Open
utils/bitstream.c:1184 heap UAF in gf_bs_write_data
Description:
When MP4Box processes the POC file and another specific .mp4 file with the -cat option, a SEGV will occur in gf_bs_write_data (utils/bitstream.c:1184) when it calls memcpy.
To Reproduce:
Steps to reproduce the behavior:
./MP4Box -cat POC8 white.mp4 -out /dev/null
Output:
ASAN crash report:
==60942==ERROR: AddressSanitizer: heap-use-after-free on address 0x510000002e40 at pc 0x7f6870a7a303 bp 0x7ffc9ed7ab10 sp 0x7ffc9ed7a2b8
WRITE of size 36 at 0x510000002e40 thread T0
#0 0x7f6870a7a302 in memcpy ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors_memintrinsics.inc:115
#1 0x7f686f2cd683 in memcpy /usr/include/x86_64-linux-gnu/bits/string_fortified.h:29
#2 0x7f686f2cd683 in gf_bs_write_data utils/bitstream.c:1184
#3 0x7f686f2d1574 in gf_bs_transfer utils/bitstream.c:1816
#4 0x7f686f5e05ed in gf_isom_nalu_sample_rewrite isomedia/avc_ext.c:879
#5 0x7f686f716dd9 in Media_GetSample isomedia/media.c:680
#6 0x7f686f6b0ade in gf_isom_get_sample_ex isomedia/isom_read.c:1962
#7 0x7f686f6b0bcf in gf_isom_get_sample isomedia/isom_read.c:1982
#8 0x55b7e51da900 in cat_isomedia_file /home/youngmith/crashes_analyze/gpac/applications/mp4box/fileimport.c:3134
#9 0x55b7e51941b3 in do_add_cat /home/youngmith/crashes_analyze/gpac/applications/mp4box/mp4box.c:4664
#10 0x55b7e51941b3 in mp4box_main /home/youngmith/crashes_analyze/gpac/applications/mp4box/mp4box.c:6333
#11 0x55b7e51977a2 in main /home/youngmith/crashes_analyze/gpac/applications/mp4box/mp4box.c:7081
#12 0x7f686ed921c9 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
#13 0x7f686ed9228a in __libc_start_main_impl ../csu/libc-start.c:360
#14 0x55b7e5179e04 in _start (/home/youngmith/crashes_analyze/gpac/bin/gcc/MP4Box+0x50e04) (BuildId: 62bf0b3cd034339c404044710ce637f445c22d77)
0x510000002e40 is located 0 bytes inside of 186-byte region [0x510000002e40,0x510000002efa)
freed by thread T0 here:
#0 0x7f6870a7b4d8 in free ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:52
#1 0x7f686f2e1c80 in gf_free utils/alloc.c:165
previously allocated by thread T0 here:
#0 0x7f6870a7c9c7 in malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:69
#1 0x7f686f2e1c4a in gf_malloc utils/alloc.c:150
SUMMARY: AddressSanitizer: heap-use-after-free ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors_memintrinsics.inc:115 in memcpy
Shadow bytes around the buggy address:
0x510000002b80: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x510000002c00: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
0x510000002c80: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x510000002d00: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
0x510000002d80: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa
=>0x510000002e00: fa fa fa fa fa fa fa fa[fd]fd fd fd fd fd fd fd
0x510000002e80: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x510000002f00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x510000002f80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x510000003000: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x510000003080: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==60942==ABORTING
Environment:
./MP4Box -version MP4Box - GPAC version 2.5-DEV-rev1838-gda4c5f99d-master
(c) 2000-2024 Telecom Paris distributed under LGPL v2.1+ - https://gpac.io
Please cite our work in your research:
GPAC Filters: https://doi.org/10.1145/3339825.3394929
GPAC: https://doi.org/10.1145/1291233.1291452
GPAC Configuration: --extra-cflags=-fsanitize=address -g -O1 --extra-ldflags=-fsanitize=address
Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_LINUX_DVB
Additional context:
The UAF happens in:
memcpy(bs->original + bs->position - bs->bytes_out, data, nbBytes);
This may be because the bs->original + bs->position - bs->bytes_out operation points to a memory location that has been freed.
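The following is an added illustration and is not part of the report above nor GPAC's own code. It models the write pattern the report points at (a destination computed as original + position - bytes_out inside a heap buffer that can be freed under the writer) and shows the defensive shape a fix usually takes: invalidate the buffer pointer when the buffer is released, and reject a write whose destination is missing or out of range before memcpy runs. All names (model_bs, model_bs_write_data, model_bs_release_buffer) are hypothetical; the 186-byte buffer and 36-byte write are constructed values chosen to echo the sizes in the ASan report.

```c
/* Added example: minimal model of a bitstream writer with an "original"
 * buffer and a position/bytes_out scheme. Hypothetical names; not GPAC code. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

typedef struct {
    uint8_t *original;   /* start of the backing buffer, NULL once released */
    size_t size;         /* bytes available in original */
    size_t position;     /* logical write position in the stream */
    size_t bytes_out;    /* logical bytes already flushed out of the buffer */
} model_bs;

/* Create a writer backed by a heap buffer of `size` bytes. */
model_bs *model_bs_new(size_t size) {
    model_bs *bs = calloc(1, sizeof(*bs));
    if (!bs) return NULL;
    bs->original = malloc(size);
    if (!bs->original) { free(bs); return NULL; }
    bs->size = size;
    return bs;
}

/* Release the backing buffer and invalidate the pointer, so a later write is
 * rejected instead of reaching freed memory (the condition ASan flagged). */
void model_bs_release_buffer(model_bs *bs) {
    if (!bs) return;
    free(bs->original);
    bs->original = NULL;
    bs->size = 0;
}

/* Guarded write: returns 0 on success, -1 if the buffer is gone, the offset
 * arithmetic would underflow, or the copy would run past the buffer end. */
int model_bs_write_data(model_bs *bs, const uint8_t *data, size_t nbBytes) {
    if (!bs || !bs->original || !data) return -1;
    if (bs->position < bs->bytes_out) return -1;      /* offset would underflow */
    size_t offset = bs->position - bs->bytes_out;
    if (offset > bs->size || nbBytes > bs->size - offset) return -1;
    memcpy(bs->original + offset, data, nbBytes);
    bs->position += nbBytes;
    return 0;
}

void model_bs_del(model_bs *bs) {
    if (!bs) return;
    model_bs_release_buffer(bs);
    free(bs);
}

/* Scenario mirroring the report: write, lose the buffer, write again.
 * Returns 1 when the first write succeeds and the second is rejected. */
int model_scenario(void) {
    static const uint8_t sample[36] = { 0x00, 0x00, 0x00, 0x01, 0x65 }; /* constructed */
    model_bs *bs = model_bs_new(186);
    if (!bs) return -1;
    int first = model_bs_write_data(bs, sample, sizeof sample);   /* accepted */
    model_bs_release_buffer(bs);
    int second = model_bs_write_data(bs, sample, sizeof sample);  /* rejected */
    model_bs_del(bs);
    return (first == 0 && second == -1) ? 1 : 0;
}

int main(void) {
    printf("guarded writer rejected the write after release: %s\n",
           model_scenario() == 1 ? "yes" : "no");
    return 0;
}
```

The point of the model is the ordering: ownership of the buffer is made explicit (the pointer is nulled on release) and every write validates the computed destination against the live buffer before memcpy, which turns the use-after-free into a returned error that the caller can surface.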