
A heap-use-after-free crash in bitstream.c:1225:19 in gf_bs_align #2537

Closed
ChanStormstout opened this issue Jul 24, 2023 · 0 comments

Description

While fuzzing yasm, a "heap-use-after-free" crash occurs, which was positioned in /gpac/src/utils/bitstream.c:1225:19 in gf_bs_align.
This bug may allow attackers to cause remote malicious code execution and denial of service via crafted files.

Software version info

/AFLplusplus/my_test/fuzz_gpac # ./install/bin/MP4Box -version
MP4Box - GPAC version 2.3-DEV-rev449-g5948e4f70-master
(c) 2000-2023 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io

System version info

/AFLplusplus/my_test/fuzz_gpac # uname -a
Linux 1344a5115a85 5.15.0-76-generic #83~20.04.1-Ubuntu SMP Wed Jun 21 20:23:31 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux

Command to reproduce

./MP4Box -xmt poc

Result

[iso file] Unknown box type 0000bt in parent moov
[iso file] Read Box type 00000000 (0x00000000) at position 1484 has size 0 but is not at root/file level. Forbidden, skipping end of parent box !
[iso file] Box "moov" (start 0) has 16719 extra bytes
[iso file] Box "cmvd" (start 0) has 3 extra bytes
=================================================================
==102==ERROR: AddressSanitizer: heap-use-after-free on address 0x6110000001a4 at pc 0x7fc2471e90b9 bp 0x7ffd7e96f7b0 sp 0x7ffd7e96f7a8
READ of size 4 at 0x6110000001a4 thread T0
    #0 0x7fc2471e90b8 in gf_bs_align /AFLplusplus/my_test/gpac/src/utils/bitstream.c:1225:19
    #1 0x7fc2471f9825 in gf_bs_skip_bytes /AFLplusplus/my_test/gpac/src/utils/bitstream.c:1371:2
    #2 0x7fc247e0c122 in gf_isom_box_parse_ex /AFLplusplus/my_test/gpac/src/isomedia/box_funcs.c:381:3
    #3 0x7fc247e1202e in gf_isom_box_array_read /AFLplusplus/my_test/gpac/src/isomedia/box_funcs.c:1891:7
    #4 0x7fc247cbcc00 in moov_box_read /AFLplusplus/my_test/gpac/src/isomedia/box_code_base.c:3920:9
    #5 0x7fc247e0e2bc in gf_isom_box_read /AFLplusplus/my_test/gpac/src/isomedia/box_funcs.c:1998:9
    #6 0x7fc247e0b57d in gf_isom_box_parse_ex /AFLplusplus/my_test/gpac/src/isomedia/box_funcs.c:309:14
    #7 0x7fc247e0870f in gf_isom_parse_root_box /AFLplusplus/my_test/gpac/src/isomedia/box_funcs.c:38:8
    #8 0x7fc247e4dd88 in gf_isom_parse_movie_boxes_internal /AFLplusplus/my_test/gpac/src/isomedia/isom_intern.c:385:7
    #9 0x7fc247e4d3f7 in gf_isom_parse_movie_boxes /AFLplusplus/my_test/gpac/src/isomedia/isom_intern.c:897:6
    #10 0x7fc247e5c426 in gf_isom_open_file /AFLplusplus/my_test/gpac/src/isomedia/isom_intern.c:1023:19
    #11 0x7fc247e6cf8e in gf_isom_open /AFLplusplus/my_test/gpac/src/isomedia/isom_read.c:531:11
    #12 0x55fdd8167c04 in mp4box_main /AFLplusplus/my_test/gpac/applications/mp4box/mp4box.c:6291:12
    #13 0x55fdd818ca05 in main /AFLplusplus/my_test/gpac/applications/mp4box/mp4box.c:6933:1
    #14 0x7fc2466f6d8f  (/lib/x86_64-linux-gnu/libc.so.6+0x29d8f) (BuildId: 69389d485a9793dbe873f0ea2c93e02efaa9aa3d)
    #15 0x7fc2466f6e3f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x29e3f) (BuildId: 69389d485a9793dbe873f0ea2c93e02efaa9aa3d)
    #16 0x55fdd8079be4 in _start (/AFLplusplus/my_test/fuzz_gpac/install/bin/MP4Box+0xebbe4) (BuildId: fc72159612509ffb)

0x6110000001a4 is located 36 bytes inside of 200-byte region [0x611000000180,0x611000000248)
freed by thread T0 here:
    #0 0x55fdd80fc782 in free (/AFLplusplus/my_test/fuzz_gpac/install/bin/MP4Box+0x16e782) (BuildId: fc72159612509ffb)
    #1 0x7fc2472250a8 in gf_free /AFLplusplus/my_test/gpac/src/utils/alloc.c:165:2
    #2 0x7fc2471e46c6 in gf_bs_del /AFLplusplus/my_test/gpac/src/utils/bitstream.c:381:2
    #3 0x7fc247e0b6ec in gf_isom_box_parse_ex /AFLplusplus/my_test/gpac/src/isomedia/box_funcs.c:319:3
    #4 0x7fc247e1202e in gf_isom_box_array_read /AFLplusplus/my_test/gpac/src/isomedia/box_funcs.c:1891:7
    #5 0x7fc247cbcc00 in moov_box_read /AFLplusplus/my_test/gpac/src/isomedia/box_code_base.c:3920:9
    #6 0x7fc247e0e2bc in gf_isom_box_read /AFLplusplus/my_test/gpac/src/isomedia/box_funcs.c:1998:9
    #7 0x7fc247e0b57d in gf_isom_box_parse_ex /AFLplusplus/my_test/gpac/src/isomedia/box_funcs.c:309:14
    #8 0x7fc247e0870f in gf_isom_parse_root_box /AFLplusplus/my_test/gpac/src/isomedia/box_funcs.c:38:8
    #9 0x7fc247e4dd88 in gf_isom_parse_movie_boxes_internal /AFLplusplus/my_test/gpac/src/isomedia/isom_intern.c:385:7
    #10 0x7fc247e4d3f7 in gf_isom_parse_movie_boxes /AFLplusplus/my_test/gpac/src/isomedia/isom_intern.c:897:6
    #11 0x7fc247e5c426 in gf_isom_open_file /AFLplusplus/my_test/gpac/src/isomedia/isom_intern.c:1023:19
    #12 0x7fc247e6cf8e in gf_isom_open /AFLplusplus/my_test/gpac/src/isomedia/isom_read.c:531:11
    #13 0x55fdd8167c04 in mp4box_main /AFLplusplus/my_test/gpac/applications/mp4box/mp4box.c:6291:12
    #14 0x55fdd818ca05 in main /AFLplusplus/my_test/gpac/applications/mp4box/mp4box.c:6933:1
    #15 0x7fc2466f6d8f  (/lib/x86_64-linux-gnu/libc.so.6+0x29d8f) (BuildId: 69389d485a9793dbe873f0ea2c93e02efaa9aa3d)

previously allocated by thread T0 here:
    #0 0x55fdd80fca2e in malloc (/AFLplusplus/my_test/fuzz_gpac/install/bin/MP4Box+0x16ea2e) (BuildId: fc72159612509ffb)
    #1 0x7fc247224fc8 in gf_malloc /AFLplusplus/my_test/gpac/src/utils/alloc.c:150:9
    #2 0x7fc2471e0c1c in gf_bs_new /AFLplusplus/my_test/gpac/src/utils/bitstream.c:135:38
    #3 0x7fc247e09f1c in gf_isom_box_parse_ex /AFLplusplus/my_test/gpac/src/isomedia/box_funcs.c:207:17
    #4 0x7fc247e1202e in gf_isom_box_array_read /AFLplusplus/my_test/gpac/src/isomedia/box_funcs.c:1891:7
    #5 0x7fc247cbcc00 in moov_box_read /AFLplusplus/my_test/gpac/src/isomedia/box_code_base.c:3920:9
    #6 0x7fc247e0e2bc in gf_isom_box_read /AFLplusplus/my_test/gpac/src/isomedia/box_funcs.c:1998:9
    #7 0x7fc247e0b57d in gf_isom_box_parse_ex /AFLplusplus/my_test/gpac/src/isomedia/box_funcs.c:309:14
    #8 0x7fc247e0870f in gf_isom_parse_root_box /AFLplusplus/my_test/gpac/src/isomedia/box_funcs.c:38:8
    #9 0x7fc247e4dd88 in gf_isom_parse_movie_boxes_internal /AFLplusplus/my_test/gpac/src/isomedia/isom_intern.c:385:7
    #10 0x7fc247e4d3f7 in gf_isom_parse_movie_boxes /AFLplusplus/my_test/gpac/src/isomedia/isom_intern.c:897:6
    #11 0x7fc247e5c426 in gf_isom_open_file /AFLplusplus/my_test/gpac/src/isomedia/isom_intern.c:1023:19
    #12 0x7fc247e6cf8e in gf_isom_open /AFLplusplus/my_test/gpac/src/isomedia/isom_read.c:531:11
    #13 0x55fdd8167c04 in mp4box_main /AFLplusplus/my_test/gpac/applications/mp4box/mp4box.c:6291:12
    #14 0x55fdd818ca05 in main /AFLplusplus/my_test/gpac/applications/mp4box/mp4box.c:6933:1
    #15 0x7fc2466f6d8f  (/lib/x86_64-linux-gnu/libc.so.6+0x29d8f) (BuildId: 69389d485a9793dbe873f0ea2c93e02efaa9aa3d)

SUMMARY: AddressSanitizer: heap-use-after-free /AFLplusplus/my_test/gpac/src/utils/bitstream.c:1225:19 in gf_bs_align
Shadow bytes around the buggy address:
  0x0c227fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c227fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c227fff8000: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c227fff8010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c227fff8020: 00 fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c227fff8030: fd fd fd fd[fd]fd fd fd fd fd fd fd fd fd fd fd
  0x0c227fff8040: fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa
  0x0c227fff8050: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c227fff8060: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c227fff8070: fd fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c227fff8080: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==102==ABORTING

PoC

Use the PoC in the attachment or in the following link.
poc.zip

https://github.com/ChanStormstout/Pocs/blob/master/gpac_POC/id%3A000000%2Csig%3A06%2Csrc%3A003771%2Ctime%3A328254%2Cexecs%3A120473%2Cop%3Ahavoc%2Crep%3A8
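Triage helper added here, not part of the issue or of GPAC: it parses the three AddressSanitizer stacks above and reports the innermost function that both the use path and the free path run through, which for this report is gf_isom_box_parse_ex creating the bitstream at box_funcs.c:207, deleting it at :319 and then skipping bytes on it at :381. The embedded report is a constructed excerpt of the one above, not the full trace.

```python
import re
from itertools import takewhile
# Constructed excerpt of the ASan report in this issue: outer frames and the
# gf_malloc/gf_free wrappers are dropped, the rest renumbered, paths shortened.
ASAN_REPORT = """\
==102==ERROR: AddressSanitizer: heap-use-after-free on address 0x6110000001a4
READ of size 4 at 0x6110000001a4 thread T0
    #0 0x7fc2471e90b8 in gf_bs_align src/utils/bitstream.c:1225:19
    #1 0x7fc2471f9825 in gf_bs_skip_bytes src/utils/bitstream.c:1371:2
    #2 0x7fc247e0c122 in gf_isom_box_parse_ex src/isomedia/box_funcs.c:381:3
freed by thread T0 here:
    #0 0x55fdd80fc782 in free (MP4Box+0x16e782)
    #1 0x7fc2471e46c6 in gf_bs_del src/utils/bitstream.c:381:2
    #2 0x7fc247e0b6ec in gf_isom_box_parse_ex src/isomedia/box_funcs.c:319:3
previously allocated by thread T0 here:
    #0 0x7fc2471e0c1c in gf_bs_new src/utils/bitstream.c:135:38
    #1 0x7fc247e09f1c in gf_isom_box_parse_ex src/isomedia/box_funcs.c:207:17
"""
FRAME_RE = re.compile(r"^\s*#\d+\s+0x[0-9a-f]+\s+in\s+(\S+)\s+(\S+)")
SECTIONS = {"READ of": "use", "WRITE of": "use", "freed by": "free", "previously": "alloc"}

def parse_stacks(report):
    """Split the report into use/free/alloc stacks of (function, file, line), innermost first."""
    stacks, cur = {}, None
    for line in report.splitlines():
        for prefix, name in SECTIONS.items():
            if line.startswith(prefix):
                cur = stacks.setdefault(name, [])
        m = FRAME_RE.match(line)
        if m and cur is not None:
            func, path, *rest = m.group(1), *m.group(2).split(":")
            cur.append((func, path, int(rest[0]) if rest else None))  # None: no source info
    return stacks

def triage(report):
    """Innermost function shared by use and free paths, and where in it the object was allocated, freed and reused."""
    stacks = parse_stacks(report)
    kind = re.search(r"AddressSanitizer: (\S+) on address", report).group(1)
    use, free = stacks["use"][::-1], stacks["free"][::-1]    # outermost caller first
    owner = len(list(takewhile(lambda p: p[0][:2] == p[1][:2], zip(use, free)))) - 1
    if owner < 0:
        return {"bug": kind, "owner": None}
    site = lambda fr: "%s:%s" % (fr[1].rsplit("/", 1)[-1], fr[2])
    via = lambda st: st[owner + 1][0] if owner + 1 < len(st) else None  # callee doing the op
    alloc = [f for f in stacks.get("alloc", []) if f[:2] == use[owner][:2]]
    return {"bug": kind, "owner": use[owner][0],
            "alloc_site": site(alloc[0]) if alloc else None,
            "free_site": site(free[owner]), "free_via": via(free),
            "use_site": site(use[owner]), "use_via": via(use)}
```

Calling triage(ASAN_REPORT) returns the owner function with its alloc, free and use sites; feeding it the full report above gives the same answer, since the extra outer frames are shared by all three stacks.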
