=================================================================
==3459603==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000006b71 at pc 0x0000004a2c4f bp 0x7ffffffec1a0 sp 0x7ffffffeb968
WRITE of size 4 at 0x602000006b71 thread T0
#0 0x4a2c4e in __asan_memset (/afltest/gpac/bin/gcc/MP4Box+0x4a2c4e)
#1 0x7ffff665aacc in gf_isom_use_compact_size /afltest/gpac/src/isomedia/isom_write.c:3403:3
#2 0x54e099 in import_file /afltest/gpac/applications/mp4box/fileimport.c:1707:8
#3 0x4f7d1e in do_add_cat /afltest/gpac/applications/mp4box/mp4box.c
#4 0x4f7d1e in mp4box_main /afltest/gpac/applications/mp4box/mp4box.c:6196:13
#5 0x7ffff58cc082 in __libc_start_main /build/glibc-BHL3KM/glibc-2.31/csu/../csu/libc-start.c:308:16
#6 0x42adad in _start (/afltest/gpac/bin/gcc/MP4Box+0x42adad)
0x602000006b71 is located 0 bytes to the right of 1-byte region [0x602000006b70,0x602000006b71)
allocated by thread T0 here:
#0 0x4a34ed in malloc (/afltest/gpac/bin/gcc/MP4Box+0x4a34ed)
#1 0x7ffff665aa7d in gf_isom_use_compact_size /afltest/gpac/src/isomedia/isom_write.c:3401:24
SUMMARY: AddressSanitizer: heap-buffer-overflow (/afltest/gpac/bin/gcc/MP4Box+0x4a2c4e) in __asan_memset
Shadow bytes around the buggy address:
0x0c047fff8d10: fa fa 00 04 fa fa 00 00 fa fa 00 00 fa fa 00 00
0x0c047fff8d20: fa fa fd fd fa fa fd fd fa fa 00 00 fa fa 00 05
0x0c047fff8d30: fa fa 00 fa fa fa 00 00 fa fa 00 00 fa fa 00 00
0x0c047fff8d40: fa fa 00 00 fa fa 00 00 fa fa 04 fa fa fa 00 00
0x0c047fff8d50: fa fa 00 00 fa fa fd fd fa fa fd fa fa fa fd fd
=>0x0c047fff8d60: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa[01]fa
0x0c047fff8d70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8d80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8d90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8da0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8db0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==3459603==ABORTING
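When a fuzzing campaign produces many reports like the one above, the first triage step is to turn each report into structured data: bug class, access kind and size, the heap region it relates to, and the first frame that belongs to the project rather than to the sanitizer runtime. The following parser is an added example and is not part of this issue or of GPAC; it embeds the report above as a constructed sample (with the frames one per line, as AddressSanitizer prints them), assumes `/afltest/gpac/` as the project root taken from the paths in the trace, and also handles the `freed by` stacks and `inside of` region wording that ASan prints for other bug classes not shown on this page.

```python
"""Parse an AddressSanitizer report into a structured finding for crash triage."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample input: the report from the issue above, one frame per line.
SAMPLE_REPORT = """\
=================================================================
==3459603==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000006b71 at pc 0x0000004a2c4f bp 0x7ffffffec1a0 sp 0x7ffffffeb968
WRITE of size 4 at 0x602000006b71 thread T0
    #0 0x4a2c4e in __asan_memset (/afltest/gpac/bin/gcc/MP4Box+0x4a2c4e)
    #1 0x7ffff665aacc in gf_isom_use_compact_size /afltest/gpac/src/isomedia/isom_write.c:3403:3
    #2 0x54e099 in import_file /afltest/gpac/applications/mp4box/fileimport.c:1707:8
    #3 0x4f7d1e in do_add_cat /afltest/gpac/applications/mp4box/mp4box.c
    #4 0x4f7d1e in mp4box_main /afltest/gpac/applications/mp4box/mp4box.c:6196:13
    #5 0x7ffff58cc082 in __libc_start_main /build/glibc-BHL3KM/glibc-2.31/csu/../csu/libc-start.c:308:16
    #6 0x42adad in _start (/afltest/gpac/bin/gcc/MP4Box+0x42adad)
0x602000006b71 is located 0 bytes to the right of 1-byte region [0x602000006b70,0x602000006b71)
allocated by thread T0 here:
    #0 0x4a34ed in malloc (/afltest/gpac/bin/gcc/MP4Box+0x4a34ed)
    #1 0x7ffff665aa7d in gf_isom_use_compact_size /afltest/gpac/src/isomedia/isom_write.c:3401:24
SUMMARY: AddressSanitizer: heap-buffer-overflow (/afltest/gpac/bin/gcc/MP4Box+0x4a2c4e) in __asan_memset
"""

HEADER_RE = re.compile(r"^==(\d+)==ERROR: AddressSanitizer: (\S+) on address (0x[0-9a-fA-F]+)")
ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+) at (0x[0-9a-fA-F]+) thread (T\d+)")
REGION_RE = re.compile(r"is located (\d+) bytes (?:to the (left|right) of|inside of) (\d+)-byte region")
FRAME_RE = re.compile(r"^#(\d+) 0x[0-9a-fA-F]+ in (\S+) (.*)$")
SOURCE_RE = re.compile(r"^(.*?):(\d+)(?::\d+)?$")  # path:line[:column]

# Frames in the sanitizer runtime, allocator interceptors or process startup:
# they never identify where the program under test went wrong.
RUNTIME_PREFIXES = ("__asan_", "__interceptor_", "__sanitizer", "__libc_")
RUNTIME_NAMES = {"malloc", "calloc", "realloc", "free", "_start"}


@dataclass
class Frame:
    index: int
    function: str
    location: str  # raw text after the function name

    def source_line(self) -> Tuple[Optional[str], Optional[int]]:
        """(path, line) when the frame carries a source location, else (None, None)."""
        m = SOURCE_RE.match(self.location)
        return (m.group(1), int(m.group(2))) if m else (None, None)


@dataclass
class AsanFinding:
    pid: int
    bug_type: str
    address: str
    access: Optional[str] = None       # READ or WRITE
    access_size: Optional[int] = None  # bytes touched by the faulting access
    region_size: Optional[int] = None  # size of the heap region ASan relates it to
    offset: Optional[int] = None       # distance from that region
    side: Optional[str] = None         # left, right or inside
    stacks: Dict[str, List[Frame]] = field(default_factory=dict)


def parse_asan_report(text: str) -> AsanFinding:
    """Walk the report once, attaching each stack to the section it belongs to."""
    finding: Optional[AsanFinding] = None
    current: Optional[str] = None  # "access", "alloc" or "free"
    for raw in text.splitlines():
        line = raw.strip()
        if finding is None:
            if m := HEADER_RE.match(line):
                finding = AsanFinding(int(m.group(1)), m.group(2), m.group(3))
            continue
        if m := ACCESS_RE.match(line):
            finding.access, finding.access_size = m.group(1), int(m.group(2))
            current = "access"
            finding.stacks[current] = []
        elif m := REGION_RE.search(line):
            finding.offset = int(m.group(1))
            finding.side = m.group(2) or "inside"
            finding.region_size = int(m.group(3))
        elif line.startswith("allocated by") or line.startswith("freed by"):
            current = "alloc" if line.startswith("allocated") else "free"
            finding.stacks[current] = []
        elif (m := FRAME_RE.match(line)) and current is not None:
            finding.stacks[current].append(Frame(int(m.group(1)), m.group(2), m.group(3)))
        elif line.startswith("SUMMARY:"):
            current = None
    if finding is None:
        raise ValueError("no AddressSanitizer ERROR header found")
    return finding


def first_project_frame(frames: List[Frame], project_root: str) -> Optional[Frame]:
    """First frame inside the project's own sources, skipping runtime and allocator frames."""
    for f in frames:
        if f.function in RUNTIME_NAMES or f.function.startswith(RUNTIME_PREFIXES):
            continue
        src, _ = f.source_line()
        if src and src.startswith(project_root):
            return f
    return None


def triage_key(finding: AsanFinding, project_root: str) -> str:
    """Stable bucket key for deduplication: bug class, access kind and faulting project frame."""
    top = first_project_frame(finding.stacks.get("access", []), project_root)
    if top is None:
        return f"{finding.bug_type}:{finding.access or '?'}:unknown"
    src, line = top.source_line()
    return f"{finding.bug_type}:{finding.access}:{top.function}:{src.rsplit('/', 1)[-1]}:{line}"


if __name__ == "__main__":
    finding = parse_asan_report(SAMPLE_REPORT)
    print(triage_key(finding, "/afltest/gpac/"))
    alloc = first_project_frame(finding.stacks["alloc"], "/afltest/gpac/")
    print(f"{finding.access} of {finding.access_size} bytes, {finding.offset} bytes to the "
          f"{finding.side} of a {finding.region_size}-byte region allocated at "
          f"{':'.join(map(str, alloc.source_line()))}")
```

The triage key deliberately ignores addresses and process ids, which change from run to run, and skips `__asan_memset` and `malloc` so that the bucket names the project code that performed the access (here `gf_isom_use_compact_size` at `isom_write.c:3403`) and, via the `alloc` stack, the allocation it overran (`isom_write.c:3401`). Two inputs that trip the same check at the same line land in the same bucket, which is what a fuzzing dashboard needs to count distinct bugs rather than distinct crashes.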
Reproduction
git clone https://github.com/gpac/gpac.git
cd gpac
./configure --enable-sanitizer
make -j24
./bin/gcc/MP4Box -add self:moovts=-1:noedit:stz2:profile=high:level=7 poc1gpac
heap-buffer-overflow in gf_isom_use_compact_size gpac/src/isomedia/isom_write.c:3403:3 in gpac/gpac
Description
Heap-buffer-overflow in MP4Box.
Version
MP4Box - GPAC version 2.3-DEV-rev605-gfc9e29089-master
(c) 2000-2023 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
Please cite our work in your research:
GPAC Filters: https://doi.org/10.1145/3339825.3394929
GPAC: https://doi.org/10.1145/1291233.1291452
GPAC Configuration:
Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SSL GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_JPEG GPAC_HAS_PNG GPAC_HAS_FFMPEG GPAC_HAS_VORBIS GPAC_HAS_LINUX_DVB
ASAN Log
./MP4Box -add self:moovts=-1:noedit:stz2:profile=high:level=7 poc1gpac
PoC
poc1gpac: https://github.com/Frank-Z7/z-vulnerabilitys/blob/main/poc1gpac
Impact
This vulnerability is capable of causing crashes.
Reference
https://github.com/gpac/gpac
Environment
Credit
Zeng Yunxiang
Song Jiaxuan