Heap-use-after-free scene_manager/loader_xmt.c:531 in xmt_resolve_od_links #2874
Comments
If you don't mind, I'll reopen this one with further cases because our fuzzer also found this bug with lots of crash files. There are 4 main cases for this. The first one is the poc from the OP, where the double free is in the od_links and is fixed by jean's commit. But the double free can also occur in the esd_links list, as with this poc. Or it can also occur in the ESDescriptors sub list of an od link, as with this file. Both these cases are fixed by the latest commit mentioned here. However, I still have one related case with this file where the error is a bit different: it looks like a problem with the root_od, but I haven't been able to figure it out yet.

this should now be ok with the latest fixes
version

```
./MP4Box -version
MP4Box - GPAC version 2.5-DEV-rev228-g11067ea92-master
(c) 2000-2024 Telecom Paris distributed under LGPL v2.1+ - https://gpac.io
Please cite our work in your research:
	GPAC Filters: https://doi.org/10.1145/3339825.3394929
	GPAC: https://doi.org/10.1145/1291233.1291452
GPAC Configuration: --enable-sanitizer
Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SSL GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_LINUX_DVB GPAC_DISABLE_3D
```

reproduce

Compile and run

Information

```
XMT: MPEG-4 (XMT) Scene Parsing
[XMT Parsing] Warning: descriptor InitialObjectDescriptor defined outside scene scope - skipping (line 10)
=================================================================
==18912==ERROR: AddressSanitizer: heap-use-after-free on address 0x607000032052 at pc 0x7f54fc2647ed bp 0x7ffce79c0f30 sp 0x7ffce79c0f20
READ of size 2 at 0x607000032052 thread T0
    #0 0x7f54fc2647ec in xmt_resolve_od_links scene_manager/loader_xmt.c:531
    #1 0x7f54fc2666f0 in load_xmt_run scene_manager/loader_xmt.c:3148
    #2 0x7f54fc93db85 in ctxload_process filters/load_bt_xmt.c:522
    #3 0x7f54fc67ed9d in gf_filter_process_task filter_core/filter.c:3164
    #4 0x7f54fc64a599 in gf_fs_thread_proc filter_core/filter_session.c:2145
    #5 0x7f54fc64e903 in gf_fs_run filter_core/filter_session.c:2452
    #6 0x7f54fc0cc145 in gf_media_import media_tools/media_import.c:1239
    #7 0x5647e6b54da4 in convert_file_info /home/ubuntu/gpac_testt/gpac/applications/mp4box/fileimport.c:130
    #8 0x5647e6b2212d in mp4box_main /home/ubuntu/gpac_testt/gpac/applications/mp4box/mp4box.c:6398
    #9 0x7f54f989fc86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86)
    #10 0x5647e6b01579 in _start (/home/ubuntu/gpac_testt/gpac/bin/gcc/MP4Box+0x87579)

0x607000032052 is located 2 bytes inside of 80-byte region [0x607000032050,0x6070000320a0)
freed by thread T0 here:
    #0 0x7f54fe7b17a8 in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xde7a8)
    #1 0x7f54fbfbab49 in gf_odf_del_iod odf/odf_code.c:442
    #2 0x7f54fb94c1ff in xml_sax_node_end utils/xml_parser.c:265
    #3 0x7f54fb94f965 in xml_sax_parse utils/xml_parser.c:867
    #4 0x7f54fb951cce in gf_xml_sax_parse_intern utils/xml_parser.c:1104
    #5 0x7f54fb952507 in gf_xml_sax_parse utils/xml_parser.c:1132
    #6 0x7f54fb952818 in xml_sax_read_file utils/xml_parser.c:1219
    #7 0x7f54fb9539aa in gf_xml_sax_parse_file utils/xml_parser.c:1331
    #8 0x7f54fc2666ba in load_xmt_run scene_manager/loader_xmt.c:3144
    #9 0x7f54fc93db85 in ctxload_process filters/load_bt_xmt.c:522
    #10 0x7f54fc67ed9d in gf_filter_process_task filter_core/filter.c:3164
    #11 0x7f54fc64a599 in gf_fs_thread_proc filter_core/filter_session.c:2145
    #12 0x7f54fc64e903 in gf_fs_run filter_core/filter_session.c:2452
    #13 0x7f54fc0cc145 in gf_media_import media_tools/media_import.c:1239
    #14 0x5647e6b54da4 in convert_file_info /home/ubuntu/gpac_testt/gpac/applications/mp4box/fileimport.c:130
    #15 0x5647e6b2212d in mp4box_main /home/ubuntu/gpac_testt/gpac/applications/mp4box/mp4box.c:6398
    #16 0x7f54f989fc86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86)

previously allocated by thread T0 here:
    #0 0x7f54fe7b1b40 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb40)
    #1 0x7f54fbfba932 in gf_odf_new_iod odf/odf_code.c:415
    #2 0x7f54fbfc3fe3 in gf_odf_desc_new odf/odf_codec.c:244
    #3 0x7f54fc278e6f in xmt_parse_descriptor scene_manager/loader_xmt.c:1951
    #4 0x7f54fc27bf5d in xmt_node_start scene_manager/loader_xmt.c:2578
    #5 0x7f54fb94cd55 in xml_sax_node_start utils/xml_parser.c:308
    #6 0x7f54fb94fe5d in xml_sax_parse_attribute utils/xml_parser.c:397
    #7 0x7f54fb94fe5d in xml_sax_parse utils/xml_parser.c:940
    #8 0x7f54fb951cce in gf_xml_sax_parse_intern utils/xml_parser.c:1104
    #9 0x7f54fb952507 in gf_xml_sax_parse utils/xml_parser.c:1132
    #10 0x7f54fb952818 in xml_sax_read_file utils/xml_parser.c:1219
    #11 0x7f54fb9539aa in gf_xml_sax_parse_file utils/xml_parser.c:1331
    #12 0x7f54fc2666ba in load_xmt_run scene_manager/loader_xmt.c:3144
    #13 0x7f54fc93db85 in ctxload_process filters/load_bt_xmt.c:522
    #14 0x7f54fc67ed9d in gf_filter_process_task filter_core/filter.c:3164
    #15 0x7f54fc64a599 in gf_fs_thread_proc filter_core/filter_session.c:2145
    #16 0x7f54fc64e903 in gf_fs_run filter_core/filter_session.c:2452
    #17 0x7f54fc0cc145 in gf_media_import media_tools/media_import.c:1239
    #18 0x5647e6b54da4 in convert_file_info /home/ubuntu/gpac_testt/gpac/applications/mp4box/fileimport.c:130
    #19 0x5647e6b2212d in mp4box_main /home/ubuntu/gpac_testt/gpac/applications/mp4box/mp4box.c:6398
    #20 0x7f54f989fc86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86)

SUMMARY: AddressSanitizer: heap-use-after-free scene_manager/loader_xmt.c:531 in xmt_resolve_od_links
Shadow bytes around the buggy address:
  0x0c0e7fffe3b0: 00 00 fa fa fa fa 00 00 00 00 00 00 00 00 00 00
  0x0c0e7fffe3c0: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 fa fa
  0x0c0e7fffe3d0: fa fa 00 00 00 00 00 00 00 00 00 00 fa fa fa fa
  0x0c0e7fffe3e0: 00 00 00 00 00 00 00 00 00 00 fa fa fa fa 00 00
  0x0c0e7fffe3f0: 00 00 00 00 00 00 00 00 fa fa fa fa fd fd fd fd
=>0x0c0e7fffe400: fd fd fd fd fd fd fa fa fa fa[fd]fd fd fd fd fd
  0x0c0e7fffe410: fd fd fd fd fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c0e7fffe420: 00 00 fa fa fa fa 00 00 00 00 00 00 00 00 00 00
  0x0c0e7fffe430: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0e7fffe440: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0e7fffe450: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==18912==ABORTING
```

poc

poc.zip
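The trace above shows the shape of the bug: an InitialObjectDescriptor is allocated while the XML element starts (gf_odf_new_iod via xmt_parse_descriptor), freed when the element ends because it was declared outside scene scope (gf_odf_del_iod via xml_sax_node_end), and then read again by the deferred link-resolution pass (xmt_resolve_od_links) that still holds a pointer to it. The following is an added, self-contained model of that pattern, written for this page; it is not GPAC code, and every type and function name in it (descriptor, pending_link, link_ctx, desc_free_safe, simulate_parse, dangling_links) is hypothetical. It keeps a list of pending links that point at descriptors, frees a descriptor on "element end" either without (unsafe) or with (hardened) first dropping the links that reference it, and then runs the resolve pass. The descriptor tag values are illustrative constants.

```c
/* Added example, not GPAC code: a pending-link list that outlives the object
 * it points to, beside the hardened variant that unlinks before freeing.
 * All names are hypothetical. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_LINKS 16

typedef struct {
    unsigned short tag;     /* 2-byte field at the start of the object, like the READ of size 2 in the report */
    unsigned int   od_id;
    char           url[32];
} descriptor;

typedef struct {
    descriptor *target;     /* raw pointer: nothing tells the list when target is freed */
    char        ref_id[32];
} pending_link;

typedef struct {
    pending_link links[MAX_LINKS];
    size_t       n_links;
} link_ctx;

static descriptor *desc_new(unsigned short tag, unsigned int od_id)
{
    descriptor *d = calloc(1, sizeof(*d));
    if (!d) abort();
    d->tag = tag;
    d->od_id = od_id;
    return d;
}

/* Record a reference to d for resolution after parsing (the od_links role). */
static void link_add(link_ctx *ctx, descriptor *d, const char *ref_id)
{
    if (ctx->n_links >= MAX_LINKS) return;
    pending_link *l = &ctx->links[ctx->n_links++];
    l->target = d;
    strncpy(l->ref_id, ref_id, sizeof(l->ref_id) - 1);
}

/* Vulnerable pattern: free on element end, links left dangling. */
static void desc_free_unsafe(link_ctx *ctx, descriptor *d)
{
    (void)ctx;
    free(d);
}

/* Hardened pattern: drop every pending link to d, then free. */
static void desc_free_safe(link_ctx *ctx, descriptor *d)
{
    size_t i = 0;
    while (i < ctx->n_links) {
        if (ctx->links[i].target == d)
            ctx->links[i] = ctx->links[--ctx->n_links];   /* swap-remove */
        else
            i++;
    }
    free(d);
}

/* Deferred resolve pass: reads target->tag for each link. With a dangling
 * link this 2-byte read is the use-after-free. Returns links resolved. */
static unsigned int resolve_links(const link_ctx *ctx)
{
    unsigned int n = 0;
    for (size_t i = 0; i < ctx->n_links; i++)
        if (ctx->links[i].target->tag != 0) n++;
    return n;
}

/* Number of links left after the out-of-scope descriptor is freed:
 * 1 with the unsafe free (dangling), 0 with the hardened free. Touches no freed memory. */
size_t dangling_links(int safe)
{
    link_ctx ctx = {0};
    descriptor *iod = desc_new(0x02, 1);    /* out-of-scope InitialObjectDescriptor */
    link_add(&ctx, iod, "iod-ref");
    if (safe) desc_free_safe(&ctx, iod); else desc_free_unsafe(&ctx, iod);
    return ctx.n_links;
}

/* Full sequence: parse IOD, link it, element end frees it, parse a valid OD,
 * resolve. safe == 0 reproduces the dangling read (run under -fsanitize=address). */
unsigned int simulate_parse(int safe)
{
    link_ctx ctx = {0};
    descriptor *iod = desc_new(0x02, 1);
    link_add(&ctx, iod, "iod-ref");
    if (safe) desc_free_safe(&ctx, iod); else desc_free_unsafe(&ctx, iod);
    descriptor *od = desc_new(0x01, 2);     /* a descriptor that stays alive */
    link_add(&ctx, od, "od-ref");
    unsigned int n = resolve_links(&ctx);
    desc_free_safe(&ctx, od);
    return n;
}

int main(void)
{
    printf("hardened: %u link(s) resolved, %zu dangling\n", simulate_parse(1), dangling_links(1));
    return 0;   /* simulate_parse(0) is the ASan-reportable path */
}
```

The check that matters when reviewing a fix of this kind is not only that the descriptor's own owner frees it once, but that every side table holding a raw pointer to it (od links, esd links, the ESDescriptors sub-list mentioned in the comment above) is purged or re-owned before the free, since the resolve pass cannot tell a live target from a freed one.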