Heap Use After Free in function Q_IsTypeOn in gpac/gpac

Valid

Reported on

Jun 29th 2022

Description

Heap Use After Free in function Q_IsTypeOn at src/bifs/unquantize.c:169

gpac version

git log
commit ea3af7c8242d1a82657dc3a518df5a5b1b5e27ed (HEAD -> master, origin/master, origin/HEAD)
Author: Romain Bouqueau <romain.bouqueau.pro@gmail.com>
Date:   Tue Jun 28 19:25:58 2022 +0200

POC

./MP4Box -bt ./poc_huaf1_s.dat

=================================================================
==1301527==ERROR: AddressSanitizer: heap-use-after-free on address 0x6100000023c4 at pc 0x7ffff2264f88 bp 0x7fffffff2dc0 sp 0x7fffffff2db8
READ of size 4 at 0x6100000023c4 thread T0
    #0 0x7ffff2264f87 in Q_IsTypeOn /home/fuzz/fuzz/gpac/src/bifs/unquantize.c:169:12
    #1 0x7ffff2273d98 in gf_bifs_dec_unquant_field /home/fuzz/fuzz/gpac/src/bifs/unquantize.c:398:7
    #2 0x7ffff21ab00d in gf_bifs_dec_sf_field /home/fuzz/fuzz/gpac/src/bifs/field_decode.c:84:7
    #3 0x7ffff21bf41f in gf_bifs_dec_field /home/fuzz/fuzz/gpac/src/bifs/field_decode.c:518:7
    #4 0x7ffff21c2403 in gf_bifs_dec_node_mask /home/fuzz/fuzz/gpac/src/bifs/field_decode.c:671:8
    #5 0x7ffff21b9791 in gf_bifs_dec_node /home/fuzz/fuzz/gpac/src/bifs/field_decode.c:919:7
    #6 0x7ffff21bd7c3 in BD_DecMFFieldVec /home/fuzz/fuzz/gpac/src/bifs/field_decode.c:433:24
    #7 0x7ffff21c064f in gf_bifs_dec_field /home/fuzz/fuzz/gpac/src/bifs/field_decode.c:559:9
    #8 0x7ffff21c18e5 in gf_bifs_dec_node_list /home/fuzz/fuzz/gpac/src/bifs/field_decode.c:619:7
    #9 0x7ffff21b984b in gf_bifs_dec_node /home/fuzz/fuzz/gpac/src/bifs/field_decode.c:921:7
    #10 0x7ffff21dd60c in BM_ParseNodeInsert /home/fuzz/fuzz/gpac/src/bifs/memory_decoder.c:433:9
    #11 0x7ffff21e24d3 in BM_ParseInsert /home/fuzz/fuzz/gpac/src/bifs/memory_decoder.c:583:10
    #12 0x7ffff21eeb02 in BM_ParseCommand /home/fuzz/fuzz/gpac/src/bifs/memory_decoder.c:907:8
    #13 0x7ffff21f05d2 in gf_bifs_flush_command_list /home/fuzz/fuzz/gpac/src/bifs/memory_decoder.c:962:9
    #14 0x7ffff21f32bc in gf_bifs_decode_command_list /home/fuzz/fuzz/gpac/src/bifs/memory_decoder.c:1042:3
    #15 0x7ffff39a4274 in gf_sm_load_run_isom /home/fuzz/fuzz/gpac/src/scene_manager/loader_isom.c:303:10
    #16 0x7ffff3844fee in gf_sm_load_run /home/fuzz/fuzz/gpac/src/scene_manager/scene_manager.c:719:28
    #17 0x585735 in dump_isom_scene /home/fuzz/fuzz/gpac/applications/mp4box/filedump.c:203:14
    #18 0x54321e in mp4box_main /home/fuzz/fuzz/gpac/applications/mp4box/mp4box.c:6343:7
    #19 0x553f31 in main /home/fuzz/fuzz/gpac/applications/mp4box/mp4box.c:6810:1
    #20 0x7fffeee04082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
    #21 0x42abed in _start (/home/fuzz/fuzz/gpac/gpac/bin/gcc/MP4Box+0x42abed)

0x6100000023c4 is located 132 bytes inside of 192-byte region [0x610000002340,0x610000002400)
freed by thread T0 here:
    #0 0x4a5be2 in free (/home/fuzz/fuzz/gpac/gpac/bin/gcc/MP4Box+0x4a5be2)
    #1 0x7ffff0d72324 in gf_free /home/fuzz/fuzz/gpac/src/utils/alloc.c:165:2
    #2 0x7ffff128e631 in gf_node_free /home/fuzz/fuzz/gpac/src/scenegraph/base_scenegraph.c:1622:2
    #3 0x7ffff13bda9c in QuantizationParameter_Del /home/fuzz/fuzz/gpac/src/scenegraph/mpeg4_nodes.c:11981:2
    #4 0x7ffff13afa2d in gf_sg_mpeg4_node_del /home/fuzz/fuzz/gpac/src/scenegraph/mpeg4_nodes.c:37743:3
    #5 0x7ffff1272b50 in gf_node_del /home/fuzz/fuzz/gpac/src/scenegraph/base_scenegraph.c:1904:59
    #6 0x7ffff12610b9 in gf_node_unregister /home/fuzz/fuzz/gpac/src/scenegraph/base_scenegraph.c:763:3
    #7 0x7ffff12853d4 in gf_node_unregister_children /home/fuzz/fuzz/gpac/src/scenegraph/base_scenegraph.c:1371:3
    #8 0x7ffff13bb3f5 in LOD_Del /home/fuzz/fuzz/gpac/src/scenegraph/mpeg4_nodes.c:8552:2
    #9 0x7ffff13af45d in gf_sg_mpeg4_node_del /home/fuzz/fuzz/gpac/src/scenegraph/mpeg4_nodes.c:37671:3
    #10 0x7ffff1272b50 in gf_node_del /home/fuzz/fuzz/gpac/src/scenegraph/base_scenegraph.c:1904:59
    #11 0x7ffff12610b9 in gf_node_unregister /home/fuzz/fuzz/gpac/src/scenegraph/base_scenegraph.c:763:3
    #12 0x7ffff21b9b8c in gf_bifs_dec_node /home/fuzz/fuzz/gpac/src/bifs/field_decode.c:931:3
    #13 0x7ffff21dd60c in BM_ParseNodeInsert /home/fuzz/fuzz/gpac/src/bifs/memory_decoder.c:433:9
    #14 0x7ffff21e24d3 in BM_ParseInsert /home/fuzz/fuzz/gpac/src/bifs/memory_decoder.c:583:10
    #15 0x7ffff21eeb02 in BM_ParseCommand /home/fuzz/fuzz/gpac/src/bifs/memory_decoder.c:907:8
    #16 0x7ffff21f05d2 in gf_bifs_flush_command_list /home/fuzz/fuzz/gpac/src/bifs/memory_decoder.c:962:9
    #17 0x7ffff21f32bc in gf_bifs_decode_command_list /home/fuzz/fuzz/gpac/src/bifs/memory_decoder.c:1042:3
    #18 0x7ffff39a4274 in gf_sm_load_run_isom /home/fuzz/fuzz/gpac/src/scene_manager/loader_isom.c:303:10
    #19 0x7ffff3844fee in gf_sm_load_run /home/fuzz/fuzz/gpac/src/scene_manager/scene_manager.c:719:28
    #20 0x585735 in dump_isom_scene /home/fuzz/fuzz/gpac/applications/mp4box/filedump.c:203:14
    #21 0x54321e in mp4box_main /home/fuzz/fuzz/gpac/applications/mp4box/mp4box.c:6343:7
    #22 0x553f31 in main /home/fuzz/fuzz/gpac/applications/mp4box/mp4box.c:6810:1
    #23 0x7fffeee04082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16

previously allocated by thread T0 here:
    #0 0x4a5e4d in malloc (/home/fuzz/fuzz/gpac/gpac/bin/gcc/MP4Box+0x4a5e4d)
    #1 0x7ffff0d72214 in gf_malloc /home/fuzz/fuzz/gpac/src/utils/alloc.c:150:9
    #2 0x7ffff132e244 in QuantizationParameter_Create /home/fuzz/fuzz/gpac/src/scenegraph/mpeg4_nodes.c:12496:2
    #3 0x7ffff13a96f6 in gf_sg_mpeg4_node_new /home/fuzz/fuzz/gpac/src/scenegraph/mpeg4_nodes.c:36871:10
    #4 0x7ffff1298209 in gf_node_new /home/fuzz/fuzz/gpac/src/scenegraph/base_scenegraph.c:1996:51
    #5 0x7ffff21b91b4 in gf_bifs_dec_node /home/fuzz/fuzz/gpac/src/bifs/field_decode.c:893:15
    #6 0x7ffff21bd7c3 in BD_DecMFFieldVec /home/fuzz/fuzz/gpac/src/bifs/field_decode.c:433:24
    #7 0x7ffff21c064f in gf_bifs_dec_field /home/fuzz/fuzz/gpac/src/bifs/field_decode.c:559:9
    #8 0x7ffff21c18e5 in gf_bifs_dec_node_list /home/fuzz/fuzz/gpac/src/bifs/field_decode.c:619:7
    #9 0x7ffff21b984b in gf_bifs_dec_node /home/fuzz/fuzz/gpac/src/bifs/field_decode.c:921:7
    #10 0x7ffff21dd60c in BM_ParseNodeInsert /home/fuzz/fuzz/gpac/src/bifs/memory_decoder.c:433:9
    #11 0x7ffff21e24d3 in BM_ParseInsert /home/fuzz/fuzz/gpac/src/bifs/memory_decoder.c:583:10
    #12 0x7ffff21eeb02 in BM_ParseCommand /home/fuzz/fuzz/gpac/src/bifs/memory_decoder.c:907:8
    #13 0x7ffff21f05d2 in gf_bifs_flush_command_list /home/fuzz/fuzz/gpac/src/bifs/memory_decoder.c:962:9
    #14 0x7ffff21f32bc in gf_bifs_decode_command_list /home/fuzz/fuzz/gpac/src/bifs/memory_decoder.c:1042:3
    #15 0x7ffff39a4274 in gf_sm_load_run_isom /home/fuzz/fuzz/gpac/src/scene_manager/loader_isom.c:303:10
    #16 0x7ffff3844fee in gf_sm_load_run /home/fuzz/fuzz/gpac/src/scene_manager/scene_manager.c:719:28
    #17 0x585735 in dump_isom_scene /home/fuzz/fuzz/gpac/applications/mp4box/filedump.c:203:14
    #18 0x54321e in mp4box_main /home/fuzz/fuzz/gpac/applications/mp4box/mp4box.c:6343:7
    #19 0x553f31 in main /home/fuzz/fuzz/gpac/applications/mp4box/mp4box.c:6810:1
    #20 0x7fffeee04082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16

SUMMARY: AddressSanitizer: heap-use-after-free /home/fuzz/fuzz/gpac/src/bifs/unquantize.c:169:12 in Q_IsTypeOn
Shadow bytes around the buggy address:
  0x0c207fff8420: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c207fff8430: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa
  0x0c207fff8440: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c207fff8450: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa
  0x0c207fff8460: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
=>0x0c207fff8470: fd fd fd fd fd fd fd fd[fd]fd fd fd fd fd fd fd
  0x0c207fff8480: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c207fff8490: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c207fff84a0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c207fff84b0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c207fff84c0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==1301527==ABORTING

poc_huaf1_s.dat

Impact

This vulnerability is capable of crashing software, use unexpected value, or possible code execution.

We are processing your report and will contact the gpac team within 24 hours. a year ago

A GitHub Issue asking the maintainers to create a SECURITY.md exists a year ago

We have contacted a member of the gpac team and are waiting to hear back a year ago

A gpac/gpac maintainer

commented a year ago

Maintainer

https://github.com/gpac/gpac/issues/2212

We have sent a follow up to the gpac team. We will try again in 7 days. a year ago

We have sent a second follow up to the gpac team. We will try again in 10 days. a year ago

A gpac/gpac maintainer validated this vulnerability a year ago

Uinitech has been awarded the disclosure bounty

The fix bounty is now up for grabs

The researcher's credibility has increased: +7

A gpac/gpac maintainer marked this as fixed in 2.1-DEV with commit dc7de8 a year ago

The fix bounty has been dropped

This vulnerability will not receive a CVE

Uinitech

commented a year ago

Researcher

@admin can we get a CVE for this?

Jamie Slome

commented a year ago

Admin

@maintainer - are you happy for us to assign and publish a CVE? Once we get your permission, we can proceed with a CVE for this report 👍

A gpac/gpac maintainer

commented a year ago

Maintainer

We agree. Please proceed with what's the best practice.

Jamie Slome

commented a year ago

Admin

Done 👍

to join this conversation

We are processing your report and will contact the gpac team within 24 hours. a year ago

A GitHub Issue asking the maintainers to create a SECURITY.md exists a year ago

We have contacted a member of the gpac team and are waiting to hear back a year ago

A gpac/gpac maintainer

commented a year ago

Maintainer

https://github.com/gpac/gpac/issues/2212

We have sent a follow up to the gpac team. We will try again in 7 days. a year ago

We have sent a second follow up to the gpac team. We will try again in 10 days. a year ago

A gpac/gpac maintainer validated this vulnerability a year ago

Uinitech has been awarded the disclosure bounty

The fix bounty is now up for grabs

The researcher's credibility has increased: +7

A gpac/gpac maintainer marked this as fixed in 2.1-DEV with commit dc7de8 a year ago

The fix bounty has been dropped

This vulnerability will not receive a CVE

Uinitech

commented a year ago

Researcher

@admin can we get a CVE for this?

Jamie Slome

commented a year ago

Admin

@maintainer - are you happy for us to assign and publish a CVE? Once we get your permission, we can proceed with a CVE for this report 👍

A gpac/gpac maintainer

commented a year ago

Maintainer

We agree. Please proceed with what's the best practice.

Jamie Slome

commented a year ago

Admin

Done 👍

to join this conversation