heap use-after-free when parsing malformed file
When running mkvinfo on the attached file (uaf.mkv), the program segfaults. Running with ASAN (thanks for integrating this option in your configure script!), we see this as a heap-use-after-free:
$ src/mkvinfo uaf.mkv
+ EBML head
|+ EBML version: 1
|+ EBML read version: 1
|+ Maximum EBML ID length: 4
|+ Maximum EBML size length: 8
|+ Document type: matroska
|+ Document type version: 4
|+ (Unknown element: DummyElement; ID: 0x4220 size: 4)
+ Segment: size 129
|+ Seek head (subentries will be skipped)
=================================================================
==3450434==ERROR: AddressSanitizer: heap-use-after-free on address 0x60f000002a70 at pc 0x56503002594f bp 0x7fffa1be42c0 sp 0x7fffa1be42b0
READ of size 8 at 0x60f000002a70 thread T0
#0 0x56503002594e in kax_file_c::read_one_element() src/common/kax_file.cpp:170
#1 0x56503002356d in kax_file_c::read_next_level1_element_internal(unsigned int) src/common/kax_file.cpp:104
#2 0x5650300216bd in kax_file_c::read_next_level1_element(unsigned int, bool) src/common/kax_file.cpp:48
#3 0x56502fe6ff2f in mtx::kax_info_c::handle_segment(libebml::EbmlElement*) src/common/kax_info.cpp:1092
#4 0x56502fe72703 in mtx::kax_info_c::process_file() src/common/kax_info.cpp:1242
#5 0x56502fe732ce in mtx::kax_info_c::open_and_process_file() src/common/kax_info.cpp:1298
#6 0x56502fe72bf9 in mtx::kax_info_c::open_and_process_file(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) src/common/kax_info.cpp:1261
#7 0x56502fd0ac39 in main src/info/mkvinfo.cpp:55
#8 0x7f62448c00b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
#9 0x56502fcfbebd in _start (/home/nate/mkv-checkup/mkvtoolnix/src/mkvinfo+0xe3ebd)
I've attached the full ASAN output (use-after-free-asan.txt.txt). Valgrind will also catch this. This file was generated while fuzzing with AFL. I've marked the issue as confidential, as a use-after-free could be a security issue.
Edited by Moritz Bunkus
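For triaging reports like the one above (and the many near-duplicates a fuzzer such as AFL produces), it helps to turn the AddressSanitizer text into structured fields and a de-duplication fingerprint. The following Python is an added example, not code from this report or from MKVToolNix; its sample input is the sanitizer excerpt quoted above, embedded inline. It assumes that frames whose source path is relative (such as `src/common/kax_file.cpp`) belong to the project and that absolute or module-only frames (libc, `_start`) do not.

```python
"""Parse an AddressSanitizer report into structured fields for crash triage."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Sample input: the AddressSanitizer excerpt quoted in the bug report above.
SAMPLE_REPORT = """\
=================================================================
==3450434==ERROR: AddressSanitizer: heap-use-after-free on address 0x60f000002a70 at pc 0x56503002594f bp 0x7fffa1be42c0 sp 0x7fffa1be42b0
READ of size 8 at 0x60f000002a70 thread T0
    #0 0x56503002594e in kax_file_c::read_one_element() src/common/kax_file.cpp:170
    #1 0x56503002356d in kax_file_c::read_next_level1_element_internal(unsigned int) src/common/kax_file.cpp:104
    #2 0x5650300216bd in kax_file_c::read_next_level1_element(unsigned int, bool) src/common/kax_file.cpp:48
    #3 0x56502fe6ff2f in mtx::kax_info_c::handle_segment(libebml::EbmlElement*) src/common/kax_info.cpp:1092
    #4 0x56502fe72703 in mtx::kax_info_c::process_file() src/common/kax_info.cpp:1242
    #5 0x56502fe732ce in mtx::kax_info_c::open_and_process_file() src/common/kax_info.cpp:1298
    #6 0x56502fe72bf9 in mtx::kax_info_c::open_and_process_file(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) src/common/kax_info.cpp:1261
    #7 0x56502fd0ac39 in main src/info/mkvinfo.cpp:55
    #8 0x7f62448c00b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
    #9 0x56502fcfbebd in _start (/home/nate/mkv-checkup/mkvtoolnix/src/mkvinfo+0xe3ebd)
"""

HEADER_RE = re.compile(r"^==(\d+)==ERROR: AddressSanitizer: ([\w-]+) on address (0x[0-9a-fA-F]+)")
ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+) at (0x[0-9a-fA-F]+) thread (T\d+)")
FRAME_RE = re.compile(r"^#(\d+) (0x[0-9a-fA-F]+) in (.+)$")
SRC_LOC_RE = re.compile(r"^(.+):(\d+)$")            # path/to/file.cpp:170
MOD_LOC_RE = re.compile(r"^\((.+)\+0x([0-9a-fA-F]+)\)$")  # (libc.so.6+0x270b2)


@dataclass
class Frame:
    index: int
    pc: int
    function: str
    file: Optional[str] = None
    line: Optional[int] = None
    module: Optional[str] = None
    offset: Optional[int] = None


@dataclass
class AsanReport:
    pid: int
    kind: str
    address: int
    access: Optional[str] = None
    size: Optional[int] = None
    thread: Optional[str] = None
    frames: List[Frame] = field(default_factory=list)  # the faulting stack only


def _parse_frame(m: "re.Match[str]") -> Frame:
    index, pc, rest = int(m.group(1)), int(m.group(2), 16), m.group(3)
    # The location is the last space-separated token; the signature before it
    # may itself contain spaces ("unsigned int", template arguments).
    function, _, location = rest.rpartition(" ")
    frame = Frame(index=index, pc=pc, function=function)
    if (src_m := SRC_LOC_RE.match(location)):
        frame.file, frame.line = src_m.group(1), int(src_m.group(2))
    elif (mod_m := MOD_LOC_RE.match(location)):
        frame.module, frame.offset = mod_m.group(1), int(mod_m.group(2), 16)
    else:
        frame.function = rest  # no location at all (unsymbolised frame)
    return frame


def parse_asan_report(text: str) -> AsanReport:
    """Extract error kind, faulting access and the first (faulting) stack trace."""
    report: Optional[AsanReport] = None
    for raw in text.splitlines():
        line = raw.strip()
        if (m := HEADER_RE.match(line)):
            report = AsanReport(pid=int(m.group(1)), kind=m.group(2), address=int(m.group(3), 16))
        elif report is None:
            continue  # ordinary program output printed before the sanitizer banner
        elif (m := ACCESS_RE.match(line)):
            report.access, report.size, report.thread = m.group(1), int(m.group(2)), m.group(4)
        elif (m := FRAME_RE.match(line)):
            idx = int(m.group(1))
            if report.frames and idx != report.frames[-1].index + 1:
                break  # a second trace ("freed by", "allocated by") starts here
            report.frames.append(_parse_frame(m))
    if report is None:
        raise ValueError("no AddressSanitizer error banner found")
    return report


def crash_state(report: AsanReport, depth: int = 3) -> Tuple[str, ...]:
    """De-duplication fingerprint: top `depth` project function names, parameters dropped.
    Assumption: project sources have relative paths; absolute paths and bare modules are skipped."""
    names: List[str] = []
    for f in report.frames:
        if f.file is None or f.file.startswith("/"):
            continue
        names.append(f.function.split("(", 1)[0])
        if len(names) == depth:
            break
    return tuple(names)


def summarize(report: AsanReport) -> str:
    """One-line triage summary suitable for an issue title or a dedup log."""
    top = report.frames[0] if report.frames else None
    where = f"{top.function} ({top.file}:{top.line})" if top and top.file else "unknown frame"
    return f"{report.kind}: {report.access} of {report.size} bytes at {report.address:#x}, top frame {where}"


if __name__ == "__main__":
    rep = parse_asan_report(SAMPLE_REPORT)
    print(summarize(rep))
    print("crash state:", " | ".join(crash_state(rep)))
```

Two fuzzer crashes with the same `crash_state` tuple are almost always the same root cause, so the fingerprint lets a triager file one issue rather than dozens; the parsed `kind` and `access` fields also make it easy to prioritise writes and use-after-free reports over, say, leaks.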