src/MediaInfoLib/Source/MediaInfo/Video/File_Vc1.cpp:293 Invalid Array Index Leading to SEGV in MediaInfoLib::File_Vc1::Streams_Fill
Description:
When processing a crafted VC-1 sample, MediaInfo crashes in MediaInfoLib::File_Vc1::Streams_Fill() at src/MediaInfoLib/Source/MediaInfo/Video/File_Vc1.cpp:293.
Streams_Fill() uses the bitstream-controlled fields AspectRatio, profile, and colordiff_format as raw indices into three separate fixed-size lookup tables (one const float32[16] and two const char*[4]) without validating any of them. The fatal access is at line 293:
Fill(Stream_Video, 0, Video_ChromaSubsampling, Vc1_ChromaSubsamplingFormat[colordiff_format]);
Vc1_ChromaSubsamplingFormat has four entries. With the crafted sample, colordiff_format (and likewise AspectRatio and profile) holds 190, which UBSAN flags in sequence at lines 279 (Vc1_PixelAspectRatio[AspectRatio]), 287 (Vc1_Profile[profile]), and 293. The garbage const char* read from Vc1_ChromaSubsamplingFormat[190] is a near-zero address (0x3 in the register dump below); when it reaches strlen() inside Ztring::From_UTF8(), the process faults.
Two details are worth checking during triage. First, 190 is 0xBE, the byte AddressSanitizer writes into freshly allocated memory, and three independent fields all reading 190 is hard to produce from a parsed sequence header. Second, the trace shows Streams_Fill() reached from File_Mpeg4::Streams_Finish() through Fill(File__Analyze*) during ForceFinish()/Open_Buffer_Finalize(), i.e. the container finalizing its embedded VC-1 parser. Both are consistent with the fields never having been assigned before the fill, which would add a second fix (skip filling when no sequence header was parsed) on top of the bounds checks; the missing range validation at lines 279, 287 and 293 is the bug either way.
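As an added example (not MediaInfo's code), the unchecked lookup pattern from lines 279/287/293 beside a bounds-checked version of the same fill. The *_demo tables, their contents, and the struct and function names are assumptions made for this illustration; only the table sizes follow the UBSAN output.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <string>

// Added example, not MediaInfo code. The *_demo tables stand in for the three
// tables the report names; sizes match the UBSAN output, contents are made up.
static const float Vc1_PixelAspectRatio_demo[16] = {
    0.0f, 1.0f, 12.0f / 11.0f, 10.0f / 11.0f, 16.0f / 11.0f, 40.0f / 33.0f,
    24.0f / 11.0f, 20.0f / 11.0f, 32.0f / 11.0f, 80.0f / 33.0f, 18.0f / 11.0f,
    15.0f / 11.0f, 64.0f / 33.0f, 160.0f / 99.0f, 0.0f, 0.0f};
static const char* const Vc1_Profile_demo[4] = {"Simple", "Main", "", "Advanced"};
static const char* const Vc1_ChromaSubsamplingFormat_demo[4] = {"", "4:2:0", "4:2:2", "4:4:4"};

// The three header fields, stored as 8-bit values (assumed layout).
struct Vc1SeqHeaderDemo {
    std::uint8_t AspectRatio;
    std::uint8_t profile;
    std::uint8_t colordiff_format;
};

// What Streams_Fill() ends up publishing for the video stream.
struct VideoFieldsDemo {
    float pixel_aspect_ratio;
    std::string format_profile;
    std::string chroma_subsampling;
    bool all_in_range;  // false if any index was rejected
};

// Bounds-checked table lookup. N is deduced from the array type, so the check
// cannot drift from the table's real size when entries are added or removed.
template <typename T, std::size_t N>
static bool checked_lookup(const T (&table)[N], std::size_t index, T& out) {
    if (index >= N) return false;
    out = table[index];
    return true;
}

// Mirrors Fill(Stream_Video, ..., const char*): Ztring::From_UTF8 calls
// strlen() on the pointer, which is where a garbage pointer faults.
static std::string to_value(const char* s) { return s ? std::string(s) : std::string(); }

// Vulnerable shape, as at File_Vc1.cpp:279/287/293: raw indexing with no
// range check. Never call this with out-of-range fields; that is UB.
VideoFieldsDemo streams_fill_unchecked(const Vc1SeqHeaderDemo& h) {
    VideoFieldsDemo v{0.0f, "", "", true};
    v.pixel_aspect_ratio = Vc1_PixelAspectRatio_demo[h.AspectRatio];
    v.format_profile = to_value(Vc1_Profile_demo[h.profile]);
    v.chroma_subsampling = to_value(Vc1_ChromaSubsamplingFormat_demo[h.colordiff_format]);
    return v;
}

// Hardened shape: each index is validated against its own table. A rejected
// index leaves that field empty (or 0) and clears all_in_range so the caller
// can decide whether to publish the stream at all.
VideoFieldsDemo streams_fill_checked(const Vc1SeqHeaderDemo& h) {
    VideoFieldsDemo v{0.0f, "", "", true};
    float par = 0.0f;
    const char* s = nullptr;
    if (checked_lookup(Vc1_PixelAspectRatio_demo, h.AspectRatio, par))
        v.pixel_aspect_ratio = par;
    else
        v.all_in_range = false;
    if (checked_lookup(Vc1_Profile_demo, h.profile, s))
        v.format_profile = to_value(s);
    else
        v.all_in_range = false;
    if (checked_lookup(Vc1_ChromaSubsamplingFormat_demo, h.colordiff_format, s))
        v.chroma_subsampling = to_value(s);
    else
        v.all_in_range = false;
    return v;
}

int main() {
    // Constructed inputs: a well-formed header and the 190/190/190 case from the report.
    const Vc1SeqHeaderDemo good{1, 3, 1};
    const Vc1SeqHeaderDemo crafted{190, 190, 190};
    const VideoFieldsDemo g = streams_fill_checked(good);
    const VideoFieldsDemo c = streams_fill_checked(crafted);
    std::printf("good:    profile=\"%s\" chroma=\"%s\" par=%.3f in_range=%d\n",
                g.format_profile.c_str(), g.chroma_subsampling.c_str(),
                g.pixel_aspect_ratio, g.all_in_range);
    std::printf("crafted: profile=\"%s\" chroma=\"%s\" par=%.3f in_range=%d\n",
                c.format_profile.c_str(), c.chroma_subsampling.c_str(),
                c.pixel_aspect_ratio, c.all_in_range);
    return 0;
}
```

The checked variant deliberately reports a rejected index instead of silently substituting a default, so a caller can distinguish "never parsed" from "parsed as 0"; a fix in the real parser should also keep the table size and the check in one place, as the array-reference template does here.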
Output:
asan-build:
/run/media/user/81c71df6-ca99-4d27-a7b6-55107e347080/mediainfo/src/MediaInfoLib/Source/MediaInfo/Video/File_Vc1.cpp:279:26: runtime error: index 190 out of bounds for type 'const float32[16]' (aka 'const float[16]')
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /run/media/user/81c71df6-ca99-4d27-a7b6-55107e347080/mediainfo/src/MediaInfoLib/Source/MediaInfo/Video/File_Vc1.cpp:279:26
/run/media/user/81c71df6-ca99-4d27-a7b6-55107e347080/mediainfo/src/MediaInfoLib/Source/MediaInfo/Video/File_Vc1.cpp:287:17: runtime error: index 190 out of bounds for type 'const char *[4]'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /run/media/user/81c71df6-ca99-4d27-a7b6-55107e347080/mediainfo/src/MediaInfoLib/Source/MediaInfo/Video/File_Vc1.cpp:287:17
/run/media/user/81c71df6-ca99-4d27-a7b6-55107e347080/mediainfo/src/MediaInfoLib/Source/MediaInfo/Video/File_Vc1.cpp:293:52: runtime error: index 190 out of bounds for type 'const char *[4]'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /run/media/user/81c71df6-ca99-4d27-a7b6-55107e347080/mediainfo/src/MediaInfoLib/Source/MediaInfo/Video/File_Vc1.cpp:293:52
AddressSanitizer:DEADLYSIGNAL
=================================================================
==900278==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000003 (pc 0x7f281b17d0d9 bp 0x7ffe26eeee20 sp 0x7ffe26eee5d8 T0)
==900278==The signal is caused by a READ memory access.
==900278==Hint: address points to the zero page.
#0 0x7f281b17d0d9 in __strlen_avx2_rtm string/../sysdeps/x86_64/multiarch/strlen-avx2.S:76
#1 0x55b49e994547 in strlen (/run/media/user/81c71df6-ca99-4d27-a7b6-55107e347080/mediainfo/runtime/fuzz_harness/fuzz_mediainfo_asan+0x232b547) (BuildId: bea5f1543242f0d0639eacc3bc8ac2978314c4a4)
#2 0x55b4a17ddcf0 in ZenLib::Ztring::From_UTF8(char const*, unsigned long, unsigned long) /run/media/user/81c71df6-ca99-4d27-a7b6-55107e347080/mediainfo/src/ZenLib/Source/ZenLib/Ztring.cpp:408:16
#3 0x55b49ebf29d8 in ZenLib::Ztring::From_UTF8(char const*, unsigned long) /run/media/user/81c71df6-ca99-4d27-a7b6-55107e347080/mediainfo/src/MediaInfoLib/Project/CMake/../../../ZenLib/Source/ZenLib/Ztring.h:91:89
#4 0x55b49ebf1b48 in MediaInfoLib::File__Analyze::Fill(MediaInfoLib::stream_t, unsigned long, unsigned long, char const*, unsigned long, bool, bool) /run/media/user/81c71df6-ca99-4d27-a7b6-55107e347080/mediainfo/src/MediaInfoLib/Project/CMake/../../Source/MediaInfo/File__Analyze.h:1162:226
#5 0x55b4a0eb8763 in MediaInfoLib::File_Vc1::Streams_Fill() /run/media/user/81c71df6-ca99-4d27-a7b6-55107e347080/mediainfo/src/MediaInfoLib/Source/MediaInfo/Video/File_Vc1.cpp:293:5
#6 0x55b4a103c451 in MediaInfoLib::File__Analyze::Fill(char const*) /run/media/user/81c71df6-ca99-4d27-a7b6-55107e347080/mediainfo/src/MediaInfoLib/Source/MediaInfo/File__Analyze.cpp:3569:5
#7 0x55b4a107ceae in MediaInfoLib::File__Analyze::Fill(MediaInfoLib::File__Analyze*) /run/media/user/81c71df6-ca99-4d27-a7b6-55107e347080/mediainfo/src/MediaInfoLib/Source/MediaInfo/File__Analyze.cpp:3586:13
#8 0x55b49fc55730 in MediaInfoLib::File_Mpeg4::Streams_Finish() /run/media/user/81c71df6-ca99-4d27-a7b6-55107e347080/mediainfo/src/MediaInfoLib/Source/MediaInfo/Multiple/File_Mpeg4.cpp:983:17
#9 0x55b4a1025080 in MediaInfoLib::File__Analyze::ForceFinish(char const*) /run/media/user/81c71df6-ca99-4d27-a7b6-55107e347080/mediainfo/src/MediaInfoLib/Source/MediaInfo/File__Analyze.cpp:3672:9
#10 0x55b4a1039c37 in MediaInfoLib::File__Analyze::Open_Buffer_Finalize(bool) /run/media/user/81c71df6-ca99-4d27-a7b6-55107e347080/mediainfo/src/MediaInfoLib/Source/MediaInfo/File__Analyze.cpp:1732:9
#11 0x55b4a129dc75 in MediaInfoLib::File__MultipleParsing::Read_Buffer_Continue() /run/media/user/81c71df6-ca99-4d27-a7b6-55107e347080/mediainfo/src/MediaInfoLib/Source/MediaInfo/File__MultipleParsing.cpp:952:26
#12 0x55b4a101dd6c in MediaInfoLib::File__Analyze::Open_Buffer_Continue_Loop() /run/media/user/81c71df6-ca99-4d27-a7b6-55107e347080/mediainfo/src/MediaInfoLib/Source/MediaInfo/File__Analyze.cpp:1501:5
#13 0x55b4a101110b in MediaInfoLib::File__Analyze::Open_Buffer_Continue(unsigned char const*, unsigned long) /run/media/user/81c71df6-ca99-4d27-a7b6-55107e347080/mediainfo/src/MediaInfoLib/Source/MediaInfo/File__Analyze.cpp:1114:16
#14 0x55b49ebba057 in MediaInfoLib::MediaInfo_Internal::Open_Buffer_Continue(unsigned char const*, unsigned long) /run/media/user/81c71df6-ca99-4d27-a7b6-55107e347080/mediainfo/src/MediaInfoLib/Source/MediaInfo/MediaInfo_Internal.cpp:1723:11
#15 0x55b49ea60ebb in MediaInfoLib::MediaInfo::Open_Buffer_Continue(unsigned char const*, unsigned long) /run/media/user/81c71df6-ca99-4d27-a7b6-55107e347080/mediainfo/src/MediaInfoLib/Source/MediaInfo/MediaInfo.cpp:110:22
#16 0x55b49ea6012f in run_one(MediaInfoLib::MediaInfo&, unsigned char const*, unsigned long) /run/media/user/81c71df6-ca99-4d27-a7b6-55107e347080/mediainfo/runtime/fuzz_harness/fuzz_mediainfo.cpp:53:28
#17 0x55b49ea6012f in main /run/media/user/81c71df6-ca99-4d27-a7b6-55107e347080/mediainfo/runtime/fuzz_harness/fuzz_mediainfo.cpp:101:5
#18 0x7f281b033f74 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#19 0x7f281b034026 in __libc_start_main csu/../csu/libc-start.c:360:3
#20 0x55b49e97c830 in _start (/run/media/user/81c71df6-ca99-4d27-a7b6-55107e347080/mediainfo/runtime/fuzz_harness/fuzz_mediainfo_asan+0x2313830) (BuildId: bea5f1543242f0d0639eacc3bc8ac2978314c4a4)
==900278==Register values:
rax = 0x0000000000000003 rbx = 0x0000000026eeef01 rcx = 0x0000000000000001 rdx = 0x0000000000000003
rdi = 0x0000000000000003 rsi = 0x0000000000000003 rbp = 0x00007ffe26eeee20 rsp = 0x00007ffe26eee5d8
r8 = 0x0000000000000000 r9 = 0x00007fffffffff01 r10 = 0x000051d000026201 r11 = 0x0000000000000246
r12 = 0x000051b000000080 r13 = 0x0000000000000600 r14 = 0x0000000000000003 r15 = 0x000051b000000080
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV string/../sysdeps/x86_64/multiarch/strlen-avx2.S:76 in __strlen_avx2_rtm
==900278==ABORTING
Environment
OS: Linux rack1 6.19.14+kali-amd64 #1 SMP PREEMPT_DYNAMIC Kali 6.19.14-1+kali1 (2026-05-05) x86_64 GNU/Linux ;
Compiler version: Debian clang version 21.1.8 (3+b1) ;
Build-opts: -fsanitize=address,undefined -g ;
CPU type: x86_64 ;
MediaInfo - commit hash c1b98df276b93c95849380248e82acb8554def26 ;
MediaInfo version - 26.01 ;
Additional context
sample:
mediainfo_8
Screenshot
