Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

heap-buffer-overflow in function mp3_dmx_process filters/reframe_mp3.c:677 #2396

Closed
3 tasks done
qianshuidewajueji opened this issue Feb 9, 2023 · 1 comment
Closed
3 tasks done

Comments

@qianshuidewajueji
Copy link

Thanks for reporting your issue. Please make sure these boxes are checked before submitting your issue - thank you!

Detailed guidelines: http://gpac.io/2013/07/16/how-to-file-a-bug-properly/

Version

MP4Box - GPAC version 2.3-DEV-rev40-g3602a5ded-master
(c) 2000-2023 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io

Please cite our work in your research:
        GPAC Filters: https://doi.org/10.1145/3339825.3394929
        GPAC: https://doi.org/10.1145/1291233.1291452

GPAC Configuration: --enable-sanitizer --verbose
Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SSL GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_PNG GPAC_HAS_LINUX_DVB  GPAC_DISABLE_3D

Reproduce

complie and run

./configure --enable-sanitizer --enable-debug
make
./MP4Box -info mp3_dmx_process_poc2

information reported by sanitizer

[MP3Dmx] invalid frame, resyncing
=================================================================
==29937==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61a00000e322 at pc 0x7fe02eb39490 bp 0x7ffdcd4a3c40 sp 0x7ffdcd4a33e8
READ of size 316 at 0x61a00000e322 thread T0
    #0 0x7fe02eb3948f in __interceptor_memcpy ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:790
    #1 0x7fe02c490c9f in memcpy /usr/include/x86_64-linux-gnu/bits/string_fortified.h:34
    #2 0x7fe02c490c9f in mp3_dmx_process filters/reframe_mp3.c:677
    #3 0x7fe02c0700ed in gf_filter_process_task filter_core/filter.c:2828
    #4 0x7fe02c032082 in gf_fs_thread_proc filter_core/filter_session.c:1859
    #5 0x7fe02c03e856 in gf_fs_run filter_core/filter_session.c:2120
    #6 0x7fe02ba7c806 in gf_media_import media_tools/media_import.c:1228
    #7 0x55576950e3b1 in convert_file_info /home/qianshuidewajueji/gpac/applications/mp4box/fileimport.c:130
    #8 0x5557694dddb5 in mp4box_main /home/qianshuidewajueji/gpac/applications/mp4box/mp4box.c:6302
    #9 0x7fe028d14082 in __libc_start_main ../csu/libc-start.c:308
    #10 0x5557694b1cfd in _start (/home/qianshuidewajueji/gpac/bin/gcc/MP4Box+0xa3cfd)

0x61a00000e322 is located 0 bytes to the right of 1186-byte region [0x61a00000de80,0x61a00000e322)
allocated by thread T0 here:
    #0 0x7fe02ebabc3e in __interceptor_realloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:163
    #1 0x7fe02c492248 in mp3_dmx_process filters/reframe_mp3.c:547
    #2 0x7fe02c0700ed in gf_filter_process_task filter_core/filter.c:2828
    #3 0x7fe02c032082 in gf_fs_thread_proc filter_core/filter_session.c:1859
    #4 0x7fe02c03e856 in gf_fs_run filter_core/filter_session.c:2120
    #5 0x7fe02ba7c806 in gf_media_import media_tools/media_import.c:1228
    #6 0x55576950e3b1 in convert_file_info /home/qianshuidewajueji/gpac/applications/mp4box/fileimport.c:130
    #7 0x5557694dddb5 in mp4box_main /home/qianshuidewajueji/gpac/applications/mp4box/mp4box.c:6302
    #8 0x7fe028d14082 in __libc_start_main ../csu/libc-start.c:308

SUMMARY: AddressSanitizer: heap-buffer-overflow ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:790 in __interceptor_memcpy
Shadow bytes around the buggy address:
  0x0c347fff9c10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c347fff9c20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c347fff9c30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c347fff9c40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c347fff9c50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c347fff9c60: 00 00 00 00[02]fa fa fa fa fa fa fa fa fa fa fa
  0x0c347fff9c70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c347fff9c80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c347fff9c90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c347fff9ca0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c347fff9cb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==29937==ABORTING

Poc

https://github.com/qianshuidewajueji/poc/blob/main/gpac/mp3_dmx_process_poc2

@qianshuidewajueji qianshuidewajueji changed the title in mp3_dmx_process filters/reframe_mp3.c:677 heap-buffer-overflow in function mp3_dmx_process filters/reframe_mp3.c:677 Feb 9, 2023
@aureliendavid
Copy link
Member

previous fix wasn't generic enough

should be ok now

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants