jhead through 3.04 has a heap-based buffer over-read in Get32s when called from ProcessGpsInfo in gpsinfo.c.

Bug #1858746 reported by Binbin Li on 2020-01-08

This bug affects 1 person

Affects

Status

Importance

Assigned to

Milestone

jhead (Ubuntu)

New

Undecided

Unassigned

**Bug Description**

heap-buffer-overflow on jhead-3.04/exif.c:336 Get32s when we run ./jhead ./input/poc.

lbb@lbb ./jhead ./input/id\_043  
Nonfatal Error : './input/id\_043' Suspicious offset of first Exif IFD value  
Nonfatal Error : './input/id\_043' Maximum Exif directory nesting exceeded (corrupt Exif header)  
Nonfatal Error : './input/id\_043' Illegal number format 32768 for tag 1000 in Exif  
Nonfatal Error : './input/id\_043' Maximum Exif directory nesting exceeded (corrupt Exif header)  
Nonfatal Error : './input/id\_043' Illegal number format 95 for Exif gps tag 002a  
Nonfatal Error : './input/id\_043' Illegal number format 62152 for Exif gps tag 91bf  
Nonfatal Error : './input/id\_043' Illegal number format 65529 for Exif gps tag ffff  
Nonfatal Error : './input/id\_043' Illegal number format 0 for Exif gps tag 00ff  
Nonfatal Error : './input/id\_043' Illegal number format 0 for Exif gps tag 7c00  
Nonfatal Error : './input/id\_043' Inappropriate format (4) for Exif GPS coordinates!  
Nonfatal Error : './input/id\_043' Illegal number format 65535 for Exif gps tag 1f00  
Nonfatal Error : './input/id\_043' Illegal number format 128 for Exif gps tag 0010  
Nonfatal Error : './input/id\_043' Illegal number format 0 for Exif gps tag 0087  
Nonfatal Error : './input/id\_043' Illegal number format 128 for Exif gps tag 0010  
Nonfatal Error : './input/id\_043' Illegal number format 0 for Exif gps tag 0087  
Nonfatal Error : './input/id\_043' Illegal number format 0 for Exif gps tag 0092  
Nonfatal Error : './input/id\_043' Illegal number format 0 for Exif gps tag 0088  
Nonfatal Error : './input/id\_043' Illegal number format 257 for Exif gps tag 2d00  
Nonfatal Error : './input/id\_043' Illegal number format 23110 for Exif gps tag 4146  
Nonfatal Error : './input/id\_043' Inappropriate format (12) for Exif GPS coordinates!  
\=======\=======\=======\=======\=======\=======\=======\=======\=======\==  
\==25863==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x611000009fdd at pc 0x00000040aeff bp 0x7ffe1a579f50 sp 0x7ffe1a579f40  
READ of size 1 at 0x611000009fdd thread T0  
    #0 0x40aefe in Get32s /home/lbb/afl-experient/Tests/ASAN/jhead-3.04/exif.c:336  
    #1 0x4115dc in ProcessGpsInfo /home/lbb/afl-experient/Tests/ASAN/jhead-3.04/gpsinfo.c:138  
    #2 0x40d9a3 in ProcessExifDir /home/lbb/afl-experient/Tests/ASAN/jhead-3.04/exif.c:866  
    #3 0x40d91c in ProcessExifDir /home/lbb/afl-experient/Tests/ASAN/jhead-3.04/exif.c:852  
    #4 0x40d91c in ProcessExifDir /home/lbb/afl-experient/Tests/ASAN/jhead-3.04/exif.c:852  
    #5 0x40d91c in ProcessExifDir /home/lbb/afl-experient/Tests/ASAN/jhead-3.04/exif.c:852  
    #6 0x40d91c in ProcessExifDir /home/lbb/afl-experient/Tests/ASAN/jhead-3.04/exif.c:852  
    #7 0x40e09a in process\_EXIF /home/lbb/afl-experient/Tests/ASAN/jhead-3.04/exif.c:1041  
    #8 0x408318 in ReadJpegSections /home/lbb/afl-experient/Tests/ASAN/jhead-3.04/jpgfile.c:287  
    #9 0x408581 in ReadJpegFile /home/lbb/afl-experient/Tests/ASAN/jhead-3.04/jpgfile.c:379  
    #10 0x405039 in ProcessFile /home/lbb/afl-experient/Tests/ASAN/jhead-3.04/jhead.c:905  
    #11 0x40267d in main /home/lbb/afl-experient/Tests/ASAN/jhead-3.04/jhead.c:1756  
    #12 0x7ff18ec8a82f in \_\_libc\_start\_main (/lib/x86\_64-linux-gnu/libc.so.6+0x2082f)  
    #13 0x403c38 in \_start (/home/lbb/afl-experient/Tests/ASAN/jhead-3.04/jhead+0x403c38)

0x611000009fdd is located 3 bytes to the right of 218-byte region \[0x611000009f00,0x611000009fda)  
allocated by thread T0 here:  
    #0 0x7ff18f3d5602 in malloc (/usr/lib/x86\_64-linux-gnu/libasan.so.2+0x98602)  
    #1 0x40798b in ReadJpegSections /home/lbb/afl-experient/Tests/ASAN/jhead-3.04/jpgfile.c:173  
    #2 0x408581 in ReadJpegFile /home/lbb/afl-experient/Tests/ASAN/jhead-3.04/jpgfile.c:379  
    #3 0x405039 in ProcessFile /home/lbb/afl-experient/Tests/ASAN/jhead-3.04/jhead.c:905  
    #4 0x40267d in main /home/lbb/afl-experient/Tests/ASAN/jhead-3.04/jhead.c:1756  
    #5 0x7ff18ec8a82f in \_\_libc\_start\_main (/lib/x86\_64-linux-gnu/libc.so.6+0x2082f)

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/lbb/afl-experient/Tests/ASAN/jhead-3.04/exif.c:336 Get32s  
Shadow bytes around the buggy address:  
  0x0c227fff93a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
  0x0c227fff93b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
  0x0c227fff93c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
  0x0c227fff93d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
  0x0c227fff93e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
\=>0x0c227fff93f0: 00 00 00 00 00 00 00 00 00 00 00\[02\]fa fa fa fa  
  0x0c227fff9400: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
  0x0c227fff9410: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
  0x0c227fff9420: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
  0x0c227fff9430: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
  0x0c227fff9440: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
Shadow byte legend (one shadow byte represents 8 application bytes):  
  Addressable: 00  
  Partially addressable: 01 02 03 04 05 06 07  
  Heap left redzone: fa  
  Heap right redzone: fb  
  Freed heap region: fd  
  Stack left redzone: f1  
  Stack mid redzone: f2  
  Stack right redzone: f3  
  Stack partial redzone: f4  
  Stack after return: f5  
  Stack use after scope: f8  
  Global redzone: f9  
  Global init order: f6  
  Poisoned by user: f7  
  Container overflow: fc  
  Array cookie: ac  
  Intra object redzone: bb  
  ASan internal: fe  
\==25863==ABORTING

CVE-2020-6625: Bug #1858746 “heap-buffer-overflow on jhead-3.04/exif.c:336 Get3...” : Bugs : jhead package : Ubuntu

Pivotal Spring Framework through 5.3.16 suffers from a potential remote code execution (RCE) issue if used for Java deserialization of untrusted data. Depending on how the library is implemented within a product, this issue may or not occur, and authentication may be required. NOTE: the vendor's position is that untrusted data is not an intended use case. The product's behavior will not be changed because some users rely on deserialization of trusted data.

**Name**

CVE-2016-1000027

**Description**

Pivotal Spring Framework through 5.3.16 suffers from a potential remote code execution (RCE) issue if used for Java deserialization of untrusted data. Depending on how the library is implemented within a product, this issue may or not occur, and authentication may be required. NOTE: the vendor's position is that untrusted data is not an intended use case. The product's behavior will not be changed because some users rely on deserialization of trusted data.

**Source**

CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)

**Vulnerable and fixed packages**

The table below lists information on source packages.

Source Package

Release

Version

Status

libspring-java (PTS)

stretch

4.3.5-1

fixed

stretch (security)

4.3.5-1+deb9u1

fixed

buster

4.3.22-4

fixed

bookworm, sid, bullseye

4.3.30-1

fixed

The information below is based on the following data on fixed versions.

Package

Type

Release

Fixed Version

Urgency

Origin

Debian Bugs

libspring-java

source

(unstable)

4.2.7-1

unimportant

**Notes**

https://www.tenable.com/security/research/tra-2016-20  
This is not a vulnerability in Spring itself, just how applications are using it

CVE-2016-1000027: CVE-2016-1000027

**Name**

CVE-2016-1000027

**Description**

Pivotal Spring Framework 4.1.4 suffers from a potential remote code execution (RCE) issue if used for Java deserialization of untrusted data. Depending on how the library is implemented within a product, this issue may or not occur, and authentication may be required.

**Source**

CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)

**NVD severity**

high

**Vulnerable and fixed packages**

The table below lists information on source packages.

Source Package

Release

Version

Status

libspring-java (PTS)

stretch

4.3.5-1

fixed

stretch (security)

4.3.5-1+deb9u1

fixed

buster

4.3.22-4

fixed

bookworm, sid, bullseye

4.3.30-1

fixed

The information below is based on the following data on fixed versions.

Package

Type

Release

Fixed Version

Urgency

Origin

Debian Bugs

libspring-java

source

(unstable)

4.2.7-1

unimportant

**Notes**

https://www.tenable.com/security/research/tra-2016-20  
This is not a vulnerability in Spring itself, just how applications are using it

An issue was discovered in GPAC version 0.8.0 and 0.9.0-development-20191109. There is an invalid pointer dereference in the function GF_IPMPX_AUTH_Delete() in odf/ipmpx_code.c.

System info:  
Ubuntu 16.04.6 LTS, X64, gcc 5.4.0, gpac (latest master 00dfc93)  
Compile Command:

    $ CC="gcc -fsanitize=address -g" CXX="g++ -fsanitize=address -g" ./configure --static-mp4box
    $ make
    

Run Command:

    $ MP4Box -diso -out /dev/null $POC-new-GF_IPMPX_AUTH_Delete
    

POC file:  
https://github.com/Clingto/POC/blob/master/gpac-MP4Box/gpac-00dfc93-crashes/POC-new-GF\_IPMPX\_AUTH\_Delete

gdb info:

Program received signal SIGSEGV, Segmentation fault.
0x000000000056907e in gf\_ipmpx\_data\_del ()
(gdb) bt
#0  0x000000000056907e in gf\_ipmpx\_data\_del ()
#1  0x000000000056aa7c in gf\_ipmpx\_data\_parse ()
#2  0x000000000056274a in gf\_odf\_read\_ipmp ()
#3  0x000000000055a076 in gf\_odf\_parse\_descriptor ()
#4  0x000000000056503b in gf\_odf\_desc\_read ()
#5  0x00000000006ca7b4 in esds\_Read ()
#6  0x00000000005137e1 in gf\_isom\_box\_parse\_ex.constprop ()
#7  0x0000000000513e15 in gf\_isom\_parse\_root\_box ()
#8  0x000000000051b4fe in gf\_isom\_parse\_movie\_boxes.part ()
#9  0x000000000051c48c in gf\_isom\_open\_file ()
#10 0x000000000041c082 in mp4boxMain ()
#11 0x00007ffff72ed830 in \_\_libc\_start\_main (main=0x40eb70 <main>, argc=5, argv=0x7fffffffe318, init=<optimized out>, fini=<optimized out>, rtld\_fini=<optimized out>, stack\_end=0x7fffffffe308) at ../csu/libc-start.c:291
#12 0x000000000040eba9 in \_start ()

ASAN info:

ASAN:SIGSEGV
=================================================================
==27770\==ERROR: AddressSanitizer: SEGV on unknown address 0x00000000000a (pc 0x0000007bacbf bp 0x00000000000a sp 0x7fffffff8020 T0)
    #0 0x7bacbe in GF\_IPMPX\_AUTH\_Delete odf/ipmpx\_code.c:115
    #1 0x7bacbe in delete\_algo\_list odf/ipmpx\_code.c:363
    #2 0x7bacbe in DelGF\_IPMPX\_MutualAuthentication odf/ipmpx\_code.c:371
    #3 0x7bacbe in gf\_ipmpx\_data\_del odf/ipmpx\_code.c:1853
    #4 0x7bec88 in gf\_ipmpx\_data\_parse odf/ipmpx\_code.c:295
    #5 0x7a9969 in gf\_odf\_read\_ipmp odf/odf\_code.c:2426
    #6 0x795ce3 in gf\_odf\_parse\_descriptor odf/descriptors.c:159
    #7 0x7afc16 in gf\_odf\_desc\_read odf/odf\_codec.c:302
    #8 0xad3fb3 in esds\_Read isomedia/box\_code\_base.c:1256
    #9 0x6c5114 in gf\_isom\_box\_read isomedia/box\_funcs.c:1528
    #10 0x6c5114 in gf\_isom\_box\_parse\_ex isomedia/box\_funcs.c:208
    #11 0x6c5974 in gf\_isom\_parse\_root\_box isomedia/box\_funcs.c:42
    #12 0x6da6a0 in gf\_isom\_parse\_movie\_boxes isomedia/isom\_intern.c:206
    #13 0x6dd2f3 in gf\_isom\_parse\_movie\_boxes isomedia/isom\_intern.c:194
    #14 0x6dd2f3 in gf\_isom\_open\_file isomedia/isom\_intern.c:615
    #15 0x42f88a in mp4boxMain /home/aota09/yyp/fuzzcompare/test/gpac/test-crash/build\_asan\_00dfc93/applications/mp4box/main.c:4767
    #16 0x7ffff638082f in \_\_libc\_start\_main (/lib/x86\_64-linux-gnu/libc.so.6+0x2082f)
    #17 0x41e228 in \_start (/home/aota09/yyp/fuzzcompare/test/gpac/test-crash/bin\_asan/bin/MP4Box+0x41e228)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV odf/ipmpx\_code.c:115 GF\_IPMPX\_AUTH\_Delete
==27770==ABORTING

**Edit**

This bug issue still exists in latest version 0.8.0: 4c19ae5 and 0.9.0: 1de1f8d

Addition: This bug was found with our fuzzer, which is based on AFL. Our fuzzer is developed by Yuanpingyu(cfenicey@gmail.com) 、Yanhao and Marsman1996(lqliuyuwei@outlook.com)

CVE-2019-20170: AddressSanitizer: heap-use-after-free in GF_IPMPX_AUTH_Delete odf/ipmpx_code.c:115 · Issue #1328 · gpac/gpac

An issue was discovered in GPAC version 0.8.0 and 0.9.0-development-20191109. There is a NULL pointer dereference in the function ilst_item_Read() in isomedia/box_code_apple.c.

Hello, I found a similar issue but I am not sure they are the same.  
#1263

System info:  
Ubuntu 16.04.6 LTS, X64, gcc 5.4.0, gpac (latest master 00dfc93)  
Compile Command:

    $ CC="gcc -fsanitize=address -g" CXX="g++ -fsanitize=address -g" ./configure --static-mp4box
    $ make
    

Run Command:

    $ MP4Box -diso -out /dev/null $POC-new-ilst_item_Read
    

POC file:  
https://github.com/Clingto/POC/blob/master/gpac-MP4Box/gpac-00dfc93-crashes/POC-new-ilst\_item\_Read

gdb info:

Program received signal SIGSEGV, Segmentation fault.
0x00000000006c499d in ilst\_item\_Read ()
(gdb) bt
#0  0x00000000006c499d in ilst\_item\_Read ()
#1  0x00000000005137e1 in gf\_isom\_box\_parse\_ex.constprop ()
#2  0x0000000000513e15 in gf\_isom\_parse\_root\_box ()
#3  0x000000000051b4fe in gf\_isom\_parse\_movie\_boxes.part ()
#4  0x000000000051c48c in gf\_isom\_open\_file ()
#5  0x000000000041c082 in mp4boxMain ()
#6  0x00007ffff72ed830 in \_\_libc\_start\_main (main=0x40eb70 <main>, argc=5, argv=0x7fffffffe318, init=<optimized out>, fini=<optimized out>, rtld\_fini=<optimized out>, stack\_end=0x7fffffffe308) at ../csu/libc-start.c:291
#7  0x000000000040eba9 in \_start ()

ASAN info:

ASAN:SIGSEGV
=================================================================
==27902\==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000008 (pc 0x000000ac4185 bp 0x7fffffff8230 sp 0x7fffffff8220 T0)
    #0 0xac4184 in ilst\_item\_Read isomedia/box\_code\_apple.c:119
    #1 0x6c5114 in gf\_isom\_box\_read isomedia/box\_funcs.c:1528
    #2 0x6c5114 in gf\_isom\_box\_parse\_ex isomedia/box\_funcs.c:208
    #3 0x6c5974 in gf\_isom\_parse\_root\_box isomedia/box\_funcs.c:42
    #4 0x6da6a0 in gf\_isom\_parse\_movie\_boxes isomedia/isom\_intern.c:206
    #5 0x6dd2f3 in gf\_isom\_parse\_movie\_boxes isomedia/isom\_intern.c:194
    #6 0x6dd2f3 in gf\_isom\_open\_file isomedia/isom\_intern.c:615
    #7 0x42f88a in mp4boxMain /home/aota09/yyp/fuzzcompare/test/gpac/test-crash/build\_asan\_00dfc93/applications/mp4box/main.c:4767
    #8 0x7ffff638082f in \_\_libc\_start\_main (/lib/x86\_64-linux-gnu/libc.so.6+0x2082f)
    #9 0x41e228 in \_start (/home/aota09/yyp/fuzzcompare/test/gpac/test-crash/bin\_asan/bin/MP4Box+0x41e228)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV isomedia/box\_code\_apple.c:119 ilst\_item\_Read
==27902==ABORTING

Edit

This bug issue still exists in latest version 0.8.0: 4c19ae5 and 0.9.0: 1de1f8d

Addition: This bug was found with our fuzzer, which is based on AFL. Our fuzzer is developed by Yuanpingyu(cfenicey@gmail.com) 、Yanhao and Marsman1996(lqliuyuwei@outlook.com)

CVE-2019-20165: ERROR: AddressSanitizer: NULL pointer dereference in ilst_item_Read isomedia/box_code_apple.c:119 · Issue #1338 · gpac/gpac

An issue was discovered in GPAC version 0.8.0 and 0.9.0-development-20191109. There is heap-based buffer overflow in the function ReadGF_IPMPX_WatermarkingInit() in odf/ipmpx_code.c.

System info:  
Ubuntu 16.04.6 LTS, X64, gcc 5.4.0, gpac (master 6ada10e)  
Compile Command:

    $ CC="gcc -fsanitize=address -g" CXX="g++ -fsanitize=address -g" ./configure --static-mp4box
    $ make
    

Run Command:

    $ MP4Box -diso -out /dev/null $POC-ReadGF_IPMPX_WatermarkingInit
    

POC file:  
https://github.com/Clingto/POC/blob/master/gpac-MP4Box/POC-ReadGF\_IPMPX\_WatermarkingInit  
ASAN info:

\==26293\==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000efb1 at pc 0x7ffff6ef6904 bp 0x7fffffff7e90 sp 0x7fffffff7638
WRITE of size 40 at 0x60200000efb1 thread T0
    #0 0x7ffff6ef6903 in \_\_asan\_memcpy (/usr/lib/x86\_64-linux-gnu/libasan.so.2+0x8c903)
    #1 0x4709b5 in memcpy /usr/include/x86\_64-linux-gnu/bits/string3.h:53
    #2 0x4709b5 in gf\_bs\_read\_data utils/bitstream.c:461
    #3 0x7bc40d in ReadGF\_IPMPX\_WatermarkingInit odf/ipmpx\_code.c:1517
    #4 0x7bc40d in GF\_IPMPX\_ReadData odf/ipmpx\_code.c:2020
    #5 0x7beab7 in gf\_ipmpx\_data\_parse odf/ipmpx\_code.c:293
    #6 0x7a97c9 in gf\_odf\_read\_ipmp odf/odf\_code.c:2426
    #7 0x795b43 in gf\_odf\_parse\_descriptor odf/descriptors.c:159
    #8 0x7afa76 in gf\_odf\_desc\_read odf/odf\_codec.c:302
    #9 0xad3e13 in esds\_Read isomedia/box\_code\_base.c:1256
    #10 0x6c5114 in gf\_isom\_box\_read isomedia/box\_funcs.c:1528
    #11 0x6c5114 in gf\_isom\_box\_parse\_ex isomedia/box\_funcs.c:208
    #12 0x6c5974 in gf\_isom\_parse\_root\_box isomedia/box\_funcs.c:42
    #13 0x6da6a0 in gf\_isom\_parse\_movie\_boxes isomedia/isom\_intern.c:206
    #14 0x6dd2f3 in gf\_isom\_parse\_movie\_boxes isomedia/isom\_intern.c:194
    #15 0x6dd2f3 in gf\_isom\_open\_file isomedia/isom\_intern.c:615
    #16 0x42f88a in mp4boxMain /home/aota09/yyp/fuzzcompare/test/gpac/test-crash/build\_asan/applications/mp4box/main.c:4767
    #17 0x7ffff638082f in \_\_libc\_start\_main (/lib/x86\_64-linux-gnu/libc.so.6+0x2082f)
    #18 0x41e228 in \_start (/home/aota09/yyp/fuzzcompare/test/gpac/test-crash/bin\_asan/bin/MP4Box+0x41e228)

0x60200000efb1 is located 0 bytes to the right of 1-byte region \[0x60200000efb0,0x60200000efb1)
allocated by thread T0 here:
    #0 0x7ffff6f02602 in malloc (/usr/lib/x86\_64-linux-gnu/libasan.so.2+0x98602)
    #1 0x7bc3bf in ReadGF\_IPMPX\_WatermarkingInit odf/ipmpx\_code.c:1516
    #2 0x7bc3bf in GF\_IPMPX\_ReadData odf/ipmpx\_code.c:2020

SUMMARY: AddressSanitizer: heap-buffer-overflow ??:0 \_\_asan\_memcpy
Shadow bytes around the buggy address:
  0x0c047fff9da0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9db0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9dc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9dd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9de0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c047fff9df0: fa fa fa fa fa fa\[01\]fa fa fa 00 00 fa fa 00 00
  0x0c047fff9e00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9e10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9e20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9e30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9e40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
==26293==ABORTING

gdb info:

7ffff70cd000-7ffff72cc000 ---p 00016000 08:02 67633677                   /lib/x86\_64-linux-gnu/libgcc\_s.so.1
7ffff72cc000-7ffff72cd000 rw-p 00015000 08:02 67633677                   /lib/x86\_64-linux-gnu/libgcc\_s.so.1
7ffff72cd000-7ffff748d000 r-xp 00000000 08:02 67637542                   /lib/x86\_64-linux-gnu/libc-2.23.so
7ffff748d000-7ffff768d000 ---p 001c0000 08:02 67637542                   /lib/x86\_64-linux-gnu/libc-2.23.so
7ffff768d000-7ffff7691000 r--p 001c0000 08:02 67637542                   /lib/x86\_64-linux-gnu/libc-2.23.so
7ffff7691000-7ffff7693000 rw-p 001c4000 08:02 67637542                   /lib/x86\_64-linux-gnu/libc-2.23.so
7ffff7693000-7ffff7697000 rw-p 00000000 00:00 0
7ffff7697000-7ffff76b0000 r-xp 00000000 08:02 67633774                   /lib/x86\_64-linux-gnu/libz.so.1.2.8
7ffff76b0000-7ffff78af000 ---p 00019000 08:02 67633774                   /lib/x86\_64-linux-gnu/libz.so.1.2.8
7ffff78af000-7ffff78b0000 r--p 00018000 08:02 67633774                   /lib/x86\_64-linux-gnu/libz.so.1.2.8
7ffff78b0000-7ffff78b1000 rw-p 00019000 08:02 67633774                   /lib/x86\_64-linux-gnu/libz.so.1.2.8
7ffff78b1000-7ffff79b9000 r-xp 00000000 08:02 67637545                   /lib/x86\_64-linux-gnu/libm-2.23.so
7ffff79b9000-7ffff7bb8000 ---p 00108000 08:02 67637545                   /lib/x86\_64-linux-gnu/libm-2.23.so
7ffff7bb8000-7ffff7bb9000 r--p 00107000 08:02 67637545                   /lib/x86\_64-linux-gnu/libm-2.23.so
7ffff7bb9000-7ffff7bba000 rw-p 00108000 08:02 67637545                   /lib/x86\_64-linux-gnu/libm-2.23.so
7ffff7bba000-7ffff7bd2000 r-xp 00000000 08:02 67637529                   /lib/x86\_64-linux-gnu/libpthread-2.23.so
7ffff7bd2000-7ffff7dd1000 ---p 00018000 08:02 67637529                   /lib/x86\_64-linux-gnu/libpthread-2.23.so
7ffff7dd1000-7ffff7dd2000 r--p 00017000 08:02 67637529                   /lib/x86\_64-linux-gnu/libpthread-2.23.so
7ffff7dd2000-7ffff7dd3000 rw-p 00018000 08:02 67637529                   /lib/x86\_64-linux-gnu/libpthread-2.23.so
7ffff7dd3000-7ffff7dd7000 rw-p 00000000 00:00 0
7ffff7dd7000-7ffff7dfd000 r-xp 00000000 08:02 67637528                   /lib/x86\_64-linux-gnu/ld-2.23.so
7ffff7fe3000-7ffff7fe8000 rw-p 00000000 00:00 0
7ffff7ff7000-7ffff7ff8000 rw-p 00000000 00:00 0
7ffff7ff8000-7ffff7ffa000 r--p 00000000 00:00 0                          \[vvar\]
7ffff7ffa000-7ffff7ffc000 r-xp 00000000 00:00 0                          \[vdso\]
7ffff7ffc000-7ffff7ffd000 r--p 00025000 08:02 67637528                   /lib/x86\_64-linux-gnu/ld-2.23.so
7ffff7ffd000-7ffff7ffe000 rw-p 00026000 08:02 67637528                   /lib/x86\_64-linux-gnu/ld-2.23.so
7ffff7ffe000-7ffff7fff000 rw-p 00000000 00:00 0
7ffffffde000-7ffffffff000 rw-p 00000000 00:00 0                          \[stack\]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0                  \[vsyscall\]

Program received signal SIGABRT, Aborted.
0x00007ffff7302428 in \_\_GI\_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:54
54      ../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
(gdb) bt
#0  0x00007ffff7302428 in \_\_GI\_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:54
#1  0x00007ffff730402a in \_\_GI\_abort () at abort.c:89
#2  0x00007ffff73447ea in \_\_libc\_message (do\_abort=do\_abort@entry=2, fmt=fmt@entry=0x7ffff745ded8 "\*\*\* Error in \`%s': %s: 0x%s \*\*\*\\n") at ../sysdeps/posix/libc\_fatal.c:175
#3  0x00007ffff734d37a in malloc\_printerr (ar\_ptr=<optimized out>, ptr=<optimized out>, str=0x7ffff745df50 "free(): invalid next size (fast)", action=3) at malloc.c:5006
#4  \_int\_free (av=<optimized out>, p=<optimized out>, have\_lock=0) at malloc.c:3867
#5  0x00007ffff735153c in \_\_GI\_\_\_libc\_free (mem=<optimized out>) at malloc.c:2968
#6  0x0000000000568b82 in DelGF\_IPMPX\_OpaqueData (\_p=<optimized out>) at odf/ipmpx\_code.c:1205
#7  gf\_ipmpx\_data\_del (\_p=\_p@entry=0x9cc760) at odf/ipmpx\_code.c:1835
#8  0x00000000005624bd in gf\_odf\_del\_ipmp (ipmp=0x9cc670) at odf/odf\_code.c:2390
#9  0x000000000055a031 in gf\_odf\_parse\_descriptor (bs=bs@entry=0x9cc610, desc=desc@entry=0x9cc578, desc\_size=desc\_size@entry=0x7fffffff9694) at odf/descriptors.c:176
#10 0x0000000000564f7b in gf\_odf\_desc\_read (raw\_desc=raw\_desc@entry=0x9cc590 "\\v@\\377\\377\\377\\377", descSize=descSize@entry=108, outDesc=outDesc@entry=0x9cc578) at odf/odf\_codec.c:302
#11 0x00000000006ca6f4 in esds\_Read (s=0x9cc550, bs=0x9cb460) at isomedia/box\_code\_base.c:1256
#12 0x00000000005137e1 in gf\_isom\_box\_read (bs=0x9cb460, a=0x9cc550) at isomedia/box\_funcs.c:1528
#13 gf\_isom\_box\_parse\_ex (outBox=outBox@entry=0x7fffffff9800, bs=bs@entry=0x9cb460, is\_root\_box=is\_root\_box@entry=GF\_TRUE, parent\_type=0) at isomedia/box\_funcs.c:208
#14 0x0000000000513e15 in gf\_isom\_parse\_root\_box (outBox=outBox@entry=0x7fffffff9800, bs=0x9cb460, bytesExpected=bytesExpected@entry=0x7fffffff9850, progressive\_mode=progressive\_mode@entry=GF\_FALSE) at isomedia/box\_funcs.c:42
#15 0x000000000051b4fe in gf\_isom\_parse\_movie\_boxes (mov=mov@entry=0x9cb010, bytesMissing=bytesMissing@entry=0x7fffffff9850, progressive\_mode=progressive\_mode@entry=GF\_FALSE) at isomedia/isom\_intern.c:206
#16 0x000000000051c48c in gf\_isom\_parse\_movie\_boxes (progressive\_mode=GF\_FALSE, bytesMissing=0x7fffffff9850, mov=0x9cb010) at isomedia/isom\_intern.c:194
#17 gf\_isom\_open\_file (fileName=0x7fffffffe627 "./real-crashs/POC-ReadGF\_IPMPX\_WatermarkingInit", OpenMode=0, tmp\_dir=0x0) at isomedia/isom\_intern.c:615
#18 0x000000000041c082 in mp4boxMain (argc=<optimized out>, argv=<optimized out>) at main.c:4767
#19 0x00007ffff72ed830 in \_\_libc\_start\_main (main=0x40eb70 <main>, argc=5, argv=0x7fffffffe358, init=<optimized out>, fini=<optimized out>, rtld\_fini=<optimized out>, stack\_end=0x7fffffffe348) at ../csu/libc-start.c:291
#20 0x000000000040eba9 in \_start ()

Edit

This bug issue still exists in latest version 0.8.0: 4c19ae5 and 0.9.0: 1de1f8d

Addition: This bug was found with our fuzzer, which is based on AFL. Our fuzzer is developed by Yuanpingyu(cfenicey@gmail.com) 、Yanhao and Marsman1996(lqliuyuwei@outlook.com)

CVE-2019-20161: AddressSanitizer: heap-buffer-overflow in ReadGF_IPMPX_WatermarkingInit at ipmpx_code.c:1517 · Issue #1320 · gpac/gpac

An issue was discovered in GPAC version 0.8.0 and 0.9.0-development-20191109. There is heap-based buffer overflow in the function gf_isom_box_parse_ex() in isomedia/box_funcs.c.

System info:  
Ubuntu 16.04.6 LTS, X64, gcc 5.4.0, gpac (latest master 00dfc93)  
Compile Command:

    $ CC="gcc -fsanitize=address -g" CXX="g++ -fsanitize=address -g" ./configure --static-mp4box
    $ make
    

Run Command:

    $ MP4Box -diso -out /dev/null $POC-new-gf_isom_box_parse_ex
    

POC file:  
https://github.com/Clingto/POC/blob/master/gpac-MP4Box/gpac-00dfc93-crashes/POC-new-gf\_isom\_box\_parse\_ex  
https://github.com/Clingto/POC/blob/master/gpac-MP4Box/gpac-00dfc93-crashes/POC-new-gf\_isom\_box\_parse\_ex-2  
For POC-new-gf\_isom\_box\_parse\_ex  
gdb info:

Program received signal SIGSEGV, Segmentation fault.
\_\_GI\_\_\_libc\_free (mem=0x6a06e81bf20d02) at malloc.c:2951
2951    malloc.c: No such file or directory.
(gdb) bt
#0  \_\_GI\_\_\_libc\_free (mem=0x6a06e81bf20d02) at malloc.c:2951
#1  0x00000000006d4ab7 in reftype\_del ()
#2  0x0000000000512a7d in gf\_isom\_box\_del ()
#3  0x00000000005135fe in gf\_isom\_box\_array\_read\_ex ()
#4  0x00000000005137e1 in gf\_isom\_box\_parse\_ex.constprop ()
#5  0x0000000000513e15 in gf\_isom\_parse\_root\_box ()
#6  0x000000000051b4fe in gf\_isom\_parse\_movie\_boxes.part ()
#7  0x000000000051c48c in gf\_isom\_open\_file ()
#8  0x000000000041c082 in mp4boxMain ()
#9  0x00007ffff72ed830 in \_\_libc\_start\_main (main=0x40eb70 <main>, argc=5, argv=0x7fffffffe318, init=<optimized out>, fini=<optimized out>, rtld\_fini=<optimized out>, stack\_end=0x7fffffffe308) at ../csu/libc-start.c:291
#10 0x000000000040eba9 in \_start ()

For POC-new-gf\_isom\_box\_parse\_ex-2  
gdb info:

Program received signal SIGSEGV, Segmentation fault.
\_\_GI\_\_\_libc\_free (mem=0x1c1c1c1c1c1c1c1c) at malloc.c:2951
2951    malloc.c: No such file or directory.
(gdb) bt
#0  \_\_GI\_\_\_libc\_free (mem=0x1c1c1c1c1c1c1c1c) at malloc.c:2951
#1  0x00000000006d4ab7 in reftype\_del ()
#2  0x0000000000512a7d in gf\_isom\_box\_del ()
#3  0x00000000005135fe in gf\_isom\_box\_array\_read\_ex ()
#4  0x00000000005137e1 in gf\_isom\_box\_parse\_ex.constprop ()
#5  0x0000000000513e15 in gf\_isom\_parse\_root\_box ()
#6  0x000000000051b4fe in gf\_isom\_parse\_movie\_boxes.part ()
#7  0x000000000051c48c in gf\_isom\_open\_file ()
#8  0x000000000041c082 in mp4boxMain ()
#9  0x00007ffff72ed830 in \_\_libc\_start\_main (main=0x40eb70 <main>, argc=5, argv=0x7fffffffe318, init=<optimized out>, fini=<optimized out>, rtld\_fini=<optimized out>, stack\_end=0x7fffffffe308) at ../csu/libc-start.c:291
#10 0x000000000040eba9 in \_start ()

For POC-new-gf\_isom\_box\_parse\_ex  
ASAN info:

\==25783\==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60400000df80 at pc 0x0000006c4392 bp 0x7fffffff8090 sp 0x7fffffff8080
WRITE of size 4 at 0x60400000df80 thread T0
    #0 0x6c4391 in gf\_isom\_box\_parse\_ex isomedia/box\_funcs.c:189
    #1 0x6c47bc in gf\_isom\_box\_array\_read\_ex isomedia/box\_funcs.c:1419
    #2 0x6c5114 in gf\_isom\_box\_read isomedia/box\_funcs.c:1528
    #3 0x6c5114 in gf\_isom\_box\_parse\_ex isomedia/box\_funcs.c:208
    #4 0x6c5974 in gf\_isom\_parse\_root\_box isomedia/box\_funcs.c:42
    #5 0x6da6a0 in gf\_isom\_parse\_movie\_boxes isomedia/isom\_intern.c:206
    #6 0x6dd2f3 in gf\_isom\_parse\_movie\_boxes isomedia/isom\_intern.c:194
    #7 0x6dd2f3 in gf\_isom\_open\_file isomedia/isom\_intern.c:615
    #8 0x42f88a in mp4boxMain /home/aota09/yyp/fuzzcompare/test/gpac/test-crash/build\_asan\_00dfc93/applications/mp4box/main.c:4767
    #9 0x7ffff638082f in \_\_libc\_start\_main (/lib/x86\_64-linux-gnu/libc.so.6+0x2082f)
    #10 0x41e228 in \_start (/home/aota09/yyp/fuzzcompare/test/gpac/test-crash/bin\_asan/bin/MP4Box+0x41e228)

0x60400000df80 is located 0 bytes to the right of 48-byte region \[0x60400000df50,0x60400000df80)
allocated by thread T0 here:
    #0 0x7ffff6f02602 in malloc (/usr/lib/x86\_64-linux-gnu/libasan.so.2+0x98602)
    #1 0xaec17d in reftype\_New isomedia/box\_code\_base.c:7521

SUMMARY: AddressSanitizer: heap-buffer-overflow isomedia/box\_funcs.c:189 gf\_isom\_box\_parse\_ex
Shadow bytes around the buggy address:
  0x0c087fff9ba0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff9bb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff9bc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff9bd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff9be0: fa fa fa fa fa fa fa fa fa fa 00 00 00 00 00 00
=>0x0c087fff9bf0:\[fa\]fa 00 00 00 00 00 00 fa fa 00 00 00 00 00 00
  0x0c087fff9c00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff9c10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff9c20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff9c30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff9c40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
==25783==ABORTING

For POC-new-gf\_isom\_box\_parse\_ex-2

ASAN info：  
==25917\==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60400000e000 at pc 0x0000006c4392 bp 0x7fffffff8090 sp 0x7fffffff8080
WRITE of size 4 at 0x60400000e000 thread T0
    #0 0x6c4391 in gf\_isom\_box\_parse\_ex isomedia/box\_funcs.c:189
    #1 0x6c47bc in gf\_isom\_box\_array\_read\_ex isomedia/box\_funcs.c:1419
    #2 0x6c5114 in gf\_isom\_box\_read isomedia/box\_funcs.c:1528
    #3 0x6c5114 in gf\_isom\_box\_parse\_ex isomedia/box\_funcs.c:208
    #4 0x6c5974 in gf\_isom\_parse\_root\_box isomedia/box\_funcs.c:42
    #5 0x6da6a0 in gf\_isom\_parse\_movie\_boxes isomedia/isom\_intern.c:206
    #6 0x6dd2f3 in gf\_isom\_parse\_movie\_boxes isomedia/isom\_intern.c:194
    #7 0x6dd2f3 in gf\_isom\_open\_file isomedia/isom\_intern.c:615
    #8 0x42f88a in mp4boxMain /home/aota09/yyp/fuzzcompare/test/gpac/test-crash/build\_asan\_00dfc93/applications/mp4box/main.c:4767
    #9 0x7ffff638082f in \_\_libc\_start\_main (/lib/x86\_64-linux-gnu/libc.so.6+0x2082f)
    #10 0x41e228 in \_start (/home/aota09/yyp/fuzzcompare/test/gpac/test-crash/bin\_asan/bin/MP4Box+0x41e228)

0x60400000e000 is located 0 bytes to the right of 48-byte region \[0x60400000dfd0,0x60400000e000)
allocated by thread T0 here:
    #0 0x7ffff6f02602 in malloc (/usr/lib/x86\_64-linux-gnu/libasan.so.2+0x98602)
    #1 0xaec17d in reftype\_New isomedia/box\_code\_base.c:7521

SUMMARY: AddressSanitizer: heap-buffer-overflow isomedia/box\_funcs.c:189 gf\_isom\_box\_parse\_ex
Shadow bytes around the buggy address:
  0x0c087fff9bb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff9bc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff9bd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff9be0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff9bf0: fa fa fa fa fa fa fa fa fa fa 00 00 00 00 00 00
=>0x0c087fff9c00:\[fa\]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff9c10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff9c20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff9c30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff9c40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff9c50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
==25917==ABORTING

Edit

**This bug issue still exists in latest version 0.8.0: 4c19ae5 and 0.9.0: 1de1f8d**

Addition: This bug was found with our fuzzer, which is based on AFL. Our fuzzer is developed by Yuanpingyu(cfenicey@gmail.com) 、Yanhao and Marsman1996(lqliuyuwei@outlook.com)

CVE-2019-20162: ERROR: AddressSanitizer: heap-buffer-overflow in gf_isom_box_parse_ex isomedia/box_funcs.c:189 · Issue #1327 · gpac/gpac

An issue was discovered in GPAC version 0.8.0 and 0.9.0-development-20191109. There is a NULL pointer dereference in the function gf_odf_avc_cfg_write_bs() in odf/descriptors.c.

System info:  
Ubuntu 16.04.6 LTS, X64, gcc 5.4.0, gpac (latest master 00dfc93)  
Compile Command:

    $ CC="gcc -fsanitize=address -g" CXX="g++ -fsanitize=address -g" ./configure --static-mp4box
    $ make
    

Run Command:

    $ MP4Box -diso -out /dev/null $POC-new-gf_odf_avc_cfg_write_bs
    

POC file:  
https://github.com/Clingto/POC/blob/master/gpac-MP4Box/gpac-00dfc93-crashes/POC-new-gf\_odf\_avc\_cfg\_write\_bs

gdb info:

Program received signal SIGSEGV, Segmentation fault.
0x000000000055aeee in gf\_odf\_avc\_cfg\_write\_bs ()
(gdb) bt
#0  0x000000000055aeee in gf\_odf\_avc\_cfg\_write\_bs ()
#1  0x000000000055b1ff in gf\_odf\_avc\_cfg\_write ()
#2  0x00000000004f9ba1 in AVC\_RewriteESDescriptorEx ()
#3  0x00000000006cf2a8 in video\_sample\_entry\_Read ()
#4  0x0000000000512ce5 in gf\_isom\_box\_parse\_ex ()
#5  0x000000000051333b in gf\_isom\_box\_array\_read\_ex ()
#6  0x0000000000512ce5 in gf\_isom\_box\_parse\_ex ()
#7  0x000000000051333b in gf\_isom\_box\_array\_read\_ex ()
#8  0x00000000006d09d0 in stbl\_Read ()
#9  0x0000000000512ce5 in gf\_isom\_box\_parse\_ex ()
#10 0x000000000051333b in gf\_isom\_box\_array\_read\_ex ()
#11 0x00000000006ce02b in minf\_Read ()
#12 0x0000000000512ce5 in gf\_isom\_box\_parse\_ex ()
#13 0x000000000051333b in gf\_isom\_box\_array\_read\_ex ()
#14 0x00000000006cd2f0 in mdia\_Read ()
#15 0x0000000000512ce5 in gf\_isom\_box\_parse\_ex ()
#16 0x000000000051333b in gf\_isom\_box\_array\_read\_ex ()
#17 0x00000000006d351d in trak\_Read ()
#18 0x0000000000512ce5 in gf\_isom\_box\_parse\_ex ()
#19 0x000000000051333b in gf\_isom\_box\_array\_read\_ex ()
#20 0x00000000006ce545 in moov\_Read ()
#21 0x00000000005137e1 in gf\_isom\_box\_parse\_ex.constprop ()
#22 0x0000000000513e15 in gf\_isom\_parse\_root\_box ()
#23 0x000000000051b4fe in gf\_isom\_parse\_movie\_boxes.part ()
#24 0x000000000051c48c in gf\_isom\_open\_file ()
#25 0x000000000041c082 in mp4boxMain ()
#26 0x00007ffff72ed830 in \_\_libc\_start\_main (main=0x40eb70 <main>, argc=5, argv=0x7fffffffe318, init=<optimized out>, fini=<optimized out>, rtld\_fini=<optimized out>, stack\_end=0x7fffffffe308) at ../csu/libc-start.c:291
#27 0x000000000040eba9 in \_start ()

ASAN info:

ASAN:SIGSEGV
=================================================================
==25871\==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000008 (pc 0x000000797a2b bp 0x60200000ed98 sp 0x7fffffff7230 T0)
    #0 0x797a2a in gf\_odf\_avc\_cfg\_write\_bs odf/descriptors.c:567
    #1 0x79821e in gf\_odf\_avc\_cfg\_write odf/descriptors.c:631
    #2 0x68b393 in AVC\_RewriteESDescriptorEx isomedia/avc\_ext.c:1063
    #3 0xaddd66 in video\_sample\_entry\_Read isomedia/box\_code\_base.c:4408
    #4 0x6c3d6e in gf\_isom\_box\_read isomedia/box\_funcs.c:1528
    #5 0x6c3d6e in gf\_isom\_box\_parse\_ex isomedia/box\_funcs.c:208
    #6 0x6c47bc in gf\_isom\_box\_array\_read\_ex isomedia/box\_funcs.c:1419
    #7 0x6c3d6e in gf\_isom\_box\_read isomedia/box\_funcs.c:1528
    #8 0x6c3d6e in gf\_isom\_box\_parse\_ex isomedia/box\_funcs.c:208
    #9 0x6c47bc in gf\_isom\_box\_array\_read\_ex isomedia/box\_funcs.c:1419
    #10 0xae19df in stbl\_Read isomedia/box\_code\_base.c:5381
    #11 0x6c3d6e in gf\_isom\_box\_read isomedia/box\_funcs.c:1528
    #12 0x6c3d6e in gf\_isom\_box\_parse\_ex isomedia/box\_funcs.c:208
    #13 0x6c47bc in gf\_isom\_box\_array\_read\_ex isomedia/box\_funcs.c:1419
    #14 0xadb4fe in minf\_Read isomedia/box\_code\_base.c:3500
    #15 0x6c3d6e in gf\_isom\_box\_read isomedia/box\_funcs.c:1528
    #16 0x6c3d6e in gf\_isom\_box\_parse\_ex isomedia/box\_funcs.c:208
    #17 0x6c47bc in gf\_isom\_box\_array\_read\_ex isomedia/box\_funcs.c:1419
    #18 0xad96ef in mdia\_Read isomedia/box\_code\_base.c:3021
    #19 0x6c3d6e in gf\_isom\_box\_read isomedia/box\_funcs.c:1528
    #20 0x6c3d6e in gf\_isom\_box\_parse\_ex isomedia/box\_funcs.c:208
    #21 0x6c47bc in gf\_isom\_box\_array\_read\_ex isomedia/box\_funcs.c:1419
    #22 0xae8ad8 in trak\_Read isomedia/box\_code\_base.c:7129
    #23 0x6c3d6e in gf\_isom\_box\_read isomedia/box\_funcs.c:1528
    #24 0x6c3d6e in gf\_isom\_box\_parse\_ex isomedia/box\_funcs.c:208
    #25 0x6c47bc in gf\_isom\_box\_array\_read\_ex isomedia/box\_funcs.c:1419
    #26 0xadc064 in moov\_Read isomedia/box\_code\_base.c:3745
    #27 0x6c5114 in gf\_isom\_box\_read isomedia/box\_funcs.c:1528
    #28 0x6c5114 in gf\_isom\_box\_parse\_ex isomedia/box\_funcs.c:208
    #29 0x6c5974 in gf\_isom\_parse\_root\_box isomedia/box\_funcs.c:42
    #30 0x6da6a0 in gf\_isom\_parse\_movie\_boxes isomedia/isom\_intern.c:206
    #31 0x6dd2f3 in gf\_isom\_parse\_movie\_boxes isomedia/isom\_intern.c:194
    #32 0x6dd2f3 in gf\_isom\_open\_file isomedia/isom\_intern.c:615
    #33 0x42f88a in mp4boxMain /home/aota09/yyp/fuzzcompare/test/gpac/test-crash/build\_asan\_00dfc93/applications/mp4box/main.c:4767
    #34 0x7ffff638082f in \_\_libc\_start\_main (/lib/x86\_64-linux-gnu/libc.so.6+0x2082f)
    #35 0x41e228 in \_start (/home/aota09/yyp/fuzzcompare/test/gpac/test-crash/bin\_asan/bin/MP4Box+0x41e228)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV odf/descriptors.c:567 gf\_odf\_avc\_cfg\_write\_bs
==25871==ABORTING

Edit

This bug issue still exists in latest version 0.8.0: 4c19ae5 and 0.9.0: 1de1f8d

Addition: This bug was found with our fuzzer, which is based on AFL. Our fuzzer is developed by Yuanpingyu(cfenicey@gmail.com) 、Yanhao and Marsman1996(lqliuyuwei@outlook.com)

CVE-2019-20163: AddressSanitizer: NULL pointer dereference in gf_odf_avc_cfg_write_bs odf/descriptors.c:567 · Issue #1335 · gpac/gpac

A heap-based buffer over-read was discovered in canUnpack in p_mach.cpp in UPX 3.95 via a crafted Mach-O file.

A crafted input will lead to crash in p\_mach.cpp at UPX 3.95(latest version,git clone from branch devel)

Triggered by  
./upx.out -d -f POC

OS: Ubuntu 18.04.3 LTS

CPU architecture: x86\_64

Poc  
002

The ASAN information is as follows:

    ./upx.out -d -f 002
                           Ultimate Packer for eXecutables
                              Copyright (C) 1996 - 2019
    UPX git-75a2cc  Markus Oberhumer, Laszlo Molnar & John Reiser   Feb 24th 2019
    
            File size         Ratio      Format      Name
       --------------------   ------   -----------   -----------
    =================================================================
    ==24764==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000010 at pc 0x56476d2e5ab3 bp 0x7ffc2f050250 sp 0x7ffc2f050240
    READ of size 4 at 0x602000000010 thread T0
        #0 0x56476d2e5ab2 in get_le32(void const*) /home/liuz/upx-asan/upx_new/upx/src/bele.h:164
        #1 0x56476d2e5ab2 in LE32::operator unsigned int() const /home/liuz/upx-asan/upx_new/upx/src/bele.h:416
        #2 0x56476d2e5ab2 in PackMachBase<N_Mach::MachClass_64<N_BELE_CTP::LEPolicy> >::canUnpack() /home/liuz/upx-asan/upx_new/upx/src/p_mach.cpp:1539
        #3 0x56476d3555a6 in try_unpack /home/liuz/upx-asan/upx_new/upx/src/packmast.cpp:114
        #4 0x56476d356ad5 in PackMaster::visitAllPackers(Packer* (*)(Packer*, void*), InputFile*, options_t const*, void*) /home/liuz/upx-asan/upx_new/upx/src/packmast.cpp:225
        #5 0x56476d3582b0 in PackMaster::getUnpacker(InputFile*) /home/liuz/upx-asan/upx_new/upx/src/packmast.cpp:248
        #6 0x56476d3583cf in PackMaster::unpack(OutputFile*) /home/liuz/upx-asan/upx_new/upx/src/packmast.cpp:266
        #7 0x56476d3944ee in do_one_file(char const*, char*) /home/liuz/upx-asan/upx_new/upx/src/work.cpp:160
        #8 0x56476d39499f in do_files(int, int, char**) /home/liuz/upx-asan/upx_new/upx/src/work.cpp:271
        #9 0x56476d2253e6 in main /home/liuz/upx-asan/upx_new/upx/src/main.cpp:1543
        #10 0x7ff90c80eb96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
        #11 0x56476d226549 in _start (/home/liuz/upx-asan/upx_new/upx/src/upx.out+0x5c549)
    
    0x602000000011 is located 0 bytes to the right of 1-byte region [0x602000000010,0x602000000011)
    allocated by thread T0 here:
        #0 0x7ff90d68c618 in operator new[](unsigned long) (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xe0618)
        #1 0x56476d2e3bc9 in PackMachBase<N_Mach::MachClass_64<N_BELE_CTP::LEPolicy> >::canUnpack() /home/liuz/upx-asan/upx_new/upx/src/p_mach.cpp:1525
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow /home/liuz/upx-asan/upx_new/upx/src/bele.h:164 in get_le32(void const*)
    Shadow bytes around the buggy address:
      0x0c047fff7fb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c047fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c047fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c047fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c047fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    =>0x0c047fff8000: fa fa[01]fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff8010: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff8020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
    ==24764==ABORTING

CVE-2019-20021: There is a heap-buffer-overflow in the canUnpack function of p_mach.cpp:1539 · Issue #315 · upx/upx

In ImageMagick 7.0.8-43 Q16, there is a heap-based buffer overflow in the function WriteSGIImage of coders/sgi.c.

**Prerequisites**

*   I have written a descriptive issue title
*   I have verified that I am using the latest version of ImageMagick
*   I have searched open and closed issues to ensure it has not already been reported

**Description**

There is a heap buffer overflow vulnerability in function WriteSGIImage of coders/sgi.c.

**Steps to Reproduce**

poc  
magick convert $poc ./test.sgi  
=================================================================  
==41720==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7f70c67db7f8 at pc 0x0000006c216f bp 0x7ffea64ddb50 sp 0x7ffea64ddb40  
WRITE of size 1 at 0x7f70c67db7f8 thread T0  
    #0 0x6c216e in WriteSGIImage coders/sgi.c:1051  
    #1 0x849036 in WriteImage MagickCore/constitute.c:1159  
    #2 0x849d5b in WriteImages MagickCore/constitute.c:1376  
    #3 0xbf16d0 in ConvertImageCommand MagickWand/convert.c:3305  
    #4 0xcdf180 in MagickCommandGenesis MagickWand/mogrify.c:185  
    #5 0x4100a1 in MagickMain utilities/magick.c:149  
    #6 0x410282 in main utilities/magick.c:180  
    #7 0x7f70c10c882f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)  
    #8 0x40fbb8 in _start (/home/test/temp/ImageMagick/utilities/magick+0x40fbb8)

0x7f70c67db7f8 is located 8 bytes to the left of 524288-byte region [0x7f70c67db800,0x7f70c685b800)  
allocated by thread T0 here:  
    #0 0x7f70c5868076 in __interceptor_posix_memalign (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x99076)  
    #1 0x4408c7 in AcquireAlignedMemory MagickCore/memory.c:265  
    #2 0x440beb in AcquireVirtualMemory MagickCore/memory.c:621  
    #3 0x6c1ead in WriteSGIImage coders/sgi.c:1030  
    #4 0x849036 in WriteImage MagickCore/constitute.c:1159  
    #5 0x849d5b in WriteImages MagickCore/constitute.c:1376  
    #6 0xbf16d0 in ConvertImageCommand MagickWand/convert.c:3305  
    #7 0xcdf180 in MagickCommandGenesis MagickWand/mogrify.c:185  
    #8 0x4100a1 in MagickMain utilities/magick.c:149  
    #9 0x410282 in main utilities/magick.c:180  
    #10 0x7f70c10c882f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

SUMMARY: AddressSanitizer: heap-buffer-overflow coders/sgi.c:1051 WriteSGIImage  
Shadow bytes around the buggy address:  
  0x0fee98cf36a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
  0x0fee98cf36b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
  0x0fee98cf36c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
  0x0fee98cf36d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
  0x0fee98cf36e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
=>0x0fee98cf36f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa[fa]  
  0x0fee98cf3700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
  0x0fee98cf3710: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
  0x0fee98cf3720: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
  0x0fee98cf3730: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
  0x0fee98cf3740: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
Shadow byte legend (one shadow byte represents 8 application bytes):  
  Addressable:           00  
 Partially addressable: 01 02 03 04 05 06 07  
  Heap left redzone:       fa  
  Heap right redzone:      fb  
  Freed heap region:       fd  
  Stack left redzone:      f1  
  Stack mid redzone:       f2  
  Stack right redzone:     f3  
  Stack partial redzone:   f4  
  Stack after return:      f5  
  Stack use after scope:   f8  
  Global redzone:          f9  
  Global init order:       f6  
  Poisoned by user:        f7  
  Container overflow:      fc  
  Array cookie:            ac  
  Intra object redzone:    bb  
  ASan internal:           fe  
==41720==ABORTING

**System Configuration**

*   ImageMagick version:  
    Version: ImageMagick 7.0.8-43 Q16 x86_64 2019-04-29 https://imagemagick.org  
    Copyright: ? 1999-2019 ImageMagick Studio LLC  
    License: https://imagemagick.org/script/license.php  
    Features: Cipher DPC HDRI OpenMP(4.0)   
    Delegates (built-in): bzlib djvu fftw fontconfig freetype jbig jng jpeg lcms lqr lzma openexr pangocairo png tiff wmf x xml zlib
*   Environment (Operating system, version and so on):  
    Distributor ID:	Ubuntu  
    Description:	Ubuntu 16.04.1 LTS  
    Release:	16.04  
    Codename:	xenial
*   Additional information:

Tag

#ubuntu