Headline
CVE-2020-23931: A heap-buffer-overflow in box_code_adobe.c:155 · Issue #1567 · gpac/gpac
An issue was discovered in gpac before 1.0.1. The abst_box_read function in box_code_adobe.c has a heap-based buffer over-read.
CFLAGS="-g -fsanitize=address" LDFLAGS="-fsanitize=address" ./configure --static-mp4box
=================================================================
==38343==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60600000ec94 at pc 0x7f6ebd7a53d5 bp 0x7ffd9261d2c0 sp 0x7ffd9261ca68
READ of size 53 at 0x60600000ec94 thread T0
#0 0x7f6ebd7a53d4 in strdup (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x623d4)
#1 0x562152c228bf in abst_box_read isomedia/box_code_adobe.c:155
#2 0x562152a11b64 in gf_isom_box_read isomedia/box_funcs.c:1681
#3 0x562152a11b64 in gf_isom_box_parse_ex isomedia/box_funcs.c:259
#4 0x562152a13041 in gf_isom_parse_root_box isomedia/box_funcs.c:38
#5 0x562152a4a6f5 in gf_isom_parse_movie_boxes isomedia/isom_intern.c:259
#6 0x562152a55951 in gf_isom_parse_movie_boxes isomedia/isom_intern.c:247
#7 0x562152a55951 in gf_isom_open_file isomedia/isom_intern.c:740
#8 0x56215237f7e3 in mp4boxMain /home/seviezhou/gpac/applications/mp4box/main.c:5331
#9 0x7f6ebc76fb96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
#10 0x562152350f09 in _start (/home/seviezhou/gpac/bin/gcc/MP4Box+0x27ff09)
0x60600000ec94 is located 0 bytes to the right of 52-byte region [0x60600000ec60,0x60600000ec94)
allocated by thread T0 here:
#0 0x7f6ebd7db612 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98612)
#1 0x562152c203a9 in abst_box_read isomedia/box_code_adobe.c:97
SUMMARY: AddressSanitizer: heap-buffer-overflow ??:0 strdup
Shadow bytes around the buggy address:
0x0c0c7fff9d40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0c7fff9d50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0c7fff9d60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0c7fff9d70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0c7fff9d80: fa fa fa fa fa fa fa fa fa fa fa fa 00 00 00 00
=>0x0c0c7fff9d90: 00 00[04]fa fa fa fa fa 00 00 00 00 00 00 00 fa
0x0c0c7fff9da0: fa fa fa fa 00 00 00 00 00 00 00 fa fa fa fa fa
0x0c0c7fff9db0: 00 00 00 00 00 00 00 03 fa fa fa fa 00 00 00 00
0x0c0c7fff9dc0: 00 00 02 fa fa fa fa fa fd fd fd fd fd fd fd fd
0x0c0c7fff9dd0: fa fa fa fa fd fd fd fd fd fd fd fa fa fa fa fa
0x0c0c7fff9de0: fd fd fd fd fd fd fd fd fa fa fa fa 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
==38343==ABORTING