
Double free in gf_av1_reset_state media_tools/av_parsers.c:4024 #2387

Closed
3 tasks done
xxy1126 opened this issue Feb 2, 2023 · 2 comments

Comments


xxy1126 commented Feb 2, 2023

Thanks for reporting your issue. Please make sure these boxes are checked before submitting your issue - thank you!

Detailed guidelines: http://gpac.io/2013/07/16/how-to-file-a-bug-properly/

version

MP4Box - GPAC version 2.3-DEV-rev35-gbbca86917-master
(c) 2000-2023 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io

Please cite our work in your research:
        GPAC Filters: https://doi.org/10.1145/3339825.3394929
        GPAC: https://doi.org/10.1145/1291233.1291452

GPAC Configuration: --enable-sanitizer --enable-debug
Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_LINUX_DVB  GPAC_DISABLE_3D

reproduce

compile and run

./configure --enable-sanitizer
make
./MP4Box -info poc

information reported by sanitizer

[AV1] unknown OBU type 12 (size 100). Skipping.
[AV1] unknown OBU type 12 (size 100). Skipping.
[AV1] unknown OBU type 12 (size 100). Skipping.
[AV1] unknown OBU type 12 (size 100). Skipping.
[AV1] unknown OBU type 12 (size 100). Skipping.
[AV1] unknown OBU type 12 (size 100). Skipping.
[AV1] unknown OBU type 12 (size 100). Skipping.
[AV1] unknown OBU type 12 (size 100). Skipping.
[AV1] unknown OBU type 12 (size 100). Skipping.
[AV1] unknown OBU type 12 (size 100). Skipping.
[AV1] unknown OBU type 12 (size 100). Skipping.
[AV1] unknown OBU type 12 (size 100). Skipping.
[AV1] computed OBU size -1 (input value = 0). Skipping.
=================================================================
==4000990==ERROR: AddressSanitizer: attempting double-free on 0x615000013400 in thread T0:
    #0 0x7fe4a288c40f in __interceptor_free ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:122
    #1 0x7fe49b5abbd9 in gf_free utils/alloc.c:165
    #2 0x7fe49c378e6f in gf_av1_reset_state media_tools/av_parsers.c:4024
    #3 0x7fe49d61b5db in av1dmx_finalize filters/reframe_av1.c:1246
    #4 0x7fe49ce06b63 in gf_fs_del filter_core/filter_session.c:771
    #5 0x7fe49c42688d in gf_media_import media_tools/media_import.c:1293
    #6 0x55a5ca2469ab in convert_file_info /root/gpac/applications/mp4box/fileimport.c:130
    #7 0x55a5ca1ff07d in mp4box_main /root/gpac/applications/mp4box/mp4box.c:6302
    #8 0x55a5ca201cc0 in main /root/gpac/applications/mp4box/mp4box.c:6846
    #9 0x7fe4973ab082 in __libc_start_main ../csu/libc-start.c:308
    #10 0x55a5ca1bfb6d in _start (/root/gpac/bin/gcc/MP4Box+0x104b6d)

0x615000013400 is located 0 bytes inside of 512-byte region [0x615000013400,0x615000013600)
freed by thread T0 here:
    #0 0x7fe4a288cc3e in __interceptor_realloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:163
    #1 0x7fe49b5abbbb in gf_realloc utils/alloc.c:160
    #2 0x7fe49b58ae0e in gf_bs_write_data utils/bitstream.c:1059
    #3 0x7fe49c3667af in av1_add_obu_internal media_tools/av_parsers.c:2519
    #4 0x7fe49c36785c in av1_populate_state_from_obu media_tools/av_parsers.c:2596
    #5 0x7fe49c367d8f in aom_av1_parse_temporal_unit_from_section5 media_tools/av_parsers.c:2623
    #6 0x7fe49d616bd4 in av1dmx_parse_av1 filters/reframe_av1.c:1006
    #7 0x7fe49d6179ee in av1dmx_process_buffer filters/reframe_av1.c:1084
    #8 0x7fe49d61b0ff in av1dmx_process filters/reframe_av1.c:1225
    #9 0x7fe49ce6abe4 in gf_filter_process_task filter_core/filter.c:2828
    #10 0x7fe49ce156d7 in gf_fs_thread_proc filter_core/filter_session.c:1859
    #11 0x7fe49ce18ce8 in gf_fs_run filter_core/filter_session.c:2120
    #12 0x7fe49c424742 in gf_media_import media_tools/media_import.c:1228
    #13 0x55a5ca2469ab in convert_file_info /root/gpac/applications/mp4box/fileimport.c:130
    #14 0x55a5ca1ff07d in mp4box_main /root/gpac/applications/mp4box/mp4box.c:6302
    #15 0x55a5ca201cc0 in main /root/gpac/applications/mp4box/mp4box.c:6846
    #16 0x7fe4973ab082 in __libc_start_main ../csu/libc-start.c:308

previously allocated by thread T0 here:
    #0 0x7fe4a288c808 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:144
    #1 0x7fe49b5abb69 in gf_malloc utils/alloc.c:150
    #2 0x7fe49b57ab5d in gf_bs_new utils/bitstream.c:154
    #3 0x7fe49c3661b6 in av1_add_obu_internal media_tools/av_parsers.c:2492
    #4 0x7fe49c36785c in av1_populate_state_from_obu media_tools/av_parsers.c:2596
    #5 0x7fe49c367d8f in aom_av1_parse_temporal_unit_from_section5 media_tools/av_parsers.c:2623
    #6 0x7fe49d606a79 in av1dmx_check_format filters/reframe_av1.c:269
    #7 0x7fe49d617838 in av1dmx_process_buffer filters/reframe_av1.c:1075
    #8 0x7fe49d61b0ff in av1dmx_process filters/reframe_av1.c:1225
    #9 0x7fe49ce6abe4 in gf_filter_process_task filter_core/filter.c:2828
    #10 0x7fe49ce156d7 in gf_fs_thread_proc filter_core/filter_session.c:1859
    #11 0x7fe49ce18ce8 in gf_fs_run filter_core/filter_session.c:2120
    #12 0x7fe49c424742 in gf_media_import media_tools/media_import.c:1228
    #13 0x55a5ca2469ab in convert_file_info /root/gpac/applications/mp4box/fileimport.c:130
    #14 0x55a5ca1ff07d in mp4box_main /root/gpac/applications/mp4box/mp4box.c:6302
    #15 0x55a5ca201cc0 in main /root/gpac/applications/mp4box/mp4box.c:6846
    #16 0x7fe4973ab082 in __libc_start_main ../csu/libc-start.c:308

SUMMARY: AddressSanitizer: double-free ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:122 in __interceptor_free
==4000990==ABORTING

poc

https://github.com/xxy1126/Vuln/blob/main/gpac/2
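The trace above shows the same 512-byte block released once by realloc inside gf_bs_write_data and then freed again from gf_av1_reset_state. As an added example (not GPAC's code; bs_t, state_t and the function names are constructed to mirror the call sites in the trace, not the project's actual fix), here is the ownership discipline that avoids that pattern: no copy of the data pointer survives a write that may realloc, each buffer has exactly one owner at a time, and reset frees each owner once and nulls it so a second reset is a no-op rather than a double free:

```c
#include <stdlib.h>
#include <string.h>
#include <stdint.h>
/* Constructed model of a growable bitstream buffer; names echo the trace but this is not GPAC code. */
typedef struct { uint8_t *data; size_t size, cap; } bs_t;
static int live_allocs = 0;   /* +1 per data buffer allocated, -1 per free: must end at 0 */
static bs_t *bs_new(void) {
    bs_t *bs = calloc(1, sizeof *bs);
    bs->cap = 16; bs->data = malloc(bs->cap); live_allocs++;
    return bs;
}
/* realloc releases the old block itself (the "freed by ... __interceptor_realloc" site in the
   report), so any cached copy of the previous data pointer is dangling from here on. */
static void bs_write_data(bs_t *bs, const uint8_t *p, size_t n) {
    if (bs->size + n > bs->cap) {
        while (bs->size + n > bs->cap) bs->cap *= 2;
        bs->data = realloc(bs->data, bs->cap);
    }
    memcpy(bs->data + bs->size, p, n);
    bs->size += n;
}
static void bs_del(bs_t *bs) { if (bs->data) { free(bs->data); live_allocs--; } free(bs); }
/* Parser state: one bitstream being filled plus the last completed OBU payload. */
typedef struct { bs_t *bs; uint8_t *obu; size_t obu_size; } state_t;
static void state_add_obu(state_t *st, const uint8_t *p, size_t n) {
    if (!st->bs) st->bs = bs_new();
    bs_write_data(st->bs, p, n);   /* never keep st->bs->data around: it goes stale on realloc */
}
/* Close the current unit: the bytes get exactly one owner (st->obu), then bs is released. */
static void state_end_unit(state_t *st) {
    if (!st->bs) return;
    if (st->obu) { free(st->obu); live_allocs--; }
    st->obu = st->bs->data; st->obu_size = st->bs->size;
    st->bs->data = NULL;          /* bs no longer owns the bytes, so bs_del must not free them */
    bs_del(st->bs); st->bs = NULL;
}
/* Idempotent reset: each owner is freed once and nulled, so a second reset (e.g. from a
   finalize callback after an error path already reset) is a no-op, not a double free. */
static void state_reset(state_t *st) {
    if (st->bs) { bs_del(st->bs); st->bs = NULL; }
    if (st->obu) { free(st->obu); live_allocs--; st->obu = NULL; }
    st->obu_size = 0;
}
/* Twelve 100-byte writes (as in the report's log) force reallocs; end a unit, write more, reset twice. */
int run_reset_twice(void) {
    state_t st = {0}; uint8_t chunk[100]; memset(chunk, 0xAB, sizeof chunk);
    for (int i = 0; i < 12; i++) state_add_obu(&st, chunk, sizeof chunk);
    state_end_unit(&st);
    for (int i = 0; i < 3; i++) state_add_obu(&st, chunk, sizeof chunk);
    state_reset(&st); state_reset(&st);
    return live_allocs;
}
```

Running this under ASan (gcc -fsanitize=address) exercises the same realloc-then-reset sequence as the report and completes cleanly with every buffer freed exactly once.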

@aureliendavid (Contributor)

Hi,

Thanks for the report. This should be fixed in the latest commit. Reopen if needed.

@stevebeattie

FYI, this issue was assigned CVE-2023-1449.

(I'm just the messenger, I'm not the one who assigned this CVE.)

rbouqueau pushed a commit to rbouqueau/gpac that referenced this issue Apr 16, 2023