slim has NULL pointer dereference when using crypt() method from glibc 2.17

**Name**

CVE-2013-4412

**Description**

slim has NULL pointer dereference when using crypt() method from glibc 2.17

**Source**

CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

**Debian Bugs**

725902

**Vulnerable and fixed packages**

The table below lists information on source packages.

Source Package

Release

Version

Status

slim (PTS)

buster

1.3.6-5.1

fixed

bullseye

1.3.6-5.2

fixed

sid, trixie, bookworm

1.3.6-5.3

fixed

The information below is based on the following data on fixed versions.

Package

Type

Release

Fixed Version

Urgency

Origin

Debian Bugs

slim

source

squeeze

(not affected)

slim

source

wheezy

(not affected)

slim

source

(unstable)

1.3.6-0.1

725902

**Notes**

\[wheezy\] - slim <not-affected> (Only exploitable with eglibc 2.17 and later)  
\[squeeze\] - slim <not-affected> (Only exploitable with eglibc 2.17 and later)  
Upstream fix: http://git.berlios.de/cgi-bin/cgit.cgi/slim/commit/?id=fbdfae3b406b1bb6f4e5e440e79b9b8bb8f071f

CVE-2013-4412: CVE-2013-4412

Exiv2 0.27.2 allows attackers to trigger a crash in Exiv2::getULong in types.cpp when called from Exiv2::Internal::CiffDirectory::readDirectory in crwimage_int.cpp, because there is no validation of the relationship of the total size to the offset and size.

We found vulnerability in exiv2 binary and exiv2 is complied with clang enabling ASAN.

    Machine : Ubuntu 16.04.3 LTS
    gcc version 5.4.0 20160609 (Ubuntu 5.4.0-6ubuntu1~16.04.11)
    Commit : 401e658
    exiv2 : 0.27.99.0
    Command : exiv2 -pv $POC
    

    fuzzer@fuzzer:~/victim/exiv2/build/bin$ ./exiv2 -pv POC
    =================================================================
    ==16699==ERROR: AddressSanitizer: unknown-crash on address 0x7f9a857b7143 at pc 0x7f9a84dcc1db bp 0x7ffcb8c7b650 sp 0x7ffcb8c7b648
    READ of size 1 at 0x7f9a857b7143 thread T0
        #0 0x7f9a84dcc1da in Exiv2::getULong(unsigned char const*, Exiv2::ByteOrder) /home/fuzzer/victim/exiv2/src/types.cpp:289:28
        #1 0x7f9a84ebd4c4 in Exiv2::Internal::CiffDirectory::readDirectory(unsigned char const*, unsigned int, Exiv2::ByteOrder) /home/fuzzer/victim/exiv2/src/crwimage_int.cpp:285:22
        #2 0x7f9a84ebd84e in Exiv2::Internal::CiffComponent::read(unsigned char const*, unsigned int, unsigned int, Exiv2::ByteOrder) /home/fuzzer/victim/exiv2/src/crwimage_int.cpp:231:9
        #3 0x7f9a84ebd84e in Exiv2::Internal::CiffDirectory::readDirectory(unsigned char const*, unsigned int, Exiv2::ByteOrder) /home/fuzzer/victim/exiv2/src/crwimage_int.cpp:305
        #4 0x7f9a84c5c29d in Exiv2::CrwParser::decode(Exiv2::CrwImage*, unsigned char const*, unsigned int) /home/fuzzer/victim/exiv2/src/crwimage.cpp:150:9
        #5 0x7f9a84c5afa0 in Exiv2::CrwImage::readMetadata() /home/fuzzer/victim/exiv2/src/crwimage.cpp:107:9
        #6 0x589421 in Action::Print::printList() /home/fuzzer/victim/exiv2/src/actions.cpp:483:9
        #7 0x57c1df in Action::Print::run(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /home/fuzzer/victim/exiv2/src/actions.cpp:218:26
        #8 0x4f4c5f in main /home/fuzzer/victim/exiv2/src/exiv2.cpp:77:23
        #9 0x7f9a836be82f in __libc_start_main /build/glibc-LK5gWL/glibc-2.23/csu/../csu/libc-start.c:291
        #10 0x41ff38 in _start (/home/fuzzer/victim/exiv2/build/bin/exiv2+0x41ff38)
    
    AddressSanitizer can not describe address in more detail (wild memory access suspected).
    SUMMARY: AddressSanitizer: unknown-crash /home/fuzzer/victim/exiv2/src/types.cpp:289:28 in Exiv2::getULong(unsigned char const*, Exiv2::ByteOrder)
    Shadow bytes around the buggy address:
      0x0ff3d0aeedd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0ff3d0aeede0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0ff3d0aeedf0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0ff3d0aeee00: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
      0x0ff3d0aeee10: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
    =>0x0ff3d0aeee20: fe fe fe fe fe fe fe fe[fe]fe fe fe fe fe fe fe
      0x0ff3d0aeee30: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
      0x0ff3d0aeee40: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
      0x0ff3d0aeee50: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
      0x0ff3d0aeee60: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
      0x0ff3d0aeee70: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07
      Heap left redzone:       fa
      Heap right redzone:      fb
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack partial redzone:   f4
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
    ==16699==ABORTING
    fuzzer@fuzzer:~/victim/exiv2/build/bin$

CVE-2019-17402: Overflow in exiv2 · Issue #1019 · Exiv2/exiv2

gif2png 2.5.13 has a memory leak in the writefile function.

@zer0yu Hi, I had some tests on gif2png. But I need your help.

I used valgrind to check the memory leakage by executing `valgrind --leak-check=full ./gif2png -r poc`, and here is the output message.

    ==25395==
    ==25395== HEAP SUMMARY:
    ==25395==     in use at exit: 91,120 bytes in 136 blocks
    ==25395==   total heap usage: 602 allocs, 466 frees, 1,177,468 bytes allocated
    ==25395==
    ==25395== 8,704 bytes in 34 blocks are definitely lost in loss record 1 of 3
    ==25395==    at 0x4C2FB0F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
    ==25395==    by 0x10CC48: xalloc (memory.c:17)
    ==25395==    by 0x10BEF3: ReadImage (gifread.c:662)
    ==25395==    by 0x10C646: ReadGIF (gifread.c:218)
    ==25395==    by 0x10B0A1: processfile.part.0 (gif2png.c:707)
    ==25395==    by 0x109A2B: processfile (stdio2.h:97)
    ==25395==    by 0x109A2B: main (gif2png.c:987)
    ==25395==
    ==25395== 18,360 bytes in 51 blocks are definitely lost in loss record 2 of 3
    ==25395==    at 0x4C2FB0F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
    ==25395==    by 0x4E40F32: png_create_info_struct (in /usr/lib/x86_64-linux-gnu/libpng16.so.16.34.0)
    ==25395==    by 0x109F9C: writefile (gif2png.c:157)
    ==25395==    by 0x10B29D: processfile.part.0 (gif2png.c:788)
    ==25395==    by 0x109A2B: processfile (stdio2.h:97)
    ==25395==    by 0x109A2B: main (gif2png.c:987)
    ==25395==
    ==25395== 64,056 bytes in 51 blocks are definitely lost in loss record 3 of 3
    ==25395==    at 0x4C2FB0F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
    ==25395==    by 0x4E46E81: png_malloc_warn (in /usr/lib/x86_64-linux-gnu/libpng16.so.16.34.0)
    ==25395==    by 0x4E40E8F: ??? (in /usr/lib/x86_64-linux-gnu/libpng16.so.16.34.0)
    ==25395==    by 0x4E4A40C: png_create_read_struct_2 (in /usr/lib/x86_64-linux-gnu/libpng16.so.16.34.0)
    ==25395==    by 0x4E4A460: png_create_read_struct (in /usr/lib/x86_64-linux-gnu/libpng16.so.16.34.0)
    ==25395==    by 0x109F86: writefile (gif2png.c:151)
    ==25395==    by 0x10B29D: processfile.part.0 (gif2png.c:788)
    ==25395==    by 0x109A2B: processfile (stdio2.h:97)
    ==25395==    by 0x109A2B: main (gif2png.c:987)
    ==25395==
    ==25395== LEAK SUMMARY:
    ==25395==    definitely lost: 91,120 bytes in 136 blocks
    ==25395==    indirectly lost: 0 bytes in 0 blocks
    ==25395==      possibly lost: 0 bytes in 0 blocks
    ==25395==    still reachable: 0 bytes in 0 blocks
    ==25395==         suppressed: 0 bytes in 0 blocks
    ==25395==
    ==25395== For counts of detected and suppressed errors, rerun with: -v
    ==25395== ERROR SUMMARY: 3 errors from 3 contexts (suppressed: 0 from 0)
    

We can see the key function `png_malloc_warn` and `png_create_info_struct`. Although the program did not crash, the output message was similar to the error information offered by @zer0yu .

So I reviewed the gif2png source code, whose git-tag was 2.5.9 and commit id was `b6c6bb`. The function `wirtefile` of gif2png calls `png_create_read_struct` and `png_create_info_struct`. That will cause libpng to allocate memory. But `png_destroy_read_struct` is not called to free the memory after that.

Here is my patch to fixed it.

    diff --git a/gif2png.c b/gif2png.c
    index 8a3d1c1..25537a5
    --- a/gif2png.c
    +++ b/gif2png.c
    @@ -311,6 +311,7 @@ static int writefile(struct GIFelement *s, struct GIFelement *e,
             (void)free(info_ptr);
             return 1;
         }
    +    png_destroy_read_struct(&png_ptr, &info_ptr, NULL);
    
         /* Create and initialize the png_struct with the desired error handler
          * functions.  If you want to use the default stderr and longjump method,
    diff --git a/gifread.c b/gifread.c
    index 6995c3a..f48ab65
    --- a/gifread.c
    +++ b/gifread.c
    @@ -727,9 +727,11 @@ ReadImage(FILE *fd, int x_off, int y_off, int width, int height,
                             goto fini;
                         } else {
                             (void)check_recover(true);
    +                        (void)free(image);
                             return(true);
                         }
                     } else {
    +                    (void)free(image);
                         return(true);
                     }
                 }
    

And here is the new output message

    ==27072== HEAP SUMMARY:
    ==27072==     in use at exit: 0 bytes in 0 blocks
    ==27072==   total heap usage: 602 allocs, 602 frees, 1,177,468 bytes allocated
    ==27072==
    ==27072== All heap blocks were freed -- no leaks are possible
    ==27072==
    ==27072== For counts of detected and suppressed errors, rerun with: -v
    ==27072== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 0 from 0)
    

0 error!

So my conclusion is that: the memory leakage is caused by **gif2png** but **NOT libpng**.  
But I need some more information from @zer0yu to further confirm it.  
My env:

    Ubuntu 18.04 x86_64
    valgrind-3.13.0
    gcc 7.4
    libpng-dev 1.6.34

CVE-2019-17371: memory leak in png_malloc_warn and png_create_info_struct · Issue #307 · glennrp/libpng

In the Linux kernel before 5.2.14, rds6_inc_info_copy in net/rds/recv.c allows attackers to obtain sensitive information from kernel stack memory because tos and flags fields are not initialized.

CVE-2019-16714

ffjpeg before 2019-08-21 has a heap-based buffer overflow in jfif_load() at jfif.c.

New issue

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed

Marsman1996 opened this issue

Aug 18, 2019

· 10 comments

**Comments**

**Test Environment**

Ubuntu 14.04, 64bit, ffjpeg(master 627c8a9)

**How to trigger**

1.  compile ffjpeg with cmake file from CMake Support && FPE on unknown address #6
2.  $ ./ffjpeg -d $POC

**POC file**

https://github.com/Marsman1996/pocs/blob/master/ffjpeg/poc22-jfif\_load-heapoverflow

**Details****Asan report**

    =================================================================
    ==17308== ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60340000fef8 at pc 0x402fec bp 0x7ffc051db980 sp 0x7ffc051db978
    WRITE of size 4 at 0x60340000fef8 thread T0
        #0 0x402feb in jfif_load /home/aota10/MARS_fuzzcompare/test/ffjpeg/code/jfif.c:187
        #1 0x401a59 in main /home/aota10/MARS_fuzzcompare/test/ffjpeg/code/ffjpeg.c:24
        #2 0x7f5291e9bf44 (/lib/x86_64-linux-gnu/libc.so.6+0x21f44)
        #3 0x401858 in _start (/home/aota10/MARS_fuzzcompare/test/ffjpeg/bin_asan/bin/ffjpeg+0x401858)
    0x60340000fef8 is located 0 bytes to the right of 504-byte region [0x60340000fd00,0x60340000fef8)
    allocated by thread T0 here:
        #0 0x7f52922584e5 (/usr/lib/x86_64-linux-gnu/libasan.so.0+0x154e5)
        #1 0x40293b in jfif_load /home/aota10/MARS_fuzzcompare/test/ffjpeg/code/jfif.c:154
        #2 0x401a59 in main /home/aota10/MARS_fuzzcompare/test/ffjpeg/code/ffjpeg.c:24
        #3 0x7f5291e9bf44 (/lib/x86_64-linux-gnu/libc.so.6+0x21f44)
    SUMMARY: AddressSanitizer: heap-buffer-overflow /home/aota10/MARS_fuzzcompare/test/ffjpeg/code/jfif.c:187 jfif_load
    Shadow bytes around the buggy address:
      0x0c06ffff9f80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c06ffff9f90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c06ffff9fa0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c06ffff9fb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c06ffff9fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    =>0x0c06ffff9fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00[fa]
      0x0c06ffff9fe0:fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c06ffff9ff0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c06ffffa000: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c06ffffa010: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c06ffffa020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:     fa
      Heap righ redzone:     fb
      Freed Heap region:     fd
      Stack left redzone:    f1
      Stack mid redzone:     f2
      Stack right redzone:   f3
      Stack partial redzone: f4
      Stack after return:    f5
      Stack use after scope: f8
      Global redzone:        f9
      Global init order:     f6
      Poisoned by user:      f7
      ASan internal:         fe
    ==17308== ABORTING
    

**GDB report**

    Starting program: /home/aota10/MARS_fuzzcompare/test/ffjpeg/build_normal/ffjpeg -d poc22-jfif_load-heapoverflow 
    file eof !
    *** Error in `/home/aota10/MARS_fuzzcompare/test/ffjpeg/build_normal/ffjpeg': munmap_chunk(): invalid pointer: 0x000000000060a210 ***
    
    Program received signal SIGABRT, Aborted.
    0x00007ffff7a47c37 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
    56      ../nptl/sysdeps/unix/sysv/linux/raise.c: No such file or directory.
    (gdb) bt
    #0  0x00007ffff7a47c37 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
    #1  0x00007ffff7a4b028 in __GI_abort () at abort.c:89
    #2  0x00007ffff7a842a4 in __libc_message (do_abort=do_abort@entry=1, 
        fmt=fmt@entry=0x7ffff7b96350 "*** Error in `%s': %s: 0x%s ***\n") at ../sysdeps/posix/libc_fatal.c:175
    #3  0x00007ffff7a8f007 in malloc_printerr (action=<optimized out>, 
        str=0x7ffff7b966d0 "munmap_chunk(): invalid pointer", ptr=<optimized out>) at malloc.c:4998
    #4  0x0000000000402416 in jfif_load (file=0x7fffffffe58c "poc22-jfif_load-heapoverflow")
        at /home/aota10/MARS_fuzzcompare/test/ffjpeg/code/jfif.c:257
    #5  0x000000000040165b in main (argc=3, argv=0x7fffffffe298)
        at /home/aota10/MARS_fuzzcompare/test/ffjpeg/code/ffjpeg.c:24
    (gdb) 
    

rockcarry added a commit that referenced this issue

Aug 19, 2019

i make a new commit

commit b3039ae

which fix issue #10 #11 and #12

can you test again ?

This was referenced

Aug 19, 2019

Copy link

Contributor Author

Hi, I tested it with commit b3039ae

but there still exists some buffer overflows in jfif.c:195; jfif.c:216, jfif.c:228 and jfif.c:231

here are the POCs and asan log  
asan.log  
ffjpeg\_poc.zip

rockcarry added a commit that referenced this issue

Aug 19, 2019

Copy link

Contributor Author

Hi,

I tested it with commit 6bc54ed

and AddressSanitizer still reports heap-buffer-overflow in jfif.c:216 and jfif.c:231, which is caused by  
id:000026 & id:000029 in the ffjpeg\_poc.zip above.

to use AddressSanitizer you can compile program with cmd

    $ CC="gcc -fsanitize=address -g" CXX="g++ -fsanitize=address -g"  cmake .
    $ make
    

Cheers

are the test case 16 & 25 pass your testing ?  
and the case 26 & 29 still failed ?

I don't have the test enviroment, can you tell me how to install the AddressSanitizer?

Copy link

Contributor Author

Hi,

> are the test case 16 & 25 pass your testing ?  
> and the case 26 & 29 still failed ?

Yes, 26 & 29 still fail while 16 & 25 pass.

> I don't have the test enviroment, can you tell me how to install the AddressSanitizer?

AddressSanitizer is part of gcc since gcc-4.8, not sure whether it can be installed separately. Here (ASANwiki) is the guide to build the ASAN from source, though I think use ASAN in gcc cost less effort

Cheers

rockcarry added a commit that referenced this issue

Aug 21, 2019

rockcarry added a commit that referenced this issue

Aug 21, 2019

Copy link

Contributor Author

Hi,

I tested commit 2ad299a and ASAN reports heap buffer overflow in

for (i\=1; i<1+16; i++) len += dht\[i\];

Maybe it should be changed to

for (i\=1; i<1+16 && dht+i<end; i++) len += dht\[i\];

This would fix the overflow problem but I'm not sure if this logic is right.

Best wishes

rockcarry added a commit that referenced this issue

Aug 21, 2019

pls test commit 58b6f94  
i think it‘s ok now.

Copy link

Contributor Author

Hi,

I tested commit 58b6f94. Since no more ASAN reports, I think this series of heap-overflow problems are fixed now.

Cheers!

2 participants

CVE-2019-16352: AddressSanitizer: heap-buffer-overflow in jfif_load() at jfif.c:187 · Issue #12 · rockcarry/ffjpeg

ffjpeg before 2019-08-18 has a NULL pointer dereference in huffman_decode_step() at huffman.c.

New issue

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed

Marsman1996 opened this issue

Aug 18, 2019

· 2 comments

**Comments**

**Test Environment**

Ubuntu 14.04, 64bit, ffjpeg(master 627c8a9)

**How to trigger**

1.  compile ffjpeg with cmake file from CMake Support && FPE on unknown address #6
2.  $ ./ffjpeg -d $POC

**POC file**

https://github.com/Marsman1996/pocs/blob/master/ffjpeg/poc21-huffman\_decode\_step-SEGV

**Details****Asan report**

    ASAN:SIGSEGV
    =================================================================
    ==19241== ERROR: AddressSanitizer: SEGV on unknown address 0x000000001590 (pc 0x000000410e8b sp 0x7fff54e12780 bp 0x7fff54e127a0 T0)
    AddressSanitizer can not provide additional info.
        #0 0x410e8a in huffman_decode_step /home/aota10/MARS_fuzzcompare/test/ffjpeg/code/huffman.c:371
        #1 0x405f04 in jfif_decode /home/aota10/MARS_fuzzcompare/test/ffjpeg/code/jfif.c:493
        #2 0x401a70 in main /home/aota10/MARS_fuzzcompare/test/ffjpeg/code/ffjpeg.c:25
        #3 0x7f8d44273f44 (/lib/x86_64-linux-gnu/libc.so.6+0x21f44)
        #4 0x401858 in _start (/home/aota10/MARS_fuzzcompare/test/ffjpeg/bin_asan/bin/ffjpeg+0x401858)
    SUMMARY: AddressSanitizer: SEGV /home/aota10/MARS_fuzzcompare/test/ffjpeg/code/huffman.c:371 huffman_decode_step
    ==19241== ABORTING
    

**GDB report**

    Program received signal SIGSEGV, Segmentation fault.
    0x000000000040775f in huffman_decode_step (phc=0x0)
        at /home/aota10/MARS_fuzzcompare/test/ffjpeg/code/huffman.c:371
    371         if (!phc->input) return EOF;
    (gdb) bt
    #0  0x000000000040775f in huffman_decode_step (phc=0x0)
        at /home/aota10/MARS_fuzzcompare/test/ffjpeg/code/huffman.c:371
    #1  0x0000000000403357 in jfif_decode (ctxt=0x60a010, pb=0x7fffffffe190)
        at /home/aota10/MARS_fuzzcompare/test/ffjpeg/code/jfif.c:493
    #2  0x0000000000401672 in main (argc=3, argv=0x7fffffffe298)
        at /home/aota10/MARS_fuzzcompare/test/ffjpeg/code/ffjpeg.c:25
    

rockcarry added a commit that referenced this issue

Aug 19, 2019

This was referenced

Aug 19, 2019

i make a new commit

commit b3039ae

which fix issue #10 #11 and #12

can you test again ?

Copy link

Contributor Author

I tested it with commit b3039ae  
and I think it has been fixed

2 participants

CVE-2019-16351: SEGV in huffman_decode_step() at huffman.c:371 · Issue #11 · rockcarry/ffjpeg

ffjpeg before 2019-08-18 has a NULL pointer dereference in idct2d8x8() at dct.c.

New issue

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed

Marsman1996 opened this issue

Aug 18, 2019

· 2 comments

**Comments**

**Test Environment**

Ubuntu 14.04, 64bit, ffjpeg(master 627c8a9)

**How to trigger**

1.  compile ffjpeg with cmake file from CMake Support && FPE on unknown address #6
2.  $ ./ffjpeg -d $POC

**POC file**

https://github.com/Marsman1996/pocs/blob/master/ffjpeg/poc20-idct2d8x8-SEGV

**Details****Asan report**

    ASAN:SIGSEGV
    =================================================================
    ==21545== ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x00000040db78 sp 0x7ffd4681f2e0 bp 0x7ffd4681f340 T0)
    AddressSanitizer can not provide additional info.
        #0 0x40db77 in idct2d8x8 /home/aota10/MARS_fuzzcompare/test/ffjpeg/code/dct.c:201
        #1 0x40605b in jfif_decode /home/aota10/MARS_fuzzcompare/test/ffjpeg/code/jfif.c:508
        #2 0x401a70 in main /home/aota10/MARS_fuzzcompare/test/ffjpeg/code/ffjpeg.c:25
        #3 0x7f8448218f44 (/lib/x86_64-linux-gnu/libc.so.6+0x21f44)
        #4 0x401858 in _start (/home/aota10/MARS_fuzzcompare/test/ffjpeg/bin_asan/bin/ffjpeg+0x401858)
    SUMMARY: AddressSanitizer: SEGV /home/aota10/MARS_fuzzcompare/test/ffjpeg/code/dct.c:201 idct2d8x8
    ==21545== ABORTING
    

**GDB report**

    Program received signal SIGSEGV, Segmentation fault.
    0x0000000000406402 in idct2d8x8 (data=0x7fffffffe070, ftab=0xffffffff)
        at /home/aota10/MARS_fuzzcompare/test/ffjpeg/code/dct.c:201
    201             data[ctr] *= ftab[ctr];
    (gdb) bt
    #0  0x0000000000406402 in idct2d8x8 (data=0x7fffffffe070, ftab=0xffffffff)
        at /home/aota10/MARS_fuzzcompare/test/ffjpeg/code/dct.c:201
    #1  0x0000000000403435 in jfif_decode (ctxt=0x60a010, pb=0x7fffffffe1a0)
        at /home/aota10/MARS_fuzzcompare/test/ffjpeg/code/jfif.c:508
    #2  0x0000000000401672 in main (argc=3, argv=0x7fffffffe2a8)
        at /home/aota10/MARS_fuzzcompare/test/ffjpeg/code/ffjpeg.c:25
    

rockcarry added a commit that referenced this issue

Aug 19, 2019

i make a new commit

commit b3039ae

which fix issue #10 #11 and #12

can you test again ?

Copy link

Contributor Author

I tested it with commit b3039ae  
and I think it has been fixed

2 participants

CVE-2019-16350: NULL Pointer Dereference in idct2d8x8() at dct.c:201 · Issue #10 · rockcarry/ffjpeg

audio_sample_entry_AddBox() at isomedia/box_code_base.c in GPAC 0.7.1 allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted file.

Tested in Ubuntu 18.04, 64bit, gcc 7.3.0, gpac (master 94ad872)

Compile cmd:  
$ ./configure --extra-cflags="-fsanitize=address,undefined -g" --extra-ldflags="-fsanitize=address,undefined -ldl -g"  
$ make

Triggered by  
$ MP4Box -diso $POC

POC file:  
https://github.com/Marsman1996/pocs/blob/master/gpac/poc14-heapoverflow

ASAN info:

    ==71438==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x603000000591 at pc 0x7ffa85321aff bp 0x7ffc13f5e4b0 sp 0x7ffc13f5e4a0
    READ of size 1 at 0x603000000591 thread T0
        #0 0x7ffa85321afe in audio_sample_entry_AddBox /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/box_code_base.c:3934
        #1 0x7ffa853f002c in gf_isom_box_array_read_ex /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/box_funcs.c:1327
        #2 0x7ffa8533c83b in audio_sample_entry_Read /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/box_code_base.c:3999
        #3 0x7ffa853ef142 in gf_isom_box_read /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/box_funcs.c:1385
        #4 0x7ffa853ef142 in gf_isom_box_parse_ex /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/box_funcs.c:199
        #5 0x7ffa853efec3 in gf_isom_box_array_read_ex /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/box_funcs.c:1277
        #6 0x7ffa85329db7 in unkn_Read /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/box_code_base.c:762
        #7 0x7ffa853ef142 in gf_isom_box_read /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/box_funcs.c:1385
        #8 0x7ffa853ef142 in gf_isom_box_parse_ex /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/box_funcs.c:199
        #9 0x7ffa853efec3 in gf_isom_box_array_read_ex /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/box_funcs.c:1277
        #10 0x7ffa853ef142 in gf_isom_box_read /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/box_funcs.c:1385
        #11 0x7ffa853ef142 in gf_isom_box_parse_ex /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/box_funcs.c:199
        #12 0x7ffa853efec3 in gf_isom_box_array_read_ex /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/box_funcs.c:1277
        #13 0x7ffa8533a0fc in minf_Read /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/box_code_base.c:3513
        #14 0x7ffa853ef142 in gf_isom_box_read /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/box_funcs.c:1385
        #15 0x7ffa853ef142 in gf_isom_box_parse_ex /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/box_funcs.c:199
        #16 0x7ffa853efec3 in gf_isom_box_array_read_ex /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/box_funcs.c:1277
        #17 0x7ffa853367f3 in mdia_Read /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/box_code_base.c:3034
        #18 0x7ffa853ef142 in gf_isom_box_read /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/box_funcs.c:1385
        #19 0x7ffa853ef142 in gf_isom_box_parse_ex /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/box_funcs.c:199
        #20 0x7ffa853efec3 in gf_isom_box_array_read_ex /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/box_funcs.c:1277
        #21 0x7ffa85354187 in trak_Read /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/box_code_base.c:6905
        #22 0x7ffa853ef142 in gf_isom_box_read /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/box_funcs.c:1385
        #23 0x7ffa853ef142 in gf_isom_box_parse_ex /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/box_funcs.c:199
        #24 0x7ffa853efec3 in gf_isom_box_array_read_ex /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/box_funcs.c:1277
        #25 0x7ffa85329db7 in unkn_Read /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/box_code_base.c:762
        #26 0x7ffa853f1363 in gf_isom_box_read /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/box_funcs.c:1385
        #27 0x7ffa853f1363 in gf_isom_box_parse_ex /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/box_funcs.c:199
        #28 0x7ffa853f20c5 in gf_isom_parse_root_box /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/box_funcs.c:42
        #29 0x7ffa8541e398 in gf_isom_parse_movie_boxes /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/isom_intern.c:206
        #30 0x7ffa854237a4 in gf_isom_open_file /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/isom_intern.c:615
        #31 0x55e7b46eb046 in mp4boxMain /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/applications/mp4box/main.c:4539
        #32 0x7ffa822c6b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
        #33 0x55e7b46ca199 in _start (/home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/build_asan/bin/gcc/MP4Box+0xac199)
    
    0x603000000591 is located 0 bytes to the right of 17-byte region [0x603000000580,0x603000000591)
    allocated by thread T0 here:
        #0 0x7ffa887fcb50 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb50)
        #1 0x7ffa85329a80 in unkn_Read /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/box_code_base.c:742
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/box_code_base.c:3934 in audio_sample_entry_AddBox
    Shadow bytes around the buggy address:
      0x0c067fff8060: fa fa 00 00 02 fa fa fa 00 00 05 fa fa fa 00 00
      0x0c067fff8070: 04 fa fa fa 00 00 00 01 fa fa 00 00 06 fa fa fa
      0x0c067fff8080: 00 00 01 fa fa fa 00 00 02 fa fa fa 00 00 00 01
      0x0c067fff8090: fa fa 00 00 05 fa fa fa 00 00 04 fa fa fa 00 00
      0x0c067fff80a0: 02 fa fa fa 00 00 04 fa fa fa 00 00 00 00 fa fa
    =>0x0c067fff80b0: 00 00[01]fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c067fff80c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c067fff80d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c067fff80e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c067fff80f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c067fff8100: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
    ==71438==ABORTING
    

GDB info:

    malloc_consolidate(): invalid chunk size
    
    Program received signal SIGABRT, Aborted.
    __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:51
    51	../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
    (gdb) bt
    #0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:51
    #1  0x00007ffff7350801 in __GI_abort () at abort.c:79
    #2  0x00007ffff7399897 in __libc_message (action=action@entry=do_abort, fmt=fmt@entry=0x7ffff74c6b9a "%s\n") at ../sysdeps/posix/libc_fatal.c:181
    #3  0x00007ffff73a090a in malloc_printerr (str=str@entry=0x7ffff74c83f0 "malloc_consolidate(): invalid chunk size") at malloc.c:5350
    #4  0x00007ffff73a0bae in malloc_consolidate (av=av@entry=0x7ffff76fbc40 <main_arena>) at malloc.c:4441
    #5  0x00007ffff73a47d8 in _int_malloc (av=av@entry=0x7ffff76fbc40 <main_arena>, bytes=bytes@entry=4096) at malloc.c:3703
    #6  0x00007ffff73a70fc in __GI___libc_malloc (bytes=4096) at malloc.c:3057
    #7  0x00007ffff738e18c in __GI__IO_file_doallocate (fp=0x5555557a6260) at filedoalloc.c:101
    #8  0x00007ffff739e379 in __GI__IO_doallocbuf (fp=fp@entry=0x5555557a6260) at genops.c:365
    #9  0x00007ffff739ad23 in _IO_new_file_seekoff (fp=0x5555557a6260, offset=0, dir=2, mode=<optimized out>) at fileops.c:960
    #10 0x00007ffff7398dd9 in fseeko (fp=fp@entry=0x5555557a6260, offset=offset@entry=0, whence=whence@entry=2) at fseeko.c:36
    #11 0x00007ffff77527c9 in gf_fseek (fp=fp@entry=0x5555557a6260, offset=offset@entry=0, whence=whence@entry=2)
        at /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/utils/os_file.c:756
    #12 0x00007ffff7753323 in gf_bs_from_file (f=0x5555557a6260, mode=mode@entry=0) at /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/utils/bitstream.c:179
    #13 0x00007ffff7894173 in gf_isom_fdm_new (sPath=<optimized out>, mode=<optimized out>) at /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/data_map.c:453
    #14 0x00007ffff7894400 in gf_isom_datamap_new (location=<optimized out>, location@entry=0x7fffffffe197 "../../poc14-heapoverflow", parentPath=parentPath@entry=0x0, 
        mode=mode@entry=1 '\001', outDataMap=outDataMap@entry=0x5555557a68b0) at /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/data_map.c:185
    #15 0x00007ffff789cf66 in gf_isom_open_progressive (fileName=<optimized out>, start_range=0, end_range=0, the_file=0x5555557a5738 <file>, BytesMissing=0x7fffffff9390)
        at /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/isom_read.c:367
    #16 0x000055555556f48b in mp4boxMain (argc=<optimized out>, argv=<optimized out>) at /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/applications/mp4box/main.c:4542
    #17 0x00007ffff7331b97 in __libc_start_main (main=0x555555561e30 <main>, argc=3, argv=0x7fffffffdd98, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, 
        stack_end=0x7fffffffdd88) at ../csu/libc-start.c:310
    #18 0x0000555555561e6a in _start ()

CVE-2018-21016: AddressSanitizer: heap-buffer-overflow in audio_sample_entry_AddBox() at box_code_base.c:3934 · Issue #1180 · gpac/gpac

marc-q libwav through 2017-04-20 has a NULL pointer dereference in gain_file() at wav_gain.c.

New issue

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open

Marsman1996 opened this issue

Aug 15, 2019

· 0 comments

**Comments**

Tested in Ubuntu 14.04, 64bit, libwav (master 5cc8746)

Triggered by  
$ ./wav_gain $POC /dev/null

POC file:  
https://github.com/Marsman1996/pocs/blob/master/libwav/poc18-gain\_file-SEGV

ASAN info:

    ASAN:SIGSEGV
    =================================================================
    ==21704== ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7faf08a8ce02 sp 0x7ffc93c70b50 bp 0xac4400020001 T0)
    AddressSanitizer can not provide additional info.
        #0 0x7faf08a8ce01 (/usr/lib/x86_64-linux-gnu/libasan.so.0+0x7e01)
        #1 0x7faf08a9a367 (/usr/lib/x86_64-linux-gnu/libasan.so.0+0x15367)
        #2 0x400d80 in gain_file /home/aota10/MARS_fuzzcompare/test/wav_gain/build_asan/wav_gain.c:33
        #3 0x400d80 in main /home/aota10/MARS_fuzzcompare/test/wav_gain/build_asan/wav_gain.c:43
        #4 0x7faf086ddf44 (/lib/x86_64-linux-gnu/libc.so.6+0x21f44)
        #5 0x400e24 in _start (/home/aota10/MARS_fuzzcompare/test/wav_gain/bin_asan/bin/wav_gain+0x400e24)
    SUMMARY: AddressSanitizer: SEGV ??:0 ??
    ==21704== ABORTING
    

 Marsman1996 changed the title NULL Pointer Dereference in gain\_file at wav\_gain.c:33 NULL Pointer Dereference in gain\_file() at wav\_gain.c:33

Aug 15, 2019

1 participant

CVE-2019-16348: NULL Pointer Dereference in gain_file() at wav_gain.c:33 · Issue #24 · marc-q/libwav

AVC_DuplicateConfig() at isomedia/avc_ext.c in GPAC 0.7.1 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted file. There is "cfg_new->AVCLevelIndication = cfg->AVCLevelIndication;" but cfg could be NULL.

Tested in Ubuntu 18.04, 64bit, gcc 7.3.0, gpac (master 94ad872)

Compile cmd  
$ ./configure --extra-cflags=-g"  
$ make

Triggered by  
$ MP4Box -diso $POC

POC file:  
https://github.com/Marsman1996/pocs/blob/master/gpac/poc12-SEGV

gdb info:

    Program received signal SIGSEGV, Segmentation fault.
    AVC_DuplicateConfig (cfg=0x0)
        at /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/avc_ext.c:847
    847		cfg_new->AVCLevelIndication = cfg->AVCLevelIndication;
    (gdb) bt
    #0  AVC_DuplicateConfig (cfg=0x0) at /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/avc_ext.c:847
    #1  0x00007ffff7856a5f in merge_avc_config (dst_cfg=dst_cfg@entry=0x5555557a8e00, src_cfg=<optimized out>)
        at /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/avc_ext.c:897
    #2  0x00007ffff7859ae9 in AVC_RewriteESDescriptorEx (avc=avc@entry=0x5555557a8850, mdia=mdia@entry=0x0)
        at /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/avc_ext.c:1039
    #3  0x00007ffff785a037 in AVC_RewriteESDescriptor (avc=avc@entry=0x5555557a8850)
        at /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/avc_ext.c:1067
    #4  0x00007ffff786bd1c in video_sample_entry_Read (s=0x5555557a8850, bs=0x5555557a7f70)
        at /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/box_code_base.c:4291
    #5  0x00007ffff7891fa7 in gf_isom_box_read (bs=0x5555557a7f70, a=0x5555557a8850)
        at /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/box_funcs.c:1385
    #6  gf_isom_box_parse_ex (outBox=0x7fffffff8af8, bs=0x5555557a7f70, parent_type=<optimized out>, is_root_box=<optimized out>)
        at /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/box_funcs.c:199
    #7  0x00007ffff789254d in gf_isom_box_array_read_ex (parent=0x5555557a8800, bs=0x5555557a7f70, add_box=0x7ffff7865140 <stsd_AddBox>, 
        parent_type=1937011556) at /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/box_funcs.c:1277
    #8  0x00007ffff7891fa7 in gf_isom_box_read (bs=0x5555557a7f70, a=0x5555557a8800)
        at /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/box_funcs.c:1385
    #9  gf_isom_box_parse_ex (outBox=0x7fffffff8bf8, bs=0x5555557a7f70, parent_type=<optimized out>, is_root_box=<optimized out>)
        at /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/box_funcs.c:199
    #10 0x00007ffff789254d in gf_isom_box_array_read_ex (parent=parent@entry=0x5555557a8730, bs=0x5555557a7f70, 
        add_box=add_box@entry=0x7ffff7863750 <stbl_AddBox>, parent_type=parent_type@entry=0)
        at /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/box_funcs.c:1277
    #11 0x00007ffff7892837 in gf_isom_box_array_read (parent=parent@entry=0x5555557a8730, bs=<optimized out>, 
        add_box=add_box@entry=0x7ffff7863750 <stbl_AddBox>) at /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/box_funcs.c:262
    #12 0x00007ffff786d255 in stbl_Read (s=0x5555557a8730, bs=<optimized out>)
        at /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/box_code_base.c:5183
    #13 0x00007ffff7891fa7 in gf_isom_box_read (bs=0x5555557a7f70, a=0x5555557a8730)
        at /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/box_funcs.c:1385
    #14 gf_isom_box_parse_ex (outBox=0x7fffffff8d18, bs=0x5555557a7f70, parent_type=<optimized out>, is_root_box=<optimized out>)
        at /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/box_funcs.c:199
    #15 0x00007ffff789254d in gf_isom_box_array_read_ex (parent=parent@entry=0x5555557a8470, bs=0x5555557a7f70, 
        add_box=add_box@entry=0x7ffff7863450 <minf_AddBox>, parent_type=parent_type@entry=0)
        at /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/box_funcs.c:1277
    #16 0x00007ffff7892837 in gf_isom_box_array_read (parent=parent@entry=0x5555557a8470, bs=<optimized out>, 
        add_box=add_box@entry=0x7ffff7863450 <minf_AddBox>) at /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/box_funcs.c:262
    #17 0x00007ffff786acfb in minf_Read (s=0x5555557a8470, bs=<optimized out>)
        at /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/box_code_base.c:3513
    #18 0x00007ffff7891fa7 in gf_isom_box_read (bs=0x5555557a7f70, a=0x5555557a8470)
        at /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/box_funcs.c:1385
    #19 gf_isom_box_parse_ex (outBox=0x7fffffff8e58, bs=0x5555557a7f70, parent_type=<optimized out>, is_root_box=<optimized out>)
        at /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/box_funcs.c:199
    #20 0x00007ffff789254d in gf_isom_box_array_read_ex (parent=parent@entry=0x5555557a82c0, bs=0x5555557a7f70, 
        add_box=add_box@entry=0x7ffff7863330 <mdia_AddBox>, parent_type=parent_type@entry=0)
        at /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/box_funcs.c:1277
    #21 0x00007ffff7892837 in gf_isom_box_array_read (parent=parent@entry=0x5555557a82c0, bs=<optimized out>, 
        add_box=add_box@entry=0x7ffff7863330 <mdia_AddBox>) at /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/box_funcs.c:262
    #22 0x00007ffff786a090 in mdia_Read (s=0x5555557a82c0, bs=<optimized out>)
        at /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/box_code_base.c:3034
    #23 0x00007ffff7891fa7 in gf_isom_box_read (bs=0x5555557a7f70, a=0x5555557a82c0)
        at /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/box_funcs.c:1385
    #24 gf_isom_box_parse_ex (outBox=0x7fffffff8f68, bs=0x5555557a7f70, parent_type=<optimized out>, is_root_box=<optimized out>)
    ---Type <return> to continue, or q <return> to quit---
        at /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/box_funcs.c:199
    #25 0x00007ffff789254d in gf_isom_box_array_read_ex (parent=parent@entry=0x5555557a8100, bs=0x5555557a7f70, 
        add_box=add_box@entry=0x7ffff7863ec0 <trak_AddBox>, parent_type=parent_type@entry=0)
        at /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/box_funcs.c:1277
    #26 0x00007ffff7892837 in gf_isom_box_array_read (parent=parent@entry=0x5555557a8100, bs=<optimized out>, 
        add_box=add_box@entry=0x7ffff7863ec0 <trak_AddBox>) at /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/box_funcs.c:262
    #27 0x00007ffff786fd1d in trak_Read (s=0x5555557a8100, bs=<optimized out>)
        at /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/box_code_base.c:6905
    #28 0x00007ffff7891fa7 in gf_isom_box_read (bs=0x5555557a7f70, a=0x5555557a8100)
        at /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/box_funcs.c:1385
    #29 gf_isom_box_parse_ex (outBox=0x7fffffff90c8, bs=0x5555557a7f70, parent_type=<optimized out>, is_root_box=<optimized out>)
        at /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/box_funcs.c:199
    #30 0x00007ffff789254d in gf_isom_box_array_read_ex (parent=parent@entry=0x5555557a7bf0, bs=bs@entry=0x5555557a7f70, 
        add_box=0x7ffff7891be0 <gf_isom_box_add_default>, parent_type=parent_type@entry=0)
        at /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/box_funcs.c:1277
    #31 0x00007ffff7892837 in gf_isom_box_array_read (parent=parent@entry=0x5555557a7bf0, bs=bs@entry=0x5555557a7f70, add_box=<optimized out>)
        at /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/box_funcs.c:262
    #32 0x00007ffff7866a8a in unkn_Read (s=0x5555557a7bf0, bs=<optimized out>)
        at /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/box_code_base.c:762
    #33 0x00007ffff7892bc9 in gf_isom_box_read (bs=0x5555557a6a60, a=0x5555557a7bf0)
        at /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/box_funcs.c:1385
    #34 gf_isom_box_parse_ex (outBox=outBox@entry=0x7fffffff9280, bs=bs@entry=0x5555557a6a60, is_root_box=is_root_box@entry=GF_TRUE, parent_type=0)
        at /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/box_funcs.c:199
    #35 0x00007ffff7892fc5 in gf_isom_parse_root_box (outBox=outBox@entry=0x7fffffff9280, bs=0x5555557a6a60, 
        bytesExpected=bytesExpected@entry=0x7fffffff92d0, progressive_mode=progressive_mode@entry=GF_FALSE)
        at /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/box_funcs.c:42
    #36 0x00007ffff789a20b in gf_isom_parse_movie_boxes (mov=mov@entry=0x5555557a68a0, bytesMissing=bytesMissing@entry=0x7fffffff92d0, 
        progressive_mode=progressive_mode@entry=GF_FALSE) at /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/isom_intern.c:206
    #37 0x00007ffff789b048 in gf_isom_parse_movie_boxes (progressive_mode=GF_FALSE, bytesMissing=0x7fffffff92d0, mov=0x5555557a68a0)
        at /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/isom_intern.c:194
    #38 gf_isom_open_file (fileName=0x7fffffffe1a0 "../../poc12-SEGV", OpenMode=0, tmp_dir=0x0)
        at /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/isom_intern.c:615
    #39 0x000055555556f3bd in mp4boxMain (argc=<optimized out>, argv=<optimized out>)
        at /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/applications/mp4box/main.c:4539
    #40 0x00007ffff7331b97 in __libc_start_main (main=0x555555561e30 <main>, argc=3, argv=0x7fffffffdd98, init=<optimized out>, fini=<optimized out>, 
        rtld_fini=<optimized out>, stack_end=0x7fffffffdd88) at ../csu/libc-start.c:310
    #41 0x0000555555561e6a in _start ()

Tag

#ubuntu