Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

SEGV in MP4Box in gf_avc_change_vui /afltest/gpac/src/media_tools/av_parsers.c:6872:55 #2662

Closed
Frank-Z7 opened this issue Oct 24, 2023 · 0 comments

Comments

@Frank-Z7
Copy link

SEGV in MP4Box

Description

SEGV in gpac/MP4Box.

#0 0x7ffff67d35c7 in gf_avc_change_vui /afltest/gpac/src/media_tools/av_parsers.c:6872:55

Version

MP4Box - GPAC version 2.3-DEV-rev605-gfc9e29089-master
(c) 2000-2023 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io

Please cite our work in your research:
        GPAC Filters: https://doi.org/10.1145/3339825.3394929
        GPAC: https://doi.org/10.1145/1291233.1291452

GPAC Configuration:
Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SSL GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_JPEG GPAC_HAS_PNG GPAC_HAS_FFMPEG GPAC_HAS_VORBIS GPAC_HAS_LINUX_DVB

ASAN Log

./MP4Box -add self:hdr=none:videofmt=undef:asemode=v1-qt poc2gpac

AddressSanitizer:DEADLYSIGNAL
=================================================================
==3037856==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000008 (pc 0x7ffff67d35c7 bp 0x7ffffffec090 sp 0x7ffffffe29c0 T0)
==3037856==The signal is caused by a READ memory access.
==3037856==Hint: address points to the zero page.
    #0 0x7ffff67d35c7 in gf_avc_change_vui /afltest/gpac/src/media_tools/av_parsers.c:6872:55
    #1 0x7ffff67d6ce5 in gf_avc_change_color /afltest/gpac/src/media_tools/av_parsers.c:6950:9
    #2 0x7ffff677f62c in gf_media_change_color /afltest/gpac/src/media_tools/isom_tools.c:198:3
    #3 0x54e165 in import_file /afltest/gpac/applications/mp4box/fileimport.c:1670:9
    #4 0x4f7d1e in do_add_cat /afltest/gpac/applications/mp4box/mp4box.c
    #5 0x4f7d1e in mp4box_main /afltest/gpac/applications/mp4box/mp4box.c:6196:13
    #6 0x7ffff58cc082 in __libc_start_main /build/glibc-BHL3KM/glibc-2.31/csu/../csu/libc-start.c:308:16
    #7 0x42adad in _start (/afltest/gpac/bin/gcc/MP4Box+0x42adad)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /afltest/gpac/src/media_tools/av_parsers.c:6872:55 in gf_avc_change_vui
==3037856==ABORTING

Reproduction

git clone https://github.com/gpac/gpac.git
cd gpac
./configure --enable-sanitizer
make -j24

./bin/gcc/MP4Box -add self:hdr=none:videofmt=undef:asemode=v1-qt poc2gpac

PoC

poc2gpac: https://github.com/Frank-Z7/z-vulnerabilitys/blob/main/poc2gpac

Impact

This vulnerability is capable of causing crashes.

Reference

https://github.com/gpac/gpac

Environment

ubuntu:20.04
gcc version 9.4.0 (Ubuntu 9.4.0-1ubuntu1~20.04.2)
clang version 10.0.0-4ubuntu1
afl-cc++4.09

Credit

Zeng Yunxiang

Song Jiaxuan

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

1 participant