heap-use-after-free filters/dmx_m2ts.c:470 in m2tsdmx_declare_pid #2344

Closed
@xidoo123


Thanks for reporting your issue. Please make sure these boxes are checked before submitting your issue - thank you!

Detailed guidelines: http://gpac.io/2013/07/16/how-to-file-a-bug-properly/

Description

heap-use-after-free filters/dmx_m2ts.c:470 in m2tsdmx_declare_pid

Version info

MP4Box - GPAC version 2.1-DEV-rev574-g9d5bb184b-master
(c) 2000-2022 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io

Please cite our work in your research:
	GPAC Filters: https://doi.org/10.1145/3339825.3394929
	GPAC: https://doi.org/10.1145/1291233.1291452

GPAC Configuration: --enable-sanitizer
Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SSL GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_LINUX_DVB  GPAC_DISABLE_3D

Reproduce

Compile and run:

./configure --enable-sanitizer
make
./MP4Box import -add poc_uaf.avi

Crash reported by sanitizer

Broken PAT found reserved PID 0, ignoring
Broken PAT found reserved PID 0, ignoring
Broken PAT found reserved PID 0, ignoring
Broken PAT found reserved PID 0, ignoring
Broken PAT found reserved PID 0, ignoring
[MPEG-2 TS] PID 1863: Bad Adaptation Descriptor found (tag 100) size is 100 but only 93 bytes available
stream type DSM CC user private sections on pid 32 
[MPEG-2 TS] Invalid PMT es descriptor size for PID 32
[MPEG-2 TS] Invalid PMT es descriptor size for PID 5364
Broken PAT found reserved PID 0, ignoring
Broken PAT found reserved PID 0, ignoring
Broken PAT found reserved PID 0, ignoring
Broken PAT found reserved PID 0, ignoring
Broken PAT found reserved PID 0, ignoring
[MPEG-2 TS] PID 1863: Bad Adaptation Descriptor found (tag 100) size is 100 but only 93 bytes available
stream type DSM CC user private sections on pid 32 
[MPEG-2 TS] Invalid PMT es descriptor size for PID 32
[MPEG-2 TS] Invalid PMT es descriptor size for PID 5364
=================================================================
==583780==ERROR: AddressSanitizer: heap-use-after-free on address 0x607000004548 at pc 0x7fa6cb05f685 bp 0x7ffc93e21020 sp 0x7ffc93e21010
READ of size 8 at 0x607000004548 thread T0
    #0 0x7fa6cb05f684 in m2tsdmx_declare_pid filters/dmx_m2ts.c:470
    #1 0x7fa6cb05f98a in m2tsdmx_setup_program filters/dmx_m2ts.c:592
    #2 0x7fa6cb06245b in m2tsdmx_on_event filters/dmx_m2ts.c:876
    #3 0x7fa6ca9507d4 in gf_m2ts_process_pmt media_tools/mpegts.c:1779
    #4 0x7fa6ca9507d4 in gf_m2ts_process_pmt media_tools/mpegts.c:1132
    #5 0x7fa6ca9439b6 in gf_m2ts_section_complete media_tools/mpegts.c:624
    #6 0x7fa6ca9452af in gf_m2ts_gather_section media_tools/mpegts.c:755
    #7 0x7fa6ca94a532 in gf_m2ts_process_packet media_tools/mpegts.c:2721
    #8 0x7fa6ca94dd68 in gf_m2ts_process_data media_tools/mpegts.c:2813
    #9 0x7fa6cb05a250 in m2tsdmx_process filters/dmx_m2ts.c:1420
    #10 0x7fa6caf29bcc in gf_filter_process_task filter_core/filter.c:2750
    #11 0x7fa6caee9af3 in gf_fs_thread_proc filter_core/filter_session.c:1859
    #12 0x7fa6caef63ee in gf_fs_run filter_core/filter_session.c:2120
    #13 0x7fa6ca938fd1 in gf_media_import media_tools/media_import.c:1551
    #14 0x55f87208daec in import_file /home/sumuchuan/Desktop/gpac_fuzz/gpac/applications/mp4box/fileimport.c:1498
    #15 0x55f8720423db in do_add_cat /home/sumuchuan/Desktop/gpac_fuzz/gpac/applications/mp4box/mp4box.c:4508
    #16 0x55f8720423db in mp4box_main /home/sumuchuan/Desktop/gpac_fuzz/gpac/applications/mp4box/mp4box.c:6124
    #17 0x7fa6c7ec3d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    #18 0x7fa6c7ec3e3f in __libc_start_main_impl ../csu/libc-start.c:392
    #19 0x55f87201ecb4 in _start (/home/sumuchuan/Desktop/gpac_fuzz/gpac/bin/gcc/MP4Box+0xabcb4)

0x607000004548 is located 8 bytes inside of 80-byte region [0x607000004540,0x607000004590)
freed by thread T0 here:
    #0 0x7fa6cda1ec18 in __interceptor_realloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:164
    #1 0x7fa6ca0aff20 in realloc_chain utils/list.c:621
    #2 0x7fa6ca0aff20 in gf_list_add utils/list.c:630
    #3 0x7fa6caed06d0 in gf_props_set_property filter_core/filter_props.c:1098
    #4 0x7fa6cae8a35d in gf_filter_pid_set_property_full filter_core/filter_pid.c:5411
    #5 0x7fa6cae8a35d in gf_filter_pid_set_property filter_core/filter_pid.c:5418
    #6 0x7fa6cb05c6b3 in m2tsdmx_declare_pid filters/dmx_m2ts.c:454
    #7 0x7fa6cb05f98a in m2tsdmx_setup_program filters/dmx_m2ts.c:592
    #8 0x7fa6cb06245b in m2tsdmx_on_event filters/dmx_m2ts.c:876
    #9 0x7fa6ca9507d4 in gf_m2ts_process_pmt media_tools/mpegts.c:1779
    #10 0x7fa6ca9507d4 in gf_m2ts_process_pmt media_tools/mpegts.c:1132
    #11 0x7fa6ca9439b6 in gf_m2ts_section_complete media_tools/mpegts.c:624
    #12 0x7fa6ca9452af in gf_m2ts_gather_section media_tools/mpegts.c:755
    #13 0x7fa6ca94a532 in gf_m2ts_process_packet media_tools/mpegts.c:2721
    #14 0x7fa6ca94dd68 in gf_m2ts_process_data media_tools/mpegts.c:2813
    #15 0x7fa6cb05a250 in m2tsdmx_process filters/dmx_m2ts.c:1420
    #16 0x7fa6caf29bcc in gf_filter_process_task filter_core/filter.c:2750
    #17 0x7fa6caee9af3 in gf_fs_thread_proc filter_core/filter_session.c:1859
    #18 0x7fa6caef63ee in gf_fs_run filter_core/filter_session.c:2120
    #19 0x7fa6ca938fd1 in gf_media_import media_tools/media_import.c:1551
    #20 0x55f87208daec in import_file /home/sumuchuan/Desktop/gpac_fuzz/gpac/applications/mp4box/fileimport.c:1498
    #21 0x55f8720423db in do_add_cat /home/sumuchuan/Desktop/gpac_fuzz/gpac/applications/mp4box/mp4box.c:4508
    #22 0x55f8720423db in mp4box_main /home/sumuchuan/Desktop/gpac_fuzz/gpac/applications/mp4box/mp4box.c:6124
    #23 0x7fa6c7ec3d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58

previously allocated by thread T0 here:
    #0 0x7fa6cda1ec18 in __interceptor_realloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:164
    #1 0x7fa6ca0aff20 in realloc_chain utils/list.c:621
    #2 0x7fa6ca0aff20 in gf_list_add utils/list.c:630
    #3 0x7fa6caed0d5f in gf_props_merge_property filter_core/filter_props.c:1199
    #4 0x7fa6cae9661b in gf_filter_pid_new filter_core/filter_pid.c:5258
    #5 0x7fa6cb05adf9 in m2tsdmx_declare_pid filters/dmx_m2ts.c:411
    #6 0x7fa6cb05f98a in m2tsdmx_setup_program filters/dmx_m2ts.c:592
    #7 0x7fa6cb06245b in m2tsdmx_on_event filters/dmx_m2ts.c:876
    #8 0x7fa6ca9507d4 in gf_m2ts_process_pmt media_tools/mpegts.c:1779
    #9 0x7fa6ca9507d4 in gf_m2ts_process_pmt media_tools/mpegts.c:1132
    #10 0x7fa6ca9439b6 in gf_m2ts_section_complete media_tools/mpegts.c:624
    #11 0x7fa6ca9452af in gf_m2ts_gather_section media_tools/mpegts.c:755
    #12 0x7fa6ca94a532 in gf_m2ts_process_packet media_tools/mpegts.c:2721
    #13 0x7fa6ca94dd68 in gf_m2ts_process_data media_tools/mpegts.c:2813
    #14 0x7fa6cb05a250 in m2tsdmx_process filters/dmx_m2ts.c:1420
    #15 0x7fa6caf29bcc in gf_filter_process_task filter_core/filter.c:2750
    #16 0x7fa6caee9af3 in gf_fs_thread_proc filter_core/filter_session.c:1859
    #17 0x7fa6caef63ee in gf_fs_run filter_core/filter_session.c:2120
    #18 0x7fa6ca938fd1 in gf_media_import media_tools/media_import.c:1551
    #19 0x55f87208daec in import_file /home/sumuchuan/Desktop/gpac_fuzz/gpac/applications/mp4box/fileimport.c:1498
    #20 0x55f8720423db in do_add_cat /home/sumuchuan/Desktop/gpac_fuzz/gpac/applications/mp4box/mp4box.c:4508
    #21 0x55f8720423db in mp4box_main /home/sumuchuan/Desktop/gpac_fuzz/gpac/applications/mp4box/mp4box.c:6124
    #22 0x7fa6c7ec3d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58

SUMMARY: AddressSanitizer: heap-use-after-free filters/dmx_m2ts.c:470 in m2tsdmx_declare_pid
==583780==ABORTING
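Both the "freed by" and "previously allocated by" stacks above end in realloc_chain via gf_list_add, which suggests the list's backing array was reallocated during the property set at line 454 while m2tsdmx_declare_pid still held a pointer into the old array, read at line 470. As an added illustration (not GPAC code; plist, qentry and the quarantine are hypothetical stand-ins), this C example reproduces that pattern with a toy growable list that never returns discarded storage to the allocator, so a stale pointer can be recognised deterministically the way ASan's quarantine recognises it, and shows the index-and-refetch pattern that avoids the bug.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
/* Hypothetical growable pointer list: a stand-in for a realloc-backed list, not GPAC's gf_list. */
typedef struct { void **slots; size_t count, cap; } plist;
/* Discarded backing arrays are quarantined, not freed, so a pointer into them is recognisable (toy ASan quarantine). */
typedef struct { uintptr_t base; size_t bytes; } qentry;
#define QUAR_MAX 16
static qentry quarantine[QUAR_MAX];
static size_t quar_len;
static void plist_add(plist *l, void *item) {
    if (l->count == l->cap) {
        size_t ncap = l->cap ? l->cap * 2 : 4;
        void **moved = malloc(ncap * sizeof *moved);   /* always move, as realloc may */
        if (!moved) abort();
        if (l->slots) {
            memcpy(moved, l->slots, l->count * sizeof *moved);
            if (quar_len < QUAR_MAX) quarantine[quar_len++] = (qentry){ (uintptr_t)l->slots, l->cap * sizeof *moved };
            else free(l->slots);
        }
        l->slots = moved;
        l->cap = ncap;
    }
    l->slots[l->count++] = item;
}
/* 1 if p points into a backing array the list has already discarded. */
static int plist_is_stale(const void *p) {
    uintptr_t x = (uintptr_t)p;
    for (size_t i = 0; i < quar_len; i++)
        if (x >= quarantine[i].base && x < quarantine[i].base + quarantine[i].bytes) return 1;
    return 0;
}
/* The pattern behind the trace: a pointer into the list's storage is held across adds that grow it. */
static int stale_after_add(void) {
    plist l = {0}; int a = 1, b = 2;
    plist_add(&l, &a);
    void **held = &l.slots[0];                      /* raw pointer into the backing array */
    for (int i = 0; i < 4; i++) plist_add(&l, &b);  /* the fifth element forces a grow */
    return plist_is_stale(held);                    /* 1: held now refers to discarded storage */
}
/* The fix: remember the index and re-fetch through the list after any add. */
static int refetch_after_add(void) {
    plist l = {0}; int a = 1, b = 2;
    plist_add(&l, &a);
    size_t idx = l.count - 1;
    for (int i = 0; i < 4; i++) plist_add(&l, &b);
    void **cur = &l.slots[idx];                     /* looked up after the grow, so still valid */
    return !plist_is_stale(cur) && *(int *)*cur == 1;
}
```

The same discipline applies to any pointer obtained from a growable container: treat it as invalid after any call that may append to that container.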

POC

poc_uaf.zip

Impact

Potentially causing DoS and RCE

Credit

Xdchase
