CVE-2019-20161: AddressSanitizer: heap-buffer-overflow in ReadGF_IPMPX_WatermarkingInit at ipmpx_code.c:1517 · Issue #1320 · gpac/gpac

An issue was discovered in GPAC version 0.8.0 and 0.9.0-development-20191109. There is a heap-based buffer overflow in the function ReadGF_IPMPX_WatermarkingInit() in odf/ipmpx_code.c.


System info:
Ubuntu 16.04.6 LTS, X64, gcc 5.4.0, gpac (master 6ada10e)
Compile Command:

$ CC="gcc -fsanitize=address -g" CXX="g++ -fsanitize=address -g" ./configure --static-mp4box
$ make

Run Command:

$ MP4Box -diso -out /dev/null $POC-ReadGF_IPMPX_WatermarkingInit

POC file:
https://github.com/Clingto/POC/blob/master/gpac-MP4Box/POC-ReadGF_IPMPX_WatermarkingInit
ASAN info:

==26293==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000efb1 at pc 0x7ffff6ef6904 bp 0x7fffffff7e90 sp 0x7fffffff7638
WRITE of size 40 at 0x60200000efb1 thread T0
    #0 0x7ffff6ef6903 in __asan_memcpy (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x8c903)
    #1 0x4709b5 in memcpy /usr/include/x86_64-linux-gnu/bits/string3.h:53
    #2 0x4709b5 in gf_bs_read_data utils/bitstream.c:461
    #3 0x7bc40d in ReadGF_IPMPX_WatermarkingInit odf/ipmpx_code.c:1517
    #4 0x7bc40d in GF_IPMPX_ReadData odf/ipmpx_code.c:2020
    #5 0x7beab7 in gf_ipmpx_data_parse odf/ipmpx_code.c:293
    #6 0x7a97c9 in gf_odf_read_ipmp odf/odf_code.c:2426
    #7 0x795b43 in gf_odf_parse_descriptor odf/descriptors.c:159
    #8 0x7afa76 in gf_odf_desc_read odf/odf_codec.c:302
    #9 0xad3e13 in esds_Read isomedia/box_code_base.c:1256
    #10 0x6c5114 in gf_isom_box_read isomedia/box_funcs.c:1528
    #11 0x6c5114 in gf_isom_box_parse_ex isomedia/box_funcs.c:208
    #12 0x6c5974 in gf_isom_parse_root_box isomedia/box_funcs.c:42
    #13 0x6da6a0 in gf_isom_parse_movie_boxes isomedia/isom_intern.c:206
    #14 0x6dd2f3 in gf_isom_parse_movie_boxes isomedia/isom_intern.c:194
    #15 0x6dd2f3 in gf_isom_open_file isomedia/isom_intern.c:615
    #16 0x42f88a in mp4boxMain /home/aota09/yyp/fuzzcompare/test/gpac/test-crash/build_asan/applications/mp4box/main.c:4767
    #17 0x7ffff638082f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #18 0x41e228 in _start (/home/aota09/yyp/fuzzcompare/test/gpac/test-crash/bin_asan/bin/MP4Box+0x41e228)

0x60200000efb1 is located 0 bytes to the right of 1-byte region [0x60200000efb0,0x60200000efb1)
allocated by thread T0 here:
    #0 0x7ffff6f02602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
    #1 0x7bc3bf in ReadGF_IPMPX_WatermarkingInit odf/ipmpx_code.c:1516
    #2 0x7bc3bf in GF_IPMPX_ReadData odf/ipmpx_code.c:2020

SUMMARY: AddressSanitizer: heap-buffer-overflow ??:0 __asan_memcpy
Shadow bytes around the buggy address:
  0x0c047fff9da0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9db0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9dc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9dd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9de0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c047fff9df0: fa fa fa fa fa fa[01]fa fa fa 00 00 fa fa 00 00
  0x0c047fff9e00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9e10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9e20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9e30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9e40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
==26293==ABORTING

gdb info:

7ffff70cd000-7ffff72cc000 ---p 00016000 08:02 67633677 /lib/x86_64-linux-gnu/libgcc_s.so.1
7ffff72cc000-7ffff72cd000 rw-p 00015000 08:02 67633677 /lib/x86_64-linux-gnu/libgcc_s.so.1
7ffff72cd000-7ffff748d000 r-xp 00000000 08:02 67637542 /lib/x86_64-linux-gnu/libc-2.23.so
7ffff748d000-7ffff768d000 ---p 001c0000 08:02 67637542 /lib/x86_64-linux-gnu/libc-2.23.so
7ffff768d000-7ffff7691000 r--p 001c0000 08:02 67637542 /lib/x86_64-linux-gnu/libc-2.23.so
7ffff7691000-7ffff7693000 rw-p 001c4000 08:02 67637542 /lib/x86_64-linux-gnu/libc-2.23.so
7ffff7693000-7ffff7697000 rw-p 00000000 00:00 0
7ffff7697000-7ffff76b0000 r-xp 00000000 08:02 67633774 /lib/x86_64-linux-gnu/libz.so.1.2.8
7ffff76b0000-7ffff78af000 ---p 00019000 08:02 67633774 /lib/x86_64-linux-gnu/libz.so.1.2.8
7ffff78af000-7ffff78b0000 r--p 00018000 08:02 67633774 /lib/x86_64-linux-gnu/libz.so.1.2.8
7ffff78b0000-7ffff78b1000 rw-p 00019000 08:02 67633774 /lib/x86_64-linux-gnu/libz.so.1.2.8
7ffff78b1000-7ffff79b9000 r-xp 00000000 08:02 67637545 /lib/x86_64-linux-gnu/libm-2.23.so
7ffff79b9000-7ffff7bb8000 ---p 00108000 08:02 67637545 /lib/x86_64-linux-gnu/libm-2.23.so
7ffff7bb8000-7ffff7bb9000 r--p 00107000 08:02 67637545 /lib/x86_64-linux-gnu/libm-2.23.so
7ffff7bb9000-7ffff7bba000 rw-p 00108000 08:02 67637545 /lib/x86_64-linux-gnu/libm-2.23.so
7ffff7bba000-7ffff7bd2000 r-xp 00000000 08:02 67637529 /lib/x86_64-linux-gnu/libpthread-2.23.so
7ffff7bd2000-7ffff7dd1000 ---p 00018000 08:02 67637529 /lib/x86_64-linux-gnu/libpthread-2.23.so
7ffff7dd1000-7ffff7dd2000 r--p 00017000 08:02 67637529 /lib/x86_64-linux-gnu/libpthread-2.23.so
7ffff7dd2000-7ffff7dd3000 rw-p 00018000 08:02 67637529 /lib/x86_64-linux-gnu/libpthread-2.23.so
7ffff7dd3000-7ffff7dd7000 rw-p 00000000 00:00 0
7ffff7dd7000-7ffff7dfd000 r-xp 00000000 08:02 67637528 /lib/x86_64-linux-gnu/ld-2.23.so
7ffff7fe3000-7ffff7fe8000 rw-p 00000000 00:00 0
7ffff7ff7000-7ffff7ff8000 rw-p 00000000 00:00 0
7ffff7ff8000-7ffff7ffa000 r--p 00000000 00:00 0 [vvar]
7ffff7ffa000-7ffff7ffc000 r-xp 00000000 00:00 0 [vdso]
7ffff7ffc000-7ffff7ffd000 r--p 00025000 08:02 67637528 /lib/x86_64-linux-gnu/ld-2.23.so
7ffff7ffd000-7ffff7ffe000 rw-p 00026000 08:02 67637528 /lib/x86_64-linux-gnu/ld-2.23.so
7ffff7ffe000-7ffff7fff000 rw-p 00000000 00:00 0
7ffffffde000-7ffffffff000 rw-p 00000000 00:00 0 [stack]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0 [vsyscall]

Program received signal SIGABRT, Aborted.
0x00007ffff7302428 in __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:54
54	../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
(gdb) bt
#0  0x00007ffff7302428 in __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:54
#1  0x00007ffff730402a in __GI_abort () at abort.c:89
#2  0x00007ffff73447ea in __libc_message (do_abort=do_abort@entry=2, fmt=fmt@entry=0x7ffff745ded8 "*** Error in `%s': %s: 0x%s ***\n") at ../sysdeps/posix/libc_fatal.c:175
#3  0x00007ffff734d37a in malloc_printerr (ar_ptr=<optimized out>, ptr=<optimized out>, str=0x7ffff745df50 "free(): invalid next size (fast)", action=3) at malloc.c:5006
#4  _int_free (av=<optimized out>, p=<optimized out>, have_lock=0) at malloc.c:3867
#5  0x00007ffff735153c in __GI___libc_free (mem=<optimized out>) at malloc.c:2968
#6  0x0000000000568b82 in DelGF_IPMPX_OpaqueData (_p=<optimized out>) at odf/ipmpx_code.c:1205
#7  gf_ipmpx_data_del (_p=_p@entry=0x9cc760) at odf/ipmpx_code.c:1835
#8  0x00000000005624bd in gf_odf_del_ipmp (ipmp=0x9cc670) at odf/odf_code.c:2390
#9  0x000000000055a031 in gf_odf_parse_descriptor (bs=bs@entry=0x9cc610, desc=desc@entry=0x9cc578, desc_size=desc_size@entry=0x7fffffff9694) at odf/descriptors.c:176
#10 0x0000000000564f7b in gf_odf_desc_read (raw_desc=raw_desc@entry=0x9cc590 "\v@\377\377\377\377", descSize=descSize@entry=108, outDesc=outDesc@entry=0x9cc578) at odf/odf_codec.c:302
#11 0x00000000006ca6f4 in esds_Read (s=0x9cc550, bs=0x9cb460) at isomedia/box_code_base.c:1256
#12 0x00000000005137e1 in gf_isom_box_read (bs=0x9cb460, a=0x9cc550) at isomedia/box_funcs.c:1528
#13 gf_isom_box_parse_ex (outBox=outBox@entry=0x7fffffff9800, bs=bs@entry=0x9cb460, is_root_box=is_root_box@entry=GF_TRUE, parent_type=0) at isomedia/box_funcs.c:208
#14 0x0000000000513e15 in gf_isom_parse_root_box (outBox=outBox@entry=0x7fffffff9800, bs=0x9cb460, bytesExpected=bytesExpected@entry=0x7fffffff9850, progressive_mode=progressive_mode@entry=GF_FALSE) at isomedia/box_funcs.c:42
#15 0x000000000051b4fe in gf_isom_parse_movie_boxes (mov=mov@entry=0x9cb010, bytesMissing=bytesMissing@entry=0x7fffffff9850, progressive_mode=progressive_mode@entry=GF_FALSE) at isomedia/isom_intern.c:206
#16 0x000000000051c48c in gf_isom_parse_movie_boxes (progressive_mode=GF_FALSE, bytesMissing=0x7fffffff9850, mov=0x9cb010) at isomedia/isom_intern.c:194
#17 gf_isom_open_file (fileName=0x7fffffffe627 "./real-crashs/POC-ReadGF_IPMPX_WatermarkingInit", OpenMode=0, tmp_dir=0x0) at isomedia/isom_intern.c:615
#18 0x000000000041c082 in mp4boxMain (argc=<optimized out>, argv=<optimized out>) at main.c:4767
#19 0x00007ffff72ed830 in __libc_start_main (main=0x40eb70 <main>, argc=5, argv=0x7fffffffe358, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe348) at ../csu/libc-start.c:291
#20 0x000000000040eba9 in _start ()

Edit

This issue still exists in the latest versions: 0.8.0 (4c19ae5) and 0.9.0 (1de1f8d).

Addition: This bug was found with our fuzzer, which is based on AFL. Our fuzzer is developed by Yuanpingyu ([email protected]), Yanhao and Marsman1996 ([email protected]).
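The two traces above show the same defect from opposite ends. The ASAN run stops at the memcpy inside gf_bs_read_data (frame #2) because the destination allocated one line earlier, at ipmpx_code.c:1516, is a 1-byte region and the copy is 40 bytes; gf_bs_read_data only bounds the copy against the source bitstream, so it cannot notice that the destination is too small. The uninstrumented gdb run survives that write, since the extra bytes land in the neighbouring heap chunk's header, and only aborts later with "free(): invalid next size (fast)" when glibc frees the corrupted chunk during DelGF_IPMPX_OpaqueData cleanup. The C below is an added illustration, not GPAC code and not the actual root cause inside ReadGF_IPMPX_WatermarkingInit (which this report does not show): a bitstream reader with the same source-only bound as gf_bs_read_data, a hypothetical record layout in which the allocation and the copy are sized from two different fields so that a constructed sample yields exactly malloc(1) followed by a 40-byte memcpy, and the hardened reader that derives both sizes from one validated length. Every name, the record layout, the WM_MAX_PAYLOAD cap and the sample bytes are assumptions made for the example.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Read-only bitstream with the contract of gf_bs_read_data(): the copy is
 * bounded by the SOURCE only; nothing here knows how big the destination is. */
typedef struct { const uint8_t *data; size_t size; size_t pos; } bs_t;

static size_t bs_read_data(bs_t *bs, uint8_t *dst, size_t n)
{
    if (n > bs->size - bs->pos) return 0;   /* never read past the input */
    memcpy(dst, bs->data + bs->pos, n);     /* the memcpy of ASAN frames #1/#2 */
    bs->pos += n;
    return n;
}

/* Constructed record layout for this demo (not the IPMPX wire format):
 * u8 buf_len, u16 big-endian payload_len, then payload_len bytes. */
typedef struct { uint8_t buf_len; uint16_t payload_len; } wm_hdr_t;
typedef struct { uint16_t payload_len; uint8_t *payload; } wm_init_t;

static int read_hdr(bs_t *bs, wm_hdr_t *h)
{
    uint8_t b[2];
    if (bs_read_data(bs, &h->buf_len, 1) != 1 || bs_read_data(bs, b, 2) != 2) return 0;
    h->payload_len = (uint16_t)((b[0] << 8) | b[1]);
    return 1;
}

/* Hypothetical buggy reader: allocation sized from buf_len, copy sized from
 * payload_len. On the sample below that is malloc(1) then a 40-byte memcpy,
 * the "WRITE of size 40 ... 1-byte region" signature ASAN printed above.
 * Uninstrumented, the extra bytes clobber the next chunk's header and glibc
 * only notices later in free(). Nothing in this file runs it on the sample. */
int read_wm_init_unsafe(bs_t *bs, wm_init_t *p)
{
    wm_hdr_t h;
    if (!read_hdr(bs, &h)) return -1;
    p->payload_len = h.payload_len;
    p->payload = malloc(h.buf_len);                        /* field 1 */
    if (!p->payload) return -1;
    return bs_read_data(bs, p->payload, h.payload_len)     /* field 2 */
           == h.payload_len ? 0 : -1;
}

/* Hardened reader: one length drives both the allocation and the copy, checked
 * against a policy cap and the bytes left in the input before any memory is
 * touched; buf_len is consumed but never trusted as a size. */
#define WM_MAX_PAYLOAD 4096u

int read_wm_init_safe(bs_t *bs, wm_init_t *p)
{
    wm_hdr_t h;
    p->payload = NULL;
    p->payload_len = 0;
    if (!read_hdr(bs, &h)) return -1;
    if (h.payload_len > WM_MAX_PAYLOAD) return -1;           /* unreasonable */
    if (h.payload_len > bs->size - bs->pos) return -1;       /* truncated */
    p->payload = malloc(h.payload_len ? h.payload_len : 1);  /* avoid malloc(0) */
    if (!p->payload) return -1;
    if (bs_read_data(bs, p->payload, h.payload_len) != h.payload_len) {
        free(p->payload); p->payload = NULL; return -1;
    }
    p->payload_len = h.payload_len;
    return 0;
}

/* Constructed sample: buf_len = 1, payload_len = declared, then 40 x 0x41. */
#define SAMPLE_LEN (3 + 40)
static void build_sample(uint8_t out[SAMPLE_LEN], unsigned declared)
{
    out[0] = 1;
    out[1] = (uint8_t)(declared >> 8);
    out[2] = (uint8_t)(declared & 0xff);
    memset(out + 3, 0x41, 40);
}

/* Size the buggy reader would hand to memcpy (copy != 0) or malloc (copy == 0)
 * on the sample, or -1 if the header cannot be read. */
long unsafe_size(int copy)
{
    uint8_t buf[SAMPLE_LEN]; wm_hdr_t h;
    build_sample(buf, 40);
    bs_t bs = { buf, SAMPLE_LEN, 0 };
    if (!read_hdr(&bs, &h)) return -1;
    return copy ? (long)h.payload_len : (long)h.buf_len;
}

/* Hardened reader's verdict on a record declaring `declared` bytes but carrying
 * 40: 0 accepted with payload intact, -1 rejected, -2 accepted but mangled. */
int safe_status_for(unsigned declared)
{
    uint8_t buf[SAMPLE_LEN]; wm_init_t p;
    build_sample(buf, declared);
    bs_t bs = { buf, SAMPLE_LEN, 0 };
    int rc = read_wm_init_safe(&bs, &p);
    if (rc == 0 && (p.payload_len != declared || p.payload[0] != 0x41)) rc = -2;
    free(p.payload);
    return rc;
}
```

On the sample, unsafe_size(0) is 1 and unsafe_size(1) is 40, the same pair of numbers as in the ASAN report; the hardened reader accepts the consistent 40-byte record, and refuses a record that declares 1000 bytes with only 40 present or 5000 bytes beyond the cap, before allocating. To see the report shape reproduced, build this file with the same gcc -fsanitize=address -g flags used above and call read_wm_init_unsafe on the sample: ASAN reports a WRITE of size 40 into a 1-byte region at the memcpy in bs_read_data.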
