heap overflow in GetPayload GPMF_mp4reader.c:62 #77

Closed
cuanduo opened this issue Oct 15, 2019 · 3 comments

Comments


cuanduo commented Oct 15, 2019

Tested on Ubuntu 19.04, 64-bit, master (ceb3815), compiled with gcc -g -fsanitize=address.
Triggered by:
$ gpmf-parse $POC
POC: poc3.zip

root@ubuntu:/home/tim/gpmf-parser-asan/build# ./gpmf-parser crashes/karma.mp4-out_of_bound-idx\:0x749-0x3 
  STRM of ACCL of type s with 196 samples -- 3 elements per sample
  STRM of GYRO of type s with 392 samples -- 3 elements per sample
  STRM of ISOG of type f with 29 samples 
  STRM of SHUT of type f with 29 samples 
  STRM of FWVS of type c with 8 samples 
  STRM of KBAT of type lLlsSSSSSSSBBBb with 1 sample -- 15 elements per sample
  STRM of GPRI of type JlllSSSSBB with 4 samples -- 10 elements per sample
  STRM of ATTD of type LffffffB with 4 samples -- 8 elements per sample
  STRM of GLPI of type LllllsssS with 4 samples -- 9 elements per sample
  STRM of VFRH of type ffffsS with 4 samples -- 6 elements per sample
  STRM of SYST of type JJ with 1 sample -- 2 elements per sample
  STRM of BPOS of type lllfffff with 2 samples -- 8 elements per sample
  STRM of ATTR of type Jffff with 4 samples -- 5 elements per sample
  STRM of SIMU of type Lsssssssss with 4 samples -- 10 elements per sample
  STRM of ESCS of type JSSSSSSSSssssSSSSSSSSSSSSSSSSB with 1 sample -- 30 elements per sample
  STRM of LNED of type Lffffff with 4 samples -- 7 elements per sample
  STRM of CYTS of type LLLLLfffBB with 4 samples -- 10 elements per sample
  STRM of CSEN of type LffffffLLLL with 4 samples -- 11 elements per sample

MP4 Payload time 0.000 to 1.001 seconds
GPRI 145.912s, 33.125deg, -117.331deg, 15.445m, 0.250m, 0.420m, 0.590m/s, 334.350deg, 3.000, 20.000, 
GPRI 146.312s, 33.125deg, -117.331deg, 15.367m, 0.250m, 0.420m, 1.240m/s, 325.640deg, 3.000, 20.000, 
GPRI 146.413s, 33.125deg, -117.331deg, 15.363m, 0.250m, 0.420m, 1.500m/s, 328.710deg, 3.000, 20.000, 
GPRI 146.710s, 33.125deg, -117.331deg, 15.331m, 0.250m, 0.420m, 2.510m/s, 330.990deg, 3.000, 20.000, 

=================================================================
==64725==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x604000000040 at pc 0x561601a2863b bp 0x7ffe832b1740 sp 0x7ffe832b1730
READ of size 4 at 0x604000000040 thread T0
    #0 0x561601a2863a in GetPayload /home/tim/gpmf-parser-asan/demo/GPMF_mp4reader.c:62
    #1 0x561601a27611 in main /home/tim/gpmf-parser-asan/demo/GPMF_demo.c:102
    #2 0x7f3f04b53b6a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x26b6a)
    #3 0x561601a00299 in _start (/home/tim/gpmf-parser-asan/build/gpmf-parser+0x2299)

0x604000000040 is located 0 bytes to the right of 48-byte region [0x604000000010,0x604000000040)
allocated by thread T0 here:
    #0 0x7f3f04e24448 in malloc (/lib/x86_64-linux-gnu/libasan.so.5+0x10c448)
    #1 0x561601a2be95 in OpenMP4Source /home/tim/gpmf-parser-asan/demo/GPMF_mp4reader.c:386
    #2 0x561601a2738c in main /home/tim/gpmf-parser-asan/demo/GPMF_demo.c:48
    #3 0x7f3f04b53b6a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x26b6a)

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/tim/gpmf-parser-asan/demo/GPMF_mp4reader.c:62 in GetPayload
Shadow bytes around the buggy address:
  0x0c087fff7fb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c087fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c087fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c087fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c087fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c087fff8000: fa fa 00 00 00 00 00 00[fa]fa fa fa fa fa fa fa
  0x0c087fff8010: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff8020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==64725==ABORTING
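The report above says a 4-byte READ landed 0 bytes past a 48-byte heap region allocated in OpenMP4Source, which is consistent with reading entry [12] of a 12-entry uint32_t table. The following is an added illustrative example, not gpmf-parser's own code: it models that indexed-table access pattern with a hypothetical struct (field names are this example's assumptions) and shows a hardened lookup that carries the allocated entry count beside the table, rejects out-of-range indices, and also handles the ISO BMFF stsz rule referenced by the develop-branch commit message (a non-zero sample_size means there is no per-sample table at all).

```c
/* Added illustrative example, not gpmf-parser's code. Models the defect class
 * in the ASan report: an index derived from file metadata used to read a heap
 * table whose real length is not checked. The hardened version keeps the
 * allocated entry count next to the table and validates every index. */
#include <stdint.h>
#include <stdlib.h>
#include <stdio.h>

/* Hypothetical payload-size table; the field names are this example's own. */
struct payload_sizes {
    uint32_t  sample_size;   /* stsz.sample_size: non-zero => every sample has this size */
    uint32_t  sample_count;  /* stsz.sample_count, as claimed by the file header */
    uint32_t *table;         /* per-sample sizes, present only when sample_size == 0 */
    size_t    table_entries; /* entries actually allocated (the trustworthy bound) */
};

/* Unchecked access: index straight into the heap table (the reported pattern). */
static uint32_t payload_size_unchecked(const struct payload_sizes *ps, uint32_t index)
{
    return ps->table[index];   /* index == table_entries reads past the allocation */
}

/* Hardened lookup: 0 on success, -1 when the index cannot be served safely. */
static int payload_size_checked(const struct payload_sizes *ps, uint32_t index, uint32_t *out)
{
    if (index >= ps->sample_count)
        return -1;
    if (ps->sample_size != 0) {                /* constant-size samples, no table */
        *out = ps->sample_size;
        return 0;
    }
    if (ps->table == NULL || index >= ps->table_entries)
        return -1;                             /* header claims more samples than the table holds */
    *out = ps->table[index];
    return 0;
}

/* Constructs the 48-byte, 12-entry table from the report; the sizes are made up. */
static struct payload_sizes make_table(uint32_t claimed_sample_count)
{
    struct payload_sizes ps;
    ps.sample_size   = 0;
    ps.sample_count  = claimed_sample_count;
    ps.table_entries = 12;                     /* 12 * sizeof(uint32_t) == 48 bytes */
    ps.table = malloc(ps.table_entries * sizeof(uint32_t));
    if (ps.table == NULL)
        ps.table_entries = 0;                  /* keep the bound honest on allocation failure */
    for (uint32_t i = 0; i < ps.table_entries; i++)
        ps.table[i] = 100 + i;
    return ps;
}

int main(void)
{
    struct payload_sizes ps = make_table(13);  /* one sample more than the table holds */
    uint32_t size = 0;
    printf("index 11: %s\n", payload_size_checked(&ps, 11, &size) == 0 ? "ok" : "rejected");
    printf("index 12: %s\n", payload_size_checked(&ps, 12, &size) == 0 ? "ok" : "rejected");
    /* payload_size_unchecked(&ps, 12) would be the 4-byte read ASan flagged. */
    free(ps.table);
    return 0;
}
```

Running it under -fsanitize=address with the unchecked call uncommented reproduces the same "0 bytes to the right of 48-byte region" diagnostic on this toy table.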
@dnewman-gpsw
Collaborator

I can't reproduce this to failure. Please confirm with the develop branch.

@cuanduo
Author

cuanduo commented Oct 18, 2019

develop version, same

root@ubuntu:/home/tim/gpmf-parser-develop/build# git log
commit 68c9572b51855b0b45afba48787a1b301fa0350e (HEAD -> develop, origin/develop)
Author: Teeto Cheema <tcheema@gopro.com>
Date:   Wed Oct 16 11:17:12 2019 -0700

    Fix for stsz table condition when the sampleSize is non-zero.

commit 644907c739868ccdfb933b36749e066b64272d97
Author: David <dnewman@gopro.com>
Date:   Mon Oct 7 15:56:15 2019 -0700

    Added an API for reading the Edit List offset

commit c92fdd3ec6f1daa44ff693f2b008a44be72f8142
Merge: 1d77465 33f30e5
Author: David Newman <dnewman@gopro.com>
Date:   Mon Oct 7 10:53:55 2019 -0700

    Merge pull request #73 from gopro/Fix-GetPayloadRationalTime
    
    Fix GetPayloadRationalTime to match numbers given by GetPayloadTime

commit 1d7746590d291195fda5919ad837ccfa19510b8d
Author: David <dnewman@gopro.com>
Date:   Fri Oct 4 11:52:28 2019 -0700

    Oopps! Removed left off #endif

commit 33f30e578aec9e3706afa4f80abf4fc2524d2a6a
Author: Teeto Cheema <tcheema@gopro.com>
Date:   Fri Oct 4 11:44:38 2019 -0700

    Fix GetPayloadRationalTime to match numbers given by GetPayloadTime

commit a895c964b1913eef2de48650a526c2dd3561da5a
Author: David <dnewman@gopro.com>
Date:   Fri Oct 4 11:23:13 2019 -0700

    very minor fix debugging using PRINT_MP4_STRUCTURE

commit 2fee9f54b00613f6089aa9fc3f2e73541185e9a9
Author: David <dnewman@gopro.com>
Date:   Fri Sep 27 10:48:10 2019 -0700

    Fixed for handling stts with all entries at duration 1

commit eec612b3ca184d867ff9671ac0119e30293ffb24
Author: David <dnewman@gopro.com>
Date:   Thu Sep 26 08:51:14 2019 -0700

    removed redundant and clashing define

commit c058410217c8e8366a61f14eb92cde3cff6c9646
Author: David <dnewman@gopro.com>
Date:   Wed Sep 25 13:49:15 2019 -0700

    fixed for edit lists and demo for precision video to metadata sync

commit 91fceedd1c5e3e324c9c131146a469f03d7169ed
Merge: 4e17078 c102223
Author: David Newman <dnewman@gopro.com>
Date:   Wed Sep 4 07:33:00 2019 -0700

    Merge pull request #72 from G-P-S/ylaala/fix-negative-offset
    
root@ubuntu:/home/tim/gpmf-parser-develop/build# ./gpmf-parser ../../gpmf-parser-asan/crashes/karma.mp4-out_of_bound-idx\:0x749-0x3 
video framerate is 29.97 with 362 frames
  STRM of ACCL of type s with 196 samples -- 3 elements per sample
  STRM of GYRO of type s with 392 samples -- 3 elements per sample
  STRM of ISOG of type f with 29 samples 
  STRM of SHUT of type f with 29 samples 
  STRM of FWVS of type c with 8 samples 
  STRM of KBAT of type lLlsSSSSSSSBBBb with 1 sample -- 15 elements per sample
  STRM of GPRI of type JlllSSSSBB with 4 samples -- 10 elements per sample
  STRM of ATTD of type LffffffB with 4 samples -- 8 elements per sample
  STRM of GLPI of type LllllsssS with 4 samples -- 9 elements per sample
  STRM of VFRH of type ffffsS with 4 samples -- 6 elements per sample
  STRM of SYST of type JJ with 1 sample -- 2 elements per sample
  STRM of BPOS of type lllfffff with 2 samples -- 8 elements per sample
  STRM of ATTR of type Jffff with 4 samples -- 5 elements per sample
  STRM of SIMU of type Lsssssssss with 4 samples -- 10 elements per sample
  STRM of ESCS of type JSSSSSSSSssssSSSSSSSSSSSSSSSSB with 1 sample -- 30 elements per sample
  STRM of SCPR of type Lffs with 1 sample -- 4 elements per sample
  STRM of LNED of type Lffffff with 4 samples -- 7 elements per sample
  STRM of CYTS of type LLLLLfffBB with 4 samples -- 10 elements per sample
  STRM of CSEN of type LffffffLLLL with 4 samples -- 11 elements per sample

MP4 Payload time 0.000 to 1.001 seconds

=================================================================
==52577==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x604000000040 at pc 0x555c4c000692 bp 0x7fffe26e4dd0 sp 0x7fffe26e4dc0
READ of size 4 at 0x604000000040 thread T0
    #0 0x555c4c000691 in GetPayload /home/tim/gpmf-parser-develop/demo/GPMF_mp4reader.c:63
    #1 0x555c4bfff4e9 in main /home/tim/gpmf-parser-develop/demo/GPMF_demo.c:110
    #2 0x7f4a5c238b6a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x26b6a)
    #3 0x555c4bfa62f9 in _start (/home/tim/gpmf-parser-develop/build/gpmf-parser+0x22f9)

0x604000000040 is located 0 bytes to the right of 48-byte region [0x604000000010,0x604000000040)
allocated by thread T0 here:
    #0 0x7f4a5c509448 in malloc (/lib/x86_64-linux-gnu/libasan.so.5+0x10c448)
    #1 0x555c4c004fe9 in OpenMP4Source /home/tim/gpmf-parser-develop/demo/GPMF_mp4reader.c:440
    #2 0x555c4bfff15a in main /home/tim/gpmf-parser-develop/demo/GPMF_demo.c:50
    #3 0x7f4a5c238b6a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x26b6a)

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/tim/gpmf-parser-develop/demo/GPMF_mp4reader.c:63 in GetPayload
Shadow bytes around the buggy address:
  0x0c087fff7fb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c087fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c087fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c087fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c087fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c087fff8000: fa fa 00 00 00 00 00 00[fa]fa fa fa fa fa fa fa
  0x0c087fff8010: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff8020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==52577==ABORTING
root@ubuntu:/home/tim/gpmf-parser-develop/build# gcc --version
gcc (Ubuntu 8.3.0-6ubuntu1) 8.3.0
Copyright (C) 2018 Free Software Foundation, Inc.
This is free software; see the source for copying conditions.  There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

root@ubuntu:/home/tim/gpmf-parser-develop/build# cat /etc/issue
Ubuntu 19.04 \n \l

@dnewman-gpsw
Collaborator

size could corruption fixed.
