CVE-2023-37174: SEGV on unknown address 0x000000012c29 · Issue #2505 · gpac/gpac

GPAC v2.3-DEV-rev381-g817a848f6-master was discovered to contain a segmentation violation in the dump_isom_scene function at /mp4box/filedump.c.


Hello, I used the fuzzer (AFL) to fuzz the binary gpac and got some crashes.
The details follow.

Title: SEGV on unknown address 0x000000012c29

1. Description

A SEGV on unknown address 0x000000012c29 has occurred in the function dump_isom_scene at /root/gpac/applications/mp4box/filedump.c:226:2
when running the program MP4Box; this can be reproduced on the latest commit.

2. Software version info

fuzz@ubuntu:~/gpac2.1/gpac/bin/gcc$ MP4Box -version
MP4Box - GPAC version 2.3-DEV-rev381-g817a848f6-master
(c) 2000-2023 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io

3. System version info

./uname -a
Linux ouc7 5.4.0-150-generic #167-Ubuntu SMP Mon May 15 17:35:05 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux

4. Command

5. Result

[iso file] Unknown box type 0000 in parent moov
[iso file] Unknown box type 0000 in parent moov
[iso file] Unknown box type 0000 in parent moov
[iso file] Unknown box type 0000 in parent moov
[iso file] Unknown box type 0000 in parent moov
[iso file] Unknown box type 0000 in parent moov
[iso file] Unknown box type 0000 in parent minf
[iso file] Missing DataInformationBox
[iso file] Unknown box type 0000 in parent moov
[iso file] Read Box type 0000 (0x30303030) at position 11542 has size 0 but is not at root/file level. Forbidden, skipping end of parent box !
[iso file] Box "moov" (start 20) has 806 extra bytes
[iso file] Unknown top-level box type 0000
[iso file] Incomplete box 0000 - start 12356 size 808424308
[iso file] Incomplete file while reading for dump - aborting parsing
[iso file] Unknown box type 0000 in parent moov
[iso file] Unknown box type 0000 in parent moov
[iso file] Unknown box type 0000 in parent moov
[iso file] Unknown box type 0000 in parent moov
[iso file] Unknown box type 0000 in parent moov
[iso file] Unknown box type 0000 in parent moov
[iso file] Unknown box type 0000 in parent minf
[iso file] Missing DataInformationBox
[iso file] Unknown box type 0000 in parent moov
[iso file] Read Box type 0000 (0x30303030) at position 11542 has size 0 but is not at root/file level. Forbidden, skipping end of parent box !
[iso file] Box "moov" (start 20) has 806 extra bytes
[iso file] Unknown top-level box type 0000
[iso file] Incomplete box 0000 - start 12356 size 808424308
[iso file] Incomplete file while reading for dump - aborting parsing
MPEG-4 LASeR Scene Parsing
[MP4 Loading] decoding sample 1 from track ID 8 failed
UndefinedBehaviorSanitizer:DEADLYSIGNAL
==3702327==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x000000012c29 (pc 0x7f22677126f0 bp 0x7f226864c8a8 sp 0x7ffc03c79320 T3702327)
==3702327==The signal is caused by a READ memory access.
    #0 0x7f22677126f0 in free (/lib/x86_64-linux-gnu/libc.so.6+0x9a6f0)
    #1 0x7f2267c0106a in gf_svg_delete_attribute_value (/root/gpac/bin/gcc/libgpac.so.12+0x1eb06a)
    #2 0x7f2267b60505 in gf_sg_command_del (/root/gpac/bin/gcc/libgpac.so.12+0x14a505)
    #3 0x7f2267ea7fa3 in gf_sm_au_del (/root/gpac/bin/gcc/libgpac.so.12+0x491fa3)
    #4 0x7f2267ea695f in gf_sm_del (/root/gpac/bin/gcc/libgpac.so.12+0x49095f)
    #5 0x4504a0 in dump_isom_scene /root/gpac/applications/mp4box/filedump.c:226:2
    #6 0x4478b0 in mp4box_main /root/gpac/applications/mp4box/mp4box.c:6461:7
    #7 0x7f226769c082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082)
    #8 0x41304d in _start (/root/gpac/bin/gcc/MP4Box+0x41304d)

UndefinedBehaviorSanitizer can not provide additional info.
SUMMARY: UndefinedBehaviorSanitizer: SEGV (/lib/x86_64-linux-gnu/libc.so.6+0x9a6f0) in free
==3702327==ABORTING

6. Impact

This vulnerability is capable of crashing software, bypassing protection mechanisms, modifying memory, and possibly remote execution.

7. POC

POC file
poc1.zip

Report of the Information Security Laboratory of Ocean University of China @OUC_ISLOUC @OUC_Blue_Whale
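The result log above shows the parser rejecting a "0000" box of size 0 nested in moov and an incomplete box claiming size 808424308. The check below is an added example and not GPAC's own code (the enum names, check_box_header and the sample buffers are constructed for illustration); it shows the header validation an ISO BMFF reader needs before trusting a box size, including the 64-bit largesize form.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
/* Outcomes of validating one ISO BMFF box header (names constructed for this example). */
enum box_check {
    BOX_OK = 0,
    BOX_SHORT_HEADER,     /* fewer bytes left than a header needs */
    BOX_SIZE_ZERO_NESTED, /* size 0 ("to end of file") is only legal at top level */
    BOX_TOO_SMALL,        /* declared size cannot hold its own header */
    BOX_INCOMPLETE        /* declared size runs past the enclosing data */
};
static uint32_t be32(const uint8_t *p) { return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3]; }

/* Validate the box header at buf[pos] given `avail` bytes of enclosing data.
 * at_root is 1 at file level, 0 inside a parent such as moov or minf.
 * On BOX_OK, *size holds the full box size and type[] the NUL-terminated FourCC. */
enum box_check check_box_header(const uint8_t *buf, size_t avail, size_t pos,
                                int at_root, uint64_t *size, char type[5]) {
    if (pos > avail || avail - pos < 8) return BOX_SHORT_HEADER;
    uint64_t sz = be32(buf + pos);
    size_t hdr = 8;
    memcpy(type, buf + pos + 4, 4);
    type[4] = '\0';
    if (sz == 0) {                      /* "rest of file": forbidden below root */
        if (!at_root) return BOX_SIZE_ZERO_NESTED;
        *size = avail - pos;
        return BOX_OK;
    }
    if (sz == 1) {                      /* 64-bit largesize follows the type */
        if (avail - pos < 16) return BOX_SHORT_HEADER;
        sz = ((uint64_t)be32(buf + pos + 8) << 32) | be32(buf + pos + 12);
        hdr = 16;
    }
    if (sz < hdr) return BOX_TOO_SMALL;
    if (sz > avail - pos) return BOX_INCOMPLETE;
    *size = sz;
    return BOX_OK;
}

/* Constructed samples mirroring the report: a "0000" box of size 0, and a "0000"
 * box claiming size 808424308 (0x302F9374) with only 12 bytes actually present. */
static const uint8_t zero_box[] = {0,0,0,0, '0','0','0','0', 1,2,3,4};
static const uint8_t huge_box[] = {0x30,0x2F,0x93,0x74, '0','0','0','0', 1,2,3,4};
enum box_check sample_zero_nested(void) { uint64_t s; char t[5];
    return check_box_header(zero_box, sizeof zero_box, 0, 0, &s, t); }
uint64_t sample_zero_root_size(void) { uint64_t s = 0; char t[5];  /* 0 if rejected */
    return check_box_header(zero_box, sizeof zero_box, 0, 1, &s, t) == BOX_OK ? s : 0; }
enum box_check sample_huge_root(void) { uint64_t s; char t[5];
    return check_box_header(huge_box, sizeof huge_box, 0, 1, &s, t); }
```

A parser that stops at BOX_INCOMPLETE or BOX_SIZE_ZERO_NESTED never reaches the later scene-loading stage with a half-built structure, which is where the reported cleanup crash in gf_sm_del occurs.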
