Description

heap-use-after-free in MP4Box.

Version

$ ./bin/gcc/MP4Box -version
MP4Box - GPAC version 2.3-DEV-revrelease
(c) 2000-2023 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io

Please cite our work in your research:
	GPAC Filters: https://doi.org/10.1145/3339825.3394929
	GPAC: https://doi.org/10.1145/1291233.1291452

GPAC Configuration: --enable-sanitizer
Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SSL GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_LINUX_DVB  GPAC_DISABLE_3D

Reproduce

complie and run

./configure --enable-sanitizer
make

Proof of Concept

./bin/gcc/MP4Box -dash 1000 -out /dev/null ./crash000024

POC_crash000024 is here.

ASAN

information reported by sanitizer

$ ./bin/gcc/MP4Box -dash 1000 ./crash000024
[Dasher] No template assigned, using $File$_dash$FS$$Number$
[Dasher] No bitrate property assigned to PID crash000024, computing from bitstream
[Dasher] No bitrate property assigned to PID crash000024, computing from bitstream
[RFC6381] Cannot find M4V config, using default mp4v.20
[Dasher] No bitrate property assigned to PID crash000024, computing from bitstream
[Dasher] PID crash000024 config changed during active period, forcing period switch
[MPD] Generating MPD at time 2023-09-01T02:57:51.085Z
[Dasher] End of Period 
[MP4Mux] PID has no input packet and configuration not known after 10 retries, aborting initial timing sync
[Dasher] No bitrate property assigned to PID crash000024, computing from bitstream
[Dasher] PID crash000024 config changed during active period, forcing period switch
[MPD] Generating MPD at time 2023-09-01T02:57:51.088Z
[Dasher] End of Period 
[RFC6381] Cannot find M4V config, using default mp4v.20
[Dasher] Representation not initialized, dropping non-SAP1/2 packet CTS 11000/29667
[Dasher] No bitrate property assigned to PID crash000024, computing from bitstream
[Dasher] PID crash000024 config changed during active period, forcing period switch
[MP4Mux] PID has no input packet and configuration not known after 10 retries, aborting initial timing sync
[MP4Mux] Unable to setup fragmentation for track ID 0: Bad Parameter
[MPD] Generating MPD at time 2023-09-01T02:57:51.090Z
[Dasher] End of Period 
[Dasher] Representation not initialized, dropping non-SAP1/2 packet CTS 12000/29667
[Dasher] Representation not initialized, dropping non-SAP1/2 packet CTS 13000/29667
[Dasher] Representation not initialized, dropping non-SAP1/2 packet CTS 14000/29667
[Dasher] Representation not initialized, dropping non-SAP1/2 packet CTS 15000/29667
[Dasher] Representation not initialized, dropping non-SAP1/2 packet CTS 16000/29667
[Dasher] Representation not initialized, dropping non-SAP1/2 packet CTS 17000/29667
[Dasher] Representation not initialized, dropping non-SAP1/2 packet CTS 18000/29667
[Dasher] Representation not initialized, dropping non-SAP1/2 packet CTS 19000/29667
[Dasher] Representation not initialized, dropping non-SAP1/2 packet CTS 20000/29667
[Dasher] Representation not initialized, dropping non-SAP1/2 packet CTS 21000/29667
[Dasher] No bitrate property assigned to PID crash000024, computing from bitstream
[Dasher] PID crash000024 config changed during active period, forcing period switch
[MPD] Generating MPD at time 2023-09-01T02:57:51.093Z
[Dasher] End of Period 
[RFC6381] Cannot find M4V config, using default mp4v.20
[Dasher] Representation not initialized, dropping non-SAP1/2 packet CTS 22000/29667
[Dasher] No bitrate property assigned to PID crash000024, computing from bitstream
=================================================================
==416525==ERROR: AddressSanitizer: heap-use-after-free on address 0x617000012b40 at pc 0x7f561b9e449d bp 0x7ffd43a3c280 sp 0x7ffd43a3c270
READ of size 8 at 0x617000012b40 thread T0
    #0 0x7f561b9e449c in mp4_mux_process_fragmented filters/mux_isom.c:6634
    #1 0x7f561b9e449c in mp4_mux_process filters/mux_isom.c:7207
    #2 0x7f561b66adbe in gf_filter_process_task filter_core/filter.c:2971
    #3 0x7f561b62a0ea in gf_fs_thread_proc filter_core/filter_session.c:1962
    #4 0x7f561b637a56 in gf_fs_run filter_core/filter_session.c:2261
    #5 0x7f561afcd03d in gf_dasher_process media_tools/dash_segmenter.c:1236
    #6 0x55c711eb7c26 in do_dash /home/functionmain/Desktop/gpac-master-asan/applications/mp4box/mp4box.c:4825
    #7 0x55c711eb7c26 in mp4box_main /home/functionmain/Desktop/gpac-master-asan/applications/mp4box/mp4box.c:6239
    #8 0x7f5618279082 in __libc_start_main ../csu/libc-start.c:308
    #9 0x55c711e8ffcd in _start (/home/functionmain/Desktop/gpac-master-asan/bin/gcc/MP4Box+0xa5fcd)

0x617000012b40 is located 320 bytes inside of 672-byte region [0x617000012a00,0x617000012ca0)
freed by thread T0 here:
    #0 0x7f561e27a40f in __interceptor_free ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:122
    #1 0x7f561b9d9b86 in mp4_mux_configure_pid filters/mux_isom.c:3994
    #2 0x7f561b5f941e in gf_filter_pid_configure filter_core/filter_pid.c:876
    #3 0x7f561b601505 in gf_filter_pid_disconnect_task filter_core/filter_pid.c:1285
    #4 0x7f561b62a0ea in gf_fs_thread_proc filter_core/filter_session.c:1962
    #5 0x7f561b637a56 in gf_fs_run filter_core/filter_session.c:2261
    #6 0x7f561afcd03d in gf_dasher_process media_tools/dash_segmenter.c:1236
    #7 0x55c711eb7c26 in do_dash /home/functionmain/Desktop/gpac-master-asan/applications/mp4box/mp4box.c:4825
    #8 0x55c711eb7c26 in mp4box_main /home/functionmain/Desktop/gpac-master-asan/applications/mp4box/mp4box.c:6239
    #9 0x7f5618279082 in __libc_start_main ../csu/libc-start.c:308

previously allocated by thread T0 here:
    #0 0x7f561e27a808 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:144
    #1 0x7f561b9bf53d in mp4_mux_setup_pid filters/mux_isom.c:1078
    #2 0x7f561b5f941e in gf_filter_pid_configure filter_core/filter_pid.c:876
    #3 0x7f561b601dee in gf_filter_pid_connect_task filter_core/filter_pid.c:1230
    #4 0x7f561b62a0ea in gf_fs_thread_proc filter_core/filter_session.c:1962
    #5 0x7f561b637a56 in gf_fs_run filter_core/filter_session.c:2261
    #6 0x7f561afcd03d in gf_dasher_process media_tools/dash_segmenter.c:1236
    #7 0x55c711eb7c26 in do_dash /home/functionmain/Desktop/gpac-master-asan/applications/mp4box/mp4box.c:4825
    #8 0x55c711eb7c26 in mp4box_main /home/functionmain/Desktop/gpac-master-asan/applications/mp4box/mp4box.c:6239
    #9 0x7f5618279082 in __libc_start_main ../csu/libc-start.c:308

SUMMARY: AddressSanitizer: heap-use-after-free filters/mux_isom.c:6634 in mp4_mux_process_fragmented
Shadow bytes around the buggy address:
  0x0c2e7fffa510: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2e7fffa520: fd fd fd fd fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2e7fffa530: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2e7fffa540: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2e7fffa550: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0c2e7fffa560: fd fd fd fd fd fd fd fd[fd]fd fd fd fd fd fd fd
  0x0c2e7fffa570: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2e7fffa580: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2e7fffa590: fd fd fd fd fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2e7fffa5a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2e7fffa5b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==416525==ABORTING

Impact

This is capable of causing crashes.

References

POC_crash000024 is here.