Heap Use-After-Free in GPAC MP4Box's ogg_stream_clear Function When Processing OGG Files in gpac/gpac
Reported on
Mar 22nd 2023
A heap use-after-free vulnerability has been discovered in GPAC MP4Box's ogg_stream_clear function when processing OGG files. The vulnerability occurs due to improper handling of memory allocations and deallocations while processing OGG files. This leads to the use of previously freed memory, causing a potential risk of memory corruption, crashes, or other undefined behaviors.
Reproduce : ./bin/gcc/MP4Box -dash 1000 POC
LINK : https://drive.google.com/file/d/1PO-c2WJnWqjUsG5dB0terCddup9-CL28/view?usp=share_link
Impact
An attacker who can successfully exploit this vulnerability could potentially execute arbitrary code in the context of the application, leading to a compromise of the system where the vulnerable software is installed. Additionally, the attacker could use this vulnerability to cause a denial of service (DoS) by crashing the application or making it unresponsive. This vulnerability poses a significant risk to the confidentiality, integrity, and availability of systems running the affected software.
Team,
I have found another heap buffer overflow vulnerability, as indicated by the following description:
POC: ./MP4Box -dash 1000 POC5 LINK :https://drive.google.com/file/d/1NLI9NcY1k3XCYP61lfSvgMg4u1luvPYi/view?usp=share_link
[H263Dmx] garbage before first frame! [Dasher] No template assigned, using $File$_dash$FS$$Number$ ================================================================= ==2451487==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60e000000dfd at pc 0x7f34308e4397 bp 0x7ffd0fb1c690 sp 0x7ffd0fb1be38 READ of size 3 at 0x60e000000dfd thread T0 #0 0x7f34308e4396 in __interceptor_memcpy ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:827 #1 0x7f342e027817 in h263dmx_process (/root/gpac2/gpac/bin/gcc/libgpac.so.12+0x2f5b817) #2 0x7f342dc0a97c in gf_filter_process_task (/root/gpac2/gpac/bin/gcc/libgpac.so.12+0x2b3e97c) #3 0x7f342dbc600a in gf_fs_thread_proc (/root/gpac2/gpac/bin/gcc/libgpac.so.12+0x2afa00a) #4 0x7f342dbd392e in gf_fs_run (/root/gpac2/gpac/bin/gcc/libgpac.so.12+0x2b0792e) #5 0x7f342d4440ce in gf_dasher_process (/root/gpac2/gpac/bin/gcc/libgpac.so.12+0x23780ce) #6 0x561a9f343338 in do_dash /root/gpac2/gpac/applications/mp4box/mp4box.c:4807 #7 0x561a9f343338 in mp4box_main /root/gpac2/gpac/applications/mp4box/mp4box.c:6184 #8 0x7f342a898d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58 #9 0x7f342a898e3f in __libc_start_main_impl ../csu/libc-start.c:392 #10 0x561a9f319cb4 in _start (/root/gpac2/gpac/bin/gcc/MP4Box+0xabcb4)
0x60e000000dfd is located 5 bytes to the right of 152-byte region [0x60e000000d60,0x60e000000df8) allocated by thread T0 here: #0 0x7f343095e867 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145 #1 0x7f342db29c99 in gf_filter_pck_new_shared_internal (/root/gpac2/gpac/bin/gcc/libgpac.so.12+0x2a5dc99) #2 0x7f342db29ffa in gf_filter_pck_new_ref (/root/gpac2/gpac/bin/gcc/libgpac.so.12+0x2a5dffa) #3 0x7f342dcb8c89 in dasher_process (/root/gpac2/gpac/bin/gcc/libgpac.so.12+0x2becc89) #4 0x7f342dc0a97c in gf_filter_process_task (/root/gpac2/gpac/bin/gcc/libgpac.so.12+0x2b3e97c) #5 0x7f342dbc600a in gf_fs_thread_proc (/root/gpac2/gpac/bin/gcc/libgpac.so.12+0x2afa00a) #6 0x7f342dbd392e in gf_fs_run (/root/gpac2/gpac/bin/gcc/libgpac.so.12+0x2b0792e) #7 0x7f342d4440ce in gf_dasher_process (/root/gpac2/gpac/bin/gcc/libgpac.so.12+0x23780ce) #8 0x561a9f343338 in do_dash /root/gpac2/gpac/applications/mp4box/mp4box.c:4807 #9 0x561a9f343338 in mp4box_main /root/gpac2/gpac/applications/mp4box/mp4box.c:6184 #10 0x7f342a898d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
SUMMARY: AddressSanitizer: heap-buffer-overflow ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:827 in __interceptor_memcpy Shadow bytes around the buggy address: 0x0c1c7fff8160: 00 00 00 00 00 00 00 00 00 00 07 fa fa fa fa fa 0x0c1c7fff8170: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00 0x0c1c7fff8180: 00 00 00 00 00 00 00 00 fa fa fa fa fa fa fa fa 0x0c1c7fff8190: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c1c7fff81a0: 00 00 00 00 fa fa fa fa fa fa fa fa 00 00 00 00 =>0x0c1c7fff81b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00[fa] 0x0c1c7fff81c0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00 0x0c1c7fff81d0: 00 00 00 00 00 00 00 00 00 00 00 fa fa fa fa fa 0x0c1c7fff81e0: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00 0x0c1c7fff81f0: 00 00 00 00 00 00 00 fa fa fa fa fa fa fa fa fa 0x0c1c7fff8200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb Shadow gap: cc ==2451487==ABORTING
Team,
I've discovered another heap overflow issue in the libgpac library. The error description is as follows:
A heap buffer overflow vulnerability has been detected in the GPAC multimedia framework. The issue occurs during the processing of AVI input files, leading to a potential compromise of the application's memory and possible remote code execution.
The vulnerability is caused by an incorrect boundary check when copying memory using the memcpy function (__interceptor_memcpy). This results in a read operation of size 352,321,536 bytes at address 0x625000018bc6, which is located at the edge of the allocated memory region.
The overflow occurs within the following GPAC library functions:
avi_parse_input_file
AVI_open_input_file
avidmx_process
gf_filter_process_task
gf_fs_thread_proc
gf_fs_run
gf_dasher_process
Additionally, the MP4Box application is also affected, as it relies on the vulnerable GPAC library functions.
POC: ./MP4Box -dash 1000 POC6 LINK: https://drive.google.com/file/d/1_bgcSCPG1Wcft9ZcY6xlbeIyUW40SOJ3/view?usp=share_link
================================================================= ==2451508==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x625000018bc6 at pc 0x7f6d287b3397 bp 0x7ffffa4cad80 sp 0x7ffffa4ca528 READ of size 352321536 at 0x625000018bc6 thread T0 #0 0x7f6d287b3396 in __interceptor_memcpy ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:827 #1 0x7f6d254d3e44 in avi_parse_input_file (/root/gpac2/gpac/bin/gcc/libgpac.so.12+0x2538e44) #2 0x7f6d254e049d in AVI_open_input_file (/root/gpac2/gpac/bin/gcc/libgpac.so.12+0x254549d) #3 0x7f6d25bdd260 in avidmx_process (/root/gpac2/gpac/bin/gcc/libgpac.so.12+0x2c42260) #4 0x7f6d25ad997c in gf_filter_process_task (/root/gpac2/gpac/bin/gcc/libgpac.so.12+0x2b3e97c) #5 0x7f6d25a9500a in gf_fs_thread_proc (/root/gpac2/gpac/bin/gcc/libgpac.so.12+0x2afa00a) #6 0x7f6d25aa292e in gf_fs_run (/root/gpac2/gpac/bin/gcc/libgpac.so.12+0x2b0792e) #7 0x7f6d253130ce in gf_dasher_process (/root/gpac2/gpac/bin/gcc/libgpac.so.12+0x23780ce) #8 0x556b6c48a338 in do_dash /root/gpac2/gpac/applications/mp4box/mp4box.c:4807 #9 0x556b6c48a338 in mp4box_main /root/gpac2/gpac/applications/mp4box/mp4box.c:6184 #10 0x7f6d22767d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58 #11 0x7f6d22767e3f in __libc_start_main_impl ../csu/libc-start.c:392 #12 0x556b6c460cb4 in _start (/root/gpac2/gpac/bin/gcc/MP4Box+0xabcb4)
0x625000018bc6 is located 0 bytes to the right of 8902-byte region [0x625000016900,0x625000018bc6) allocated by thread T0 here: #0 0x7f6d2882d867 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145 #1 0x7f6d254d2716 in avi_parse_input_file (/root/gpac2/gpac/bin/gcc/libgpac.so.12+0x2537716) #2 0x7f6d254e049d in AVI_open_input_file (/root/gpac2/gpac/bin/gcc/libgpac.so.12+0x254549d) #3 0x7f6d25bdd260 in avidmx_process (/root/gpac2/gpac/bin/gcc/libgpac.so.12+0x2c42260) #4 0x7f6d25ad997c in gf_filter_process_task (/root/gpac2/gpac/bin/gcc/libgpac.so.12+0x2b3e97c) #5 0x7f6d25a9500a in gf_fs_thread_proc (/root/gpac2/gpac/bin/gcc/libgpac.so.12+0x2afa00a) #6 0x7f6d25aa292e in gf_fs_run (/root/gpac2/gpac/bin/gcc/libgpac.so.12+0x2b0792e) #7 0x7f6d253130ce in gf_dasher_process (/root/gpac2/gpac/bin/gcc/libgpac.so.12+0x23780ce) #8 0x556b6c48a338 in do_dash /root/gpac2/gpac/applications/mp4box/mp4box.c:4807 #9 0x556b6c48a338 in mp4box_main /root/gpac2/gpac/applications/mp4box/mp4box.c:6184 #10 0x7f6d22767d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
SUMMARY: AddressSanitizer: heap-buffer-overflow ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:827 in __interceptor_memcpy Shadow bytes around the buggy address: 0x0c4a7fffb120: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c4a7fffb130: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c4a7fffb140: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c4a7fffb150: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c4a7fffb160: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 =>0x0c4a7fffb170: 00 00 00 00 00 00 00 00[06]fa fa fa fa fa fa fa 0x0c4a7fffb180: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c4a7fffb190: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c4a7fffb1a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c4a7fffb1b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c4a7fffb1c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb Shadow gap: cc ==2451508==ABORTING
I have discovered another issue in the codebase. The vulnerability seems to be located in the gf_swf_read_header function, as indicated by the AddressSanitizer report showing a heap-buffer-overflow error.
Here are the details:
POC: ./MP4Box -dash 1000 POC8 LINK: https://drive.google.com/file/d/1hEKZtbUJi2V4euDl3oWbIAX-amnG29H9/view?usp=share_link
==2451549==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000004e51 at pc 0x7f7dd3979c23 bp 0x7ffe4fe10840 sp 0x7ffe4fe0ffe8 WRITE of size 8 at 0x602000004e51 thread T0 #0 0x7f7dd3979c22 in __interceptor_memset ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:799 #1 0x7f7dd07731d2 in gf_swf_read_header (/root/gpac2/gpac/bin/gcc/libgpac.so.12+0x26111d2) #2 0x7f7dd0f72a10 in gf_text_process_swf (/root/gpac2/gpac/bin/gcc/libgpac.so.12+0x2e10a10) #3 0x7f7dd0f637ef in txtin_process (/root/gpac2/gpac/bin/gcc/libgpac.so.12+0x2e017ef) #4 0x7f7dd0ca097c in gf_filter_process_task (/root/gpac2/gpac/bin/gcc/libgpac.so.12+0x2b3e97c) #5 0x7f7dd0c5c00a in gf_fs_thread_proc (/root/gpac2/gpac/bin/gcc/libgpac.so.12+0x2afa00a) #6 0x7f7dd0c6992e in gf_fs_run (/root/gpac2/gpac/bin/gcc/libgpac.so.12+0x2b0792e) #7 0x7f7dd04da0ce in gf_dasher_process (/root/gpac2/gpac/bin/gcc/libgpac.so.12+0x23780ce) #8 0x5572a9ad2338 in do_dash /root/gpac2/gpac/applications/mp4box/mp4box.c:4807 #9 0x5572a9ad2338 in mp4box_main /root/gpac2/gpac/applications/mp4box/mp4box.c:6184 #10 0x7f7dcd92ed8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58 #11 0x7f7dcd92ee3f in __libc_start_main_impl ../csu/libc-start.c:392 #12 0x5572a9aa8cb4 in _start (/root/gpac2/gpac/bin/gcc/MP4Box+0xabcb4)
0x602000004e51 is located 0 bytes to the right of 1-byte region [0x602000004e50,0x602000004e51) allocated by thread T0 here: #0 0x7f7dd39f4867 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145 #1 0x7f7dd07731ba in gf_swf_read_header (/root/gpac2/gpac/bin/gcc/libgpac.so.12+0x26111ba) #2 0x7f7dd0f72a10 in gf_text_process_swf (/root/gpac2/gpac/bin/gcc/libgpac.so.12+0x2e10a10) #3 0x7f7dd0f637ef in txtin_process (/root/gpac2/gpac/bin/gcc/libgpac.so.12+0x2e017ef) #4 0x7f7dd0ca097c in gf_filter_process_task (/root/gpac2/gpac/bin/gcc/libgpac.so.12+0x2b3e97c) #5 0x7f7dd0c5c00a in gf_fs_thread_proc (/root/gpac2/gpac/bin/gcc/libgpac.so.12+0x2afa00a) #6 0x7f7dd0c6992e in gf_fs_run (/root/gpac2/gpac/bin/gcc/libgpac.so.12+0x2b0792e) #7 0x7f7dd04da0ce in gf_dasher_process (/root/gpac2/gpac/bin/gcc/libgpac.so.12+0x23780ce) #8 0x5572a9ad2338 in do_dash /root/gpac2/gpac/applications/mp4box/mp4box.c:4807 #9 0x5572a9ad2338 in mp4box_main /root/gpac2/gpac/applications/mp4box/mp4box.c:6184 #10 0x7f7dcd92ed8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
SUMMARY: AddressSanitizer: heap-buffer-overflow ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:799 in __interceptor_memset Shadow bytes around the buggy address: 0x0c047fff8970: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 00 0x0c047fff8980: fa fa 00 00 fa fa fd fd fa fa fd fd fa fa 06 fa 0x0c047fff8990: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 00 0x0c047fff89a0: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 00 0x0c047fff89b0: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 00 =>0x0c047fff89c0: fa fa 00 00 fa fa 00 00 fa fa[01]fa fa fa fa fa 0x0c047fff89d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c047fff89e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c047fff89f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c047fff8a00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c047fff8a10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb Shadow gap: cc ==2451549==ABORTING
I've discovered another heap overflow issue in the code, as highlighted by the AddressSanitizer report. This time, the heap-buffer-overflow error occurs during a READ operation within the __interceptor_memcpy function, involving the pcmreframe_process function.
LINK: https://drive.google.com/file/d/1kRcfKGIAySBhMLzQhbNhfDeHt6gJI6wC/view?usp=share_link POC: ./MP4Box -dash 1000 POC9
==2451562==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62200000c374 at pc 0x7f71a09b4397 bp 0x7fff7f7ebda0 sp 0x7fff7f7eb548 READ of size 2048 at 0x62200000c374 thread T0 #0 0x7f71a09b4396 in __interceptor_memcpy ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:827 #1 0x7f719e154f00 in pcmreframe_process (/root/gpac2/gpac/bin/gcc/libgpac.so.12+0x2fb8f00) #2 0x7f719dcda97c in gf_filter_process_task (/root/gpac2/gpac/bin/gcc/libgpac.so.12+0x2b3e97c) #3 0x7f719dc9600a in gf_fs_thread_proc (/root/gpac2/gpac/bin/gcc/libgpac.so.12+0x2afa00a) #4 0x7f719dca392e in gf_fs_run (/root/gpac2/gpac/bin/gcc/libgpac.so.12+0x2b0792e) #5 0x7f719d5140ce in gf_dasher_process (/root/gpac2/gpac/bin/gcc/libgpac.so.12+0x23780ce) #6 0x55bf76c63338 in do_dash /root/gpac2/gpac/applications/mp4box/mp4box.c:4807 #7 0x55bf76c63338 in mp4box_main /root/gpac2/gpac/applications/mp4box/mp4box.c:6184 #8 0x7f719a968d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58 #9 0x7f719a968e3f in __libc_start_main_impl ../csu/libc-start.c:392 #10 0x55bf76c39cb4 in _start (/root/gpac2/gpac/bin/gcc/MP4Box+0xabcb4)
Address 0x62200000c374 is a wild pointer. SUMMARY: AddressSanitizer: heap-buffer-overflow ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:827 in __interceptor_memcpy Shadow bytes around the buggy address: 0x0c447fff9810: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c447fff9820: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c447fff9830: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c447fff9840: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c447fff9850: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa =>0x0c447fff9860: fa fa fa fa fa fa fa fa fa fa fa fa fa fa[fa]fa 0x0c447fff9870: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c447fff9880: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c447fff9890: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c447fff98a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c447fff98b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb Shadow gap: cc ==2451562==ABORTING
https://github.com/gpac/gpac/issues/2421 https://github.com/gpac/gpac/issues/2422 https://github.com/gpac/gpac/issues/2423 https://github.com/gpac/gpac/issues/2424 https://github.com/gpac/gpac/issues/2425
https://github.com/gpac/gpac/issues/2421 https://github.com/gpac/gpac/issues/2422 https://github.com/gpac/gpac/issues/2423 are fixed
I'll close this issue when the last one is fixed