heap overflow in GPMF_Next GPMF_parser.c:300 #74

Closed
cuanduo opened this issue Oct 15, 2019 · 5 comments

Comments

@cuanduo

cuanduo commented Oct 15, 2019

Tested on Ubuntu 19.04, 64-bit, master (ceb3815)
Compiled with gcc -g -fsanitize=address
Triggered by
$ gpmf-parse $POC

POC file
poc0.zip

root@ubuntu:/home/tim/gpmf-parser-asan/build# ./gpmf-parser ../crashes/karma.mp4-out_of_bound-idx\:0x24-0x0 
  STRM of ACCL of type s with 196 samples -- 3 elements per sample
  STRM of GYRO of type s with 392 samples -- 3 elements per sample
  STRM of ISOG of type f with 29 samples 
  STRM of SHUT of type f with 29 samples 
  STRM of FWVS of type c with 8 samples 
  STRM of KBAT of type lLlsSSSSSSSBBBb with 1 sample -- 15 elements per sample
  STRM of GPRI of type JlllSSSSBB with 4 samples -- 10 elements per sample
  STRM of ATTD of type LffffffB with 4 samples -- 8 elements per sample
  STRM of GLPI of type LllllsssS with 4 samples -- 9 elements per sample
  STRM of VFRH of type ffffsS with 4 samples -- 6 elements per sample
  STRM of SYST of type JJ with 1 sample -- 2 elements per sample
  STRM of BPOS of type lllfffff with 2 samples -- 8 elements per sample
  STRM of ATTR of type Jffff with 4 samples -- 5 elements per sample
  STRM of SIMU of type Lsssssssss with 4 samples -- 10 elements per sample
  STRM of ESCS of type JSSSSSSSSssssSSSSSSSSSSSSSSSSB with 1 sample -- 30 elements per sample
  STRM of LNED of type Lffffff with 4 samples -- 7 elements per sample
  STRM of CYTS of type LLLLLfffBB with 4 samples -- 10 elements per sample
  STRM of CSEN of type LffffffLLLL with 4 samples -- 11 elements per sample

MP4 Payload time 0.000 to 1.001 seconds
GPRI 145.912s, 33.125deg, -117.331deg, 15.445m, 0.250m, 0.420m, 0.590m/s, 334.350deg, 3.000, 20.000, 
GPRI 146.312s, 33.125deg, -117.331deg, 15.367m, 0.250m, 0.420m, 1.240m/s, 325.640deg, 3.000, 20.000, 
GPRI 146.413s, 33.125deg, -117.331deg, 15.363m, 0.250m, 0.420m, 1.500m/s, 328.710deg, 3.000, 20.000, 
GPRI 146.710s, 33.125deg, -117.331deg, 15.331m, 0.250m, 0.420m, 2.510m/s, 330.990deg, 3.000, 20.000, 

ACCL sampling rate = 192.549209 Hz (from -0.135230 to 12.313536)
GYRO sampling rate = 385.114885 Hz (from -0.136323 to 12.314507)
ISOG sampling rate = 29.047875 Hz (from -0.113870 to 12.313889)
SHUT sampling rate = 29.047875 Hz (from -0.113870 to 12.313889)
FWVS sampling rate = 7.728535 Hz (from -0.159250 to 12.262250)
KBAT sampling rate = 0.966067 Hz (from -0.159250 to 12.262250)
GPRI sampling rate = 3.803888 Hz (from -0.050556 to 12.305222)
ATTD sampling rate = 3.803888 Hz (from -0.050556 to 12.305222)
GLPI sampling rate = 3.803888 Hz (from -0.050556 to 12.305222)
VFRH sampling rate = 3.803888 Hz (from -0.050556 to 12.305222)
SYST sampling rate = 0.966067 Hz (from -0.159250 to 12.262250)
BPOS sampling rate = 0.905688 Hz (from -0.806867 to 12.442733)
ATTR sampling rate = 3.803888 Hz (from -0.050556 to 12.305222)
SIMU sampling rate = 3.803888 Hz (from -0.050556 to 12.305222)
ESCS sampling rate = 0.966067 Hz (from -0.159250 to 12.262250)
SCPR sampling rate = 0.490026 Hz (from 0.413947 to 12.658188)
LNED sampling rate = 3.803888 Hz (from -0.050556 to 12.305222)
CYTS sampling rate = 3.864268 Hz (from -0.159250 to 12.262250)
CSEN sampling rate = 3.781932 Hz (from -0.111868 to 12.315642)
=================================================================
==63528==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61f000000c6c at pc 0x5601cc3c88fa bp 0x7fff24d2cb30 sp 0x7fff24d2cb20
READ of size 4 at 0x61f000000c6c thread T0
    #0 0x5601cc3c88f9 in GPMF_Next /home/tim/gpmf-parser-asan/GPMF_parser.c:300
    #1 0x5601cc3c9163 in GPMF_FindNext /home/tim/gpmf-parser-asan/GPMF_parser.c:344
    #2 0x5601cc3ee290 in main /home/tim/gpmf-parser-asan/demo/GPMF_demo.c:245
    #3 0x7f3d5aad3b6a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x26b6a)
    #4 0x5601cc3c6299 in _start (/home/tim/gpmf-parser-asan/build/gpmf-parser+0x2299)

0x61f000000c6d is located 0 bytes to the right of 3053-byte region [0x61f000000080,0x61f000000c6d)
allocated by thread T0 here:
    #0 0x7f3d5ada487e in __interceptor_realloc (/lib/x86_64-linux-gnu/libasan.so.5+0x10c87e)
    #1 0x5601cc3ee6f9 in GetPayload /home/tim/gpmf-parser-asan/demo/GPMF_mp4reader.c:64
    #2 0x5601cc3ed611 in main /home/tim/gpmf-parser-asan/demo/GPMF_demo.c:102
    #3 0x7f3d5aad3b6a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x26b6a)

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/tim/gpmf-parser-asan/GPMF_parser.c:300 in GPMF_Next
Shadow bytes around the buggy address:
  0x0c3e7fff8130: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c3e7fff8140: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c3e7fff8150: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c3e7fff8160: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c3e7fff8170: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c3e7fff8180: 00 00 00 00 00 00 00 00 00 00 00 00 00[05]fa fa
  0x0c3e7fff8190: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3e7fff81a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3e7fff81b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3e7fff81c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3e7fff81d0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==63528==ABORTING
@dnewman-gpsw
Collaborator

I can't reproduce this to failure. Please confirm with the develop branch.

@cuanduo
Author

cuanduo commented Oct 18, 2019

I have tried the develop version; the result is the same. Have you compiled with ASan, or unzipped the zip file?

root@ubuntu:/home/tim/gpmf-parser-develop/build# git log
commit 68c9572b51855b0b45afba48787a1b301fa0350e (HEAD -> develop, origin/develop)
Author: Teeto Cheema <tcheema@gopro.com>
Date:   Wed Oct 16 11:17:12 2019 -0700

    Fix for stsz table condition when the sampleSize is non-zero.

commit 644907c739868ccdfb933b36749e066b64272d97
Author: David <dnewman@gopro.com>
Date:   Mon Oct 7 15:56:15 2019 -0700

    Added an API for reading the Edit List offset

commit c92fdd3ec6f1daa44ff693f2b008a44be72f8142
Merge: 1d77465 33f30e5
Author: David Newman <dnewman@gopro.com>
Date:   Mon Oct 7 10:53:55 2019 -0700

    Merge pull request #73 from gopro/Fix-GetPayloadRationalTime
    
    Fix GetPayloadRationalTime to match numbers given by GetPayloadTime

commit 1d7746590d291195fda5919ad837ccfa19510b8d
Author: David <dnewman@gopro.com>
Date:   Fri Oct 4 11:52:28 2019 -0700

    Oopps! Removed left off #endif

commit 33f30e578aec9e3706afa4f80abf4fc2524d2a6a
Author: Teeto Cheema <tcheema@gopro.com>
Date:   Fri Oct 4 11:44:38 2019 -0700

    Fix GetPayloadRationalTime to match numbers given by GetPayloadTime

commit a895c964b1913eef2de48650a526c2dd3561da5a
Author: David <dnewman@gopro.com>
Date:   Fri Oct 4 11:23:13 2019 -0700

    very minor fix debugging using PRINT_MP4_STRUCTURE

commit 2fee9f54b00613f6089aa9fc3f2e73541185e9a9
Author: David <dnewman@gopro.com>
Date:   Fri Sep 27 10:48:10 2019 -0700

    Fixed for handling stts with all entries at duration 1

commit eec612b3ca184d867ff9671ac0119e30293ffb24
Author: David <dnewman@gopro.com>
Date:   Thu Sep 26 08:51:14 2019 -0700

    removed redundant and clashing define

commit c058410217c8e8366a61f14eb92cde3cff6c9646
Author: David <dnewman@gopro.com>
Date:   Wed Sep 25 13:49:15 2019 -0700

    fixed for edit lists and demo for precision video to metadata sync

commit 91fceedd1c5e3e324c9c131146a469f03d7169ed
Merge: 4e17078 c102223
Author: David Newman <dnewman@gopro.com>
Date:   Wed Sep 4 07:33:00 2019 -0700

    Merge pull request #72 from G-P-S/ylaala/fix-negative-offset
    
    mp4reader: switching in_numerator & out_numerator to int32_t
root@ubuntu:/home/tim/gpmf-parser-develop/build# ./gpmf-parser karma.mp4-out_of_bound-idx\:0x24-0x0 
video framerate is 29.97 with 362 frames
  STRM of ACCL of type s with 196 samples -- 3 elements per sample
  STRM of GYRO of type s with 392 samples -- 3 elements per sample
  STRM of ISOG of type f with 29 samples 
  STRM of SHUT of type f with 29 samples 
  STRM of FWVS of type c with 8 samples 
  STRM of KBAT of type lLlsSSSSSSSBBBb with 1 sample -- 15 elements per sample
  STRM of GPRI of type JlllSSSSBB with 4 samples -- 10 elements per sample
  STRM of ATTD of type LffffffB with 4 samples -- 8 elements per sample
  STRM of GLPI of type LllllsssS with 4 samples -- 9 elements per sample
  STRM of VFRH of type ffffsS with 4 samples -- 6 elements per sample
  STRM of SYST of type JJ with 1 sample -- 2 elements per sample
  STRM of BPOS of type lllfffff with 2 samples -- 8 elements per sample
  STRM of ATTR of type Jffff with 4 samples -- 5 elements per sample
  STRM of SIMU of type Lsssssssss with 4 samples -- 10 elements per sample
  STRM of ESCS of type JSSSSSSSSssssSSSSSSSSSSSSSSSSB with 1 sample -- 30 elements per sample
  STRM of SCPR of type Lffs with 1 sample -- 4 elements per sample
  STRM of LNED of type Lffffff with 4 samples -- 7 elements per sample
  STRM of CYTS of type LLLLLfffBB with 4 samples -- 10 elements per sample
  STRM of CSEN of type LffffffLLLL with 4 samples -- 11 elements per sample

MP4 Payload time 0.000 to 1.001 seconds
ACCL 10.158m/s², -0.852m/s², -3.701m/s², 
ACCL 10.218m/s², -0.806m/s², -3.380m/s², 
ACCL 10.333m/s², -0.778m/s², -3.445m/s², 
ACCL 10.191m/s², -0.861m/s², -3.622m/s², 
ACCL 10.103m/s², -0.701m/s², -3.737m/s², 
ACCL 10.093m/s², -1.010m/s², -3.577m/s², 
ACCL 10.316m/s², -0.895m/s², -3.270m/s², 
ACCL 10.108m/s², -0.565m/s², -3.349m/s², 
ACCL 9.938m/s², -0.596m/s², -3.447m/s², 
ACCL 10.187m/s², -0.792m/s², -3.022m/s², 
ACCL 9.900m/s², -0.132m/s², -3.510m/s², 
ACCL 9.560m/s², -0.624m/s², -3.746m/s², 
ACCL 10.012m/s², -0.663m/s², -3.002m/s², 
ACCL 9.778m/s², -0.562m/s², -3.342m/s², 
ACCL 9.610m/s², -0.804m/s², -3.402m/s², 
ACCL 9.849m/s², -0.981m/s², -2.821m/s², 
ACCL 9.919m/s², -0.868m/s², -3.057m/s², 
ACCL 9.533m/s², -1.043m/s², -3.476m/s², 
ACCL 10.091m/s², -0.751m/s², -2.634m/s², 
ACCL 9.754m/s², -0.749m/s², -3.301m/s², 
ACCL 9.560m/s², -0.488m/s², -3.682m/s², 
ACCL 9.699m/s², -0.694m/s², -3.335m/s², 
ACCL 10.325m/s², -0.907m/s², -2.660m/s², 
ACCL 9.957m/s², -0.691m/s², -3.261m/s², 
ACCL 9.763m/s², -0.656m/s², -3.507m/s², 
ACCL 10.268m/s², -0.911m/s², -2.914m/s², 
ACCL 10.069m/s², -0.543m/s², -3.347m/s², 
ACCL 9.868m/s², -0.507m/s², -3.529m/s², 
ACCL 10.325m/s², -1.000m/s², -2.612m/s², 
ACCL 10.502m/s², -0.502m/s², -2.986m/s², 
ACCL 9.756m/s², -0.512m/s², -3.751m/s², 
ACCL 10.359m/s², -0.902m/s², -3.196m/s², 
ACCL 10.194m/s², -0.706m/s², -3.572m/s², 
ACCL 10.136m/s², -0.701m/s², -3.512m/s², 
ACCL 10.581m/s², -1.134m/s², -2.739m/s², 
ACCL 10.541m/s², -0.799m/s², -2.847m/s², 
ACCL 10.189m/s², -0.938m/s², -3.440m/s², 
ACCL 10.383m/s², -0.682m/s², -3.093m/s², 
ACCL 10.249m/s², -0.591m/s², -3.407m/s², 
ACCL 10.194m/s², -0.423m/s², -3.292m/s², 
ACCL 10.340m/s², -0.476m/s², -3.029m/s², 
ACCL 10.423m/s², -0.703m/s², -2.847m/s², 
ACCL 10.100m/s², -0.536m/s², -3.220m/s², 
ACCL 9.995m/s², -0.636m/s², -3.232m/s², 
ACCL 10.139m/s², -0.849m/s², -2.962m/s², 
ACCL 10.074m/s², -0.577m/s², -2.792m/s², 
ACCL 9.823m/s², -0.545m/s², -3.038m/s², 
ACCL 9.935m/s², -0.775m/s², -2.519m/s², 
ACCL 10.036m/s², -0.531m/s², -2.538m/s², 
ACCL 9.598m/s², -0.766m/s², -3.153m/s², 
ACCL 9.878m/s², -0.952m/s², -2.589m/s², 
ACCL 9.713m/s², -0.978m/s², -2.904m/s², 
ACCL 9.620m/s², -0.708m/s², -2.785m/s², 
ACCL 9.945m/s², -0.940m/s², -2.239m/s², 
ACCL 9.828m/s², -0.486m/s², -2.438m/s², 
ACCL 9.433m/s², -0.199m/s², -3.041m/s², 
ACCL 9.914m/s², -0.127m/s², -2.407m/s², 
ACCL 9.821m/s², -0.550m/s², -2.921m/s², 
ACCL 9.622m/s², -0.208m/s², -2.871m/s², 
ACCL 9.888m/s², -0.567m/s², -2.385m/s², 
ACCL 10.038m/s², -0.856m/s², -2.282m/s², 
ACCL 9.742m/s², -0.419m/s², -2.876m/s², 
ACCL 9.756m/s², -0.873m/s², -2.543m/s², 
ACCL 10.275m/s², -1.069m/s², -2.222m/s², 
ACCL 9.622m/s², -0.586m/s², -3.189m/s², 
ACCL 9.797m/s², -0.478m/s², -2.766m/s², 
ACCL 9.892m/s², -1.055m/s², -2.514m/s², 
ACCL 10.270m/s², -0.569m/s², -1.902m/s², 
ACCL 9.995m/s², -0.813m/s², -2.184m/s², 
ACCL 9.596m/s², -0.361m/s², -3.005m/s², 
ACCL 9.727m/s², -0.538m/s², -3.134m/s², 
ACCL 10.139m/s², -0.368m/s², -2.467m/s², 
ACCL 9.507m/s², -0.292m/s², -2.967m/s², 
ACCL 9.921m/s², -0.565m/s², -1.813m/s², 
ACCL 10.203m/s², -0.656m/s², -2.012m/s², 
ACCL 9.605m/s², -0.577m/s², -2.976m/s², 
ACCL 9.955m/s², -0.471m/s², -2.218m/s², 
ACCL 9.919m/s², -0.782m/s², -2.335m/s², 
ACCL 9.821m/s², -0.648m/s², -2.782m/s², 
ACCL 9.892m/s², -0.675m/s², -2.474m/s², 
ACCL 10.249m/s², -0.610m/s², -2.117m/s², 
ACCL 9.677m/s², -0.201m/s², -3.007m/s², 
ACCL 10.251m/s², -0.208m/s², -2.151m/s², 
ACCL 10.220m/s², -0.634m/s², -2.136m/s², 
ACCL 9.904m/s², -0.222m/s², -2.734m/s², 
ACCL 9.787m/s², -0.502m/s², -2.715m/s², 
ACCL 10.266m/s², -0.639m/s², -2.278m/s², 
ACCL 9.844m/s², -0.220m/s², -2.665m/s², 
ACCL 10.012m/s², -0.538m/s², -2.108m/s², 
ACCL 9.923m/s², -0.428m/s², -2.294m/s², 
ACCL 9.225m/s², -0.390m/s², -3.359m/s², 
ACCL 10.069m/s², -0.352m/s², -1.725m/s², 
ACCL 9.909m/s², -0.608m/s², -1.656m/s², 
ACCL 9.696m/s², -0.445m/s², -1.938m/s², 
ACCL 9.462m/s², -1.005m/s², -2.287m/s², 
ACCL 9.313m/s², -0.498m/s², -3.010m/s², 
ACCL 9.227m/s², -0.337m/s², -2.703m/s², 
ACCL 10.105m/s², -0.285m/s², -0.976m/s², 
ACCL 9.622m/s², -0.416m/s², -1.931m/s², 
ACCL 9.306m/s², -0.476m/s², -2.239m/s², 
ACCL 9.751m/s², -0.438m/s², -2.443m/s², 
ACCL 8.986m/s², -0.646m/s², -3.325m/s², 
ACCL 10.136m/s², 0.053m/s², -1.395m/s², 
ACCL 9.876m/s², -0.144m/s², -1.644m/s², 
ACCL 9.768m/s², 0.225m/s², -2.077m/s², 
ACCL 9.689m/s², -0.158m/s², -2.211m/s², 
ACCL 9.959m/s², -0.416m/s², -2.347m/s², 
ACCL 9.526m/s², -0.531m/s², -2.847m/s², 
ACCL 9.943m/s², -0.768m/s², -1.993m/s², 
ACCL 10.057m/s², -0.684m/s², -2.029m/s², 
ACCL 9.579m/s², -0.352m/s², -2.431m/s², 
ACCL 10.175m/s², -0.373m/s², -1.526m/s², 
ACCL 9.679m/s², -0.455m/s², -2.251m/s², 
ACCL 9.478m/s², -0.287m/s², -2.907m/s², 
ACCL 9.541m/s², -0.569m/s², -2.299m/s², 
ACCL 9.727m/s², -0.246m/s², -1.878m/s², 
ACCL 9.438m/s², -0.196m/s², -1.620m/s², 
ACCL 10.091m/s², -0.289m/s², -0.900m/s², 
ACCL 9.282m/s², -0.292m/s², -2.469m/s², 
ACCL 9.146m/s², -0.443m/s², -2.971m/s², 
ACCL 9.481m/s², -0.400m/s², -2.440m/s², 
ACCL 9.474m/s², -0.258m/s², -2.024m/s², 
ACCL 10.005m/s², -0.187m/s², -0.689m/s², 
ACCL 9.959m/s², -0.373m/s², -1.156m/s², 
ACCL 9.517m/s², -0.476m/s², -2.526m/s², 
ACCL 9.720m/s², -0.376m/s², -2.557m/s², 
ACCL 9.548m/s², -0.065m/s², -3.033m/s², 
ACCL 9.699m/s², -0.294m/s², -2.342m/s², 
ACCL 10.481m/s², -0.400m/s², -1.060m/s², 
ACCL 10.000m/s², -0.713m/s², -1.947m/s², 
ACCL 10.148m/s², -0.502m/s², -1.859m/s², 
ACCL 9.955m/s², -0.443m/s², -2.486m/s², 
ACCL 9.720m/s², -0.476m/s², -2.974m/s², 
ACCL 10.115m/s², -0.036m/s², -2.010m/s², 
ACCL 10.184m/s², -0.041m/s², -1.761m/s², 
ACCL 9.837m/s², -0.017m/s², -2.222m/s², 
ACCL 9.950m/s², -0.287m/s², -1.880m/s², 
ACCL 10.100m/s², -0.323m/s², -1.799m/s², 
ACCL 9.550m/s², -0.301m/s², -2.390m/s², 
ACCL 10.060m/s², -0.376m/s², -1.859m/s², 
ACCL 9.560m/s², -0.033m/s², -2.254m/s², 
ACCL 9.541m/s², 0.273m/s², -2.323m/s², 
ACCL 9.737m/s², -0.239m/s², -1.883m/s², 
ACCL 9.847m/s², -0.100m/s², -1.481m/s², 
ACCL 9.837m/s², -0.397m/s², -1.356m/s², 
ACCL 9.794m/s², -0.670m/s², -1.589m/s², 
ACCL 9.483m/s², -0.419m/s², -2.749m/s², 
ACCL 9.397m/s², -0.720m/s², -2.751m/s², 
ACCL 9.718m/s², -0.067m/s², -2.098m/s², 
ACCL 9.648m/s², -0.313m/s², -1.770m/s², 
ACCL 10.266m/s², -0.404m/s², -0.469m/s², 
ACCL 9.813m/s², -0.464m/s², -1.316m/s², 
ACCL 9.557m/s², -0.469m/s², -2.244m/s², 
ACCL 9.507m/s², -0.467m/s², -2.854m/s², 
ACCL 9.342m/s², -0.108m/s², -2.969m/s², 
ACCL 9.677m/s², 0.036m/s², -1.816m/s², 
ACCL 9.928m/s², -0.234m/s², -0.978m/s², 
ACCL 9.868m/s², -0.256m/s², -1.014m/s², 
ACCL 9.792m/s², -0.251m/s², -1.213m/s², 
ACCL 9.311m/s², -0.371m/s², -2.718m/s², 
ACCL 9.026m/s², -0.323m/s², -2.828m/s², 
ACCL 9.833m/s², 0.196m/s², -1.526m/s², 
ACCL 9.478m/s², -0.017m/s², -1.632m/s², 
ACCL 9.821m/s², 0.270m/s², -1.031m/s², 
ACCL 9.488m/s², -0.555m/s², -1.840m/s², 
ACCL 9.620m/s², -0.368m/s², -1.916m/s², 
ACCL 9.380m/s², -0.529m/s², -2.428m/s², 
ACCL 9.713m/s², -0.471m/s², -1.799m/s², 
ACCL 9.849m/s², 0.048m/s², -1.545m/s², 
ACCL 9.713m/s², -0.222m/s², -1.622m/s², 
ACCL 9.931m/s², -0.299m/s², -1.868m/s², 
ACCL 9.447m/s², -0.522m/s², -2.337m/s², 
ACCL 9.957m/s², -0.256m/s², -1.825m/s², 
ACCL 9.323m/s², -0.292m/s², -2.476m/s², 
ACCL 10.014m/s², 0.167m/s², -1.385m/s², 
ACCL 9.715m/s², 0.124m/s², -1.483m/s², 
ACCL 9.687m/s², 0.093m/s², -1.660m/s², 
ACCL 9.672m/s², -0.478m/s², -2.062m/s², 
ACCL 9.557m/s², -0.608m/s², -2.409m/s², 
ACCL 9.268m/s², -0.416m/s², -2.565m/s², 
ACCL 9.591m/s², -0.330m/s², -1.467m/s², 
ACCL 9.608m/s², 0.435m/s², -1.440m/s², 
ACCL 9.459m/s², -0.084m/s², -1.431m/s², 
ACCL 10.022m/s², -0.158m/s², -0.749m/s², 
ACCL 9.146m/s², -0.682m/s², -2.478m/s², 
ACCL 9.639m/s², -0.426m/s², -1.538m/s², 
ACCL 9.294m/s², -0.557m/s², -2.866m/s², 
ACCL 9.344m/s², -0.407m/s², -2.610m/s², 
ACCL 10.323m/s², 0.301m/s², -0.888m/s², 
ACCL 9.754m/s², -0.139m/s², -1.323m/s², 
ACCL 10.105m/s², 0.328m/s², -1.117m/s², 
ACCL 9.677m/s², -0.687m/s², -2.074m/s², 
ACCL 9.754m/s², -0.211m/s², -2.835m/s², 
ACCL 9.258m/s², -0.608m/s², -3.060m/s², 
ACCL 10.285m/s², -0.306m/s², -1.033m/s², 
ACCL 9.854m/s², -0.084m/s², -1.349m/s², 

ACCL sampling rate = 192.549209Hz (time -0.135230 to 12.313536)",
GYRO sampling rate = 385.114885Hz (time -0.136323 to 12.314507)",
ISOG sampling rate = 29.047875Hz (time -0.113870 to 12.313889)",
SHUT sampling rate = 29.047875Hz (time -0.113870 to 12.313889)",
FWVS sampling rate = 7.761469Hz (time -0.138752 to 12.230040)",
KBAT sampling rate = 0.999001Hz (time 0.000000 to 12.012000)",
GPRI sampling rate = 3.836823Hz (time -0.010024 to 12.239695)",
ATTD sampling rate = 3.836823Hz (time -0.010024 to 12.239695)",
GLPI sampling rate = 3.836823Hz (time -0.010024 to 12.239695)",
VFRH sampling rate = 3.836823Hz (time -0.010024 to 12.239695)",
SYST sampling rate = 0.999001Hz (time 0.000000 to 12.012000)",
BPOS sampling rate = 0.999001Hz (time -1.001000 to 11.011000)",
ATTR sampling rate = 3.836823Hz (time -0.010024 to 12.239695)",
SIMU sampling rate = 3.836823Hz (time -0.010024 to 12.239695)",
ESCS sampling rate = 0.999001Hz (time 0.000000 to 12.012000)",
SCPR sampling rate = 0.999001Hz (time 0.000000 to 7.007000)",
LNED sampling rate = 3.836823Hz (time -0.010024 to 12.239695)",
CYTS sampling rate = 3.897202Hz (time -0.118428 to 12.198101)",
CSEN sampling rate = 3.814866Hz (time -0.070574 to 12.249647)",
=================================================================
==52138==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61f000000c6c at pc 0x564d733ca990 bp 0x7fff74d8b0b0 sp 0x7fff74d8b0a0
READ of size 4 at 0x61f000000c6c thread T0
    #0 0x564d733ca98f in GPMF_Next /home/tim/gpmf-parser-develop/GPMF_parser.c:302
    #1 0x564d733cb1f9 in GPMF_FindNext /home/tim/gpmf-parser-develop/GPMF_parser.c:346
    #2 0x564d734222ec in main /home/tim/gpmf-parser-develop/demo/GPMF_demo.c:276
    #3 0x7fc56d3c2b6a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x26b6a)
    #4 0x564d733c82f9 in _start (/home/tim/gpmf-parser-develop/build/gpmf-parser+0x22f9)

0x61f000000c6d is located 0 bytes to the right of 3053-byte region [0x61f000000080,0x61f000000c6d)
allocated by thread T0 here:
    #0 0x7fc56d69387e in __interceptor_realloc (/lib/x86_64-linux-gnu/libasan.so.5+0x10c87e)
    #1 0x564d73422750 in GetPayload /home/tim/gpmf-parser-develop/demo/GPMF_mp4reader.c:65
    #2 0x564d734214e9 in main /home/tim/gpmf-parser-develop/demo/GPMF_demo.c:110
    #3 0x7fc56d3c2b6a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x26b6a)

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/tim/gpmf-parser-develop/GPMF_parser.c:302 in GPMF_Next
Shadow bytes around the buggy address:
  0x0c3e7fff8130: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c3e7fff8140: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c3e7fff8150: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c3e7fff8160: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c3e7fff8170: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c3e7fff8180: 00 00 00 00 00 00 00 00 00 00 00 00 00[05]fa fa
  0x0c3e7fff8190: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3e7fff81a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3e7fff81b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3e7fff81c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3e7fff81d0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==52138==ABORTING

@dnewman-gpsw
Collaborator

I have not changed my compiler, as I figure the failure would be general, but I did use all the provided zip files, and I get no failure. I can see that the files are corrupted, but the parser correctly handles those corruptions. Maybe you could point out which line of code begins the heap overflow for each POC and what you would change?

@cuanduo
Author

cuanduo commented Oct 18, 2019

You should compile with CFLAGS += -fsanitize=address, or some heap overflows may not result in a segmentation fault.

And the code line is shown in the ASan info:

 GPMF_Next /home/tim/gpmf-parser-develop/GPMF_parser.c:302

 294             if (ms->pos < ms->buffer_size_longs)
 295             {
 296                 while (ms->pos < ms->buffer_size_longs && ms->nest_size[ms->nest_level] > 0 && ms->buffer[ms->pos] == GPMF_KEY_END)
 297                 {
 298                     ms->pos++;
 299                     ms->nest_size[ms->nest_level]--;
 300                 }
 301 
 302                 key = ms->buffer[ms->pos];
 303                 if (!GPMF_VALID_FOURCC(key))
 304                     return GPMF_ERROR_BAD_STRUCTURE;
 305 
 306                 if (key == GPMF_KEY_DEVICE_ID)
 307                     ms->device_id = BYTESWAP32(ms->buffer[ms->pos + 2]);
 308                 if (key == GPMF_KEY_DEVICE_NAME)

In this case, ms->pos may exceed ms->buffer.
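The read-past-the-end that the comment above describes can be reproduced without the POC file. The block below is an added example written for this page, not gpmf-parser code: it models the quoted skip loop (lines 296 to 304) in a stand-alone harness, drives it with a constructed payload whose STRM size long claims more content than the buffer holds, and compares the unguarded read at line 302 with a version that re-checks `pos` after the loop. The `gpmf_stream` struct, the `NEXT_*` status values, `valid_fourcc` and `next_key` are this example's own names; the real library's `GPMF_stream`, error codes and `GPMF_VALID_FOURCC` differ in detail, and the added re-check is one possible defence, not the fix the maintainer landed.

```c
/* Added example (not gpmf-parser code): a model of the GPMF_Next key-skip
 * loop quoted in the issue, in unguarded and re-checked forms. All names
 * here are the example's own. */
#include <stdint.h>
#include <stdio.h>

#define GPMF_KEY_END 0u
#define FOURCC(a, b, c, d) \
    (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | ((uint32_t)(c) << 8) | (uint32_t)(d))
#define GUARD_VALUE 0xDEADBEEFu   /* sentinel in the slack long past the logical end */

enum { NEXT_OK = 0, NEXT_BAD_STRUCTURE = -1, NEXT_BUFFER_END = -2 };

typedef struct {
    const uint32_t *buffer;      /* FourCC / header / payload longs */
    uint32_t buffer_size_longs;  /* logical length the parser trusts */
    uint32_t pos;                /* index of the long being examined */
    uint32_t nest_level;
    uint32_t nest_size[4];       /* longs still claimed at each nesting level */
} gpmf_stream;

/* Assumption: a FourCC is four printable ASCII bytes. */
static int valid_fourcc(uint32_t key)
{
    for (int i = 0; i < 4; i++) {
        uint32_t c = (key >> (8 * i)) & 0xffu;
        if (c < 0x20u || c > 0x7eu)
            return 0;
    }
    return 1;
}

/* The loop from the report: it stops when pos reaches buffer_size_longs,
 * but the read that follows does not re-check pos. With 'recheck' set the
 * read is guarded; that guard is the example's own, not the project's fix. */
static int next_key(gpmf_stream *ms, int recheck, uint32_t *key_out)
{
    if (ms->pos >= ms->buffer_size_longs)      /* line 294 */
        return NEXT_BUFFER_END;

    while (ms->pos < ms->buffer_size_longs &&  /* lines 296-300 */
           ms->nest_size[ms->nest_level] > 0 &&
           ms->buffer[ms->pos] == GPMF_KEY_END) {
        ms->pos++;
        ms->nest_size[ms->nest_level]--;
    }

    if (recheck && ms->pos >= ms->buffer_size_longs)
        return NEXT_BUFFER_END;

    *key_out = ms->buffer[ms->pos];            /* line 302: pos may equal buffer_size_longs */
    return valid_fourcc(*key_out) ? NEXT_OK : NEXT_BAD_STRUCTURE;
}

/* Constructed payload (not the POC): STRM claims 16 content longs but only 6
 * follow, then END padding. Index 8 is slack holding the guard, outside the
 * logical length, so the overread is observable instead of undefined. */
static const uint32_t kPayload[9] = {
    FOURCC('S', 'T', 'R', 'M'), 0x00010010u,   /* nested, size 1, repeat 16 (corrupted) */
    FOURCC('A', 'C', 'C', 'L'), 0x73060001u,   /* type 's', 6-byte struct, 1 sample */
    0x00010002u, 0x00030000u,                  /* three int16 samples plus pad */
    GPMF_KEY_END, GPMF_KEY_END,                /* padding that the skip loop walks */
    GUARD_VALUE
};

/* One GPMF_Next-style step starting at the first padding long, with the
 * corrupted STRM size still claiming 12 longs. Returns the status and
 * reports the key read and the final pos. */
static int step_from_padding(int recheck, uint32_t *key_out, uint32_t *pos_out)
{
    gpmf_stream ms = {0};
    ms.buffer = kPayload;
    ms.buffer_size_longs = 8;   /* guard slot excluded */
    ms.pos = 6;
    ms.nest_level = 1;
    ms.nest_size[0] = 16;
    ms.nest_size[1] = 12;       /* 16 claimed minus the 4 longs of ACCL */
    *key_out = 0;
    int rc = next_key(&ms, recheck, key_out);
    *pos_out = ms.pos;
    return rc;
}

int main(void)
{
    uint32_t key, pos;
    int rc = step_from_padding(0, &key, &pos);
    printf("unguarded: rc=%d pos=%u key=0x%08x%s\n", rc, (unsigned)pos, (unsigned)key,
           key == GUARD_VALUE ? " (read past the logical end)" : "");
    rc = step_from_padding(1, &key, &pos);
    printf("rechecked: rc=%d pos=%u\n", rc, (unsigned)pos);
    return 0;
}
```

In the unguarded run the loop consumes both padding longs, leaves `pos` equal to `buffer_size_longs`, and the read at the modelled line 302 returns the guard value from outside the logical buffer; the bad FourCC is then rejected, which is why a build without ASan can look like it "handles the corruption" while still performing the overread. The re-checked run stops with `NEXT_BUFFER_END` before touching the slot.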

@dnewman-gpsw
Collaborator

Size field corruption fixed.
