AddressSanitizer: NULL pointer dereference in gf_isom_dump isomedia/box_dump.c:133 #1331

Closed
Clingto opened this issue Nov 9, 2019 · 2 comments

Comments

Clingto commented Nov 9, 2019

System info:
Ubuntu 16.04.6 LTS, X64, gcc 5.4.0, gpac (latest master 00dfc93)
Compile Command:

$ CC="gcc -fsanitize=address -g" CXX="g++ -fsanitize=address -g" ./configure --static-mp4box
$ make

Run Command:

$ MP4Box -diso -out /dev/null $POC-new-gf_isom_dump

POC file:
https://github.com/Clingto/POC/blob/master/gpac-MP4Box/gpac-00dfc93-crashes/POC-new-gf_isom_dump

gdb info:

Error in bin/MP4Box: free(): invalid next size (fast): 0x00000000009cc600
======= Backtrace: =========
/lib/x86_64-linux-gnu/libc.so.6(+0x777e5)[0x7ffff73447e5]
/lib/x86_64-linux-gnu/libc.so.6(+0x8037a)[0x7ffff734d37a]
/lib/x86_64-linux-gnu/libc.so.6(cfree+0x4c)[0x7ffff735153c]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf0)[0x7ffff72ed830]
======= Memory map: ========

Program received signal SIGABRT, Aborted.
0x00007ffff7302428 in __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:54
54      ../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
(gdb) bt
#0  0x00007ffff7302428 in __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:54
#1  0x00007ffff730402a in __GI_abort () at abort.c:89
#2  0x00007ffff73447ea in __libc_message (do_abort=do_abort@entry=2, fmt=fmt@entry=0x7ffff745ded8 "*** Error in `%s': %s: 0x%s ***\n") at ../sysdeps/posix/libc_fatal.c:175
#3  0x00007ffff734d37a in malloc_printerr (ar_ptr=<optimized out>, ptr=<optimized out>, str=0x7ffff745df50 "free(): invalid next size (fast)", action=3) at malloc.c:5006
#4  _int_free (av=<optimized out>, p=<optimized out>, have_lock=0) at malloc.c:3867
#5  0x00007ffff735153c in __GI___libc_free (mem=<optimized out>) at malloc.c:2968
#6  0x0000000000512a7d in gf_isom_box_del ()
#7  0x0000000000513eae in gf_isom_parse_root_box ()
#8  0x000000000051b4fe in gf_isom_parse_movie_boxes.part ()
#9  0x000000000051c48c in gf_isom_open_file ()
#10 0x000000000041c082 in mp4boxMain ()
#11 0x00007ffff72ed830 in __libc_start_main (main=0x40eb70 <main>, argc=5, argv=0x7fffffffe328, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe318) at ../csu/libc-start.c:291
#12 0x000000000040eba9 in _start ()

ASAN info:

[iso file] Movie fragment but no moov (yet) - possibly broken parsing!
[iso file] Box "tenc" (start 8) has 389 extra bytes
[iso file] Unknown top-level box type ffff
[iso file] Incomplete box ffff - start 532 size 1717986903
[iso file] Incomplete file while reading for dump - aborting parsing

ASAN:SIGSEGV
=================================================================
==26000==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x0000006a3968 bp 0x61600000ea80 sp 0x7fffffff8080 T0)
    #0 0x6a3967 in gf_isom_dump isomedia/box_dump.c:133
    #1 0x443b9a in dump_isom_xml /home/aota09/yyp/fuzzcompare/test/gpac/test-crash/build_asan_00dfc93/applications/mp4box/filedump.c:1930
    #2 0x43246d in mp4boxMain /home/aota09/yyp/fuzzcompare/test/gpac/test-crash/build_asan_00dfc93/applications/mp4box/main.c:4982
    #3 0x7ffff638082f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #4 0x41e228 in _start (/home/aota09/yyp/fuzzcompare/test/gpac/test-crash/bin_asan/bin/MP4Box+0x41e228)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV isomedia/box_dump.c:133 gf_isom_dump
==26000==ABORTING

This bug still exists in the latest versions, 0.8.0: 4c19ae5 and 0.9.0: 1de1f8d


Addition: This bug was found with our fuzzer, which is based on AFL. Our fuzzer is developed by Yuanpingyu (cfenicey@gmail.com), Yanhao and Marsman1996 (lqliuyuwei@outlook.com).
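An added illustration, not gpac code and not the fix referenced later in this thread: a minimal top-level box walker that models what the log above reports (a box declaring 1717986903 bytes when far fewer remain), returns NULL as a failed open would, and a dump entry point that checks the handle before dereferencing it, shown beside the unchecked form that matches the SEGV. Every name here (iso_file_t, open_boxes, dump_checked) and both byte inputs are hypothetical constructs.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define MAX_BOXES 16

/* Hypothetical stand-in for an opened ISO BMFF file (not gpac's GF_ISOFile). */
typedef struct { size_t box_count; char types[MAX_BOXES][5]; } iso_file_t;

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Walk the top-level boxes. Returns NULL, like a failed open, when a box declares
 * more bytes than remain in the file: the "Incomplete box" condition in the log above. */
static iso_file_t *open_boxes(const uint8_t *buf, size_t len) {
    iso_file_t *f = calloc(1, sizeof *f);
    size_t off = 0; uint64_t size = 0;
    while (f && off < len) {
        size_t hdr = 8, left = len - off;
        if (left < hdr || f->box_count == MAX_BOXES) goto fail;
        size = be32(buf + off);
        if (size == 1) {                /* largesize: 64-bit size follows the type */
            if (left < 16) goto fail;
            size = ((uint64_t)be32(buf + off + 8) << 32) | be32(buf + off + 12);
            hdr = 16;
        } else if (size == 0) {         /* size 0: box runs to the end of the file */
            size = left;
        }
        if (size < hdr || size > left) goto fail;
        memcpy(f->types[f->box_count++], buf + off + 4, 4);
        off += (size_t)size;
    }
    return f;
fail:
    fprintf(stderr, "[iso file] Incomplete box - start %zu size %llu\n", off, (unsigned long long)size);
    free(f);
    return NULL;
}

/* Dump entry points. The unchecked one mirrors the crash: it trusts the handle even
 * when open returned NULL. The checked one refuses a NULL handle with an error code. */
int dump_unchecked(const iso_file_t *f) { return (int)f->box_count; }
int dump_checked(const iso_file_t *f) { return f ? (int)f->box_count : -1; }

/* Constructed inputs: a well-formed ftyp+free pair, and the same ftyp followed by a
 * box of type ffff whose declared size 0x66666657 (1717986903) exceeds the file. */
static const uint8_t GOOD[] = {0,0,0,16,'f','t','y','p','i','s','o','m',0,0,0,1, 0,0,0,8,'f','r','e','e'};
static const uint8_t BAD[]  = {0,0,0,16,'f','t','y','p','i','s','o','m',0,0,0,1, 0x66,0x66,0x66,0x57,0xff,0xff,0xff,0xff};

int open_then_dump(const uint8_t *buf, size_t len) {
    iso_file_t *f = open_boxes(buf, len);
    int n = dump_checked(f);            /* dump_unchecked(f) here is the faulting pattern */
    free(f);
    return n;
}
```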

Clingto changed the title from "AddressSanitizer: SEGV in gf_isom_dump isomedia/box_dump.c:133" to "AddressSanitizer: NULL pointer dereference in gf_isom_dump isomedia/box_dump.c:133" on Dec 24, 2019
carnil commented Dec 31, 2019

CVE-2019-20166 was assigned for this issue.

aureliendavid added a commit that referenced this issue Jan 8, 2020
aureliendavid (Contributor) commented

Thanks for the report.

This should be fixed in master / 0.8.0 as of the above commit.

It will be included in filters / 0.9.0 in the next merge.

Feel free to reopen the issue if necessary.
