Program received signal SIGSEGV, Segmentation fault.
__GI___libc_free (mem=0x7ffff6867010) at malloc.c:2958
2958 malloc.c: No such file or directory.
(gdb) bt
#0__GI___libc_free (mem=0x7ffff6867010) at malloc.c:2958
#10x00000000008d8557 in co64_box_del ()
#20x000000000053f9d4 in gf_isom_box_del ()
#30x000000000053fa07 in gf_isom_box_del ()
#40x000000000053fa07 in gf_isom_box_del ()
#50x000000000053fa07 in gf_isom_box_del ()
#60x000000000053fa07 in gf_isom_box_del ()
#70x000000000053fa07 in gf_isom_box_del ()
#80x0000000000541407 in gf_isom_box_array_del ()
#90x000000000054ab73 in gf_isom_delete_movie ()
#100x000000000054d89d in gf_isom_close ()
#110x00000000004171c3 in mp4boxMain ()
#120x00007ffff6ec7840 in __libc_start_main (main=0x409dc0 <main>, argc=5, argv=0x7fffffffdf78, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffdf68) at ../csu/libc-start.c:291
#130x0000000000409df9 in _start ()
ASAN info:
==17415==ERROR: AddressSanitizer: heap-use-after-free on address 0x60600000e7f8 at pc 0x000000736277 bp 0x7fff80125400 sp 0x7fff801253f0
READ of size 8 at 0x60600000e7f8 thread T0
#00x736276 in gf_isom_box_del isomedia/box_funcs.c:1696
#10x7361e6 in gf_isom_box_array_reset isomedia/box_funcs.c:346
#20x7361e6 in gf_isom_box_array_del isomedia/box_funcs.c:352
#30x7361e6 in gf_isom_box_del isomedia/box_funcs.c:1707
#40x7361e6 in gf_isom_box_array_reset isomedia/box_funcs.c:346
#50x7361e6 in gf_isom_box_array_del isomedia/box_funcs.c:352
#60x7361e6 in gf_isom_box_del isomedia/box_funcs.c:1707
#70x7361e6 in gf_isom_box_array_reset isomedia/box_funcs.c:346
#80x7361e6 in gf_isom_box_array_del isomedia/box_funcs.c:352
#90x7361e6 in gf_isom_box_del isomedia/box_funcs.c:1707
#100x7361e6 in gf_isom_box_array_reset isomedia/box_funcs.c:346
#110x7361e6 in gf_isom_box_array_del isomedia/box_funcs.c:352
#120x7361e6 in gf_isom_box_del isomedia/box_funcs.c:1707
#130x7361e6 in gf_isom_box_array_reset isomedia/box_funcs.c:346
#140x7361e6 in gf_isom_box_array_del isomedia/box_funcs.c:352
#150x7361e6 in gf_isom_box_del isomedia/box_funcs.c:1707
#160x738e3e in gf_isom_box_array_reset isomedia/box_funcs.c:346
#170x738e3e in gf_isom_box_array_del isomedia/box_funcs.c:352
#180x7545bd in gf_isom_delete_movie isomedia/isom_intern.c:908
#190x75bf4e in gf_isom_close isomedia/isom_read.c:618
#200x42c0c0 in mp4boxMain /opt/data/yyp/fuzzsequence/test/0-day/SRC_asan/applications/mp4box/main.c:6718
#210x7f6c5505883f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2083f)
#220x417638 in _start (/opt/data/yyp/fuzzsequence/test/0-day/SRC_asan/build/bin/MP4Box+0x417638)
0x60600000e7f8 is located 24 bytes inside of 56-byte region [0x60600000e7e0,0x60600000e818)
freed by thread T0 here:
#00x7f6c560002ca in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x982ca)
#10x7361af in gf_isom_box_del isomedia/box_funcs.c:1703
#20x78000e in CleanWriters isomedia/isom_store.c:105
#30x78000e in WriteInterleaved isomedia/isom_store.c:1728
#40x7811f2 in WriteToFile isomedia/isom_store.c:1885
#50x75ba6e in gf_isom_write isomedia/isom_read.c:592
#60x75bf43 in gf_isom_close isomedia/isom_read.c:616
#70x42c0c0 in mp4boxMain /opt/data/yyp/fuzzsequence/test/0-day/SRC_asan/applications/mp4box/main.c:6718
#80x7f6c5505883f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2083f)
previously allocated by thread T0 here:
#00x7f6c56000602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
#10x102065d in co64_box_new isomedia/box_code_base.c:65
#20x735fdf in gf_isom_box_new_ex isomedia/box_funcs.c:1582
#30x735fdf in gf_isom_box_new isomedia/box_funcs.c:1605
#40x7feec4 in stbl_AddOffset isomedia/stbl_write.c:1989
#50x7feec4 in stbl_SetChunkAndOffset isomedia/stbl_write.c:2090
#60x77f65a in DoInterleave isomedia/isom_store.c:1537
#70x780197 in WriteInterleaved isomedia/isom_store.c:1665
#80x7811f2 in WriteToFile isomedia/isom_store.c:1885
#90x75ba6e in gf_isom_write isomedia/isom_read.c:592
#100x75bf43 in gf_isom_close isomedia/isom_read.c:616
#110x42c0c0 in mp4boxMain /opt/data/yyp/fuzzsequence/test/0-day/SRC_asan/applications/mp4box/main.c:6718
#120x7f6c5505883f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2083f)
SUMMARY: AddressSanitizer: heap-use-after-free isomedia/box_funcs.c:1696 gf_isom_box_del
Shadow bytes around the buggy address:
0x0c0c7fff9ca0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0c7fff9cb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0c7fff9cc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0c7fff9cd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0c7fff9ce0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c0c7fff9cf0: fa fa fa fa fa fa fa fa fa fa fa fa fd fd fd[fd]
0x0c0c7fff9d00: fd fd fd fa fa fa fa fa fd fd fd fd fd fd fd fa
0x0c0c7fff9d10: fa fa fa fa 00 00 00 00 00 00 00 fa fa fa fa fa
0x0c0c7fff9d20: fd fd fd fd fd fd fd fd fa fa fa fa fd fd fd fd
0x0c0c7fff9d30: fd fd fd fa fa fa fa fa fd fd fd fd fd fd fd fd
0x0c0c7fff9d40: fa fa fa fa fd fd fd fd fd fd fd fd fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
==17415==ABORTING
System info:
Ubuntu 16.04.6 LTS, X64, gcc 5.4.0, gpac (latest master c4f8bc6 and the latest V1.0.1 d8538e8)
I think it is probably due to an imcomplete fix of #1340 、#1440 and #1332.
Compile Command:
Run Command:
POC file:
https://github.com/Clingto/POC/blob/master/gpac-MP4Box/gpac-c4f8bc6e_poc/gf_isom_box_del-UAF
gdb info:
ASAN info:
Addition: This bug was found with our fuzzer, which is based on AFL. Our fuzzer is developed by Yuanpingyu(cfenicey@gmail.com) 、Xiangkun Jia(xiangkun@iscas.ac.cn) 、Marsman1996(lqliuyuwei@outlook.com) and Yanhao.
The text was updated successfully, but these errors were encountered: