AddressSanitizer: heap-use-after-free in gf_isom_box_dump_ex isomedia/box_funcs.c:1734 #1333
Comments
CVE-2019-20168 was assigned for this issue.
Thanks for the report. This should be fixed in master / 0.8.0 as of the above commit. It will be included in filters / 0.9.0 in the next merge. Feel free to reopen the issue if necessary.
Hi, I'm preparing a security upload for older gpac versions at Debian. As far as I can test, 5250afe is not related to this issue: applying it on the reporter's 00dfc93 does not fix the ASAN error, and conversely reverse-applying it on master (cf620e1) does not make it re-appear. Do you know what patch is fixing this CVE?
Hi, you're right, this one is mislabeled and is actually fixed by the previous commit (a8b6246). Looks like it also works when applying it to 00dfc93:

$ git diff 00dfc93369329f1f549567d1b157566217bbfae0
diff --git a/src/isomedia/box_code_base.c b/src/isomedia/box_code_base.c
index f40c9ba5..1add6c3f 100644
--- a/src/isomedia/box_code_base.c
+++ b/src/isomedia/box_code_base.c
@@ -5311,7 +5311,9 @@ GF_Err stbl_AddBox(GF_Box *s, GF_Box *a)
case GF_ISOM_BOX_TYPE_CO64:
case GF_ISOM_BOX_TYPE_STCO:
if (ptr->ChunkOffset) {
- gf_isom_box_del(ptr->ChunkOffset);
+ extern Bool use_dump_mode;
+ if (!use_dump_mode)
+ gf_isom_box_del(ptr->ChunkOffset);
}
ptr->ChunkOffset = a;
return GF_OK;
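Review bot: the guard `if (!use_dump_mode)` keeps the previously parsed stco/co64 box alive instead of freeing it, which removes the dangling pointer the dump path dereferenced, but nothing in the hunk later frees or detaches that orphaned box, so in dump mode a file carrying duplicate chunk-offset boxes now leaks the first one. Declaring `extern Bool use_dump_mode;` at block scope inside stbl_AddBox also ties box ownership to a global mode flag; the declaration belongs in a shared header, and a comment at this point should state who owns the replaced box in dump mode, or the old box should be unlinked from the parent and deleted on the dump side.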
System info:
Ubuntu 16.04.6 LTS, X64, gcc 5.4.0, gpac (latest master 00dfc93)
Compile Command:
Run Command:
POC file:
https://github.com/Clingto/POC/blob/master/gpac-MP4Box/gpac-00dfc93-crashes/POC-new-gf_isom_box_dump_ex
gdb info:
ASAN info:
This bug still exists in the latest version 0.8.0 (4c19ae5) and 0.9.0 (1de1f8d).
Addition: This bug was found with our fuzzer, which is based on AFL. Our fuzzer is developed by Yuanpingyu (cfenicey@gmail.com), Yanhao and Marsman1996 (lqliuyuwei@outlook.com).