Headline
CVE-2023-48011: heap-use-after-free in ./gpac/src/isomedia/movie_fragments.c:936:37 in flush_ref_samples · Issue #2611 · gpac/gpac
GPAC v2.3-DEV-rev566-g50c2ab06f-master was discovered to contain a heap-use-after-free via the flush_ref_samples function at /gpac/src/isomedia/movie_fragments.c.
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Closed
gandalf4a opened this issue
Oct 8, 2023
· 0 comments
Comments
Version
$ ./MP4Box -version
MP4Box - GPAC version 2.3-DEV-rev566-g50c2ab06f-master
Platform
$ uname -a
Linux user-GE40-2PC-Dragon-Eyes 6.2.0-33-generic #33~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Thu Sep 7 10:33:52 UTC 2 x86_64 x86_64 x86_64 GNU/Linux
Asan
[33m[iso file] extra box maxr found in hinf, deleting
[0m[32m[iso file] Unknown box type traI in parent moov
[0m[33m[iso file] Box "stss" (start 9939) has 32 extra bytes
[0m[33m[iso file] extra box maxr found in hinf, deleting
[0m[33m[iso file] Track with no sample description box !
[0m[33m[IsoMedia] Track 4 type MPEG not natively handled
[0m[32m[Dasher] No template assigned, using $File$_dash$FS$$Number$
[0m[32m[iso file] Unknown box type traI in parent moov
[0m[33m[MP4Mux] muxing unknown codec ID Codec Not Supported, using generic sample entry with 4CC "MPEG"
[0m[31m[IsoMedia] File truncated, aborting read for track 1
[0m[37mDashing P1 AS#1.1(V) done (1 segs)
[0m[31m[MP4Mux] Failed to add sample DTS 0 from O7 - prev DTS 18446744073709551615: Out Of Memory
[0m=================================================================
==836900==ERROR: AddressSanitizer: heap-use-after-free on address 0x60b000001d88 at pc 0x7f57c0120bf1 bp 0x7ffeac405a70 sp 0x7ffeac405a68
READ of size 8 at 0x60b000001d88 thread T0
#0 0x7f57c0120bf0 in flush_ref_samples /home/user/fuzzing_gpac/gpac/src/isomedia/movie_fragments.c:936:37
#1 0x7f57c0128df2 in gf_isom_close_segment /home/user/fuzzing_gpac/gpac/src/isomedia/movie_fragments.c:2331:4
#2 0x7f57c0cfd198 in mp4_mux_process_fragmented /home/user/fuzzing_gpac/gpac/src/filters/mux_isom.c:6734:8
#3 0x7f57c0cf46f3 in mp4_mux_process /home/user/fuzzing_gpac/gpac/src/filters/mux_isom.c:7273:14
#4 0x7f57c09afa33 in gf_filter_process_task /home/user/fuzzing_gpac/gpac/src/filter_core/filter.c:2971:7
#5 0x7f57c097d47b in gf_fs_thread_proc /home/user/fuzzing_gpac/gpac/src/filter_core/filter_session.c:2105:3
#6 0x7f57c097b5cf in gf_fs_run /home/user/fuzzing_gpac/gpac/src/filter_core/filter_session.c:2405:3
#7 0x7f57c022ac6a in gf_dasher_process /home/user/fuzzing_gpac/gpac/src/media_tools/dash_segmenter.c:1236:6
#8 0x55ff536546dc in do_dash /home/user/fuzzing_gpac/gpac/applications/mp4box/mp4box.c:4831:15
#9 0x55ff53645b6e in mp4box_main /home/user/fuzzing_gpac/gpac/applications/mp4box/mp4box.c:6245:7
#10 0x7f57bf229d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#11 0x7f57bf229e3f in __libc_start_main csu/../csu/libc-start.c:392:3
#12 0x55ff5356ddd4 in _start (/home/user/fuzzing_gpac/gpac/bin/gcc/MP4Box+0x82dd4) (BuildId: 53333ca7bff59dd9a3d1b2821e7c5f3a9aac76b9)
0x60b000001d88 is located 104 bytes inside of 112-byte region [0x60b000001d20,0x60b000001d90)
freed by thread T0 here:
#0 0x55ff535f0972 in free (/home/user/fuzzing_gpac/gpac/bin/gcc/MP4Box+0x105972) (BuildId: 53333ca7bff59dd9a3d1b2821e7c5f3a9aac76b9)
#1 0x7f57c001e6f5 in gf_isom_box_del /home/user/fuzzing_gpac/gpac/src/isomedia/box_funcs.c:2005:3
previously allocated by thread T0 here:
#0 0x55ff535f0c1e in malloc (/home/user/fuzzing_gpac/gpac/bin/gcc/MP4Box+0x105c1e) (BuildId: 53333ca7bff59dd9a3d1b2821e7c5f3a9aac76b9)
#1 0x7f57bff95c5a in trun_box_new /home/user/fuzzing_gpac/gpac/src/isomedia/box_code_base.c:7805:2
#2 0x7f57c0026335 in gf_isom_box_new /home/user/fuzzing_gpac/gpac/src/isomedia/box_funcs.c:1896:9
#3 0x7f57c0026335 in gf_isom_box_new_parent /home/user/fuzzing_gpac/gpac/src/isomedia/box_funcs.c:2351:14
#4 0x7f57c0d06f05 in mp4_mux_process_sample /home/user/fuzzing_gpac/gpac/src/filters/mux_isom.c:4915:9
#5 0x7f57c0cf85a4 in mp4_mux_process_fragmented /home/user/fuzzing_gpac/gpac/src/filters/mux_isom.c:6653:8
#6 0x7f57c0cf46f3 in mp4_mux_process /home/user/fuzzing_gpac/gpac/src/filters/mux_isom.c:7273:14
#7 0x7f57c09afa33 in gf_filter_process_task /home/user/fuzzing_gpac/gpac/src/filter_core/filter.c:2971:7
SUMMARY: AddressSanitizer: heap-use-after-free /home/user/fuzzing_gpac/gpac/src/isomedia/movie_fragments.c:936:37 in flush_ref_samples
Shadow bytes around the buggy address:
0x0c167fff8360: fa fa 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c167fff8370: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
0x0c167fff8380: 00 00 00 00 05 fa fa fa fa fa fa fa fa fa 00 00
0x0c167fff8390: 00 00 00 00 00 00 00 00 00 00 00 00 fa fa fa fa
0x0c167fff83a0: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0c167fff83b0: fd[fd]fa fa fa fa fa fa fa fa fd fd fd fd fd fd
0x0c167fff83c0: fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa fa
0x0c167fff83d0: fd fd fd fd fd fd fd fd fd fd fd fd fd fa fa fa
0x0c167fff83e0: fa fa fa fa fa fa fd fd fd fd fd fd fd fd fd fd
0x0c167fff83f0: fd fd fd fd fa fa fa fa fa fa fa fa fd fd fd fd
0x0c167fff8400: fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==836900==ABORTING
Reproduce****POC File
https://github.com/gandalf4a/crash_report/blob/main/gpac/MP4Box/huaf_936
Credit
1 participant