Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

heap-buffer-overflow in str2ulong src/media_tools/avilib.c:137:16 in gpac/MP4Box #2669

Closed
Frank-Z7 opened this issue Oct 26, 2023 · 0 comments

Comments

@Frank-Z7
Copy link

heap-buffer-overflow in str2ulong src/media_tools/avilib.c:137:16 in gpac/MP4Box

Description

Heap-buffer-overflow in MP4Box.
#0 0x7ffff694c441 in str2ulong /afltest/gpac2/src/media_tools/avilib.c:137:16

Version

MP4Box - GPAC version 2.3-DEV-rev617-g671976fcc-master
(c) 2000-2023 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io

Please cite our work in your research:
        GPAC Filters: https://doi.org/10.1145/3339825.3394929
        GPAC: https://doi.org/10.1145/1291233.1291452

GPAC Configuration:
Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SSL GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_JPEG GPAC_HAS_PNG GPAC_HAS_FFMPEG GPAC_HAS_VORBIS GPAC_HAS_LINUX_DVB

ASAN Log

./MP4Box -dash 500 -check-xml -dm2ts -bin -out /dev/null poc6gpac

=================================================================
==1173259==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62100001a330 at pc 0x7ffff694c442 bp 0x7ffffffeea70 sp 0x7ffffffeea68
READ of size 1 at 0x62100001a330 thread T0
    #0 0x7ffff694c441 in str2ulong /afltest/gpac2/src/media_tools/avilib.c:137:16
    #1 0x7ffff694c441 in avi_parse_input_file /afltest/gpac2/src/media_tools/avilib.c:2004:9
    #2 0x7ffff694220a in AVI_open_input_file /afltest/gpac2/src/media_tools/avilib.c:1840:2
    #3 0x7ffff6f9d3f3 in avidmx_process /afltest/gpac2/src/filters/dmx_avi.c:492:14
    #4 0x7ffff6e8f502 in gf_filter_process_task /afltest/gpac2/src/filter_core/filter.c:2971:7
    #5 0x7ffff6e62ee9 in gf_fs_thread_proc /afltest/gpac2/src/filter_core/filter_session.c:2105:3
    #6 0x7ffff6e6193d in gf_fs_run /afltest/gpac2/src/filter_core/filter_session.c:2405:3
    #7 0x7ffff67a625c in gf_dasher_process /afltest/gpac2/src/media_tools/dash_segmenter.c:1236:6
    #8 0x50dfc7 in do_dash /afltest/gpac2/applications/mp4box/mp4box.c:4831:15
    #9 0x50dfc7 in mp4box_main /afltest/gpac2/applications/mp4box/mp4box.c:6245:7
    #10 0x7ffff58cb082 in __libc_start_main /build/glibc-BHL3KM/glibc-2.31/csu/../csu/libc-start.c:308:16
    #11 0x42adad in _start (/afltest/gpac2/bin/gcc/MP4Box+0x42adad)

0x62100001a330 is located 0 bytes to the right of 4656-byte region [0x621000019100,0x62100001a330)
allocated by thread T0 here:
    #0 0x4a34ed in malloc (/afltest/gpac2/bin/gcc/MP4Box+0x4a34ed)
    #1 0x7ffff6942aae in avi_parse_input_file /afltest/gpac2/src/media_tools/avilib.c:1944:35
    #2 0x7ffff694220a in AVI_open_input_file /afltest/gpac2/src/media_tools/avilib.c:1840:2

SUMMARY: AddressSanitizer: heap-buffer-overflow /afltest/gpac2/src/media_tools/avilib.c:137:16 in str2ulong
Shadow bytes around the buggy address:
  0x0c427fffb410: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c427fffb420: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c427fffb430: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c427fffb440: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c427fffb450: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c427fffb460: 00 00 00 00 00 00[fa]fa fa fa fa fa fa fa fa fa
  0x0c427fffb470: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c427fffb480: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c427fffb490: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c427fffb4a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c427fffb4b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==1173259==ABORTING

Reproduction

git clone https://github.com/gpac/gpac.git
cd gpac
./configure --enable-sanitizer
make -j24

./bin/gcc/MP4Box -dash 500 -check-xml -dm2ts -bin -out /dev/null poc6gpac

Thanks for your time!

PoC

poc6gpac: poc6gpac.zip

Impact

This vulnerability is capable of causing crashes, or possible code execution.

Reference

https://github.com/gpac/gpac

Environment

ubuntu:20.04
gcc version 9.4.0 (Ubuntu 9.4.0-1ubuntu1~20.04.2)
clang version 10.0.0-4ubuntu1
afl-cc++4.09

Credit

Zeng Yunxiang

Song Jiaxuan

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

1 participant