AddressSanitizer: NULL pointer dereference in senc_Parse isomedia/box_code_drm.c:1378 #1330

Closed
Clingto opened this issue Nov 9, 2019 · 2 comments

Comments

@Clingto

Clingto commented Nov 9, 2019

System info:
Ubuntu 16.04.6 LTS, X64, gcc 5.4.0, gpac (latest master 00dfc93)
Compile Command:

$ CC="gcc -fsanitize=address -g" CXX="g++ -fsanitize=address -g" ./configure --static-mp4box
$ make

Run Command:

$ MP4Box -diso -out /dev/null $POC-new-senc_Parse

POC file:
https://github.com/Clingto/POC/blob/master/gpac-MP4Box/gpac-00dfc93-crashes/POC-new-senc_Parse

gdb info:

Program received signal SIGSEGV, Segmentation fault.
0x00000000006e1112 in senc_Parse ()
(gdb) bt
#0  0x00000000006e1112 in senc_Parse ()
#1  0x000000000051b7b2 in gf_isom_parse_movie_boxes.part ()
#2  0x000000000051c48c in gf_isom_open_file ()
#3  0x000000000041c082 in mp4boxMain ()
#4  0x00007ffff72ed830 in __libc_start_main (main=0x40eb70 <main>, argc=5, argv=0x7fffffffe328, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe318) at ../csu/libc-start.c:291
#5  0x000000000040eba9 in _start ()

ASAN info:

[iso file] Unknown box type tfhd in parent moof
[iso file] Unknown box type mvhd in parent moof
[iso file] Box "tfhd" (start 561) has 68 extra bytes
[iso file] Box "tfhd" (start 653) has 594 extra bytes
[iso file] extra box tfhd found in traf, deleting
[iso file] Box "tfhd" (start 1275) has 68 extra bytes
[iso file] Unknown box type VOID in parent moof
[iso file] Box "tfhd" (start 1993) has 68 extra bytes
[iso file] Box "sgpd" (start 2085) has 373 extra bytes
[iso file] Box "traf" is larger than container box
[iso file] Box "moof" size 2056 (start 24) invalid (read 2675)
[iso file] Movie fragment but no moov (yet) - possibly broken parsing!
[isobmf] no moov found, cannot get cenc default info, assuming isEncrypted, IV size 16

ASAN:SIGSEGV
=================================================================
==27812==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000058 (pc 0x000000b0801d bp 0x000000000003 sp 0x7fffffff82c0 T0)
    #0 0xb0801c in senc_Parse isomedia/box_code_drm.c:1378
    #1 0x6dc006 in gf_isom_parse_movie_boxes isomedia/isom_intern.c:407
    #2 0x6dd2f3 in gf_isom_parse_movie_boxes isomedia/isom_intern.c:194
    #3 0x6dd2f3 in gf_isom_open_file isomedia/isom_intern.c:615
    #4 0x42f88a in mp4boxMain /home/aota09/yyp/fuzzcompare/test/gpac/test-crash/build_asan_00dfc93/applications/mp4box/main.c:4767
    #5 0x7ffff638082f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #6 0x41e228 in _start (/home/aota09/yyp/fuzzcompare/test/gpac/test-crash/bin_asan/bin/MP4Box+0x41e228)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV isomedia/box_code_drm.c:1378 senc_Parse
==27812==ABORTING


This issue still exists in the latest versions, 0.8.0 (4c19ae5) and 0.9.0 (1de1f8d).


Addition: This bug was found with our fuzzer, which is based on AFL. Our fuzzer is developed by Yuanpingyu (cfenicey@gmail.com), Yanhao and Marsman1996 (lqliuyuwei@outlook.com).

@Clingto Clingto changed the title AddressSanitizer: SEGV in senc_Parse isomedia/box_code_drm.c:1378 AddressSanitizer: NULL pointer dereference in senc_Parse isomedia/box_code_drm.c:1378 Dec 24, 2019
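The log above shows the trigger condition: a `moof` is parsed before any `moov`, so the CENC defaults that normally come from the track's `tenc` box are unavailable, and the fault address 0x58 in the ASAN report is what a field read through a NULL struct pointer looks like. The following is an added example, not gpac's code and not the fix referenced later in the thread: a toy, bounds-checked walker for the `senc` payload layout defined in ISO/IEC 23001-7 that refuses to parse when no defaults context exists, instead of dereferencing it. The struct names, error codes, constants and the sample payload are all constructed for this example; the sample bytes are not taken from the POC file.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical defaults normally filled from the track's 'tenc' box under
   'moov'.  A moof-before-moov stream (the case in the log) has none, so the
   caller passes NULL and the parser must treat that as an error. */
typedef struct {
    int     is_encrypted;
    uint8_t iv_size;     /* Per_Sample_IV_Size: 0, 8 or 16 (ISO/IEC 23001-7) */
} cenc_defaults;

typedef struct {
    uint32_t sample_count;      /* declared sample_count field */
    uint32_t subsample_entries; /* subsample entries actually walked */
    size_t   bytes_consumed;    /* payload bytes the parser consumed */
} senc_info;

enum {
    SENC_OK              =  0,
    SENC_ERR_NO_DEFAULTS = -1,  /* no moov/tenc context: refuse to parse */
    SENC_ERR_BAD_IV_SIZE = -2,
    SENC_ERR_TRUNCATED   = -3   /* sample_count promises more than the box holds */
};

static uint32_t rd32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] <<  8) |  (uint32_t)p[3];
}

static uint16_t rd16(const uint8_t *p)
{
    return (uint16_t)(((uint16_t)p[0] << 8) | p[1]);
}

/* Walk a 'senc' FullBox payload (after the 8-byte box header):
   version(1) flags(3) sample_count(4), then per sample an IV of iv_size
   bytes and, if flags & 0x2, subsample_count(2) followed by that many
   BytesOfClearData(2) + BytesOfProtectedData(4) pairs.  Every read is
   checked against len, so an attacker-chosen sample_count cannot run
   past the buffer; nothing is allocated from the declared count. */
int senc_parse(const uint8_t *buf, size_t len,
               const cenc_defaults *defaults, senc_info *out)
{
    if (defaults == NULL)
        return SENC_ERR_NO_DEFAULTS;   /* the check a NULL dereference lacks */
    uint8_t iv_size = defaults->is_encrypted ? defaults->iv_size : 0;
    if (iv_size != 0 && iv_size != 8 && iv_size != 16)
        return SENC_ERR_BAD_IV_SIZE;
    if (len < 8)
        return SENC_ERR_TRUNCATED;

    uint32_t flags        = rd32(buf) & 0x00FFFFFFu;
    uint32_t sample_count = rd32(buf + 4);
    size_t   pos          = 8;
    uint32_t entries      = 0;

    for (uint32_t i = 0; i < sample_count; i++) {
        if (len - pos < iv_size)
            return SENC_ERR_TRUNCATED;
        pos += iv_size;
        if (flags & 0x2) {
            if (len - pos < 2)
                return SENC_ERR_TRUNCATED;
            uint16_t subsample_count = rd16(buf + pos);
            pos += 2;
            if ((len - pos) / 6 < subsample_count)
                return SENC_ERR_TRUNCATED;
            pos += (size_t)subsample_count * 6;
            entries += subsample_count;
        }
    }
    if (out) {
        out->sample_count      = sample_count;
        out->subsample_entries = entries;
        out->bytes_consumed    = pos;
    }
    return SENC_OK;
}

/* Constructed payload: version 0, flags 0x000002, 2 samples, 8-byte IVs. */
const uint8_t SENC_SAMPLE[] = {
    0x00, 0x00, 0x00, 0x02,  0x00, 0x00, 0x00, 0x02,  /* flags, sample_count=2 */
    0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08,   /* sample 1 IV           */
    0x00, 0x01,  0x00, 0x05, 0x00, 0x00, 0x00, 0x64,  /* 1 entry: 5 clear/100  */
    0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18,   /* sample 2 IV           */
    0x00, 0x02,  0x00, 0x10, 0x00, 0x00, 0x01, 0x00,  /* 2 entries: 16/256 ... */
    0x00, 0x00, 0x00, 0x00, 0x00, 0x40                /* ... and 0/64          */
};
const size_t        SENC_SAMPLE_LEN = sizeof SENC_SAMPLE;   /* 46 bytes */
const cenc_defaults IV8_DEFAULTS    = { 1, 8 };
const cenc_defaults BAD_DEFAULTS    = { 1, 7 };             /* invalid IV size */
senc_info           g_info;

int main(void)
{
    int rc = senc_parse(SENC_SAMPLE, SENC_SAMPLE_LEN, NULL, &g_info);
    printf("moof without moov (NULL defaults): rc=%d\n", rc);
    rc = senc_parse(SENC_SAMPLE, SENC_SAMPLE_LEN, &IV8_DEFAULTS, &g_info);
    printf("with defaults: rc=%d samples=%u entries=%u consumed=%zu\n",
           rc, g_info.sample_count, g_info.subsample_entries, g_info.bytes_consumed);
    printf("truncated to 40 bytes: rc=%d\n",
           senc_parse(SENC_SAMPLE, 40, &IV8_DEFAULTS, &g_info));
    return 0;
}
```

The two properties worth carrying into any real box parser are visible here: a missing context (no `moov`, hence no defaults) is an explicit error return, not a fallback that leaves other pointers unset, and `sample_count` only drives a loop whose every step is checked against the bytes actually present in the box.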
@carnil

carnil commented Dec 31, 2019

CVE-2019-20167 was assigned for this issue.

@aureliendavid
Contributor

Thanks for the report.

This should be fixed in master / 0.8.0 as of the above commit.

It will be included in filters / 0.9.0 in the next merge.

Feel free to reopen the issue if necessary.
