CVE-2019-20163: AddressSanitizer: NULL pointer dereference in gf_odf_avc_cfg_write_bs odf/descriptors.c:567 · Issue #1335 · gpac/gpac
An issue was discovered in GPAC version 0.8.0 and 0.9.0-development-20191109. There is a NULL pointer dereference in the function gf_odf_avc_cfg_write_bs() in odf/descriptors.c.
System info:
Ubuntu 16.04.6 LTS, X64, gcc 5.4.0, gpac (latest master 00dfc93)
Compile Command:
$ CC="gcc -fsanitize=address -g" CXX="g++ -fsanitize=address -g" ./configure --static-mp4box
$ make
Run Command:
$ MP4Box -diso -out /dev/null $POC-new-gf_odf_avc_cfg_write_bs
POC file:
https://github.com/Clingto/POC/blob/master/gpac-MP4Box/gpac-00dfc93-crashes/POC-new-gf_odf_avc_cfg_write_bs
gdb info:
Program received signal SIGSEGV, Segmentation fault.
0x000000000055aeee in gf_odf_avc_cfg_write_bs ()
(gdb) bt
#0  0x000000000055aeee in gf_odf_avc_cfg_write_bs ()
#1  0x000000000055b1ff in gf_odf_avc_cfg_write ()
#2  0x00000000004f9ba1 in AVC_RewriteESDescriptorEx ()
#3  0x00000000006cf2a8 in video_sample_entry_Read ()
#4  0x0000000000512ce5 in gf_isom_box_parse_ex ()
#5  0x000000000051333b in gf_isom_box_array_read_ex ()
#6  0x0000000000512ce5 in gf_isom_box_parse_ex ()
#7  0x000000000051333b in gf_isom_box_array_read_ex ()
#8  0x00000000006d09d0 in stbl_Read ()
#9  0x0000000000512ce5 in gf_isom_box_parse_ex ()
#10 0x000000000051333b in gf_isom_box_array_read_ex ()
#11 0x00000000006ce02b in minf_Read ()
#12 0x0000000000512ce5 in gf_isom_box_parse_ex ()
#13 0x000000000051333b in gf_isom_box_array_read_ex ()
#14 0x00000000006cd2f0 in mdia_Read ()
#15 0x0000000000512ce5 in gf_isom_box_parse_ex ()
#16 0x000000000051333b in gf_isom_box_array_read_ex ()
#17 0x00000000006d351d in trak_Read ()
#18 0x0000000000512ce5 in gf_isom_box_parse_ex ()
#19 0x000000000051333b in gf_isom_box_array_read_ex ()
#20 0x00000000006ce545 in moov_Read ()
#21 0x00000000005137e1 in gf_isom_box_parse_ex.constprop ()
#22 0x0000000000513e15 in gf_isom_parse_root_box ()
#23 0x000000000051b4fe in gf_isom_parse_movie_boxes.part ()
#24 0x000000000051c48c in gf_isom_open_file ()
#25 0x000000000041c082 in mp4boxMain ()
#26 0x00007ffff72ed830 in __libc_start_main (main=0x40eb70 <main>, argc=5, argv=0x7fffffffe318, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe308) at …/csu/libc-start.c:291
#27 0x000000000040eba9 in _start ()
ASAN info:
ASAN:SIGSEGV
==25871==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000008 (pc 0x000000797a2b bp 0x60200000ed98 sp 0x7fffffff7230 T0)
#0  0x797a2a in gf_odf_avc_cfg_write_bs odf/descriptors.c:567
#1  0x79821e in gf_odf_avc_cfg_write odf/descriptors.c:631
#2  0x68b393 in AVC_RewriteESDescriptorEx isomedia/avc_ext.c:1063
#3  0xaddd66 in video_sample_entry_Read isomedia/box_code_base.c:4408
#4  0x6c3d6e in gf_isom_box_read isomedia/box_funcs.c:1528
#5  0x6c3d6e in gf_isom_box_parse_ex isomedia/box_funcs.c:208
#6  0x6c47bc in gf_isom_box_array_read_ex isomedia/box_funcs.c:1419
#7  0x6c3d6e in gf_isom_box_read isomedia/box_funcs.c:1528
#8  0x6c3d6e in gf_isom_box_parse_ex isomedia/box_funcs.c:208
#9  0x6c47bc in gf_isom_box_array_read_ex isomedia/box_funcs.c:1419
#10 0xae19df in stbl_Read isomedia/box_code_base.c:5381
#11 0x6c3d6e in gf_isom_box_read isomedia/box_funcs.c:1528
#12 0x6c3d6e in gf_isom_box_parse_ex isomedia/box_funcs.c:208
#13 0x6c47bc in gf_isom_box_array_read_ex isomedia/box_funcs.c:1419
#14 0xadb4fe in minf_Read isomedia/box_code_base.c:3500
#15 0x6c3d6e in gf_isom_box_read isomedia/box_funcs.c:1528
#16 0x6c3d6e in gf_isom_box_parse_ex isomedia/box_funcs.c:208
#17 0x6c47bc in gf_isom_box_array_read_ex isomedia/box_funcs.c:1419
#18 0xad96ef in mdia_Read isomedia/box_code_base.c:3021
#19 0x6c3d6e in gf_isom_box_read isomedia/box_funcs.c:1528
#20 0x6c3d6e in gf_isom_box_parse_ex isomedia/box_funcs.c:208
#21 0x6c47bc in gf_isom_box_array_read_ex isomedia/box_funcs.c:1419
#22 0xae8ad8 in trak_Read isomedia/box_code_base.c:7129
#23 0x6c3d6e in gf_isom_box_read isomedia/box_funcs.c:1528
#24 0x6c3d6e in gf_isom_box_parse_ex isomedia/box_funcs.c:208
#25 0x6c47bc in gf_isom_box_array_read_ex isomedia/box_funcs.c:1419
#26 0xadc064 in moov_Read isomedia/box_code_base.c:3745
#27 0x6c5114 in gf_isom_box_read isomedia/box_funcs.c:1528
#28 0x6c5114 in gf_isom_box_parse_ex isomedia/box_funcs.c:208
#29 0x6c5974 in gf_isom_parse_root_box isomedia/box_funcs.c:42
#30 0x6da6a0 in gf_isom_parse_movie_boxes isomedia/isom_intern.c:206
#31 0x6dd2f3 in gf_isom_parse_movie_boxes isomedia/isom_intern.c:194
#32 0x6dd2f3 in gf_isom_open_file isomedia/isom_intern.c:615
#33 0x42f88a in mp4boxMain /home/aota09/yyp/fuzzcompare/test/gpac/test-crash/build_asan_00dfc93/applications/mp4box/main.c:4767
#34 0x7ffff638082f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#35 0x41e228 in _start (/home/aota09/yyp/fuzzcompare/test/gpac/test-crash/bin_asan/bin/MP4Box+0x41e228)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV odf/descriptors.c:567 gf_odf_avc_cfg_write_bs
==25871==ABORTING
This bug still exists in the latest versions: 0.8.0 (4c19ae5) and 0.9.0 (1de1f8d).
Addition: This bug was found with our fuzzer, which is based on AFL. Our fuzzer is developed by Yuanpingyu ([email protected]), Yanhao and Marsman1996 ([email protected]).
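Editor's note with an added example (not GPAC's code, and not from the reporter). An ASan "SEGV on unknown address 0x000000000008" with no further info is the typical signature of reading a field at offset 8 through a NULL struct pointer; here the crash is in the function that serialises an AVC decoder configuration while a sample entry's ES descriptor is being rewritten. The block below is a hypothetical, simplified AVCDecoderConfigurationRecord writer showing the shape of the guard such a path needs: it returns an error for a NULL config, a malformed field or a too-small buffer instead of dereferencing. The struct `avc_cfg_t`, the function names and the sample SPS/PPS bytes are all constructed for this illustration and do not correspond to GPAC's `GF_AVCConfig` or `gf_odf_avc_cfg_write_bs`.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical, simplified AVC decoder configuration (not GPAC's GF_AVCConfig). */
typedef struct {
    uint8_t configurationVersion;
    uint8_t AVCProfileIndication;
    uint8_t profile_compatibility;
    uint8_t AVCLevelIndication;
    uint8_t nal_unit_size;      /* 1, 2 or 4 bytes per NAL length field */
    const uint8_t *sps;         /* a single SPS and a single PPS, for brevity */
    size_t sps_len;
    const uint8_t *pps;
    size_t pps_len;
} avc_cfg_t;

/* Serialise cfg as an AVCDecoderConfigurationRecord into out.
 * Returns the number of bytes written, or -1 when cfg/out is NULL, a field is
 * invalid, or out is too small. The NULL check up front is the guard a crash
 * at "unknown address 0x8" indicates is missing on the failing path. */
int avc_cfg_write(const avc_cfg_t *cfg, uint8_t *out, size_t out_len)
{
    if (!cfg || !out) return -1;
    if (cfg->nal_unit_size != 1 && cfg->nal_unit_size != 2 && cfg->nal_unit_size != 4) return -1;
    if (cfg->sps_len > 0xFFFF || cfg->pps_len > 0xFFFF) return -1;   /* 16-bit length fields */
    if ((cfg->sps_len && !cfg->sps) || (cfg->pps_len && !cfg->pps)) return -1;

    size_t need = 6 + (cfg->sps_len ? 2 + cfg->sps_len : 0)
                + 1 + (cfg->pps_len ? 2 + cfg->pps_len : 0);
    if (need > out_len) return -1;

    size_t p = 0;
    out[p++] = cfg->configurationVersion;
    out[p++] = cfg->AVCProfileIndication;
    out[p++] = cfg->profile_compatibility;
    out[p++] = cfg->AVCLevelIndication;
    out[p++] = (uint8_t)(0xFC | (cfg->nal_unit_size - 1));   /* reserved '111111' + lengthSizeMinusOne */
    out[p++] = (uint8_t)(0xE0 | (cfg->sps_len ? 1 : 0));     /* reserved '111' + numOfSequenceParameterSets */
    if (cfg->sps_len) {
        out[p++] = (uint8_t)(cfg->sps_len >> 8);
        out[p++] = (uint8_t)(cfg->sps_len & 0xFF);
        memcpy(out + p, cfg->sps, cfg->sps_len);
        p += cfg->sps_len;
    }
    out[p++] = (uint8_t)(cfg->pps_len ? 1 : 0);              /* numOfPictureParameterSets */
    if (cfg->pps_len) {
        out[p++] = (uint8_t)(cfg->pps_len >> 8);
        out[p++] = (uint8_t)(cfg->pps_len & 0xFF);
        memcpy(out + p, cfg->pps, cfg->pps_len);
        p += cfg->pps_len;
    }
    return (int)p;
}

/* Constructed sample parameter sets for the demo (not taken from a real stream). */
static const uint8_t kSps[] = { 0x67, 0x42, 0x00, 0x1E, 0xAB };
static const uint8_t kPps[] = { 0x68, 0xCE, 0x38, 0x80 };

/* Writes the constructed sample record; returns its length (20 bytes) or -1. */
int write_sample(uint8_t *out, size_t out_len)
{
    avc_cfg_t cfg = { 1, 0x42, 0x00, 0x1E, 4, kSps, sizeof kSps, kPps, sizeof kPps };
    return avc_cfg_write(&cfg, out, out_len);
}

int main(void)
{
    uint8_t buf[64];
    int n = write_sample(buf, sizeof buf);
    printf("sample record: %d bytes\n", n);
    for (int i = 0; i < n; i++) printf("%02X ", buf[i]);
    printf("\n");
    /* The situation the report hits: there is no config to write. Error, not a crash. */
    printf("NULL cfg -> %d\n", avc_cfg_write(NULL, buf, sizeof buf));
    return 0;
}
```

When triaging a report like this one, the useful check is the same in any serialiser reached from a parser: the writer must not assume the object the reader was supposed to build exists, because a fuzzed sample entry can reach the rewrite path with nothing to rewrite.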