
Memory leaks in NewSFDouble scenegraph/vrml_tools.c:300 #2658

Closed
3 tasks
ReturnHere opened this issue Oct 23, 2023 · 2 comments

Comments

@ReturnHere

Thanks for reporting your issue. Please make sure these boxes are checked before submitting your issue - thank you!

Detailed guidelines: http://gpac.io/bug-reporting/

1. Version
./MP4Box -version
MP4Box - GPAC version 2.3-DEV-rev602-ged8424300-master
(c) 2000-2023 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io

Please cite our work in your research:
GPAC Filters: https://doi.org/10.1145/3339825.3394929
GPAC: https://doi.org/10.1145/1291233.1291452

GPAC Configuration:
Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SSL GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_JPEG GPAC_HAS_PNG GPAC_HAS_LINUX_DVB GPAC_DISABLE_3D

2. Platform
uname -a
Linux returnzero-virtual-machine 6.2.0-35-generic #35~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Fri Oct 6 10:23:26 UTC 2 x86_64 x86_64 x86_64 GNU/Linux

3. Reproduce
./MP4Box -bt $poc

4. ASAN
./MP4Box -bt '/home/returnzero/gpac/out/default/crashes/id:000000,sig:06,src:000008,time:167295,execs:4216,op:havoc,rep:6'
[iso file] extra box maxr found in hinf, deleting
[iso file] Unknown box type traI in parent moov
[iso file] Box "stss" (start 9939) has 32 extra bytes
[iso file] extra box maxr found in hinf, deleting
[iso file] Track with no sample description box !
[iso file] Incomplete box mdat - start 11495 size 861217
[iso file] Incomplete file while reading for dump - aborting parsing
[iso file] extra box maxr found in hinf, deleting
[iso file] Unknown box type traI in parent moov
[iso file] Box "stss" (start 9939) has 32 extra bytes
[iso file] extra box maxr found in hinf, deleting
[iso file] Track with no sample description box !
[iso file] Incomplete box mdat - start 11495 size 861217
[iso file] Incomplete file while reading for dump - aborting parsing
MPEG-4 BIFS Scene Parsing
[MP4 Loading] decoding sample 1 from track ID 8 failed
Error loading scene: BitStream Not Compliant

Error: BitStream Not Compliant

=================================================================
==3703==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 8 byte(s) in 1 object(s) allocated from:
#0 0x7f0d974b4887 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
#1 0x7f0d95d38b3b in NewSFDouble scenegraph/vrml_tools.c:300
#2 0x7f0d95d38b3b in gf_sg_vrml_field_pointer_new scenegraph/vrml_tools.c:558

SUMMARY: AddressSanitizer: 8 byte(s) leaked in 1 allocation(s).

5. Impact
This vulnerability allows a remote attacker to cause a denial of service on an affected gpac MP4Box. Exploiting this vulnerability requires user interaction, as the target must access a malicious page or open a malicious file.

6. PoC
https://github.com/ReturnHere/CrashReport/blob/main/id%5E%25000000%2Csig%5E%2506%2Csrc%5E%25000008%2Ctime%5E%25167295%2Cexecs%5E%254216%2Cop%5E%25havoc%2Crep%5E%256
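The LeakSanitizer trace in this report points at a field allocated in NewSFDouble that is never released once scene loading aborts with "BitStream Not Compliant". The C program below is an added illustration of that allocate-then-bail-out pattern and of the usual fix; it is not GPAC's code and does not reproduce vrml_tools.c. The SFDouble type, sfdouble_new/sfdouble_free, parse_sfdouble_leaky/parse_sfdouble_fixed, the error codes and the two sample byte strings are all constructed for this example, and a live-allocation counter stands in for LeakSanitizer so the leak is observable without running under ASAN.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define OK                 0
#define ERR_NOT_COMPLIANT -1   /* stands in for "BitStream Not Compliant" */
#define ERR_OOM           -2

/* Hypothetical SFDouble field (not GPAC's type): one 8-byte double, the
   allocation size LeakSanitizer reported in the issue above. */
typedef struct { double value; } SFDouble;

/* Live-allocation counter: an in-process stand-in for LeakSanitizer. */
static int live_sfdouble = 0;

static SFDouble *sfdouble_new(void) {
    SFDouble *f = (SFDouble *)malloc(sizeof *f);
    if (f) { f->value = 0.0; live_sfdouble++; }
    return f;
}

void sfdouble_free(SFDouble *f) {
    if (f) { free(f); live_sfdouble--; }
}

int sfdouble_live_count(void) { return live_sfdouble; }

/* Decode a big-endian IEEE-754 double from exactly 8 bytes. */
static double read_be_double(const uint8_t *p) {
    uint64_t bits = 0;
    for (int i = 0; i < 8; i++) bits = (bits << 8) | p[i];
    double d;
    memcpy(&d, &bits, sizeof d);
    return d;
}

/* Leaky variant: the field is allocated before the bitstream is validated,
   and the error return skips the release. Each malformed sample loses one
   SFDouble (8 bytes), which is the shape of the sanitizer trace above. */
int parse_sfdouble_leaky(const uint8_t *buf, size_t len, SFDouble **out) {
    SFDouble *f = sfdouble_new();
    if (!f) return ERR_OOM;
    if (len < 8) return ERR_NOT_COMPLIANT;   /* f is never freed here */
    f->value = read_be_double(buf);
    *out = f;                                 /* caller now owns f */
    return OK;
}

/* Fixed variant: same allocation order, but every failure funnels through a
   single cleanup label so the field is released and *out is left NULL. */
int parse_sfdouble_fixed(const uint8_t *buf, size_t len, SFDouble **out) {
    int rc = OK;
    SFDouble *f = sfdouble_new();
    *out = NULL;
    if (!f) return ERR_OOM;
    if (len < 8) { rc = ERR_NOT_COMPLIANT; goto cleanup; }
    f->value = read_be_double(buf);
    *out = f;                                 /* caller now owns f */
    return OK;
cleanup:
    sfdouble_free(f);
    return rc;
}

/* Constructed inputs: a valid 8-byte big-endian encoding of 1.5, and a
   truncated 3-byte sample standing in for a malformed scene sample. */
const uint8_t SAMPLE_OK[8]    = { 0x3F, 0xF8, 0, 0, 0, 0, 0, 0 };
const uint8_t SAMPLE_SHORT[3] = { 0x3F, 0xF8, 0 };

int main(void) {
    SFDouble *f = NULL;
    parse_sfdouble_leaky(SAMPLE_SHORT, sizeof SAMPLE_SHORT, &f);
    printf("after leaky parse of bad sample: %d live field(s)\n", sfdouble_live_count());
    parse_sfdouble_fixed(SAMPLE_SHORT, sizeof SAMPLE_SHORT, &f);
    printf("after fixed parse of bad sample: %d live field(s)\n", sfdouble_live_count());
    if (parse_sfdouble_fixed(SAMPLE_OK, sizeof SAMPLE_OK, &f) == OK) {
        printf("decoded %.1f\n", f->value);
        sfdouble_free(f);
    }
    return 0;
}
```

The counter makes the difference between the two variants visible: the leaky parser leaves one live SFDouble behind per malformed sample, while the fixed parser returns with the count unchanged. The single cleanup label is the point of the fix: once a function has more than one early exit after an allocation, routing all of them through one release path is what keeps later edits from reintroducing the same leak.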

@rbouqueau
Member

Thanks for reporting. Yet I think that the impact paragraph is overstated ;)

@rbouqueau
Member

@ReturnHere I'm sorry but leaking 8 bytes doesn't lead to a Denial of Service: GHSA-84cp-p2p2-jfjr. That was a small memory leak that happens in a rare (if not improbable) scenario. Thanks for reporting anyway.
