Thanks for reporting your issue. Please make sure these boxes are checked before submitting your issue - thank you!
[ √] I looked for a similar issue and couldn't find any.
[ √] I tried with the latest version of GPAC. Installers available at http://gpac.io/downloads/gpac-nightly-builds/
[ √] I give enough information for contributors to reproduce my issue (meaningful title, github labels, platform and compiler, command-line ...). I can share files anonymously with this dropbox: https://www.mediafire.com/filedrop/filedrop_hosted.php?drop=eec9e058a9486fe4e99c33021481d9e1826ca9dbc242a6cfaab0fe95da5e5d95
Detailed guidelines: http://gpac.io/2013/07/16/how-to-file-a-bug-properly/
A crafted input will lead to a crash in box_code_3gpp.c in GPAC 0.8.0.
Triggered by: ./MP4Box -diso POC -out /dev/null
PoC: 011-stack-dimC_Read1000
The ASAN information is as follows:
./MP4Box -diso 011-stack-dimC_Read1000 -out /dev/null
=================================================================
==3045==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fff6e0d88d0 at pc 0x564b9b2d69fb bp 0x7fff6e0d8480 sp 0x7fff6e0d8470
WRITE of size 1 at 0x7fff6e0d88d0 thread T0
    #0 0x564b9b2d69fa in dimC_Read isomedia/box_code_3gpp.c:1000
    #1 0x564b9ae5bb35 in gf_isom_box_read isomedia/box_funcs.c:1528
    #2 0x564b9ae5bb35 in gf_isom_box_parse_ex isomedia/box_funcs.c:208
    #3 0x564b9ae5c1e4 in gf_isom_parse_root_box isomedia/box_funcs.c:42
    #4 0x564b9ae72f44 in gf_isom_parse_movie_boxes isomedia/isom_intern.c:206
    #5 0x564b9ae75bca in gf_isom_open_file isomedia/isom_intern.c:615
    #6 0x564b9abbe852 in mp4boxMain /home/liuz/gpac-master/applications/mp4box/main.c:4767
    #7 0x7f4b5d817b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
    #8 0x564b9abafb19 in _start (/usr/local/gpac-asan3/bin/MP4Box+0x163b19)

Address 0x7fff6e0d88d0 is located in stack of thread T0 at offset 1056 in frame
    #0 0x564b9b2d641f in dimC_Read isomedia/box_code_3gpp.c:983

  This frame has 1 object(s):
    [32, 1056) 'str' <== Memory access at offset 1056 overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow isomedia/box_code_3gpp.c:1000 in dimC_Read
Shadow bytes around the buggy address:
  0x10006dc130c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10006dc130d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10006dc130e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10006dc130f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10006dc13100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x10006dc13110: 00 00 00 00 00 00 00 00 00 00[f3]f3 f3 f3 00 00
  0x10006dc13120: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10006dc13130: 00 00 00 00 f1 f1 f1 f1 00 00 f2 f2 00 00 00 00
  0x10006dc13140: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10006dc13150: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10006dc13160: 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1 04 f2
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==3045==ABORTING
CVE-2019-20208 has been assigned for this issue.
add some array checks (#1334, #1348)
bcfcb3e
Thanks for the report.
This should be fixed in master / 0.8.0 as of the above commit.
It will be included in filters / 0.9.0 in the next merge.
Feel free to reopen the issue if necessary.
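To make the report and the fix description concrete, here is an added example written for this page; it is not GPAC's dimC_Read and not the code of the commit above. It models the bug class the ASan frame shows: a box parser with a 1024-byte stack buffer (the size of the 'str' object in the report, [32, 1056)) that copies a field from the payload. The unchecked shape writes one byte past the end on an over-long field, matching the one-byte write at offset 1056; the checked shape bounds every write by the buffer capacity, which is what the "array checks" in the fix stand for. The payload layout (one version byte followed by a NUL-terminated text field), the function names and the error codes are assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed illustration of the bug class, not GPAC's dimC_Read: a box
 * payload carries a NUL-terminated text field that the parser copies into a
 * fixed stack buffer sized like the 'str' object in the ASan report. */
#define STR_CAP 1024

enum { BOX_OK = 0, BOX_ERR_TRUNCATED = -1, BOX_ERR_TOO_LONG = -2 };

/* 'Before' shape: the loop stops on a NUL or on the end of the payload but
 * never on the size of dst, so 1024 or more non-NUL bytes write dst[1024],
 * one byte past the end, which is the one-byte write at offset 1056 ASan
 * reported. Kept for contrast only; nothing here calls it. */
size_t copy_field_unchecked(const uint8_t *p, size_t len, char *dst)
{
    size_t i = 0;
    while (i < len && p[i] != 0) {
        dst[i] = (char)p[i];     /* no check against the capacity of dst */
        i++;
    }
    dst[i] = 0;                  /* terminator can land out of bounds too */
    return i + 1;
}

/* Hardened form: the destination capacity is a parameter and every write
 * is bounded by it. A field not terminated within cap bytes is rejected,
 * as is a payload that ends before the terminator. */
int copy_field_checked(const uint8_t *p, size_t len, char *dst, size_t cap)
{
    size_t i = 0;
    while (i < len && p[i] != 0) {
        if (i + 1 >= cap)        /* keep one byte for the terminator */
            return BOX_ERR_TOO_LONG;
        dst[i] = (char)p[i];
        i++;
    }
    if (i == len)                /* payload ended without a NUL */
        return BOX_ERR_TRUNCATED;
    dst[i] = 0;
    return BOX_OK;
}

/* Parses a payload of one version byte followed by the text field, the
 * shape of a small 3GPP-style box (assumed layout). Returns BOX_OK or a
 * BOX_ERR_* code and fills out_version / out_text on success. */
int parse_text_box(const uint8_t *payload, size_t len, uint8_t *out_version,
                   char *out_text, size_t out_cap)
{
    char str[STR_CAP];           /* fixed stack buffer, as in the report */
    size_t n;
    int rc;
    if (len < 1)
        return BOX_ERR_TRUNCATED;
    *out_version = payload[0];
    rc = copy_field_checked(payload + 1, len - 1, str, sizeof str);
    if (rc != BOX_OK)
        return rc;
    n = strlen(str) + 1;         /* at most STR_CAP, so this is bounded */
    if (n > out_cap)
        return BOX_ERR_TOO_LONG;
    memcpy(out_text, str, n);
    return BOX_OK;
}

/* Constructed payloads (not the reporter's PoC file) and the status the
 * hardened parser returns for each. */
int demo_well_formed(void)
{
    const uint8_t good[] = { 0x00, 'h', 'e', 'l', 'l', 'o', 0x00 };
    uint8_t version; char text[STR_CAP];
    return parse_text_box(good, sizeof good, &version, text, sizeof text);
}

int demo_overlong(void)      /* 2048 non-NUL bytes, never terminated */
{
    uint8_t crafted[1 + 2048]; uint8_t version; char text[STR_CAP];
    memset(crafted, 'A', sizeof crafted);
    crafted[0] = 0x00;
    return parse_text_box(crafted, sizeof crafted, &version, text, sizeof text);
}

int demo_truncated(void)     /* payload ends before the terminator */
{
    const uint8_t cut[] = { 0x00, 'a', 'b' };
    uint8_t version; char text[STR_CAP];
    return parse_text_box(cut, sizeof cut, &version, text, sizeof text);
}

int main(void)
{
    printf("well-formed: %d\noverlong: %d\ntruncated: %d\n",
           demo_well_formed(), demo_overlong(), demo_truncated());
    return 0;
}
```

The checked copy rejects the over-long field before the first out-of-bounds write instead of after it, which is the property to look for when reviewing any fixed-buffer read in a box parser: the loop bound must come from the destination size as well as from the payload length.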