Double Free in filedump.c:199 #1956

Closed
ZFeiXQ opened this issue Dec 10, 2021 · 0 comments


ZFeiXQ commented Dec 10, 2021

Thanks for reporting your issue. Please make sure these boxes are checked before submitting your issue - thank you!

Detailed guidelines: http://gpac.io/2013/07/16/how-to-file-a-bug-properly/

Version:

./MP4Box -version
MP4Box - GPAC version 1.1.0-DEV-rev1527-g6fcf9819e-master
(c) 2000-2021 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
	MINI build (encoders, decoders, audio and video output disabled)

Please cite our work in your research:
	GPAC Filters: https://doi.org/10.1145/3339825.3394929
	GPAC: https://doi.org/10.1145/1291233.1291452

GPAC Configuration: --static-mp4box --prefix=/home/zxq/CVE_testing/sourceproject/gpac/cmakebuild --enable-debug
Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_FREETYPE GPAC_HAS_JPEG GPAC_HAS_PNG  GPAC_DISABLE_3D 

System information
Ubuntu 20.04.1 LTS, gcc version 9.3.0 (Ubuntu 9.3.0-17ubuntu1~20.04)

command:

./bin/gcc/MP4Box -bt POC

POC.zip

Result

[iso file] extra box maxr found in hinf, deleting
[iso file] extra box maxr found in hinf, deleting
[ODF] Not enough bytes (10) to read descriptor (size=127)
[ODF] Error reading descriptor (tag 4 size 21): Invalid MPEG-4 Descriptor
[iso file] Incomplete box mdat - start 11495 size 75
[iso file] Incomplete file while reading for dump - aborting parsing
[iso file] extra box maxr found in hinf, deleting
[iso file] extra box maxr found in hinf, deleting
[ODF] Not enough bytes (10) to read descriptor (size=127)
[ODF] Error reading descriptor (tag 4 size 21): Invalid MPEG-4 Descriptor
[iso file] Incomplete box mdat - start 11495 size 75
[iso file] Incomplete file while reading for dump - aborting parsing
MPEG-4 BIFS Scene Parsing
[MP4 Loading] Unable to fetch sample 1 from track ID 7 - aborting track import
free(): double free detected in tcache 2
[3]    3698317 abort      ./bin/gcc/MP4Box -bt 

gdb information:

Program received signal SIGABRT, Aborted.
Stopped reason: SIGABRT
__GI_raise (sig=sig@entry=0x6) at ../sysdeps/unix/sysv/linux/raise.c:50
50	../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
gdb-peda$ bt
#0  __GI_raise (sig=sig@entry=0x6) at ../sysdeps/unix/sysv/linux/raise.c:50
#1  0x00007ffff61b0859 in __GI_abort () at abort.c:79
#2  0x00007ffff621b3ee in __libc_message (action=action@entry=do_abort, fmt=fmt@entry=0x7ffff6345285 "%s\n") at ../sysdeps/posix/libc_fatal.c:155
#3  0x00007ffff622347c in malloc_printerr (str=str@entry=0x7ffff63475d0 "free(): double free detected in tcache 2") at malloc.c:5347
#4  0x00007ffff62250ed in _int_free (av=0x7ffff6376b80 <main_arena>, p=0x555555671790, have_lock=0x0) at malloc.c:4201
#5  0x00007ffff6bf30f5 in gf_odf_del_default () from /home/zxq/CVE_testing/project/gpac/bin/gcc/libgpac.so.10
#6  0x00007ffff6f56654 in gf_sm_load_run_isom () from /home/zxq/CVE_testing/project/gpac/bin/gcc/libgpac.so.10
#7  0x00005555555c3a18 in dump_isom_scene (file=<optimized out>, inName=0x555555644d20 <outfile> "../../result/gpac/afl-outbox-bt-d/crashes/id:000000,sig:06,src:000181,op:havoc,rep:64", is_final_name=GF_FALSE, 
    dump_mode=GF_SM_DUMP_BT, do_log=GF_FALSE, no_odf_conv=GF_FALSE) at filedump.c:199
#8  0x000055555559edd0 in mp4boxMain (argc=<optimized out>, argv=<optimized out>) at main.c:6044
#9  0x00007ffff61b20b3 in __libc_start_main (main=0x55555556d540 <main>, argc=0x3, argv=0x7fffffffe318, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe308) at ../csu/libc-start.c:308
#10 0x000055555556d5be in _start () at main.c:6496
gdb-peda$ 
@jeanlf jeanlf closed this as completed in 9bbce96 Dec 10, 2021