./bin/gcc/MP4Box -dash 1000 /home/fuzz/crashes/hbo16
[SWF Parsing] tag PlaceObject over-read of 4 bytes (size 1) (frame 1)
[SWF Parsing] tag PlaceObject over-read of 4 bytes (size 1) (frame 1)
[SWF Parsing] tag PlaceObject over-read of 4 bytes (size 1) (frame 1)
[SWF Parsing] tag PlaceObject over-read of 4 bytes (size 1) (frame 1)
[SWF Parsing] tag PlaceObject over-read of 4 bytes (size 1) (frame 1)
[SWF Parsing] tag PlaceObject over-read of 4 bytes (size 1) (frame 1)
[SWF Parsing] tag PlaceObject over-read of 4 bytes (size 1) (frame 1)
[SWF Parsing] tag PlaceObject over-read of 4 bytes (size 1) (frame 1)
[SWF Parsing] tag PlaceObject over-read of 4 bytes (size 1) (frame 1)
[SWF Parsing] tag PlaceObject over-read of 4 bytes (size 1) (frame 1)
[SWF Parsing] tag PlaceObject over-read of 4 bytes (size 1) (frame 1)
[SWF Parsing] tag PlaceObject over-read of 4 bytes (size 1) (frame 1)
[SWF Parsing] tag PlaceObject over-read of 4 bytes (size 1) (frame 1)
[SWF Parsing] tag PlaceObject over-read of 4 bytes (size 1) (frame 1)
[SWF Parsing] tag PlaceObject over-read of 4 bytes (size 1) (frame 1)
[SWF Parsing] tag PlaceObject over-read of 4 bytes (size 1) (frame 1)
[SWF Parsing] tag PlaceObject over-read of 4 bytes (size 1) (frame 1)
[SWF Parsing] tag PlaceObject over-read of 4 bytes (size 1) (frame 1)
[SWF Parsing] tag PlaceObject over-read of 4 bytes (size 1) (frame 1)
[SWF Parsing] tag PlaceObject over-read of 4 bytes (size 1) (frame 1)
[SWF Parsing] tag PlaceObject over-read of 4 bytes (size 1) (frame 1)
[SWF Parsing] tag PlaceObject over-read of 4 bytes (size 1) (frame 1)
[SWF Parsing] tag PlaceObject over-read of 4 bytes (size 1) (frame 1)
[SWF Parsing] tag PlaceObject over-read of 4 bytes (size 1) (frame 1)
=================================================================
==60235==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020000025d1 at pc 0x7ffff75ed1bd bp 0x7ffffffec720 sp 0x7ffffffebec8
READ of size 53248 at 0x6020000025d1 thread T0
#0 0x7ffff75ed1bc in __interceptor_fwrite ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:1103
#1 0x7ffff3ba5226 in gf_fwrite utils/os_file.c:1657
#2 0x7ffff4655f98 in swf_def_bits_jpeg scene_manager/swf_parse.c:2087
#3 0x7ffff46576d4 in swf_process_tag scene_manager/swf_parse.c:2374
#4 0x7ffff46576d4 in swf_parse_tag scene_manager/swf_parse.c:2405
#5 0x7ffff4d55ed9 in gf_text_process_swf filters/load_text.c:2550
#6 0x7ffff4d55ed9 in gf_text_process_swf filters/load_text.c:2527
#7 0x7ffff4d6b4f3 in txtin_process filters/load_text.c:4015
#8 0x7ffff4a5d4ae in gf_filter_process_task filter_core/filter.c:2971
#9 0x7ffff4a2ab11 in gf_fs_thread_proc filter_core/filter_session.c:2105
#10 0x7ffff4a2f8b6 in gf_fs_run filter_core/filter_session.c:2405
#11 0x7ffff43bc0bd in gf_dasher_process media_tools/dash_segmenter.c:1236
#12 0x555555621d26 in do_dash /home/fuzz/gpac/applications/mp4box/mp4box.c:4831
#13 0x555555621d26 in mp4box_main /home/fuzz/gpac/applications/mp4box/mp4box.c:6245
#14 0x7ffff164c082 in __libc_start_main ../csu/libc-start.c:308
#15 0x5555555fa05d in _start (/home/fuzz/gpac/bin/gcc/MP4Box+0xa605d)
0x6020000025d1 is located 0 bytes to the right of 1-byte region [0x6020000025d0,0x6020000025d1)
allocated by thread T0 here:
#0 0x7ffff7690808 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:144
#1 0x7ffff465a345 in swf_def_hdr_jpeg scene_manager/swf_parse.c:2044
#2 0x7ffff465a345 in swf_process_tag scene_manager/swf_parse.c:2372
#3 0x7ffff465a345 in swf_parse_tag scene_manager/swf_parse.c:2405
#4 0x7ffff4d55ed9 in gf_text_process_swf filters/load_text.c:2550
#5 0x7ffff4d55ed9 in gf_text_process_swf filters/load_text.c:2527
#6 0x7ffff4d6b4f3 in txtin_process filters/load_text.c:4015
#7 0x7ffff4a5d4ae in gf_filter_process_task filter_core/filter.c:2971
#8 0x7ffff4a2ab11 in gf_fs_thread_proc filter_core/filter_session.c:2105
#9 0x7ffff4a2f8b6 in gf_fs_run filter_core/filter_session.c:2405
#10 0x7ffff43bc0bd in gf_dasher_process media_tools/dash_segmenter.c:1236
#11 0x555555621d26 in do_dash /home/fuzz/gpac/applications/mp4box/mp4box.c:4831
#12 0x555555621d26 in mp4box_main /home/fuzz/gpac/applications/mp4box/mp4box.c:6245
#13 0x7ffff164c082 in __libc_start_main ../csu/libc-start.c:308
SUMMARY: AddressSanitizer: heap-buffer-overflow ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:1103 in __interceptor_fwrite
Shadow bytes around the buggy address:
0x0c047fff8460: fa fa fd fa fa fa 00 00 fa fa 00 00 fa fa fd fa
0x0c047fff8470: fa fa fd fd fa fa fd fa fa fa 00 07 fa fa 00 07
0x0c047fff8480: fa fa 04 fa fa fa 00 05 fa fa 00 00 fa fa 00 00
0x0c047fff8490: fa fa fd fa fa fa fd fd fa fa fd fd fa fa fd fd
0x0c047fff84a0: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 00
=>0x0c047fff84b0: fa fa 00 00 fa fa 00 00 fa fa[01]fa fa fa fa fa
0x0c047fff84c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff84d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff84e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff84f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8500: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==60235==ABORTING
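The trace above pairs a 1-byte heap allocation made in swf_def_hdr_jpeg with a later fwrite of 53248 bytes from that same region in swf_def_bits_jpeg, so the length used for the write is not the length that was allocated. The following C program is an added illustration, not gpac's code: a hypothetical header buffer (jpeg_hdr_t) that carries its own allocated length, plus a checked writer that refuses any request larger than that length. The function names, the struct and the replay of the report's two sizes are all assumptions made for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

/* Hypothetical buffer type (not gpac's): the allocated length travels with
 * the pointer so a later tag cannot write more bytes than exist. */
typedef struct {
    uint8_t *data;
    size_t   len;
} jpeg_hdr_t;

/* Allocate the header buffer for a given tag length; 0 on success, -1 on error. */
static int jpeg_hdr_alloc(jpeg_hdr_t *h, size_t len) {
    h->data = NULL;
    h->len = 0;
    if (len == 0) return -1;
    h->data = malloc(len);
    if (!h->data) return -1;
    memset(h->data, 0, len);
    h->len = len;
    return 0;
}

/* Bounded write: returns bytes written, or -1 when the request exceeds the
 * buffer. The unchecked form, fwrite(h->data, 1, want, out), is the shape
 * of the 53248-byte read from a 1-byte region that ASan reports above. */
static long jpeg_hdr_write(const jpeg_hdr_t *h, size_t want, FILE *out) {
    if (!h->data || want > h->len) return -1;
    return (long)fwrite(h->data, 1, want, out);
}

static void jpeg_hdr_free(jpeg_hdr_t *h) {
    free(h->data);
    h->data = NULL;
    h->len = 0;
}

/* Replay a (allocation size, write size) pair through the checked writer.
 * Returns bytes written, -1 if rejected, -2 on allocation failure,
 * -3 if no scratch file could be opened. */
long checked_replay(size_t alloc_len, size_t write_len) {
    jpeg_hdr_t h;
    if (jpeg_hdr_alloc(&h, alloc_len) != 0) return -2;
    FILE *sink = tmpfile();           /* scratch output, discarded on close */
    if (!sink) { jpeg_hdr_free(&h); return -3; }
    long n = jpeg_hdr_write(&h, write_len, sink);
    fclose(sink);
    jpeg_hdr_free(&h);
    return n;
}

int main(void) {
    /* The report's sizes: 1-byte allocation, 53248-byte write request. */
    printf("alloc 1, write 53248 -> %ld\n", checked_replay(1, 53248));
    /* A consistent pair is written in full. */
    printf("alloc 53248, write 53248 -> %ld\n", checked_replay(53248, 53248));
    return 0;
}
```

The check is deliberately placed at the point of use rather than at allocation: the two lengths come from different tags, so only the writer can compare the requested size against what was actually allocated.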
Impact
This vulnerability allows a remote attacker to cause a denial of service or even arbitrary code execution on an affected gpac MP4Box. Exploiting this vulnerability requires user interaction, as the target must access a malicious page or open a malicious file.
Credit
Janette88 (Jq Wang)
Description
heap-buffer-overflow in gf_fwrite at utils/os_file.c:1657
Version
POC
https://github.com/Janette88/test_pocs/blob/main/hbo16
Reproduce
See the MP4Box -dash command and the AddressSanitizer output above.