Thanks for reporting your issue. Please make sure these boxes are checked before submitting your issue - thank you!
Detailed guidelines: http://gpac.io/2013/07/16/how-to-file-a-bug-properly/
Hi GPAC Team,
I found 3 new UAF bugs on the lastest commit 56eaea8 of GPAC version 0.8.0.
I think it is probably due to an imcomplete fix of the UAF bug #1340. Actually, these new bugs share the same buggy function which is gf_isom_box_del() in src/isomedia/box_funcs.c with #1340, but have different alloc function esds_New() in src/isomedia/box_code_base.c (instead of stco_New()).
Command: MP4Box -info $POC or MP4Box -diso $POC
1) UAF Bug 1
PoC: https://github.com/strongcourage/PoCs/blob/master/gpac_56eaea8/uaf1
ASAN says:
=================================================================
==31565==ERROR: AddressSanitizer: heap-use-after-free on address 0x60400000dde8 at pc 0x0000006c601e bp 0x7fff726c3b70 sp 0x7fff726c3b60
READ of size 8 at 0x60400000dde8 thread T0
#0 0x6c601d in gf_isom_box_del /home/dungnguyen/fuzz/gpac/src/isomedia/box_funcs.c:1504
#1 0x6c5f5e in gf_isom_box_array_del /home/dungnguyen/fuzz/gpac/src/isomedia/box_funcs.c:272
#2 0x6c5f5e in gf_isom_box_del /home/dungnguyen/fuzz/gpac/src/isomedia/box_funcs.c:1520
#3 0x6c5f5e in gf_isom_box_array_del /home/dungnguyen/fuzz/gpac/src/isomedia/box_funcs.c:272
#4 0x6c5f5e in gf_isom_box_del /home/dungnguyen/fuzz/gpac/src/isomedia/box_funcs.c:1520
#5 0x6c5f5e in gf_isom_box_array_del /home/dungnguyen/fuzz/gpac/src/isomedia/box_funcs.c:272
#6 0x6c5f5e in gf_isom_box_del /home/dungnguyen/fuzz/gpac/src/isomedia/box_funcs.c:1520
#7 0x6c5f5e in gf_isom_box_array_del /home/dungnguyen/fuzz/gpac/src/isomedia/box_funcs.c:272
#8 0x6c5f5e in gf_isom_box_del /home/dungnguyen/fuzz/gpac/src/isomedia/box_funcs.c:1520
#9 0x6c72cd in gf_isom_box_array_read_ex /home/dungnguyen/fuzz/gpac/src/isomedia/box_funcs.c:1427
#10 0xae0b0f in mdia_Read /home/dungnguyen/fuzz/gpac/src/isomedia/box_code_base.c:3021
#11 0x6c6456 in gf_isom_box_read /home/dungnguyen/fuzz/gpac/src/isomedia/box_funcs.c:1532
#12 0x6c6456 in gf_isom_box_parse_ex /home/dungnguyen/fuzz/gpac/src/isomedia/box_funcs.c:210
#13 0x6c6e02 in gf_isom_box_array_read_ex /home/dungnguyen/fuzz/gpac/src/isomedia/box_funcs.c:1425
#14 0xaeffe8 in trak_Read /home/dungnguyen/fuzz/gpac/src/isomedia/box_code_base.c:7188
#15 0x6c6456 in gf_isom_box_read /home/dungnguyen/fuzz/gpac/src/isomedia/box_funcs.c:1532
#16 0x6c6456 in gf_isom_box_parse_ex /home/dungnguyen/fuzz/gpac/src/isomedia/box_funcs.c:210
#17 0x6c6e02 in gf_isom_box_array_read_ex /home/dungnguyen/fuzz/gpac/src/isomedia/box_funcs.c:1425
#18 0xae3444 in moov_Read /home/dungnguyen/fuzz/gpac/src/isomedia/box_code_base.c:3749
#19 0x6c7764 in gf_isom_box_read /home/dungnguyen/fuzz/gpac/src/isomedia/box_funcs.c:1532
#20 0x6c7764 in gf_isom_box_parse_ex /home/dungnguyen/fuzz/gpac/src/isomedia/box_funcs.c:210
#21 0x6c7fb4 in gf_isom_parse_root_box /home/dungnguyen/fuzz/gpac/src/isomedia/box_funcs.c:42
#22 0x6dd940 in gf_isom_parse_movie_boxes /home/dungnguyen/fuzz/gpac/src/isomedia/isom_intern.c:207
#23 0x6e05d3 in gf_isom_parse_movie_boxes /home/dungnguyen/fuzz/gpac/src/isomedia/isom_intern.c:195
#24 0x6e05d3 in gf_isom_open_file /home/dungnguyen/fuzz/gpac/src/isomedia/isom_intern.c:616
#25 0x43375d in mp4boxMain /home/dungnguyen/fuzz/gpac/applications/mp4box/main.c:4814
#26 0x7fca8b87382f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#27 0x41e4f8 in _start (/home/dungnguyen/PoCs/gpac_new/MP4Box+0x41e4f8)
0x60400000dde8 is located 24 bytes inside of 48-byte region [0x60400000ddd0,0x60400000de00)
freed by thread T0 here:
#0 0x7fca8c61732a in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x9832a)
#1 0x6c5f9f in gf_isom_box_del /home/dungnguyen/fuzz/gpac/src/isomedia/box_funcs.c:1512
previously allocated by thread T0 here:
#0 0x7fca8c617662 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98662)
#1 0xadb68d in esds_New /home/dungnguyen/fuzz/gpac/src/isomedia/box_code_base.c:1287
SUMMARY: AddressSanitizer: heap-use-after-free /home/dungnguyen/fuzz/gpac/src/isomedia/box_funcs.c:1504 gf_isom_box_del
Thanks for reporting your issue. Please make sure these boxes are checked before submitting your issue - thank you!
Detailed guidelines: http://gpac.io/2013/07/16/how-to-file-a-bug-properly/
Hi GPAC Team,
I found 3 new UAF bugs on the lastest commit 56eaea8 of GPAC version 0.8.0.
I think it is probably due to an imcomplete fix of the UAF bug #1340. Actually, these new bugs share the same buggy function which is
gf_isom_box_del()in src/isomedia/box_funcs.c with #1340, but have different alloc functionesds_New()insrc/isomedia/box_code_base.c(instead ofstco_New()).Command:
MP4Box -info $POCorMP4Box -diso $POC1) UAF Bug 1
PoC: https://github.com/strongcourage/PoCs/blob/master/gpac_56eaea8/uaf1
ASAN says: