Headline
CVE-2023-39562: A `heap-use-after-free` crash in bitstream.c:1225:19 in gf_bs_align · Issue #2537 · gpac/gpac
GPAC v2.3-DEV-rev449-g5948e4f70-master was discovered to contain a heap-use-after-free via the gf_bs_align function at bitstream.c. This vulnerability allows attackers to cause a Denial of Service (DoS) via supplying a crafted file.
Description
While fuzzing yasm, a “heap-use-after-free” crash occurs, which was positioned in /gpac/src/utils/bitstream.c:1225:19 in gf_bs_align.
This bug may allow attackers to cause remote malicious code execution and denial of service via crafted files.
Software version info
/AFLplusplus/my_test/fuzz_gpac # ./install/bin/MP4Box -version
MP4Box - GPAC version 2.3-DEV-rev449-g5948e4f70-master
(c) 2000-2023 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
System version info
/AFLplusplus/my_test/fuzz_gpac # uname -a
Linux 1344a5115a85 5.15.0-76-generic #83~20.04.1-Ubuntu SMP Wed Jun 21 20:23:31 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux
Command to reproduce
./MP4Box -xmt poc
Result
[iso file] Unknown box type 0000bt in parent moov
[iso file] Read Box type 00000000 (0x00000000) at position 1484 has size 0 but is not at root/file level. Forbidden, skipping end of parent box !
[iso file] Box "moov" (start 0) has 16719 extra bytes
[iso file] Box "cmvd" (start 0) has 3 extra bytes
=================================================================
==102==ERROR: AddressSanitizer: heap-use-after-free on address 0x6110000001a4 at pc 0x7fc2471e90b9 bp 0x7ffd7e96f7b0 sp 0x7ffd7e96f7a8
READ of size 4 at 0x6110000001a4 thread T0
#0 0x7fc2471e90b8 in gf_bs_align /AFLplusplus/my_test/gpac/src/utils/bitstream.c:1225:19
#1 0x7fc2471f9825 in gf_bs_skip_bytes /AFLplusplus/my_test/gpac/src/utils/bitstream.c:1371:2
#2 0x7fc247e0c122 in gf_isom_box_parse_ex /AFLplusplus/my_test/gpac/src/isomedia/box_funcs.c:381:3
#3 0x7fc247e1202e in gf_isom_box_array_read /AFLplusplus/my_test/gpac/src/isomedia/box_funcs.c:1891:7
#4 0x7fc247cbcc00 in moov_box_read /AFLplusplus/my_test/gpac/src/isomedia/box_code_base.c:3920:9
#5 0x7fc247e0e2bc in gf_isom_box_read /AFLplusplus/my_test/gpac/src/isomedia/box_funcs.c:1998:9
#6 0x7fc247e0b57d in gf_isom_box_parse_ex /AFLplusplus/my_test/gpac/src/isomedia/box_funcs.c:309:14
#7 0x7fc247e0870f in gf_isom_parse_root_box /AFLplusplus/my_test/gpac/src/isomedia/box_funcs.c:38:8
#8 0x7fc247e4dd88 in gf_isom_parse_movie_boxes_internal /AFLplusplus/my_test/gpac/src/isomedia/isom_intern.c:385:7
#9 0x7fc247e4d3f7 in gf_isom_parse_movie_boxes /AFLplusplus/my_test/gpac/src/isomedia/isom_intern.c:897:6
#10 0x7fc247e5c426 in gf_isom_open_file /AFLplusplus/my_test/gpac/src/isomedia/isom_intern.c:1023:19
#11 0x7fc247e6cf8e in gf_isom_open /AFLplusplus/my_test/gpac/src/isomedia/isom_read.c:531:11
#12 0x55fdd8167c04 in mp4box_main /AFLplusplus/my_test/gpac/applications/mp4box/mp4box.c:6291:12
#13 0x55fdd818ca05 in main /AFLplusplus/my_test/gpac/applications/mp4box/mp4box.c:6933:1
#14 0x7fc2466f6d8f (/lib/x86_64-linux-gnu/libc.so.6+0x29d8f) (BuildId: 69389d485a9793dbe873f0ea2c93e02efaa9aa3d)
#15 0x7fc2466f6e3f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x29e3f) (BuildId: 69389d485a9793dbe873f0ea2c93e02efaa9aa3d)
#16 0x55fdd8079be4 in _start (/AFLplusplus/my_test/fuzz_gpac/install/bin/MP4Box+0xebbe4) (BuildId: fc72159612509ffb)
0x6110000001a4 is located 36 bytes inside of 200-byte region [0x611000000180,0x611000000248)
freed by thread T0 here:
#0 0x55fdd80fc782 in free (/AFLplusplus/my_test/fuzz_gpac/install/bin/MP4Box+0x16e782) (BuildId: fc72159612509ffb)
#1 0x7fc2472250a8 in gf_free /AFLplusplus/my_test/gpac/src/utils/alloc.c:165:2
#2 0x7fc2471e46c6 in gf_bs_del /AFLplusplus/my_test/gpac/src/utils/bitstream.c:381:2
#3 0x7fc247e0b6ec in gf_isom_box_parse_ex /AFLplusplus/my_test/gpac/src/isomedia/box_funcs.c:319:3
#4 0x7fc247e1202e in gf_isom_box_array_read /AFLplusplus/my_test/gpac/src/isomedia/box_funcs.c:1891:7
#5 0x7fc247cbcc00 in moov_box_read /AFLplusplus/my_test/gpac/src/isomedia/box_code_base.c:3920:9
#6 0x7fc247e0e2bc in gf_isom_box_read /AFLplusplus/my_test/gpac/src/isomedia/box_funcs.c:1998:9
#7 0x7fc247e0b57d in gf_isom_box_parse_ex /AFLplusplus/my_test/gpac/src/isomedia/box_funcs.c:309:14
#8 0x7fc247e0870f in gf_isom_parse_root_box /AFLplusplus/my_test/gpac/src/isomedia/box_funcs.c:38:8
#9 0x7fc247e4dd88 in gf_isom_parse_movie_boxes_internal /AFLplusplus/my_test/gpac/src/isomedia/isom_intern.c:385:7
#10 0x7fc247e4d3f7 in gf_isom_parse_movie_boxes /AFLplusplus/my_test/gpac/src/isomedia/isom_intern.c:897:6
#11 0x7fc247e5c426 in gf_isom_open_file /AFLplusplus/my_test/gpac/src/isomedia/isom_intern.c:1023:19
#12 0x7fc247e6cf8e in gf_isom_open /AFLplusplus/my_test/gpac/src/isomedia/isom_read.c:531:11
#13 0x55fdd8167c04 in mp4box_main /AFLplusplus/my_test/gpac/applications/mp4box/mp4box.c:6291:12
#14 0x55fdd818ca05 in main /AFLplusplus/my_test/gpac/applications/mp4box/mp4box.c:6933:1
#15 0x7fc2466f6d8f (/lib/x86_64-linux-gnu/libc.so.6+0x29d8f) (BuildId: 69389d485a9793dbe873f0ea2c93e02efaa9aa3d)
previously allocated by thread T0 here:
#0 0x55fdd80fca2e in malloc (/AFLplusplus/my_test/fuzz_gpac/install/bin/MP4Box+0x16ea2e) (BuildId: fc72159612509ffb)
#1 0x7fc247224fc8 in gf_malloc /AFLplusplus/my_test/gpac/src/utils/alloc.c:150:9
#2 0x7fc2471e0c1c in gf_bs_new /AFLplusplus/my_test/gpac/src/utils/bitstream.c:135:38
#3 0x7fc247e09f1c in gf_isom_box_parse_ex /AFLplusplus/my_test/gpac/src/isomedia/box_funcs.c:207:17
#4 0x7fc247e1202e in gf_isom_box_array_read /AFLplusplus/my_test/gpac/src/isomedia/box_funcs.c:1891:7
#5 0x7fc247cbcc00 in moov_box_read /AFLplusplus/my_test/gpac/src/isomedia/box_code_base.c:3920:9
#6 0x7fc247e0e2bc in gf_isom_box_read /AFLplusplus/my_test/gpac/src/isomedia/box_funcs.c:1998:9
#7 0x7fc247e0b57d in gf_isom_box_parse_ex /AFLplusplus/my_test/gpac/src/isomedia/box_funcs.c:309:14
#8 0x7fc247e0870f in gf_isom_parse_root_box /AFLplusplus/my_test/gpac/src/isomedia/box_funcs.c:38:8
#9 0x7fc247e4dd88 in gf_isom_parse_movie_boxes_internal /AFLplusplus/my_test/gpac/src/isomedia/isom_intern.c:385:7
#10 0x7fc247e4d3f7 in gf_isom_parse_movie_boxes /AFLplusplus/my_test/gpac/src/isomedia/isom_intern.c:897:6
#11 0x7fc247e5c426 in gf_isom_open_file /AFLplusplus/my_test/gpac/src/isomedia/isom_intern.c:1023:19
#12 0x7fc247e6cf8e in gf_isom_open /AFLplusplus/my_test/gpac/src/isomedia/isom_read.c:531:11
#13 0x55fdd8167c04 in mp4box_main /AFLplusplus/my_test/gpac/applications/mp4box/mp4box.c:6291:12
#14 0x55fdd818ca05 in main /AFLplusplus/my_test/gpac/applications/mp4box/mp4box.c:6933:1
#15 0x7fc2466f6d8f (/lib/x86_64-linux-gnu/libc.so.6+0x29d8f) (BuildId: 69389d485a9793dbe873f0ea2c93e02efaa9aa3d)
SUMMARY: AddressSanitizer: heap-use-after-free /AFLplusplus/my_test/gpac/src/utils/bitstream.c:1225:19 in gf_bs_align
Shadow bytes around the buggy address:
0x0c227fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c227fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c227fff8000: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
0x0c227fff8010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c227fff8020: 00 fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c227fff8030: fd fd fd fd[fd]fd fd fd fd fd fd fd fd fd fd fd
0x0c227fff8040: fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa
0x0c227fff8050: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
0x0c227fff8060: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c227fff8070: fd fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c227fff8080: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==102==ABORTING
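As an added triage example (not code from the issue or from GPAC), the Python below reads the AddressSanitizer report above, checks that its region metadata is self-consistent, computes the address of the marked shadow byte (assuming the default x86_64 Linux shadow mapping, (addr >> 3) + 0x7fff8000), and finds the innermost function that appears in both the use stack and the free stack. For this report that function is gf_isom_box_parse_ex, which frees the bitstream through gf_bs_del at box_funcs.c:319 and reaches it again through gf_bs_skip_bytes at box_funcs.c:381. The report text embedded in the block is an excerpt copied from the output above with the outer frames trimmed.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed excerpt of the AddressSanitizer report quoted in the issue above
# (outer frames trimmed; the innermost ones are what triage needs).
ASAN_REPORT = """\
==102==ERROR: AddressSanitizer: heap-use-after-free on address 0x6110000001a4 at pc 0x7fc2471e90b9 bp 0x7ffd7e96f7b0 sp 0x7ffd7e96f7a8
READ of size 4 at 0x6110000001a4 thread T0
    #0 0x7fc2471e90b8 in gf_bs_align /AFLplusplus/my_test/gpac/src/utils/bitstream.c:1225:19
    #1 0x7fc2471f9825 in gf_bs_skip_bytes /AFLplusplus/my_test/gpac/src/utils/bitstream.c:1371:2
    #2 0x7fc247e0c122 in gf_isom_box_parse_ex /AFLplusplus/my_test/gpac/src/isomedia/box_funcs.c:381:3
    #3 0x7fc247e1202e in gf_isom_box_array_read /AFLplusplus/my_test/gpac/src/isomedia/box_funcs.c:1891:7
0x6110000001a4 is located 36 bytes inside of 200-byte region [0x611000000180,0x611000000248)
freed by thread T0 here:
    #0 0x55fdd80fc782 in free (/AFLplusplus/my_test/fuzz_gpac/install/bin/MP4Box+0x16e782) (BuildId: fc72159612509ffb)
    #1 0x7fc2472250a8 in gf_free /AFLplusplus/my_test/gpac/src/utils/alloc.c:165:2
    #2 0x7fc2471e46c6 in gf_bs_del /AFLplusplus/my_test/gpac/src/utils/bitstream.c:381:2
    #3 0x7fc247e0b6ec in gf_isom_box_parse_ex /AFLplusplus/my_test/gpac/src/isomedia/box_funcs.c:319:3
previously allocated by thread T0 here:
    #0 0x55fdd80fca2e in malloc (/AFLplusplus/my_test/fuzz_gpac/install/bin/MP4Box+0x16ea2e) (BuildId: fc72159612509ffb)
    #1 0x7fc247224fc8 in gf_malloc /AFLplusplus/my_test/gpac/src/utils/alloc.c:150:9
    #2 0x7fc2471e0c1c in gf_bs_new /AFLplusplus/my_test/gpac/src/utils/bitstream.c:135:38
    #3 0x7fc247e09f1c in gf_isom_box_parse_ex /AFLplusplus/my_test/gpac/src/isomedia/box_funcs.c:207:17
SUMMARY: AddressSanitizer: heap-use-after-free /AFLplusplus/my_test/gpac/src/utils/bitstream.c:1225:19 in gf_bs_align
"""

# Assumption: default ASan shadow mapping on x86_64 Linux, shadow = (addr >> 3) + 0x7fff8000.
SHADOW_OFFSET_X86_64 = 0x7FFF8000


@dataclass
class Frame:
    depth: int
    func: str
    file: Optional[str]   # None for frames without debug info (module+offset only)
    line: Optional[int]


@dataclass
class AsanReport:
    kind: str = ""
    address: int = 0
    access: str = ""          # READ or WRITE
    access_size: int = 0
    region_offset: int = 0
    region_size: int = 0
    region_start: int = 0
    region_end: int = 0
    stacks: dict = field(default_factory=lambda: {"access": [], "free": [], "alloc": []})


HEADER_RE = re.compile(r"ERROR: AddressSanitizer: (\S+) on address (0x[0-9a-f]+)")
ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+) at 0x[0-9a-f]+")
REGION_RE = re.compile(r"is located (\d+) bytes inside of (\d+)-byte region \[(0x[0-9a-f]+),(0x[0-9a-f]+)\)")
FRAME_RE = re.compile(r"^\s*#(\d+)\s+0x[0-9a-f]+\s+in\s+(\S+)\s+(.*)$")
LOC_RE = re.compile(r"^(\S+?):(\d+)(?::\d+)?$")   # path:line[:column]


def parse_frame(line: str) -> Optional[Frame]:
    m = FRAME_RE.match(line)
    if not m:
        return None
    depth, func, rest = int(m.group(1)), m.group(2), m.group(3).strip()
    loc = LOC_RE.match(rest)
    if loc:
        return Frame(depth, func, loc.group(1), int(loc.group(2)))
    return Frame(depth, func, None, None)


def parse_asan_report(text: str) -> AsanReport:
    """Split the report into its header, the access/free/alloc stacks and the region line."""
    rep, current = AsanReport(), None
    for line in text.splitlines():
        h = HEADER_RE.search(line)
        if h:
            rep.kind, rep.address = h.group(1), int(h.group(2), 16)
            continue
        a = ACCESS_RE.match(line)
        if a:
            rep.access, rep.access_size, current = a.group(1), int(a.group(2)), "access"
            continue
        r = REGION_RE.search(line)
        if r:
            rep.region_offset, rep.region_size = int(r.group(1)), int(r.group(2))
            rep.region_start, rep.region_end = int(r.group(3), 16), int(r.group(4), 16)
            current = None
            continue
        if line.startswith("freed by thread"):
            current = "free"
            continue
        if line.startswith("previously allocated by thread"):
            current = "alloc"
            continue
        if line.startswith("SUMMARY:"):
            break
        fr = parse_frame(line)
        if fr and current:
            rep.stacks[current].append(fr)
    return rep


def region_consistent(rep: AsanReport) -> bool:
    """Sanity check: the 'N bytes inside of M-byte region [a,b)' line must agree with itself."""
    return (rep.address - rep.region_start == rep.region_offset
            and rep.region_end - rep.region_start == rep.region_size)


def shadow_address(addr: int) -> int:
    return (addr >> 3) + SHADOW_OFFSET_X86_64


def lifetime_owner(rep: AsanReport):
    """Innermost function present in both the use stack and the free stack: the frame
    that most likely owns the object whose lifetime was mismanaged. Returns (use, free)."""
    free_by_func = {}
    for f in rep.stacks["free"]:
        free_by_func.setdefault(f.func, f)     # keep the innermost occurrence
    for use in rep.stacks["access"]:
        if use.func in free_by_func:
            return use, free_by_func[use.func]
    return None


def summarize(rep: AsanReport) -> str:
    out = [f"{rep.kind}: {rep.access} of {rep.access_size} bytes at {rep.address:#x}",
           f"offset {rep.region_offset} into {rep.region_size}-byte region, "
           f"shadow byte at {shadow_address(rep.address):#x}",
           "region metadata consistent" if region_consistent(rep) else "region metadata INCONSISTENT"]
    owner = lifetime_owner(rep)
    if owner:
        use, freed = owner
        out.append(f"lifetime owner: {use.func} frees at {freed.file}:{freed.line} "
                   f"and reuses at {use.file}:{use.line}")
    return "\n".join(out)


if __name__ == "__main__":
    print(summarize(parse_asan_report(ASAN_REPORT)))
```

The "lifetime owner" heuristic is the useful part for triage: it points past the generic helpers (gf_bs_align, gf_free) at the one function that both released the bitstream and kept using it, which is where a fix or a regression test belongs. The shadow computation reproduces the `=>` row of the report (0x0c227fff8034 falls in the 0x0c227fff8030 row, fifth byte, marked `[fd]` = freed heap).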
Poc
Use the PoC in the attachment or at the following link.
poc.zip
https://github.com/ChanStormstout/Pocs/blob/master/gpac_POC/id%3A000000%2Csig%3A06%2Csrc%3A003771%2Ctime%3A328254%2Cexecs%3A120473%2Cop%3Ahavoc%2Crep%3A8