Description:
A double-free vulnerability occurs in the MP4Box application during media sample processing. It is triggered when gf_bs_write_data calls realloc on a buffer that has already been freed: memory allocated with malloc is freed twice, causing a crash.
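The trace shows the sample buffer being freed by its owner (gf_isom_sample_del) and then handed to realloc inside gf_bs_write_data, which is what a double-free through two owners of one block looks like. The following is an added example, not GPAC's code: a hypothetical minimal bitstream that never reallocs a borrowed buffer but copies it into memory it owns first, so the real owner can free the original exactly once.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical minimal growable bitstream (not GPAC's gf_bs API) that may
 * wrap a buffer it does not own, such as a sample's data block. */
typedef struct {
    unsigned char *buf;
    size_t size, cap;
    int owns_buf; /* 1: allocated by the bitstream, 0: borrowed from caller */
} bitstream_t;

static void bs_wrap(bitstream_t *bs, unsigned char *data, size_t size) {
    bs->buf = data; bs->size = size; bs->cap = size; bs->owns_buf = 0;
}

/* Append n bytes. A borrowed buffer is never handed to realloc: on first
 * growth it is copied into memory the bitstream owns, so the buffer's real
 * owner can still free it exactly once without colliding with this path. */
static int bs_write_data(bitstream_t *bs, const unsigned char *data, size_t n) {
    if (bs->size + n > bs->cap) {
        size_t new_cap = (bs->size + n) * 2;
        unsigned char *nb = bs->owns_buf ? realloc(bs->buf, new_cap)
                                         : malloc(new_cap);
        if (!nb) return -1;
        if (!bs->owns_buf) memcpy(nb, bs->buf, bs->size);
        bs->buf = nb; bs->cap = new_cap; bs->owns_buf = 1;
    }
    memcpy(bs->buf + bs->size, data, n);
    bs->size += n;
    return 0;
}

/* Replays the ownership sequence from the report safely: a 13-byte sample
 * buffer is wrapped, grown by a 38-byte write, then freed once by its
 * owner. Returns the final bitstream size (13 + 38 = 51), 0 on failure. */
static size_t rewrite_sample_demo(void) {
    unsigned char *sample = malloc(13);  /* constructed sample data */
    unsigned char nal[38] = {0};         /* constructed NAL payload */
    bitstream_t bs;
    size_t out;
    if (!sample) return 0;
    memset(sample, 0xAB, 13);
    bs_wrap(&bs, sample, 13);
    if (bs_write_data(&bs, nal, sizeof nal) != 0) { free(sample); return 0; }
    free(sample);                 /* owner frees once; bs.buf is separate */
    out = bs.size;
    if (bs.owns_buf) free(bs.buf); /* bitstream frees only what it owns */
    return out;
}
```

Run under AddressSanitizer the demo completes cleanly; removing the `owns_buf` check and always calling realloc reproduces the same free-then-realloc pattern the report shows.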
Steps to reproduce the behavior:
./MP4Box -cat POC white.mp4 -out /dev/null
Output:
ASAN-report:
Unrecognized import option 000085,sig, ignoring
Unrecognized import option 06,src, ignoring
Unrecognized import option 000122,time, ignoring
Unrecognized import option 6558001,execs, ignoring
Unrecognized import option 1584531,op, ignoring
Unrecognized import option havoc,rep, ignoring
Unrecognized import option 2, ignoring
IsoMedia import id:000085,sig:06,src:000122,time:6558001,execs:1584531,op:havoc,rep:2 - track ID 1 - Video (size 304 x 176)
Appending file id:000085,sig:06,src:000122,time:6558001,execs:1584531,op:havoc,rep:2
Sample 226 (size 13) rewrite: corrupted NAL Unit (size 101)
Sample 227 (size 13) rewrite: corrupted NAL Unit (size 1701143909)
=================================================================
==871969==ERROR: AddressSanitizer: attempting double-free on 0x60200000a490 in thread T0:
#0 0x7fba5b229c16 in realloc (/usr/lib/llvm-14/lib/clang/14.0.0/lib/linux/libclang_rt.asan-x86_64.so+0xcdc16) (BuildId: a6105a816e63299474c1078329a59ed80f244fbf)
#1 0x7fba5a93b3fc in gf_bs_write_data (/gpac/bin/gcc/libgpac.so.13+0xb93fc) (BuildId: 41c3cd506b1eeffd2fc1d11317679a8494f2ce08)
#2 0x7fba5a93fa43 in gf_bs_transfer (/gpac/bin/gcc/libgpac.so.13+0xbda43) (BuildId: 41c3cd506b1eeffd2fc1d11317679a8494f2ce08)
#3 0x7fba5aa58201 in gf_isom_nalu_sample_rewrite (/gpac/bin/gcc/libgpac.so.13+0x1d6201) (BuildId: 41c3cd506b1eeffd2fc1d11317679a8494f2ce08)
#4 0x7fba5aad3286 in Media_GetSample (/gpac/bin/gcc/libgpac.so.13+0x251286) (BuildId: 41c3cd506b1eeffd2fc1d11317679a8494f2ce08)
#5 0x7fba5aab0a58 in gf_isom_get_sample_ex (/gpac/bin/gcc/libgpac.so.13+0x22ea58) (BuildId: 41c3cd506b1eeffd2fc1d11317679a8494f2ce08)
#6 0x55e3d5d8e96a in cat_isomedia_file (/gpac/bin/gcc/MP4Box+0x4896a) (BuildId: c2866a5cf83375fbe1707d63782199cc11aef195)
#7 0x55e3d5d6c553 in do_add_cat mp4box.c
#8 0x55e3d5d6911b in mp4box_main (/gpac/bin/gcc/MP4Box+0x2311b) (BuildId: c2866a5cf83375fbe1707d63782199cc11aef195)
#9 0x7fba5a67cd8f (/lib/x86_64-linux-gnu/libc.so.6+0x29d8f) (BuildId: d5197096f709801829b118af1b7cf6631efa2dcd)
#10 0x7fba5a67ce3f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x29e3f) (BuildId: d5197096f709801829b118af1b7cf6631efa2dcd)
#11 0x55e3d5d5ddf4 in _start (/gpac/bin/gcc/MP4Box+0x17df4) (BuildId: c2866a5cf83375fbe1707d63782199cc11aef195)
0x60200000a490 is located 0 bytes inside of 13-byte region [0x60200000a490,0x60200000a49d)
freed by thread T0 here:
#0 0x7fba5b229542 in free (/usr/lib/llvm-14/lib/clang/14.0.0/lib/linux/libclang_rt.asan-x86_64.so+0xcd542) (BuildId: a6105a816e63299474c1078329a59ed80f244fbf)
#1 0x7fba5aaada56 in gf_isom_sample_del (/gpac/bin/gcc/libgpac.so.13+0x22ba56) (BuildId: 41c3cd506b1eeffd2fc1d11317679a8494f2ce08)
previously allocated by thread T0 here:
#0 0x7fba5b2297ee in __interceptor_malloc (/usr/lib/llvm-14/lib/clang/14.0.0/lib/linux/libclang_rt.asan-x86_64.so+0xcd7ee) (BuildId: a6105a816e63299474c1078329a59ed80f244fbf)
#1 0x7fba5aad326e in Media_GetSample (/gpac/bin/gcc/libgpac.so.13+0x25126e) (BuildId: 41c3cd506b1eeffd2fc1d11317679a8494f2ce08)
SUMMARY: AddressSanitizer: double-free (/usr/lib/llvm-14/lib/clang/14.0.0/lib/linux/libclang_rt.asan-x86_64.so+0xcdc16) (BuildId: a6105a816e63299474c1078329a59ed80f244fbf) in realloc
Environment:
OS: Linux f14f652592a0 5.4.0-200-generic #220-Ubuntu SMP Fri Sep 27 13:19:16 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux;
Compiler version: Ubuntu clang version 16.0.6;
Build-opts: ./configure --extra-cflags="-g -O1 -fsanitize=address" ;
CPU type: x86_64 ;
MP4Box - GPAC commit hash 7f2e107108e53c19d30cb15d89a8324c9cf980aa ;
MP4Box - GPAC version 2.5-DEV-rev1823-g7f2e10710-master;
Additional context:
See sample in the attachment.
gdb information:
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Unrecognized import option 000085,sig, ignoring
Unrecognized import option 06,src, ignoring
Unrecognized import option 000122,time, ignoring
Unrecognized import option 6558001,execs, ignoring
Unrecognized import option 1584531,op, ignoring
Unrecognized import option havoc,rep, ignoring
Unrecognized import option 2, ignoring
IsoMedia import id:000085,sig:06,src:000122,time:6558001,execs:1584531,op:havoc,rep:2 - track ID 1 - Video (size 304 x 176)
Appending file id:000085,sig:06,src:000122,time:6558001,execs:1584531,op:havoc,rep:2
Sample 226 (size 13) rewrite: corrupted NAL Unit (size 101)
Sample 227 (size 13) rewrite: corrupted NAL Unit (size 1701143909)
free(): double free detected in tcache 20)
Program received signal SIGABRT, Aborted.
0x00007fe35e55c9fc in pthread_kill () from /lib/x86_64-linux-gnu/libc.so.6
(gdb) bt
#0 0x00007fe35e55c9fc in pthread_kill () from /lib/x86_64-linux-gnu/libc.so.6
#1 0x00007fe35e508476 in raise () from /lib/x86_64-linux-gnu/libc.so.6
#2 0x00007fe35e4ee7f3 in abort () from /lib/x86_64-linux-gnu/libc.so.6
#3 0x00007fe35e54f677 in ?? () from /lib/x86_64-linux-gnu/libc.so.6
#4 0x00007fe35e566cfc in ?? () from /lib/x86_64-linux-gnu/libc.so.6
#5 0x00007fe35e5690ab in ?? () from /lib/x86_64-linux-gnu/libc.so.6
#6 0x00007fe35e56abdb in ?? () from /lib/x86_64-linux-gnu/libc.so.6
#7 0x00007fe35e56b909 in realloc () from /lib/x86_64-linux-gnu/libc.so.6
#8 0x00007fe35e7b72a7 in gf_bs_write_data (bs=bs@entry=0x564de22ca2a0, data=data@entry=0x564de22c5d40 "", nbBytes=nbBytes@entry=38) at utils/bitstream.c:1179
#9 0x00007fe35e7bf8e6 in gf_bs_transfer (dst=0x564de22ca2a0, src=0x564de22c1380, keep_src=keep_src@entry=GF_TRUE) at utils/bitstream.c:1816
#10 0x00007fe35e9ec1e4 in gf_isom_nalu_sample_rewrite (mdia=mdia@entry=0x564de22c9550, sample=0x564de22c6380, sampleNumber=sampleNumber@entry=241, entry=<optimized out>) at isomedia/avc_ext.c:879
#11 0x00007fe35eae8159 in Media_GetSample (mdia=0x564de22c9550, sampleNumber=sampleNumber@entry=241, samp=samp@entry=0x7ffd5bba0b38, sIDX=sIDX@entry=0x7ffd5bba0b44, no_data=no_data@entry=GF_FALSE, out_offset=out_offset@entry=0x0,
ext_realloc=GF_FALSE) at isomedia/media.c:680
#12 0x00007fe35ea9cdce in gf_isom_get_sample_ex (the_file=0x564de22c07d0, trackNumber=<optimized out>, sampleNumber=241, sampleDescriptionIndex=0x7ffd5bba0bd8, static_sample=0x0, data_offset=0x0) at isomedia/isom_read.c:1962
#13 0x0000564db3dee48a in cat_isomedia_file (dest=dest@entry=0x564de22bc1a0, fileName=fileName@entry=0x7ffd5bba269d "id:000085,sig:06,src:000122,time:6558001,execs:1584531,op:havoc,rep:2", import_flags=import_flags@entry=0,
force_fps=..., frames_per_sample=<optimized out>, force_cat=GF_FALSE, align_timelines=GF_TRUE, allow_add_in_command=GF_FALSE, is_pl=GF_FALSE) at fileimport.c:3134
#14 0x0000564db3db10fc in do_add_cat (argc=<optimized out>, argc@entry=6, argv=<optimized out>, argv@entry=0x7ffd5bba1fb8) at mp4box.c:4664
#15 0x0000564db3daa0cf in mp4box_main (argc=6, argv=0x7ffd5bba1fb8) at mp4box.c:6333
#16 0x00007fe35e4efd90 in ?? () from /lib/x86_64-linux-gnu/libc.so.6
#17 0x00007fe35e4efe40 in __libc_start_main () from /lib/x86_64-linux-gnu/libc.so.6
#18 0x0000564db3d97f75 in _start ()
(gdb) list
7067
7068
7069 err_exit:
7070 /*close libgpac*/
7071 if (file) gf_isom_delete(file);
7072 M4_LOG(GF_LOG_ERROR, ("\n\tError: %s\n", gf_error_to_string(e)));
7073 return mp4box_cleanup(1);
7074
7075 exit:
7076 return mp4box_cleanup(0);