
Heap-use-after-free scene_manager/loader_xmt.c:531 in xmt_resolve_od_links #2874

Closed
caoxs999 opened this issue Jun 12, 2024 · 2 comments

@caoxs999

version

./MP4Box -version
MP4Box - GPAC version 2.5-DEV-rev228-g11067ea92-master
(c) 2000-2024 Telecom Paris distributed under LGPL v2.1+ - https://gpac.io

Please cite our work in your research:
        GPAC Filters: https://doi.org/10.1145/3339825.3394929
        GPAC: https://doi.org/10.1145/1291233.1291452

GPAC Configuration: --enable-sanitizer
Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SSL GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_LINUX_DVB  GPAC_DISABLE_3D

reproduce

Compile and run

./configure --enable-sanitizer
make
./MP4Box -info poc4

Information

XMT: MPEG-4 (XMT) Scene Parsing
[XMT Parsing] Warning: descriptor InitialObjectDescriptor defined outside scene scope - skipping (line 10)
=================================================================
==18912==ERROR: AddressSanitizer: heap-use-after-free on address 0x607000032052 at pc 0x7f54fc2647ed bp 0x7ffce79c0f30 sp 0x7ffce79c0f20
READ of size 2 at 0x607000032052 thread T0
    #0 0x7f54fc2647ec in xmt_resolve_od_links scene_manager/loader_xmt.c:531
    #1 0x7f54fc2666f0 in load_xmt_run scene_manager/loader_xmt.c:3148
    #2 0x7f54fc93db85 in ctxload_process filters/load_bt_xmt.c:522
    #3 0x7f54fc67ed9d in gf_filter_process_task filter_core/filter.c:3164
    #4 0x7f54fc64a599 in gf_fs_thread_proc filter_core/filter_session.c:2145
    #5 0x7f54fc64e903 in gf_fs_run filter_core/filter_session.c:2452
    #6 0x7f54fc0cc145 in gf_media_import media_tools/media_import.c:1239
    #7 0x5647e6b54da4 in convert_file_info /home/ubuntu/gpac_testt/gpac/applications/mp4box/fileimport.c:130
    #8 0x5647e6b2212d in mp4box_main /home/ubuntu/gpac_testt/gpac/applications/mp4box/mp4box.c:6398
    #9 0x7f54f989fc86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86)
    #10 0x5647e6b01579 in _start (/home/ubuntu/gpac_testt/gpac/bin/gcc/MP4Box+0x87579)

0x607000032052 is located 2 bytes inside of 80-byte region [0x607000032050,0x6070000320a0)
freed by thread T0 here:
    #0 0x7f54fe7b17a8 in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xde7a8)
    #1 0x7f54fbfbab49 in gf_odf_del_iod odf/odf_code.c:442
    #2 0x7f54fb94c1ff in xml_sax_node_end utils/xml_parser.c:265
    #3 0x7f54fb94f965 in xml_sax_parse utils/xml_parser.c:867
    #4 0x7f54fb951cce in gf_xml_sax_parse_intern utils/xml_parser.c:1104
    #5 0x7f54fb952507 in gf_xml_sax_parse utils/xml_parser.c:1132
    #6 0x7f54fb952818 in xml_sax_read_file utils/xml_parser.c:1219
    #7 0x7f54fb9539aa in gf_xml_sax_parse_file utils/xml_parser.c:1331
    #8 0x7f54fc2666ba in load_xmt_run scene_manager/loader_xmt.c:3144
    #9 0x7f54fc93db85 in ctxload_process filters/load_bt_xmt.c:522
    #10 0x7f54fc67ed9d in gf_filter_process_task filter_core/filter.c:3164
    #11 0x7f54fc64a599 in gf_fs_thread_proc filter_core/filter_session.c:2145
    #12 0x7f54fc64e903 in gf_fs_run filter_core/filter_session.c:2452
    #13 0x7f54fc0cc145 in gf_media_import media_tools/media_import.c:1239
    #14 0x5647e6b54da4 in convert_file_info /home/ubuntu/gpac_testt/gpac/applications/mp4box/fileimport.c:130
    #15 0x5647e6b2212d in mp4box_main /home/ubuntu/gpac_testt/gpac/applications/mp4box/mp4box.c:6398
    #16 0x7f54f989fc86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86)

previously allocated by thread T0 here:
    #0 0x7f54fe7b1b40 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb40)
    #1 0x7f54fbfba932 in gf_odf_new_iod odf/odf_code.c:415
    #2 0x7f54fbfc3fe3 in gf_odf_desc_new odf/odf_codec.c:244
    #3 0x7f54fc278e6f in xmt_parse_descriptor scene_manager/loader_xmt.c:1951
    #4 0x7f54fc27bf5d in xmt_node_start scene_manager/loader_xmt.c:2578
    #5 0x7f54fb94cd55 in xml_sax_node_start utils/xml_parser.c:308
    #6 0x7f54fb94fe5d in xml_sax_parse_attribute utils/xml_parser.c:397
    #7 0x7f54fb94fe5d in xml_sax_parse utils/xml_parser.c:940
    #8 0x7f54fb951cce in gf_xml_sax_parse_intern utils/xml_parser.c:1104
    #9 0x7f54fb952507 in gf_xml_sax_parse utils/xml_parser.c:1132
    #10 0x7f54fb952818 in xml_sax_read_file utils/xml_parser.c:1219
    #11 0x7f54fb9539aa in gf_xml_sax_parse_file utils/xml_parser.c:1331
    #12 0x7f54fc2666ba in load_xmt_run scene_manager/loader_xmt.c:3144
    #13 0x7f54fc93db85 in ctxload_process filters/load_bt_xmt.c:522
    #14 0x7f54fc67ed9d in gf_filter_process_task filter_core/filter.c:3164
    #15 0x7f54fc64a599 in gf_fs_thread_proc filter_core/filter_session.c:2145
    #16 0x7f54fc64e903 in gf_fs_run filter_core/filter_session.c:2452
    #17 0x7f54fc0cc145 in gf_media_import media_tools/media_import.c:1239
    #18 0x5647e6b54da4 in convert_file_info /home/ubuntu/gpac_testt/gpac/applications/mp4box/fileimport.c:130
    #19 0x5647e6b2212d in mp4box_main /home/ubuntu/gpac_testt/gpac/applications/mp4box/mp4box.c:6398
    #20 0x7f54f989fc86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86)

SUMMARY: AddressSanitizer: heap-use-after-free scene_manager/loader_xmt.c:531 in xmt_resolve_od_links
Shadow bytes around the buggy address:
  0x0c0e7fffe3b0: 00 00 fa fa fa fa 00 00 00 00 00 00 00 00 00 00
  0x0c0e7fffe3c0: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 fa fa
  0x0c0e7fffe3d0: fa fa 00 00 00 00 00 00 00 00 00 00 fa fa fa fa
  0x0c0e7fffe3e0: 00 00 00 00 00 00 00 00 00 00 fa fa fa fa 00 00
  0x0c0e7fffe3f0: 00 00 00 00 00 00 00 00 fa fa fa fa fd fd fd fd
=>0x0c0e7fffe400: fd fd fd fd fd fd fa fa fa fa[fd]fd fd fd fd fd
  0x0c0e7fffe410: fd fd fd fd fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c0e7fffe420: 00 00 fa fa fa fa 00 00 00 00 00 00 00 00 00 00
  0x0c0e7fffe430: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0e7fffe440: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0e7fffe450: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==18912==ABORTING

poc

poc.zip

@jeanlf jeanlf closed this as completed in f4b3e4d Jun 12, 2024
aureliendavid added a commit that referenced this issue Jun 13, 2024
@aureliendavid
Member

If you don't mind I'll reopen this one with further cases because our fuzzer also found this bug with lots of crash files.

There are 4 main cases for this.

The first one is the poc from the OP, where the double free is in the od_links and is fixed by Jean's commit.

But the double free can also occur in the esd_links list, as with this poc.

Or it can also occur in the ESDescriptors sub list of an od link, as with this file.

Both these cases are fixed by the latest commit mentioned here.

However I still have one related case with this file where the error is a bit different:

utils/list.c:664:12: runtime error: member access within misaligned address 0x000000000001 for type 'const struct GF_List', which requires 8 byte alignment
0x000000000001: note: pointer points here
<memory cannot be printed>
    #0 0x7fdb3ae05ea8 in gf_list_count utils/list.c:664
    #1 0x7fdb3c17edca in CTXLoad_StreamInRootOD filters/load_bt_xmt.c:313
    #2 0x7fdb3c17edca in CTXLoad_StreamInRootOD filters/load_bt_xmt.c:308
    #3 0x7fdb3c17edca in CTXLoad_CheckStreams filters/load_bt_xmt.c:345
    #4 0x7fdb3c181ec7 in ctxload_process filters/load_bt_xmt.c:541
    #5 0x7fdb3be6b3da in gf_filter_process_task filter_core/filter.c:3164
    #6 0x7fdb3be3240b in gf_fs_thread_proc filter_core/filter_session.c:2145
    #7 0x7fdb3be3731e in gf_fs_run filter_core/filter_session.c:2452
    #8 0x7fdb3b721e31 in gf_media_import media_tools/media_import.c:1593
    #9 0x5616b85232bc in import_file /home/enstdevs/gpac/gpac_public/applications/mp4box/fileimport.c:1598
    #10 0x5616b84d7c2e in do_add_cat /home/enstdevs/gpac/gpac_public/applications/mp4box/mp4box.c:4544
    #11 0x5616b84d7c2e in mp4box_main /home/enstdevs/gpac/gpac_public/applications/mp4box/mp4box.c:6218
    #12 0x7fdb388f9d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    #13 0x7fdb388f9e3f in __libc_start_main_impl ../csu/libc-start.c:392
    #14 0x5616b84b2f04 in _start (/home/enstdevs/gpac/gpac_public/bin/gcc/MP4Box+0xadf04)

DEDUP_TOKEN: gf_list_count--CTXLoad_StreamInRootOD--CTXLoad_StreamInRootOD

It looks like a problem with the root_od, but I haven't been able to figure it out yet.
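The three stacks in the OP's report tell the story in order: the IOD is allocated under xmt_parse_descriptor, freed by gf_odf_del_iod when the SAX parser closes the element (the "defined outside scene scope - skipping" warning), and then dereferenced by xmt_resolve_od_links through a link that still holds the old pointer. The cases listed in the comment above are the same pattern in different lists (od_links, esd_links, the ESDescriptors sub list). The following C program is an added illustration and not GPAC code: every type and function name in it (Descriptor, ODLink, LinkList, links_drop_descriptor, and so on) is hypothetical. It models a link list that stores raw descriptor pointers, shows how discarding a descriptor without unlinking leaves a dangling entry for a later resolve pass, and shows the defensive teardown that removes all links to a descriptor before freeing it.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical descriptor, standing in for the object descriptors a scene parser builds. */
typedef struct {
    int id;
    char name[16];
} Descriptor;

/* A link keeps a raw pointer to a descriptor plus the id it must resolve to.
 * The raw pointer is the hazard: nothing ties its lifetime to the descriptor. */
typedef struct {
    Descriptor *desc;
    int target_id;
} ODLink;

typedef struct {
    ODLink *items;
    size_t count, cap;
} LinkList;

static Descriptor *make_desc(int id, const char *name) {
    Descriptor *d = calloc(1, sizeof *d);
    if (!d) abort();
    d->id = id;
    strncpy(d->name, name, sizeof d->name - 1);
    return d;
}

static void list_push(LinkList *l, Descriptor *d, int target_id) {
    if (l->count == l->cap) {
        size_t ncap = l->cap ? l->cap * 2 : 4;
        ODLink *p = realloc(l->items, ncap * sizeof *p);
        if (!p) abort();
        l->items = p;
        l->cap = ncap;
    }
    l->items[l->count].desc = d;
    l->items[l->count].target_id = target_id;
    l->count++;
}

/* Remove every link that references d; returns how many were removed. */
static size_t links_drop_descriptor(LinkList *l, const Descriptor *d) {
    size_t w = 0, removed = 0;
    for (size_t r = 0; r < l->count; r++) {
        if (l->items[r].desc == d) { removed++; continue; }
        l->items[w++] = l->items[r];
    }
    l->count = w;
    return removed;
}

/* Resolution pass: count links whose descriptor id matches the target.
 * It dereferences desc, so every entry must still be live when it runs. */
static size_t links_resolve(const LinkList *l) {
    size_t n = 0;
    for (size_t i = 0; i < l->count; i++)
        if (l->items[i].desc->id == l->items[i].target_id) n++;
    return n;
}

/* Defensive teardown: unlink first, then free. */
static void descriptor_free_safe(LinkList *l, Descriptor *d) {
    links_drop_descriptor(l, d);
    free(d);
}

/* Constructed scenario modelled on the report: an IOD is discarded right after
 * it is seen (out of scope) although a link to it was already recorded.
 * With the safe teardown the later resolve pass only sees the surviving OD. */
size_t demo_safe_resolve(void) {
    LinkList links = {0};
    Descriptor *iod = make_desc(1, "IOD");
    Descriptor *od  = make_desc(2, "OD");
    list_push(&links, iod, 1);
    list_push(&links, od, 2);
    descriptor_free_safe(&links, iod);        /* discard the out-of-scope IOD */
    size_t resolved = links_resolve(&links);  /* no dangling entry remains */
    descriptor_free_safe(&links, od);
    free(links.items);
    return resolved;
}

/* Same scenario without the unlink: counts links still pointing at a descriptor
 * that is no longer in the live set, without dereferencing them. Running
 * links_resolve on this list would read freed memory, which is what ASan flagged. */
size_t demo_unsafe_dangling_links(void) {
    LinkList links = {0};
    Descriptor *iod = make_desc(1, "IOD");
    Descriptor *od  = make_desc(2, "OD");
    list_push(&links, iod, 1);
    list_push(&links, od, 2);
    free(iod);                                /* freed, but links.items[0] still points at it */
    const Descriptor *live[] = { od };
    size_t dangling = 0;
    for (size_t i = 0; i < links.count; i++) {
        int found = 0;
        for (size_t j = 0; j < sizeof live / sizeof live[0]; j++)
            if (links.items[i].desc == live[j]) found = 1;
        if (!found) dangling++;
    }
    free(od);
    free(links.items);
    return dangling;
}
```

The point of the safe path is ownership: whichever code frees a descriptor is responsible for purging every list that references it, because the lists hold no ownership of their own. Building with -fsanitize=address (the OP's --enable-sanitizer build) and adding a resolve pass to the unsafe variant is the quickest way to reproduce the class of report shown above on this toy model.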

@aureliendavid aureliendavid reopened this Jun 13, 2024
aureliendavid added a commit that referenced this issue Jun 17, 2024
@aureliendavid
Member

This should now be OK with the latest fixes.

soheibthriber pushed a commit to soheibthriber/gpac that referenced this issue Jun 18, 2024