Program received signal SIGSEGV, Segmentation fault.
__GI___libc_free (mem=0x6a06e81bf20d02) at malloc.c:2951
2951 malloc.c: No such file or directory.
(gdb) bt
#0  __GI___libc_free (mem=0x6a06e81bf20d02) at malloc.c:2951
#1  0x00000000006d4ab7 in reftype_del ()
#2  0x0000000000512a7d in gf_isom_box_del ()
#3  0x00000000005135fe in gf_isom_box_array_read_ex ()
#4  0x00000000005137e1 in gf_isom_box_parse_ex.constprop ()
#5  0x0000000000513e15 in gf_isom_parse_root_box ()
#6  0x000000000051b4fe in gf_isom_parse_movie_boxes.part ()
#7  0x000000000051c48c in gf_isom_open_file ()
#8  0x000000000041c082 in mp4boxMain ()
#9  0x00007ffff72ed830 in __libc_start_main (main=0x40eb70 <main>, argc=5, argv=0x7fffffffe318, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe308) at ../csu/libc-start.c:291
#10 0x000000000040eba9 in _start ()
For POC-new-gf_isom_box_parse_ex-2
gdb info:
Program received signal SIGSEGV, Segmentation fault.
__GI___libc_free (mem=0x1c1c1c1c1c1c1c1c) at malloc.c:2951
2951 malloc.c: No such file or directory.
(gdb) bt
#0  __GI___libc_free (mem=0x1c1c1c1c1c1c1c1c) at malloc.c:2951
#1  0x00000000006d4ab7 in reftype_del ()
#2  0x0000000000512a7d in gf_isom_box_del ()
#3  0x00000000005135fe in gf_isom_box_array_read_ex ()
#4  0x00000000005137e1 in gf_isom_box_parse_ex.constprop ()
#5  0x0000000000513e15 in gf_isom_parse_root_box ()
#6  0x000000000051b4fe in gf_isom_parse_movie_boxes.part ()
#7  0x000000000051c48c in gf_isom_open_file ()
#8  0x000000000041c082 in mp4boxMain ()
#9  0x00007ffff72ed830 in __libc_start_main (main=0x40eb70 <main>, argc=5, argv=0x7fffffffe318, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe308) at ../csu/libc-start.c:291
#10 0x000000000040eba9 in _start ()
For POC-new-gf_isom_box_parse_ex
ASAN info:
==25783==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60400000df80 at pc 0x0000006c4392 bp 0x7fffffff8090 sp 0x7fffffff8080
WRITE of size 4 at 0x60400000df80 thread T0
#0 0x6c4391 in gf_isom_box_parse_ex isomedia/box_funcs.c:189
#1 0x6c47bc in gf_isom_box_array_read_ex isomedia/box_funcs.c:1419
#2 0x6c5114 in gf_isom_box_read isomedia/box_funcs.c:1528
#3 0x6c5114 in gf_isom_box_parse_ex isomedia/box_funcs.c:208
#4 0x6c5974 in gf_isom_parse_root_box isomedia/box_funcs.c:42
#5 0x6da6a0 in gf_isom_parse_movie_boxes isomedia/isom_intern.c:206
#6 0x6dd2f3 in gf_isom_parse_movie_boxes isomedia/isom_intern.c:194
#7 0x6dd2f3 in gf_isom_open_file isomedia/isom_intern.c:615
#8 0x42f88a in mp4boxMain /home/aota09/yyp/fuzzcompare/test/gpac/test-crash/build_asan_00dfc93/applications/mp4box/main.c:4767
#9 0x7ffff638082f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#10 0x41e228 in _start (/home/aota09/yyp/fuzzcompare/test/gpac/test-crash/bin_asan/bin/MP4Box+0x41e228)
0x60400000df80 is located 0 bytes to the right of 48-byte region [0x60400000df50,0x60400000df80)
allocated by thread T0 here:
#0 0x7ffff6f02602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
#1 0xaec17d in reftype_New isomedia/box_code_base.c:7521
SUMMARY: AddressSanitizer: heap-buffer-overflow isomedia/box_funcs.c:189 gf_isom_box_parse_ex
Shadow bytes around the buggy address:
==25783==ABORTING
For POC-new-gf_isom_box_parse_ex-2
ASAN info:
==25917==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60400000e000 at pc 0x0000006c4392 bp 0x7fffffff8090 sp 0x7fffffff8080
WRITE of size 4 at 0x60400000e000 thread T0
#0 0x6c4391 in gf_isom_box_parse_ex isomedia/box_funcs.c:189
#1 0x6c47bc in gf_isom_box_array_read_ex isomedia/box_funcs.c:1419
#2 0x6c5114 in gf_isom_box_read isomedia/box_funcs.c:1528
#3 0x6c5114 in gf_isom_box_parse_ex isomedia/box_funcs.c:208
#4 0x6c5974 in gf_isom_parse_root_box isomedia/box_funcs.c:42
#5 0x6da6a0 in gf_isom_parse_movie_boxes isomedia/isom_intern.c:206
#6 0x6dd2f3 in gf_isom_parse_movie_boxes isomedia/isom_intern.c:194
#7 0x6dd2f3 in gf_isom_open_file isomedia/isom_intern.c:615
#8 0x42f88a in mp4boxMain /home/aota09/yyp/fuzzcompare/test/gpac/test-crash/build_asan_00dfc93/applications/mp4box/main.c:4767
#9 0x7ffff638082f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#10 0x41e228 in _start (/home/aota09/yyp/fuzzcompare/test/gpac/test-crash/bin_asan/bin/MP4Box+0x41e228)
0x60400000e000 is located 0 bytes to the right of 48-byte region [0x60400000dfd0,0x60400000e000)
allocated by thread T0 here:
#0 0x7ffff6f02602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
#1 0xaec17d in reftype_New isomedia/box_code_base.c:7521
SUMMARY: AddressSanitizer: heap-buffer-overflow isomedia/box_funcs.c:189 gf_isom_box_parse_ex
Shadow bytes around the buggy address:
==25917==ABORTING
This bug still exists in the latest versions 0.8.0 (4c19ae5) and 0.9.0 (1de1f8d).
Addition: This bug was found with our fuzzer, which is based on AFL. Our fuzzer is developed by Yuanpingyu (cfenicey@gmail.com), Yanhao and Marsman1996 (lqliuyuwei@outlook.com).
System info:
Ubuntu 16.04.6 LTS, X64, gcc 5.4.0, gpac (latest master 00dfc93)
Compile Command:
Run Command:
POC file:
https://github.com/Clingto/POC/blob/master/gpac-MP4Box/gpac-00dfc93-crashes/POC-new-gf_isom_box_parse_ex
https://github.com/Clingto/POC/blob/master/gpac-MP4Box/gpac-00dfc93-crashes/POC-new-gf_isom_box_parse_ex-2