Program received signal SIGSEGV, Segmentation fault.
0x0000000000505aee in stco_dump ()
(gdb) bt
#0  0x0000000000505aee in stco_dump ()
#1  0x0000000000514918 in gf_isom_box_dump_ex ()
#2  0x0000000000502e15 in gf_isom_box_array_dump ()
#3  0x00000000005149dc in gf_isom_box_dump_done ()
#4  0x0000000000503a1b in stbl_dump ()
#5  0x0000000000514918 in gf_isom_box_dump_ex ()
#6  0x0000000000502e15 in gf_isom_box_array_dump ()
#7  0x00000000005149dc in gf_isom_box_dump_done ()
#8  0x000000000050615d in minf_dump ()
#9  0x0000000000514918 in gf_isom_box_dump_ex ()
#10 0x0000000000502e15 in gf_isom_box_array_dump ()
#11 0x00000000005149dc in gf_isom_box_dump_done ()
#12 0x000000000050644d in mdia_dump ()
#13 0x0000000000514918 in gf_isom_box_dump_ex ()
#14 0x0000000000502e15 in gf_isom_box_array_dump ()
#15 0x00000000005149dc in gf_isom_box_dump_done ()
#16 0x000000000050435f in trak_dump ()
#17 0x0000000000514918 in gf_isom_box_dump_ex ()
#18 0x0000000000502e15 in gf_isom_box_array_dump ()
#19 0x00000000005149dc in gf_isom_box_dump_done ()
#20 0x000000000050337a in moov_dump ()
#21 0x0000000000514918 in gf_isom_box_dump_ex ()
#22 0x0000000000502f10 in gf_isom_dump ()
#23 0x0000000000425faa in dump_isom_xml ()
#24 0x000000000041c69a in mp4boxMain ()
#25 0x00007ffff72ed830 in __libc_start_main (main=0x40eb70 <main>, argc=5, argv=0x7fffffffe328, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe318) at ../csu/libc-start.c:291
#26 0x000000000040eba9 in _start ()
ASAN info:
==27939==ERROR: AddressSanitizer: heap-use-after-free on address 0x60600000eea0 at pc 0x000000aea883 bp 0x7fffffff7f90 sp 0x7fffffff7f80
READ of size 4 at 0x60600000eea0 thread T0
#0 0xaea882 in trak_Read isomedia/box_code_base.c:7148
#1 0x6c3d6e in gf_isom_box_read isomedia/box_funcs.c:1528
#2 0x6c3d6e in gf_isom_box_parse_ex isomedia/box_funcs.c:208
#3 0x6c47bc in gf_isom_box_array_read_ex isomedia/box_funcs.c:1419
#4 0xadc064 in moov_Read isomedia/box_code_base.c:3745
#5 0x6c5114 in gf_isom_box_read isomedia/box_funcs.c:1528
#6 0x6c5114 in gf_isom_box_parse_ex isomedia/box_funcs.c:208
#7 0x6c5974 in gf_isom_parse_root_box isomedia/box_funcs.c:42
#8 0x6da6a0 in gf_isom_parse_movie_boxes isomedia/isom_intern.c:206
#9 0x6dd2f3 in gf_isom_parse_movie_boxes isomedia/isom_intern.c:194
#10 0x6dd2f3 in gf_isom_open_file isomedia/isom_intern.c:615
#11 0x42f88a in mp4boxMain /home/aota09/yyp/fuzzcompare/test/gpac/test-crash/build_asan_00dfc93/applications/mp4box/main.c:4767
#12 0x7ffff638082f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#13 0x41e228 in _start (/home/aota09/yyp/fuzzcompare/test/gpac/test-crash/bin_asan/bin/MP4Box+0x41e228)
0x60600000eea0 is located 0 bytes inside of 56-byte region [0x60600000eea0,0x60600000eed8)
freed by thread T0 here:
#0 0x7ffff6f022ca in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x982ca)
#1 0x6c393f in gf_isom_box_del isomedia/box_funcs.c:1508
previously allocated by thread T0 here:
#0 0x7ffff6f02602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
#1 0xae2b8d in stco_New isomedia/box_code_base.c:5616
SUMMARY: AddressSanitizer: heap-use-after-free isomedia/box_code_base.c:7148 trak_Read
Shadow bytes around the buggy address:
0x0c0c7fff9d80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0c7fff9d90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0c7fff9da0: fa fa fa fa 00 00 00 00 00 00 00 00 fa fa fa fa
0x0c0c7fff9db0: 00 00 00 00 00 00 00 fa fa fa fa fa 00 00 00 00
0x0c0c7fff9dc0: 00 00 00 00 fa fa fa fa 00 00 00 00 00 00 00 04
=>0x0c0c7fff9dd0: fa fa fa fa[fd]fd fd fd fd fd fd fa fa fa fa fa
0x0c0c7fff9de0: 00 00 00 00 00 00 00 fa fa fa fa fa 00 00 00 00
0x0c0c7fff9df0: 00 00 00 fa fa fa fa fa 00 00 00 00 00 00 00 00
0x0c0c7fff9e00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0c7fff9e10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0c7fff9e20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
==27939==ABORTING
This bug still exists in the latest versions 0.8.0: 4c19ae5 and 0.9.0: 1de1f8d
asan
[iso file] Box "stco" (start 817) has 142 extra bytes
[iso file] Track with no sample description box !
=================================================================
==11412==ERROR: AddressSanitizer: heap-use-after-free on address 0x60600000eea0 at pc 0x000000aee083 bp 0x7fffffff7f70 sp 0x7fffffff7f60
READ of size 4 at 0x60600000eea0 thread T0
#0 0xaee082 in trak_Read isomedia/box_code_base.c:7153
#1 0x6c4ade in gf_isom_box_read isomedia/box_funcs.c:1529
#2 0x6c4ade in gf_isom_box_parse_ex isomedia/box_funcs.c:208
#3 0x6c552c in gf_isom_box_array_read_ex isomedia/box_funcs.c:1420
#4 0xadf844 in moov_Read isomedia/box_code_base.c:3745
#5 0x6c5e84 in gf_isom_box_read isomedia/box_funcs.c:1529
#6 0x6c5e84 in gf_isom_box_parse_ex isomedia/box_funcs.c:208
#7 0x6c66e4 in gf_isom_parse_root_box isomedia/box_funcs.c:42
#8 0x6dc060 in gf_isom_parse_movie_boxes isomedia/isom_intern.c:206
#9 0x6decb3 in gf_isom_parse_movie_boxes isomedia/isom_intern.c:194
#10 0x6decb3 in gf_isom_open_file isomedia/isom_intern.c:615
#11 0x42f93d in mp4boxMain /home/aota09/yyp/fuzzcompare/test/gpac/test-crash/build_asan_1de1f8d-0.9/applications/mp4box/main.c:4789
#12 0x7ffff638082f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#13 0x41e278 in _start (/home/aota09/yyp/fuzzcompare/test/gpac/test-crash/bin_asan_1de1f8d-0.9/bin/MP4Box+0x41e278)
0x60600000eea0 is located 0 bytes inside of 56-byte region [0x60600000eea0,0x60600000eed8)
freed by thread T0 here:
#0 0x7ffff6f022ca in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x982ca)
#1 0x6c46af in gf_isom_box_del isomedia/box_funcs.c:1509
previously allocated by thread T0 here:
#0 0x7ffff6f02602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
#1 0xae636d in stco_New isomedia/box_code_base.c:5616
SUMMARY: AddressSanitizer: heap-use-after-free isomedia/box_code_base.c:7153 trak_Read
Shadow bytes around the buggy address:
0x0c0c7fff9d80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0c7fff9d90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0c7fff9da0: fa fa fa fa 00 00 00 00 00 00 00 00 fa fa fa fa
0x0c0c7fff9db0: 00 00 00 00 00 00 00 fa fa fa fa fa 00 00 00 00
0x0c0c7fff9dc0: 00 00 00 00 fa fa fa fa 00 00 00 00 00 00 00 04
=>0x0c0c7fff9dd0: fa fa fa fa[fd]fd fd fd fd fd fd fa fa fa fa fa
0x0c0c7fff9de0: 00 00 00 00 00 00 00 fa fa fa fa fa 00 00 00 00
0x0c0c7fff9df0: 00 00 00 fa fa fa fa fa 00 00 00 00 00 00 00 00
0x0c0c7fff9e00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0c7fff9e10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0c7fff9e20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
==11412==ABORTING
Addition: This bug was found with our fuzzer, which is based on AFL. Our fuzzer is developed by Yuanpingyu (cfenicey@gmail.com), Yanhao and Marsman1996 (lqliuyuwei@outlook.com).
Clingto changed the title from "AddressSanitizer: heap-use-after-free in trak_Read isomedia/box_code_base.c:7148" to "AddressSanitizer: heap-use-after-free in trak_Read isomedia/box_code_base.c:7153" on Dec 24, 2019
System info:
Ubuntu 16.04.6 LTS, X64, gcc 5.4.0, gpac (latest master 00dfc93)
Compile Command:
Run Command:
POC file:
https://github.com/Clingto/POC/blob/master/gpac-MP4Box/gpac-00dfc93-crashes/POC-new-trak_Read