heap-use-after-free in mp4_mux_process_fragmented filters/mux_isom.c:6634 in gpac/gpac
Valid
Reported on Sep 1st 2023
Description
heap-use-after-free in MP4Box.
Version
$ ./bin/gcc/MP4Box -version
MP4Box - GPAC version 2.3-DEV-revrelease
(c) 2000-2023 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
Please cite our work in your research:
GPAC Filters: https://doi.org/10.1145/3339825.3394929
GPAC: https://doi.org/10.1145/1291233.1291452
GPAC Configuration: --enable-sanitizer
Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SSL GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_LINUX_DVB GPAC_DISABLE_3D
Reproduce
Compile and run:
./configure --enable-sanitizer
make
Proof of Concept
./bin/gcc/MP4Box -dash 1000 -out /dev/null ./crash000024
POC_crash000024 is here.
ASAN
Information reported by the sanitizer:
$ ./bin/gcc/MP4Box -dash 1000 ./crash000024
[Dasher] No template assigned, using $File$_dash$FS$$Number$
[Dasher] No bitrate property assigned to PID crash000024, computing from bitstream
[Dasher] No bitrate property assigned to PID crash000024, computing from bitstream
[RFC6381] Cannot find M4V config, using default mp4v.20
[Dasher] No bitrate property assigned to PID crash000024, computing from bitstream
[Dasher] PID crash000024 config changed during active period, forcing period switch
[MPD] Generating MPD at time 2023-09-01T02:57:51.085Z
[Dasher] End of Period
[MP4Mux] PID has no input packet and configuration not known after 10 retries, aborting initial timing sync
[Dasher] No bitrate property assigned to PID crash000024, computing from bitstream
[Dasher] PID crash000024 config changed during active period, forcing period switch
[MPD] Generating MPD at time 2023-09-01T02:57:51.088Z
[Dasher] End of Period
[RFC6381] Cannot find M4V config, using default mp4v.20
[Dasher] Representation not initialized, dropping non-SAP1/2 packet CTS 11000/29667
[Dasher] No bitrate property assigned to PID crash000024, computing from bitstream
[Dasher] PID crash000024 config changed during active period, forcing period switch
[MP4Mux] PID has no input packet and configuration not known after 10 retries, aborting initial timing sync
[MP4Mux] Unable to setup fragmentation for track ID 0: Bad Parameter
[MPD] Generating MPD at time 2023-09-01T02:57:51.090Z
[Dasher] End of Period
[Dasher] Representation not initialized, dropping non-SAP1/2 packet CTS 12000/29667
[Dasher] Representation not initialized, dropping non-SAP1/2 packet CTS 13000/29667
[Dasher] Representation not initialized, dropping non-SAP1/2 packet CTS 14000/29667
[Dasher] Representation not initialized, dropping non-SAP1/2 packet CTS 15000/29667
[Dasher] Representation not initialized, dropping non-SAP1/2 packet CTS 16000/29667
[Dasher] Representation not initialized, dropping non-SAP1/2 packet CTS 17000/29667
[Dasher] Representation not initialized, dropping non-SAP1/2 packet CTS 18000/29667
[Dasher] Representation not initialized, dropping non-SAP1/2 packet CTS 19000/29667
[Dasher] Representation not initialized, dropping non-SAP1/2 packet CTS 20000/29667
[Dasher] Representation not initialized, dropping non-SAP1/2 packet CTS 21000/29667
[Dasher] No bitrate property assigned to PID crash000024, computing from bitstream
[Dasher] PID crash000024 config changed during active period, forcing period switch
[MPD] Generating MPD at time 2023-09-01T02:57:51.093Z
[Dasher] End of Period
[RFC6381] Cannot find M4V config, using default mp4v.20
[Dasher] Representation not initialized, dropping non-SAP1/2 packet CTS 22000/29667
[Dasher] No bitrate property assigned to PID crash000024, computing from bitstream
=================================================================
==416525==ERROR: AddressSanitizer: heap-use-after-free on address 0x617000012b40 at pc 0x7f561b9e449d bp 0x7ffd43a3c280 sp 0x7ffd43a3c270
READ of size 8 at 0x617000012b40 thread T0
#0 0x7f561b9e449c in mp4_mux_process_fragmented filters/mux_isom.c:6634
#1 0x7f561b9e449c in mp4_mux_process filters/mux_isom.c:7207
#2 0x7f561b66adbe in gf_filter_process_task filter_core/filter.c:2971
#3 0x7f561b62a0ea in gf_fs_thread_proc filter_core/filter_session.c:1962
#4 0x7f561b637a56 in gf_fs_run filter_core/filter_session.c:2261
#5 0x7f561afcd03d in gf_dasher_process media_tools/dash_segmenter.c:1236
#6 0x55c711eb7c26 in do_dash /home/functionmain/Desktop/gpac-master-asan/applications/mp4box/mp4box.c:4825
#7 0x55c711eb7c26 in mp4box_main /home/functionmain/Desktop/gpac-master-asan/applications/mp4box/mp4box.c:6239
#8 0x7f5618279082 in __libc_start_main ../csu/libc-start.c:308
#9 0x55c711e8ffcd in _start (/home/functionmain/Desktop/gpac-master-asan/bin/gcc/MP4Box+0xa5fcd)
0x617000012b40 is located 320 bytes inside of 672-byte region [0x617000012a00,0x617000012ca0)
freed by thread T0 here:
#0 0x7f561e27a40f in __interceptor_free ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:122
#1 0x7f561b9d9b86 in mp4_mux_configure_pid filters/mux_isom.c:3994
#2 0x7f561b5f941e in gf_filter_pid_configure filter_core/filter_pid.c:876
#3 0x7f561b601505 in gf_filter_pid_disconnect_task filter_core/filter_pid.c:1285
#4 0x7f561b62a0ea in gf_fs_thread_proc filter_core/filter_session.c:1962
#5 0x7f561b637a56 in gf_fs_run filter_core/filter_session.c:2261
#6 0x7f561afcd03d in gf_dasher_process media_tools/dash_segmenter.c:1236
#7 0x55c711eb7c26 in do_dash /home/functionmain/Desktop/gpac-master-asan/applications/mp4box/mp4box.c:4825
#8 0x55c711eb7c26 in mp4box_main /home/functionmain/Desktop/gpac-master-asan/applications/mp4box/mp4box.c:6239
#9 0x7f5618279082 in __libc_start_main ../csu/libc-start.c:308
previously allocated by thread T0 here:
#0 0x7f561e27a808 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:144
#1 0x7f561b9bf53d in mp4_mux_setup_pid filters/mux_isom.c:1078
#2 0x7f561b5f941e in gf_filter_pid_configure filter_core/filter_pid.c:876
#3 0x7f561b601dee in gf_filter_pid_connect_task filter_core/filter_pid.c:1230
#4 0x7f561b62a0ea in gf_fs_thread_proc filter_core/filter_session.c:1962
#5 0x7f561b637a56 in gf_fs_run filter_core/filter_session.c:2261
#6 0x7f561afcd03d in gf_dasher_process media_tools/dash_segmenter.c:1236
#7 0x55c711eb7c26 in do_dash /home/functionmain/Desktop/gpac-master-asan/applications/mp4box/mp4box.c:4825
#8 0x55c711eb7c26 in mp4box_main /home/functionmain/Desktop/gpac-master-asan/applications/mp4box/mp4box.c:6239
#9 0x7f5618279082 in __libc_start_main ../csu/libc-start.c:308
SUMMARY: AddressSanitizer: heap-use-after-free filters/mux_isom.c:6634 in mp4_mux_process_fragmented
Shadow bytes around the buggy address:
==416525==ABORTING
Impact
This is capable of causing crashes.
References
POC_crash000024 is here.
We are processing your report and will contact the gpac team within 24 hours. (20 days ago)
We have contacted a member of the gpac team and are waiting to hear back. (19 days ago)