Closed
Description
- I looked for a similar issue and couldn't find any.
- I tried with the latest version of GPAC. Installers available at http://gpac.io/downloads/gpac-nightly-builds/
- I give enough information for contributors to reproduce my issue (meaningful title, github labels,
Description
Segmentation fault (stack overflow) due to infinite recursion in Media_GetSample isomedia/media.c:662
Version info
latest version atm
MP4Box - GPAC version 2.1-DEV-rev649-ga8f438d20-master
(c) 2000-2022 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
Please cite our work in your research:
GPAC Filters: https://doi.org/10.1145/3339825.3394929
GPAC: https://doi.org/10.1145/1291233.1291452
GPAC Configuration: --enable-sanitizer
Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SSL GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_LINUX_DVB GPAC_DISABLE_3D
Reproduce
compile and run
./configure --enable-sanitizer
make
./MP4Box import -cat poc_segfault2.mp4
Crash reported by sanitizer
[HEVC] Error parsing NAL unit type 63
Track Importing L-HEVC - Width 1 Height 6 FPS 25000/1000
[HEVC] NAL Unit type 26 not handled - adding
[HEVC] xPS changed but could not flush frames before signaling state change !
[HEVC] Error parsing NAL unit type 33
[HEVC] Error parsing NAL unit type 32
[HEVC] Invalid log2_max_pic_order_cnt_lsb_minus4 80, max shall be 12
[HEVC] Error parsing NAL unit type 33
[HEVC] Error parsing Sequence Param Set
[HEVC] Error parsing NAL unit type 34
[HEVC] Error parsing NAL unit type 0
[HEVC] Error parsing NAL unit type 32
[HEVC] Error parsing NAL unit type 32
HEVC Import results: 7 samples (39 NALUs) - Slices: 0 I 0 P 1 B - 0 SEI - 0 IDR - 0 CRA
HEVC L-HEVC Import results: Slices: 3 I 0 P 2 B
HEVC Stream uses forward prediction - stream CTS offset: 6 frames
HEVC Max NALU size is 106 - stream could be optimized by setting nal_length=1
Appending file /home/sumuchuan/Desktop/gpac_fuzz/cat_gpac/bin/gcc/out/default/crashes/160.mp4
No suitable destination track found - creating new one (type vide)
AddressSanitizer:DEADLYSIGNAL | (57/100)
=================================================================
==738673==ERROR: AddressSanitizer: stack-overflow on address 0x7ffdae782bc0 (pc 0x7f415d384491 bp 0x7ffdae783400 sp 0x7ffdae782bc0 T0)
#0 0x7f415d384491 in __sanitizer::StackTrace::StackTrace(unsigned long const*, unsigned int) ../../../../src/libsanitizer/sanitizer_common/sanitizer_stacktrace.h:52
#1 0x7f415d384491 in __sanitizer::BufferedStackTrace::BufferedStackTrace() ../../../../src/libsanitizer/sanitizer_common/sanitizer_stacktrace.h:105
#2 0x7f415d384491 in __interceptor_free ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:127
#3 0x7f415787f858 in __GI__IO_free_backup_area libio/genops.c:190
#4 0x7f415787cae3 in _IO_new_file_seekoff libio/fileops.c:975
#5 0x7f415787ad52 in __fseeko libio/fseeko.c:40
#6 0x7f4159a1536a in BS_SeekIntern utils/bitstream.c:1338
#7 0x7f4159a1536a in gf_bs_seek utils/bitstream.c:1373
#8 0x7f4159fbbfc9 in gf_isom_fdm_get_data isomedia/data_map.c:501
#9 0x7f4159fbbfc9 in gf_isom_datamap_get_data isomedia/data_map.c:279
#10 0x7f415a0a1f40 in Media_GetSample isomedia/media.c:641
#11 0x7f4159ffc579 in gf_isom_get_sample_ex isomedia/isom_read.c:1916
#12 0x7f4159ec91ca in gf_isom_nalu_sample_rewrite isomedia/avc_ext.c:454
#13 0x7f415a0a305a in Media_GetSample isomedia/media.c:662
#14 0x7f4159ffc579 in gf_isom_get_sample_ex isomedia/isom_read.c:1916
#15 0x7f4159ec91ca in gf_isom_nalu_sample_rewrite isomedia/avc_ext.c:454
#16 0x7f415a0a305a in Media_GetSample isomedia/media.c:662
#17 0x7f4159ffc579 in gf_isom_get_sample_ex isomedia/isom_read.c:1916
#18 0x7f4159ec91ca in gf_isom_nalu_sample_rewrite isomedia/avc_ext.c:454
#19 0x7f415a0a305a in Media_GetSample isomedia/media.c:662
#20 0x7f4159ffc579 in gf_isom_get_sample_ex isomedia/isom_read.c:1916
#21 0x7f4159ec91ca in gf_isom_nalu_sample_rewrite isomedia/avc_ext.c:454
#22 0x7f415a0a305a in Media_GetSample isomedia/media.c:662
#23 0x7f4159ffc579 in gf_isom_get_sample_ex isomedia/isom_read.c:1916
#24 0x7f4159ec91ca in gf_isom_nalu_sample_rewrite isomedia/avc_ext.c:454
...
Looks like an infinite recursion:
Media_GetSample isomedia/media.c:662
-> gf_isom_nalu_sample_rewrite isomedia/avc_ext.c:454
-> gf_isom_get_sample_ex isomedia/isom_read.c:1916
-> Media_GetSample isomedia/media.c:662
If compiled without ASAN and run on the same PoC:
./configure --static-bin
make
./MP4Box import -cat poc_segfault2.mp4
there will be a segmentation fault:
[HEVC] Error parsing NAL unit type 63
Track Importing L-HEVC - Width 1 Height 6 FPS 25000/1000
[HEVC] NAL Unit type 26 not handled - adding
[HEVC] xPS changed but could not flush frames before signaling state change !
[HEVC] Error parsing NAL unit type 33
[HEVC] Error parsing NAL unit type 32
[HEVC] Invalid log2_max_pic_order_cnt_lsb_minus4 80, max shall be 12
[HEVC] Error parsing NAL unit type 33
[HEVC] Error parsing Sequence Param Set
[HEVC] Error parsing NAL unit type 34
[HEVC] Error parsing NAL unit type 0
[HEVC] Error parsing NAL unit type 32
[HEVC] Error parsing NAL unit type 32
HEVC Import results: 7 samples (39 NALUs) - Slices: 0 I 0 P 1 B - 0 SEI - 0 IDR - 0 CRA
HEVC L-HEVC Import results: Slices: 3 I 0 P 2 B
HEVC Stream uses forward prediction - stream CTS offset: 6 frames
HEVC Max NALU size is 106 - stream could be optimized by setting nal_length=1
Appending file /home/sumuchuan/Desktop/gpac_fuzz/cat_gpac/bin/gcc/out/default/crashes/160.mp4
No suitable destination track found - creating new one (type vide)
Segmentation fault===== | (57/100)
Because it ran out of stack space, rsp and rbp end up pointing to unmapped memory, causing the segfault. Backtrace at that point:
pwndbg> bt
...
#16487 0x000000000054d599 in gf_isom_get_sample_ex ()
#16488 0x0000000000521d6d in gf_isom_nalu_sample_rewrite ()
#16489 0x0000000000570e13 in Media_GetSample ()
#16490 0x000000000054d599 in gf_isom_get_sample_ex ()
#16491 0x0000000000521d6d in gf_isom_nalu_sample_rewrite ()
#16492 0x0000000000570e13 in Media_GetSample ()
#16493 0x000000000054d599 in gf_isom_get_sample_ex ()
#16494 0x0000000000521d6d in gf_isom_nalu_sample_rewrite ()
#16495 0x0000000000570e13 in Media_GetSample ()
...
POC
Impact
Potentially causing DoS
Credit
Xdchase
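The trace above shows three functions calling each other in a cycle (sample fetch, NALU rewrite, sample fetch again) until the stack is exhausted. The following is an added toy model of that loop, written for this page and not taken from GPAC; it assumes, as an illustration only, that the rewrite step resolves an extractor-style reference to another sample and that a malformed file can make that reference cyclic. The names `toy_get_sample`, `toy_nalu_sample_rewrite`, `MAX_REWRITE_DEPTH` and the error codes are all invented here. The point it demonstrates is the mitigation: a nesting counter on the fetch path turns an unbounded recursion into a bounded one that fails with an error, and the counter is restored on unwind so later requests still work.

```c
#include <stdio.h>

/* Toy model of the reported call loop, NOT GPAC code.
 * Assumption: the rewrite of a sample may need another sample (an
 * extractor-style reference); a malformed file can point a sample back at
 * itself, directly or through a chain. rewrite_depth is the added guard. */

#define MAX_SAMPLES        8
#define MAX_REWRITE_DEPTH 16   /* assumed bound on nested reference resolution */

enum { TOY_OK = 0, TOY_ERR_RANGE = -1, TOY_ERR_RECURSION = -2 };

typedef struct {
    int has_extractor;   /* 1 if this sample references another sample */
    int ref_sample;      /* index of the referenced sample */
    int payload;         /* stand-in for the sample's own NALU bytes */
} toy_sample;

typedef struct {
    toy_sample samples[MAX_SAMPLES];
    int count;
    int rewrite_depth;   /* nesting counter guarding the mutual recursion */
} toy_track;

static int toy_get_sample(toy_track *trk, int idx, int *out);

/* Counterpart of the rewrite step: resolve the reference by fetching the
 * referenced sample, then combine it with this sample's own payload. */
static int toy_nalu_sample_rewrite(toy_track *trk, int idx, int *out)
{
    const toy_sample *s = &trk->samples[idx];
    int ref = 0, e;
    if (!s->has_extractor) {
        *out = s->payload;
        return TOY_OK;
    }
    e = toy_get_sample(trk, s->ref_sample, &ref);   /* re-enters the fetch */
    if (e != TOY_OK) return e;
    *out = s->payload + ref;
    return TOY_OK;
}

/* Counterpart of the sample fetch: validates the index, bounds the nesting
 * depth, and always restores the counter on the way out. */
static int toy_get_sample(toy_track *trk, int idx, int *out)
{
    int e;
    if (idx < 0 || idx >= trk->count) return TOY_ERR_RANGE;
    if (trk->rewrite_depth >= MAX_REWRITE_DEPTH) return TOY_ERR_RECURSION;
    trk->rewrite_depth++;
    e = toy_nalu_sample_rewrite(trk, idx, out);
    trk->rewrite_depth--;
    return e;
}

/* Constructed well-formed layout: sample 1 references sample 0. */
int toy_resolve_well_formed(void)
{
    toy_track trk = {0};
    int v = 0;
    trk.count = 2;
    trk.samples[0].payload = 3;
    trk.samples[1].has_extractor = 1;
    trk.samples[1].ref_sample = 0;
    trk.samples[1].payload = 4;
    if (toy_get_sample(&trk, 1, &v) != TOY_OK) return -1;
    return v;   /* 4 + 3 */
}

/* Constructed malformed layout: samples 0 and 1 reference each other.
 * Without the depth guard this would recurse until the stack overflows. */
int toy_resolve_cycle(void)
{
    toy_track trk = {0};
    int v = 0;
    trk.count = 2;
    trk.samples[0].has_extractor = 1; trk.samples[0].ref_sample = 1;
    trk.samples[1].has_extractor = 1; trk.samples[1].ref_sample = 0;
    return toy_get_sample(&trk, 0, &v);
}

/* Same cycle; returns the depth counter after the error, which must be 0
 * so the track can still serve later, well-formed requests. */
int toy_depth_after_cycle(void)
{
    toy_track trk = {0};
    int v = 0;
    trk.count = 1;
    trk.samples[0].has_extractor = 1; trk.samples[0].ref_sample = 0;
    (void)toy_get_sample(&trk, 0, &v);
    return trk.rewrite_depth;
}

/* Constructed malformed layout: reference outside the sample table. */
int toy_resolve_bad_ref(void)
{
    toy_track trk = {0};
    int v = 0;
    trk.count = 1;
    trk.samples[0].has_extractor = 1; trk.samples[0].ref_sample = 99;
    return toy_get_sample(&trk, 0, &v);
}

int main(void)
{
    printf("well-formed: %d\n", toy_resolve_well_formed());
    printf("cycle: %d (expect %d)\n", toy_resolve_cycle(), TOY_ERR_RECURSION);
    printf("depth after cycle: %d\n", toy_depth_after_cycle());
    printf("bad ref: %d (expect %d)\n", toy_resolve_bad_ref(), TOY_ERR_RANGE);
    return 0;
}
```

The guard lives on the fetch side rather than the rewrite side so that every entry into the loop passes through it, whichever function the caller starts from; the same idea applies to any parser where one box, atom or sample can refer to another by index.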