
There is a stack-buffer-overflow in the dimC_Read function of box_code_3gpp.c:1000 #1348

Closed
gutiniao opened this issue Nov 13, 2019 · 2 comments

@gutiniao

Thanks for reporting your issue. Please make sure these boxes are checked before submitting your issue - thank you!

[x] I looked for a similar issue and couldn't find any.
[x] I tried with the latest version of GPAC. Installers available at http://gpac.io/downloads/gpac-nightly-builds/
[x] I give enough information for contributors to reproduce my issue (meaningful title, github labels, platform and compiler, command-line ...). I can share files anonymously with this dropbox: https://www.mediafire.com/filedrop/filedrop_hosted.php?drop=eec9e058a9486fe4e99c33021481d9e1826ca9dbc242a6cfaab0fe95da5e5d95
Detailed guidelines: http://gpac.io/2013/07/16/how-to-file-a-bug-properly/

A crafted input will lead to a crash in box_code_3gpp.c at GPAC 0.8.0.

Triggered by:
./MP4Box -diso POC -out /dev/null

PoC:
011-stack-dimC_Read1000

The ASAN information is as follows:

./MP4Box -diso 011-stack-dimC_Read1000 -out /dev/null 
=================================================================
==3045==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fff6e0d88d0 at pc 0x564b9b2d69fb bp 0x7fff6e0d8480 sp 0x7fff6e0d8470
WRITE of size 1 at 0x7fff6e0d88d0 thread T0
    #0 0x564b9b2d69fa in dimC_Read isomedia/box_code_3gpp.c:1000
    #1 0x564b9ae5bb35 in gf_isom_box_read isomedia/box_funcs.c:1528
    #2 0x564b9ae5bb35 in gf_isom_box_parse_ex isomedia/box_funcs.c:208
    #3 0x564b9ae5c1e4 in gf_isom_parse_root_box isomedia/box_funcs.c:42
    #4 0x564b9ae72f44 in gf_isom_parse_movie_boxes isomedia/isom_intern.c:206
    #5 0x564b9ae75bca in gf_isom_open_file isomedia/isom_intern.c:615
    #6 0x564b9abbe852 in mp4boxMain /home/liuz/gpac-master/applications/mp4box/main.c:4767
    #7 0x7f4b5d817b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
    #8 0x564b9abafb19 in _start (/usr/local/gpac-asan3/bin/MP4Box+0x163b19)

Address 0x7fff6e0d88d0 is located in stack of thread T0 at offset 1056 in frame
    #0 0x564b9b2d641f in dimC_Read isomedia/box_code_3gpp.c:983

  This frame has 1 object(s):
    [32, 1056) 'str' <== Memory access at offset 1056 overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow isomedia/box_code_3gpp.c:1000 in dimC_Read
Shadow bytes around the buggy address:
  0x10006dc130c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10006dc130d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10006dc130e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10006dc130f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10006dc13100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x10006dc13110: 00 00 00 00 00 00 00 00 00 00[f3]f3 f3 f3 00 00
  0x10006dc13120: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10006dc13130: 00 00 00 00 f1 f1 f1 f1 00 00 f2 f2 00 00 00 00
  0x10006dc13140: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10006dc13150: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10006dc13160: 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1 04 f2
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==3045==ABORTING
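The pattern the ASAN frame info is describing, as an added example that is not GPAC's code: a parser loop that copies a NUL-terminated string from the box payload into a 1024-byte stack buffer with no bound on the index, beside a bounded version that rejects an unterminated string as a malformed box. The reader type bs_t, bs_read_u8, read_string_unbounded, read_string_bounded, parse_payload and demo_overlong are all hypothetical names, and the loop shape is an assumption drawn from the report (1024-byte 'str', a 1-byte write at offset 1056).

```c
/* Added example, not GPAC's code: the bug class this report points at. The box
 * carries NUL-terminated strings that the parser copies byte by byte into a fixed
 * 1024-byte stack buffer; with no bound on the index, a string with no NUL in its
 * first 1024 bytes writes past 'str', matching the ASAN WRITE of size 1 at 1056. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#define STR_MAX 1024

/* Hypothetical in-memory reader standing in for the library's bitstream API;
 * reads past the end of the payload yield 0, as they would for a truncated box. */
typedef struct { const uint8_t *p; size_t len, pos; } bs_t;
static uint8_t bs_read_u8(bs_t *bs) { return bs->pos < bs->len ? bs->p[bs->pos++] : 0; }

/* Unsafe pattern (assumed shape of the loop): it ends only at a NUL, never at
 * the buffer's size, so i can reach STR_MAX and the store lands past 'str'. */
size_t read_string_unbounded(bs_t *bs, char str[STR_MAX]) {
    size_t i = 0;
    while ((str[i] = (char)bs_read_u8(bs)) != 0) i++;  /* i == STR_MAX: overflow */
    return i;
}

/* Hardened: stop at the buffer bound and treat an unterminated string as a
 * malformed box. Returns the string length, or -1 for overlong input. */
int read_string_bounded(bs_t *bs, char *str, size_t cap) {
    for (size_t i = 0; i < cap; i++) {
        str[i] = (char)bs_read_u8(bs);
        if (!str[i]) return (int)i;
    }
    str[cap - 1] = '\0';
    return -1;
}

/* Parse nstr consecutive strings with the bounded reader: returns nstr on
 * success, or -1 as soon as one string does not terminate inside the buffer. */
int parse_payload(const uint8_t *payload, size_t len, int nstr) {
    bs_t bs = { payload, len, 0 };
    char str[STR_MAX];
    for (int n = 0; n < nstr; n++)
        if (read_string_bounded(&bs, str, sizeof str) < 0) return -1;
    return nstr;
}

/* Constructed crafted payload: 1100 'A' bytes and no terminator, the shape that
 * drives the unbounded loop past 'str'; the bounded parser rejects it instead. */
int demo_overlong(void) {
    uint8_t bad[1100];
    memset(bad, 'A', sizeof bad);
    return parse_payload(bad, sizeof bad, 1);  /* -1 */
}
```

Running the same constructed payload through read_string_unbounded under ASAN reproduces a stack-buffer-overflow of the kind shown in the report, which is why the test only exercises the bounded reader.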

carnil commented Jan 2, 2020

CVE-2019-20208 has been assigned for this issue.

@aureliendavid (Contributor)

Thanks for the report.

This should be fixed in master / 0.8.0 as of the above commit.

It will be included in filters / 0.9.0 in the next merge.

Feel free to reopen the issue if necessary.
