heap-use-after-free in gf_odf_vvc_cfg_read_bs in gpac/gpac
Valid
Reported on
Jan 16th 2023
Description
heap-use-after-free in gf_odf_vvc_cfg_read_bs at odf/descriptors.c:1403
Version
Author: Lim Wei Cheng <aaron.lim446@gmail.com>
./MP4Box -version
MP4Box - GPAC version 2.3-DEV-rev23-g5a733aec7-master
(c) 2000-2023 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
The same PoC also triggers the heap-use-after-free on the following later revision (as of 17 Jan 2023):
./MP4Box -version
MP4Box - GPAC version 2.3-DEV-rev27-g5195ad4e2-master
(c) 2000-2023 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
Proof of Concept
./MP4Box -hint POC
[iso file] Unknown top-level box type freN
[VVC] Invalid NALU type in vvcC - ignoring
=================================================================
==3978220==ERROR: AddressSanitizer: heap-use-after-free on address 0x6020000013d0 at pc 0x7f31abf6419f bp 0x7fff5dfe20c0 sp 0x7fff5dfe20b0
READ of size 1 at 0x6020000013d0 thread T0
#0 0x7f31abf6419e in gf_odf_vvc_cfg_read_bs odf/descriptors.c:1403
#1 0x7f31abaf001c in vvcc_box_read isomedia/avc_ext.c:3085
#2 0x7f31abc8188e in gf_isom_box_parse_ex isomedia/box_funcs.c:282
#3 0x7f31abc8cc46 in gf_isom_box_array_read isomedia/box_funcs.c:1790
#4 0x7f31abb5f774 in video_sample_entry_box_read isomedia/box_code_base.c:4354
#5 0x7f31abc8188e in gf_isom_box_parse_ex isomedia/box_funcs.c:282
#6 0x7f31abc8cc46 in gf_isom_box_array_read isomedia/box_funcs.c:1790
#7 0x7f31abc8188e in gf_isom_box_parse_ex isomedia/box_funcs.c:282
#8 0x7f31abc8cc46 in gf_isom_box_array_read isomedia/box_funcs.c:1790
#9 0x7f31abb6daad in stbl_box_read isomedia/box_code_base.c:5115
#10 0x7f31abc8188e in gf_isom_box_parse_ex isomedia/box_funcs.c:282
#11 0x7f31abc8cc46 in gf_isom_box_array_read isomedia/box_funcs.c:1790
#12 0x7f31abb4e2ea in minf_box_read isomedia/box_code_base.c:3583
#13 0x7f31abc8188e in gf_isom_box_parse_ex isomedia/box_funcs.c:282
#14 0x7f31abc8cc46 in gf_isom_box_array_read isomedia/box_funcs.c:1790
#15 0x7f31abb47884 in mdia_box_read isomedia/box_code_base.c:3134
#16 0x7f31abc8188e in gf_isom_box_parse_ex isomedia/box_funcs.c:282
#17 0x7f31abc8cc46 in gf_isom_box_array_read isomedia/box_funcs.c:1790
#18 0x7f31abb8b0fa in trak_box_read isomedia/box_code_base.c:6907
#19 0x7f31abc8188e in gf_isom_box_parse_ex isomedia/box_funcs.c:282
#20 0x7f31abc8cc46 in gf_isom_box_array_read isomedia/box_funcs.c:1790
#21 0x7f31abc8188e in gf_isom_box_parse_ex isomedia/box_funcs.c:282
#22 0x7f31abc85924 in gf_isom_parse_root_box isomedia/box_funcs.c:38
#23 0x7f31abcc3217 in gf_isom_parse_movie_boxes_internal isomedia/isom_intern.c:378
#24 0x7f31abcc3217 in gf_isom_parse_movie_boxes isomedia/isom_intern.c:868
#25 0x7f31abccde34 in gf_isom_open_file isomedia/isom_intern.c:988
#26 0x556d29130472 in mp4box_main /home/limweicheng/Desktop/Fuzz/gpac/applications/mp4box/mp4box.c:6221
#27 0x7f31aa6cfd8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
#28 0x7f31aa6cfe3f in __libc_start_main_impl ../csu/libc-start.c:392
#29 0x556d290cb244 in _start (/home/limweicheng/Desktop/Fuzz/gpac/bin/gcc/MP4Box+0x50244)
0x6020000013d0 is located 0 bytes inside of 16-byte region [0x6020000013d0,0x6020000013e0)
freed by thread T0 here:
#0 0x7f31ae2b8517 in __interceptor_free ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:127
#1 0x7f31abf6282f in gf_odf_vvc_cfg_read_bs odf/descriptors.c:1399
previously allocated by thread T0 here:
#0 0x7f31ae2b8867 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
#1 0x7f31abf625f9 in gf_odf_vvc_cfg_read_bs odf/descriptors.c:1375
SUMMARY: AddressSanitizer: heap-use-after-free odf/descriptors.c:1403 in gf_odf_vvc_cfg_read_bs
Shadow bytes around the buggy address:
0x0c047fff8220: fa fa 04 fa fa fa 00 04 fa fa 00 00 fa fa 00 00
0x0c047fff8230: fa fa fd fd fa fa 00 00 fa fa 00 00 fa fa 00 00
0x0c047fff8240: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 00
0x0c047fff8250: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 01 fa
0x0c047fff8260: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 00
=>0x0c047fff8270: fa fa 00 00 fa fa 00 00 fa fa[fd]fd fa fa fa fa
0x0c047fff8280: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8290: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff82a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff82b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff82c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==3978220==ABORTING
Impact
This can cause crashes by reading an unexpected value from freed memory, or possibly code execution.
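To make the bug class concrete from the defender's side, here is an added example (written for this page, not gpac's code): a constructed, simplified parser for an array of parameter-set NALUs in the shape of a vvcC box. `ParamArray`, `ParamList`, `parse_arrays`, `parse_arrays_vulnerable`, the byte layout and the accepted-type rule are all assumptions. The vulnerable loop mirrors the three frames the ASan report shows (an allocation, a free on the "Invalid NALU type" path, and a read a few lines later); the hardened loop validates before allocating and never touches a rejected entry again. The sample inputs are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed, simplified analogue of one vvcC parameter-set array entry (hypothetical type). */
typedef struct {
    uint8_t type;        /* 5-bit NALU type carried by this array */
    uint8_t nalu_count;  /* number of NALUs that follow */
    size_t  nalu_bytes;  /* payload bytes consumed for this array */
} ParamArray;

/* Growable list of heap-allocated entries, standing in for the list the real parser fills. */
typedef struct { ParamArray **items; size_t count; } ParamList;

void list_init(ParamList *l) { l->items = NULL; l->count = 0; }
static int list_add(ParamList *l, ParamArray *ar) {
    ParamArray **n = realloc(l->items, (l->count + 1) * sizeof *n);
    if (!n) return 0;
    l->items = n;
    l->items[l->count++] = ar;
    return 1;
}
static void list_rem_last(ParamList *l) { if (l->count) l->count--; }
void list_free(ParamList *l) {
    for (size_t i = 0; i < l->count; i++) free(l->items[i]);
    free(l->items);
    list_init(l);
}

/* VVC parameter-set NALU types 14..18 (VPS, SPS, PPS, prefix APS, suffix APS); restricting
 * the array to exactly these is a constructed rule for this example. */
static int is_valid_array_type(uint8_t t) { return t >= 14 && t <= 18; }

/* Constructed wire layout: [count], then per array [type][nalu_count], then
 * nalu_count times [len][len payload bytes]. */

/* Vulnerable shape of the loop (constructed to mirror the bug class in the report: an
 * allocation, a free on the "Invalid NALU type" path, a read a few lines later). The entry
 * is dropped and freed, but without a `continue` the loop keeps dereferencing `ar`; under
 * ASan this is reported as heap-use-after-free. Only safe to call on well-formed input. */
int parse_arrays_vulnerable(const uint8_t *buf, size_t len, ParamList *out) {
    size_t pos = 0;
    if (len == 0) return -1;
    uint8_t count = buf[pos++];
    for (uint8_t i = 0; i < count; i++) {
        if (pos + 2 > len) return -1;
        ParamArray *ar = calloc(1, sizeof *ar);                 /* allocation */
        if (!ar || !list_add(out, ar)) { free(ar); return -1; }
        ar->type = buf[pos++] & 0x1F;
        ar->nalu_count = buf[pos++];
        if (!is_valid_array_type(ar->type)) {
            fprintf(stderr, "[VVC] Invalid NALU type in vvcC - ignoring\n");
            list_rem_last(out);
            free(ar);                                           /* free on the error path */
            /* BUG: missing `continue`; `ar` is dangling from here on. */
        }
        for (uint8_t n = 0; n < ar->nalu_count; n++) {          /* read through freed `ar` */
            if (pos >= len) return -1;
            uint8_t l = buf[pos++];
            if (pos + l > len) return -1;
            ar->nalu_bytes += l;
            pos += l;
        }
    }
    return (int)out->count;
}

/* Hardened version: validate before allocating, never touch a rejected entry again, and
 * still consume the rejected array's NALUs so the parser stays aligned with the stream.
 * Returns the number of arrays kept, or -1 on truncated input. */
int parse_arrays(const uint8_t *buf, size_t len, ParamList *out) {
    size_t pos = 0;
    if (len == 0) return -1;
    uint8_t count = buf[pos++];
    for (uint8_t i = 0; i < count; i++) {
        if (pos + 2 > len) return -1;
        uint8_t type = buf[pos++] & 0x1F;
        uint8_t nalu_count = buf[pos++];
        ParamArray *ar = NULL;
        if (is_valid_array_type(type)) {
            ar = calloc(1, sizeof *ar);
            if (!ar || !list_add(out, ar)) { free(ar); return -1; }
            ar->type = type;
            ar->nalu_count = nalu_count;
        } else {
            fprintf(stderr, "[VVC] Invalid NALU type in vvcC - ignoring\n");
        }
        for (uint8_t n = 0; n < nalu_count; n++) {
            if (pos >= len) return -1;
            uint8_t l = buf[pos++];
            if (pos + l > len) return -1;
            if (ar) ar->nalu_bytes += l;
            pos += l;
        }
    }
    return (int)out->count;
}

/* Constructed samples: one well-formed SPS array, and the same followed by an array of
 * invalid type 31 (the case that makes the vulnerable loop read freed memory). */
const uint8_t SAMPLE_VALID[] = { 1, 15, 1, 3, 0xAA, 0xBB, 0xCC };
const uint8_t SAMPLE_BAD_TYPE[] = { 2, 15, 1, 3, 0xAA, 0xBB, 0xCC, 31, 1, 2, 0x11, 0x22 };

int main(void) {
    ParamList l; list_init(&l);
    int kept = parse_arrays(SAMPLE_BAD_TYPE, sizeof SAMPLE_BAD_TYPE, &l);
    printf("arrays kept: %d, first type %u, payload %zu bytes\n",
           kept, (unsigned)l.items[0]->type, l.items[0]->nalu_bytes);
    list_free(&l);
    return 0;
}
```

Both loops return the same result on `SAMPLE_VALID`, so ordinary functional tests do not separate them; only the invalid-type input does, and building with `-fsanitize=address` and feeding `SAMPLE_BAD_TYPE` to `parse_arrays_vulnerable` produces a report of the same shape as the one above (READ after a free on the warning path, following a malloc in the same function). That is the gap fuzzing closes, and the hardened loop's rule of deciding before allocating is the cheapest way to make the error path structurally unable to reach freed memory.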
References
We are processing your report and will contact the gpac team within 24 hours.
We have contacted a member of the gpac team and are waiting to hear back.