[CVE ID]
CVE-2020-26664

[PRODUCT]
VLC is a free and open source cross-platform multimedia player and framework that plays most multimedia files as well as DVDs, Audio CDs, VCDs, and various streaming protocols.

[AFFECTED VERSION]
VLC media player 3.0.11 and earlier versions.

[PROBLEM TYPE]
heap-buffer-overflow read

[DESCRIPTION]
A vulnerability in EbmlTypeDispatcher::send in VideoLAN VLC media player 3.0.11 allows attackers to trigger a heap-based buffer overflow via a crafted .mkv file.

[TECHNICAL DETAILS]
VLC media player uses libmatroska and libebml to demux .mkv files. VLC media player crashes while processing a crafted .mkv file; the crash is a heap buffer overflow, an out-of-bounds read of 8 bytes. AddressSanitizer report (shadow byte dump and legend omitted):

./vlc -I dummy --play-and-exit tests_3e73513ca249c376fae82ca19b2c62a3e500f68e
VLC media player 4.0.0-dev Otto Chriek (revision 33226d2)
[000060600007c3a0] dummy interface: using the dummy interface module...
=================================================================
==3816222==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200003e8b0 at pc 0x7f1e81a15b3f bp 0x7f1e84955170 sp 0x7f1e84955168
READ of size 8 at 0x60200003e8b0 thread T5
[000061100009b900] mkv demux error: No tracks supported
    #0 0x7f1e81a15b3e in (anonymous namespace)::EbmlTypeDispatcher::send(libebml::EbmlElement* const&, void*) const /home/henices/tests/vlc-code/modules/demux/mkv/Ebml_dispatcher.hpp:74:14
    #1 0x7f1e81998aa6 in void (anonymous namespace)::Dispatcher<(anonymous namespace)::EbmlTypeDispatcher, void (*)(libebml::EbmlElement*, void*)>::iterate<__gnu_cxx::__normal_iterator > > >(__gnu_cxx::__normal_iterator > >, __gnu_cxx::__normal_iterator > >, void* const&) const /home/henices/tests/vlc-code/modules/demux/mkv/dispatcher.hpp:44:50
    #2 0x7f1e8199853f in mkv::matroska_segment_c::ParseTracks(libmatroska::KaxTracks*) /home/henices/tests/vlc-code/modules/demux/mkv/matroska_segment_parse.cpp:1099:33
    #3 0x7f1e81956cb0 in mkv::matroska_segment_c::LoadSeekHeadItem(libebml::EbmlCallbacks const&, long) /home/henices/tests/vlc-code/modules/demux/mkv/matroska_segment.cpp:737:13
    #4 0x7f1e819942ac in mkv::matroska_segment_c::ParseSeekHead(libmatroska::KaxSeekHead*) /home/henices/tests/vlc-code/modules/demux/mkv/matroska_segment_parse.cpp:170:21
    #5 0x7f1e8194f68f in mkv::matroska_segment_c::Preload() /home/henices/tests/vlc-code/modules/demux/mkv/matroska_segment.cpp:590:17
    #6 0x7f1e81a4e53d in mkv::demux_sys_t::AnalyseAllSegmentsFound(stream_t*, mkv::matroska_stream_c*) /home/henices/tests/vlc-code/modules/demux/mkv/demux.cpp:109:25
    #7 0x7f1e81b0c04e in mkv::Open(vlc_object_t*) /home/henices/tests/vlc-code/modules/demux/mkv/mkv.cpp:136:17
    #8 0x7f1e9ff230ec in demux_Probe /home/henices/tests/vlc-code/src/input/demux.c:180:15
    #9 0x7f1e9fe8c318 in module_load /home/henices/tests/vlc-code/src/modules/modules.c:212:15
    #10 0x7f1e9fe8b01b in vlc_module_load /home/henices/tests/vlc-code/src/modules/modules.c:265:19
    #11 0x7f1e9ff224ad in demux_NewAdvanced /home/henices/tests/vlc-code/src/input/demux.c:248:20
    #12 0x7f1e9ff9be92 in InputDemuxNew /home/henices/tests/vlc-code/src/input/input.c:2519:22
    #13 0x7f1e9ff92187 in InputSourceInit /home/henices/tests/vlc-code/src/input/input.c:2653:27
    #14 0x7f1e9ff8c9ba in Init /home/henices/tests/vlc-code/src/input/input.c:1282:15
    #15 0x7f1e9ff878c7 in Preparse /home/henices/tests/vlc-code/src/input/input.c:495:10
    #16 0x7f1e9fa9e431 in start_thread (/lib64/libpthread.so.0+0x9431)
    #17 0x7f1e9f99d912 in clone (/lib64/libc.so.6+0x101912)

0x60200003e8b2 is located 0 bytes to the right of 2-byte region [0x60200003e8b0,0x60200003e8b2)
allocated by thread T5 here:
    #0 0x497b5d in malloc /tmp/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:145:3
    #1 0x7f1e818815b7 in libebml::EbmlBinary::ReadData(libebml::IOCallback&, libebml::ScopeMode) (/lib64/libebml.so.5+0xf5b7)

Thread T5 created by T4 here:
    #0 0x481f2a in pthread_create /tmp/llvm-project/compiler-rt/lib/asan/asan_interceptors.cpp:214:3
    #1 0x7f1ea0194a6e in vlc_clone_attr /home/henices/tests/vlc-code/src/posix/thread.c:208:11
    #2 0x7f1ea01946e4 in vlc_clone /home/henices/tests/vlc-code/src/posix/thread.c:221:12
    #3 0x7f1e9ff87429 in input_Start /home/henices/tests/vlc-code/src/input/input.c:178:25
    #4 0x7f1e9feedbb9 in input_item_Parse /home/henices/tests/vlc-code/src/input/item.c:1416:27
    #5 0x7f1e9fedae6a in PreparserOpenInput /home/henices/tests/vlc-code/src/preparser/preparser.c:136:20
    #6 0x7f1ea010bdfe in Thread /home/henices/tests/vlc-code/src/misc/background_worker.c:231:13
    #7 0x7f1e9fa9e431 in start_thread (/lib64/libpthread.so.0+0x9431)

Thread T4 created by T0 here:
    #0 0x481f2a in pthread_create /tmp/llvm-project/compiler-rt/lib/asan/asan_interceptors.cpp:214:3
    #1 0x7f1ea0194a6e in vlc_clone_attr /home/henices/tests/vlc-code/src/posix/thread.c:208:11
    #2 0x7f1ea0194faa in vlc_clone_detach /home/henices/tests/vlc-code/src/posix/thread.c:262:12
    #3 0x7f1ea010a491 in SpawnThread /home/henices/tests/vlc-code/src/misc/background_worker.c:274:9
    #4 0x7f1ea0109f6a in background_worker_Push /home/henices/tests/vlc-code/src/misc/background_worker.c:302:9
    #5 0x7f1e9fedbefc in input_preparser_Push /home/henices/tests/vlc-code/src/preparser/preparser.c:293:9
    #6 0x7f1e9fe2117a in vlc_MetadataRequest /home/henices/tests/vlc-code/src/libvlc.c:464:5
    #7 0x7f1e9fec3373 in vlc_playlist_Preparse /home/henices/tests/vlc-code/src/playlist/preparse.c:123:5
    #8 0x7f1e9fec3484 in vlc_playlist_AutoPreparse /home/henices/tests/vlc-code/src/playlist/preparse.c:134:9
    #9 0x7f1e9feb2f4b in vlc_playlist_ItemsInserted /home/henices/tests/vlc-code/src/playlist/content.c:82:9
    #10 0x7f1e9feb1d6c in vlc_playlist_Insert /home/henices/tests/vlc-code/src/playlist/content.c:285:5
    #11 0x7f1e9feae7ed in vlc_playlist_InsertOne /home/henices/tests/vlc-code/src/../include/vlc_playlist.h:458:12
    #12 0x7f1e9feae65f in intf_InsertItem /home/henices/tests/vlc-code/src/interface/interface.c:218:19
    #13 0x7f1e9fe20ec4 in GetFilenames /home/henices/tests/vlc-code/src/libvlc.c:446:9
    #14 0x7f1e9fe1f6b0 in libvlc_InternalInit /home/henices/tests/vlc-code/src/libvlc.c:302:5
    #15 0x7f1ea0387532 in libvlc_new /home/henices/tests/vlc-code/lib/core.c:56:9
    #16 0x4c7fca in main /home/henices/tests/vlc-code/bin/vlc.c:229:30
    #17 0x7f1e9f8c3041 in __libc_start_main (/lib64/libc.so.6+0x27041)

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/henices/tests/vlc-code/modules/demux/mkv/Ebml_dispatcher.hpp:74:14 in (anonymous namespace)::EbmlTypeDispatcher::send(libebml::EbmlElement* const&, void*) const
==3816222==ABORTING

[Reporter]
Zhen Zhou of NSFOCUS Security Team

[Solution]
Update VLC media player to 3.0.12 or a newer version.

[References]
http://www.videolan.org/
http://git.videolan.org/?p=vlc.git
https://code.videolan.org/videolan/vlc-3.0/-/commit/ec1f55ee9ace5cc675395a1bc9700d99679e7e8c

[Disclosure Timeline]
2020-09-17 - Issue reported to vendor
2020-09-17 - Vendor responded and confirmed the issue
2020-09-18 - Vendor fixed the issue
2020-12-16 - Vendor tagged version 3.0.12
2020-12-31 - CVE Team RESERVED CVE-2020-26664 for this issue
2021-01-08 - Public release
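The trace in the technical details shows an 8-byte read landing at the start of a 2-byte region that libebml::EbmlBinary::ReadData allocated, while the dispatcher is walking the children of what ParseTracks treats as a Tracks master element; the advisory itself does not state the root cause. The following is an added illustrative example, not VLC, libebml, or the 3.0.12 fix: minimal stand-ins for the libebml element classes (the IsMaster() query and both checks are assumptions) showing the two guards a defensive EBML dispatcher applies before touching an element's memory.

```cpp
// Added illustrative example: not VLC, libebml, or the 3.0.12 fix. The structs are
// minimal stand-ins for libebml's EbmlElement/EbmlMaster/EbmlBinary; IsMaster() and
// the two checks below are assumptions about what a defensive dispatcher needs.
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <optional>
#include <vector>

struct EbmlElement {
    virtual ~EbmlElement() = default;
    virtual bool IsMaster() const { return false; }   // assumed runtime-type query
};
struct EbmlMaster : EbmlElement {                     // container of child elements
    std::vector<EbmlElement*> children;
    bool IsMaster() const override { return true; }
};
struct EbmlBinary : EbmlElement {                     // leaf: raw payload from ReadData()
    std::vector<uint8_t> data;
};

// Check 1: a fixed-width read from a binary payload must fit inside the payload.
// In the advisory's trace the payload is 2 bytes and the faulting read is 8 bytes.
std::optional<uint64_t> read_uint_checked(const EbmlBinary& e, size_t width) {
    if (width == 0 || width > 8 || e.data.size() < width) return std::nullopt;
    uint64_t v = 0;
    for (size_t i = 0; i < width; ++i) v = (v << 8) | e.data[i];   // big-endian
    return v;
}

// Check 2: only walk the child list of an element that really is a master.
// Returns the number of non-null children dispatched, or -1 if 'e' is not a master.
int count_dispatched_children(const EbmlElement& e) {
    if (!e.IsMaster()) return -1;                     // e.g. a binary element: no child list
    const auto& m = static_cast<const EbmlMaster&>(e);
    int n = 0;
    for (const EbmlElement* child : m.children)
        if (child != nullptr) ++n;
    return n;
}

int main() {
    EbmlBinary two_bytes;                             // constructed sample, like the trace's region
    two_bytes.data = {0x12, 0x34};
    std::printf("8-byte read allowed: %d\n", read_uint_checked(two_bytes, 8).has_value());
    std::printf("children of binary:  %d\n", count_dispatched_children(two_bytes));
    EbmlMaster tracks;
    tracks.children = {&two_bytes, nullptr};
    std::printf("children of master:  %d\n", count_dispatched_children(tracks));
    return 0;
}
```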