Heap Use After Free in function Q_IsTypeOn in gpac/gpac
Valid
Reported on Jun 29th 2022
Description
Heap Use After Free in function Q_IsTypeOn at src/bifs/unquantize.c:169
The three AddressSanitizer stacks below show the sequence: a QuantizationParameter node is allocated while a children list is being decoded (gf_bifs_dec_node, field_decode.c:893, via gf_node_new); it is freed when the enclosing LOD node is unregistered from gf_bifs_dec_node (field_decode.c:931) and its children are released (LOD_Del -> gf_node_unregister_children -> QuantizationParameter_Del); and the freed node is then read again by Q_IsTypeOn while a later field is unquantized (gf_bifs_dec_unquant_field, unquantize.c:398). The decoder still holds a pointer to the QuantizationParameter node after the scene graph has released it.
gpac version (git log)
git log
commit ea3af7c8242d1a82657dc3a518df5a5b1b5e27ed (HEAD -> master, origin/master, origin/HEAD)
Author: Romain Bouqueau <romain.bouqueau.pro@gmail.com>
Date: Tue Jun 28 19:25:58 2022 +0200
POC
./MP4Box -bt ./poc_huaf1_s.dat
=================================================================
==1301527==ERROR: AddressSanitizer: heap-use-after-free on address 0x6100000023c4 at pc 0x7ffff2264f88 bp 0x7fffffff2dc0 sp 0x7fffffff2db8
READ of size 4 at 0x6100000023c4 thread T0
#0 0x7ffff2264f87 in Q_IsTypeOn /home/fuzz/fuzz/gpac/src/bifs/unquantize.c:169:12
#1 0x7ffff2273d98 in gf_bifs_dec_unquant_field /home/fuzz/fuzz/gpac/src/bifs/unquantize.c:398:7
#2 0x7ffff21ab00d in gf_bifs_dec_sf_field /home/fuzz/fuzz/gpac/src/bifs/field_decode.c:84:7
#3 0x7ffff21bf41f in gf_bifs_dec_field /home/fuzz/fuzz/gpac/src/bifs/field_decode.c:518:7
#4 0x7ffff21c2403 in gf_bifs_dec_node_mask /home/fuzz/fuzz/gpac/src/bifs/field_decode.c:671:8
#5 0x7ffff21b9791 in gf_bifs_dec_node /home/fuzz/fuzz/gpac/src/bifs/field_decode.c:919:7
#6 0x7ffff21bd7c3 in BD_DecMFFieldVec /home/fuzz/fuzz/gpac/src/bifs/field_decode.c:433:24
#7 0x7ffff21c064f in gf_bifs_dec_field /home/fuzz/fuzz/gpac/src/bifs/field_decode.c:559:9
#8 0x7ffff21c18e5 in gf_bifs_dec_node_list /home/fuzz/fuzz/gpac/src/bifs/field_decode.c:619:7
#9 0x7ffff21b984b in gf_bifs_dec_node /home/fuzz/fuzz/gpac/src/bifs/field_decode.c:921:7
#10 0x7ffff21dd60c in BM_ParseNodeInsert /home/fuzz/fuzz/gpac/src/bifs/memory_decoder.c:433:9
#11 0x7ffff21e24d3 in BM_ParseInsert /home/fuzz/fuzz/gpac/src/bifs/memory_decoder.c:583:10
#12 0x7ffff21eeb02 in BM_ParseCommand /home/fuzz/fuzz/gpac/src/bifs/memory_decoder.c:907:8
#13 0x7ffff21f05d2 in gf_bifs_flush_command_list /home/fuzz/fuzz/gpac/src/bifs/memory_decoder.c:962:9
#14 0x7ffff21f32bc in gf_bifs_decode_command_list /home/fuzz/fuzz/gpac/src/bifs/memory_decoder.c:1042:3
#15 0x7ffff39a4274 in gf_sm_load_run_isom /home/fuzz/fuzz/gpac/src/scene_manager/loader_isom.c:303:10
#16 0x7ffff3844fee in gf_sm_load_run /home/fuzz/fuzz/gpac/src/scene_manager/scene_manager.c:719:28
#17 0x585735 in dump_isom_scene /home/fuzz/fuzz/gpac/applications/mp4box/filedump.c:203:14
#18 0x54321e in mp4box_main /home/fuzz/fuzz/gpac/applications/mp4box/mp4box.c:6343:7
#19 0x553f31 in main /home/fuzz/fuzz/gpac/applications/mp4box/mp4box.c:6810:1
#20 0x7fffeee04082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
#21 0x42abed in _start (/home/fuzz/fuzz/gpac/gpac/bin/gcc/MP4Box+0x42abed)
0x6100000023c4 is located 132 bytes inside of 192-byte region [0x610000002340,0x610000002400)
freed by thread T0 here:
#0 0x4a5be2 in free (/home/fuzz/fuzz/gpac/gpac/bin/gcc/MP4Box+0x4a5be2)
#1 0x7ffff0d72324 in gf_free /home/fuzz/fuzz/gpac/src/utils/alloc.c:165:2
#2 0x7ffff128e631 in gf_node_free /home/fuzz/fuzz/gpac/src/scenegraph/base_scenegraph.c:1622:2
#3 0x7ffff13bda9c in QuantizationParameter_Del /home/fuzz/fuzz/gpac/src/scenegraph/mpeg4_nodes.c:11981:2
#4 0x7ffff13afa2d in gf_sg_mpeg4_node_del /home/fuzz/fuzz/gpac/src/scenegraph/mpeg4_nodes.c:37743:3
#5 0x7ffff1272b50 in gf_node_del /home/fuzz/fuzz/gpac/src/scenegraph/base_scenegraph.c:1904:59
#6 0x7ffff12610b9 in gf_node_unregister /home/fuzz/fuzz/gpac/src/scenegraph/base_scenegraph.c:763:3
#7 0x7ffff12853d4 in gf_node_unregister_children /home/fuzz/fuzz/gpac/src/scenegraph/base_scenegraph.c:1371:3
#8 0x7ffff13bb3f5 in LOD_Del /home/fuzz/fuzz/gpac/src/scenegraph/mpeg4_nodes.c:8552:2
#9 0x7ffff13af45d in gf_sg_mpeg4_node_del /home/fuzz/fuzz/gpac/src/scenegraph/mpeg4_nodes.c:37671:3
#10 0x7ffff1272b50 in gf_node_del /home/fuzz/fuzz/gpac/src/scenegraph/base_scenegraph.c:1904:59
#11 0x7ffff12610b9 in gf_node_unregister /home/fuzz/fuzz/gpac/src/scenegraph/base_scenegraph.c:763:3
#12 0x7ffff21b9b8c in gf_bifs_dec_node /home/fuzz/fuzz/gpac/src/bifs/field_decode.c:931:3
#13 0x7ffff21dd60c in BM_ParseNodeInsert /home/fuzz/fuzz/gpac/src/bifs/memory_decoder.c:433:9
#14 0x7ffff21e24d3 in BM_ParseInsert /home/fuzz/fuzz/gpac/src/bifs/memory_decoder.c:583:10
#15 0x7ffff21eeb02 in BM_ParseCommand /home/fuzz/fuzz/gpac/src/bifs/memory_decoder.c:907:8
#16 0x7ffff21f05d2 in gf_bifs_flush_command_list /home/fuzz/fuzz/gpac/src/bifs/memory_decoder.c:962:9
#17 0x7ffff21f32bc in gf_bifs_decode_command_list /home/fuzz/fuzz/gpac/src/bifs/memory_decoder.c:1042:3
#18 0x7ffff39a4274 in gf_sm_load_run_isom /home/fuzz/fuzz/gpac/src/scene_manager/loader_isom.c:303:10
#19 0x7ffff3844fee in gf_sm_load_run /home/fuzz/fuzz/gpac/src/scene_manager/scene_manager.c:719:28
#20 0x585735 in dump_isom_scene /home/fuzz/fuzz/gpac/applications/mp4box/filedump.c:203:14
#21 0x54321e in mp4box_main /home/fuzz/fuzz/gpac/applications/mp4box/mp4box.c:6343:7
#22 0x553f31 in main /home/fuzz/fuzz/gpac/applications/mp4box/mp4box.c:6810:1
#23 0x7fffeee04082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
previously allocated by thread T0 here:
#0 0x4a5e4d in malloc (/home/fuzz/fuzz/gpac/gpac/bin/gcc/MP4Box+0x4a5e4d)
#1 0x7ffff0d72214 in gf_malloc /home/fuzz/fuzz/gpac/src/utils/alloc.c:150:9
#2 0x7ffff132e244 in QuantizationParameter_Create /home/fuzz/fuzz/gpac/src/scenegraph/mpeg4_nodes.c:12496:2
#3 0x7ffff13a96f6 in gf_sg_mpeg4_node_new /home/fuzz/fuzz/gpac/src/scenegraph/mpeg4_nodes.c:36871:10
#4 0x7ffff1298209 in gf_node_new /home/fuzz/fuzz/gpac/src/scenegraph/base_scenegraph.c:1996:51
#5 0x7ffff21b91b4 in gf_bifs_dec_node /home/fuzz/fuzz/gpac/src/bifs/field_decode.c:893:15
#6 0x7ffff21bd7c3 in BD_DecMFFieldVec /home/fuzz/fuzz/gpac/src/bifs/field_decode.c:433:24
#7 0x7ffff21c064f in gf_bifs_dec_field /home/fuzz/fuzz/gpac/src/bifs/field_decode.c:559:9
#8 0x7ffff21c18e5 in gf_bifs_dec_node_list /home/fuzz/fuzz/gpac/src/bifs/field_decode.c:619:7
#9 0x7ffff21b984b in gf_bifs_dec_node /home/fuzz/fuzz/gpac/src/bifs/field_decode.c:921:7
#10 0x7ffff21dd60c in BM_ParseNodeInsert /home/fuzz/fuzz/gpac/src/bifs/memory_decoder.c:433:9
#11 0x7ffff21e24d3 in BM_ParseInsert /home/fuzz/fuzz/gpac/src/bifs/memory_decoder.c:583:10
#12 0x7ffff21eeb02 in BM_ParseCommand /home/fuzz/fuzz/gpac/src/bifs/memory_decoder.c:907:8
#13 0x7ffff21f05d2 in gf_bifs_flush_command_list /home/fuzz/fuzz/gpac/src/bifs/memory_decoder.c:962:9
#14 0x7ffff21f32bc in gf_bifs_decode_command_list /home/fuzz/fuzz/gpac/src/bifs/memory_decoder.c:1042:3
#15 0x7ffff39a4274 in gf_sm_load_run_isom /home/fuzz/fuzz/gpac/src/scene_manager/loader_isom.c:303:10
#16 0x7ffff3844fee in gf_sm_load_run /home/fuzz/fuzz/gpac/src/scene_manager/scene_manager.c:719:28
#17 0x585735 in dump_isom_scene /home/fuzz/fuzz/gpac/applications/mp4box/filedump.c:203:14
#18 0x54321e in mp4box_main /home/fuzz/fuzz/gpac/applications/mp4box/mp4box.c:6343:7
#19 0x553f31 in main /home/fuzz/fuzz/gpac/applications/mp4box/mp4box.c:6810:1
#20 0x7fffeee04082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
SUMMARY: AddressSanitizer: heap-use-after-free /home/fuzz/fuzz/gpac/src/bifs/unquantize.c:169:12 in Q_IsTypeOn
Shadow bytes around the buggy address:
0x0c207fff8420: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
0x0c207fff8430: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa
0x0c207fff8440: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
0x0c207fff8450: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa
0x0c207fff8460: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
=>0x0c207fff8470: fd fd fd fd fd fd fd fd[fd]fd fd fd fd fd fd fd
0x0c207fff8480: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
0x0c207fff8490: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c207fff84a0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
0x0c207fff84b0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c207fff84c0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==1301527==ABORTING
Impact
This vulnerability can crash the software, cause it to use unexpected values read from freed memory, or possibly lead to code execution. MP4Box reaches it while parsing an untrusted file, so any tool that dumps or imports BIFS scenes through this code path is affected.
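As an added illustration (not gpac code, and not the project's fix), the following C model reproduces the ownership mistake the three ASan stacks describe: a decoder caches a pointer to the active QuantizationParameter-like node, the parent node is unregistered and its children freed, and a later Q_IsTypeOn-style query would read the freed node. The hardened path clears the cached pointer when the node it refers to is freed, so the query reports "off" instead of touching freed memory. All names here (node_t, decoder_t, replay, q_is_type_on) are hypothetical; the scenario is constructed, and the dangling-pointer case is reported without dereferencing the freed node.

```c
/* Constructed model of the decoder-cache lifetime bug; not gpac code. */
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

#define MAX_CHILDREN 4
#define QP_TYPES 8

typedef struct node {
    int refs;                       /* owners still holding this node */
    bool is_qp;                     /* models a QuantizationParameter node */
    bool type_on[QP_TYPES];         /* which quantization categories are enabled */
    struct node *children[MAX_CHILDREN];
    int n_children;
} node_t;

typedef struct {
    node_t *active_qp;              /* cached pointer into the scene graph (hypothetical) */
    int nodes_freed;
} decoder_t;

static node_t *node_new(bool is_qp)
{
    node_t *n = calloc(1, sizeof *n);
    if (!n) abort();
    n->is_qp = is_qp;
    return n;
}

static void node_add_child(node_t *parent, node_t *child)
{
    if (parent->n_children == MAX_CHILDREN) abort();
    parent->children[parent->n_children++] = child;
    child->refs++;                  /* the parent now owns a reference */
}

/* Drop one reference; on the last one, release children and free the node.
 * With 'hardened' set, a cached decoder pointer to the dying node is cleared
 * before free(), which is what prevents the later stale read. */
static void node_unregister(decoder_t *dec, node_t *n, bool hardened)
{
    if (--n->refs > 0) return;
    for (int i = 0; i < n->n_children; i++)
        node_unregister(dec, n->children[i], hardened);
    if (hardened && dec->active_qp == n)
        dec->active_qp = NULL;
    dec->nodes_freed++;
    free(n);
}

/* Q_IsTypeOn-style query: true if the active QP enables quantization 'type'. */
static bool q_is_type_on(const decoder_t *dec, int type)
{
    if (!dec->active_qp || type < 0 || type >= QP_TYPES) return false;
    return dec->active_qp->type_on[type];   /* the read ASan flagged */
}

/* Replays the decode sequence from the report: an LOD-like parent gets a QP
 * child, the decoder caches that child, the parent is unregistered while the
 * decoder is still in the middle of decoding fields, then the QP is queried.
 * Returns 1 if a dangling cache pointer survives teardown (the UAF condition),
 * 0 if the cache was cleared and the query safely reports "off". */
static int replay(bool hardened, int *freed_out)
{
    decoder_t dec = {0};
    node_t *lod = node_new(false);
    node_t *qp  = node_new(true);
    qp->type_on[3] = true;          /* constructed: category 3 is quantized */
    lod->refs = 1;                  /* the decoder's own reference to the LOD */
    node_add_child(lod, qp);

    dec.active_qp = qp;             /* decoder starts using this QP */
    if (!q_is_type_on(&dec, 3)) abort();   /* fine while qp is alive */

    node_unregister(&dec, lod, hardened);  /* frees lod and, with it, qp */
    if (freed_out) *freed_out = dec.nodes_freed;

    if (!hardened)
        return dec.active_qp != NULL;      /* 1: next q_is_type_on() reads freed memory */
    return q_is_type_on(&dec, 3) ? 2 : 0;  /* 0: cache cleared, query reports "off" */
}

int main(void)
{
    int freed;
    printf("unguarded cache: %s\n",
           replay(false, &freed) ? "dangling pointer, UAF on next use" : "clean");
    printf("guarded cache:   %s\n",
           replay(true, &freed) ? "dangling pointer" : "cleared, query reports off");
    return 0;
}
```

Building this model with -fsanitize=address and replacing the `return dec.active_qp != NULL;` line with a real `q_is_type_on()` call reproduces the same heap-use-after-free report shape as above: the READ lands in the query function, the free in the recursive unregister, and the allocation in node_new.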
We are processing your report and will contact the gpac team within 24 hours.
a year ago
We have contacted a member of the gpac team and are waiting to hear back.
a year ago
We have sent a follow up to the gpac team. We will try again in 7 days.
a year ago
We have sent a second follow up to the gpac team. We will try again in 10 days.
a year ago
@maintainer - are you happy for us to assign and publish a CVE? Once we get your permission, we can proceed with a CVE for this report 👍
We agree. Please proceed with what's the best practice.