Headline
CVE-2023-48013: double-free in gf_filterpacket_del /home/user/fuzzing_gpac/gpac/src/filter_core/filter.c:38:17 · Issue #2612 · gpac/gpac
GPAC v2.3-DEV-rev566-g50c2ab06f-master was discovered to contain a double free via the gf_filterpacket_del function at /gpac/src/filter_core/filter.c.
$ ./MP4Box -version
MP4Box - GPAC version 2.3-DEV-rev566-g50c2ab06f-master
$ uname -a
Linux user-GE40-2PC-Dragon-Eyes 6.2.0-33-generic #33~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Thu Sep 7 10:33:52 UTC 2 x86_64 x86_64 x86_64 GNU/Linux
/home/user/vul/MP4Box_crash/id000037sig06src002502time27968081execs258947ophavocrep16
[32m[iso file] Unknown box type 00000000 in parent moov
[0m[32m[iso file] Unknown top-level box type 00000100
[0m[32m[Dasher] No template assigned, using $File$_dash$FS$$Number$
[0m[32m[Dasher] No bitrate property assigned to PID V1, computing from bitstream
[0m[31m[IsoMedia] Failed to fetch initial sample 1 for track 2
[0m[32m[iso file] Unknown box type 00000000 in parent moov
[0m[33m[Dasher] Representation not initialized, dropping non-SAP1/2 packet CTS 18446744073709551615/12288
[0m[31m[IsoMedia] Failed to fetch initial sample 1 for track 2
[0m[31m[MuxIsom] Packet with no CTS assigned, cannot store to track, ignoring
[0m[31m[IsoMedia] File truncated, aborting read for track 1
[0m[31m[IsoMedia] Failed to fetch initial sample 1 for track 2
[0m[37mDashing P1 AS#1.1(V) done (1 segs)
[0m[31m[Dasher] Couldn't compute bitrate of PID V1 in time for manifest generation, please specify #Bitrate property
[0m[31m[Dasher] Couldn't compute bitrate of PID V1 in time for manifest generation, please specify #Bitrate property
[0m[32m[MPD] Generating MPD at time 2023-10-08T12:38:38.043Z
[0m[32m[Dasher] End of Period
[0m[32m[Dasher] End of MPD (no more active streams)
[0m=================================================================
==827317==ERROR: AddressSanitizer: attempting double-free on 0x619000015980 in thread T0:
#0 0x55e7797a5972 in free (/home/user/fuzzing_gpac/gpac/bin/gcc/MP4Box+0x105972) (BuildId: 53333ca7bff59dd9a3d1b2821e7c5f3a9aac76b9)
#1 0x7f525cd97945 in gf_filterpacket_del /home/user/fuzzing_gpac/gpac/src/filter_core/filter.c:38:17
#2 0x7f525cd6a022 in gf_fq_del /home/user/fuzzing_gpac/gpac/src/filter_core/filter_queue.c:105:33
#3 0x7f525cda14e5 in gf_filter_del /home/user/fuzzing_gpac/gpac/src/filter_core/filter.c:664:3
#4 0x7f525cd6ede9 in gf_fs_del /home/user/fuzzing_gpac/gpac/src/filter_core/filter_session.c:782:4
#5 0x7f525c6283f6 in gf_dasher_clean_inputs /home/user/fuzzing_gpac/gpac/src/media_tools/dash_segmenter.c:164:3
#6 0x7f525c6283f6 in gf_dasher_del /home/user/fuzzing_gpac/gpac/src/media_tools/dash_segmenter.c:173:2
#7 0x55e779809d2d in do_dash /home/user/fuzzing_gpac/gpac/applications/mp4box/mp4box.c:4894:2
#8 0x55e7797fab6e in mp4box_main /home/user/fuzzing_gpac/gpac/applications/mp4box/mp4box.c:6245:7
#9 0x7f525b629d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#10 0x7f525b629e3f in __libc_start_main csu/../csu/libc-start.c:392:3
#11 0x55e779722dd4 in _start (/home/user/fuzzing_gpac/gpac/bin/gcc/MP4Box+0x82dd4) (BuildId: 53333ca7bff59dd9a3d1b2821e7c5f3a9aac76b9)
0x619000015980 is located 0 bytes inside of 1084-byte region [0x619000015980,0x619000015dbc)
freed by thread T0 here:
#0 0x55e7797a6046 in __interceptor_realloc (/home/user/fuzzing_gpac/gpac/bin/gcc/MP4Box+0x106046) (BuildId: 53333ca7bff59dd9a3d1b2821e7c5f3a9aac76b9)
#1 0x7f525c4f7ab6 in Media_GetSample /home/user/fuzzing_gpac/gpac/src/isomedia/media.c:619:30
#2 0x7f525c45d7b3 in gf_isom_get_sample_ex /home/user/fuzzing_gpac/gpac/src/isomedia/isom_read.c:1975:6
#3 0x7f525d05a156 in isor_reader_get_sample /home/user/fuzzing_gpac/gpac/src/filters/isoffin_read_ch.c:398:19
#4 0x7f525d04d2d5 in isoffin_process /home/user/fuzzing_gpac/gpac/src/filters/isoffin_read.c:1486:5
#5 0x7f525cdafa33 in gf_filter_process_task /home/user/fuzzing_gpac/gpac/src/filter_core/filter.c:2971:7
previously allocated by thread T0 here:
LLVMSymbolizer: error reading file: No such file or directory
#0 0x55e7797a6046 in __interceptor_realloc (/home/user/fuzzing_gpac/gpac/bin/gcc/MP4Box+0x106046) (BuildId: 53333ca7bff59dd9a3d1b2821e7c5f3a9aac76b9)
#1 0x7f525cd00add in gf_filter_pck_expand /home/user/fuzzing_gpac/gpac/src/filter_core/filter_pck.c:1846:15
#2 0x7ffd05c3a8df ([stack]+0x328df)
SUMMARY: AddressSanitizer: double-free (/home/user/fuzzing_gpac/gpac/bin/gcc/MP4Box+0x105972) (BuildId: 53333ca7bff59dd9a3d1b2821e7c5f3a9aac76b9) in free
==827317==ABORTING