SEGV in gf_dash_setup_period /gpac/src/media_tools/dash_client.c:6387:11

[gandalf4a]

Version

$ ./MP4Box -version
MP4Box - GPAC version 2.3-DEV-rev566-g50c2ab06f-master

Platform

$ uname -a
Linux user-GE40-2PC-Dragon-Eyes 6.2.0-33-generic #33~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Thu Sep  7 10:33:52 UTC 2 x86_64 x86_64 x86_64 GNU/Linux

Asan

/home/user/vul/MP4Box_crash/id000047sig11src000947time29319138execs272958ophavocrep4
[32m[DASH] Updated manifest:
[0m[32m        P#1: start 0 - duration 0 - xlink none
[0m[32m[DASH] Manifest after update:
[0m[32m        P#1: start 0 - duration 0 - xlink none
[0m[32m[DASH] Setting up period start 0 duration 0 xlink none ID DID1
[0m[32m[DASH] AS#1 changed quality to bitrate 10 kbps - Width 1280 Height 720 FPS 30/1 (playback speed 1)
[0mAddressSanitizer:DEADLYSIGNAL
=================================================================
==828815==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f3d0b7997ab bp 0x7ffd3348c3e0 sp 0x7ffd3348c398 T0)
==828815==The signal is caused by a READ memory access.
==828815==Hint: address points to the zero page.
    #0 0x7f3d0b7997ab  string/../sysdeps/x86_64/multiarch/memchr-avx2.S:81
    #1 0x7f3d0b68f9e7 in _IO_str_init_static_internal libio/./libio/strops.c:41:11
    #2 0x7f3d0b662401 in _IO_strfile_read stdio-common/../libio/strfile.h:95:3
    #3 0x7f3d0b662401 in __isoc99_vsscanf stdio-common/./stdio-common/isoc99_vsscanf.c:33:13
    #4 0x5631380a2040 in __isoc99_sscanf (/home/user/fuzzing_gpac/gpac/bin/gcc/MP4Box+0xa4040) (BuildId: 53333ca7bff59dd9a3d1b2821e7c5f3a9aac76b9)
    #5 0x7f3d0c7a50ec in gf_dash_setup_period /home/user/fuzzing_gpac/gpac/src/media_tools/dash_client.c:6387:11
    #6 0x7f3d0c75886f in dash_setup_period_and_groups /home/user/fuzzing_gpac/gpac/src/media_tools/dash_client.c:7686:7
    #7 0x7f3d0c75886f in gf_dash_process_internal /home/user/fuzzing_gpac/gpac/src/media_tools/dash_client.c:8018:7
    #8 0x7f3d0c75886f in gf_dash_process /home/user/fuzzing_gpac/gpac/src/media_tools/dash_client.c:8089:9
    #9 0x7f3d0cee2e03 in dashdmx_process /home/user/fuzzing_gpac/gpac/src/filters/dmx_dash.c:3192:6
    #10 0x7f3d0cdafa33 in gf_filter_process_task /home/user/fuzzing_gpac/gpac/src/filter_core/filter.c:2971:7
    #11 0x7f3d0cd7d47b in gf_fs_thread_proc /home/user/fuzzing_gpac/gpac/src/filter_core/filter_session.c:2105:3
    #12 0x7f3d0cd7b5cf in gf_fs_run /home/user/fuzzing_gpac/gpac/src/filter_core/filter_session.c:2405:3
    #13 0x7f3d0c62ac6a in gf_dasher_process /home/user/fuzzing_gpac/gpac/src/media_tools/dash_segmenter.c:1236:6
    #14 0x5631381676dc in do_dash /home/user/fuzzing_gpac/gpac/applications/mp4box/mp4box.c:4831:15
    #15 0x563138158b6e in mp4box_main /home/user/fuzzing_gpac/gpac/applications/mp4box/mp4box.c:6245:7
    #16 0x7f3d0b629d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #17 0x7f3d0b629e3f in __libc_start_main csu/../csu/libc-start.c:392:3
    #18 0x563138080dd4 in _start (/home/user/fuzzing_gpac/gpac/bin/gcc/MP4Box+0x82dd4) (BuildId: 53333ca7bff59dd9a3d1b2821e7c5f3a9aac76b9)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV string/../sysdeps/x86_64/multiarch/memchr-avx2.S:81 
==828815==ABORTING

Reproduce

./MP4Box -dash 10000 poc

POC File

https://github.com/gandalf4a/crash_report/blob/main/gpac/MP4Box/segv_81

Credit

Gandalf4a