
Null Pointer Dereference in function BS_ReadByte #2550

Closed
xiaoxiaoafeifei opened this issue Aug 8, 2023 · 4 comments

@xiaoxiaoafeifei
Contributor

xiaoxiaoafeifei commented Aug 8, 2023

  • [Y] I looked for a similar issue and couldn't find any.
  • [Y] I tried with the latest version of GPAC. Installers available at http://gpac.io/downloads/gpac-nightly-builds/
  • [Y] I give enough information for contributors to reproduce my issue

Description
There is a Null Pointer Dereference detected by AddressSanitizer

System info
Ubuntu 22.04.2 LTS
GPAC-2.2.1

Build command
CC=afl-clang-fast CXX=afl-clang-fast++ CFLAGS="-ggdb -O0 -fsanitize=address,undefined -fno-omit-frame-pointer" CXXFLAGS="-ggdb -O0 -fsanitize=address,undefined -fno-omit-frame-pointer" LDFLAGS="-ggdb -O0 -fsanitize=address,undefined" ./configure && make

crash command
MP4Box -bt poc_file

poc_file:
poc_file.zip

Crash output

AddressSanitizer:DEADLYSIGNAL

==841115==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7fae75bd843e bp 0x7ffc7386e7a0 sp 0x7ffc7386e770 T0)
==841115==The signal is caused by a READ memory access.
==841115==Hint: address points to the zero page.
#0 0x7fae75bd843e in BS_ReadByte /root/fuzz/gpac/src/utils/bitstream.c:458:9
#1 0x7fae75bd8257 in gf_bs_read_bit /root/fuzz/gpac/src/utils/bitstream.c:538:17
#2 0x7fae75bd8fae in gf_bs_read_int /root/fuzz/gpac/src/utils/bitstream.c:571:10
#3 0x7fae75fc7481 in BM_ParseCommand /root/fuzz/gpac/src/bifs/memory_decoder.c:907:10
#4 0x7fae75fc797a in gf_bifs_flush_command_list /root/fuzz/gpac/src/bifs/memory_decoder.c:965:9
#5 0x7fae75fc81f5 in gf_bifs_decode_command_list /root/fuzz/gpac/src/bifs/memory_decoder.c:1045:3
#6 0x7fae7645d0e4 in gf_sm_load_run_isom /root/fuzz/gpac/src/scene_manager/loader_isom.c:303:10
#7 0x7fae7641bf38 in gf_sm_load_run /root/fuzz/gpac/src/scene_manager/scene_manager.c:719:28
#8 0x555d766c901c in dump_isom_scene /root/fuzz/gpac/applications/mp4box/filedump.c:209:14
#9 0x555d766b9725 in mp4box_main /root/fuzz/gpac/applications/mp4box/mp4box.c:6461:7
#10 0x7fae75814d8f (/lib/x86_64-linux-gnu/libc.so.6+0x29d8f) (BuildId: 69389d485a9793dbe873f0ea2c93e02efaa9aa3d)
#11 0x7fae75814e3f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x29e3f) (BuildId: 69389d485a9793dbe873f0ea2c93e02efaa9aa3d)
#12 0x555d765e8d84 in _start (/usr/local/bin/MP4Box+0x33d84) (BuildId: b4d8f1db695ed5d11720498d0e1dbdb36eaf06af)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /root/fuzz/gpac/src/utils/bitstream.c:458:9 in BS_ReadByte
==841115==ABORTING

@aureliendavid
Member

Hi,

Thanks for the report and the PR.

On the latest version of gpac, I have a different sanitizer output; it is now a use-after-free in the bifs parsing.

I am currently testing a fix but I'm not quite satisfied with it so I'll wait until it can be reviewed by others to maybe merge it.

Will keep this issue up to date.

@xiaoxiaoafeifei
Contributor Author

xiaoxiaoafeifei commented Aug 19, 2023

Thanks for your reply.

Yeah, there's something wrong with my sanitizer; the correct report is a use-after-free issue, as follows:

==57372==ERROR: AddressSanitizer: heap-use-after-free on address 0x603000001030 at pc 0x7f6bf19b9154 bp 0x7ffd09243090 sp 0x7ffd09243088
READ of size 4 at 0x603000001030 thread T0
#0 0x7f6bf19b9153 in gf_bifs_flush_command_list (/usr/local/lib/libgpac.so.12+0x135a153)
#1 0x7f6bf19b94be in gf_bifs_decode_command_list (/usr/local/lib/libgpac.so.12+0x135a4be)
#2 0x7f6bf21f5d05 in gf_sm_load_run_isom (/usr/local/lib/libgpac.so.12+0x1b96d05)
#3 0x51eea8 in dump_isom_scene /root/fuzz_pro/fuzz_gpac/gpac/applications/mp4box/filedump.c:209:14
#4 0x50a1df in mp4box_main /root/fuzz_pro/fuzz_gpac/gpac/applications/mp4box/mp4box.c:6461:7
#5 0x7f6bf0359d8f (/lib/x86_64-linux-gnu/libc.so.6+0x29d8f)
#6 0x7f6bf0359e3f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x29e3f)
#7 0x42fcf4 in _start (/usr/local/bin/MP4Box+0x42fcf4)

0x603000001030 is located 0 bytes inside of 24-byte region [0x603000001030,0x603000001048)
freed by thread T0 here:
#0 0x4ac972 in __interceptor_free (/usr/local/bin/MP4Box+0x4ac972)
#1 0x7f6bf1529ad5 in gf_sg_command_del (/usr/local/lib/libgpac.so.12+0xecaad5)
#2 0x7f6bf19b189c in BM_ParseInsert (/usr/local/lib/libgpac.so.12+0x135289c)
#3 0x7f6bf19b7be6 in BM_ParseCommand (/usr/local/lib/libgpac.so.12+0x1358be6)
#4 0x7f6bf19b8336 in gf_bifs_flush_command_list (/usr/local/lib/libgpac.so.12+0x1359336)
#5 0x7f6bf19b94be in gf_bifs_decode_command_list (/usr/local/lib/libgpac.so.12+0x135a4be)
#6 0x7f6bf21f5d05 in gf_sm_load_run_isom (/usr/local/lib/libgpac.so.12+0x1b96d05)
#7 0x51eea8 in dump_isom_scene /root/fuzz_pro/fuzz_gpac/gpac/applications/mp4box/filedump.c:209:14
#8 0x50a1df in mp4box_main /root/fuzz_pro/fuzz_gpac/gpac/applications/mp4box/mp4box.c:6461:7
#9 0x7f6bf0359d8f (/lib/x86_64-linux-gnu/libc.so.6+0x29d8f)

previously allocated by thread T0 here:
#0 0x4acbdd in malloc (/usr/local/bin/MP4Box+0x4acbdd)
#1 0x7f6bf174e467 in gf_sg_vrml_field_pointer_new (/usr/local/lib/libgpac.so.12+0x10ef467)
#2 0x7f6bf19b12ab in BM_ParseInsert (/usr/local/lib/libgpac.so.12+0x13522ab)
#3 0x7f6bf19b7be6 in BM_ParseCommand (/usr/local/lib/libgpac.so.12+0x1358be6)
#4 0x7f6bf19b8336 in gf_bifs_flush_command_list (/usr/local/lib/libgpac.so.12+0x1359336)
#5 0x7f6bf19b94be in gf_bifs_decode_command_list (/usr/local/lib/libgpac.so.12+0x135a4be)
#6 0x7f6bf21f5d05 in gf_sm_load_run_isom (/usr/local/lib/libgpac.so.12+0x1b96d05)
#7 0x51eea8 in dump_isom_scene /root/fuzz_pro/fuzz_gpac/gpac/applications/mp4box/filedump.c:209:14
#8 0x50a1df in mp4box_main /root/fuzz_pro/fuzz_gpac/gpac/applications/mp4box/mp4box.c:6461:7
#9 0x7f6bf0359d8f (/lib/x86_64-linux-gnu/libc.so.6+0x29d8f)

SUMMARY: AddressSanitizer: heap-use-after-free (/usr/local/lib/libgpac.so.12+0x135a153) in gf_bifs_flush_command_list
==57372==ABORTING
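The trace above shows the lifecycle behind the report: a 24-byte field region is allocated while BM_ParseInsert runs, freed by gf_sg_command_del before that same parse returns, and then read (4 bytes) by gf_bifs_flush_command_list when it walks the command list. The following is an added, constructed C model of that pattern with the error path written both ways; it is not GPAC code and not the fix in 0018b5e, and every name, layout and the 2-byte "command" format is hypothetical.

```c
#include <stdlib.h>

/* Constructed model of the lifecycle in the ASan report: a command is
 * allocated while parsing an insert, freed on a parse error, but left
 * reachable from the list that the flush loop walks afterwards.
 * Names and layout are hypothetical, not GPAC's own structures. */
typedef struct { int tag; int *field; } Command;
typedef struct { Command *items[8]; int count; } CommandList;

static void command_del(Command *c) { free(c->field); free(c); }

/* Parse one 2-byte command: byte 0 = tag, byte 1 = field value, where
 * 0xFF is the constructed "invalid field" error. Returns 0 or -1.
 * With keep_linked != 0 the error path reproduces the bug: the command
 * is freed but stays in the list. */
static int parse_insert(CommandList *list, const unsigned char *buf,
                        size_t len, int keep_linked) {
    if (list->count >= 8 || len < 2) return -1;
    Command *c = calloc(1, sizeof *c);
    if (!c) return -1;
    c->tag = buf[0];
    c->field = malloc(24);          /* the 24-byte region in the report */
    c->field[0] = buf[1];
    list->items[list->count++] = c;
    if (buf[1] == 0xFF) {
        if (!keep_linked) list->items[--list->count] = NULL; /* unlink first */
        command_del(c);
        return -1;
    }
    return 0;
}

/* Flush: reads 4 bytes from every command still linked, then frees them.
 * With the buggy error path the loop reads freed memory (heap-use-after-free). */
static int flush_command_list(CommandList *list) {
    int sum = 0;
    for (int i = 0; i < list->count; i++) sum += list->items[i]->field[0];
    while (list->count > 0) command_del(list->items[--list->count]);
    return sum;
}

/* Feeds a good command, a bad one, then a good one, and flushes.
 * Returns the sum of field values that survived parsing (0x10 + 0x20 = 48 when fixed). */
int run_scene(int keep_linked) {
    static const unsigned char stream[] = {1, 0x10, 2, 0xFF, 4, 0x20};
    CommandList list = {{0}, 0};
    for (size_t i = 0; i + 1 < sizeof stream; i += 2)
        parse_insert(&list, stream + i, 2, keep_linked);
    return flush_command_list(&list);
}
```

Building with -fsanitize=address and calling run_scene(1) reproduces a heap-use-after-free in flush_command_list with the same allocate/free/read shape as the report; run_scene(0) shows the unlink-before-free ordering that avoids it.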

@aureliendavid
Member

> I am currently testing a fix but I'm not quite satisfied with it so I'll wait until it can be reviewed by others to maybe merge it.

Previous fix reviewed and adapted into 0018b5e, which fixes the issue.

Thanks for reporting.

@xiaoxiaoafeifei
Contributor Author

This issue was assigned CVE-2023-41000.
