Description
heap-use-after-free in gf_odf_vvc_cfg_read_bs at odf/descriptors.c:1403
Version
./MP4Box -version
MP4Box - GPAC version 2.3-DEV-rev23-g5a733aec7-master
(c) 2000-2023 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
The same POC also triggers the heap-use-after-free on the current master (as of 17 Jan 2023):
./MP4Box -version
MP4Box - GPAC version 2.3-DEV-rev27-g5195ad4e2-master
(c) 2000-2023 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
Proof of Concept
./MP4Box -hint POC
[iso file] Unknown top-level box type freN
[VVC] Invalid NALU type in vvcC - ignoring
=================================================================
==3978220==ERROR: AddressSanitizer: heap-use-after-free on address 0x6020000013d0 at pc 0x7f31abf6419f bp 0x7fff5dfe20c0 sp 0x7fff5dfe20b0
READ of size 1 at 0x6020000013d0 thread T0
#0 0x7f31abf6419e in gf_odf_vvc_cfg_read_bs odf/descriptors.c:1403
#1 0x7f31abaf001c in vvcc_box_read isomedia/avc_ext.c:3085
#2 0x7f31abc8188e in gf_isom_box_parse_ex isomedia/box_funcs.c:282
#3 0x7f31abc8cc46 in gf_isom_box_array_read isomedia/box_funcs.c:1790
#4 0x7f31abb5f774 in video_sample_entry_box_read isomedia/box_code_base.c:4354
#5 0x7f31abc8188e in gf_isom_box_parse_ex isomedia/box_funcs.c:282
#6 0x7f31abc8cc46 in gf_isom_box_array_read isomedia/box_funcs.c:1790
#7 0x7f31abc8188e in gf_isom_box_parse_ex isomedia/box_funcs.c:282
#8 0x7f31abc8cc46 in gf_isom_box_array_read isomedia/box_funcs.c:1790
#9 0x7f31abb6daad in stbl_box_read isomedia/box_code_base.c:5115
#10 0x7f31abc8188e in gf_isom_box_parse_ex isomedia/box_funcs.c:282
#11 0x7f31abc8cc46 in gf_isom_box_array_read isomedia/box_funcs.c:1790
#12 0x7f31abb4e2ea in minf_box_read isomedia/box_code_base.c:3583
#13 0x7f31abc8188e in gf_isom_box_parse_ex isomedia/box_funcs.c:282
#14 0x7f31abc8cc46 in gf_isom_box_array_read isomedia/box_funcs.c:1790
#15 0x7f31abb47884 in mdia_box_read isomedia/box_code_base.c:3134
#16 0x7f31abc8188e in gf_isom_box_parse_ex isomedia/box_funcs.c:282
#17 0x7f31abc8cc46 in gf_isom_box_array_read isomedia/box_funcs.c:1790
#18 0x7f31abb8b0fa in trak_box_read isomedia/box_code_base.c:6907
#19 0x7f31abc8188e in gf_isom_box_parse_ex isomedia/box_funcs.c:282
#20 0x7f31abc8cc46 in gf_isom_box_array_read isomedia/box_funcs.c:1790
#21 0x7f31abc8188e in gf_isom_box_parse_ex isomedia/box_funcs.c:282
#22 0x7f31abc85924 in gf_isom_parse_root_box isomedia/box_funcs.c:38
#23 0x7f31abcc3217 in gf_isom_parse_movie_boxes_internal isomedia/isom_intern.c:378
#24 0x7f31abcc3217 in gf_isom_parse_movie_boxes isomedia/isom_intern.c:868
#25 0x7f31abccde34 in gf_isom_open_file isomedia/isom_intern.c:988
#26 0x556d29130472 in mp4box_main /home/limweicheng/Desktop/Fuzz/gpac/applications/mp4box/mp4box.c:6221
#27 0x7f31aa6cfd8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
#28 0x7f31aa6cfe3f in __libc_start_main_impl ../csu/libc-start.c:392
#29 0x556d290cb244 in _start (/home/limweicheng/Desktop/Fuzz/gpac/bin/gcc/MP4Box+0x50244)
0x6020000013d0 is located 0 bytes inside of 16-byte region [0x6020000013d0,0x6020000013e0)
freed by thread T0 here:
#0 0x7f31ae2b8517 in __interceptor_free ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:127
#1 0x7f31abf6282f in gf_odf_vvc_cfg_read_bs odf/descriptors.c:1399
previously allocated by thread T0 here:
#0 0x7f31ae2b8867 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
#1 0x7f31abf625f9 in gf_odf_vvc_cfg_read_bs odf/descriptors.c:1375
SUMMARY: AddressSanitizer: heap-use-after-free odf/descriptors.c:1403 in gf_odf_vvc_cfg_read_bs
==3978220==ABORTING
Impact
Reading from freed memory can crash the process through an unexpected value, and possibly lead to code execution.
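As an added illustration of the defect class behind this report (example code, not GPAC's own; the byte layout, field widths and the invalid-type bound are constructed assumptions): a vvcC-style NALU-array reader that keeps the allocate-then-validate order seen in the trace but, on an invalid type, frees the entry and continues without touching it again.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

#define MAX_NALU_TYPE 27 /* constructed bound: a 5-bit type above it is "invalid" */
#define MAX_ARRAYS 256   /* count is one byte, so out[] can never overflow */

typedef struct { uint8_t type, complete, num_nalus; } nalu_array;
typedef struct { const uint8_t *p, *end; } reader;

static int rd8(reader *r, uint8_t *v) { if (r->p >= r->end) return 0; *v = *r->p++; return 1; }

/* Consume one array's NALU payloads (len(1) + len bytes each) so the cursor
 * stays aligned whether or not the array is kept. */
static int skip_nalus(reader *r, uint8_t num) {
    uint8_t len;
    while (num--) {
        if (!rd8(r, &len) || (size_t)(r->end - r->p) < len) return 0;
        r->p += len;
    }
    return 1;
}

/* Parses count | {hdr, num, nalus...}* into out[]; returns arrays kept or -1.
 * Same malloc-then-free-on-invalid order as the report's trace, but no use of
 * `ar` survives the free: the loop continues at once and the payload skip
 * works from the local `num`, never from ar->num_nalus. */
static int read_nalu_arrays(const uint8_t *buf, size_t len, nalu_array *out[]) {
    reader r = { buf, buf + len };
    uint8_t count, hdr, num, i;
    int kept = 0;
    if (!rd8(&r, &count)) return -1;
    for (i = 0; i < count; i++) {
        nalu_array *ar = malloc(sizeof *ar);
        if (!ar) return -1;
        if (!rd8(&r, &hdr) || !rd8(&r, &num) || !skip_nalus(&r, num)) { free(ar); return -1; }
        ar->type = hdr & 0x1f; ar->complete = hdr >> 7; ar->num_nalus = num;
        if (ar->type > MAX_NALU_TYPE) { free(ar); continue; } /* ignore, and stop using ar */
        out[kept++] = ar;
    }
    return kept;
}

/* Constructed sample: 3 arrays, the middle one carrying an invalid type (31). */
static const uint8_t SAMPLE[] = { 3, 0x8e, 1, 2, 0xaa, 0xbb, 0x1f, 1, 1, 0xcc, 0x10, 0 };
static nalu_array *g_out[MAX_ARRAYS];

static int run_sample(void) { return read_nalu_arrays(SAMPLE, sizeof SAMPLE, g_out); }
static int sample_type(int i) { return g_out[i]->type; }
static int run_truncated(void) { /* length byte promises 5 bytes, only 2 present */
    static const uint8_t t[] = { 1, 0x0e, 1, 5, 0xaa, 0xbb };
    return read_nalu_arrays(t, sizeof t, g_out);
}
```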
Occurrences
descriptors.c L1446
POC file