Use After Free in gpac/gpac

Valid

Reported on

May 15th 2022


Description

Heap use-after-free in gpac, triggered via MP4Box -bt and reported by AddressSanitizer in gf_node_try_destroy (src/scenegraph/base_scenegraph.c:668): the node is freed by gf_node_unregister (line 669) and then read again at line 668.

Proof of Concept

MP4Box -bt POC1

POC1 is here

ASAN

==74043==ERROR: AddressSanitizer: heap-use-after-free on address 0x604000003fd0 at pc 0x7f0c5374e845 bp 0x7ffcfc56f2b0 sp 0x7ffcfc56f2a8
READ of size 8 at 0x604000003fd0 thread T0
    #0 0x7f0c5374e844 in gf_node_try_destroy /home/wjh/gpac/src/scenegraph/base_scenegraph.c:668:24
    #1 0x7f0c537623c1 in gf_sg_command_del /home/wjh/gpac/src/scenegraph/commands.c:120:3
    #2 0x7f0c53f10d1c in gf_sm_au_del /home/wjh/gpac/src/scene_manager/scene_manager.c:113:4
    #3 0x7f0c53f0dcd8 in gf_sm_reset_stream /home/wjh/gpac/src/scene_manager/scene_manager.c:126:3
    #4 0x7f0c53f0dcd8 in gf_sm_delete_stream /home/wjh/gpac/src/scene_manager/scene_manager.c:133:2
    #5 0x7f0c53f0dcd8 in gf_sm_del /home/wjh/gpac/src/scene_manager/scene_manager.c:147:3
    #6 0x505572 in dump_isom_scene /home/wjh/gpac/applications/mp4box/filedump.c:220:2
    #7 0x4f3e66 in mp4box_main /home/wjh/gpac/applications/mp4box/mp4box.c:6227:7
    #8 0x7f0c52e34082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
    #9 0x42ac0d in _start (/home/wjh/gpac/bin/gcc/MP4Box+0x42ac0d)

0x604000003fd0 is located 0 bytes inside of 48-byte region [0x604000003fd0,0x604000004000)
freed by thread T0 here:
    #0 0x4a49fd in free (/home/wjh/gpac/bin/gcc/MP4Box+0x4a49fd)
    #1 0x7f0c5374a1cf in gf_node_unregister /home/wjh/gpac/src/scenegraph/base_scenegraph.c:763:3
    #2 0x7f0c5374e7dc in gf_node_try_destroy /home/wjh/gpac/src/scenegraph/base_scenegraph.c:669:9
    #3 0x7f0c53f10d1c in gf_sm_au_del /home/wjh/gpac/src/scene_manager/scene_manager.c:113:4
    #4 0x7f0c53f0dcd8 in gf_sm_reset_stream /home/wjh/gpac/src/scene_manager/scene_manager.c:126:3
    #5 0x7f0c53f0dcd8 in gf_sm_delete_stream /home/wjh/gpac/src/scene_manager/scene_manager.c:133:2
    #6 0x7f0c53f0dcd8 in gf_sm_del /home/wjh/gpac/src/scene_manager/scene_manager.c:147:3

previously allocated by thread T0 here:
    #0 0x4a4c7d in malloc (/home/wjh/gpac/bin/gcc/MP4Box+0x4a4c7d)
    #1 0x7f0c5377e2db in Group_Create /home/wjh/gpac/src/scenegraph/mpeg4_nodes.c:7579:2
    #2 0x7f0c5377e2db in gf_sg_mpeg4_node_new /home/wjh/gpac/src/scenegraph/mpeg4_nodes.c:36809:10

SUMMARY: AddressSanitizer: heap-use-after-free /home/wjh/gpac/src/scenegraph/base_scenegraph.c:668:24 in gf_node_try_destroy
Shadow bytes around the buggy address:
  0x0c087fff87a0: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fd
  0x0c087fff87b0: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fd
  0x0c087fff87c0: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fd
  0x0c087fff87d0: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fd
  0x0c087fff87e0: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fd
=>0x0c087fff87f0: fa fa 00 00 00 00 02 fa fa fa[fd]fd fd fd fd fd
  0x0c087fff8800: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fa
  0x0c087fff8810: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fa
  0x0c087fff8820: fa fa fd fd fd fd fd fa fa fa fd fd fd fd fd fa
  0x0c087fff8830: fa fa fd fd fd fd fd fa fa fa fd fd fd fd fd fa
  0x0c087fff8840: fa fa fd fd fd fd fd fa fa fa fd fd fd fd fd fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==74043==ABORTING

Impact

This can cause the program to crash, use unexpected values, or execute code.

We are processing your report and will contact the gpac team within 24 hours. a month ago
We have contacted a member of the gpac team and are waiting to hear back a month ago
gpac/gpac maintainer validated this vulnerability a month ago
wjhwjhn has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
gpac/gpac maintainer confirmed that a fix has been merged on c535ba a month ago
The fix bounty has been dropped
wjhwjhn
a month ago

Researcher


Hi @admin, may I have a CVE assigned to this case? Thanks!

Jamie Slome
a month ago

Admin


Sorted 👍
