
Null pointer dereference in gf_dash_setup_period at media_tools/dash_client.c:6333 #2641

Closed
Janette88 opened this issue Oct 13, 2023 · 1 comment

Comments

Janette88 commented Oct 13, 2023

Description

Null pointer dereference in gf_dash_setup_period at media_tools/dash_client.c:6333

Version

git log
commit 7edc40feef23efd8c9948292d269eae76fa475af (HEAD -> master, origin/master, origin/HEAD)
Author: jeanlf <jeanlf@gpac.io>
Date:   Thu Oct 12 16:58:53 2023 +0200

./bin/gcc/MP4Box -version
MP4Box - GPAC version 2.3-DEV-rev588-g7edc40fee-master
(c) 2000-2023 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io

PoC:

https://github.com/Janette88/test_pocs/blob/main/poc15

Reproduce

compile:
./configure --enable-sanitizer
make
./bin/gcc/MP4Box -dash 1000 /home/fuzz/crashes/poc15
[DASH] Updated manifest:
	P#1: start 0 - duration 0 - xlink none
[DASH] Manifest after update:
	P#1: start 0 - duration 0 - xlink none
[DASH] Setting up period start 0 duration 0 xlink none ID DID1
media_tools/dash_client.c:6333:9: runtime error: null pointer passed as argument 1, which is declared to never be null
ASan log:
./bin/gcc/MP4Box -dash 1000 /home/fuzz/crash/poc15

[DASH] Updated manifest:
	P#1: start 0 - duration 0 - xlink none
[DASH] Manifest after update:
	P#1: start 0 - duration 0 - xlink none
[DASH] Setting up period start 0 duration 0 xlink none ID DID1
AddressSanitizer:DEADLYSIGNAL
=================================================================
==2807995==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x00000043f7e0 bp 0x7ffe04691450 sp 0x7ffe04690bf0 T0)
==2807995==The signal is caused by a READ memory access.
==2807995==Hint: address points to the zero page.
    #0 0x43f7e0 in strcmp (/home/fuzz/gpac/gpac/bin/gcc/MP4Box+0x43f7e0)
    #1 0x7fe80797751b in gf_dash_setup_period (/home/fuzz/gpac/gpac/bin/gcc/libgpac.so.12+0xd4851b)
    #2 0x7fe80792b0be in gf_dash_process (/home/fuzz/gpac/gpac/bin/gcc/libgpac.so.12+0xcfc0be)
    #3 0x7fe807fc31d3 in dashdmx_process (/home/fuzz/gpac/gpac/bin/gcc/libgpac.so.12+0x13941d3)
    #4 0x7fe807e90d3e in gf_filter_process_task (/home/fuzz/gpac/gpac/bin/gcc/libgpac.so.12+0x1261d3e)
    #5 0x7fe807e5ed86 in gf_fs_thread_proc (/home/fuzz/gpac/gpac/bin/gcc/libgpac.so.12+0x122fd86)
    #6 0x7fe807e5d67f in gf_fs_run (/home/fuzz/gpac/gpac/bin/gcc/libgpac.so.12+0x122e67f)
    #7 0x7fe8077fb9e7 in gf_dasher_process (/home/fuzz/gpac/gpac/bin/gcc/libgpac.so.12+0xbcc9e7)
    #8 0x50205c in do_dash /home/fuzz/gpac/gpac/applications/mp4box/mp4box.c:4831:15
    #9 0x4f34ee in mp4box_main /home/fuzz/gpac/gpac/applications/mp4box/mp4box.c:6245:7
    #10 0x7fe8068b0082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
    #11 0x42ad4d in _start (/home/fuzz/gpac/gpac/bin/gcc/MP4Box+0x42ad4d)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/home/fuzz/gpac/gpac/bin/gcc/MP4Box+0x43f7e0) in strcmp
==2807995==ABORTING

Impact:

The vulnerability can potentially cause a crash or other effects.

Credit:

Janette88 (Jq Wang)

Janette88 changed the title from "Segv in gf_dash_setup_period at media_tools/dash_client.c:6333" to "Null pointer dereference in gf_dash_setup_period at media_tools/dash_client.c:6333" on Oct 13, 2023
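The sanitizer output above shows the bug class: strcmp() (declared nonnull in glibc, hence the UBSan "null pointer passed as argument 1" diagnostic before the ASan SEGV) is reached with a NULL string while a period is being set up. The following is an added illustration, not GPAC code: a constructed model of a period whose ID attribute may be absent, with a null-safe comparison in place of a bare strcmp(). Type and function names are hypothetical.

```c
#include <stddef.h>
#include <string.h>

/* Constructed model: a DASH period whose ID attribute may be missing.
 * In a real manifest parser the field is NULL when the attribute is absent. */
typedef struct {
    const char *id;   /* NULL when the manifest omits the attribute */
} period_t;

/* Vulnerable pattern (illustration only, never called here): a bare strcmp()
 * dereferences NULL when the ID is absent. With -fsanitize=undefined this is the
 * "null pointer passed as argument 1" report; without it, a SEGV in strcmp. */
int period_matches_unsafe(const period_t *p, const char *wanted) {
    return strcmp(p->id, wanted) == 0;
}

/* Hardened comparison: two absent values compare equal, an absent value never
 * equals a present one, and strcmp() is only called with two non-NULL pointers. */
int str_eq_safe(const char *a, const char *b) {
    if (a == NULL || b == NULL) return a == b;
    return strcmp(a, b) == 0;
}

int period_matches(const period_t *p, const char *wanted) {
    return p != NULL && str_eq_safe(p->id, wanted);
}

/* Find the index of the period with the given ID, tolerating periods that
 * carry no ID attribute. Returns -1 when nothing matches. */
int find_period(const period_t *periods, size_t n, const char *wanted) {
    for (size_t i = 0; i < n; i++) {
        if (period_matches(&periods[i], wanted)) return (int)i;
    }
    return -1;
}

/* Constructed sample manifest: first period has no ID, the others do
 * ("DID1" is the ID shown in the report's log). */
int sample_lookup(const char *wanted) {
    const period_t periods[] = { { NULL }, { "DID1" }, { "DID2" } };
    return find_period(periods, sizeof periods / sizeof periods[0], wanted);
}
```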
stevebeattie commented

For reference, this issue was assigned CVE-2023-46427.

(I did not assign this CVE, I just noticed it while triaging new CVEs.)
