AddressSanitizer: NULL pointer dereference (use-after-free) in gf_isom_box_del isomedia/box_funcs.c:1500 #1332

Closed
Clingto opened this issue Nov 9, 2019 · 2 comments

Clingto commented Nov 9, 2019

System info:
Ubuntu 16.04.6 LTS, X64, gcc 5.4.0, gpac (latest master 00dfc93)
Compile Command:

$ CC="gcc -fsanitize=address -g" CXX="g++ -fsanitize=address -g" ./configure --static-mp4box
$ make

Run Command:

$ MP4Box -diso -out /dev/null $POC-new-gf_isom_box_del

POC file:
https://github.com/Clingto/POC/blob/master/gpac-MP4Box/gpac-00dfc93-crashes/POC-new-gf_isom_box_del

gdb info:

Error in /bin/MP4Box: free(): invalid next size (fast): 0x00000000009cc5a0
======= Backtrace: =========
/lib/x86_64-linux-gnu/libc.so.6(+0x777e5)[0x7ffff73447e5]
/lib/x86_64-linux-gnu/libc.so.6(+0x8037a)[0x7ffff734d37a]
/lib/x86_64-linux-gnu/libc.so.6(cfree+0x4c)[0x7ffff735153c]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf0)[0x7ffff72ed830]
======= Memory map: ========

Program received signal SIGABRT, Aborted.
0x00007ffff7302428 in __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:54
54      ../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
(gdb) bt
#0  0x00007ffff7302428 in __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:54
#1  0x00007ffff730402a in __GI_abort () at abort.c:89
#2  0x00007ffff73447ea in __libc_message (do_abort=do_abort@entry=2, fmt=fmt@entry=0x7ffff745ded8 "*** Error in `%s': %s: 0x%s ***\n") at ../sysdeps/posix/libc_fatal.c:175
#3  0x00007ffff734d37a in malloc_printerr (ar_ptr=<optimized out>, ptr=<optimized out>, str=0x7ffff745df50 "free(): invalid next size (fast)", action=3) at malloc.c:5006
#4  _int_free (av=<optimized out>, p=<optimized out>, have_lock=0) at malloc.c:3867
#5  0x00007ffff735153c in __GI___libc_free (mem=<optimized out>) at malloc.c:2968
#6  0x0000000000512a7d in gf_isom_box_del ()
#7  0x0000000000513810 in gf_isom_box_parse_ex.constprop ()
#8  0x0000000000513e15 in gf_isom_parse_root_box ()
#9  0x000000000051b4fe in gf_isom_parse_movie_boxes.part ()
#10 0x000000000051c48c in gf_isom_open_file ()
#11 0x000000000041c082 in mp4boxMain ()
#12 0x00007ffff72ed830 in __libc_start_main (main=0x40eb70 <main>, argc=5, argv=0x7fffffffe318, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe308) at ../csu/libc-start.c:291
#13 0x000000000040eba9 in _start ()

ASAN info:

ASAN:SIGSEGV
=================================================================
==27733==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x0000006c3869 bp 0x60200000eff0 sp 0x7fffffff8560 T0)
    #0 0x6c3868 in gf_isom_box_del isomedia/box_funcs.c:1500
    #1 0x6c3a06 in gf_isom_box_array_del isomedia/box_funcs.c:270
    #2 0x6dce18 in gf_isom_delete_movie isomedia/isom_intern.c:657
    #3 0x6dd32b in gf_isom_open_file isomedia/isom_intern.c:624
    #4 0x42f88a in mp4boxMain /home/aota09/yyp/fuzzcompare/test/gpac/test-crash/build_asan_00dfc93/applications/mp4box/main.c:4767
    #5 0x7ffff638082f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #6 0x41e228 in _start (/home/aota09/yyp/fuzzcompare/test/gpac/test-crash/bin_asan/bin/MP4Box+0x41e228)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV isomedia/box_funcs.c:1500 gf_isom_box_del
==27733==ABORTING


This bug still exists in the latest versions 0.8.0 (4c19ae5) and 0.9.0 (1de1f8d).
asan:

[iso file] Movie fragment but no moov (yet) - possibly broken parsing!
[isom] not enough bytes in box tenc: 0 left, reading 139 (file isomedia/box_code_drm.c, line 1001)
[iso file] Read Box "tenc" (start 8) failed (Invalid IsoMedia File) - skipping
ASAN:SIGSEGV
=================================================================
==7918==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x0000006c45d9 bp 0x60200000eff0 sp 0x7fffffff8530 T0)
    #0 0x6c45d8 in gf_isom_box_del isomedia/box_funcs.c:1501
    #1 0x6c4776 in gf_isom_box_array_del isomedia/box_funcs.c:270
    #2 0x6de7d8 in gf_isom_delete_movie isomedia/isom_intern.c:657
    #3 0x6deceb in gf_isom_open_file isomedia/isom_intern.c:624
    #4 0x42f93d in mp4boxMain /home/aota09/yyp/fuzzcompare/test/gpac/test-crash/build_asan_1de1f8d-0.9/applications/mp4box/main.c:4789
    #5 0x7ffff638082f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #6 0x41e278 in _start (/home/aota09/yyp/fuzzcompare/test/gpac/test-crash/bin_asan_1de1f8d-0.9/bin/MP4Box+0x41e278)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV isomedia/box_funcs.c:1501 gf_isom_box_del

Addition: This bug was found with our fuzzer, which is based on AFL. Our fuzzer is developed by Yuanpingyu (cfenicey@gmail.com), Yanhao and Marsman1996 (lqliuyuwei@outlook.com).
asan:

==23293==ERROR: AddressSanitizer: heap-use-after-free on address 0x60600000eeb8 at pc 0x0000006d2f36 bp 0x7ffc000b4c30 sp 0x7ffc000b4c20
READ of size 8 at 0x60600000eeb8 thread T0
    #0 0x6d2f35 in gf_isom_box_del isomedia/box_funcs.c:1501
    #1 0x6d2e5e in gf_isom_box_array_del isomedia/box_funcs.c:270
    #2 0x6d2e5e in gf_isom_box_del isomedia/box_funcs.c:1517
    #3 0x6d2e5e in gf_isom_box_array_del isomedia/box_funcs.c:270
    #4 0x6d2e5e in gf_isom_box_del isomedia/box_funcs.c:1517
    #5 0x6d2e5e in gf_isom_box_array_del isomedia/box_funcs.c:270
    #6 0x6d2e5e in gf_isom_box_del isomedia/box_funcs.c:1517
    #7 0x6d2e5e in gf_isom_box_array_del isomedia/box_funcs.c:270
    #8 0x6d2e5e in gf_isom_box_del isomedia/box_funcs.c:1517
    #9 0x6d4300 in gf_isom_box_array_read_ex isomedia/box_funcs.c:1422
    #10 0xb17c35 in moov_Read isomedia/box_code_base.c:3745
    #11 0x6d4817 in gf_isom_box_read isomedia/box_funcs.c:1529
    #12 0x6d4817 in gf_isom_box_parse_ex isomedia/box_funcs.c:208
    #13 0x6d51c7 in gf_isom_parse_root_box isomedia/box_funcs.c:42
    #14 0x6eb4fb in gf_isom_parse_movie_boxes isomedia/isom_intern.c:206
    #15 0x6ee2a2 in gf_isom_parse_movie_boxes isomedia/isom_intern.c:194
    #16 0x6ee2a2 in gf_isom_open_file isomedia/isom_intern.c:615
    #17 0x431899 in mp4boxMain /home/aota05/yyp/fuzzsequence/test/gpac_4c19ae5/SRC_asan/applications/mp4box/main.c:4789
    #18 0x7f49dcbd882f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #19 0x41f648 in _start (/home/aota05/yyp/fuzzsequence/test/gpac_4c19ae5/SRC_asan/build/bin/MP4Box+0x41f648)

0x60600000eeb8 is located 24 bytes inside of 56-byte region [0x60600000eea0,0x60600000eed8)
freed by thread T0 here:
    #0 0x7f49dd75a2ca in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x982ca)
    #1 0x6d2ea7 in gf_isom_box_del isomedia/box_funcs.c:1509
    #2 0xb052ef in stbl_AddBox isomedia/box_code_base.c:5314
    #3 0x6d3f11 in gf_isom_box_array_read_ex isomedia/box_funcs.c:1472
    #4 0xb1d707 in stbl_Read isomedia/box_code_base.c:5381
    #5 0x6d333e in gf_isom_box_read isomedia/box_funcs.c:1529
    #6 0x6d333e in gf_isom_box_parse_ex isomedia/box_funcs.c:208
    #7 0x6d3e2a in gf_isom_box_array_read_ex isomedia/box_funcs.c:1420
    #8 0xb1701a in minf_Read isomedia/box_code_base.c:3500
    #9 0x6d333e in gf_isom_box_read isomedia/box_funcs.c:1529
    #10 0x6d333e in gf_isom_box_parse_ex isomedia/box_funcs.c:208
    #11 0x6d3e2a in gf_isom_box_array_read_ex isomedia/box_funcs.c:1420
    #12 0xb15187 in mdia_Read isomedia/box_code_base.c:3021
    #13 0x6d333e in gf_isom_box_read isomedia/box_funcs.c:1529
    #14 0x6d333e in gf_isom_box_parse_ex isomedia/box_funcs.c:208
    #15 0x6d3e2a in gf_isom_box_array_read_ex isomedia/box_funcs.c:1420
    #16 0xb249cd in trak_Read isomedia/box_code_base.c:7134
    #17 0x6d333e in gf_isom_box_read isomedia/box_funcs.c:1529
    #18 0x6d333e in gf_isom_box_parse_ex isomedia/box_funcs.c:208
    #19 0x6d3e2a in gf_isom_box_array_read_ex isomedia/box_funcs.c:1420
    #20 0xb17c35 in moov_Read isomedia/box_code_base.c:3745
    #21 0x6d4817 in gf_isom_box_read isomedia/box_funcs.c:1529
    #22 0x6d4817 in gf_isom_box_parse_ex isomedia/box_funcs.c:208
    #23 0x6d51c7 in gf_isom_parse_root_box isomedia/box_funcs.c:42
    #24 0x6eb4fb in gf_isom_parse_movie_boxes isomedia/isom_intern.c:206
    #25 0x6ee2a2 in gf_isom_parse_movie_boxes isomedia/isom_intern.c:194
    #26 0x6ee2a2 in gf_isom_open_file isomedia/isom_intern.c:615
    #27 0x431899 in mp4boxMain /home/aota05/yyp/fuzzsequence/test/gpac_4c19ae5/SRC_asan/applications/mp4box/main.c:4789
    #28 0x7f49dcbd882f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

previously allocated by thread T0 here:
    #0 0x7f49dd75a602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
    #1 0xb1e93d in stco_New isomedia/box_code_base.c:5616
    #2 0x6d28d8 in gf_isom_box_new_ex isomedia/box_funcs.c:1385
    #3 0x6d31ae in gf_isom_box_parse_ex isomedia/box_funcs.c:182
    #4 0x6d3e2a in gf_isom_box_array_read_ex isomedia/box_funcs.c:1420
    #5 0xb1d707 in stbl_Read isomedia/box_code_base.c:5381
    #6 0x6d333e in gf_isom_box_read isomedia/box_funcs.c:1529
    #7 0x6d333e in gf_isom_box_parse_ex isomedia/box_funcs.c:208
    #8 0x6d3e2a in gf_isom_box_array_read_ex isomedia/box_funcs.c:1420
    #9 0xb1701a in minf_Read isomedia/box_code_base.c:3500
    #10 0x6d333e in gf_isom_box_read isomedia/box_funcs.c:1529
    #11 0x6d333e in gf_isom_box_parse_ex isomedia/box_funcs.c:208
    #12 0x6d3e2a in gf_isom_box_array_read_ex isomedia/box_funcs.c:1420
    #13 0xb15187 in mdia_Read isomedia/box_code_base.c:3021
    #14 0x6d333e in gf_isom_box_read isomedia/box_funcs.c:1529
    #15 0x6d333e in gf_isom_box_parse_ex isomedia/box_funcs.c:208
    #16 0x6d3e2a in gf_isom_box_array_read_ex isomedia/box_funcs.c:1420
    #17 0xb249cd in trak_Read isomedia/box_code_base.c:7134
    #18 0x6d333e in gf_isom_box_read isomedia/box_funcs.c:1529
    #19 0x6d333e in gf_isom_box_parse_ex isomedia/box_funcs.c:208
    #20 0x6d3e2a in gf_isom_box_array_read_ex isomedia/box_funcs.c:1420
    #21 0xb17c35 in moov_Read isomedia/box_code_base.c:3745
    #22 0x6d4817 in gf_isom_box_read isomedia/box_funcs.c:1529
    #23 0x6d4817 in gf_isom_box_parse_ex isomedia/box_funcs.c:208
    #24 0x6d51c7 in gf_isom_parse_root_box isomedia/box_funcs.c:42
    #25 0x6eb4fb in gf_isom_parse_movie_boxes isomedia/isom_intern.c:206
    #26 0x6ee2a2 in gf_isom_parse_movie_boxes isomedia/isom_intern.c:194
    #27 0x6ee2a2 in gf_isom_open_file isomedia/isom_intern.c:615
    #28 0x431899 in mp4boxMain /home/aota05/yyp/fuzzsequence/test/gpac_4c19ae5/SRC_asan/applications/mp4box/main.c:4789
    #29 0x7f49dcbd882f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

Clingto changed the title from "AddressSanitizer: SEGV in gf_isom_box_del isomedia/box_funcs.c:1500" to "AddressSanitizer: NULL pointer dereference in gf_isom_box_del isomedia/box_funcs.c:1500" on Dec 24, 2019

carnil commented Dec 31, 2019

CVE-2019-20164 was assigned for this issue.

aureliendavid added a commit that referenced this issue Jan 8, 2020
@aureliendavid

Thanks for the report.

This should be fixed in master / 0.8.0 as of the above commit.

It will be included in filters / 0.9.0 in the next merge.

Feel free to reopen the issue if necessary.

Clingto changed the title from "AddressSanitizer: NULL pointer dereference in gf_isom_box_del isomedia/box_funcs.c:1500" to "AddressSanitizer: NULL pointer dereference (use-after-free) in gf_isom_box_del isomedia/box_funcs.c:1500" on Jan 26, 2022