8798600\]reached eof, corrupted STCO atom
\[mov,mp4,m4a,3gp,3g2,mj2 @ 0x7fcbe8798600\]error reading header
LAVF\_header: av\_open\_input\_stream() failed
ISO: File Type Major Brand: Original QuickTime
Quicktime/MOV file format detected.
MOV: durmap and chunkmap sample count differ (1 vs 232)
\[mov\] Video stream found, -vid 0
\[mov\] Audio stream found, -aid 1
VIDEO:  \[\]  224x2  0bpp  13.000 fps    0.0 kbps ( 0.0 kbyte/s)
\[V\] filefmt:7  fourcc:0x0  size:224x2  fps:13.000  ftime:=0.0769
libavcodec version 58.54.100 (external)
Opening video filter: \[expand osd=1\]
Expand: -1 x -1, -1 ; -1, osd: 1, aspect: 0.000000, round: 1
==========================================================================
Opening video decoder: \[raw\] RAW Uncompressed Video
RAW: depth 0 not supported
Could not find matching colorspace - retrying with -vf scale...
Opening video filter: \[scale\]
The selected video\_out device is incompatible with this codec.
Try appending the scale filter to your filter list,
e.g. -vf spp,scale instead of -vf spp.
VDecoder init failed :(
Opening video decoder: \[raw\] RAW Uncompressed Video
RAW: depth 0 not supported
Could not find matching colorspace - retrying with -vf scale...
Opening video filter: \[scale\]
The selected video\_out device is incompatible with this codec.
Try appending the scale filter to your filter list,
e.g. -vf spp,scale instead of -vf spp.
VDecoder init failed :(
Opening video decoder: \[raw\] RAW Uncompressed Video
RAW: depth 0 not supported
Could not find matching colorspace - retrying with -vf scale...
Opening video filter: \[scale\]
The selected video\_out device is incompatible with this codec.
Try appending the scale filter to your filter list,
e.g. -vf spp,scale instead of -vf spp.
VDecoder init failed :(
Opening video decoder: \[raw\] RAW Uncompressed Video
RAW: depth 0 not supported
Could not find matching colorspace - retrying with -vf scale...
Opening video filter: \[scale\]
The selected video\_out device is incompatible with this codec.
Try appending the scale filter to your filter list,
e.g. -vf spp,scale instead of -vf spp.
VDecoder init failed :(
Opening video decoder: \[raw\] RAW Uncompressed Video
RAW: depth 0 not supported
Could not find matching colorspace - retrying with -vf scale...
Opening video filter: \[scale\]
The selected video\_out device is incompatible with this codec.
Try appending the scale filter to your filter list,
e.g. -vf spp,scale instead of -vf spp.
VDecoder init failed :(
Opening video decoder: \[raw\] RAW Uncompressed Video
RAW: depth 0 not supported
Could not find matching colorspace - retrying with -vf scale...
Opening video filter: \[scale\]
The selected video\_out device is incompatible with this codec.
Try appending the scale filter to your filter list,
e.g. -vf spp,scale instead of -vf spp.
VDecoder init failed :(
Opening video decoder: \[raw\] RAW Uncompressed Video
RAW: depth 0 not supported
Could not find matching colorspace - retrying with -vf scale...
Opening video filter: \[scale\]
The selected video\_out device is incompatible with this codec.
Try appending the scale filter to your filter list,
e.g. -vf spp,scale instead of -vf spp.
VDecoder init failed :(
Opening video decoder: \[raw\] RAW Uncompressed Video
RAW: depth 0 not supported
Could not find matching colorspace - retrying with -vf scale...
Opening video filter: \[scale\]
The selected video\_out device is incompatible with this codec.
Try appending the scale filter to your filter list,
e.g. -vf spp,scale instead of -vf spp.
VDecoder init failed :(
Opening video decoder: \[raw\] RAW Uncompressed Video
RAW: depth 0 not supported
Could not find matching colorspace - retrying with -vf scale...
Opening video filter: \[scale\]
The selected video\_out device is incompatible with this codec.
Try appending the scale filter to your filter list,
e.g. -vf spp,scale instead of -vf spp.
VDecoder init failed :(
Opening video decoder: \[raw\] RAW Uncompressed Video
RAW: depth 0 not supported
Could not find matching colorspace - retrying with -vf scale...
Opening video filter: \[scale\]
The selected video\_out device is incompatible with this codec.
Try appending the scale filter to your filter list,
e.g. -vf spp,scale instead of -vf spp.
VDecoder init failed :(
Opening video decoder: \[raw\] RAW Uncompressed Video
RAW: depth 0 not supported
Could not find matching colorspace - retrying with -vf scale...
Opening video filter: \[scale\]
The selected video\_out device is incompatible with this codec.
Try appending the scale filter to your filter list,
e.g. -vf spp,scale instead of -vf spp.
VDecoder init failed :(
Opening video decoder: \[ffmpeg\] FFmpeg's libavcodec codec family
\[rawvideo @ 0x7fcbe7d194c0\]Invalid pixel format.
Could not open codec.
VDecoder init failed :(
Opening video decoder: \[raw\] RAW Uncompressed Video
RAW: depth 0 not supported
Could not find matching colorspace - retrying with -vf scale...
Opening video filter: \[scale\]
The selected video\_out device is incompatible with this codec.
Try appending the scale filter to your filter list,
e.g. -vf spp,scale instead of -vf spp.
VDecoder init failed :(
Opening video decoder: \[raw\] RAW Uncompressed Video
RAW: depth 0 not supported
Could not find matching colorspace - retrying with -vf scale...
Opening video filter: \[scale\]
The selected video\_out device is incompatible with this codec.
Try appending the scale filter to your filter list,
e.g. -vf spp,scale instead of -vf spp.
VDecoder init failed :(
Opening video decoder: \[raw\] RAW Uncompressed Video
Could not find matching colorspace - retrying with -vf scale...
Opening video filter: \[scale\]
Movie-Aspect is inf:1 - prescaling to correct movie aspect.
\[swscaler @ 0x7fcbe886f000\]bicubic scaler, from yuyv422 to yuv420p using MMXEXT
\[swscaler @ 0x7fcbe886f000\]using unscaled yuyv422 -> yuv420p special converter
AddressSanitizer:DEADLYSIGNAL
=================================================================
==24938==ERROR: AddressSanitizer: FPE on unknown address 0x55f9c11790cb (pc 0x55f9c11790cb bp 0x7ffe2ad52ee0 sp 0x7ffe2ad52d80 T0)
    #0 0x55f9c11790cb in config /home/jlx/good\_mplayer/mplayer/libmpcodecs/vf\_scale.c:401:49
    #1 0x55f9c10bb8a3 in vf\_config\_wrapper /home/jlx/good\_mplayer/mplayer/libmpcodecs/vf.c:663:9

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: FPE /home/jlx/good\_mplayer/mplayer/libmpcodecs/vf\_scale.c:401:49 in config
==24938==ABORTING

3.Debugging with gdb  

Breakpoint 1, config (vf=0x5560a56df640, width=224, height=<optimized out>, d\_width=224, d\_height=0, flags=0, outfmt=844715353) at libmpcodecs/vf\_scale.c:401
401                     d\_width = vf->priv->h \* d\_width / d\_height;
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
───────────────────────────────────────────────────────────────────────\[ REGISTERS \]────────────────────────────────────────────────────────────────────────
 RAX  0x1c0
 RBX  0x0
 RCX  0x400
 RDX  0x0
 RDI  0x0
 RSI  0xe0
 R8   0x0
 R9   0x7ffc5a17a3b0 —▸ 0x7f202bf1b4a0 (\_IO\_file\_jumps) ◂— 0x0
 R10  0x4
 R11  0x246
 R12  0xe0
 R13  0x32315659
 R14  0x2
 R15  0x5560a56df640 —▸ 0x5560a43f7ca0 (vf\_info\_scale) —▸ 0x5560a43cee8b ◂— 'software scaling'
 RBP  0xe0
 RSP  0x7ffc5a17beb0 ◂— 0x0
 RIP  0x5560a4238612 (config+1218) ◂— cdq
─────────────────────────────────────────────────────────────────────────\[ DISASM \]─────────────────────────────────────────────────────────────────────────
 ► 0x5560a4238612 <config+1218>    cdq
   0x5560a4238613 <config+1219>    idiv   ebx
    ↓
   0x5560a4238613 <config+1219>    idiv   ebx







─────────────────────────────────────────────────────────────────────\[ SOURCE (CODE) \]──────────────────────────────────────────────────────────────────────
In file: /home/jlx/good\_mplayer/mplayer/libmpcodecs/vf\_scale.c
   396
   397     if(!opt\_screen\_size\_x && !opt\_screen\_size\_y && !(screen\_size\_xy >= 0.001)){
   398         // Compute new d\_width and d\_height, preserving aspect
   399         // while ensuring that both are >= output size in pixels.
   400         if (vf->priv->h \* d\_width > vf->priv->w \* d\_height) {
 ► 401                 d\_width = vf->priv->h \* d\_width / d\_height;
   402                 d\_height = vf->priv->h;
   403         } else {
   404                 d\_height = vf->priv->w \* d\_height / d\_width;
   405                 d\_width = vf->priv->w;
   406         }
─────────────────────────────────────────────────────────────────────────\[ STACK \]──────────────────────────────────────────────────────────────────────────
00:0000│ rsp  0x7ffc5a17beb0 ◂— 0x0
01:0008│      0x7ffc5a17beb8 ◂— 0x1
02:0010│      0x7ffc5a17bec0 ◂— 0x2000000e0
03:0018│      0x7ffc5a17bec8 —▸ 0x5560a43cb59b ◂— 'Planar YV12'
04:0020│      0x7ffc5a17bed0 ◂— 0x100400000000
05:0028│      0x7ffc5a17bed8 —▸ 0x5560a56df8c0 —▸ 0x5560a56df980 —▸ 0x5560a56df9c0 ◂— 0x3ff0000000000000
06:0030│      0x7ffc5a17bee0 ◂— 0x0
07:0038│      0x7ffc5a17bee8 ◂— 0xec39eef7e8469000
───────────────────────────────────────────────────────────────────────\[ BACKTRACE \]────────────────────────────────────────────────────────────────────────
 ► f 0     5560a4238612 config+1218
   f 1     5560a4210cc7 vf\_config\_wrapper+135
   f 2     5560a420d2fb mpcodecs\_config\_vo+811
   f 3     5560a4207b5b init\_video.constprop+555
   f 4     5560a4208305 init\_best\_video\_codec+565
   f 5     5560a41c5254 main+8228
   f 6     7f202bd550b3 \_\_libc\_start\_main+243
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────

CVE-2022-38850: #2399 (A Division by zero occurred in the function config () of llibmpcodecs/vf_scale.c) – MPlayer

Mplayer SVN-r38374-13.0.1 is vulnerable to Memory Leak via vf.c and vf_vo.c.

**#2390 closed defect (fixed)**

Reported by:

Owned by:

beastd

Priority:

normal

Component:

vf

Version:

unspecified

Severity:

normal

Keywords:

Cc:

Blocked By:

Blocking:

Reproduced by developer:

no

Analyzed by developer:

no

Summary of the bug: Found a .viv file for mplayer where asan reports a memory leak.  
How to reproduce:Use the attached file to reproduce this issue (ASAN-recompilation are required)  
version: SVN-r38374-13.0.1  
kernel version:ubuntu 20.04; Linux 5.15.0-46-generic  
complier version:clang 13.0.1-2ubuntu2~20.04.1  

mplayer and ASAN output:  

Player SVN-r38374-13.0.1 (C) 2000-2022 MPlayer Team  

Playing /home/ldy/sample/useful/03-KimagureOrangeRoad.viv.  
libavformat version 58.29.100 (external)  
VIVO file format detected.  
VIDEO: \[viv2\] 320x240 24bpp 10.000 fps 0.0 kbps ( 0.0 kbyte/s)  
\[gl\] using extended formats. Use -vo gl:nomanyfmts if playback fails.  
\==========================================================================  
Requested video codec family \[vivo\] (vfm=vfw) not available.  
Enable it at compilation.  
Cannot find codec matching selected -vo and video format 0x32766976.  
\==========================================================================  
Clip info:  

> title: <No Title>  
> author: NV  
> copyright: <No Copyright>  
> encoder: VivoActive VideoNow 3.0 for Windows  

Load subtitles in /home/ldy/sample/useful/  
\==========================================================================  
Requested audio codec family \[vivoaudio\] (afm=acm) not available.  
Enable it at compilation.  
Opening audio decoder: \[ffmpeg\] FFmpeg/libavcodec audio decoders  
libavcodec version 58.54.100 (external)  
Cannot find codec 'siren' in libavcodec...  
ADecoder init failed :(  
ADecoder init failed :(  
Cannot find codec for audio format 0x112.  
Audio: no sound  
Video: no video  

Exiting... (End of file)  

\=================================================================  
\==3993864==ERROR: LeakSanitizer: detected memory leaks  

Direct leak of 576 byte(s) in 1 object(s) allocated from:  

> #0 0x55ac7b1e06dd in malloc (/home/ldy/good\_mplayer/asan\_playr/mplayer+0x33e6dd)  
> #1 0x55ac7b42992e in vf\_open\_plugin /home/ldy/good\_mplayer/mplayer/libmpcodecs/vf.c:478:8  

Indirect leak of 24 byte(s) in 1 object(s) allocated from:  

> #0 0x55ac7b1e0872 in interceptor\_calloc (/home/ldy/good\_mplayer/asan\_playr/mplayer+0x33e872)  
> #1 0x55ac7b50a2cd in vf\_open /home/ldy/good\_mplayer/mplayer/libmpcodecs/vf\_vo.c:215:14  

SUMMARY: AddressSanitizer: 600 byte(s) leaked in 2 allocation(s).

CVE-2022-38600: #2390 (memory leak in vf.c and vf_vo.c) – MPlayer

Certain The MPlayer Project products are vulnerable to Buffer Overflow via function mov_build_index() of libmpdemux/demux_mov.c. This affects mplayer SVN-r38374-13.0.1 and mencoder SVN-r38374-13.0.1.

**#2396 closed defect (fixed)**

Reported by:

Owned by:

beastd

Priority:

normal

Component:

undetermined

Version:

HEAD

Severity:

major

Keywords:

Cc:

Blocked By:

Blocking:

Reproduced by developer:

no

Analyzed by developer:

no

Version: SVN-r38374-13.0.1  

Build command: ../configure --disable-ffmpeg\_a && make (compiling with asan)  

Summary of the bug: An heap-buffer-overflow is found in fucnction mov\_build\_index () which affects mplayer and mencoder. The attached file can reproduce this issue (ASAN-recompilation is needed).  

How to reproduce:  

1.Command: ./mplayer testcase  

2.Result:  

MPlayer SVN-r38374-13.0.1 (C) 2000-2022 MPlayer Team

Playing 
libavformat version 58.29.100 (external)
libavformat file format detected.
\[mov,mp4,m4a,3gp,3g2,mj2 @ 0x7f665a275600\]Version 22 is not implemented. Update your FFmpeg version to the newest one from Git. If the problem still occurs, it means that your file has a feature which has not been implemented.                                                                                                                                                    \[mov,mp4,m4a,3gp,3g2,mj2 @ 0x7f665a275600\]If you want to help, upload a sample of this file to ftp://upload.ffmpeg.org/incoming/ and contact the ffmpeg-devel mailing list. (ffmpeg-devel@ffmpeg.org)                                                                                                                                                                                 \[mov,mp4,m4a,3gp,3g2,mj2 @ 0x7f665a275600\]error reading header
LAVF\_header: av\_open\_input\_stream() failed
ISO: File Type Major Brand: Original QuickTime
Quicktime/MOV file format detected.
\[mov\] Video stream found, -vid 0
Warning! pts=-285211648  length=2048
MOV: durmap and chunkmap sample count differ (1 vs 2)
=================================================================
==24664==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x603000014580 at pc 0x563d661312e5 bp 0x7ffecfcd0050 sp 0x7ffecfcd0048
READ of size 4 at 0x603000014580 thread T0
    #0 0x563d661312e4 in mov\_build\_index /home/jlx/good\_mplayer/mplayer/libmpdemux/demux\_mov.c:302:110
    #1 0x563d661312e4 in lschunks /home/jlx/good\_mplayer/mplayer/libmpdemux/demux\_mov.c:1333:6
    #2 0x563d6611c88c in mov\_read\_header /home/jlx/good\_mplayer/mplayer/libmpdemux/demux\_mov.c:1961:5

0x603000014580 is located 0 bytes to the right of 32-byte region \[0x603000014560,0x603000014580)
allocated by thread T0 here:
    #0 0x563d65d5a362 in \_\_interceptor\_calloc (/home/jlx/good\_mplayer/asan\_mplayer/mplayer+0x343362)
    #1 0x563d661263f0 in lschunks\_intrak /home/jlx/good\_mplayer/mplayer/libmpdemux/demux\_mov.c:1820:25
    #2 0x563d661263f0 in lschunks /home/jlx/good\_mplayer/mplayer/libmpdemux/demux\_mov.c:1305:8
    #3 0x563d66123576 in lschunks\_intrak /home/jlx/good\_mplayer/mplayer/libmpdemux/demux\_mov.c
    #4 0x563d66123576 in lschunks /home/jlx/good\_mplayer/mplayer/libmpdemux/demux\_mov.c:1305:8
    #5 0x563d66123576 in lschunks\_intrak /home/jlx/good\_mplayer/mplayer/libmpdemux/demux\_mov.c
    #6 0x563d66123576 in lschunks /home/jlx/good\_mplayer/mplayer/libmpdemux/demux\_mov.c:1305:8
    #7 0x563d66123576 in lschunks\_intrak /home/jlx/good\_mplayer/mplayer/libmpdemux/demux\_mov.c
    #8 0x563d66123576 in lschunks /home/jlx/good\_mplayer/mplayer/libmpdemux/demux\_mov.c:1305:8
    #9 0x563d66124068 in lschunks /home/jlx/good\_mplayer/mplayer/libmpdemux/demux\_mov.c:1332:6
    #10 0x563d6611c88c in mov\_read\_header /home/jlx/good\_mplayer/mplayer/libmpdemux/demux\_mov.c:1961:5
                                                                                                                                                                                                                                                                                                                                                                                      SUMMARY: AddressSanitizer: heap-buffer-overflow /home/jlx/good\_mplayer/mplayer/libmpdemux/demux\_mov.c:302:110 in mov\_build\_index                                                                                                                                                                                                                                                      Shadow bytes around the buggy address:
  0x0c067fffa860: 00 fa fa fa fd fd fd fd fa fa fd fd fd fd fa fa
  0x0c067fffa870: fd fd fd fd fa fa fd fd fd fd fa fa fd fd fd fd
  0x0c067fffa880: fa fa fd fd fd fa fa fa fd fd fd fa fa fa fd fd
  0x0c067fffa890: fd fd fa fa fd fd fd fd fa fa 00 00 00 04 fa fa
  0x0c067fffa8a0: 00 00 00 fa fa fa 00 00 00 04 fa fa 00 00 00 00
=>0x0c067fffa8b0:\[fa\]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fffa8c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fffa8d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fffa8e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fffa8f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fffa900: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==24664==ABORTING

CVE-2022-38858: #2396 (A heap-buffer-overflow occurred in function mov_build_index() of libmpdemux/demux_mov.c) – MPlayer

**#2395 closed defect (fixed)**

Reported by:

Owned by:

beastd

Priority:

normal

Component:

undetermined

Version:

HEAD

Severity:

major

Keywords:

Cc:

Blocked By:

Blocking:

Reproduced by developer:

no

Analyzed by developer:

no

Version: SVN-r38374-13.0.1  

Build command: ../configure --disable-ffmpeg\_a && make (compiling with asan)  

Summary of the bug: An heap-buffer-overflow is found in fucnction mov\_build\_index () which affects mplayer and mencoder. The attached file can reproduce this issue (ASAN-recompilation is needed).  

How to reproduce:  

1.Command: ./mplayer testcase  

2.Result:  

MPlayer SVN-r38374-13.0.1 (C) 2000-2022 MPlayer Team

Playing 
libavformat version 58.29.100 (external)
libavformat file format detected.
\[mov,mp4,m4a,3gp,3g2,mj2 @ 0x7f665a275600\]Version 22 is not implemented. Update your FFmpeg version to the newest one from Git. If the problem still occurs, it means that your file has a feature which has not been implemented.                                                                                                                                                    \[mov,mp4,m4a,3gp,3g2,mj2 @ 0x7f665a275600\]If you want to help, upload a sample of this file to ftp://upload.ffmpeg.org/incoming/ and contact the ffmpeg-devel mailing list. (ffmpeg-devel@ffmpeg.org)                                                                                                                                                                                 \[mov,mp4,m4a,3gp,3g2,mj2 @ 0x7f665a275600\]error reading header
LAVF\_header: av\_open\_input\_stream() failed
ISO: File Type Major Brand: Original QuickTime
Quicktime/MOV file format detected.
\[mov\] Video stream found, -vid 0
Warning! pts=-285211648  length=2048
MOV: durmap and chunkmap sample count differ (1 vs 2)
=================================================================
==24664==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x603000014580 at pc 0x563d661312e5 bp 0x7ffecfcd0050 sp 0x7ffecfcd0048
READ of size 4 at 0x603000014580 thread T0
    #0 0x563d661312e4 in mov\_build\_index /home/jlx/good\_mplayer/mplayer/libmpdemux/demux\_mov.c:302:110
    #1 0x563d661312e4 in lschunks /home/jlx/good\_mplayer/mplayer/libmpdemux/demux\_mov.c:1333:6
    #2 0x563d6611c88c in mov\_read\_header /home/jlx/good\_mplayer/mplayer/libmpdemux/demux\_mov.c:1961:5

0x603000014580 is located 0 bytes to the right of 32-byte region \[0x603000014560,0x603000014580)
allocated by thread T0 here:
    #0 0x563d65d5a362 in \_\_interceptor\_calloc (/home/jlx/good\_mplayer/asan\_mplayer/mplayer+0x343362)
    #1 0x563d661263f0 in lschunks\_intrak /home/jlx/good\_mplayer/mplayer/libmpdemux/demux\_mov.c:1820:25
    #2 0x563d661263f0 in lschunks /home/jlx/good\_mplayer/mplayer/libmpdemux/demux\_mov.c:1305:8
    #3 0x563d66123576 in lschunks\_intrak /home/jlx/good\_mplayer/mplayer/libmpdemux/demux\_mov.c
    #4 0x563d66123576 in lschunks /home/jlx/good\_mplayer/mplayer/libmpdemux/demux\_mov.c:1305:8
    #5 0x563d66123576 in lschunks\_intrak /home/jlx/good\_mplayer/mplayer/libmpdemux/demux\_mov.c
    #6 0x563d66123576 in lschunks /home/jlx/good\_mplayer/mplayer/libmpdemux/demux\_mov.c:1305:8
    #7 0x563d66123576 in lschunks\_intrak /home/jlx/good\_mplayer/mplayer/libmpdemux/demux\_mov.c
    #8 0x563d66123576 in lschunks /home/jlx/good\_mplayer/mplayer/libmpdemux/demux\_mov.c:1305:8
    #9 0x563d66124068 in lschunks /home/jlx/good\_mplayer/mplayer/libmpdemux/demux\_mov.c:1332:6
    #10 0x563d6611c88c in mov\_read\_header /home/jlx/good\_mplayer/mplayer/libmpdemux/demux\_mov.c:1961:5
                                                                                                                                                                                                                                                                                                                                                                                      SUMMARY: AddressSanitizer: heap-buffer-overflow /home/jlx/good\_mplayer/mplayer/libmpdemux/demux\_mov.c:302:110 in mov\_build\_index                                                                                                                                                                                                                                                      Shadow bytes around the buggy address:
  0x0c067fffa860: 00 fa fa fa fd fd fd fd fa fa fd fd fd fd fa fa
  0x0c067fffa870: fd fd fd fd fa fa fd fd fd fd fa fa fd fd fd fd
  0x0c067fffa880: fa fa fd fd fd fa fa fa fd fd fd fa fa fa fd fd
  0x0c067fffa890: fd fd fa fa fd fd fd fd fa fa 00 00 00 04 fa fa
  0x0c067fffa8a0: 00 00 00 fa fa fa 00 00 00 04 fa fa 00 00 00 00
=>0x0c067fffa8b0:\[fa\]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fffa8c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fffa8d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fffa8e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fffa8f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fffa900: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==24664==ABORTING

CVE-2022-38856: #2395 (A heap-buffer-overflow occurred in function mov_build_index() of libmpdemux/demux_mov.c) – MPlayer

Certain The MPlayer Project products are vulnerable to Buffer Overflow via read_avi_header() of libmpdemux/aviheader.c . This affects mplayer SVN-r38374-13.0.1 and mencoder SVN-r38374-13.0.1.

**#2403 closed defect (fixed)**

Reported by:

Owned by:

beastd

Priority:

normal

Component:

undetermined

Version:

HEAD

Severity:

major

Keywords:

Cc:

Blocked By:

Blocking:

Reproduced by developer:

no

Analyzed by developer:

no

Version: SVN-r38374-13.0.1  

Build command: ../configure --disable-ffmpeg\_a && make (compiling with asan)  

Summary of the bug: An heap-buffer-overflow is found in fucnction read\_avi\_header () which affects mencoder and mplayer The attached file can reproduce this issue (ASAN-recompilation is needed).  

How to reproduce:  

1.Command: ./mencoder -ovc lavc -oac lavc -o /dev/null ./testcase  

> ./mplayer ./testcase  

2.Result:  

MPlayer SVN-r38374-9 (C) 2000-2022 MPlayer Team

Playing /home/jlx/crashes/id^%000059,sig^%06,src^%001757,time^%15822098,execs^%776566,op^%havoc,rep^%2.
libavformat version 58.29.100 (external)
AVI file format detected.
\[aviheader\] Video stream found, -vid 0
\[aviheader\] Audio stream found, -aid 1


MPlayer interrupted by signal 11 in module: demux\_open
- MPlayer crashed by bad usage of CPU/FPU/RAM.
  Recompile MPlayer with --enable-debug and make a 'gdb' backtrace and
  disassembly. Details in DOCS/HTML/en/bugreports\_what.html#bugreports\_crash.
- MPlayer crashed. This shouldn't happen.
  It can be a bug in the MPlayer code \_or\_ in your drivers \_or\_ in your
  gcc version. If you think it's MPlayer's fault, please read
  DOCS/HTML/en/bugreports.html and follow the instructions there. We can't and
  won't help unless you provide this information when reporting a possible bug.

MPlayer SVN-r38374-13.0.1 (C) 2000-2022 MPlayer Team

Playing /home/jlx/crashes/id^%000059,sig^%06,src^%001757,time^%15822098,execs^%776566,op^%havoc,rep^%2.
libavformat version 58.29.100 (external)
AVI file format detected.
\[aviheader\] Video stream found, -vid 0
=================================================================
==7938==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000002db0 at pc 0x55c64191557c bp 0x7ffcdbc68090 sp 0x7ffcdbc68088
READ of size 4 at 0x602000002db0 thread T0
    #0 0x55c64191557b in read\_avi\_header /home/jlx/good\_mplayer/mplayer/libmpdemux/aviheader.c:364:12
    #1 0x55c641948cbe in demux\_open\_avi /home/jlx/good\_mplayer/mplayer/libmpdemux/demux\_avi.c:464:3
    #2 0x55c641948cbe in demux\_open\_hack\_avi /home/jlx/good\_mplayer/mplayer/libmpdemux/demux\_avi.c:885:14
    #3 0x55c641921f37 in demux\_open /home/jlx/good\_mplayer/mplayer/libmpdemux/demuxer.c:1294:10
    #4 0x55c6416232ed in main /home/jlx/good\_mplayer/mplayer/mplayer.c:3383:22
    #5 0x7fa5a6c780b2 in \_\_libc\_start\_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16

0x602000002db0 is located 31 bytes to the right of 1-byte region \[0x602000002d90,0x602000002d91)
allocated by thread T0 here:
    #0 0x55c6415c81cd in malloc (/home/jlx/good\_mplayer/asan\_mplayer/mplayer+0x3431cd)
    #1 0x55c64190a934 in read\_avi\_header /home/jlx/good\_mplayer/mplayer/libmpdemux/aviheader.c:358:26
    #2 0x55c641948cbe in demux\_open\_avi /home/jlx/good\_mplayer/mplayer/libmpdemux/demux\_avi.c:464:3
    #3 0x55c641948cbe in demux\_open\_hack\_avi /home/jlx/good\_mplayer/mplayer/libmpdemux/demux\_avi.c:885:14
    #4 0x55c641921f37 in demux\_open /home/jlx/good\_mplayer/mplayer/libmpdemux/demuxer.c:1294:10
    #5 0x55c6416232ed in main /home/jlx/good\_mplayer/mplayer/mplayer.c:3383:22
    #6 0x7fa5a6c780b2 in \_\_libc\_start\_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/jlx/good\_mplayer/mplayer/libmpdemux/aviheader.c:364:12 in read\_avi\_header
Shadow bytes around the buggy address:
  0x0c047fff8560: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 00
  0x0c047fff8570: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 00
  0x0c047fff8580: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 00
  0x0c047fff8590: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 00
  0x0c047fff85a0: fa fa 00 00 fa fa 00 00 fa fa 06 fa fa fa fd fd
=>0x0c047fff85b0: fa fa 01 fa fa fa\[fa\]fa fa fa fa fa fa fa fa fa
  0x0c047fff85c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff85d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff85e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff85f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8600: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==7938==ABORTING

MEncoder SVN-r38374-13.0.1 (C) 2000-2022 MPlayer Team
success: format: 0  data: 0x0 - 0x2aa3
libavformat version 58.29.100 (external)
AVI file format detected.
\[aviheader\] Video stream found, -vid 0
=================================================================
==6848==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000004370 at pc 0x55e9886b95dc bp 0x7fffc79a7df0 sp 0x7fffc79a7de8
READ of size 4 at 0x602000004370 thread T0
    #0 0x55e9886b95db in read\_avi\_header /home/jlx/good\_mplayer/mplayer/libmpdemux/aviheader.c:364:12
    #1 0x55e9886ecd1e in demux\_open\_avi /home/jlx/good\_mplayer/mplayer/libmpdemux/demux\_avi.c:464:3
    #2 0x55e9886ecd1e in demux\_open\_hack\_avi /home/jlx/good\_mplayer/mplayer/libmpdemux/demux\_avi.c:885:14
    #3 0x55e9886c5f97 in demux\_open /home/jlx/good\_mplayer/mplayer/libmpdemux/demuxer.c:1294:10
    #4 0x55e9884711f3 in main /home/jlx/good\_mplayer/mplayer/mencoder.c:707:11
    #5 0x7f4b98de10b2 in \_\_libc\_start\_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16

0x602000004370 is located 31 bytes to the right of 1-byte region \[0x602000004350,0x602000004351)
allocated by thread T0 here:
    #0 0x55e98843e43d in malloc (/home/jlx/good\_mplayer/asan\_mplayer/mencoder+0x1a643d)
    #1 0x55e9886ae994 in read\_avi\_header /home/jlx/good\_mplayer/mplayer/libmpdemux/aviheader.c:358:26
    #2 0x55e9886ecd1e in demux\_open\_avi /home/jlx/good\_mplayer/mplayer/libmpdemux/demux\_avi.c:464:3
    #3 0x55e9886ecd1e in demux\_open\_hack\_avi /home/jlx/good\_mplayer/mplayer/libmpdemux/demux\_avi.c:885:14
    #4 0x55e9886c5f97 in demux\_open /home/jlx/good\_mplayer/mplayer/libmpdemux/demuxer.c:1294:10
    #5 0x55e9884711f3 in main /home/jlx/good\_mplayer/mplayer/mencoder.c:707:11
    #6 0x7f4b98de10b2 in \_\_libc\_start\_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/jlx/good\_mplayer/mplayer/libmpdemux/aviheader.c:364:12 in read\_avi\_header
Shadow bytes around the buggy address:
  0x0c047fff8810: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 00
  0x0c047fff8820: fa fa 06 fa fa fa 06 fa fa fa 04 fa fa fa 04 fa
  0x0c047fff8830: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 00
  0x0c047fff8840: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 00
  0x0c047fff8850: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 00
=>0x0c047fff8860: fa fa 00 00 fa fa fd fd fa fa 01 fa fa fa\[fa\]fa
  0x0c047fff8870: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8880: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8890: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff88a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff88b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==6848==ABORTING

CVE-2022-38866: #2403 (A heap-buffer-overflow occurred in function read_avi_header() of libmpdemux/aviheader.c) – MPlayer

Certain The MPlayer Project products are vulnerable to Buffer Overflow via the function mp_unescape03() of libmpdemux/mpeg_hdr.c. This affects mencoder SVN-r38374-13.0.1 and mplayer SVN-r38374-13.0.1.

**#2406 closed defect (fixed)**

Reported by:

Owned by:

beastd

Priority:

normal

Component:

undetermined

Version:

HEAD

Severity:

major

Keywords:

Cc:

Blocked By:

Blocking:

Reproduced by developer:

no

Analyzed by developer:

no

Version: SVN-r38374-13.0.1  

Build command: ../configure --disable-ffmpeg\_a && make (compiling with asan)  

Summary of the bug: An heap-buffer-overflow is found in fucnction in mp\_unescape03() which affects mencoder and mplayer. The attached file can reproduce this issue (ASAN-recompilation is needed).  

How to reproduce:  

1.Command: ./mencoder -ovc lavc -oac lavc -o /dev/null ./testcase  

> ./mplayer ./testcase  

2.Result:  

MPlayer SVN-r38374-13.0.1 (C) 2000-2022 MPlayer Team

Playing /home/jlx/crashes/id^%000298,sig^%06,src^%003761,time^%206364090,execs^%10623748,op^%havoc,rep^%8.
libavformat version 58.29.100 (external)
MPEG-PS file format detected.
MPEG: No audio stream found -> no sound.
=================================================================
==22224==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000002d91 at pc 0x555555d38dcd bp 0x7fffffffc4a0 sp 0x7fffffffc498                                                                                                                                                                               WRITE of size 1 at 0x602000002d91 thread T0
    #0 0x555555d38dcc in mp\_unescape03 /home/jlx/good\_mplayer/mplayer/libmpdemux/mpeg\_hdr.c:394:13
    #1 0x555555d38dcc in h264\_parse\_sps /home/jlx/good\_mplayer/mplayer/libmpdemux/mpeg\_hdr.c:406:9

0x602000002d91 is located 0 bytes to the right of 1-byte region \[0x602000002d90,0x602000002d91)                                                                                                                                                                                                                         allocated by thread T0 here:
    #0 0x5555558971cd in malloc (/home/jlx/good\_mplayer/asan\_mplayer/mplayer+0x3431cd)
    #1 0x555555d34e40 in h264\_parse\_sps /home/jlx/good\_mplayer/mplayer/libmpdemux/mpeg\_hdr.c:404:18                                                                                                                                                                                                                     
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/jlx/good\_mplayer/mplayer/libmpdemux/mpeg\_hdr.c:394:13 in mp\_unescape03                                                                                                                                                                                            Shadow bytes around the buggy address:
  0x0c047fff8560: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 00
  0x0c047fff8570: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 00
  0x0c047fff8580: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 00
  0x0c047fff8590: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 00
  0x0c047fff85a0: fa fa 00 00 fa fa 00 00 fa fa 06 fa fa fa fd fd
=>0x0c047fff85b0: fa fa\[01\]fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff85c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff85d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff85e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff85f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8600: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==22224==ABORTING

CVE-2022-38864: #2406 (A heap-buffer-overflow occurred in function mp_unescape03() of libmpdemux/mpeg_hdr.c) – MPlayer

Certain The MPlayer Project products are vulnerable to Buffer Overflow via function mp_getbits() of libmpdemux/mpeg_hdr.c which affects mencoder and mplayer. This affects mecoder SVN-r38374-13.0.1 and mplayer SVN-r38374-13.0.1.

**#2405 closed defect (fixed)**

Reported by:

Owned by:

beastd

Priority:

normal

Component:

undetermined

Version:

HEAD

Severity:

major

Keywords:

Cc:

Blocked By:

Blocking:

Reproduced by developer:

no

Analyzed by developer:

no

Version: SVN-r38374-13.0.1  

Build command: ../configure --disable-ffmpeg\_a && make (compiling with asan)  

Summary of the bug: An heap-buffer-overflow is found in fucnction mp\_getbits() which affects mencoder and mplayer. The attached file can reproduce this issue (ASAN-recompilation is needed).  

How to reproduce:  

1.Command: ./mencoder -ovc lavc -oac lavc -o /dev/null ./testcase  

> ./mplayer ./testcase  

2.Result:  

MPlayer SVN-r38374-13.0.1 (C) 2000-2022 MPlayer Team

Playing /home/jlx/crashes/id^%000297,sig^%06,src^%003761,time^%206342676,execs^%10621452,op^%havoc,rep^%8.
libavformat version 58.29.100 (external)
MPEG-PS file format detected.
MPEG: No audio stream found -> no sound.
=================================================================
==1487==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000002d98 at pc 0x555555d3906e bp 0x7fffffffc4a0 sp 0x7fffffffc498
READ of size 1 at 0x602000002d98 thread T0
    #0 0x555555d3906d in mp\_getbits /home/jlx/good\_mplayer/mplayer/libmpdemux/mpeg\_hdr.c:174:12
    #1 0x555555d3906d in read\_golomb /home/jlx/good\_mplayer/mplayer/libmpdemux/mpeg\_hdr.c:296:10
    #2 0x555555d3906d in read\_golomb\_s /home/jlx/good\_mplayer/mplayer/libmpdemux/mpeg\_hdr.c:314:20
    #3 0x555555d3906d in h264\_parse\_sps /home/jlx/good\_mplayer/mplayer/libmpdemux/mpeg\_hdr.c:424:22

0x602000002d98 is located 0 bytes to the right of 8-byte region \[0x602000002d90,0x602000002d98)
allocated by thread T0 here:
    #0 0x5555558971cd in malloc (/home/jlx/good\_mplayer/asan\_mplayer/mplayer+0x3431cd)
    #1 0x555555d34e40 in h264\_parse\_sps /home/jlx/good\_mplayer/mplayer/libmpdemux/mpeg\_hdr.c:404:18

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/jlx/good\_mplayer/mplayer/libmpdemux/mpeg\_hdr.c:174:12 in mp\_getbits
Shadow bytes around the buggy address:
  0x0c047fff8560: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 00
  0x0c047fff8570: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 00
  0x0c047fff8580: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 00
  0x0c047fff8590: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 00
  0x0c047fff85a0: fa fa 00 00 fa fa 00 00 fa fa 06 fa fa fa fd fd
=>0x0c047fff85b0: fa fa 00\[fa\]fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff85c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff85d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff85e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff85f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8600: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==1487==ABORTING

Tag

#ibm