heap-buffer-overflow in str2ulong src/media_tools/avilib.c:137:16 in gpac/MP4Box
Description
Heap-buffer-overflow in MP4Box.
#0 0x7ffff694c441 in str2ulong /afltest/gpac2/src/media_tools/avilib.c:137:16
Version
MP4Box - GPAC version 2.3-DEV-rev617-g671976fcc-master
(c) 2000-2023 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
Please cite our work in your research:
GPAC Filters: https://doi.org/10.1145/3339825.3394929
GPAC: https://doi.org/10.1145/1291233.1291452
GPAC Configuration:
Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SSL GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_JPEG GPAC_HAS_PNG GPAC_HAS_FFMPEG GPAC_HAS_VORBIS GPAC_HAS_LINUX_DVB
ASan Log
./MP4Box -dash 500 -check-xml -dm2ts -bin -out /dev/null poc6gpac
=================================================================
==1173259==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62100001a330 at pc 0x7ffff694c442 bp 0x7ffffffeea70 sp 0x7ffffffeea68
READ of size 1 at 0x62100001a330 thread T0
#0 0x7ffff694c441 in str2ulong /afltest/gpac2/src/media_tools/avilib.c:137:16
#1 0x7ffff694c441 in avi_parse_input_file /afltest/gpac2/src/media_tools/avilib.c:2004:9
#2 0x7ffff694220a in AVI_open_input_file /afltest/gpac2/src/media_tools/avilib.c:1840:2
#3 0x7ffff6f9d3f3 in avidmx_process /afltest/gpac2/src/filters/dmx_avi.c:492:14
#4 0x7ffff6e8f502 in gf_filter_process_task /afltest/gpac2/src/filter_core/filter.c:2971:7
#5 0x7ffff6e62ee9 in gf_fs_thread_proc /afltest/gpac2/src/filter_core/filter_session.c:2105:3
#6 0x7ffff6e6193d in gf_fs_run /afltest/gpac2/src/filter_core/filter_session.c:2405:3
#7 0x7ffff67a625c in gf_dasher_process /afltest/gpac2/src/media_tools/dash_segmenter.c:1236:6
#8 0x50dfc7 in do_dash /afltest/gpac2/applications/mp4box/mp4box.c:4831:15
#9 0x50dfc7 in mp4box_main /afltest/gpac2/applications/mp4box/mp4box.c:6245:7
#10 0x7ffff58cb082 in __libc_start_main /build/glibc-BHL3KM/glibc-2.31/csu/../csu/libc-start.c:308:16
#11 0x42adad in _start (/afltest/gpac2/bin/gcc/MP4Box+0x42adad)
0x62100001a330 is located 0 bytes to the right of 4656-byte region [0x621000019100,0x62100001a330)
allocated by thread T0 here:
#0 0x4a34ed in malloc (/afltest/gpac2/bin/gcc/MP4Box+0x4a34ed)
#1 0x7ffff6942aae in avi_parse_input_file /afltest/gpac2/src/media_tools/avilib.c:1944:35
#2 0x7ffff694220a in AVI_open_input_file /afltest/gpac2/src/media_tools/avilib.c:1840:2
SUMMARY: AddressSanitizer: heap-buffer-overflow /afltest/gpac2/src/media_tools/avilib.c:137:16 in str2ulong
Shadow bytes around the buggy address:
0x0c427fffb410: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c427fffb420: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c427fffb430: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c427fffb440: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c427fffb450: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c427fffb460: 00 00 00 00 00 00[fa]fa fa fa fa fa fa fa fa fa
0x0c427fffb470: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c427fffb480: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c427fffb490: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c427fffb4a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c427fffb4b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==1173259==ABORTING
Reproduction
git clone https://github.com/gpac/gpac.git
cd gpac
./configure --enable-sanitizer
make -j24
./bin/gcc/MP4Box -dash 500 -check-xml -dm2ts -bin -out /dev/null poc6gpac
Thanks for your time!
PoC
poc6gpac: poc6gpac.zip
Impact
This vulnerability is capable of causing crashes or possibly code execution.
Reference
https://github.com/gpac/gpac
Environment
Credit
Zeng Yunxiang
Song Jiaxuan
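Added illustration, not part of this report and not GPAC's code: the trace above shows a 1-byte READ exactly at the end of a 4656-byte heap region that avi_parse_input_file allocated, triggered from str2ulong, the 4-byte little-endian reader avilib uses on chunk fields. The C model below reproduces that bug class on constructed input: a sub-chunk walker whose loop condition only checks that the current offset is inside the buffer, not that the 8 header bytes at that offset are, beside a bounds-checked walker. The buffer layout, function names (rd_u32le, walk_unchecked, walk_checked, first_oob_header) and sample bytes are assumptions made for this example; the exact code at avilib.c:137 and :2004 is not reproduced here.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Four little-endian bytes -> uint32: the job str2ulong does in avilib.
   Model only; not the GPAC implementation. */
static uint32_t rd_u32le(const unsigned char *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Vulnerable walker (do not run on untrusted input). `i < len` guarantees that
   buf[i] exists, not that the 8 header bytes buf[i..i+7] do. A header cut off
   at the tail makes rd_u32le() read buf[len], the "0 bytes to the right"
   1-byte READ that ASan reports. Assumes 64-bit size_t so `i += ...` cannot wrap. */
static size_t walk_unchecked(const unsigned char *buf, size_t len)
{
    size_t i = 0, n = 0;
    while (i < len) {
        uint32_t tag  = rd_u32le(buf + i);      /* may read past len */
        uint32_t size = rd_u32le(buf + i + 4);  /* may read past len */
        (void)tag;
        i += 8 + (size_t)size + (size & 1u);    /* RIFF pads odd sizes to even */
        n++;
    }
    return n;
}

/* Hardened walker: check that a full header remains before reading it, and
   check the declared size against the bytes that remain so a hostile size can
   neither overrun the buffer nor wrap the offset. Returns 0 on success,
   -1 for a truncated header, -2 for a sub-chunk larger than what remains. */
static int walk_checked(const unsigned char *buf, size_t len, size_t *nchunks)
{
    size_t i = 0, n = 0;
    int rc = 0;
    while (i < len) {
        if (len - i < 8) { rc = -1; break; }
        uint32_t tag  = rd_u32le(buf + i);
        uint32_t size = rd_u32le(buf + i + 4);
        (void)tag;
        if (size > len - i - 8) { rc = -2; break; }
        size_t body = (size_t)size + (size & 1u);   /* size <= len, so no wrap */
        if (body > len - i - 8) { rc = -2; break; } /* pad byte missing */
        i += 8 + body;
        n++;
    }
    if (nchunks) *nchunks = n;
    return rc;
}

static size_t checked_count(const unsigned char *buf, size_t len)
{
    size_t n = 0;
    walk_checked(buf, len, &n);
    return n;
}

/* Replays the unchecked loop's arithmetic without touching memory and returns
   the offset of the first header whose 8-byte read would cross the end of the
   buffer (where ASan would fire), or -1 if the walk stays in bounds. */
static long first_oob_header(const unsigned char *buf, size_t len)
{
    size_t i = 0;
    while (i < len) {
        if (len - i < 8) return (long)i;
        uint32_t size = rd_u32le(buf + i + 4);
        size_t body = (size_t)size + (size & 1u);
        if (body > len - i - 8) return -1;  /* i jumps past len; loop exits */
        i += 8 + body;
    }
    return -1;
}

/* Constructed samples (not from the PoC file). TRUNCATED: one complete "avih"
   sub-chunk, then a "strl" header cut off after 5 of its 8 bytes; 17 bytes. */
static const unsigned char TRUNCATED[] = {
    'a','v','i','h', 0x04,0x00,0x00,0x00, 0x11,0x22,0x33,0x44,
    's','t','r','l', 0x02
};
/* Two complete sub-chunks; 22 bytes. */
static const unsigned char WELLFORMED[] = {
    'a','v','i','h', 0x04,0x00,0x00,0x00, 0x11,0x22,0x33,0x44,
    's','t','r','l', 0x02,0x00,0x00,0x00, 0xaa,0xbb
};
/* A header whose declared size is far larger than the buffer; 8 bytes. */
static const unsigned char OVERSIZED[] = {
    'a','v','i','h', 0xff,0xff,0xff,0xff
};

int main(void)
{
    size_t n = 0;
    int rc = walk_checked(TRUNCATED, sizeof TRUNCATED, &n);
    printf("truncated:  rc=%d chunks=%zu; unchecked walk overruns at header offset %ld\n",
           rc, n, first_oob_header(TRUNCATED, sizeof TRUNCATED));
    rc = walk_checked(WELLFORMED, sizeof WELLFORMED, &n);
    printf("wellformed: rc=%d chunks=%zu (unchecked walk parses %zu, in bounds)\n",
           rc, n, walk_unchecked(WELLFORMED, sizeof WELLFORMED));
    rc = walk_checked(OVERSIZED, sizeof OVERSIZED, &n);
    printf("oversized:  rc=%d chunks=%zu\n", rc, n);
    return 0;
}
```

On TRUNCATED the checked walker stops with -1 after one chunk, while first_oob_header() reports offset 12: the unchecked walker would read the size field at bytes 16..19 of a 17-byte buffer, landing exactly on buf[len] as in the report. Building the same model with -fsanitize=address and calling walk_unchecked() on TRUNCATED produces a heap-buffer-overflow with the region end as the faulting address.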