AddressSanitizer: NULL pointer dereference in gf_odf_avc_cfg_write_bs odf/descriptors.c:567 #1335

Closed
Clingto opened this issue Nov 9, 2019 · 2 comments

Clingto commented Nov 9, 2019

System info:
Ubuntu 16.04.6 LTS, X64, gcc 5.4.0, gpac (latest master 00dfc93)
Compile Command:

$ CC="gcc -fsanitize=address -g" CXX="g++ -fsanitize=address -g" ./configure --static-mp4box
$ make

Run Command:

$ MP4Box -diso -out /dev/null $POC-new-gf_odf_avc_cfg_write_bs

POC file:
https://github.com/Clingto/POC/blob/master/gpac-MP4Box/gpac-00dfc93-crashes/POC-new-gf_odf_avc_cfg_write_bs

gdb info:

Program received signal SIGSEGV, Segmentation fault.
0x000000000055aeee in gf_odf_avc_cfg_write_bs ()
(gdb) bt
#0  0x000000000055aeee in gf_odf_avc_cfg_write_bs ()
#1  0x000000000055b1ff in gf_odf_avc_cfg_write ()
#2  0x00000000004f9ba1 in AVC_RewriteESDescriptorEx ()
#3  0x00000000006cf2a8 in video_sample_entry_Read ()
#4  0x0000000000512ce5 in gf_isom_box_parse_ex ()
#5  0x000000000051333b in gf_isom_box_array_read_ex ()
#6  0x0000000000512ce5 in gf_isom_box_parse_ex ()
#7  0x000000000051333b in gf_isom_box_array_read_ex ()
#8  0x00000000006d09d0 in stbl_Read ()
#9  0x0000000000512ce5 in gf_isom_box_parse_ex ()
#10 0x000000000051333b in gf_isom_box_array_read_ex ()
#11 0x00000000006ce02b in minf_Read ()
#12 0x0000000000512ce5 in gf_isom_box_parse_ex ()
#13 0x000000000051333b in gf_isom_box_array_read_ex ()
#14 0x00000000006cd2f0 in mdia_Read ()
#15 0x0000000000512ce5 in gf_isom_box_parse_ex ()
#16 0x000000000051333b in gf_isom_box_array_read_ex ()
#17 0x00000000006d351d in trak_Read ()
#18 0x0000000000512ce5 in gf_isom_box_parse_ex ()
#19 0x000000000051333b in gf_isom_box_array_read_ex ()
#20 0x00000000006ce545 in moov_Read ()
#21 0x00000000005137e1 in gf_isom_box_parse_ex.constprop ()
#22 0x0000000000513e15 in gf_isom_parse_root_box ()
#23 0x000000000051b4fe in gf_isom_parse_movie_boxes.part ()
#24 0x000000000051c48c in gf_isom_open_file ()
#25 0x000000000041c082 in mp4boxMain ()
#26 0x00007ffff72ed830 in __libc_start_main (main=0x40eb70 <main>, argc=5, argv=0x7fffffffe318, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe308) at ../csu/libc-start.c:291
#27 0x000000000040eba9 in _start ()

ASAN info:

ASAN:SIGSEGV
=================================================================
==25871==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000008 (pc 0x000000797a2b bp 0x60200000ed98 sp 0x7fffffff7230 T0)
    #0 0x797a2a in gf_odf_avc_cfg_write_bs odf/descriptors.c:567
    #1 0x79821e in gf_odf_avc_cfg_write odf/descriptors.c:631
    #2 0x68b393 in AVC_RewriteESDescriptorEx isomedia/avc_ext.c:1063
    #3 0xaddd66 in video_sample_entry_Read isomedia/box_code_base.c:4408
    #4 0x6c3d6e in gf_isom_box_read isomedia/box_funcs.c:1528
    #5 0x6c3d6e in gf_isom_box_parse_ex isomedia/box_funcs.c:208
    #6 0x6c47bc in gf_isom_box_array_read_ex isomedia/box_funcs.c:1419
    #7 0x6c3d6e in gf_isom_box_read isomedia/box_funcs.c:1528
    #8 0x6c3d6e in gf_isom_box_parse_ex isomedia/box_funcs.c:208
    #9 0x6c47bc in gf_isom_box_array_read_ex isomedia/box_funcs.c:1419
    #10 0xae19df in stbl_Read isomedia/box_code_base.c:5381
    #11 0x6c3d6e in gf_isom_box_read isomedia/box_funcs.c:1528
    #12 0x6c3d6e in gf_isom_box_parse_ex isomedia/box_funcs.c:208
    #13 0x6c47bc in gf_isom_box_array_read_ex isomedia/box_funcs.c:1419
    #14 0xadb4fe in minf_Read isomedia/box_code_base.c:3500
    #15 0x6c3d6e in gf_isom_box_read isomedia/box_funcs.c:1528
    #16 0x6c3d6e in gf_isom_box_parse_ex isomedia/box_funcs.c:208
    #17 0x6c47bc in gf_isom_box_array_read_ex isomedia/box_funcs.c:1419
    #18 0xad96ef in mdia_Read isomedia/box_code_base.c:3021
    #19 0x6c3d6e in gf_isom_box_read isomedia/box_funcs.c:1528
    #20 0x6c3d6e in gf_isom_box_parse_ex isomedia/box_funcs.c:208
    #21 0x6c47bc in gf_isom_box_array_read_ex isomedia/box_funcs.c:1419
    #22 0xae8ad8 in trak_Read isomedia/box_code_base.c:7129
    #23 0x6c3d6e in gf_isom_box_read isomedia/box_funcs.c:1528
    #24 0x6c3d6e in gf_isom_box_parse_ex isomedia/box_funcs.c:208
    #25 0x6c47bc in gf_isom_box_array_read_ex isomedia/box_funcs.c:1419
    #26 0xadc064 in moov_Read isomedia/box_code_base.c:3745
    #27 0x6c5114 in gf_isom_box_read isomedia/box_funcs.c:1528
    #28 0x6c5114 in gf_isom_box_parse_ex isomedia/box_funcs.c:208
    #29 0x6c5974 in gf_isom_parse_root_box isomedia/box_funcs.c:42
    #30 0x6da6a0 in gf_isom_parse_movie_boxes isomedia/isom_intern.c:206
    #31 0x6dd2f3 in gf_isom_parse_movie_boxes isomedia/isom_intern.c:194
    #32 0x6dd2f3 in gf_isom_open_file isomedia/isom_intern.c:615
    #33 0x42f88a in mp4boxMain /home/aota09/yyp/fuzzcompare/test/gpac/test-crash/build_asan_00dfc93/applications/mp4box/main.c:4767
    #34 0x7ffff638082f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #35 0x41e228 in _start (/home/aota09/yyp/fuzzcompare/test/gpac/test-crash/bin_asan/bin/MP4Box+0x41e228)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV odf/descriptors.c:567 gf_odf_avc_cfg_write_bs
==25871==ABORTING


This bug still exists in the latest versions, 0.8.0 (4c19ae5) and 0.9.0 (1de1f8d).

Addition: This bug was found with our fuzzer, which is based on AFL. Our fuzzer is developed by Yuanpingyu (cfenicey@gmail.com), Yanhao and Marsman1996 (lqliuyuwei@outlook.com).

Clingto changed the title from "AddressSanitizer: SEGV in gf_odf_avc_cfg_write_bs odf/descriptors.c:567" to "AddressSanitizer: NULL pointer dereference in gf_odf_avc_cfg_write_bs odf/descriptors.c:567" on Dec 24, 2019
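The retitling from a generic SEGV to a NULL pointer dereference rests on one detail of the ASAN output above: the fault address is 0x000000000008. ASAN itself only reports "SEGV on unknown address"; it is the triager who notes that the zero page is never mapped on Linux, so an access at a small offset from zero is a field read through a NULL struct pointer rather than a wild or attacker-controlled address. The following Python script is an added triage example written for this page, not code from the issue or from GPAC: it parses the first frames of the report above (copied in as its sample input), applies that zero-page heuristic, skips sanitizer-runtime and libc frames to find the faulting project function, and builds the kind of deduplication key a fuzzing pipeline uses to bucket repeated crashes. The bucket names, the 4096-byte zero-page bound and the list of runtime frame prefixes are the script's own assumptions. It cannot say which pointer at descriptors.c:567 is NULL; that needs the source line, which the page does not show.

```python
"""Triage an AddressSanitizer report: classify the fault and build a crash dedup key."""
import re

# Sample input: the leading frames of the ASAN report posted in the issue above.
ASAN_REPORT = """\
==25871==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000008 (pc 0x000000797a2b bp 0x60200000ed98 sp 0x7fffffff7230 T0)
    #0 0x797a2a in gf_odf_avc_cfg_write_bs odf/descriptors.c:567
    #1 0x79821e in gf_odf_avc_cfg_write odf/descriptors.c:631
    #2 0x68b393 in AVC_RewriteESDescriptorEx isomedia/avc_ext.c:1063
    #3 0xaddd66 in video_sample_entry_Read isomedia/box_code_base.c:4408
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV odf/descriptors.c:567 gf_odf_avc_cfg_write_bs
==25871==ABORTING
"""

# Assumption: Linux leaves the first page unmapped, so a fault below this address
# is NULL plus a struct field offset, not a wild pointer.
NULL_PAGE = 4096

ERROR_RE = re.compile(
    r"==\d+==ERROR: AddressSanitizer: (?P<kind>[A-Za-z-]+)"
    r"(?: on (?:unknown )?address (?P<addr>0x[0-9a-fA-F]+))?"
)
FRAME_RE = re.compile(r"^\s*#(?P<n>\d+) 0x[0-9a-fA-F]+ in (?P<func>\S+)(?: (?P<loc>\S+))?")
# Frames that belong to the sanitizer runtime or libc rather than the fuzzed project (assumed list).
RUNTIME_FUNCS = ("__interceptor_", "__asan_", "__sanitizer_", "__libc_start_main", "_start")


def parse_asan_report(text):
    """Return (error kind, fault address or None, [(frame no, function, location)])."""
    kind, addr, frames = None, None, []
    for line in text.splitlines():
        m = ERROR_RE.search(line)
        if m and kind is None:
            kind = m.group("kind")
            addr = int(m.group("addr"), 16) if m.group("addr") else None
            continue
        m = FRAME_RE.match(line)
        if m:
            frames.append((int(m.group("n")), m.group("func"), m.group("loc")))
    return kind, addr, frames


def first_project_frame(frames):
    """Innermost frame that is not sanitizer runtime or libc: the faulting project site."""
    for _, func, loc in frames:
        if not func.startswith(RUNTIME_FUNCS):
            return func, loc
    return None, None


def classify(kind, addr):
    """Map the sanitizer's error kind and fault address to a triage bucket and a note."""
    if kind == "SEGV":
        if addr is not None and addr < NULL_PAGE:
            return "null-deref", f"access at offset {addr} from NULL (zero page is unmapped)"
        return "wild-access", "SEGV outside the zero page: treat as a potential memory-safety bug"
    if kind in ("heap-buffer-overflow", "stack-buffer-overflow",
                "global-buffer-overflow", "heap-use-after-free"):
        return "memory-corruption", f"{kind}: potentially exploitable, prioritise"
    return kind or "unknown", "unrecognised report kind"


def triage(text):
    """Full triage of one report: bucket, faulting site and a dedup key for the crash."""
    kind, addr, frames = parse_asan_report(text)
    func, loc = first_project_frame(frames)
    bucket, note = classify(kind, addr)
    return {
        "bucket": bucket,
        "note": note,
        "function": func,
        "location": loc,
        # Same bucket and same faulting site: the same bug, however many inputs hit it.
        "dedup_key": f"{bucket}:{func}:{loc}",
    }


if __name__ == "__main__":
    for key, value in triage(ASAN_REPORT).items():
        print(f"{key:>9}: {value}")
```

On the report above this yields the bucket null-deref at gf_odf_avc_cfg_write_bs, odf/descriptors.c:567, which is the classification the maintainers adopted. A null-deref in a file parser is a denial of service against anything that opens untrusted MP4 input; the memory-corruption bucket is where a triager spends exploitability effort first.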
carnil commented Dec 31, 2019

CVE-2019-20163 was assigned for this issue.

aureliendavid added a commit that referenced this issue Jan 8, 2020
aureliendavid (Contributor) commented

Thanks for the report.

This should be fixed in master / 0.8.0 as of the above commit.

It will be included in filters / 0.9.0 in the next merge.

Feel free to reopen the issue if necessary.
