
CVE-2019-20162: ERROR: AddressSanitizer: heap-buffer-overflow in gf_isom_box_parse_ex isomedia/box_funcs.c:189 · Issue #1327 · gpac/gpac

An issue was discovered in GPAC version 0.8.0 and 0.9.0-development-20191109. There is a heap-based buffer overflow in the function gf_isom_box_parse_ex() in isomedia/box_funcs.c.


System info:
Ubuntu 16.04.6 LTS, X64, gcc 5.4.0, gpac (latest master 00dfc93)
Compile Command:

$ CC="gcc -fsanitize=address -g" CXX="g++ -fsanitize=address -g" ./configure --static-mp4box
$ make

Run Command:

$ MP4Box -diso -out /dev/null $POC-new-gf_isom_box_parse_ex

POC file:
https://github.com/Clingto/POC/blob/master/gpac-MP4Box/gpac-00dfc93-crashes/POC-new-gf_isom_box_parse_ex
https://github.com/Clingto/POC/blob/master/gpac-MP4Box/gpac-00dfc93-crashes/POC-new-gf_isom_box_parse_ex-2
For POC-new-gf_isom_box_parse_ex
gdb info:

Program received signal SIGSEGV, Segmentation fault.
__GI___libc_free (mem=0x6a06e81bf20d02) at malloc.c:2951
2951	malloc.c: No such file or directory.
(gdb) bt
#0  __GI___libc_free (mem=0x6a06e81bf20d02) at malloc.c:2951
#1  0x00000000006d4ab7 in reftype_del ()
#2  0x0000000000512a7d in gf_isom_box_del ()
#3  0x00000000005135fe in gf_isom_box_array_read_ex ()
#4  0x00000000005137e1 in gf_isom_box_parse_ex.constprop ()
#5  0x0000000000513e15 in gf_isom_parse_root_box ()
#6  0x000000000051b4fe in gf_isom_parse_movie_boxes.part ()
#7  0x000000000051c48c in gf_isom_open_file ()
#8  0x000000000041c082 in mp4boxMain ()
#9  0x00007ffff72ed830 in __libc_start_main (main=0x40eb70 <main>, argc=5, argv=0x7fffffffe318, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe308) at …/csu/libc-start.c:291
#10 0x000000000040eba9 in _start ()

For POC-new-gf_isom_box_parse_ex-2
gdb info:

Program received signal SIGSEGV, Segmentation fault.
__GI___libc_free (mem=0x1c1c1c1c1c1c1c1c) at malloc.c:2951
2951	malloc.c: No such file or directory.
(gdb) bt
#0  __GI___libc_free (mem=0x1c1c1c1c1c1c1c1c) at malloc.c:2951
#1  0x00000000006d4ab7 in reftype_del ()
#2  0x0000000000512a7d in gf_isom_box_del ()
#3  0x00000000005135fe in gf_isom_box_array_read_ex ()
#4  0x00000000005137e1 in gf_isom_box_parse_ex.constprop ()
#5  0x0000000000513e15 in gf_isom_parse_root_box ()
#6  0x000000000051b4fe in gf_isom_parse_movie_boxes.part ()
#7  0x000000000051c48c in gf_isom_open_file ()
#8  0x000000000041c082 in mp4boxMain ()
#9  0x00007ffff72ed830 in __libc_start_main (main=0x40eb70 <main>, argc=5, argv=0x7fffffffe318, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe308) at …/csu/libc-start.c:291
#10 0x000000000040eba9 in _start ()

For POC-new-gf_isom_box_parse_ex
ASAN info:

==25783==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60400000df80 at pc 0x0000006c4392 bp 0x7fffffff8090 sp 0x7fffffff8080
WRITE of size 4 at 0x60400000df80 thread T0
    #0 0x6c4391 in gf_isom_box_parse_ex isomedia/box_funcs.c:189
    #1 0x6c47bc in gf_isom_box_array_read_ex isomedia/box_funcs.c:1419
    #2 0x6c5114 in gf_isom_box_read isomedia/box_funcs.c:1528
    #3 0x6c5114 in gf_isom_box_parse_ex isomedia/box_funcs.c:208
    #4 0x6c5974 in gf_isom_parse_root_box isomedia/box_funcs.c:42
    #5 0x6da6a0 in gf_isom_parse_movie_boxes isomedia/isom_intern.c:206
    #6 0x6dd2f3 in gf_isom_parse_movie_boxes isomedia/isom_intern.c:194
    #7 0x6dd2f3 in gf_isom_open_file isomedia/isom_intern.c:615
    #8 0x42f88a in mp4boxMain /home/aota09/yyp/fuzzcompare/test/gpac/test-crash/build_asan_00dfc93/applications/mp4box/main.c:4767
    #9 0x7ffff638082f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #10 0x41e228 in _start (/home/aota09/yyp/fuzzcompare/test/gpac/test-crash/bin_asan/bin/MP4Box+0x41e228)

0x60400000df80 is located 0 bytes to the right of 48-byte region [0x60400000df50,0x60400000df80)
allocated by thread T0 here:
    #0 0x7ffff6f02602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
    #1 0xaec17d in reftype_New isomedia/box_code_base.c:7521

SUMMARY: AddressSanitizer: heap-buffer-overflow isomedia/box_funcs.c:189 gf_isom_box_parse_ex
Shadow bytes around the buggy address:
  0x0c087fff9ba0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff9bb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff9bc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff9bd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff9be0: fa fa fa fa fa fa fa fa fa fa 00 00 00 00 00 00
=>0x0c087fff9bf0:[fa]fa 00 00 00 00 00 00 fa fa 00 00 00 00 00 00
  0x0c087fff9c00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff9c10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff9c20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff9c30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff9c40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
==25783==ABORTING

For POC-new-gf_isom_box_parse_ex-2
ASAN info:

==25917==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60400000e000 at pc 0x0000006c4392 bp 0x7fffffff8090 sp 0x7fffffff8080
WRITE of size 4 at 0x60400000e000 thread T0
    #0 0x6c4391 in gf_isom_box_parse_ex isomedia/box_funcs.c:189
    #1 0x6c47bc in gf_isom_box_array_read_ex isomedia/box_funcs.c:1419
    #2 0x6c5114 in gf_isom_box_read isomedia/box_funcs.c:1528
    #3 0x6c5114 in gf_isom_box_parse_ex isomedia/box_funcs.c:208
    #4 0x6c5974 in gf_isom_parse_root_box isomedia/box_funcs.c:42
    #5 0x6da6a0 in gf_isom_parse_movie_boxes isomedia/isom_intern.c:206
    #6 0x6dd2f3 in gf_isom_parse_movie_boxes isomedia/isom_intern.c:194
    #7 0x6dd2f3 in gf_isom_open_file isomedia/isom_intern.c:615
    #8 0x42f88a in mp4boxMain /home/aota09/yyp/fuzzcompare/test/gpac/test-crash/build_asan_00dfc93/applications/mp4box/main.c:4767
    #9 0x7ffff638082f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #10 0x41e228 in _start (/home/aota09/yyp/fuzzcompare/test/gpac/test-crash/bin_asan/bin/MP4Box+0x41e228)

0x60400000e000 is located 0 bytes to the right of 48-byte region [0x60400000dfd0,0x60400000e000)
allocated by thread T0 here:
    #0 0x7ffff6f02602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
    #1 0xaec17d in reftype_New isomedia/box_code_base.c:7521

SUMMARY: AddressSanitizer: heap-buffer-overflow isomedia/box_funcs.c:189 gf_isom_box_parse_ex
Shadow bytes around the buggy address:
  0x0c087fff9bb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff9bc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff9bd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff9be0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff9bf0: fa fa fa fa fa fa fa fa fa fa 00 00 00 00 00 00
=>0x0c087fff9c00:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff9c10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff9c20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff9c30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff9c40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff9c50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
==25917==ABORTING

Edit

This bug still exists in the latest versions: 0.8.0 (4c19ae5) and 0.9.0 (1de1f8d).

Addition: This bug was found with our fuzzer, which is based on AFL. Our fuzzer is developed by Yuanpingyu ([email protected]), Yanhao and Marsman1996 ([email protected]).
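As an added triage helper (not part of the issue or of GPAC), the Python below parses ASan reports of the kind shown above and buckets them by crash kind plus the top project frames; the two reports in this issue share one signature, which is why two POC files are a single bug. The embedded report is a constructed, abbreviated copy of the first one above, and the regex names and the AsanCrash class are the example's own.

```python
import re
from dataclasses import dataclass

# Constructed sample: an abbreviated copy of the first ASan report above, frames one per line.
ASAN_REPORT = """\
==25783==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60400000df80 at pc 0x0000006c4392
WRITE of size 4 at 0x60400000df80 thread T0
    #0 0x6c4391 in gf_isom_box_parse_ex isomedia/box_funcs.c:189
    #1 0x6c47bc in gf_isom_box_array_read_ex isomedia/box_funcs.c:1419
    #9 0x7ffff638082f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
0x60400000df80 is located 0 bytes to the right of 48-byte region [0x60400000df50,0x60400000df80)
allocated by thread T0 here:
    #0 0x7ffff6f02602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
    #1 0xaec17d in reftype_New isomedia/box_code_base.c:7521
SUMMARY: AddressSanitizer: heap-buffer-overflow isomedia/box_funcs.c:189 gf_isom_box_parse_ex
"""
HEADER_RE = re.compile(r"==\d+==ERROR: AddressSanitizer: (?P<kind>[\w-]+) on address")
ACCESS_RE = re.compile(r"^(?P<op>READ|WRITE) of size (?P<size>\d+)", re.M)
FRAME_RE = re.compile(r"^\s*#\d+ 0x[0-9a-f]+ in (?P<func>\S+) (?P<loc>\S+)", re.M)  # libc/libasan frames carry "(path+off)" as loc
REGION_RE = re.compile(r"(?P<off>\d+) bytes to the (?:left|right) of (?P<size>\d+)-byte region")

@dataclass
class AsanCrash:
    kind: str          # e.g. heap-buffer-overflow
    op: str            # READ or WRITE
    access_size: int   # bytes accessed
    region_size: int   # size of the overrun heap object
    offset: int        # distance past the object boundary (0 = first byte after it)
    frames: list       # (function, file:line) of project frames, innermost first
    alloc_site: str    # first project frame of the allocation stack

    def signature(self, depth=3):
        """Dedup key: crash kind plus the top `depth` project frames."""
        return (self.kind,) + tuple(self.frames[:depth])

def project_frames(text):
    return [(m["func"], m["loc"]) for m in FRAME_RE.finditer(text)
            if not m["loc"].startswith("(")]

def parse_asan_report(text):
    head, _, alloc = text.partition("allocated by thread")
    hdr, acc, reg = HEADER_RE.search(head), ACCESS_RE.search(head), REGION_RE.search(head)
    if not (hdr and acc and reg):
        raise ValueError("not a recognised ASan heap report")
    alloc_frames = project_frames(alloc)
    return AsanCrash(hdr["kind"], acc["op"], int(acc["size"]), int(reg["size"]), int(reg["off"]),
                     project_frames(head), " ".join(alloc_frames[0]) if alloc_frames else "")

def same_bucket(a, b):
    """True when two reports are the same crash even if PIDs and addresses differ."""
    return parse_asan_report(a).signature() == parse_asan_report(b).signature()
```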
