dimC_Read in isomedia/box_code_3gpp.c in GPAC 0.8.0 has a stack-based buffer overflow.

Thanks for reporting your issue. Please make sure these boxes are checked before submitting your issue - thank you!

A crafted input will lead to crash in box\_code\_3gpp.c at gpac 0.8.0.

    ./MP4Box -diso 011-stack-dimC_Read1000 -out /dev/null 
    =================================================================
    ==3045==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fff6e0d88d0 at pc 0x564b9b2d69fb bp 0x7fff6e0d8480 sp 0x7fff6e0d8470
    WRITE of size 1 at 0x7fff6e0d88d0 thread T0
        #0 0x564b9b2d69fa in dimC_Read isomedia/box_code_3gpp.c:1000
        #1 0x564b9ae5bb35 in gf_isom_box_read isomedia/box_funcs.c:1528
        #2 0x564b9ae5bb35 in gf_isom_box_parse_ex isomedia/box_funcs.c:208
        #3 0x564b9ae5c1e4 in gf_isom_parse_root_box isomedia/box_funcs.c:42
        #4 0x564b9ae72f44 in gf_isom_parse_movie_boxes isomedia/isom_intern.c:206
        #5 0x564b9ae75bca in gf_isom_open_file isomedia/isom_intern.c:615
        #6 0x564b9abbe852 in mp4boxMain /home/liuz/gpac-master/applications/mp4box/main.c:4767
        #7 0x7f4b5d817b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
        #8 0x564b9abafb19 in _start (/usr/local/gpac-asan3/bin/MP4Box+0x163b19)
    
    Address 0x7fff6e0d88d0 is located in stack of thread T0 at offset 1056 in frame
        #0 0x564b9b2d641f in dimC_Read isomedia/box_code_3gpp.c:983
    
      This frame has 1 object(s):
        [32, 1056) 'str' <== Memory access at offset 1056 overflows this variable
    HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
          (longjmp and C++ exceptions *are* supported)
    SUMMARY: AddressSanitizer: stack-buffer-overflow isomedia/box_code_3gpp.c:1000 in dimC_Read
    Shadow bytes around the buggy address:
      0x10006dc130c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x10006dc130d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x10006dc130e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x10006dc130f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x10006dc13100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    =>0x10006dc13110: 00 00 00 00 00 00 00 00 00 00[f3]f3 f3 f3 00 00
      0x10006dc13120: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x10006dc13130: 00 00 00 00 f1 f1 f1 f1 00 00 f2 f2 00 00 00 00
      0x10006dc13140: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x10006dc13150: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x10006dc13160: 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1 04 f2
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
    ==3045==ABORTING

CVE-2019-20208: There is a stack-buffer-overflow in the dimC_Read function of box_code_3gpp.c:1000 · Issue #1348 · gpac/gpac

An issue was discovered in GPAC version 0.8.0 and 0.9.0-development-20191109. There is an invalid pointer dereference in the function GF_IPMPX_AUTH_Delete() in odf/ipmpx_code.c.

System info:  
Ubuntu 16.04.6 LTS, X64, gcc 5.4.0, gpac (latest master 00dfc93)  
Compile Command:

    $ CC="gcc -fsanitize=address -g" CXX="g++ -fsanitize=address -g" ./configure --static-mp4box
    $ make
    

Run Command:

    $ MP4Box -diso -out /dev/null $POC-new-GF_IPMPX_AUTH_Delete
    

POC file:  
https://github.com/Clingto/POC/blob/master/gpac-MP4Box/gpac-00dfc93-crashes/POC-new-GF\_IPMPX\_AUTH\_Delete

gdb info:

Program received signal SIGSEGV, Segmentation fault.
0x000000000056907e in gf\_ipmpx\_data\_del ()
(gdb) bt
#0  0x000000000056907e in gf\_ipmpx\_data\_del ()
#1  0x000000000056aa7c in gf\_ipmpx\_data\_parse ()
#2  0x000000000056274a in gf\_odf\_read\_ipmp ()
#3  0x000000000055a076 in gf\_odf\_parse\_descriptor ()
#4  0x000000000056503b in gf\_odf\_desc\_read ()
#5  0x00000000006ca7b4 in esds\_Read ()
#6  0x00000000005137e1 in gf\_isom\_box\_parse\_ex.constprop ()
#7  0x0000000000513e15 in gf\_isom\_parse\_root\_box ()
#8  0x000000000051b4fe in gf\_isom\_parse\_movie\_boxes.part ()
#9  0x000000000051c48c in gf\_isom\_open\_file ()
#10 0x000000000041c082 in mp4boxMain ()
#11 0x00007ffff72ed830 in \_\_libc\_start\_main (main=0x40eb70 <main>, argc=5, argv=0x7fffffffe318, init=<optimized out>, fini=<optimized out>, rtld\_fini=<optimized out>, stack\_end=0x7fffffffe308) at ../csu/libc-start.c:291
#12 0x000000000040eba9 in \_start ()

ASAN info:

ASAN:SIGSEGV
=================================================================
==27770\==ERROR: AddressSanitizer: SEGV on unknown address 0x00000000000a (pc 0x0000007bacbf bp 0x00000000000a sp 0x7fffffff8020 T0)
    #0 0x7bacbe in GF\_IPMPX\_AUTH\_Delete odf/ipmpx\_code.c:115
    #1 0x7bacbe in delete\_algo\_list odf/ipmpx\_code.c:363
    #2 0x7bacbe in DelGF\_IPMPX\_MutualAuthentication odf/ipmpx\_code.c:371
    #3 0x7bacbe in gf\_ipmpx\_data\_del odf/ipmpx\_code.c:1853
    #4 0x7bec88 in gf\_ipmpx\_data\_parse odf/ipmpx\_code.c:295
    #5 0x7a9969 in gf\_odf\_read\_ipmp odf/odf\_code.c:2426
    #6 0x795ce3 in gf\_odf\_parse\_descriptor odf/descriptors.c:159
    #7 0x7afc16 in gf\_odf\_desc\_read odf/odf\_codec.c:302
    #8 0xad3fb3 in esds\_Read isomedia/box\_code\_base.c:1256
    #9 0x6c5114 in gf\_isom\_box\_read isomedia/box\_funcs.c:1528
    #10 0x6c5114 in gf\_isom\_box\_parse\_ex isomedia/box\_funcs.c:208
    #11 0x6c5974 in gf\_isom\_parse\_root\_box isomedia/box\_funcs.c:42
    #12 0x6da6a0 in gf\_isom\_parse\_movie\_boxes isomedia/isom\_intern.c:206
    #13 0x6dd2f3 in gf\_isom\_parse\_movie\_boxes isomedia/isom\_intern.c:194
    #14 0x6dd2f3 in gf\_isom\_open\_file isomedia/isom\_intern.c:615
    #15 0x42f88a in mp4boxMain /home/aota09/yyp/fuzzcompare/test/gpac/test-crash/build\_asan\_00dfc93/applications/mp4box/main.c:4767
    #16 0x7ffff638082f in \_\_libc\_start\_main (/lib/x86\_64-linux-gnu/libc.so.6+0x2082f)
    #17 0x41e228 in \_start (/home/aota09/yyp/fuzzcompare/test/gpac/test-crash/bin\_asan/bin/MP4Box+0x41e228)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV odf/ipmpx\_code.c:115 GF\_IPMPX\_AUTH\_Delete
==27770==ABORTING

**Edit**

This bug issue still exists in latest version 0.8.0: 4c19ae5 and 0.9.0: 1de1f8d

Addition: This bug was found with our fuzzer, which is based on AFL. Our fuzzer is developed by Yuanpingyu(cfenicey@gmail.com) 、Yanhao and Marsman1996(lqliuyuwei@outlook.com)

CVE-2019-20170: AddressSanitizer: heap-use-after-free in GF_IPMPX_AUTH_Delete odf/ipmpx_code.c:115 · Issue #1328 · gpac/gpac

An issue was discovered in GPAC version 0.8.0 and 0.9.0-development-20191109. There is a NULL pointer dereference in the function ilst_item_Read() in isomedia/box_code_apple.c.

Hello, I found a similar issue but I am not sure they are the same.  
#1263

System info:  
Ubuntu 16.04.6 LTS, X64, gcc 5.4.0, gpac (latest master 00dfc93)  
Compile Command:

    $ CC="gcc -fsanitize=address -g" CXX="g++ -fsanitize=address -g" ./configure --static-mp4box
    $ make
    

Run Command:

    $ MP4Box -diso -out /dev/null $POC-new-ilst_item_Read
    

POC file:  
https://github.com/Clingto/POC/blob/master/gpac-MP4Box/gpac-00dfc93-crashes/POC-new-ilst\_item\_Read

gdb info:

Program received signal SIGSEGV, Segmentation fault.
0x00000000006c499d in ilst\_item\_Read ()
(gdb) bt
#0  0x00000000006c499d in ilst\_item\_Read ()
#1  0x00000000005137e1 in gf\_isom\_box\_parse\_ex.constprop ()
#2  0x0000000000513e15 in gf\_isom\_parse\_root\_box ()
#3  0x000000000051b4fe in gf\_isom\_parse\_movie\_boxes.part ()
#4  0x000000000051c48c in gf\_isom\_open\_file ()
#5  0x000000000041c082 in mp4boxMain ()
#6  0x00007ffff72ed830 in \_\_libc\_start\_main (main=0x40eb70 <main>, argc=5, argv=0x7fffffffe318, init=<optimized out>, fini=<optimized out>, rtld\_fini=<optimized out>, stack\_end=0x7fffffffe308) at ../csu/libc-start.c:291
#7  0x000000000040eba9 in \_start ()

ASAN info:

ASAN:SIGSEGV
=================================================================
==27902\==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000008 (pc 0x000000ac4185 bp 0x7fffffff8230 sp 0x7fffffff8220 T0)
    #0 0xac4184 in ilst\_item\_Read isomedia/box\_code\_apple.c:119
    #1 0x6c5114 in gf\_isom\_box\_read isomedia/box\_funcs.c:1528
    #2 0x6c5114 in gf\_isom\_box\_parse\_ex isomedia/box\_funcs.c:208
    #3 0x6c5974 in gf\_isom\_parse\_root\_box isomedia/box\_funcs.c:42
    #4 0x6da6a0 in gf\_isom\_parse\_movie\_boxes isomedia/isom\_intern.c:206
    #5 0x6dd2f3 in gf\_isom\_parse\_movie\_boxes isomedia/isom\_intern.c:194
    #6 0x6dd2f3 in gf\_isom\_open\_file isomedia/isom\_intern.c:615
    #7 0x42f88a in mp4boxMain /home/aota09/yyp/fuzzcompare/test/gpac/test-crash/build\_asan\_00dfc93/applications/mp4box/main.c:4767
    #8 0x7ffff638082f in \_\_libc\_start\_main (/lib/x86\_64-linux-gnu/libc.so.6+0x2082f)
    #9 0x41e228 in \_start (/home/aota09/yyp/fuzzcompare/test/gpac/test-crash/bin\_asan/bin/MP4Box+0x41e228)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV isomedia/box\_code\_apple.c:119 ilst\_item\_Read
==27902==ABORTING

Edit

This bug issue still exists in latest version 0.8.0: 4c19ae5 and 0.9.0: 1de1f8d

Addition: This bug was found with our fuzzer, which is based on AFL. Our fuzzer is developed by Yuanpingyu(cfenicey@gmail.com) 、Yanhao and Marsman1996(lqliuyuwei@outlook.com)

CVE-2019-20165: ERROR: AddressSanitizer: NULL pointer dereference in ilst_item_Read isomedia/box_code_apple.c:119 · Issue #1338 · gpac/gpac

An issue was discovered in GPAC version 0.8.0 and 0.9.0-development-20191109. There is heap-based buffer overflow in the function ReadGF_IPMPX_WatermarkingInit() in odf/ipmpx_code.c.

System info:  
Ubuntu 16.04.6 LTS, X64, gcc 5.4.0, gpac (master 6ada10e)  
Compile Command:

    $ CC="gcc -fsanitize=address -g" CXX="g++ -fsanitize=address -g" ./configure --static-mp4box
    $ make
    

Run Command:

    $ MP4Box -diso -out /dev/null $POC-ReadGF_IPMPX_WatermarkingInit
    

POC file:  
https://github.com/Clingto/POC/blob/master/gpac-MP4Box/POC-ReadGF\_IPMPX\_WatermarkingInit  
ASAN info:

\==26293\==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000efb1 at pc 0x7ffff6ef6904 bp 0x7fffffff7e90 sp 0x7fffffff7638
WRITE of size 40 at 0x60200000efb1 thread T0
    #0 0x7ffff6ef6903 in \_\_asan\_memcpy (/usr/lib/x86\_64-linux-gnu/libasan.so.2+0x8c903)
    #1 0x4709b5 in memcpy /usr/include/x86\_64-linux-gnu/bits/string3.h:53
    #2 0x4709b5 in gf\_bs\_read\_data utils/bitstream.c:461
    #3 0x7bc40d in ReadGF\_IPMPX\_WatermarkingInit odf/ipmpx\_code.c:1517
    #4 0x7bc40d in GF\_IPMPX\_ReadData odf/ipmpx\_code.c:2020
    #5 0x7beab7 in gf\_ipmpx\_data\_parse odf/ipmpx\_code.c:293
    #6 0x7a97c9 in gf\_odf\_read\_ipmp odf/odf\_code.c:2426
    #7 0x795b43 in gf\_odf\_parse\_descriptor odf/descriptors.c:159
    #8 0x7afa76 in gf\_odf\_desc\_read odf/odf\_codec.c:302
    #9 0xad3e13 in esds\_Read isomedia/box\_code\_base.c:1256
    #10 0x6c5114 in gf\_isom\_box\_read isomedia/box\_funcs.c:1528
    #11 0x6c5114 in gf\_isom\_box\_parse\_ex isomedia/box\_funcs.c:208
    #12 0x6c5974 in gf\_isom\_parse\_root\_box isomedia/box\_funcs.c:42
    #13 0x6da6a0 in gf\_isom\_parse\_movie\_boxes isomedia/isom\_intern.c:206
    #14 0x6dd2f3 in gf\_isom\_parse\_movie\_boxes isomedia/isom\_intern.c:194
    #15 0x6dd2f3 in gf\_isom\_open\_file isomedia/isom\_intern.c:615
    #16 0x42f88a in mp4boxMain /home/aota09/yyp/fuzzcompare/test/gpac/test-crash/build\_asan/applications/mp4box/main.c:4767
    #17 0x7ffff638082f in \_\_libc\_start\_main (/lib/x86\_64-linux-gnu/libc.so.6+0x2082f)
    #18 0x41e228 in \_start (/home/aota09/yyp/fuzzcompare/test/gpac/test-crash/bin\_asan/bin/MP4Box+0x41e228)

0x60200000efb1 is located 0 bytes to the right of 1-byte region \[0x60200000efb0,0x60200000efb1)
allocated by thread T0 here:
    #0 0x7ffff6f02602 in malloc (/usr/lib/x86\_64-linux-gnu/libasan.so.2+0x98602)
    #1 0x7bc3bf in ReadGF\_IPMPX\_WatermarkingInit odf/ipmpx\_code.c:1516
    #2 0x7bc3bf in GF\_IPMPX\_ReadData odf/ipmpx\_code.c:2020

SUMMARY: AddressSanitizer: heap-buffer-overflow ??:0 \_\_asan\_memcpy
Shadow bytes around the buggy address:
  0x0c047fff9da0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9db0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9dc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9dd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9de0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c047fff9df0: fa fa fa fa fa fa\[01\]fa fa fa 00 00 fa fa 00 00
  0x0c047fff9e00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9e10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9e20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9e30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9e40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
==26293==ABORTING

gdb info:

7ffff70cd000-7ffff72cc000 ---p 00016000 08:02 67633677                   /lib/x86\_64-linux-gnu/libgcc\_s.so.1
7ffff72cc000-7ffff72cd000 rw-p 00015000 08:02 67633677                   /lib/x86\_64-linux-gnu/libgcc\_s.so.1
7ffff72cd000-7ffff748d000 r-xp 00000000 08:02 67637542                   /lib/x86\_64-linux-gnu/libc-2.23.so
7ffff748d000-7ffff768d000 ---p 001c0000 08:02 67637542                   /lib/x86\_64-linux-gnu/libc-2.23.so
7ffff768d000-7ffff7691000 r--p 001c0000 08:02 67637542                   /lib/x86\_64-linux-gnu/libc-2.23.so
7ffff7691000-7ffff7693000 rw-p 001c4000 08:02 67637542                   /lib/x86\_64-linux-gnu/libc-2.23.so
7ffff7693000-7ffff7697000 rw-p 00000000 00:00 0
7ffff7697000-7ffff76b0000 r-xp 00000000 08:02 67633774                   /lib/x86\_64-linux-gnu/libz.so.1.2.8
7ffff76b0000-7ffff78af000 ---p 00019000 08:02 67633774                   /lib/x86\_64-linux-gnu/libz.so.1.2.8
7ffff78af000-7ffff78b0000 r--p 00018000 08:02 67633774                   /lib/x86\_64-linux-gnu/libz.so.1.2.8
7ffff78b0000-7ffff78b1000 rw-p 00019000 08:02 67633774                   /lib/x86\_64-linux-gnu/libz.so.1.2.8
7ffff78b1000-7ffff79b9000 r-xp 00000000 08:02 67637545                   /lib/x86\_64-linux-gnu/libm-2.23.so
7ffff79b9000-7ffff7bb8000 ---p 00108000 08:02 67637545                   /lib/x86\_64-linux-gnu/libm-2.23.so
7ffff7bb8000-7ffff7bb9000 r--p 00107000 08:02 67637545                   /lib/x86\_64-linux-gnu/libm-2.23.so
7ffff7bb9000-7ffff7bba000 rw-p 00108000 08:02 67637545                   /lib/x86\_64-linux-gnu/libm-2.23.so
7ffff7bba000-7ffff7bd2000 r-xp 00000000 08:02 67637529                   /lib/x86\_64-linux-gnu/libpthread-2.23.so
7ffff7bd2000-7ffff7dd1000 ---p 00018000 08:02 67637529                   /lib/x86\_64-linux-gnu/libpthread-2.23.so
7ffff7dd1000-7ffff7dd2000 r--p 00017000 08:02 67637529                   /lib/x86\_64-linux-gnu/libpthread-2.23.so
7ffff7dd2000-7ffff7dd3000 rw-p 00018000 08:02 67637529                   /lib/x86\_64-linux-gnu/libpthread-2.23.so
7ffff7dd3000-7ffff7dd7000 rw-p 00000000 00:00 0
7ffff7dd7000-7ffff7dfd000 r-xp 00000000 08:02 67637528                   /lib/x86\_64-linux-gnu/ld-2.23.so
7ffff7fe3000-7ffff7fe8000 rw-p 00000000 00:00 0
7ffff7ff7000-7ffff7ff8000 rw-p 00000000 00:00 0
7ffff7ff8000-7ffff7ffa000 r--p 00000000 00:00 0                          \[vvar\]
7ffff7ffa000-7ffff7ffc000 r-xp 00000000 00:00 0                          \[vdso\]
7ffff7ffc000-7ffff7ffd000 r--p 00025000 08:02 67637528                   /lib/x86\_64-linux-gnu/ld-2.23.so
7ffff7ffd000-7ffff7ffe000 rw-p 00026000 08:02 67637528                   /lib/x86\_64-linux-gnu/ld-2.23.so
7ffff7ffe000-7ffff7fff000 rw-p 00000000 00:00 0
7ffffffde000-7ffffffff000 rw-p 00000000 00:00 0                          \[stack\]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0                  \[vsyscall\]

Program received signal SIGABRT, Aborted.
0x00007ffff7302428 in \_\_GI\_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:54
54      ../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
(gdb) bt
#0  0x00007ffff7302428 in \_\_GI\_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:54
#1  0x00007ffff730402a in \_\_GI\_abort () at abort.c:89
#2  0x00007ffff73447ea in \_\_libc\_message (do\_abort=do\_abort@entry=2, fmt=fmt@entry=0x7ffff745ded8 "\*\*\* Error in \`%s': %s: 0x%s \*\*\*\\n") at ../sysdeps/posix/libc\_fatal.c:175
#3  0x00007ffff734d37a in malloc\_printerr (ar\_ptr=<optimized out>, ptr=<optimized out>, str=0x7ffff745df50 "free(): invalid next size (fast)", action=3) at malloc.c:5006
#4  \_int\_free (av=<optimized out>, p=<optimized out>, have\_lock=0) at malloc.c:3867
#5  0x00007ffff735153c in \_\_GI\_\_\_libc\_free (mem=<optimized out>) at malloc.c:2968
#6  0x0000000000568b82 in DelGF\_IPMPX\_OpaqueData (\_p=<optimized out>) at odf/ipmpx\_code.c:1205
#7  gf\_ipmpx\_data\_del (\_p=\_p@entry=0x9cc760) at odf/ipmpx\_code.c:1835
#8  0x00000000005624bd in gf\_odf\_del\_ipmp (ipmp=0x9cc670) at odf/odf\_code.c:2390
#9  0x000000000055a031 in gf\_odf\_parse\_descriptor (bs=bs@entry=0x9cc610, desc=desc@entry=0x9cc578, desc\_size=desc\_size@entry=0x7fffffff9694) at odf/descriptors.c:176
#10 0x0000000000564f7b in gf\_odf\_desc\_read (raw\_desc=raw\_desc@entry=0x9cc590 "\\v@\\377\\377\\377\\377", descSize=descSize@entry=108, outDesc=outDesc@entry=0x9cc578) at odf/odf\_codec.c:302
#11 0x00000000006ca6f4 in esds\_Read (s=0x9cc550, bs=0x9cb460) at isomedia/box\_code\_base.c:1256
#12 0x00000000005137e1 in gf\_isom\_box\_read (bs=0x9cb460, a=0x9cc550) at isomedia/box\_funcs.c:1528
#13 gf\_isom\_box\_parse\_ex (outBox=outBox@entry=0x7fffffff9800, bs=bs@entry=0x9cb460, is\_root\_box=is\_root\_box@entry=GF\_TRUE, parent\_type=0) at isomedia/box\_funcs.c:208
#14 0x0000000000513e15 in gf\_isom\_parse\_root\_box (outBox=outBox@entry=0x7fffffff9800, bs=0x9cb460, bytesExpected=bytesExpected@entry=0x7fffffff9850, progressive\_mode=progressive\_mode@entry=GF\_FALSE) at isomedia/box\_funcs.c:42
#15 0x000000000051b4fe in gf\_isom\_parse\_movie\_boxes (mov=mov@entry=0x9cb010, bytesMissing=bytesMissing@entry=0x7fffffff9850, progressive\_mode=progressive\_mode@entry=GF\_FALSE) at isomedia/isom\_intern.c:206
#16 0x000000000051c48c in gf\_isom\_parse\_movie\_boxes (progressive\_mode=GF\_FALSE, bytesMissing=0x7fffffff9850, mov=0x9cb010) at isomedia/isom\_intern.c:194
#17 gf\_isom\_open\_file (fileName=0x7fffffffe627 "./real-crashs/POC-ReadGF\_IPMPX\_WatermarkingInit", OpenMode=0, tmp\_dir=0x0) at isomedia/isom\_intern.c:615
#18 0x000000000041c082 in mp4boxMain (argc=<optimized out>, argv=<optimized out>) at main.c:4767
#19 0x00007ffff72ed830 in \_\_libc\_start\_main (main=0x40eb70 <main>, argc=5, argv=0x7fffffffe358, init=<optimized out>, fini=<optimized out>, rtld\_fini=<optimized out>, stack\_end=0x7fffffffe348) at ../csu/libc-start.c:291
#20 0x000000000040eba9 in \_start ()

Edit

This bug issue still exists in latest version 0.8.0: 4c19ae5 and 0.9.0: 1de1f8d

Addition: This bug was found with our fuzzer, which is based on AFL. Our fuzzer is developed by Yuanpingyu(cfenicey@gmail.com) 、Yanhao and Marsman1996(lqliuyuwei@outlook.com)

CVE-2019-20161: AddressSanitizer: heap-buffer-overflow in ReadGF_IPMPX_WatermarkingInit at ipmpx_code.c:1517 · Issue #1320 · gpac/gpac

An issue was discovered in GPAC version 0.8.0 and 0.9.0-development-20191109. There is heap-based buffer overflow in the function gf_isom_box_parse_ex() in isomedia/box_funcs.c.

System info:  
Ubuntu 16.04.6 LTS, X64, gcc 5.4.0, gpac (latest master 00dfc93)  
Compile Command:

    $ CC="gcc -fsanitize=address -g" CXX="g++ -fsanitize=address -g" ./configure --static-mp4box
    $ make
    

Run Command:

    $ MP4Box -diso -out /dev/null $POC-new-gf_isom_box_parse_ex
    

POC file:  
https://github.com/Clingto/POC/blob/master/gpac-MP4Box/gpac-00dfc93-crashes/POC-new-gf\_isom\_box\_parse\_ex  
https://github.com/Clingto/POC/blob/master/gpac-MP4Box/gpac-00dfc93-crashes/POC-new-gf\_isom\_box\_parse\_ex-2  
For POC-new-gf\_isom\_box\_parse\_ex  
gdb info:

Program received signal SIGSEGV, Segmentation fault.
\_\_GI\_\_\_libc\_free (mem=0x6a06e81bf20d02) at malloc.c:2951
2951    malloc.c: No such file or directory.
(gdb) bt
#0  \_\_GI\_\_\_libc\_free (mem=0x6a06e81bf20d02) at malloc.c:2951
#1  0x00000000006d4ab7 in reftype\_del ()
#2  0x0000000000512a7d in gf\_isom\_box\_del ()
#3  0x00000000005135fe in gf\_isom\_box\_array\_read\_ex ()
#4  0x00000000005137e1 in gf\_isom\_box\_parse\_ex.constprop ()
#5  0x0000000000513e15 in gf\_isom\_parse\_root\_box ()
#6  0x000000000051b4fe in gf\_isom\_parse\_movie\_boxes.part ()
#7  0x000000000051c48c in gf\_isom\_open\_file ()
#8  0x000000000041c082 in mp4boxMain ()
#9  0x00007ffff72ed830 in \_\_libc\_start\_main (main=0x40eb70 <main>, argc=5, argv=0x7fffffffe318, init=<optimized out>, fini=<optimized out>, rtld\_fini=<optimized out>, stack\_end=0x7fffffffe308) at ../csu/libc-start.c:291
#10 0x000000000040eba9 in \_start ()

For POC-new-gf\_isom\_box\_parse\_ex-2  
gdb info:

Program received signal SIGSEGV, Segmentation fault.
\_\_GI\_\_\_libc\_free (mem=0x1c1c1c1c1c1c1c1c) at malloc.c:2951
2951    malloc.c: No such file or directory.
(gdb) bt
#0  \_\_GI\_\_\_libc\_free (mem=0x1c1c1c1c1c1c1c1c) at malloc.c:2951
#1  0x00000000006d4ab7 in reftype\_del ()
#2  0x0000000000512a7d in gf\_isom\_box\_del ()
#3  0x00000000005135fe in gf\_isom\_box\_array\_read\_ex ()
#4  0x00000000005137e1 in gf\_isom\_box\_parse\_ex.constprop ()
#5  0x0000000000513e15 in gf\_isom\_parse\_root\_box ()
#6  0x000000000051b4fe in gf\_isom\_parse\_movie\_boxes.part ()
#7  0x000000000051c48c in gf\_isom\_open\_file ()
#8  0x000000000041c082 in mp4boxMain ()
#9  0x00007ffff72ed830 in \_\_libc\_start\_main (main=0x40eb70 <main>, argc=5, argv=0x7fffffffe318, init=<optimized out>, fini=<optimized out>, rtld\_fini=<optimized out>, stack\_end=0x7fffffffe308) at ../csu/libc-start.c:291
#10 0x000000000040eba9 in \_start ()

For POC-new-gf\_isom\_box\_parse\_ex  
ASAN info:

\==25783\==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60400000df80 at pc 0x0000006c4392 bp 0x7fffffff8090 sp 0x7fffffff8080
WRITE of size 4 at 0x60400000df80 thread T0
    #0 0x6c4391 in gf\_isom\_box\_parse\_ex isomedia/box\_funcs.c:189
    #1 0x6c47bc in gf\_isom\_box\_array\_read\_ex isomedia/box\_funcs.c:1419
    #2 0x6c5114 in gf\_isom\_box\_read isomedia/box\_funcs.c:1528
    #3 0x6c5114 in gf\_isom\_box\_parse\_ex isomedia/box\_funcs.c:208
    #4 0x6c5974 in gf\_isom\_parse\_root\_box isomedia/box\_funcs.c:42
    #5 0x6da6a0 in gf\_isom\_parse\_movie\_boxes isomedia/isom\_intern.c:206
    #6 0x6dd2f3 in gf\_isom\_parse\_movie\_boxes isomedia/isom\_intern.c:194
    #7 0x6dd2f3 in gf\_isom\_open\_file isomedia/isom\_intern.c:615
    #8 0x42f88a in mp4boxMain /home/aota09/yyp/fuzzcompare/test/gpac/test-crash/build\_asan\_00dfc93/applications/mp4box/main.c:4767
    #9 0x7ffff638082f in \_\_libc\_start\_main (/lib/x86\_64-linux-gnu/libc.so.6+0x2082f)
    #10 0x41e228 in \_start (/home/aota09/yyp/fuzzcompare/test/gpac/test-crash/bin\_asan/bin/MP4Box+0x41e228)

0x60400000df80 is located 0 bytes to the right of 48-byte region \[0x60400000df50,0x60400000df80)
allocated by thread T0 here:
    #0 0x7ffff6f02602 in malloc (/usr/lib/x86\_64-linux-gnu/libasan.so.2+0x98602)
    #1 0xaec17d in reftype\_New isomedia/box\_code\_base.c:7521

SUMMARY: AddressSanitizer: heap-buffer-overflow isomedia/box\_funcs.c:189 gf\_isom\_box\_parse\_ex
Shadow bytes around the buggy address:
  0x0c087fff9ba0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff9bb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff9bc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff9bd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff9be0: fa fa fa fa fa fa fa fa fa fa 00 00 00 00 00 00
=>0x0c087fff9bf0:\[fa\]fa 00 00 00 00 00 00 fa fa 00 00 00 00 00 00
  0x0c087fff9c00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff9c10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff9c20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff9c30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff9c40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
==25783==ABORTING

For POC-new-gf\_isom\_box\_parse\_ex-2

ASAN info：  
==25917\==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60400000e000 at pc 0x0000006c4392 bp 0x7fffffff8090 sp 0x7fffffff8080
WRITE of size 4 at 0x60400000e000 thread T0
    #0 0x6c4391 in gf\_isom\_box\_parse\_ex isomedia/box\_funcs.c:189
    #1 0x6c47bc in gf\_isom\_box\_array\_read\_ex isomedia/box\_funcs.c:1419
    #2 0x6c5114 in gf\_isom\_box\_read isomedia/box\_funcs.c:1528
    #3 0x6c5114 in gf\_isom\_box\_parse\_ex isomedia/box\_funcs.c:208
    #4 0x6c5974 in gf\_isom\_parse\_root\_box isomedia/box\_funcs.c:42
    #5 0x6da6a0 in gf\_isom\_parse\_movie\_boxes isomedia/isom\_intern.c:206
    #6 0x6dd2f3 in gf\_isom\_parse\_movie\_boxes isomedia/isom\_intern.c:194
    #7 0x6dd2f3 in gf\_isom\_open\_file isomedia/isom\_intern.c:615
    #8 0x42f88a in mp4boxMain /home/aota09/yyp/fuzzcompare/test/gpac/test-crash/build\_asan\_00dfc93/applications/mp4box/main.c:4767
    #9 0x7ffff638082f in \_\_libc\_start\_main (/lib/x86\_64-linux-gnu/libc.so.6+0x2082f)
    #10 0x41e228 in \_start (/home/aota09/yyp/fuzzcompare/test/gpac/test-crash/bin\_asan/bin/MP4Box+0x41e228)

0x60400000e000 is located 0 bytes to the right of 48-byte region \[0x60400000dfd0,0x60400000e000)
allocated by thread T0 here:
    #0 0x7ffff6f02602 in malloc (/usr/lib/x86\_64-linux-gnu/libasan.so.2+0x98602)
    #1 0xaec17d in reftype\_New isomedia/box\_code\_base.c:7521

SUMMARY: AddressSanitizer: heap-buffer-overflow isomedia/box\_funcs.c:189 gf\_isom\_box\_parse\_ex
Shadow bytes around the buggy address:
  0x0c087fff9bb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff9bc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff9bd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff9be0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff9bf0: fa fa fa fa fa fa fa fa fa fa 00 00 00 00 00 00
=>0x0c087fff9c00:\[fa\]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff9c10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff9c20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff9c30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff9c40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff9c50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
==25917==ABORTING

Edit

**This bug issue still exists in latest version 0.8.0: 4c19ae5 and 0.9.0: 1de1f8d**

Addition: This bug was found with our fuzzer, which is based on AFL. Our fuzzer is developed by Yuanpingyu(cfenicey@gmail.com) 、Yanhao and Marsman1996(lqliuyuwei@outlook.com)

CVE-2019-20162: ERROR: AddressSanitizer: heap-buffer-overflow in gf_isom_box_parse_ex isomedia/box_funcs.c:189 · Issue #1327 · gpac/gpac

An issue was discovered in GPAC version 0.8.0 and 0.9.0-development-20191109. There is a NULL pointer dereference in the function gf_odf_avc_cfg_write_bs() in odf/descriptors.c.

System info:  
Ubuntu 16.04.6 LTS, X64, gcc 5.4.0, gpac (latest master 00dfc93)  
Compile Command:

    $ CC="gcc -fsanitize=address -g" CXX="g++ -fsanitize=address -g" ./configure --static-mp4box
    $ make
    

Run Command:

    $ MP4Box -diso -out /dev/null $POC-new-gf_odf_avc_cfg_write_bs
    

POC file:  
https://github.com/Clingto/POC/blob/master/gpac-MP4Box/gpac-00dfc93-crashes/POC-new-gf\_odf\_avc\_cfg\_write\_bs

gdb info:

Program received signal SIGSEGV, Segmentation fault.
0x000000000055aeee in gf\_odf\_avc\_cfg\_write\_bs ()
(gdb) bt
#0  0x000000000055aeee in gf\_odf\_avc\_cfg\_write\_bs ()
#1  0x000000000055b1ff in gf\_odf\_avc\_cfg\_write ()
#2  0x00000000004f9ba1 in AVC\_RewriteESDescriptorEx ()
#3  0x00000000006cf2a8 in video\_sample\_entry\_Read ()
#4  0x0000000000512ce5 in gf\_isom\_box\_parse\_ex ()
#5  0x000000000051333b in gf\_isom\_box\_array\_read\_ex ()
#6  0x0000000000512ce5 in gf\_isom\_box\_parse\_ex ()
#7  0x000000000051333b in gf\_isom\_box\_array\_read\_ex ()
#8  0x00000000006d09d0 in stbl\_Read ()
#9  0x0000000000512ce5 in gf\_isom\_box\_parse\_ex ()
#10 0x000000000051333b in gf\_isom\_box\_array\_read\_ex ()
#11 0x00000000006ce02b in minf\_Read ()
#12 0x0000000000512ce5 in gf\_isom\_box\_parse\_ex ()
#13 0x000000000051333b in gf\_isom\_box\_array\_read\_ex ()
#14 0x00000000006cd2f0 in mdia\_Read ()
#15 0x0000000000512ce5 in gf\_isom\_box\_parse\_ex ()
#16 0x000000000051333b in gf\_isom\_box\_array\_read\_ex ()
#17 0x00000000006d351d in trak\_Read ()
#18 0x0000000000512ce5 in gf\_isom\_box\_parse\_ex ()
#19 0x000000000051333b in gf\_isom\_box\_array\_read\_ex ()
#20 0x00000000006ce545 in moov\_Read ()
#21 0x00000000005137e1 in gf\_isom\_box\_parse\_ex.constprop ()
#22 0x0000000000513e15 in gf\_isom\_parse\_root\_box ()
#23 0x000000000051b4fe in gf\_isom\_parse\_movie\_boxes.part ()
#24 0x000000000051c48c in gf\_isom\_open\_file ()
#25 0x000000000041c082 in mp4boxMain ()
#26 0x00007ffff72ed830 in \_\_libc\_start\_main (main=0x40eb70 <main>, argc=5, argv=0x7fffffffe318, init=<optimized out>, fini=<optimized out>, rtld\_fini=<optimized out>, stack\_end=0x7fffffffe308) at ../csu/libc-start.c:291
#27 0x000000000040eba9 in \_start ()

ASAN info:

ASAN:SIGSEGV
=================================================================
==25871\==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000008 (pc 0x000000797a2b bp 0x60200000ed98 sp 0x7fffffff7230 T0)
    #0 0x797a2a in gf\_odf\_avc\_cfg\_write\_bs odf/descriptors.c:567
    #1 0x79821e in gf\_odf\_avc\_cfg\_write odf/descriptors.c:631
    #2 0x68b393 in AVC\_RewriteESDescriptorEx isomedia/avc\_ext.c:1063
    #3 0xaddd66 in video\_sample\_entry\_Read isomedia/box\_code\_base.c:4408
    #4 0x6c3d6e in gf\_isom\_box\_read isomedia/box\_funcs.c:1528
    #5 0x6c3d6e in gf\_isom\_box\_parse\_ex isomedia/box\_funcs.c:208
    #6 0x6c47bc in gf\_isom\_box\_array\_read\_ex isomedia/box\_funcs.c:1419
    #7 0x6c3d6e in gf\_isom\_box\_read isomedia/box\_funcs.c:1528
    #8 0x6c3d6e in gf\_isom\_box\_parse\_ex isomedia/box\_funcs.c:208
    #9 0x6c47bc in gf\_isom\_box\_array\_read\_ex isomedia/box\_funcs.c:1419
    #10 0xae19df in stbl\_Read isomedia/box\_code\_base.c:5381
    #11 0x6c3d6e in gf\_isom\_box\_read isomedia/box\_funcs.c:1528
    #12 0x6c3d6e in gf\_isom\_box\_parse\_ex isomedia/box\_funcs.c:208
    #13 0x6c47bc in gf\_isom\_box\_array\_read\_ex isomedia/box\_funcs.c:1419
    #14 0xadb4fe in minf\_Read isomedia/box\_code\_base.c:3500
    #15 0x6c3d6e in gf\_isom\_box\_read isomedia/box\_funcs.c:1528
    #16 0x6c3d6e in gf\_isom\_box\_parse\_ex isomedia/box\_funcs.c:208
    #17 0x6c47bc in gf\_isom\_box\_array\_read\_ex isomedia/box\_funcs.c:1419
    #18 0xad96ef in mdia\_Read isomedia/box\_code\_base.c:3021
    #19 0x6c3d6e in gf\_isom\_box\_read isomedia/box\_funcs.c:1528
    #20 0x6c3d6e in gf\_isom\_box\_parse\_ex isomedia/box\_funcs.c:208
    #21 0x6c47bc in gf\_isom\_box\_array\_read\_ex isomedia/box\_funcs.c:1419
    #22 0xae8ad8 in trak\_Read isomedia/box\_code\_base.c:7129
    #23 0x6c3d6e in gf\_isom\_box\_read isomedia/box\_funcs.c:1528
    #24 0x6c3d6e in gf\_isom\_box\_parse\_ex isomedia/box\_funcs.c:208
    #25 0x6c47bc in gf\_isom\_box\_array\_read\_ex isomedia/box\_funcs.c:1419
    #26 0xadc064 in moov\_Read isomedia/box\_code\_base.c:3745
    #27 0x6c5114 in gf\_isom\_box\_read isomedia/box\_funcs.c:1528
    #28 0x6c5114 in gf\_isom\_box\_parse\_ex isomedia/box\_funcs.c:208
    #29 0x6c5974 in gf\_isom\_parse\_root\_box isomedia/box\_funcs.c:42
    #30 0x6da6a0 in gf\_isom\_parse\_movie\_boxes isomedia/isom\_intern.c:206
    #31 0x6dd2f3 in gf\_isom\_parse\_movie\_boxes isomedia/isom\_intern.c:194
    #32 0x6dd2f3 in gf\_isom\_open\_file isomedia/isom\_intern.c:615
    #33 0x42f88a in mp4boxMain /home/aota09/yyp/fuzzcompare/test/gpac/test-crash/build\_asan\_00dfc93/applications/mp4box/main.c:4767
    #34 0x7ffff638082f in \_\_libc\_start\_main (/lib/x86\_64-linux-gnu/libc.so.6+0x2082f)
    #35 0x41e228 in \_start (/home/aota09/yyp/fuzzcompare/test/gpac/test-crash/bin\_asan/bin/MP4Box+0x41e228)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV odf/descriptors.c:567 gf\_odf\_avc\_cfg\_write\_bs
==25871==ABORTING

Edit

This bug issue still exists in latest version 0.8.0: 4c19ae5 and 0.9.0: 1de1f8d

Addition: This bug was found with our fuzzer, which is based on AFL. Our fuzzer is developed by Yuanpingyu(cfenicey@gmail.com) 、Yanhao and Marsman1996(lqliuyuwei@outlook.com)

CVE-2019-20163: AddressSanitizer: NULL pointer dereference in gf_odf_avc_cfg_write_bs odf/descriptors.c:567 · Issue #1335 · gpac/gpac

In GraphicsMagick 1.4 snapshot-20190423 Q8, there is a heap-based buffer overflow in the function ImportRLEPixels of coders/miff.c.

There is a heap-buffer-overflow in function ImportRLEPixels of coders/miff.c whick can be reproduced as below.  
gm convert ./heap-buffer-overflow\_ImportRLEPixels /dev/null

\=================================================================
==27431==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61500000fed1 at pc 0x00000071ab86 bp 0x7ffcc60ecb20 sp 0x7ffcc60ecb10
WRITE of size 1 at 0x61500000fed1 thread T0
    #0 0x71ab85 in ImportRLEPixels coders/miff.c:428
    #1 0x729d09 in ReadMIFFImage coders/miff.c:1850
    #2 0x477730 in ReadImage magick/constitute.c:1607
    #3 0x421598 in ConvertImageCommand magick/command.c:4365
    #4 0x436b0d in MagickCommand magick/command.c:8889
    #5 0x45f2ca in GMCommandSingle magick/command.c:17434
    #6 0x45f516 in GMCommand magick/command.c:17487
    #7 0x40cc65 in main utilities/gm.c:61
    #8 0x7f5e4f4fe82f in \_\_libc\_start\_main (/lib/x86\_64-linux-gnu/libc.so.6+0x2082f)
    #9 0x40cb78 in \_start (/home/graphicsmagick-code/utilities/gm+0x40cb78)

0x61500000fed1 is located 0 bytes to the right of 465-byte region \[0x61500000fd00,0x61500000fed1)
allocated by thread T0 here:
    #0 0x7f5e5228b602 in malloc (/usr/lib/x86\_64-linux-gnu/libasan.so.2+0x98602)
    #1 0x4df677 in MagickRealloc magick/memory.c:494
    #2 0x501826 in OpenCache magick/pixel\_cache.c:2497
    #3 0x507f01 in ModifyCache magick/pixel\_cache.c:4584
    #4 0x4fb19e in SetCacheNexus magick/pixel\_cache.c:922
    #5 0x508d90 in SetCacheViewPixels magick/pixel\_cache.c:4881
    #6 0x508e6a in SetImagePixels magick/pixel\_cache.c:4947
    #7 0x7298da in ReadMIFFImage coders/miff.c:1831
    #8 0x477730 in ReadImage magick/constitute.c:1607
    #9 0x421598 in ConvertImageCommand magick/command.c:4365
    #10 0x436b0d in MagickCommand magick/command.c:8889
    #11 0x45f2ca in GMCommandSingle magick/command.c:17434
    #12 0x45f516 in GMCommand magick/command.c:17487
    #13 0x40cc65 in main utilities/gm.c:61
    #14 0x7f5e4f4fe82f in \_\_libc\_start\_main (/lib/x86\_64-linux-gnu/libc.so.6+0x2082f)

SUMMARY: AddressSanitizer: heap-buffer-overflow coders/miff.c:428 ImportRLEPixels
Shadow bytes around the buggy address:
  0x0c2a7fff9f80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2a7fff9f90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2a7fff9fa0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c2a7fff9fb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c2a7fff9fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c2a7fff9fd0: 00 00 00 00 00 00 00 00 00 00\[01\]fa fa fa fa fa
  0x0c2a7fff9fe0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2a7fff9ff0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2a7fffa000: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2a7fffa010: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2a7fffa020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
==27431==ABORTING

System Configuration:

Distributor ID: Ubuntu
Description:    Ubuntu 16.04.1 LTS
Release:    16.04
Codename:   xenial

GraphicsMagick version:

GraphicsMagick 1.4 snapshot-20190423 Q8 http://www.GraphicsMagick.org/
Copyright (C) 2002-2019 GraphicsMagick Group.
Additional copyrights and licenses apply to this software.
See http://www.GraphicsMagick.org/www/Copyright.html for details.

Feature Support:
  Native Thread Safe       yes
  Large Files (> 32 bit)   yes
  Large Memory (> 32 bit)  yes
  BZIP                     yes
  DPS                      no
  FlashPix                 no
  FreeType                 yes
  Ghostscript (Library)    no
  JBIG                     yes
  JPEG-2000                yes
  JPEG                     yes
  Little CMS               yes
  Loadable Modules         no
  Solaris mtmalloc         no
  OpenMP                   yes (201307 "4.0")
  PNG                      yes
  TIFF                     yes
  TRIO                     no
  Solaris umem             no
  WebP                     yes
  WMF                      yes
  X11                      yes
  XML                      yes
  ZLIB                     yes

Host type: x86\_64-pc-linux-gnu

Configured using the command:
  ./configure  'CC=gcc' 'CXX=g++' 'CFLAGS=-g -fsanitize=address -fno-omit-frame-pointer -fsanitize=leak' '--enable-shared=no'

Final Build Parameters:
  CC       = gcc
  CFLAGS   = -fopenmp -g -fsanitize=address -fno-omit-frame-pointer -fsanitize=leak -Wall -pthread
  CPPFLAGS = -I/usr/include/freetype2 -I/usr/include/libxml2
  CXX      = g++
  CXXFLAGS = -pthread
  LDFLAGS  = 
  LIBS     = -ljbig -lwebp -lwebpmux -llcms2 -ltiff -lfreetype -ljasper -ljpeg -lpng12 -lwmflite -lXext -lSM -lICE -lX11 -llzma -lbz2 -lxml2 -lz -lm -lpthread

CVE-2019-19951: GraphicsMagick / Bugs / #608 heap-buffer-overflow in ImportRLEPixels of coders/miff.c

In GraphicsMagick 1.4 snapshot-20191208 Q8, there is a heap-based buffer over-read in the function EncodeImage of coders/pict.c.

There is a heap buffer overflow in function EncodeImage of coders/pict.c whick can be reproduced as below.

/home/graphicsmagick/utilities/gm convert ./heap\-buffer\-overflow\-READ\-0x08417e7a.webp ./test.pct
\==9938\==ERROR: AddressSanitizer: heap\-buffer\-overflow on address 0xf12147ff at pc 0x08417e7a bp 0xffa81578 sp 0xffa81568
READ of size 1 at 0xf12147ff thread T0
    #0 0x8417e79 in EncodeImage coders/pict.c:1067
    #1 0x8421228 in WritePICTImage coders/pict.c:2408
    #2 0x80c6919 in WriteImage magick/constitute.c:2245
    #3 0x80c728f in WriteImages magick/constitute.c:2404
    #4 0x8072623 in ConvertImageCommand magick/command.c:6135
    #5 0x807ea51 in MagickCommand magick/command.c:8880
    #6 0x80ab9c2 in GMCommandSingle magick/command.c:17412
    #7 0x80abc86 in GMCommand magick/command.c:17465
    #8 0x80511ea in main utilities/gm.c:61
    #9 0xf697c636 in \_\_libc\_start\_main (/lib/i386\-linux\-gnu/libc.so.6+0x18636)
    #10 0x80510f0  (/home/graphicsmagick/utilities/gm+0x80510f0)

0xf12147ff is located 1 bytes to the left of 65536\-byte region \[0xf1214800,0xf1224800)
allocated by thread T0 here:
    #0 0xf72bbdee in malloc (/usr/lib/i386\-linux\-gnu/libasan.so.2+0x96dee)
    #1 0x8132492 in MagickMalloc magick/memory.c:174
    #2 0x841f32a in WritePICTImage coders/pict.c:2126
    #3 0x80c6919 in WriteImage magick/constitute.c:2245
    #4 0x80c728f in WriteImages magick/constitute.c:2404
    #5 0x8072623 in ConvertImageCommand magick/command.c:6135
    #6 0x807ea51 in MagickCommand magick/command.c:8880
    #7 0x80ab9c2 in GMCommandSingle magick/command.c:17412
    #8 0x80abc86 in GMCommand magick/command.c:17465
    #9 0x80511ea in main utilities/gm.c:61
    #10 0xf697c636 in \_\_libc\_start\_main (/lib/i386\-linux\-gnu/libc.so.6+0x18636)

SUMMARY: AddressSanitizer: heap\-buffer\-overflow coders/pict.c:1067 EncodeImage
Shadow bytes around the buggy address:
  0x3e2428a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3e2428b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3e2428c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3e2428d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3e2428e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
\=>0x3e2428f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\[fa\]
  0x3e242900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x3e242910: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x3e242920: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x3e242930: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x3e242940: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
\==9938\==ABORTING

System Configuration:

Distributor ID: Ubuntu
Description:    Ubuntu 16.04.5 LTS
Release:    16.04
Codename:   xenial

GraphicsMagick version:

GraphicsMagick 1.4 snapshot\-20191208 Q8 http://www.GraphicsMagick.org/
Copyright (C) 2002\-2019 GraphicsMagick Group.
Additional copyrights and licenses apply to this software.
See http://www.GraphicsMagick.org/www/Copyright.html for details.

Feature Support:
  Native Thread Safe       yes
  Large Files (\> 32 bit)   yes
  Large Memory (\> 32 bit)  no
  BZIP                     yes
  DPS                      no
  FlashPix                 no
  FreeType                 yes
  Ghostscript (Library)    no
  JBIG                     yes
  JPEG\-2000                yes
  JPEG                     yes
  Little CMS               yes
  Loadable Modules         no
  Solaris mtmalloc         no
  OpenMP                   yes (201307 "4.0")
  PNG                      yes
  TIFF                     yes
  TRIO                     no
  Solaris umem             no
  WebP                     yes
  WMF                      yes
  X11                      yes
  XML                      yes
  ZLIB                     yes

Host type: x86\_64\-pc\-linux\-gnu

Configured using the command:
  ./configure  'CFLAGS=-g -fsanitize=address' '\--enable-shared=no'

Final Build Parameters:
  CC       \= gcc
  CFLAGS   \= \-fopenmp \-g \-fsanitize\=address \-Wall \-pthread
  CPPFLAGS \= \-I/usr/include/freetype2 \-I/usr/include/libxml2
  CXX      \= g++
  CXXFLAGS \= \-pthread
  LDFLAGS  \= 
  LIBS     \= \-ljbig \-lwebp \-lwebpmux \-llcms2 \-ltiff \-lfreetype \-ljasper \-ljpeg \-lpng12 \-lwmflite \-lXext \-lSM \-lICE \-lX11 \-llzma \-lbz2 \-lxml2 \-lz \-lm \-lpthread

CVE-2019-19953: GraphicsMagick / Bugs / #617 heap-buffer-overflow in function EncodeImage of coders/pict.c

HrAddFBBlock in libfreebusy/freebusyutil.cpp in Kopano Groupware Core before 8.7.7 allows out-of-bounds access, as demonstrated by mishandling of an array copy during parsing of ICal data.

Skip to content

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    
    *   Explore
    *   All features
    *   Documentation
    *   GitHub Skills
    *   Blog
    
*   *   For
    *   Enterprise
    *   Teams
    *   Startups
    *   Education
    
    *   By Solution
    *   CI/CD & Automation
    *   DevOps
    *   DevSecOps
    
    *   Case Studies
    *   Customer Stories
    *   Resources
    
*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
    *   Repositories
    *   Topics
    *   Trending
    *   Collections
    
*   Pricing

*   Overview
*   Repositories
*   Packages
*   People

**Pinned**

1.  Read-only mirror of Kopano Core git repo
    
    C++ 50 29
    

3.  Read-only mirror of the Kopano WebApp git repo
    
    JavaScript 19 22
    
4.  Material from the Kopano workshop at the 2021 Univention Summit
    
    Shell 1
    

**Repositories**

Type

Select type

All Public Sources Forks Archived Mirrors Templates

Language

Select language

All C# C++ Go HTML JavaScript PHP Python Shell TypeScript

Sort

Select order

Last updated Name Stars

*   kcc-go Public
    
    This implements a minimal client interfacing with a couple of SOAP methods of a Kopano server.
    
    Go 0 Apache-2.0
    
    3 0 3
    
    Updated Mar 4, 2023
    
*   kopano-webapp Public
    
    Read-only mirror of the Kopano WebApp git repo
    
    JavaScript
    
    19 22 0 5
    
    Updated Mar 2, 2023
    
*   oidc-go Public
    
    Oidc-go is a Go package to provide common helpers to interface with OpenID Connect servers.
    
    Go
    
    2
    
    Apache-2.0
    
    1 0 1
    
    Updated Feb 25, 2023
    
*   kwmserver Public
    
    Kopano Web Meetings Server implements the signaling/channelling server for Kopano Web Meetings
    
    Go
    
    5 3 1 3
    
    Updated Feb 24, 2023
    
*   libkcoidc Public
    
    This project implements a C shared library with a public API to validate Kopano Konnect tokens (JSON Web Tokens).
    
    Go 0 0
    
    2 2
    
    Updated Feb 24, 2023
    
*   kapi Public
    
    Kopano API provides a web service with the endpoints to interface with Kopano via HTTP APIs.
    
    Go
    
    3
    
    0
    
    0 1
    
    Updated Feb 15, 2023
    
*   pubsjs Public
    
    Kopano API Pubs Client Library (pubsjs)
    
    TypeScript 0 MIT 0
    
    0 16
    
    Updated Jan 7, 2023
    
*   kwmjs Public
    
    Kopano Web Meetings Client Library (kwmjs)
    
    TypeScript
    
    1
    
    MIT 0
    
    0 11
    
    Updated Jan 7, 2023
    
*   kpop Public
    
    Kpop is a collection of React UI components and UI uitilites for Kopano Web apps
    
    JavaScript 0 Apache-2.0
    
    1 0 17
    
    Updated Dec 10, 2022
    
*   meet Public
    
    A PWA for doing video meetings
    

**Most used topics**

CVE-2019-19907: Kopano

ATasm 1.06 has a stack-based buffer overflow in the to_comma() function in asm.c via a crafted .m65 file.

*   Summary
*   Files
*   Reviews
*   Support
*   Wiki
*   Tickets ▾
    *   Bugs
    *   Feature Requests
*   News
*   Code
*   Discussion

Menu ▾ ▴

**#8 Stack-based buffer overflow in the to\_comma() function**

Status: closed

Owner: nobody

Labels: None

Priority: 5

Updated: 2021-03-20

Created: 2019-12-13

Private: No

Hi,

While fuzzing ATasm 1.08 with Honggfuzz, I found a stack-based buffer overflow in the to\_comma() function, in asm.c.

Attaching a reproducer, issue can be reproduced by running:

\=================================================================
\==15033\==ERROR: AddressSanitizer: stack\-buffer\-overflow on address 0x7ffec9190ef0 at pc 0x0000004ce38e bp 0x7ffec9190e30 sp 0x7ffec9190e28
WRITE of size 1 at 0x7ffec9190ef0 thread T0
    #0 0x4ce38d in to\_comma /home/fcambus/atasm/src/asm.c:1126:11
    #1 0x4ce38d in do\_xbyte /home/fcambus/atasm/src/asm.c:1346:9
    #2 0x4cfe17 in proc\_sym /home/fcambus/atasm/src/asm.c:1553:7
    #3 0x4d5556 in do\_cmd /home/fcambus/atasm/src/asm.c:1941:5
    #4 0x4d5b46 in assemble /home/fcambus/atasm/src/asm.c:1980:9
    #5 0x4d8082 in main /home/fcambus/atasm/src/asm.c:2392:3
    #6 0x7f32f46441e2 in \_\_libc\_start\_main /build/glibc\-4WA41p/glibc\-2.30/csu/../csu/libc\-start.c:308:16
    #7 0x41b3fd in \_start (/home/fcambus/atasm/atasm+0x41b3fd)

Address 0x7ffec9190ef0 is located in stack of thread T0 at offset 176 in frame
    #0 0x4cc7af in do\_xbyte /home/fcambus/atasm/src/asm.c:1299

  This frame has 2 object(s):
    \[32, 64) 'buf.i' (line 736)
    \[96, 176) 'buf' (line 1301) <== Memory access at offset 176 overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
      (longjmp and C++ exceptions \*are\* supported)
SUMMARY: AddressSanitizer: stack\-buffer\-overflow /home/fcambus/atasm/src/asm.c:1126:11 in to\_comma
Shadow bytes around the buggy address:
  0x10005922a180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10005922a190: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10005922a1a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10005922a1b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10005922a1c0: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 f8 f8 f8 f8
\=>0x10005922a1d0: f2 f2 f2 f2 00 00 00 00 00 00 00 00 00 00\[f3\]f3
  0x10005922a1e0: f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00
  0x10005922a1f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10005922a200: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 f8 f8 f8 f8
  0x10005922a210: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
  0x10005922a220: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f2 f2 f2 f2
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
\==15033\==ABORTING

**1 Attachments**

**Discussion**

Log in to post a comment.

Tag

#c++