History: May 18, 2023 - 5:57 a.m.

OOB Read segfault

2023-05-18 05:57:16
coolkingcole
www.huntr.dev
addresssanitizer
debian gnu/linux
segmentationfault
filter_session.c
crash_file
mp4box
asan
bounded_loop
debugging
dasher_event
poc_file
blacklisting
media_tools
dash_segmenter
gf_filter_update_status
filein_process
transaction_note
dasher_process

EPSS: 0.001 (Low)
Percentile: 47.8%

Environment

Distributor ID:	Debian
Description:	Debian GNU/Linux bookworm/sid
Release:	n/a
Codename:	bookworm

Version

I checked against the latest release as of 05/18/23, the current master branch at commit a6ae93532ea5615c876c81a6580badbfa01d4383.

Description

This AddressSanitizer output is indicating that an out-of-bounds read occurred in the function gf_filter_get_stats at line 4149 in the file filter_session.c. A bit of debugging leads me to think that the loop at line 4131 is improperly bounded, since at the crash the loop iterator i equals 0xffff4f07:

for (i=0; i<f->num_input_pids; i++)  

POC

AFL_MAP_SIZE=260000 ./MP4Box -dash 1000 ./crash_file

POC File

ASAN

[Dasher] No template assigned, using $File$_dash$FS$$Number$
Failed to connect filter fin PID crash_file to filter rfmpgvid: Feature Not Supported
Blacklisting rfmpgvid as output from fin and retrying connections
[MP4Mux] muxing codecID 0 not yet implemented - patch welcome
Failed to connect filter dasher PID crash_file to filter mp4mx: Feature Not Supported
Blacklisting mp4mx as output from dasher and retrying connections
AddressSanitizer:DEADLYSIGNAL
=================================================================
==2980979==ERROR: AddressSanitizer: SEGV on unknown address 0x00000000009c (pc 0x7ffff6d5968a bp 0x0c2600000200 sp 0x7fffffff4f90 T0)
==2980979==The signal is caused by a READ memory access.
==2980979==Hint: address points to the zero page.
    #0 0x7ffff6d5968a in gf_filter_get_stats /path/to/gpac/src/filter_core/filter_session.c:4149:32
    #1 0x7ffff660b68b in on_dasher_event /path/to/gpac/src/media_tools/dash_segmenter.c:501:8
    #2 0x7ffff6d51fc9 in gf_fs_ui_event /path/to/gpac/src/filter_core/filter_session.c:4180:8
    #3 0x7ffff6d831da in gf_filter_update_status /path/to/gpac/src/filter_core/filter.c:4738:2
    #4 0x7ffff6f74b0a in filein_process /path/to/gpac/src/filters/in_file.c:699:3
    #5 0x7ffff6d74d05 in gf_filter_process_task /path/to/gpac/src/filter_core/filter.c:2894:7
    #6 0x7ffff6d4153c in gf_fs_thread_proc /path/to/gpac/src/filter_core/filter_session.c:1962:3
    #7 0x7ffff6d3fd2f in gf_fs_run /path/to/gpac/src/filter_core/filter_session.c:2264:3
    #8 0x7ffff660245a in gf_dasher_process /path/to/gpac/src/media_tools/dash_segmenter.c:1236:6
    #9 0x5555556c15fc in do_dash /path/to/gpac/applications/mp4box/mp4box.c:4825:15
    #10 0x5555556b2a8e in mp4box_main /path/to/gpac/applications/mp4box/mp4box.c:6236:7
    #11 0x7ffff5846189 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #12 0x7ffff5846244 in __libc_start_main csu/../csu/libc-start.c:381:3
    #13 0x5555555dad30 in _start (/path/to/gpac/new_pull_2_build/bin/gcc/MP4Box+0x86d30) (BuildId: 764c86f2d59b4db3d4590a720eca33bd143620a7)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /path/to/gpac/src/filter_core/filter_session.c:4149:32 in gf_filter_get_stats
==2980979==ABORTING
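Added triage helper (not part of this report or of GPAC): a small parser for an ASan SEGV report like the one above. It pulls out the access kind, fault address and symbolized frames, labels a zero-page fault as a NULL-based dereference (the address is then the offset of the field being read), and derives a dedup key from the first in-project frame so repeated fuzzer crashes can be bucketed. The sample text is constructed from the lines above; the project root prefix is an assumption.

```python
import re
from dataclasses import dataclass, field
# Constructed sample: the first lines of the ASan report above, cut to two frames.
SAMPLE_ASAN = """\
==2980979==ERROR: AddressSanitizer: SEGV on unknown address 0x00000000009c (pc 0x7ffff6d5968a bp 0x0c2600000200 sp 0x7fffffff4f90 T0)
==2980979==The signal is caused by a READ memory access.
==2980979==Hint: address points to the zero page.
    #0 0x7ffff6d5968a in gf_filter_get_stats /path/to/gpac/src/filter_core/filter_session.c:4149:32
    #1 0x7ffff660b68b in on_dasher_event /path/to/gpac/src/media_tools/dash_segmenter.c:501:8
SUMMARY: AddressSanitizer: SEGV /path/to/gpac/src/filter_core/filter_session.c:4149:32 in gf_filter_get_stats
"""
ERROR_RE = re.compile(r"ERROR: AddressSanitizer: (\S+) on (?:unknown )?address 0x([0-9a-f]+)", re.I)
ACCESS_RE = re.compile(r"caused by a (READ|WRITE) memory access")
FRAME_RE = re.compile(r"^\s*#\d+ 0x[0-9a-f]+ in (\S+) (\S+?):(\d+)(?::\d+)?\s*$", re.I)

@dataclass
class AsanCrash:
    kind: str                   # SEGV, heap-buffer-overflow, ...
    address: int                # faulting address
    access: str = "UNKNOWN"     # READ or WRITE
    zero_page: bool = False     # ASan's "address points to the zero page" hint
    frames: list = field(default_factory=list)  # [(function, file, line), ...]

    def classify(self):
        # A SEGV on the zero page is a NULL-based dereference: the fault address is
        # the offset of the struct field that was read, not a random wild pointer.
        if self.kind == "SEGV" and (self.zero_page or self.address < 0x1000):
            return f"null-deref {self.access} at offset 0x{self.address:x}"
        if self.kind == "SEGV":
            return f"wild-pointer {self.access} at 0x{self.address:x}"
        return self.kind

    def bucket(self, project_root):
        # Dedup key for fuzzing triage: first frame inside the project tree
        # (assumed root prefix), skipping libc / sanitizer runtime frames.
        for func, path, line in self.frames:
            if path.startswith(project_root):
                return f"{func}@{path.rsplit('/', 1)[-1]}:{line}"
        return None

def parse_asan(text):
    crash = None
    for raw in text.splitlines():
        if m := ERROR_RE.search(raw):
            crash = AsanCrash(kind=m.group(1), address=int(m.group(2), 16))
        elif crash is None:
            continue
        elif m := ACCESS_RE.search(raw):
            crash.access = m.group(1)
        elif "points to the zero page" in raw:
            crash.zero_page = True
        elif m := FRAME_RE.match(raw):
            crash.frames.append((m.group(1), m.group(2), int(m.group(3))))
    return crash
```

Running it on the sample yields the bucket key gf_filter_get_stats@filter_session.c:4149 and the label "null-deref READ at offset 0x9c", which is the check worth doing before treating a zero-page SEGV as a true out-of-bounds array read.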
