Null Pointer Dereference in function BS_ReadByte #2550
Comments

Hi, thanks for the report and the PR. On the latest version of gpac I have a different sanitizer output; it is now a use-after-free in the bifs parsing. I am currently testing a fix, but I'm not quite satisfied with it, so I'll wait until it can be reviewed by others to maybe merge it. Will keep this issue up to date.

Thanks for your reply. Yeah, there's something wrong with my sanitizer; the correct report is a use-after-free issue, as follows:

==57372==ERROR: AddressSanitizer: heap-use-after-free on address 0x603000001030 at pc 0x7f6bf19b9154 bp 0x7ffd09243090 sp 0x7ffd09243088
0x603000001030 is located 0 bytes inside of 24-byte region [0x603000001030,0x603000001048)
previously allocated by thread T0 here:
SUMMARY: AddressSanitizer: heap-use-after-free (/usr/local/lib/libgpac.so.12+0x135a153) in gf_bifs_flush_command_list

Previous fix reviewed and adapted into 0018b5e, which fixes the issue. Thanks for reporting.

This issue was assigned CVE-2023-41000
Description
There is a Null Pointer Dereference detected by AddressSanitizer
System info
Ubuntu 22.04.2 LTS
GPAC-2.2.1
Build command
CC=afl-clang-fast CXX=afl-clang-fast++ CFLAGS="-ggdb -O0 -fsanitize=address,undefined -fno-omit-frame-pointer" CXXFLAGS="-ggdb -O0 -fsanitize=address,undefined -fno-omit-frame-pointer" LDFLAGS="-ggdb -O0 -fsanitize=address,undefined" ./configure && make
Crash command
MP4Box -bt poc_file
poc_file:
poc_file.zip
Crash output
AddressSanitizer:DEADLYSIGNAL
==841115==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7fae75bd843e bp 0x7ffc7386e7a0 sp 0x7ffc7386e770 T0)
==841115==The signal is caused by a READ memory access.
==841115==Hint: address points to the zero page.
#0 0x7fae75bd843e in BS_ReadByte /root/fuzz/gpac/src/utils/bitstream.c:458:9
#1 0x7fae75bd8257 in gf_bs_read_bit /root/fuzz/gpac/src/utils/bitstream.c:538:17
#2 0x7fae75bd8fae in gf_bs_read_int /root/fuzz/gpac/src/utils/bitstream.c:571:10
#3 0x7fae75fc7481 in BM_ParseCommand /root/fuzz/gpac/src/bifs/memory_decoder.c:907:10
#4 0x7fae75fc797a in gf_bifs_flush_command_list /root/fuzz/gpac/src/bifs/memory_decoder.c:965:9
#5 0x7fae75fc81f5 in gf_bifs_decode_command_list /root/fuzz/gpac/src/bifs/memory_decoder.c:1045:3
#6 0x7fae7645d0e4 in gf_sm_load_run_isom /root/fuzz/gpac/src/scene_manager/loader_isom.c:303:10
#7 0x7fae7641bf38 in gf_sm_load_run /root/fuzz/gpac/src/scene_manager/scene_manager.c:719:28
#8 0x555d766c901c in dump_isom_scene /root/fuzz/gpac/applications/mp4box/filedump.c:209:14
#9 0x555d766b9725 in mp4box_main /root/fuzz/gpac/applications/mp4box/mp4box.c:6461:7
#10 0x7fae75814d8f (/lib/x86_64-linux-gnu/libc.so.6+0x29d8f) (BuildId: 69389d485a9793dbe873f0ea2c93e02efaa9aa3d)
#11 0x7fae75814e3f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x29e3f) (BuildId: 69389d485a9793dbe873f0ea2c93e02efaa9aa3d)
#12 0x555d765e8d84 in _start (/usr/local/bin/MP4Box+0x33d84) (BuildId: b4d8f1db695ed5d11720498d0e1dbdb36eaf06af)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /root/fuzz/gpac/src/utils/bitstream.c:458:9 in BS_ReadByte
==841115==ABORTING
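The stack above runs gf_bifs_flush_command_list -> BM_ParseCommand -> gf_bs_read_int -> BS_ReadByte and dies with a zero-page read at the bottom of that chain. As an added example (not GPAC's code and not the fix in 0018b5e; every type, function name and the bit format below are hypothetical), the following C shows the two guards a practitioner expects at that bottom layer, a NULL-bitstream check and an end-of-buffer check, plus a toy command-list parser that propagates those failures instead of consuming garbage as data. It models only the null/over-read layer of the trace; the maintainer's later finding that the real defect was a use-after-free in the BIFS command list is an ownership question this example does not reproduce.

```c
#include <stddef.h>
#include <stdint.h>

/* Borrowed buffer plus read cursor; all names here are hypothetical, not GPAC's. */
typedef struct {
    const uint8_t *data; size_t size, pos;   /* borrowed bytes, their count, next byte */
    unsigned cur, nbits;                     /* byte being drained, unread bits in it */
} bs_t;

typedef struct { unsigned opcode, payload; } cmd_t;   /* 3-bit and 8-bit fields */

#define MAX_CMDS 31        /* the count field is 5 bits wide */

static int bs_init(bs_t *bs, const uint8_t *data, size_t size)
{
    if (!bs || !data) return -1;
    bs->data = data; bs->size = size; bs->pos = 0; bs->cur = 0; bs->nbits = 0;
    return 0;
}

/* Plays the role of BS_ReadByte in the trace. Without the first guard a NULL bs is
 * read through (the zero-page SEGV in the report); without the second, a short
 * file is "read" past its end instead of being rejected. */
static int bs_read_byte(bs_t *bs, unsigned *out)
{
    if (!bs || !bs->data) return -1;
    if (bs->pos >= bs->size) return -1;
    *out = bs->data[bs->pos++];
    return 0;
}

/* Read 1..32 bits MSB-first; on failure *out is untouched and -1 is returned. */
static int bs_read_int(bs_t *bs, unsigned nbits, uint32_t *out)
{
    uint32_t v = 0;
    if (!bs || !out || nbits == 0 || nbits > 32) return -1;
    while (nbits--) {
        if (bs->nbits == 0) {
            if (bs_read_byte(bs, &bs->cur) != 0) return -1;
            bs->nbits = 8;
        }
        bs->nbits--;
        v = (v << 1) | ((bs->cur >> bs->nbits) & 1u);
    }
    *out = v;
    return 0;
}

/* Toy command list invented for this example: [count:5] then count x ([opcode:3][payload:8]).
 * Returns the number of commands decoded, or -1 on NULL, short or oversized input;
 * every failure from the bit layer is propagated rather than consumed as data. */
static int parse_command_list(bs_t *bs, cmd_t *cmds, size_t max_cmds)
{
    uint32_t count, op, payload;
    size_t i;
    if (!bs || !cmds) return -1;
    if (bs_read_int(bs, 5, &count) != 0) return -1;
    if (count > max_cmds) return -1;     /* never overrun the caller's array */
    for (i = 0; i < count; i++) {
        if (bs_read_int(bs, 3, &op) != 0) return -1;
        if (bs_read_int(bs, 8, &payload) != 0) return -1;
        cmds[i].opcode = op;
        cmds[i].payload = payload;
    }
    return (int)count;
}

/* Constructed sample: count=2, cmd0=(5,0xAB), cmd1=(2,0x3C), i.e. the 27 bits
 * 00010 101 10101011 010 00111100 MSB-first, zero-padded to 32. */
static const uint8_t sample_ok[] = { 0x15, 0xAB, 0x47, 0x80 };

/* Well-formed input: returns 2 and the decoded fields match the encoding. */
int demo_parse_ok(void)
{
    bs_t bs; cmd_t cmds[MAX_CMDS];
    if (bs_init(&bs, sample_ok, sizeof sample_ok) != 0) return -1;
    int n = parse_command_list(&bs, cmds, MAX_CMDS);
    if (n != 2) return n;
    if (cmds[0].opcode != 5 || cmds[0].payload != 0xAB) return -2;
    if (cmds[1].opcode != 2 || cmds[1].payload != 0x3C) return -3;
    return n;
}

/* Same bytes minus the last one: cmd1's payload is 3 bits short, so -1, not garbage. */
int demo_parse_truncated(void)
{
    bs_t bs; cmd_t cmds[MAX_CMDS];
    if (bs_init(&bs, sample_ok, sizeof sample_ok - 1) != 0) return -99;
    return parse_command_list(&bs, cmds, MAX_CMDS);
}

/* A NULL bitstream handed to the bit layer is refused (-1), not dereferenced. */
int demo_read_null(void)
{
    uint32_t v = 0;
    return bs_read_int(NULL, 8, &v);
}
```

The design point is that the bottom-most fetch is the only place that knows whether a byte exists, so it must be the place that refuses a NULL or exhausted stream, and every caller above it must treat a non-zero return as fatal for the current command rather than as a value. When fuzzing a reader like this with the same ASan/UBSan flags as the build command above, a truncated poc_file should produce an error return, never a sanitizer report.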