CVE-2022-27147: There is a use-after-free detected by AddressSanitizer · Issue #2109 · gpac/gpac

GPAC MP4Box 1.1.0-DEV-rev1727-g8be34973d-master has a use-after-free in gf_node_get_attribute_by_tag (src/scenegraph/xml_ns.c), reachable by running MP4Box -lsr on a crafted file. The report below shows the mechanism: while a LASeR scene graph is torn down, gf_svg_node_del frees the node's attributes through gf_node_delete_attributes and then calls gf_node_free, whose listener cleanup (gf_dom_event_remove_all_listeners, then gf_dom_listener_del) looks an attribute up by tag and reads the freed 24-byte attribute record.

Description

There is a use-after-free detected by AddressSanitizer

System info

Ubuntu 20.04.2 LTS
clang version 12.0.0-++20210402082642+04ba60cfe598-1~exp1~20210402063359.71
MP4Box - GPAC version 1.1.0-DEV-rev1727-g8be34973d-master

Build command

./configure --static-mp4box --prefix=`realpath ./install` --enable-sanitizer --cc=clang --cxx=clang++

Crash command

MP4Box -lsr -out /dev/null poc_file

PoC

poc.zip

Crash output

==28733==ERROR: AddressSanitizer: heap-use-after-free on address 0x603000002bc0 at pc 0x000000721f36 bp 0x7ffec8945940 sp 0x7ffec8945938
READ of size 2 at 0x603000002bc0 thread T0
    #0 0x721f35 in gf_node_get_attribute_by_tag /programs/mp4box/builds/build10/src/scenegraph/xml_ns.c:934:18
    #1 0x70ca13 in gf_dom_listener_del /programs/mp4box/builds/build10/src/scenegraph/dom_events.c:161:6
    #2 0x70ccaa in gf_dom_event_remove_all_listeners /programs/mp4box/builds/build10/src/scenegraph/dom_events.c:196:3
    #3 0x5c54f5 in gf_node_free /programs/mp4box/builds/build10/src/scenegraph/base_scenegraph.c:1601:4
    #4 0x6dac25 in gf_svg_node_del /programs/mp4box/builds/build10/src/scenegraph/svg_types.c:126:2
    #5 0x5bf0f1 in gf_node_unregister /programs/mp4box/builds/build10/src/scenegraph/base_scenegraph.c:761:3
    #6 0x5bfb17 in gf_sg_reset /programs/mp4box/builds/build10/src/scenegraph/base_scenegraph.c:479:3
    #7 0x5be86d in gf_sg_del /programs/mp4box/builds/build10/src/scenegraph/base_scenegraph.c:162:2
    #8 0x4eba5d in dump_isom_scene /programs/mp4box/builds/build10/applications/mp4box/filedump.c:221:2
    #9 0x4e0bda in mp4boxMain /programs/mp4box/builds/build10/applications/mp4box/main.c:6146:7
    #10 0x7f9d3ecb80b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
    #11 0x41ea6d in _start (/zhengjie/cmdline-fuzz/programs/mp4box/builds/build10/bin/gcc/MP4Box+0x41ea6d)

0x603000002bc0 is located 0 bytes inside of 24-byte region [0x603000002bc0,0x603000002bd8)
freed by thread T0 here:
    #0 0x499a62 in free (/zhengjie/cmdline-fuzz/programs/mp4box/builds/build10/bin/gcc/MP4Box+0x499a62)
    #1 0x7215a7 in gf_node_delete_attributes /programs/mp4box/builds/build10/src/scenegraph/xml_ns.c:728:3
    #2 0x6dac15 in gf_svg_node_del /programs/mp4box/builds/build10/src/scenegraph/svg_types.c:124:2
    #3 0x5bf0f1 in gf_node_unregister /programs/mp4box/builds/build10/src/scenegraph/base_scenegraph.c:761:3
    #4 0x5bfb17 in gf_sg_reset /programs/mp4box/builds/build10/src/scenegraph/base_scenegraph.c:479:3
    #5 0x5be86d in gf_sg_del /programs/mp4box/builds/build10/src/scenegraph/base_scenegraph.c:162:2
    #6 0x4eba5d in dump_isom_scene /programs/mp4box/builds/build10/applications/mp4box/filedump.c:221:2
    #7 0x4e0bda in mp4boxMain /programs/mp4box/builds/build10/applications/mp4box/main.c:6146:7
    #8 0x7f9d3ecb80b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)

previously allocated by thread T0 here:
    #0 0x499ccd in malloc (/zhengjie/cmdline-fuzz/programs/mp4box/builds/build10/bin/gcc/MP4Box+0x499ccd)
    #1 0x72217c in gf_node_create_attribute_from_datatype /programs/mp4box/builds/build10/src/scenegraph/xml_ns.c:737:2
    #2 0x72217c in gf_xml_create_attribute /programs/mp4box/builds/build10/src/scenegraph/xml_ns.c:541:9
    #3 0x72217c in gf_node_get_attribute_by_tag /programs/mp4box/builds/build10/src/scenegraph/xml_ns.c:946:9
    #4 0xaf1c3f in lsr_read_rare_full /programs/mp4box/builds/build10/src/laser/lsr_dec.c:1446:21
    #5 0xaf01c7 in lsr_read_listener /programs/mp4box/builds/build10/src/laser/lsr_dec.c:4355:2
    #6 0xb00747 in lsr_read_scene_content_model /programs/mp4box/builds/build10/src/laser/lsr_dec.c:4600:7
    #7 0xaff8a0 in lsr_read_group_content /programs/mp4box/builds/build10/src/laser/lsr_dec.c:4785:8
    #8 0xaeb4d9 in lsr_read_rectClip /programs/mp4box/builds/build10/src/laser/lsr_dec.c:3987:2
    #9 0xb00752 in lsr_read_scene_content_model /programs/mp4box/builds/build10/src/laser/lsr_dec.c:4519:7
    #10 0xaff8a0 in lsr_read_group_content /programs/mp4box/builds/build10/src/laser/lsr_dec.c:4785:8
    #11 0xae55a4 in lsr_read_svg /programs/mp4box/builds/build10/src/laser/lsr_dec.c:4192:2
    #12 0xadf7ae in lsr_read_command_list /programs/mp4box/builds/build10/src/laser/lsr_dec.c:5886:9
    #13 0xaddbfb in lsr_decode_laser_unit /programs/mp4box/builds/build10/src/laser/lsr_dec.c:6133:6
    #14 0xade67f in gf_laser_decode_command_list /programs/mp4box/builds/build10/src/laser/lsr_dec.c:230:6
    #15 0xa356af in gf_sm_load_run_isom /programs/mp4box/builds/build10/src/scene_manager/loader_isom.c:307:10
    #16 0x4eb9a1 in dump_isom_scene /programs/mp4box/builds/build10/applications/mp4box/filedump.c:203:14
    #17 0x4e0bda in mp4boxMain /programs/mp4box/builds/build10/applications/mp4box/main.c:6146:7
    #18 0x7f9d3ecb80b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)

SUMMARY: AddressSanitizer: heap-use-after-free /programs/mp4box/builds/build10/src/scenegraph/xml_ns.c:934:18 in gf_node_get_attribute_by_tag
Shadow bytes around the buggy address:
  0x0c067fff8520: fd fa fa fa fd fd fd fa fa fa fd fd fd fa fa fa
  0x0c067fff8530: fd fd fd fa fa fa fd fd fd fa fa fa fd fd fd fa
  0x0c067fff8540: fa fa fd fd fd fa fa fa fd fd fd fd fa fa fd fd
  0x0c067fff8550: fd fa fa fa fd fd fd fa fa fa fd fd fd fd fa fa
  0x0c067fff8560: fd fd fd fa fa fa fd fd fd fa fa fa 00 00 00 fa
=>0x0c067fff8570: fa fa fd fd fd fd fa fa[fd]fd fd fa fa fa fd fd
  0x0c067fff8580: fd fd fa fa fd fd fd fa fa fa fd fd fd fa fa fa
  0x0c067fff8590: fd fd fd fa fa fa fd fd fd fa fa fa fd fd fd fa
  0x0c067fff85a0: fa fa fd fd fd fa fa fa fd fd fd fa fa fa fd fd
  0x0c067fff85b0: fd fa fa fa fd fd fd fa fa fa fd fd fd fa fa fa
  0x0c067fff85c0: fd fd fd fa fa fa fd fd fd fd fa fa fd fd fd fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==28733==ABORTING
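The "freed by" and "READ of size 2" stacks above describe an ordering bug in node teardown: the attribute list is released (gf_node_delete_attributes, called from gf_svg_node_del at svg_types.c:124) before the listener cleanup that still looks attributes up by tag runs (gf_node_free at svg_types.c:126). The program below is an added illustration of that bug class and of the ordering fix in a deliberately simplified model. It is not GPAC's code: node_t, attr_t, get_attribute_by_tag, remove_all_listeners, node_del_buggy and node_del_fixed are hypothetical names chosen to mirror the roles in the trace, and the sample node is constructed inline.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical model of the ownership relation visible in the report, not
 * GPAC's own structures: a node owns a singly linked attribute list, and
 * removing an event listener looks an attribute up by its tag. */
enum { TAG_LISTENER_EVENT = 0x10, TAG_LISTENER_HANDLER = 0x11 };

typedef struct attr {
    uint16_t tag;            /* the 2-byte field the report shows being read */
    const char *value;       /* points at static text, nothing to free */
    struct attr *next;
} attr_t;

typedef struct node {
    attr_t *attributes;
    int listener_count;
} node_t;

/* Walks the list and dereferences every entry, so it is only safe while the
 * attributes are live. In node_del_buggy this is the read ASan flags. */
static attr_t *get_attribute_by_tag(node_t *n, uint16_t tag) {
    for (attr_t *a = n->attributes; a; a = a->next)
        if (a->tag == tag) return a;
    return NULL;
}

static void add_attribute(node_t *n, uint16_t tag, const char *value) {
    attr_t *a = malloc(sizeof *a);
    if (!a) abort();
    a->tag = tag;
    a->value = value;
    a->next = n->attributes;
    n->attributes = a;
}

/* Frees every attribute. The head pointer is deliberately left dangling to
 * model the report, where the freed region is still reached afterwards. */
static void delete_attributes(node_t *n) {
    attr_t *a = n->attributes;
    while (a) {
        attr_t *next = a->next;
        free(a);
        a = next;
    }
}

/* Removes every listener; each removal consults the node's attributes.
 * Returns how many listeners still resolved their handler attribute. */
static int remove_all_listeners(node_t *n) {
    int resolved = 0;
    while (n->listener_count > 0) {
        if (get_attribute_by_tag(n, TAG_LISTENER_HANDLER))
            resolved++;
        n->listener_count--;
    }
    return resolved;
}

/* Buggy order, mirroring the two stacks in the report: attributes are freed
 * first (the "freed by" stack), then listener removal reads them (the "READ
 * of size 2" stack). Built with -fsanitize=address this aborts with
 * heap-use-after-free. It is never called from the checked path. */
static int node_del_buggy(node_t *n) {
    delete_attributes(n);
    int resolved = remove_all_listeners(n);
    free(n);
    return resolved;
}

/* Fixed order: tear down the listeners while the attributes they look up are
 * still live, then free the attributes. */
static int node_del_fixed(node_t *n) {
    int resolved = remove_all_listeners(n);
    delete_attributes(n);
    free(n);
    return resolved;
}

/* Constructed sample: one node with two attributes and two registered
 * listeners, standing in for the LASeR listener element the allocation stack
 * shows being built in lsr_read_listener. */
static node_t *make_sample_listener_node(void) {
    node_t *n = calloc(1, sizeof *n);
    if (!n) abort();
    add_attribute(n, TAG_LISTENER_EVENT, "click");
    add_attribute(n, TAG_LISTENER_HANDLER, "#handler1");
    n->listener_count = 2;
    return n;
}

int main(int argc, char **argv) {
    /* Pass "buggy" as the first argument under ASan to reproduce the report shape. */
    int buggy = argc > 1 && strcmp(argv[1], "buggy") == 0;
    node_t *n = make_sample_listener_node();
    int resolved = buggy ? node_del_buggy(n) : node_del_fixed(n);
    printf("%s teardown: %d listener(s) resolved their handler attribute\n",
           buggy ? "buggy" : "fixed", resolved);
    return 0;
}
```

Compile with `clang -g -fsanitize=address` and run with `buggy` to get a heap-use-after-free report whose shape matches the one above (a 2-byte read of the tag field inside a freed region, freed by delete_attributes and read by get_attribute_by_tag); without the argument the fixed ordering runs cleanly. The general lesson for review is the same as for the GPAC trace: any destructor that frees a sub-object and then calls further cleanup on the parent must order those steps so nothing downstream can still reach the freed memory.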
