ASAN:SIGSEGV
=================================================================
==27733==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x0000006c3869 bp 0x60200000eff0 sp 0x7fffffff8560 T0)
#0 0x6c3868 in gf_isom_box_del isomedia/box_funcs.c:1500
#1 0x6c3a06 in gf_isom_box_array_del isomedia/box_funcs.c:270
#2 0x6dce18 in gf_isom_delete_movie isomedia/isom_intern.c:657
#3 0x6dd32b in gf_isom_open_file isomedia/isom_intern.c:624
#4 0x42f88a in mp4boxMain /home/aota09/yyp/fuzzcompare/test/gpac/test-crash/build_asan_00dfc93/applications/mp4box/main.c:4767
#5 0x7ffff638082f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#6 0x41e228 in _start (/home/aota09/yyp/fuzzcompare/test/gpac/test-crash/bin_asan/bin/MP4Box+0x41e228)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV isomedia/box_funcs.c:1500 gf_isom_box_del
==27733==ABORTING
This issue still exists in the latest versions 0.8.0 (4c19ae5) and 0.9.0 (1de1f8d).
asan
[iso file] Movie fragment but no moov (yet) - possibly broken parsing!
[isom] not enough bytes in box tenc: 0 left, reading 139 (file isomedia/box_code_drm.c, line 1001)
[iso file] Read Box "tenc" (start 8) failed (Invalid IsoMedia File) - skipping
ASAN:SIGSEGV
=================================================================
==7918==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x0000006c45d9 bp 0x60200000eff0 sp 0x7fffffff8530 T0)
#0 0x6c45d8 in gf_isom_box_del isomedia/box_funcs.c:1501
#1 0x6c4776 in gf_isom_box_array_del isomedia/box_funcs.c:270
#2 0x6de7d8 in gf_isom_delete_movie isomedia/isom_intern.c:657
#3 0x6deceb in gf_isom_open_file isomedia/isom_intern.c:624
#4 0x42f93d in mp4boxMain /home/aota09/yyp/fuzzcompare/test/gpac/test-crash/build_asan_1de1f8d-0.9/applications/mp4box/main.c:4789
#5 0x7ffff638082f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#6 0x41e278 in _start (/home/aota09/yyp/fuzzcompare/test/gpac/test-crash/bin_asan_1de1f8d-0.9/bin/MP4Box+0x41e278)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV isomedia/box_funcs.c:1501 gf_isom_box_del
Addition: This bug was found with our fuzzer, which is based on AFL. Our fuzzer is developed by Yuanpingyu (cfenicey@gmail.com), Yanhao and Marsman1996 (lqliuyuwei@outlook.com).
asan:
==23293==ERROR: AddressSanitizer: heap-use-after-free on address 0x60600000eeb8 at pc 0x0000006d2f36 bp 0x7ffc000b4c30 sp 0x7ffc000b4c20
READ of size 8 at 0x60600000eeb8 thread T0
#0 0x6d2f35 in gf_isom_box_del isomedia/box_funcs.c:1501
#1 0x6d2e5e in gf_isom_box_array_del isomedia/box_funcs.c:270
#2 0x6d2e5e in gf_isom_box_del isomedia/box_funcs.c:1517
#3 0x6d2e5e in gf_isom_box_array_del isomedia/box_funcs.c:270
#4 0x6d2e5e in gf_isom_box_del isomedia/box_funcs.c:1517
#5 0x6d2e5e in gf_isom_box_array_del isomedia/box_funcs.c:270
#6 0x6d2e5e in gf_isom_box_del isomedia/box_funcs.c:1517
#7 0x6d2e5e in gf_isom_box_array_del isomedia/box_funcs.c:270
#8 0x6d2e5e in gf_isom_box_del isomedia/box_funcs.c:1517
#9 0x6d4300 in gf_isom_box_array_read_ex isomedia/box_funcs.c:1422
#10 0xb17c35 in moov_Read isomedia/box_code_base.c:3745
#11 0x6d4817 in gf_isom_box_read isomedia/box_funcs.c:1529
#12 0x6d4817 in gf_isom_box_parse_ex isomedia/box_funcs.c:208
#13 0x6d51c7 in gf_isom_parse_root_box isomedia/box_funcs.c:42
#14 0x6eb4fb in gf_isom_parse_movie_boxes isomedia/isom_intern.c:206
#15 0x6ee2a2 in gf_isom_parse_movie_boxes isomedia/isom_intern.c:194
#16 0x6ee2a2 in gf_isom_open_file isomedia/isom_intern.c:615
#17 0x431899 in mp4boxMain /home/aota05/yyp/fuzzsequence/test/gpac_4c19ae5/SRC_asan/applications/mp4box/main.c:4789
#18 0x7f49dcbd882f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#19 0x41f648 in _start (/home/aota05/yyp/fuzzsequence/test/gpac_4c19ae5/SRC_asan/build/bin/MP4Box+0x41f648)
0x60600000eeb8 is located 24 bytes inside of 56-byte region [0x60600000eea0,0x60600000eed8)
freed by thread T0 here:
#0 0x7f49dd75a2ca in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x982ca)
#1 0x6d2ea7 in gf_isom_box_del isomedia/box_funcs.c:1509
#2 0xb052ef in stbl_AddBox isomedia/box_code_base.c:5314
#3 0x6d3f11 in gf_isom_box_array_read_ex isomedia/box_funcs.c:1472
#4 0xb1d707 in stbl_Read isomedia/box_code_base.c:5381
#5 0x6d333e in gf_isom_box_read isomedia/box_funcs.c:1529
#6 0x6d333e in gf_isom_box_parse_ex isomedia/box_funcs.c:208
#7 0x6d3e2a in gf_isom_box_array_read_ex isomedia/box_funcs.c:1420
#8 0xb1701a in minf_Read isomedia/box_code_base.c:3500
#9 0x6d333e in gf_isom_box_read isomedia/box_funcs.c:1529
#10 0x6d333e in gf_isom_box_parse_ex isomedia/box_funcs.c:208
#11 0x6d3e2a in gf_isom_box_array_read_ex isomedia/box_funcs.c:1420
#12 0xb15187 in mdia_Read isomedia/box_code_base.c:3021
#13 0x6d333e in gf_isom_box_read isomedia/box_funcs.c:1529
#14 0x6d333e in gf_isom_box_parse_ex isomedia/box_funcs.c:208
#15 0x6d3e2a in gf_isom_box_array_read_ex isomedia/box_funcs.c:1420
#16 0xb249cd in trak_Read isomedia/box_code_base.c:7134
#17 0x6d333e in gf_isom_box_read isomedia/box_funcs.c:1529
#18 0x6d333e in gf_isom_box_parse_ex isomedia/box_funcs.c:208
#19 0x6d3e2a in gf_isom_box_array_read_ex isomedia/box_funcs.c:1420
#20 0xb17c35 in moov_Read isomedia/box_code_base.c:3745
#21 0x6d4817 in gf_isom_box_read isomedia/box_funcs.c:1529
#22 0x6d4817 in gf_isom_box_parse_ex isomedia/box_funcs.c:208
#23 0x6d51c7 in gf_isom_parse_root_box isomedia/box_funcs.c:42
#24 0x6eb4fb in gf_isom_parse_movie_boxes isomedia/isom_intern.c:206
#25 0x6ee2a2 in gf_isom_parse_movie_boxes isomedia/isom_intern.c:194
#26 0x6ee2a2 in gf_isom_open_file isomedia/isom_intern.c:615
#27 0x431899 in mp4boxMain /home/aota05/yyp/fuzzsequence/test/gpac_4c19ae5/SRC_asan/applications/mp4box/main.c:4789
#28 0x7f49dcbd882f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
previously allocated by thread T0 here:
#0 0x7f49dd75a602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
#1 0xb1e93d in stco_New isomedia/box_code_base.c:5616
#2 0x6d28d8 in gf_isom_box_new_ex isomedia/box_funcs.c:1385
#3 0x6d31ae in gf_isom_box_parse_ex isomedia/box_funcs.c:182
#4 0x6d3e2a in gf_isom_box_array_read_ex isomedia/box_funcs.c:1420
#5 0xb1d707 in stbl_Read isomedia/box_code_base.c:5381
#6 0x6d333e in gf_isom_box_read isomedia/box_funcs.c:1529
#7 0x6d333e in gf_isom_box_parse_ex isomedia/box_funcs.c:208
#8 0x6d3e2a in gf_isom_box_array_read_ex isomedia/box_funcs.c:1420
#9 0xb1701a in minf_Read isomedia/box_code_base.c:3500
#10 0x6d333e in gf_isom_box_read isomedia/box_funcs.c:1529
#11 0x6d333e in gf_isom_box_parse_ex isomedia/box_funcs.c:208
#12 0x6d3e2a in gf_isom_box_array_read_ex isomedia/box_funcs.c:1420
#13 0xb15187 in mdia_Read isomedia/box_code_base.c:3021
#14 0x6d333e in gf_isom_box_read isomedia/box_funcs.c:1529
#15 0x6d333e in gf_isom_box_parse_ex isomedia/box_funcs.c:208
#16 0x6d3e2a in gf_isom_box_array_read_ex isomedia/box_funcs.c:1420
#17 0xb249cd in trak_Read isomedia/box_code_base.c:7134
#18 0x6d333e in gf_isom_box_read isomedia/box_funcs.c:1529
#19 0x6d333e in gf_isom_box_parse_ex isomedia/box_funcs.c:208
#20 0x6d3e2a in gf_isom_box_array_read_ex isomedia/box_funcs.c:1420
#21 0xb17c35 in moov_Read isomedia/box_code_base.c:3745
#22 0x6d4817 in gf_isom_box_read isomedia/box_funcs.c:1529
#23 0x6d4817 in gf_isom_box_parse_ex isomedia/box_funcs.c:208
#24 0x6d51c7 in gf_isom_parse_root_box isomedia/box_funcs.c:42
#25 0x6eb4fb in gf_isom_parse_movie_boxes isomedia/isom_intern.c:206
#26 0x6ee2a2 in gf_isom_parse_movie_boxes isomedia/isom_intern.c:194
#27 0x6ee2a2 in gf_isom_open_file isomedia/isom_intern.c:615
#28 0x431899 in mp4boxMain /home/aota05/yyp/fuzzsequence/test/gpac_4c19ae5/SRC_asan/applications/mp4box/main.c:4789
#29 0x7f49dcbd882f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
Clingto changed the title from "AddressSanitizer: SEGV in gf_isom_box_del isomedia/box_funcs.c:1500" to "AddressSanitizer: NULL pointer dereference in gf_isom_box_del isomedia/box_funcs.c:1500" on Dec 24, 2019
Clingto changed the title from "AddressSanitizer: NULL pointer dereference in gf_isom_box_del isomedia/box_funcs.c:1500" to "AddressSanitizer: NULL pointer dereference (use-after-free) in gf_isom_box_del isomedia/box_funcs.c:1500" on Jan 26, 2022
System info:
Ubuntu 16.04.6 LTS, X64, gcc 5.4.0, gpac (latest master 00dfc93)
Compile Command:
Run Command:
POC file:
https://github.com/Clingto/POC/blob/master/gpac-MP4Box/gpac-00dfc93-crashes/POC-new-gf_isom_box_del
gdb info:
ASAN info: