heap-use-after-free in gf_odf_vvc_cfg_read_bs in gpac/gpac

Valid

Reported on

Jan 16th 2023


Description

heap-use-after-free in gf_odf_vvc_cfg_read_bs at odf/descriptors.c:1403

Version

Author: Lim Wei Cheng <aaron.lim446@gmail.com>

./MP4Box -version
MP4Box - GPAC version 2.3-DEV-rev23-g5a733aec7-master
(c) 2000-2023 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io

The same POC also triggers the heap-use-after-free on a later revision (as of 17 Jan 2023):
./MP4Box -version
MP4Box - GPAC version 2.3-DEV-rev27-g5195ad4e2-master
(c) 2000-2023 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io

Proof of Concept

./MP4Box -hint POC
[iso file] Unknown top-level box type freN
[VVC] Invalid NALU type in vvcC - ignoring
=================================================================
==3978220==ERROR: AddressSanitizer: heap-use-after-free on address 0x6020000013d0 at pc 0x7f31abf6419f bp 0x7fff5dfe20c0 sp 0x7fff5dfe20b0
READ of size 1 at 0x6020000013d0 thread T0
    #0 0x7f31abf6419e in gf_odf_vvc_cfg_read_bs odf/descriptors.c:1403
    #1 0x7f31abaf001c in vvcc_box_read isomedia/avc_ext.c:3085
    #2 0x7f31abc8188e in gf_isom_box_parse_ex isomedia/box_funcs.c:282
    #3 0x7f31abc8cc46 in gf_isom_box_array_read isomedia/box_funcs.c:1790
    #4 0x7f31abb5f774 in video_sample_entry_box_read isomedia/box_code_base.c:4354
    #5 0x7f31abc8188e in gf_isom_box_parse_ex isomedia/box_funcs.c:282
    #6 0x7f31abc8cc46 in gf_isom_box_array_read isomedia/box_funcs.c:1790
    #7 0x7f31abc8188e in gf_isom_box_parse_ex isomedia/box_funcs.c:282
    #8 0x7f31abc8cc46 in gf_isom_box_array_read isomedia/box_funcs.c:1790
    #9 0x7f31abb6daad in stbl_box_read isomedia/box_code_base.c:5115
    #10 0x7f31abc8188e in gf_isom_box_parse_ex isomedia/box_funcs.c:282
    #11 0x7f31abc8cc46 in gf_isom_box_array_read isomedia/box_funcs.c:1790
    #12 0x7f31abb4e2ea in minf_box_read isomedia/box_code_base.c:3583
    #13 0x7f31abc8188e in gf_isom_box_parse_ex isomedia/box_funcs.c:282
    #14 0x7f31abc8cc46 in gf_isom_box_array_read isomedia/box_funcs.c:1790
    #15 0x7f31abb47884 in mdia_box_read isomedia/box_code_base.c:3134
    #16 0x7f31abc8188e in gf_isom_box_parse_ex isomedia/box_funcs.c:282
    #17 0x7f31abc8cc46 in gf_isom_box_array_read isomedia/box_funcs.c:1790
    #18 0x7f31abb8b0fa in trak_box_read isomedia/box_code_base.c:6907
    #19 0x7f31abc8188e in gf_isom_box_parse_ex isomedia/box_funcs.c:282
    #20 0x7f31abc8cc46 in gf_isom_box_array_read isomedia/box_funcs.c:1790
    #21 0x7f31abc8188e in gf_isom_box_parse_ex isomedia/box_funcs.c:282
    #22 0x7f31abc85924 in gf_isom_parse_root_box isomedia/box_funcs.c:38
    #23 0x7f31abcc3217 in gf_isom_parse_movie_boxes_internal isomedia/isom_intern.c:378
    #24 0x7f31abcc3217 in gf_isom_parse_movie_boxes isomedia/isom_intern.c:868
    #25 0x7f31abccde34 in gf_isom_open_file isomedia/isom_intern.c:988
    #26 0x556d29130472 in mp4box_main /home/limweicheng/Desktop/Fuzz/gpac/applications/mp4box/mp4box.c:6221
    #27 0x7f31aa6cfd8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    #28 0x7f31aa6cfe3f in __libc_start_main_impl ../csu/libc-start.c:392
    #29 0x556d290cb244 in _start (/home/limweicheng/Desktop/Fuzz/gpac/bin/gcc/MP4Box+0x50244)

0x6020000013d0 is located 0 bytes inside of 16-byte region [0x6020000013d0,0x6020000013e0)
freed by thread T0 here:
    #0 0x7f31ae2b8517 in __interceptor_free ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:127
    #1 0x7f31abf6282f in gf_odf_vvc_cfg_read_bs odf/descriptors.c:1399

previously allocated by thread T0 here:
    #0 0x7f31ae2b8867 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
    #1 0x7f31abf625f9 in gf_odf_vvc_cfg_read_bs odf/descriptors.c:1375

SUMMARY: AddressSanitizer: heap-use-after-free odf/descriptors.c:1403 in gf_odf_vvc_cfg_read_bs
Shadow bytes around the buggy address:
  0x0c047fff8220: fa fa 04 fa fa fa 00 04 fa fa 00 00 fa fa 00 00
  0x0c047fff8230: fa fa fd fd fa fa 00 00 fa fa 00 00 fa fa 00 00
  0x0c047fff8240: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 00
  0x0c047fff8250: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 01 fa
  0x0c047fff8260: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 00
=>0x0c047fff8270: fa fa 00 00 fa fa 00 00 fa fa[fd]fd fa fa fa fa
  0x0c047fff8280: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8290: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff82a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff82b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff82c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==3978220==ABORTING
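What the sanitizer output above pins down is that the allocation (odf/descriptors.c:1375), the free (line 1399) and the faulting 1-byte read (line 1403) all sit inside gf_odf_vvc_cfg_read_bs, and that the read follows the "[VVC] Invalid NALU type in vvcC - ignoring" warning. That shape is characteristic of an entry being released on a validation failure and then still being touched by the rest of the loop body. The following is an added example, not gpac's code and not the fix in the referenced commit: a hypothetical parser for a vvcC-style list of NAL parameter arrays (the 3-byte record layout, the struct names and the "type below 32" validity rule are all assumptions for the demo) written so that a rejected entry is freed and the iteration is abandoned in the same step, so no later statement can read the freed memory. It also shows the matching cleanup on truncated input.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical parameter-set array entry (assumption for this example; it is
 * not gpac's GF_NALUFFParamArray). Wire format per entry: [type][count hi][count lo]. */
typedef struct {
    uint8_t  type;   /* NAL unit type shared by the entries in this array */
    uint16_t count;  /* number of NAL units the array announces */
} param_array;

typedef struct {
    param_array **arrays;  /* owned pointers to accepted arrays */
    size_t        num_arrays;
} vvc_cfg;

/* Release everything the config owns; safe to call on a partially built config. */
void free_cfg(vvc_cfg *cfg) {
    for (size_t i = 0; i < cfg->num_arrays; i++) free(cfg->arrays[i]);
    free(cfg->arrays);
    cfg->arrays = NULL;
    cfg->num_arrays = 0;
}

/* Constructed validity rule for the demo: accept only NAL types below 32. */
static int nal_type_valid(uint8_t t) { return t < 32; }

/* Parse buf = [num_arrays][entry]*. Returns the number of arrays kept,
 * or -1 on truncated input / allocation failure (cfg is left empty then).
 * The defensive point: an entry that fails validation is freed and the loop
 * moves on immediately, so the dangling pointer is never dereferenced. */
int parse_arrays(const uint8_t *buf, size_t len, vvc_cfg *cfg) {
    cfg->arrays = NULL;
    cfg->num_arrays = 0;
    if (len < 1) return -1;
    uint8_t num = buf[0];
    size_t off = 1;
    for (uint8_t i = 0; i < num; i++) {
        if (off + 3 > len) { free_cfg(cfg); return -1; }   /* truncated record */
        param_array *a = malloc(sizeof *a);
        if (!a) { free_cfg(cfg); return -1; }
        a->type  = buf[off];
        a->count = (uint16_t)((buf[off + 1] << 8) | buf[off + 2]);
        off += 3;
        if (!nal_type_valid(a->type)) {
            /* Invalid entry: release it and skip the remainder of this iteration.
             * Without the 'continue', any field access below would be a use-after-free. */
            free(a);
            continue;
        }
        param_array **grown = realloc(cfg->arrays, (cfg->num_arrays + 1) * sizeof *grown);
        if (!grown) { free(a); free_cfg(cfg); return -1; }
        cfg->arrays = grown;
        cfg->arrays[cfg->num_arrays++] = a;   /* only live entries reach this point */
    }
    return (int)cfg->num_arrays;
}

/* Constructed sample: three entries, the middle one with an invalid type 0xFF. */
static const uint8_t SAMPLE[] = { 3, 14, 0, 1, 0xFF, 0, 2, 15, 0, 3 };

/* Returns 2 when the invalid entry is dropped and the two valid ones survive intact. */
int demo_valid_sample(void) {
    vvc_cfg cfg;
    int n = parse_arrays(SAMPLE, sizeof SAMPLE, &cfg);
    int ok = (n == 2 && cfg.arrays[0]->type == 14 && cfg.arrays[1]->count == 3);
    free_cfg(&cfg);
    return ok ? n : -2;
}

/* Same bytes cut to 5: the header promises 3 entries but only one is present. */
int demo_truncated_sample(void) {
    vvc_cfg cfg;
    return parse_arrays(SAMPLE, 5, &cfg);  /* -1, and nothing is leaked */
}

int main(void) {
    printf("valid sample kept %d arrays\n", demo_valid_sample());
    printf("truncated sample returned %d\n", demo_truncated_sample());
    return 0;
}
```

Run under AddressSanitizer (for example `-fsanitize=address`) the two demo functions stay silent; removing the `continue` in the rejection branch reproduces the same alloc/free/read-in-one-function pattern the trace above reports.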

Impact

This bug can crash the process when the freed memory holds unexpected values, and may possibly lead to code execution.

References


Maintainer


https://github.com/gpac/gpac/issues/2378

gpac/gpac maintainer validated this vulnerability 2 months ago

Solved by https://github.com/gpac/gpac/commit/9971fb125cf91cefd081a080c417b90bbe4a467b

gpac/gpac maintainer marked this as fixed in 2.3.0-DEV with commit 9971fb 2 months ago
This vulnerability has been assigned a CVE