
AddressSanitizer: heap-use-after-free in GF_IPMPX_AUTH_Delete odf/ipmpx_code.c:115 #1328

Closed
Clingto opened this issue Nov 9, 2019 · 2 comments

Comments


Clingto commented Nov 9, 2019

System info:
Ubuntu 16.04.6 LTS, X64, gcc 5.4.0, gpac (latest master 00dfc93)
Compile Command:

$ CC="gcc -fsanitize=address -g" CXX="g++ -fsanitize=address -g" ./configure --static-mp4box
$ make

Run Command:

$ MP4Box -diso -out /dev/null $POC-new-GF_IPMPX_AUTH_Delete

POC file:
https://github.com/Clingto/POC/blob/master/gpac-MP4Box/gpac-00dfc93-crashes/POC-new-GF_IPMPX_AUTH_Delete

gdb info:

Program received signal SIGSEGV, Segmentation fault.
0x000000000056907e in gf_ipmpx_data_del ()
(gdb) bt
#0  0x000000000056907e in gf_ipmpx_data_del ()
#1  0x000000000056aa7c in gf_ipmpx_data_parse ()
#2  0x000000000056274a in gf_odf_read_ipmp ()
#3  0x000000000055a076 in gf_odf_parse_descriptor ()
#4  0x000000000056503b in gf_odf_desc_read ()
#5  0x00000000006ca7b4 in esds_Read ()
#6  0x00000000005137e1 in gf_isom_box_parse_ex.constprop ()
#7  0x0000000000513e15 in gf_isom_parse_root_box ()
#8  0x000000000051b4fe in gf_isom_parse_movie_boxes.part ()
#9  0x000000000051c48c in gf_isom_open_file ()
#10 0x000000000041c082 in mp4boxMain ()
#11 0x00007ffff72ed830 in __libc_start_main (main=0x40eb70 <main>, argc=5, argv=0x7fffffffe318, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe308) at ../csu/libc-start.c:291
#12 0x000000000040eba9 in _start ()

ASAN info:

ASAN:SIGSEGV
=================================================================
==27770==ERROR: AddressSanitizer: SEGV on unknown address 0x00000000000a (pc 0x0000007bacbf bp 0x00000000000a sp 0x7fffffff8020 T0)
    #0 0x7bacbe in GF_IPMPX_AUTH_Delete odf/ipmpx_code.c:115
    #1 0x7bacbe in delete_algo_list odf/ipmpx_code.c:363
    #2 0x7bacbe in DelGF_IPMPX_MutualAuthentication odf/ipmpx_code.c:371
    #3 0x7bacbe in gf_ipmpx_data_del odf/ipmpx_code.c:1853
    #4 0x7bec88 in gf_ipmpx_data_parse odf/ipmpx_code.c:295
    #5 0x7a9969 in gf_odf_read_ipmp odf/odf_code.c:2426
    #6 0x795ce3 in gf_odf_parse_descriptor odf/descriptors.c:159
    #7 0x7afc16 in gf_odf_desc_read odf/odf_codec.c:302
    #8 0xad3fb3 in esds_Read isomedia/box_code_base.c:1256
    #9 0x6c5114 in gf_isom_box_read isomedia/box_funcs.c:1528
    #10 0x6c5114 in gf_isom_box_parse_ex isomedia/box_funcs.c:208
    #11 0x6c5974 in gf_isom_parse_root_box isomedia/box_funcs.c:42
    #12 0x6da6a0 in gf_isom_parse_movie_boxes isomedia/isom_intern.c:206
    #13 0x6dd2f3 in gf_isom_parse_movie_boxes isomedia/isom_intern.c:194
    #14 0x6dd2f3 in gf_isom_open_file isomedia/isom_intern.c:615
    #15 0x42f88a in mp4boxMain /home/aota09/yyp/fuzzcompare/test/gpac/test-crash/build_asan_00dfc93/applications/mp4box/main.c:4767
    #16 0x7ffff638082f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #17 0x41e228 in _start (/home/aota09/yyp/fuzzcompare/test/gpac/test-crash/bin_asan/bin/MP4Box+0x41e228)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV odf/ipmpx_code.c:115 GF_IPMPX_AUTH_Delete
==27770==ABORTING


This issue still exists in the latest versions 0.8.0 (4c19ae5) and 0.9.0 (1de1f8d).


Addition: This bug was found with our fuzzer, which is based on AFL. Our fuzzer was developed by Yuanpingyu (cfenicey@gmail.com), Yanhao and Marsman1996 (lqliuyuwei@outlook.com).
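An added triage helper, not part of this issue or of gpac, that parses the ASAN report above (embedded below as a constructed, trimmed copy) into a dedup signature and surfaces two details worth reading off this report: frames #0 to #3 share a single pc, so they were inlined into one call site, and the faulting address 0xa lies in the zero page, so ASAN could only classify the fault as SEGV. Whether that pointer was stale (the later heap-use-after-free retitle) or never initialised cannot be decided from this report alone.

```python
import re

# Constructed sample input: a trimmed copy of the ASAN report posted in this issue.
ASAN_REPORT = """\
==27770==ERROR: AddressSanitizer: SEGV on unknown address 0x00000000000a (pc 0x0000007bacbf bp 0x00000000000a sp 0x7fffffff8020 T0)
    #0 0x7bacbe in GF_IPMPX_AUTH_Delete odf/ipmpx_code.c:115
    #1 0x7bacbe in delete_algo_list odf/ipmpx_code.c:363
    #2 0x7bacbe in DelGF_IPMPX_MutualAuthentication odf/ipmpx_code.c:371
    #3 0x7bacbe in gf_ipmpx_data_del odf/ipmpx_code.c:1853
    #4 0x7bec88 in gf_ipmpx_data_parse odf/ipmpx_code.c:295
    #5 0x7a9969 in gf_odf_read_ipmp odf/odf_code.c:2426
    #16 0x7ffff638082f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
SUMMARY: AddressSanitizer: SEGV odf/ipmpx_code.c:115 GF_IPMPX_AUTH_Delete
"""

ERROR_RE = re.compile(
    r"^==\d+==ERROR: AddressSanitizer: (?P<kind>[\w-]+)"
    r"(?: on (?:unknown )?address (?P<addr>0x[0-9a-f]+))?", re.M)
FRAME_RE = re.compile(
    r"^\s*#(?P<n>\d+) (?P<pc>0x[0-9a-f]+) in (?P<func>\S+) (?P<loc>\S+)", re.M)


def parse_report(text):
    """Return {'kind', 'addr', 'frames'}; each frame is a dict with n/pc/func/loc."""
    m = ERROR_RE.search(text)
    if not m:
        raise ValueError("no AddressSanitizer ERROR header found")
    frames = [f.groupdict() for f in FRAME_RE.finditer(text)]
    return {"kind": m["kind"],
            "addr": int(m["addr"], 16) if m["addr"] else None,
            "frames": frames}


def crash_signature(report, depth=3):
    """Dedup key: the first `depth` frames that resolved to a source file:line."""
    resolved = [f for f in report["frames"]
                if ":" in f["loc"] and not f["loc"].startswith("(")]
    return "|".join(f"{f['func']}@{f['loc']}" for f in resolved[:depth])


def near_null(report, page=4096):
    """True when the fault address is in the zero page: a NULL or NULL+offset
    dereference, which ASAN reports as SEGV, never as heap-use-after-free."""
    return report["addr"] is not None and report["addr"] < page


def inlined_run(report):
    """Leading frames that share one pc were inlined into a single call site;
    the real faulting code is the first of them."""
    frames = report["frames"]
    run = [frames[0]["func"]]
    for f in frames[1:]:
        if f["pc"] != frames[0]["pc"]:
            break
        run.append(f["func"])
    return run
```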

@Clingto changed the title from "AddressSanitizer: SEGV in GF_IPMPX_AUTH_Delete odf/ipmpx_code.c:115" to "AddressSanitizer: heap-use-after-free in GF_IPMPX_AUTH_Delete odf/ipmpx_code.c:115" on Dec 24, 2019

carnil commented Dec 31, 2019

CVE-2019-20170 was assigned for this issue.

aureliendavid added a commit that referenced this issue Jan 8, 2020
@aureliendavid (Contributor) commented

Thanks for the report.

This should be fixed in master / 0.8.0 as of the above commit.

It will be included in filters / 0.9.0 in the next merge.

Feel free to reopen the issue if necessary.
