Headline
CVE-2019-20165: ERROR: AddressSanitizer: NULL pointer dereference in ilst_item_Read isomedia/box_code_apple.c:119 · Issue #1338 · gpac/gpac
An issue was discovered in GPAC version 0.8.0 and 0.9.0-development-20191109. There is a NULL pointer dereference in the function ilst_item_Read() in isomedia/box_code_apple.c.
Hello, I found a similar issue but I am not sure they are the same.
#1263
System info:
Ubuntu 16.04.6 LTS, X64, gcc 5.4.0, gpac (latest master 00dfc93)
Compile Command:
$ CC="gcc -fsanitize=address -g" CXX="g++ -fsanitize=address -g" ./configure --static-mp4box
$ make
Run Command:
$ MP4Box -diso -out /dev/null $POC-new-ilst_item_Read
POC file:
https://github.com/Clingto/POC/blob/master/gpac-MP4Box/gpac-00dfc93-crashes/POC-new-ilst_item_Read
gdb info:
Program received signal SIGSEGV, Segmentation fault. 0x00000000006c499d in ilst_item_Read () (gdb) bt #0 0x00000000006c499d in ilst_item_Read () #1 0x00000000005137e1 in gf_isom_box_parse_ex.constprop () #2 0x0000000000513e15 in gf_isom_parse_root_box () #3 0x000000000051b4fe in gf_isom_parse_movie_boxes.part () #4 0x000000000051c48c in gf_isom_open_file () #5 0x000000000041c082 in mp4boxMain () #6 0x00007ffff72ed830 in __libc_start_main (main=0x40eb70 <main>, argc=5, argv=0x7fffffffe318, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe308) at …/csu/libc-start.c:291 #7 0x000000000040eba9 in _start ()
ASAN info:
ASAN:SIGSEGV
==27902==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000008 (pc 0x000000ac4185 bp 0x7fffffff8230 sp 0x7fffffff8220 T0) #0 0xac4184 in ilst_item_Read isomedia/box_code_apple.c:119 #1 0x6c5114 in gf_isom_box_read isomedia/box_funcs.c:1528 #2 0x6c5114 in gf_isom_box_parse_ex isomedia/box_funcs.c:208 #3 0x6c5974 in gf_isom_parse_root_box isomedia/box_funcs.c:42 #4 0x6da6a0 in gf_isom_parse_movie_boxes isomedia/isom_intern.c:206 #5 0x6dd2f3 in gf_isom_parse_movie_boxes isomedia/isom_intern.c:194 #6 0x6dd2f3 in gf_isom_open_file isomedia/isom_intern.c:615 #7 0x42f88a in mp4boxMain /home/aota09/yyp/fuzzcompare/test/gpac/test-crash/build_asan_00dfc93/applications/mp4box/main.c:4767 #8 0x7ffff638082f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f) #9 0x41e228 in _start (/home/aota09/yyp/fuzzcompare/test/gpac/test-crash/bin_asan/bin/MP4Box+0x41e228)
AddressSanitizer can not provide additional info. SUMMARY: AddressSanitizer: SEGV isomedia/box_code_apple.c:119 ilst_item_Read ==27902==ABORTING
Edit
This bug issue still exists in latest version 0.8.0: 4c19ae5 and 0.9.0: 1de1f8d
Addition: This bug was found with our fuzzer, which is based on AFL. Our fuzzer is developed by Yuanpingyu([email protected]) 、Yanhao and Marsman1996([email protected])