Wireshark-bugs: [Wireshark-bugs] [Bug 6407] New: SDP dissector failure caused by slightly malfor

Date: Thu, 29 Sep 2011 07:27:31 -0700 (PDT)
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=6407

           Summary: SDP dissector failure caused by slightly malformed
                    sprops-parameter-sets (H.264)
           Product: Wireshark
           Version: 1.6.2
          Platform: x86-64
        OS/Version: Windows 7
            Status: NEW
          Severity: Normal
          Priority: Low
         Component: Wireshark
        AssignedTo: bugzilla-admin@xxxxxxxxxxxxx
        ReportedBy: c.caughie@xxxxxxxxxxxxxxxx


Build Information:
wireshark 1.6.2 (SVN Rev 38942 from /releases/wireshark-1.6.2)

Copyright 1998-2011 Gerald Combs <gerald@xxxxxxxxxxxxx> and contributors.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled (32-bit) with GTK+ 2.22.1, with GLib 2.26.1, with WinPcap (version
unknown), with libz 1.2.5, without POSIX capabilities, without libpcre, with
SMI

0.4.8, with c-ares 1.7.1, with Lua 5.1, without Python, with GnuTLS 2.10.3,
with

Gcrypt 1.4.6, with MIT Kerberos, with GeoIP, with PortAudio V19-devel (built
Sep

29 2011), with AirPcap.

Running on 64-bit Windows 7 Service Pack 1, build 7601, with WinPcap version
4.1.2 (packet.dll version 4.1.0.2001), based on libpcap version 1.0 branch
1_0_rel0b (20091008), GnuTLS 2.10.3, Gcrypt 1.4.6, without AirPcap.

Built using Microsoft Visual C++ 9.0 build 21022

--
We have observed certain SDP files describing H.264 streams, in which the
sprops-parameter-sets parameter is slightly malformed; namely the SPS NALU has
an extra zero byte appended to the end.

This does not cause any problems to any real RTSP client that we have seen, but
Wireshark reports a malformed packet and does not display any lines of the SDP
file after the offending a=fmtp line.

It turns out this is caused by a simple buffer underrun in packet-h264.c; in
dissect_h264_nal_unit(), tvb_get_bits32 is called without first checking that
there are at least 4 bytes left in the buffer.

Fixing this unmasks another problem; the proto_tree_add_text calls in this
function pass the data starting _after_ the NALU type byte; if there is no
further data then these calls will throw an exception, again causing a
malformed packet error. This can be fixed by passing the data starting _at_ the
NALU type byte, guaranteeing that the data will cover at least one byte.

Patch follows.

-- 
Configure bugmail: https://bugs.wireshark.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching all bug changes.