Heap-buffer-overflow in MP4Box.
$ ./bin/gcc/MP4Box -version
MP4Box - GPAC version 2.3-DEV-revrelease
(c) 2000-2023 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
Please cite our work in your research:
GPAC Filters: https://doi.org/10.1145/3339825.3394929
GPAC: https://doi.org/10.1145/1291233.1291452
GPAC Configuration: --enable-sanitizer
Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SSL GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_LINUX_DVB GPAC_DISABLE_3D
complie and run
./configure --enable-sanitizer
make
./bin/gcc/MP4Box -dash 1000 -out /dev/null ./crash1
poc is here
information reported by sanitizer
$ ./bin/gcc/MP4Box -dash 1000 -out /dev/null ./crash1
[Dasher] No template assigned, using $File$_dash$FS$$Number$
[Dasher] No bitrate property assigned to PID crash1, computing from bitstream
[RFC6381] Cannot find M4V config, using default mp4v.20
[Dasher] No bitrate property assigned to PID crash1, computing from bitstream
[FileOut] cannot open output file /dev/crash1_dashinit.mp4
[FileOut] output file handle is not opened, discarding 1333 bytes
=================================================================
==1235145==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62500001b324 at pc 0x7f2384ca859d bp 0x7ffddcfcb4b0 sp 0x7ffddcfcac58
WRITE of size 28416 at 0x62500001b324 thread T0
#0 0x7f2384ca859c in __interceptor_fread ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:989
#1 0x7f2381c712fe in avi_read media_tools/avilib.c:67
#2 0x7f2381c712fe in AVI_read_frame media_tools/avilib.c:2934
#3 0x7f23822628dd in avidmx_process filters/dmx_avi.c:524
#4 0x7f238213d33e in gf_filter_process_task filter_core/filter.c:2971
#5 0x7f23820fc66a in gf_fs_thread_proc filter_core/filter_session.c:1962
#6 0x7f2382109fd6 in gf_fs_run filter_core/filter_session.c:2261
#7 0x7f2381a9fa9d in gf_dasher_process media_tools/dash_segmenter.c:1236
#8 0x55ddba368bb6 in do_dash /home/functionmain/desktop/gpac-master-asan/applications/mp4box/mp4box.c:4825
#9 0x55ddba368bb6 in mp4box_main /home/functionmain/desktop/gpac-master-asan/applications/mp4box/mp4box.c:6239
#10 0x7f237ed4e082 in __libc_start_main ../csu/libc-start.c:308
#11 0x55ddba340f5d in _start (/home/functionmain/desktop/gpac-master-asan/bin/gcc/MP4Box+0xa5f5d)
0x62500001b324 is located 0 bytes to the right of 8740-byte region [0x625000019100,0x62500001b324)
allocated by thread T0 here:
#0 0x7f2384d4a808 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:144
#1 0x7f238206df77 in gf_filter_pck_new_alloc_internal filter_core/filter_pck.c:159
#2 0x7f2382262865 in avidmx_process filters/dmx_avi.c:522
#3 0x7f238213d33e in gf_filter_process_task filter_core/filter.c:2971
#4 0x7f23820fc66a in gf_fs_thread_proc filter_core/filter_session.c:1962
#5 0x7f2382109fd6 in gf_fs_run filter_core/filter_session.c:2261
#6 0x7f2381a9fa9d in gf_dasher_process media_tools/dash_segmenter.c:1236
#7 0x55ddba368bb6 in do_dash /home/functionmain/desktop/gpac-master-asan/applications/mp4box/mp4box.c:4825
#8 0x55ddba368bb6 in mp4box_main /home/functionmain/desktop/gpac-master-asan/applications/mp4box/mp4box.c:6239
#9 0x7f237ed4e082 in __libc_start_main ../csu/libc-start.c:308
SUMMARY: AddressSanitizer: heap-buffer-overflow ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:989 in __interceptor_fread
Shadow bytes around the buggy address:
0x0c4a7fffb610: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c4a7fffb620: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c4a7fffb630: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c4a7fffb640: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c4a7fffb650: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c4a7fffb660: 00 00 00 00[04]fa fa fa fa fa fa fa fa fa fa fa
0x0c4a7fffb670: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c4a7fffb680: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c4a7fffb690: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c4a7fffb6a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c4a7fffb6b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==1235145==ABORTING
This is capable of causing crashes.