
AddressSanitizer: heap-buffer-overflow in ReadGF_IPMPX_WatermarkingInit at ipmpx_code.c:1517 #1320

Closed
Clingto opened this issue Oct 28, 2019 · 2 comments


Clingto commented Oct 28, 2019

System info:
Ubuntu 16.04.6 LTS, X64, gcc 5.4.0, gpac (master 6ada10e)
Compile Command:

$ CC="gcc -fsanitize=address -g" CXX="g++ -fsanitize=address -g" ./configure --static-mp4box
$ make

Run Command:

$ MP4Box -diso -out /dev/null $POC-ReadGF_IPMPX_WatermarkingInit

POC file:
https://github.com/Clingto/POC/blob/master/gpac-MP4Box/POC-ReadGF_IPMPX_WatermarkingInit
ASAN info:

==26293==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000efb1 at pc 0x7ffff6ef6904 bp 0x7fffffff7e90 sp 0x7fffffff7638
WRITE of size 40 at 0x60200000efb1 thread T0
    #0 0x7ffff6ef6903 in __asan_memcpy (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x8c903)
    #1 0x4709b5 in memcpy /usr/include/x86_64-linux-gnu/bits/string3.h:53
    #2 0x4709b5 in gf_bs_read_data utils/bitstream.c:461
    #3 0x7bc40d in ReadGF_IPMPX_WatermarkingInit odf/ipmpx_code.c:1517
    #4 0x7bc40d in GF_IPMPX_ReadData odf/ipmpx_code.c:2020
    #5 0x7beab7 in gf_ipmpx_data_parse odf/ipmpx_code.c:293
    #6 0x7a97c9 in gf_odf_read_ipmp odf/odf_code.c:2426
    #7 0x795b43 in gf_odf_parse_descriptor odf/descriptors.c:159
    #8 0x7afa76 in gf_odf_desc_read odf/odf_codec.c:302
    #9 0xad3e13 in esds_Read isomedia/box_code_base.c:1256
    #10 0x6c5114 in gf_isom_box_read isomedia/box_funcs.c:1528
    #11 0x6c5114 in gf_isom_box_parse_ex isomedia/box_funcs.c:208
    #12 0x6c5974 in gf_isom_parse_root_box isomedia/box_funcs.c:42
    #13 0x6da6a0 in gf_isom_parse_movie_boxes isomedia/isom_intern.c:206
    #14 0x6dd2f3 in gf_isom_parse_movie_boxes isomedia/isom_intern.c:194
    #15 0x6dd2f3 in gf_isom_open_file isomedia/isom_intern.c:615
    #16 0x42f88a in mp4boxMain /home/aota09/yyp/fuzzcompare/test/gpac/test-crash/build_asan/applications/mp4box/main.c:4767
    #17 0x7ffff638082f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #18 0x41e228 in _start (/home/aota09/yyp/fuzzcompare/test/gpac/test-crash/bin_asan/bin/MP4Box+0x41e228)

0x60200000efb1 is located 0 bytes to the right of 1-byte region [0x60200000efb0,0x60200000efb1)
allocated by thread T0 here:
    #0 0x7ffff6f02602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
    #1 0x7bc3bf in ReadGF_IPMPX_WatermarkingInit odf/ipmpx_code.c:1516
    #2 0x7bc3bf in GF_IPMPX_ReadData odf/ipmpx_code.c:2020

SUMMARY: AddressSanitizer: heap-buffer-overflow ??:0 __asan_memcpy
==26293==ABORTING

gdb info:


Program received signal SIGABRT, Aborted.
0x00007ffff7302428 in __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:54
54      ../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
(gdb) bt
#0  0x00007ffff7302428 in __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:54
#1  0x00007ffff730402a in __GI_abort () at abort.c:89
#2  0x00007ffff73447ea in __libc_message (do_abort=do_abort@entry=2, fmt=fmt@entry=0x7ffff745ded8 "*** Error in `%s': %s: 0x%s ***\n") at ../sysdeps/posix/libc_fatal.c:175
#3  0x00007ffff734d37a in malloc_printerr (ar_ptr=<optimized out>, ptr=<optimized out>, str=0x7ffff745df50 "free(): invalid next size (fast)", action=3) at malloc.c:5006
#4  _int_free (av=<optimized out>, p=<optimized out>, have_lock=0) at malloc.c:3867
#5  0x00007ffff735153c in __GI___libc_free (mem=<optimized out>) at malloc.c:2968
#6  0x0000000000568b82 in DelGF_IPMPX_OpaqueData (_p=<optimized out>) at odf/ipmpx_code.c:1205
#7  gf_ipmpx_data_del (_p=_p@entry=0x9cc760) at odf/ipmpx_code.c:1835
#8  0x00000000005624bd in gf_odf_del_ipmp (ipmp=0x9cc670) at odf/odf_code.c:2390
#9  0x000000000055a031 in gf_odf_parse_descriptor (bs=bs@entry=0x9cc610, desc=desc@entry=0x9cc578, desc_size=desc_size@entry=0x7fffffff9694) at odf/descriptors.c:176
#10 0x0000000000564f7b in gf_odf_desc_read (raw_desc=raw_desc@entry=0x9cc590 "\v@\377\377\377\377", descSize=descSize@entry=108, outDesc=outDesc@entry=0x9cc578) at odf/odf_codec.c:302
#11 0x00000000006ca6f4 in esds_Read (s=0x9cc550, bs=0x9cb460) at isomedia/box_code_base.c:1256
#12 0x00000000005137e1 in gf_isom_box_read (bs=0x9cb460, a=0x9cc550) at isomedia/box_funcs.c:1528
#13 gf_isom_box_parse_ex (outBox=outBox@entry=0x7fffffff9800, bs=bs@entry=0x9cb460, is_root_box=is_root_box@entry=GF_TRUE, parent_type=0) at isomedia/box_funcs.c:208
#14 0x0000000000513e15 in gf_isom_parse_root_box (outBox=outBox@entry=0x7fffffff9800, bs=0x9cb460, bytesExpected=bytesExpected@entry=0x7fffffff9850, progressive_mode=progressive_mode@entry=GF_FALSE) at isomedia/box_funcs.c:42
#15 0x000000000051b4fe in gf_isom_parse_movie_boxes (mov=mov@entry=0x9cb010, bytesMissing=bytesMissing@entry=0x7fffffff9850, progressive_mode=progressive_mode@entry=GF_FALSE) at isomedia/isom_intern.c:206
#16 0x000000000051c48c in gf_isom_parse_movie_boxes (progressive_mode=GF_FALSE, bytesMissing=0x7fffffff9850, mov=0x9cb010) at isomedia/isom_intern.c:194
#17 gf_isom_open_file (fileName=0x7fffffffe627 "./real-crashs/POC-ReadGF_IPMPX_WatermarkingInit", OpenMode=0, tmp_dir=0x0) at isomedia/isom_intern.c:615
#18 0x000000000041c082 in mp4boxMain (argc=<optimized out>, argv=<optimized out>) at main.c:4767
#19 0x00007ffff72ed830 in __libc_start_main (main=0x40eb70 <main>, argc=5, argv=0x7fffffffe358, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe348) at ../csu/libc-start.c:291
#20 0x000000000040eba9 in _start ()


This issue still exists in the latest versions, 0.8.0 (4c19ae5) and 0.9.0 (1de1f8d).


Addition: This bug was found with our fuzzer, which is based on AFL. Our fuzzer is developed by Yuanpingyu (cfenicey@gmail.com), Yanhao and Marsman1996 (lqliuyuwei@outlook.com).
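The ASan report above shows a 1-byte heap region allocated at ipmpx_code.c:1516 and a 40-byte write into it by gf_bs_read_data one line later, and the non-instrumented gdb run shows the same corruption surfacing only later as "free(): invalid next size (fast)" during descriptor teardown. The defect class is a length-prefixed field whose declared length is not tied to both the remaining input and the size of the buffer it is copied into. The following is an added illustration, not gpac's code: a hypothetical byte-stream reader in which the allocation and the copy are derived from one validated length, so an oversized declared length is rejected before any memory is allocated.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical byte-stream reader (not gpac's GF_BitStream). */
typedef struct {
    const uint8_t *data;
    size_t size;
    size_t pos;
} stream_t;

/* Length-prefixed payload as read by the hypothetical parser. */
typedef struct {
    uint8_t *payload;
    size_t len;
} field_t;

/* Reads a 16-bit big-endian length followed by that many bytes.
 * Returns 0 on success, -1 on truncated input or allocation failure.
 * The allocation size and the copy size come from the SAME validated
 * length, so the destination can never be smaller than the copy. */
int read_length_prefixed(stream_t *s, field_t *out)
{
    out->payload = NULL;
    out->len = 0;
    if (s->size - s->pos < 2)              /* no room for the length field itself */
        return -1;
    size_t len = ((size_t)s->data[s->pos] << 8) | s->data[s->pos + 1];
    s->pos += 2;
    if (len > s->size - s->pos)            /* declared length exceeds remaining input */
        return -1;
    uint8_t *buf = malloc(len ? len : 1);  /* avoid zero-size malloc ambiguity */
    if (!buf)
        return -1;
    memcpy(buf, s->data + s->pos, len);    /* bounded by the check and the allocation */
    s->pos += len;
    out->payload = buf;
    out->len = len;
    return 0;
}

/* Convenience wrapper: parse a constructed buffer from offset 0. */
int parse_constructed(const uint8_t *buf, size_t n, field_t *out)
{
    stream_t s = { buf, n, 0 };
    return read_length_prefixed(&s, out);
}
```

Because the overflow only corrupts heap metadata, a build without ASan reports it at the later free() rather than at the write; the ASan stack with the allocation site is the trace to triage from.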


carnil commented Dec 31, 2019

CVE-2019-20161 was assigned for this issue.

aureliendavid added a commit that referenced this issue Jan 8, 2020
aureliendavid (Contributor) commented:

Thanks for the report.

This should be fixed in master / 0.8.0 as of the above commit.

It will be included in filters / 0.9.0 in the next merge.

Feel free to reopen the issue if necessary.
