huntr report 52F95EDC-CC03-4A9F-9BF8-74F641260073
Reported by coolkingcole on www.huntr.dev, May 29, 2023 - 4:23 p.m.

OOB read from unchecked return

5
Tags: debian gnu/linux, oob read, mp4, avcconfig, error handling, addresssanitizer

EPSS: 0.0004 (Low), percentile 9.0%

Environment

Distributor ID:	Debian
Description:	Debian GNU/Linux bookworm/sid

Version

I checked against the latest release as of 05/29/23, the current master branch at commit 4f810869b06b5d7b0cb73d166864dfb4b1e900f6.

Description

This AddressSanitizer output reports a SEGV on a read from address 0x8. Despite the report title, this is a NULL pointer dereference rather than an out-of-bounds heap read: ASAN notes that the address lies in the zero page, and 0x8 is consistent with reading the sequenceParameterSets pointer, which sits at offset 8 of GF_AVCConfig on a 64-bit build, through a NULL struct pointer. The crash occurs in the function dasher_configure_pid at line 1418 of dasher.c. The root cause is that the call to gf_odf_avc_cfg_read on the preceding line returns NULL when the decoder configuration cannot be parsed, and that result is never checked before the call to gf_list_get.
The NULL is stored in the variable avccfg and then dereferenced like this:

avccfg->sequenceParameterSets  

The fix is to check the return value of gf_odf_avc_cfg_read at every call site and abort the PID configuration with an error when it is NULL, or alternatively to change gf_odf_avc_cfg_read itself so that a fatal parse error is reported cleanly instead of leaving callers to dereference a NULL pointer. The same unchecked pattern appears at the similar code sites listed below.

GF_AVCConfig* avccfg = gf_odf_avc_cfg_read(dsi->value.data.ptr, dsi->value.data.size);  
//The provided testcase causes avccfg to equal 0.
GF_NALUFFParam *sl = (GF_NALUFFParam *)gf_list_get(avccfg->sequenceParameterSets, 0); // the deref that causes the asan output is here
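The following is an added, self-contained C example written for this write-up; it is not GPAC code. It models the pattern above with a hypothetical avcC (AVCDecoderConfigurationRecord) parser avc_cfg_read that, like gf_odf_avc_cfg_read on the testcase, returns NULL on malformed input, and places the vulnerable caller shape (configure_pid_unchecked) next to the hardened one (configure_pid_checked). AVCConfig, avc_cfg_read, both configure_pid_* functions and the GOOD_AVCC sample bytes are constructed for the example; the struct layout is chosen so that the first non-byte field lands at offset 8, matching the faulting address ASAN reported.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical stand-in for GPAC's GF_AVCConfig (not GPAC's own code): five u8
 * fields followed by an 8-byte-aligned field, so the first list sits at offset 8,
 * which is the address ASAN reported when the struct pointer was NULL. */
typedef struct {
    uint8_t configurationVersion;
    uint8_t AVCProfileIndication;
    uint8_t profile_compatibility;
    uint8_t AVCLevelIndication;
    uint8_t nal_unit_size;
    size_t  num_sps;   /* stand-in for the sequenceParameterSets list */
    size_t  num_pps;   /* stand-in for the pictureParameterSets list */
} AVCConfig;

/* Bounds-checked big-endian u16 read; returns 0 on truncation. */
static int read_u16(const uint8_t *buf, size_t size, size_t *pos, uint16_t *out) {
    if (*pos + 2 > size) return 0;
    *out = (uint16_t)((buf[*pos] << 8) | buf[*pos + 1]);
    *pos += 2;
    return 1;
}

/* Walk `count` length-prefixed parameter sets; returns 0 if any overruns the buffer. */
static int skip_param_sets(const uint8_t *buf, size_t size, size_t *pos, size_t count) {
    for (size_t i = 0; i < count; i++) {
        uint16_t len;
        if (!read_u16(buf, size, pos, &len)) return 0;
        if (*pos + len > size) return 0;
        *pos += len;
    }
    return 1;
}

/* Parse an avcC record. Returns NULL on any malformed input, which is the
 * outcome the caller in dasher.c fails to account for. Caller frees the result. */
AVCConfig *avc_cfg_read(const uint8_t *buf, size_t size) {
    if (!buf || size < 6 || buf[0] != 1) return NULL;   /* too short or bad configurationVersion */
    AVCConfig *cfg = calloc(1, sizeof *cfg);
    if (!cfg) return NULL;
    cfg->configurationVersion  = buf[0];
    cfg->AVCProfileIndication  = buf[1];
    cfg->profile_compatibility = buf[2];
    cfg->AVCLevelIndication    = buf[3];
    cfg->nal_unit_size         = (uint8_t)((buf[4] & 0x03) + 1);
    cfg->num_sps               = buf[5] & 0x1f;
    size_t pos = 6;
    if (!skip_param_sets(buf, size, &pos, cfg->num_sps) || pos >= size) { free(cfg); return NULL; }
    cfg->num_pps = buf[pos++];
    if (!skip_param_sets(buf, size, &pos, cfg->num_pps)) { free(cfg); return NULL; }
    return cfg;
}

/* Vulnerable shape, mirroring the two dasher.c lines quoted above: the return
 * value is used without a NULL check, so malformed dsi reads offset 8 of address 0. */
size_t configure_pid_unchecked(const uint8_t *dsi, size_t dsi_size) {
    AVCConfig *cfg = avc_cfg_read(dsi, dsi_size);
    size_t n = cfg->num_sps;   /* SEGV when avc_cfg_read returned NULL */
    free(cfg);
    return n;
}

/* Hardened shape: treat a NULL config as a bitstream error and refuse the PID
 * instead of dereferencing it. */
int configure_pid_checked(const uint8_t *dsi, size_t dsi_size, size_t *num_sps) {
    AVCConfig *cfg = avc_cfg_read(dsi, dsi_size);
    if (!cfg) {
        fprintf(stderr, "[Dasher] cannot parse AVC decoder config, refusing PID\n");
        return -1;   /* stand-in for returning a GPAC error such as GF_NON_COMPLIANT_BITSTREAM */
    }
    *num_sps = cfg->num_sps;
    free(cfg);
    return 0;
}

/* Constructed sample (not from the testcase): a well-formed avcC with one
 * 4-byte SPS and one 2-byte PPS. Truncating it mid-parameter-set makes the
 * parser return NULL, which is the condition the fix must handle. */
static const uint8_t GOOD_AVCC[] = {
    0x01, 0x64, 0x00, 0x1F, 0xFF, 0xE1,   /* version=1, profile, compat, level, lengthSize, numSPS=1 */
    0x00, 0x04, 0x67, 0x64, 0x00, 0x1F,   /* SPS length 4 + payload */
    0x01, 0x00, 0x02, 0x68, 0xEE          /* numPPS=1, PPS length 2 + payload */
};

int main(void) {
    size_t n = 0;
    printf("full record: rc=%d sps=%zu\n", configure_pid_checked(GOOD_AVCC, sizeof GOOD_AVCC, &n), n);
    printf("truncated:   rc=%d\n", configure_pid_checked(GOOD_AVCC, 10, &n));
    return 0;
}
```

The hardened caller is the shape to apply at the three similar sites listed below as well: a parser that can return NULL on attacker-controlled input must have that NULL turned into an error at every call site, not only the one the fuzzer happened to hit.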

POC

./MP4Box -dash 1000 ./POC3_config4

POC File

ASAN

./bin/gcc/MP4Box -dash 1000 ../d_test_min

[BS] Attempt to overread bitstream
[Core] exp-golomb read failed, not enough bits in bitstream !
[AVC|H264] Error parsing NAL unit type 13
[Dasher] No template assigned, using $File$_dash$FS$$Number$
[Dasher] No bitrate property assigned to PID d_test_min, computing from bitstream
[Dasher] No bitrate property assigned to PID d_test_min, computing from bitstream
[AVC] Wrong param set size 1
AddressSanitizer:DEADLYSIGNAL
=================================================================
==934039==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000008 (pc 0x7ffff6de6190 bp 0x7fffffff4fb0 sp 0x7ffffffc4ae0 T0)
==934039==The signal is caused by a READ memory access.
==934039==Hint: address points to the zero page.
    #0 0x7ffff6de6190 in dasher_configure_pid /path/to/gpac/src/filters/dasher.c:1418:64
    #1 0x7ffff6cd87d5 in gf_filter_pid_configure /path/to/gpac/src/filter_core/filter_pid.c:860:6
    #2 0x7ffff6d061b3 in filter_pck_check_prop_change /path/to/gpac/src/filter_core/filter_pid.c:6157:9
    #3 0x7ffff6cdd0b8 in gf_filter_pid_get_packet /path/to/gpac/src/filter_core/filter_pid.c:6206:6
    #4 0x7ffff6e1e08a in dasher_switch_period /path/to/gpac/src/filters/dasher.c:6111:3
    #5 0x7ffff6ddf178 in dasher_process /path/to/gpac/src/filters/dasher.c:9490:6
    #6 0x7ffff6d7bae5 in gf_filter_process_task /path/to/gpac/src/filter_core/filter.c:2894:7
    #7 0x7ffff6d4830c in gf_fs_thread_proc /path/to/gpac/src/filter_core/filter_session.c:1962:3
    #8 0x7ffff6d46aff in gf_fs_run /path/to/gpac/src/filter_core/filter_session.c:2264:3
    #9 0x7ffff6607cfa in gf_dasher_process /path/to/gpac/src/media_tools/dash_segmenter.c:1236:6
    #10 0x5555556c161c in do_dash /path/to/gpac/applications/mp4box/mp4box.c:4825:15
    #11 0x5555556b2aae in mp4box_main /path/to/gpac/applications/mp4box/mp4box.c:6236:7
    #12 0x7ffff5846189 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #13 0x7ffff5846244 in __libc_start_main csu/../csu/libc-start.c:381:3
    #14 0x5555555dad50 in _start (/path/to/gpac/bin/gcc/MP4Box+0x86d50) (BuildId: 4f810869b06b5d7b0cb73d166864dfb4b1e900f6)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /path/to/gpac/src/filters/dasher.c:1418:64 in dasher_configure_pid
==934039==ABORTING

Testcase crashes:
https://github.com/gpac/gpac/blob/4b28f33967d63c1039f31efd0bcf04a35894ff67/src/filters/dasher.c#L1417-L1418
Similar code sites:
https://github.com/gpac/gpac/blob/4b28f33967d63c1039f31efd0bcf04a35894ff67/src/filters/mux_isom.c#L2561-L2565
https://github.com/gpac/gpac/blob/4b28f33967d63c1039f31efd0bcf04a35894ff67/src/filters/dec_vtb.c#L1096-L1097
https://github.com/gpac/gpac/blob/4b28f33967d63c1039f31efd0bcf04a35894ff67/src/filters/dec_mediacodec.c#L665-L666

