
[security]utils/bitstream.c:447 heap UAF in BS_ReadByte #3366

@lionheartys


Description:

When MP4Box processes the POC file and another specific .mp4 file with the -cat option, a heap UAF occurs in BS_ReadByte (utils/bitstream.c:447).

To Reproduce:

Steps to reproduce the behavior:

./MP4Box -cat POC6 white.mp4 -out /dev/null

Output:

ASAN crash report:

==33549==ERROR: AddressSanitizer: heap-use-after-free on address 0x527000003900 at pc 0x7f767c44710e bp 0x7ffc13c01860 sp 0x7ffc13c01850
READ of size 1 at 0x527000003900 thread T0
    #0 0x7f767c44710d in BS_ReadByte utils/bitstream.c:456
    #1 0x7f767c447766 in gf_bs_read_bit utils/bitstream.c:536
    #2 0x7f767c447812 in gf_bs_read_int utils/bitstream.c:568
    #3 0x7f767c755fcc in gf_isom_nalu_get_sample_sap isomedia/avc_ext.c:340
    #4 0x7f767c88fe2e in Media_GetSample isomedia/media.c:684
    #5 0x7f767c829ade in gf_isom_get_sample_ex isomedia/isom_read.c:1962
    #6 0x7f767c829bcf in gf_isom_get_sample isomedia/isom_read.c:1982
    #7 0x563758674900 in cat_isomedia_file /home/youngmith/crashes_analyze/gpac/applications/mp4box/fileimport.c:3134
    #8 0x56375862e1b3 in do_add_cat /home/youngmith/crashes_analyze/gpac/applications/mp4box/mp4box.c:4664
    #9 0x56375862e1b3 in mp4box_main /home/youngmith/crashes_analyze/gpac/applications/mp4box/mp4box.c:6333
    #10 0x5637586317a2 in main /home/youngmith/crashes_analyze/gpac/applications/mp4box/mp4box.c:7081
    #11 0x7f767bf0b1c9 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    #12 0x7f767bf0b28a in __libc_start_main_impl ../csu/libc-start.c:360
    #13 0x563758613e04 in _start (/home/youngmith/crashes_analyze/gpac/bin/gcc/MP4Box+0x50e04) (BuildId: 62bf0b3cd034339c404044710ce637f445c22d77)

0x527000003900 is located 0 bytes inside of 12664-byte region [0x527000003900,0x527000006a78)
freed by thread T0 here:
    #0 0x7f767dbf4778 in realloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:85
    #1 0x7f767c45ac6e in gf_realloc utils/alloc.c:160

previously allocated by thread T0 here:
    #0 0x7f767dbf59c7 in malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:69
    #1 0x7f767c45ac4a in gf_malloc utils/alloc.c:150

SUMMARY: AddressSanitizer: heap-use-after-free utils/bitstream.c:456 in BS_ReadByte
Shadow bytes around the buggy address:
  0x527000003680: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x527000003700: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x527000003780: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x527000003800: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x527000003880: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x527000003900:[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x527000003980: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x527000003a00: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x527000003a80: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x527000003b00: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x527000003b80: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==33549==ABORTING
[1]    33549 IOT instruction (core dumped)  ./MP4Box -cat  /home/youngmith/crashes_analyze/mp4box_cat_inputs/white.mp4

Environment:

./MP4Box -version
MP4Box - GPAC version 2.5-DEV-rev1838-gda4c5f99d-master
(c) 2000-2024 Telecom Paris distributed under LGPL v2.1+ - https://gpac.io

Please cite our work in your research:
        GPAC Filters: https://doi.org/10.1145/3339825.3394929
        GPAC: https://doi.org/10.1145/1291233.1291452

GPAC Configuration: --extra-cflags=-fsanitize=address -g -O1 --extra-ldflags=-fsanitize=address
Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_LINUX_DVB

Additional context:

The UAF (illegal read) happens here:

res = bs->original[bs->position++];

POC6.zip
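As an added illustration, constructed for this report and not GPAC's own code: a minimal byte reader that caches a pointer into a caller-owned buffer, the same shape as bs->original indexed by bs->position in the trace, plus a generation counter the owner bumps on every realloc so the reader refreshes its cached pointer instead of indexing the freed block. The names Buffer, BitReader, buffer_append, reader_bind and reader_read_byte are assumptions.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed example (not GPAC code). The owner reallocates its block;
 * a reader that cached the old pointer would read freed memory, which is
 * the heap-use-after-free pattern in the ASAN report above. */

typedef struct {
    uint8_t *data;
    size_t size;
    unsigned gen;   /* incremented on every (re)allocation */
} Buffer;

typedef struct {
    const Buffer *owner;
    const uint8_t *original;  /* cached pointer; valid only while gen matches */
    size_t position;
    unsigned gen;
} BitReader;

/* Append bytes; realloc may move the block, so bump the generation. */
int buffer_append(Buffer *b, const uint8_t *bytes, size_t n) {
    uint8_t *p = realloc(b->data, b->size + n);
    if (!p) return -1;
    memcpy(p + b->size, bytes, n);
    b->data = p;
    b->size += n;
    b->gen++;
    return 0;
}

void reader_bind(BitReader *r, const Buffer *b) {
    r->owner = b;
    r->original = b->data;
    r->position = 0;
    r->gen = b->gen;
}

/* Returns the next byte (0..255) or -1 at end of data. When the buffer has
 * been reallocated since the pointer was cached, re-fetch it from the owner
 * so the read never goes through a dangling pointer; also bounds-check. */
int reader_read_byte(BitReader *r) {
    if (r->gen != r->owner->gen) {
        r->original = r->owner->data;
        r->gen = r->owner->gen;
    }
    if (r->position >= r->owner->size) return -1;
    return r->original[r->position++];
}

void buffer_free(Buffer *b) { free(b->data); b->data = NULL; b->size = 0; }
```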
