Use After Free in gf_filterpacket_del filter_core/filter.c:38 in gpac/gpac
Valid
Reported on Aug 30th 2023
Description
Use After Free in MP4Box.
I'm not sure if this is a bug or an exploitable vulnerability. Since it was a double-free crash, I classified it as a UAF vulnerability type.
Version
$ ./bin/gcc/MP4Box -version
MP4Box - GPAC version 2.3-DEV-revrelease
(c) 2000-2023 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
Please cite our work in your research:
GPAC Filters: https://doi.org/10.1145/3339825.3394929
GPAC: https://doi.org/10.1145/1291233.1291452
GPAC Configuration: --enable-sanitizer
Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SSL GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_LINUX_DVB GPAC_DISABLE_3D
Reproduce
Compile and run:
./configure --enable-sanitizer
make
Proof of Concept
./bin/gcc/MP4Box -dash 1000 -out /dev/null ./crash000119
crash000119 is here.
ASAN
Information reported by the sanitizer:
$ ./bin/gcc/MP4Box -dash 1000 ./crash000119
[ODF] Not enough bytes (23) to read descriptor (size=362733)
[iso file] Read Box "esds" (start 1050) failed (Invalid MPEG-4 Descriptor) - skipping
[ODF] Not enough bytes (23) to read descriptor (size=362733)
[iso file] Unknown top-level box type y028B,
[Dasher] No template assigned, using $File$_dash$FS$$Number$
[isom] not enough bytes in box mp4a: 0 left, reading 16 (file isomedia/sample_descs.c, line 215) - try specifying -no-check (might crash)
[iso file] Read Box "mp4a" (start 0) failed (Invalid IsoMedia File) - skipping
[MPD] Generating MPD at time 2023-08-30T08:25:45.061Z2s 88 %
[Dasher] End of Period
[Dasher] End of MPD (no more active streams)
=================================================================
==865336==ERROR: AddressSanitizer: attempting double-free on 0x610000000c40 in thread T0:
#0 0x7f4df0e1c40f in __interceptor_free ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:122
#1 0x7f4dee1f1ad3 in gf_filterpacket_del filter_core/filter.c:38
#2 0x7f4dee1c7cd7 in gf_fq_del filter_core/filter_queue.c:105
#3 0x7f4dee22132a in gf_filter_del filter_core/filter.c:664
#4 0x7f4dee1e037e in gf_fs_del filter_core/filter_session.c:782
#5 0x7f4dedb6f5f6 in gf_dasher_clean_inputs media_tools/dash_segmenter.c:164
#6 0x7f4dedb6f6b4 in gf_dasher_del media_tools/dash_segmenter.c:173
#7 0x561209424ede in do_dash /home/functionmain/Desktop/gpac-master-asan/applications/mp4box/mp4box.c:4888
#8 0x561209424ede in mp4box_main /home/functionmain/Desktop/gpac-master-asan/applications/mp4box/mp4box.c:6239
#9 0x7f4deae20082 in __libc_start_main ../csu/libc-start.c:308
#10 0x5612093fcf5d in _start (/home/functionmain/Desktop/gpac-master-asan/bin/gcc/MP4Box+0xa5f5d)
0x610000000c40 is located 0 bytes inside of 186-byte region [0x610000000c40,0x610000000cfa)
freed by thread T0 here:
#0 0x7f4df0e1cc3e in __interceptor_realloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:163
#1 0x7f4deda17976 in Media_GetSample isomedia/media.c:619
#2 0x7f4ded96bccd in gf_isom_get_sample_ex isomedia/isom_read.c:1950
#3 0x7f4dee4ab15e in isor_reader_get_sample filters/isoffin_read_ch.c:489
#4 0x7f4dee4acc5e in isor_reader_get_sample filters/isoffin_read_ch.c:499
#5 0x7f4dee4a1ec1 in isoffin_process filters/isoffin_read.c:1486
#6 0x7f4dee20f33e in gf_filter_process_task filter_core/filter.c:2971
#7 0x7f4dee1ce66a in gf_fs_thread_proc filter_core/filter_session.c:1962
#8 0x7f4dee1dbfd6 in gf_fs_run filter_core/filter_session.c:2261
#9 0x7f4dedb71a9d in gf_dasher_process media_tools/dash_segmenter.c:1236
#10 0x561209424bb6 in do_dash /home/functionmain/Desktop/gpac-master-asan/applications/mp4box/mp4box.c:4825
#11 0x561209424bb6 in mp4box_main /home/functionmain/Desktop/gpac-master-asan/applications/mp4box/mp4box.c:6239
#12 0x7f4deae20082 in __libc_start_main ../csu/libc-start.c:308
previously allocated by thread T0 here:
#0 0x7f4df0e1c808 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:144
#1 0x7f4dee13ff77 in gf_filter_pck_new_alloc_internal filter_core/filter_pck.c:159
#2 0x7f4dee4a74ae in isor_sample_alloc filters/isoffin_read_ch.c:322
#3 0x7f4deda17552 in Media_GetSample isomedia/media.c:626
#4 0x7f4ded96bccd in gf_isom_get_sample_ex isomedia/isom_read.c:1950
#5 0x7f4dee4ab15e in isor_reader_get_sample filters/isoffin_read_ch.c:489
#6 0x7f4dee4a1ec1 in isoffin_process filters/isoffin_read.c:1486
#7 0x7f4dee20f33e in gf_filter_process_task filter_core/filter.c:2971
#8 0x7f4dee1ce66a in gf_fs_thread_proc filter_core/filter_session.c:1962
#9 0x7f4dee1dbfd6 in gf_fs_run filter_core/filter_session.c:2261
#10 0x7f4dedb71a9d in gf_dasher_process media_tools/dash_segmenter.c:1236
#11 0x561209424bb6 in do_dash /home/functionmain/Desktop/gpac-master-asan/applications/mp4box/mp4box.c:4825
#12 0x561209424bb6 in mp4box_main /home/functionmain/Desktop/gpac-master-asan/applications/mp4box/mp4box.c:6239
#13 0x7f4deae20082 in __libc_start_main ../csu/libc-start.c:308
SUMMARY: AddressSanitizer: double-free ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:122 in __interceptor_free
==865336==ABORTING
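The three stacks above are the useful part of the report for triage: the block was allocated for a filter packet (gf_filter_pck_new_alloc_internal via isor_sample_alloc), released once through realloc() inside Media_GetSample, and then released again through free() in gf_filterpacket_del when the filter session was torn down. That shape, one release by realloc and a second by an owner that still holds the old pointer, is the signature of two structures owning one buffer. The program below is an added example, not gpac code, that models this ownership mistake with hypothetical Packet and Sample structures and a small tracked allocator; the allocator counts a second release instead of aborting, and its realloc always moves the block so the stale alias cannot be hidden by luck. The buggy grow function sits beside the fixed one, where the single owner is the only path through which the buffer is reallocated.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Tracked allocator: remembers which blocks are live so that freeing a block
 * twice is counted and reported instead of aborting the process. */
#define MAX_LIVE 16
static void *live[MAX_LIVE];
static int live_count;    /* blocks currently allocated */
static int double_frees;  /* frees of a block that was not live */

static void *tracked_alloc(size_t n) {
    void *p = malloc(n);
    if (!p) return NULL;
    for (int i = 0; i < MAX_LIVE; i++) {
        if (!live[i]) { live[i] = p; live_count++; return p; }
    }
    free(p);              /* table full: report as an allocation failure */
    return NULL;
}

/* Returns 0 on a valid free, -1 when the block was already released. */
static int tracked_free(void *p) {
    if (!p) return 0;
    for (int i = 0; i < MAX_LIVE; i++) {
        if (live[i] == p) { live[i] = NULL; live_count--; free(p); return 0; }
    }
    double_frees++;       /* do not call free() on a block that is not live */
    return -1;
}

/* Always moves the block, so any alias of the old pointer is guaranteed to
 * dangle; libc realloc() may or may not move, which hides the bug in tests. */
static void *tracked_realloc(void *old, size_t old_n, size_t new_n) {
    void *p = tracked_alloc(new_n);
    if (!p) return NULL;
    if (old) {
        memcpy(p, old, old_n < new_n ? old_n : new_n);
        tracked_free(old);
    }
    return p;
}

/* Hypothetical structures (assumed, not gpac's): the packet owns the buffer
 * and frees it in packet_del(); the sample merely borrows that buffer. */
typedef struct { uint8_t *data; size_t size; } Packet;
typedef struct { uint8_t *data; size_t size; Packet *pck; } Sample;

static int packet_del(Packet *p) {
    int rc = tracked_free(p->data);
    p->data = NULL;       /* never leave a freed pointer behind */
    return rc;
}

/* Buggy: grows the sample's view of the buffer; the packet still points at
 * the block realloc just released and will free it again when deleted. */
static int sample_grow_unsafe(Sample *s, size_t new_size) {
    uint8_t *p = tracked_realloc(s->data, s->size, new_size);
    if (!p) return -1;
    s->data = p;
    s->size = new_size;
    return 0;
}

/* Fixed: growth goes through the single owner and the borrower refreshes its
 * pointer afterwards, so there is exactly one release per block. */
static int sample_grow_safe(Sample *s, size_t new_size) {
    uint8_t *p = tracked_realloc(s->pck->data, s->pck->size, new_size);
    if (!p) return -1;
    s->pck->data = p;
    s->pck->size = new_size;
    s->data = s->pck->data;
    s->size = s->pck->size;
    return 0;
}

/* Runs one scenario (0 = buggy, 1 = fixed) and returns the number of double
 * frees it produced, or -1 on allocation failure. */
static int run_scenario(int use_safe) {
    double_frees = 0;
    Packet pck = { tracked_alloc(64), 64 };
    Sample smp = { pck.data, pck.size, &pck };
    if (!pck.data) return -1;
    int rc = use_safe ? sample_grow_safe(&smp, 186) : sample_grow_unsafe(&smp, 186);
    if (rc) { packet_del(&pck); return -1; }
    packet_del(&pck);                       /* buggy path: releases the old block again */
    if (!use_safe) tracked_free(smp.data);  /* buggy path: the moved block */
    return double_frees;
}

static int live_blocks(void) { return live_count; }

int main(void) {
    int unsafe = run_scenario(0), unsafe_leak = live_blocks();
    int safe = run_scenario(1), safe_leak = live_blocks();
    printf("unsafe: %d double free(s), %d block(s) leaked\n", unsafe, unsafe_leak);
    printf("safe:   %d double free(s), %d block(s) leaked\n", safe, safe_leak);
    return 0;
}
```

The tracked allocator is only a test harness; in a real build AddressSanitizer plays that role, as the report above shows, and the fix is the ownership rule rather than the counter: one owner frees, every other holder is a borrower that re-reads the pointer after any reallocation.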
Impact
This is capable of causing crashes.
References
crash000119 is here.
We are processing your report and will contact the gpac team within 24 hours.
22 days ago: functionmain modified the report
22 days ago: We have contacted a member of the gpac team and are waiting to hear back
21 days ago: Thanks for reporting! https://github.com/gpac/gpac/issues/2577