ASAN info:
==26293==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000efb1 at pc 0x7ffff6ef6904 bp 0x7fffffff7e90 sp 0x7fffffff7638
WRITE of size 40 at 0x60200000efb1 thread T0
#0 0x7ffff6ef6903 in __asan_memcpy (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x8c903)
#1 0x4709b5 in memcpy /usr/include/x86_64-linux-gnu/bits/string3.h:53
#2 0x4709b5 in gf_bs_read_data utils/bitstream.c:461
#3 0x7bc40d in ReadGF_IPMPX_WatermarkingInit odf/ipmpx_code.c:1517
#4 0x7bc40d in GF_IPMPX_ReadData odf/ipmpx_code.c:2020
#5 0x7beab7 in gf_ipmpx_data_parse odf/ipmpx_code.c:293
#6 0x7a97c9 in gf_odf_read_ipmp odf/odf_code.c:2426
#7 0x795b43 in gf_odf_parse_descriptor odf/descriptors.c:159
#8 0x7afa76 in gf_odf_desc_read odf/odf_codec.c:302
#9 0xad3e13 in esds_Read isomedia/box_code_base.c:1256
#10 0x6c5114 in gf_isom_box_read isomedia/box_funcs.c:1528
#11 0x6c5114 in gf_isom_box_parse_ex isomedia/box_funcs.c:208
#12 0x6c5974 in gf_isom_parse_root_box isomedia/box_funcs.c:42
#13 0x6da6a0 in gf_isom_parse_movie_boxes isomedia/isom_intern.c:206
#14 0x6dd2f3 in gf_isom_parse_movie_boxes isomedia/isom_intern.c:194
#15 0x6dd2f3 in gf_isom_open_file isomedia/isom_intern.c:615
#16 0x42f88a in mp4boxMain /home/aota09/yyp/fuzzcompare/test/gpac/test-crash/build_asan/applications/mp4box/main.c:4767
#17 0x7ffff638082f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#18 0x41e228 in _start (/home/aota09/yyp/fuzzcompare/test/gpac/test-crash/bin_asan/bin/MP4Box+0x41e228)
0x60200000efb1 is located 0 bytes to the right of 1-byte region [0x60200000efb0,0x60200000efb1)
allocated by thread T0 here:
#0 0x7ffff6f02602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
#1 0x7bc3bf in ReadGF_IPMPX_WatermarkingInit odf/ipmpx_code.c:1516
#2 0x7bc3bf in GF_IPMPX_ReadData odf/ipmpx_code.c:2020
SUMMARY: AddressSanitizer: heap-buffer-overflow ??:0 __asan_memcpy
Shadow bytes around the buggy address:
0x0c047fff9da0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9db0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9dc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9dd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9de0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c047fff9df0: fa fa fa fa fa fa[01]fa fa fa 00 00 fa fa 00 00
0x0c047fff9e00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9e10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9e20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9e30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9e40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
==26293==ABORTING
gdb info:
7ffff70cd000-7ffff72cc000 ---p 00016000 08:02 67633677 /lib/x86_64-linux-gnu/libgcc_s.so.1
7ffff72cc000-7ffff72cd000 rw-p 00015000 08:02 67633677 /lib/x86_64-linux-gnu/libgcc_s.so.1
7ffff72cd000-7ffff748d000 r-xp 00000000 08:02 67637542 /lib/x86_64-linux-gnu/libc-2.23.so
7ffff748d000-7ffff768d000 ---p 001c0000 08:02 67637542 /lib/x86_64-linux-gnu/libc-2.23.so
7ffff768d000-7ffff7691000 r--p 001c0000 08:02 67637542 /lib/x86_64-linux-gnu/libc-2.23.so
7ffff7691000-7ffff7693000 rw-p 001c4000 08:02 67637542 /lib/x86_64-linux-gnu/libc-2.23.so
7ffff7693000-7ffff7697000 rw-p 00000000 00:00 0
7ffff7697000-7ffff76b0000 r-xp 00000000 08:02 67633774 /lib/x86_64-linux-gnu/libz.so.1.2.8
7ffff76b0000-7ffff78af000 ---p 00019000 08:02 67633774 /lib/x86_64-linux-gnu/libz.so.1.2.8
7ffff78af000-7ffff78b0000 r--p 00018000 08:02 67633774 /lib/x86_64-linux-gnu/libz.so.1.2.8
7ffff78b0000-7ffff78b1000 rw-p 00019000 08:02 67633774 /lib/x86_64-linux-gnu/libz.so.1.2.8
7ffff78b1000-7ffff79b9000 r-xp 00000000 08:02 67637545 /lib/x86_64-linux-gnu/libm-2.23.so
7ffff79b9000-7ffff7bb8000 ---p 00108000 08:02 67637545 /lib/x86_64-linux-gnu/libm-2.23.so
7ffff7bb8000-7ffff7bb9000 r--p 00107000 08:02 67637545 /lib/x86_64-linux-gnu/libm-2.23.so
7ffff7bb9000-7ffff7bba000 rw-p 00108000 08:02 67637545 /lib/x86_64-linux-gnu/libm-2.23.so
7ffff7bba000-7ffff7bd2000 r-xp 00000000 08:02 67637529 /lib/x86_64-linux-gnu/libpthread-2.23.so
7ffff7bd2000-7ffff7dd1000 ---p 00018000 08:02 67637529 /lib/x86_64-linux-gnu/libpthread-2.23.so
7ffff7dd1000-7ffff7dd2000 r--p 00017000 08:02 67637529 /lib/x86_64-linux-gnu/libpthread-2.23.so
7ffff7dd2000-7ffff7dd3000 rw-p 00018000 08:02 67637529 /lib/x86_64-linux-gnu/libpthread-2.23.so
7ffff7dd3000-7ffff7dd7000 rw-p 00000000 00:00 0
7ffff7dd7000-7ffff7dfd000 r-xp 00000000 08:02 67637528 /lib/x86_64-linux-gnu/ld-2.23.so
7ffff7fe3000-7ffff7fe8000 rw-p 00000000 00:00 0
7ffff7ff7000-7ffff7ff8000 rw-p 00000000 00:00 0
7ffff7ff8000-7ffff7ffa000 r--p 00000000 00:00 0 [vvar]
7ffff7ffa000-7ffff7ffc000 r-xp 00000000 00:00 0 [vdso]
7ffff7ffc000-7ffff7ffd000 r--p 00025000 08:02 67637528 /lib/x86_64-linux-gnu/ld-2.23.so
7ffff7ffd000-7ffff7ffe000 rw-p 00026000 08:02 67637528 /lib/x86_64-linux-gnu/ld-2.23.so
7ffff7ffe000-7ffff7fff000 rw-p 00000000 00:00 0
7ffffffde000-7ffffffff000 rw-p 00000000 00:00 0 [stack]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0 [vsyscall]
Program received signal SIGABRT, Aborted.
0x00007ffff7302428 in __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:54
54 ../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
(gdb) bt
#0  0x00007ffff7302428 in __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:54
#1  0x00007ffff730402a in __GI_abort () at abort.c:89
#2  0x00007ffff73447ea in __libc_message (do_abort=do_abort@entry=2, fmt=fmt@entry=0x7ffff745ded8 "*** Error in `%s': %s: 0x%s ***\n") at ../sysdeps/posix/libc_fatal.c:175
#3  0x00007ffff734d37a in malloc_printerr (ar_ptr=<optimized out>, ptr=<optimized out>, str=0x7ffff745df50 "free(): invalid next size (fast)", action=3) at malloc.c:5006
#4  _int_free (av=<optimized out>, p=<optimized out>, have_lock=0) at malloc.c:3867
#5  0x00007ffff735153c in __GI___libc_free (mem=<optimized out>) at malloc.c:2968
#6  0x0000000000568b82 in DelGF_IPMPX_OpaqueData (_p=<optimized out>) at odf/ipmpx_code.c:1205
#7  gf_ipmpx_data_del (_p=_p@entry=0x9cc760) at odf/ipmpx_code.c:1835
#8  0x00000000005624bd in gf_odf_del_ipmp (ipmp=0x9cc670) at odf/odf_code.c:2390
#9  0x000000000055a031 in gf_odf_parse_descriptor (bs=bs@entry=0x9cc610, desc=desc@entry=0x9cc578, desc_size=desc_size@entry=0x7fffffff9694) at odf/descriptors.c:176
#10 0x0000000000564f7b in gf_odf_desc_read (raw_desc=raw_desc@entry=0x9cc590 "\v@\377\377\377\377", descSize=descSize@entry=108, outDesc=outDesc@entry=0x9cc578) at odf/odf_codec.c:302
#11 0x00000000006ca6f4 in esds_Read (s=0x9cc550, bs=0x9cb460) at isomedia/box_code_base.c:1256
#12 0x00000000005137e1 in gf_isom_box_read (bs=0x9cb460, a=0x9cc550) at isomedia/box_funcs.c:1528
#13 gf_isom_box_parse_ex (outBox=outBox@entry=0x7fffffff9800, bs=bs@entry=0x9cb460, is_root_box=is_root_box@entry=GF_TRUE, parent_type=0) at isomedia/box_funcs.c:208
#14 0x0000000000513e15 in gf_isom_parse_root_box (outBox=outBox@entry=0x7fffffff9800, bs=0x9cb460, bytesExpected=bytesExpected@entry=0x7fffffff9850, progressive_mode=progressive_mode@entry=GF_FALSE) at isomedia/box_funcs.c:42
#15 0x000000000051b4fe in gf_isom_parse_movie_boxes (mov=mov@entry=0x9cb010, bytesMissing=bytesMissing@entry=0x7fffffff9850, progressive_mode=progressive_mode@entry=GF_FALSE) at isomedia/isom_intern.c:206
#16 0x000000000051c48c in gf_isom_parse_movie_boxes (progressive_mode=GF_FALSE, bytesMissing=0x7fffffff9850, mov=0x9cb010) at isomedia/isom_intern.c:194
#17 gf_isom_open_file (fileName=0x7fffffffe627 "./real-crashs/POC-ReadGF_IPMPX_WatermarkingInit", OpenMode=0, tmp_dir=0x0) at isomedia/isom_intern.c:615
#18 0x000000000041c082 in mp4boxMain (argc=<optimized out>, argv=<optimized out>) at main.c:4767
#19 0x00007ffff72ed830 in __libc_start_main (main=0x40eb70 <main>, argc=5, argv=0x7fffffffe358, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe348) at ../csu/libc-start.c:291
#20 0x000000000040eba9 in _start ()
This bug still exists in the latest versions 0.8.0 (4c19ae5) and 0.9.0 (1de1f8d).
Addition: This bug was found with our fuzzer, which is based on AFL. Our fuzzer is developed by Yuanpingyu (cfenicey@gmail.com), Yanhao and Marsman1996 (lqliuyuwei@outlook.com).
System info:
Ubuntu 16.04.6 LTS, X64, gcc 5.4.0, gpac (master 6ada10e)
Compile Command:
Run Command:
POC file:
https://github.com/Clingto/POC/blob/master/gpac-MP4Box/POC-ReadGF_IPMPX_WatermarkingInit