CVE-2019-20170: AddressSanitizer: heap-use-after-free in GF_IPMPX_AUTH_Delete odf/ipmpx_code.c:115 · Issue #1328 · gpac/gpac
An issue was discovered in GPAC versions 0.8.0 and 0.9.0-development-20191109: an invalid pointer dereference in the function GF_IPMPX_AUTH_Delete() in odf/ipmpx_code.c.
System info:
Ubuntu 16.04.6 LTS, X64, gcc 5.4.0, gpac (latest master 00dfc93)
Compile Command:
$ CC="gcc -fsanitize=address -g" CXX="g++ -fsanitize=address -g" ./configure --static-mp4box
$ make
Run Command:
$ MP4Box -diso -out /dev/null $POC-new-GF_IPMPX_AUTH_Delete
POC file:
https://github.com/Clingto/POC/blob/master/gpac-MP4Box/gpac-00dfc93-crashes/POC-new-GF_IPMPX_AUTH_Delete
gdb info:
Program received signal SIGSEGV, Segmentation fault.
0x000000000056907e in gf_ipmpx_data_del ()
(gdb) bt
#0  0x000000000056907e in gf_ipmpx_data_del ()
#1  0x000000000056aa7c in gf_ipmpx_data_parse ()
#2  0x000000000056274a in gf_odf_read_ipmp ()
#3  0x000000000055a076 in gf_odf_parse_descriptor ()
#4  0x000000000056503b in gf_odf_desc_read ()
#5  0x00000000006ca7b4 in esds_Read ()
#6  0x00000000005137e1 in gf_isom_box_parse_ex.constprop ()
#7  0x0000000000513e15 in gf_isom_parse_root_box ()
#8  0x000000000051b4fe in gf_isom_parse_movie_boxes.part ()
#9  0x000000000051c48c in gf_isom_open_file ()
#10 0x000000000041c082 in mp4boxMain ()
#11 0x00007ffff72ed830 in __libc_start_main (main=0x40eb70 <main>, argc=5, argv=0x7fffffffe318, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe308) at …/csu/libc-start.c:291
#12 0x000000000040eba9 in _start ()
ASAN info:
ASAN:SIGSEGV
==27770==ERROR: AddressSanitizer: SEGV on unknown address 0x00000000000a (pc 0x0000007bacbf bp 0x00000000000a sp 0x7fffffff8020 T0)
    #0 0x7bacbe in GF_IPMPX_AUTH_Delete odf/ipmpx_code.c:115
    #1 0x7bacbe in delete_algo_list odf/ipmpx_code.c:363
    #2 0x7bacbe in DelGF_IPMPX_MutualAuthentication odf/ipmpx_code.c:371
    #3 0x7bacbe in gf_ipmpx_data_del odf/ipmpx_code.c:1853
    #4 0x7bec88 in gf_ipmpx_data_parse odf/ipmpx_code.c:295
    #5 0x7a9969 in gf_odf_read_ipmp odf/odf_code.c:2426
    #6 0x795ce3 in gf_odf_parse_descriptor odf/descriptors.c:159
    #7 0x7afc16 in gf_odf_desc_read odf/odf_codec.c:302
    #8 0xad3fb3 in esds_Read isomedia/box_code_base.c:1256
    #9 0x6c5114 in gf_isom_box_read isomedia/box_funcs.c:1528
    #10 0x6c5114 in gf_isom_box_parse_ex isomedia/box_funcs.c:208
    #11 0x6c5974 in gf_isom_parse_root_box isomedia/box_funcs.c:42
    #12 0x6da6a0 in gf_isom_parse_movie_boxes isomedia/isom_intern.c:206
    #13 0x6dd2f3 in gf_isom_parse_movie_boxes isomedia/isom_intern.c:194
    #14 0x6dd2f3 in gf_isom_open_file isomedia/isom_intern.c:615
    #15 0x42f88a in mp4boxMain /home/aota09/yyp/fuzzcompare/test/gpac/test-crash/build_asan_00dfc93/applications/mp4box/main.c:4767
    #16 0x7ffff638082f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #17 0x41e228 in _start (/home/aota09/yyp/fuzzcompare/test/gpac/test-crash/bin_asan/bin/MP4Box+0x41e228)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV odf/ipmpx_code.c:115 GF_IPMPX_AUTH_Delete
==27770==ABORTING
Edit
This bug still exists in the latest 0.8.0 (4c19ae5) and 0.9.0 (1de1f8d).
Addition: This bug was found with our fuzzer, which is based on AFL. Our fuzzer was developed by Yuanpingyu ([email protected]), Yanhao and Marsman1996 ([email protected]).
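The two traces agree on the shape of the failure: gf_ipmpx_data_parse hits an error, calls gf_ipmpx_data_del on the object it was building, and the destructor chain (DelGF_IPMPX_MutualAuthentication -> delete_algo_list -> GF_IPMPX_AUTH_Delete) dereferences address 0xa. A faulting address that low is a null or small-integer value plus a field offset, not a freed heap chunk (ASan would otherwise have reported heap-use-after-free with allocation and free stacks), which is consistent with the CVE text's "invalid pointer dereference". The C program below is an added example, not GPAC code and not a reconstruction of the actual defect. It shows the defensive pattern for this kind of error-path cleanup on a hypothetical, constructed descriptor format: the names mutual_auth, auth_entry, the tag values and the sample byte strings are all invented for the example. Every object is zero-initialised before it can reach a destructor, each destructor tolerates NULL and half-built input, and an allocation counter lets a test prove that a truncated input releases everything it touched.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical wire format, constructed for this example (not GPAC's IPMPX encoding):
 *   u8 count                     number of authentication entries
 *   count times:
 *     u8 tag                     1 = key descriptor, 2 = parametric descriptor
 *     u8 len                     payload length
 *     u8 data[len]
 */
enum { AUTH_TAG_KEY = 1, AUTH_TAG_PARAM = 2 };

typedef struct {
    uint8_t tag;
    size_t data_len;
    uint8_t *data;
} auth_entry;

typedef struct {
    size_t capacity;    /* slots allocated in list, from the count byte */
    size_t count;       /* entries actually populated */
    auth_entry **list;  /* calloc'd, so every unfilled slot is NULL */
} mutual_auth;

/* Allocation counter so a test can prove the error path frees everything. */
static long live_allocs = 0;

static void *tracked_calloc(size_t n, size_t sz) {
    void *p = calloc(n, sz);  /* zeroed: no field is ever left as heap garbage */
    if (p) live_allocs++;
    return p;
}

static void tracked_free(void *p) {
    if (p) { live_allocs--; free(p); }
}

long allocations_outstanding(void) { return live_allocs; }

/* Destructors tolerate NULL and half-built objects, because the parser's
 * error path hands them exactly that. */
static void auth_entry_del(auth_entry *e) {
    if (!e) return;
    tracked_free(e->data);
    tracked_free(e);
}

void mutual_auth_del(mutual_auth *m) {
    if (!m) return;
    if (m->list) {
        for (size_t i = 0; i < m->capacity; i++)
            auth_entry_del(m->list[i]);  /* NULL for slots never reached */
        tracked_free(m->list);
    }
    tracked_free(m);
}

/* Returns 0 and sets *out on success; returns -1 with *out == NULL on
 * truncated or malformed input, after releasing the partial object. */
int mutual_auth_parse(const uint8_t *buf, size_t len, mutual_auth **out) {
    *out = NULL;
    if (!buf || len < 1) return -1;
    size_t pos = 0;
    size_t n = buf[pos++];
    mutual_auth *m = tracked_calloc(1, sizeof *m);
    if (!m) return -1;
    m->capacity = n;
    m->list = tracked_calloc(n ? n : 1, sizeof *m->list);
    if (!m->list) goto fail;
    for (size_t i = 0; i < n; i++) {
        if (len - pos < 2) goto fail;                      /* header truncated */
        uint8_t tag = buf[pos++];
        uint8_t dlen = buf[pos++];
        if (tag != AUTH_TAG_KEY && tag != AUTH_TAG_PARAM) goto fail;
        if (len - pos < dlen) goto fail;                   /* payload truncated */
        auth_entry *e = tracked_calloc(1, sizeof *e);
        if (!e) goto fail;
        m->list[i] = e;  /* publish before filling, so cleanup owns it on failure */
        m->count++;
        e->tag = tag;
        e->data = tracked_calloc(dlen ? dlen : 1, 1);
        if (!e->data) goto fail;
        memcpy(e->data, buf + pos, dlen);
        e->data_len = dlen;
        pos += dlen;
    }
    *out = m;
    return 0;
fail:
    mutual_auth_del(m);  /* walks only NULL slots or fully owned entries */
    return -1;
}

/* Parses and immediately frees; returns the entry count, or -1 on failure. */
int parse_count(const uint8_t *buf, size_t len) {
    mutual_auth *m = NULL;
    int rc = mutual_auth_parse(buf, len, &m);
    int count = (rc == 0) ? (int)m->count : -1;
    mutual_auth_del(m);
    return count;
}

/* Constructed sample inputs (not taken from the POC file linked above). */
const uint8_t SAMPLE_GOOD[]   = { 2, AUTH_TAG_KEY, 3, 'k', 'e', 'y', AUTH_TAG_PARAM, 0 };
const uint8_t SAMPLE_TRUNC[]  = { 3, AUTH_TAG_KEY, 3, 'k', 'e', 'y', AUTH_TAG_PARAM };
const uint8_t SAMPLE_BADTAG[] = { 1, 9, 0 };
```

parse_count(SAMPLE_GOOD, sizeof SAMPLE_GOOD) returns 2; SAMPLE_TRUNC declares three entries but ends inside the second, and SAMPLE_BADTAG carries an unknown tag, so both return -1, and allocations_outstanding() is 0 after each call because the partial object was freed through the same destructor the success path uses. Built with the same `gcc -fsanitize=address -g` flags as the MP4Box build above, the truncated case runs clean; the property to preserve in a real parser is that nothing the destructor dereferences is ever a value read from the file or left uninitialised.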