Heap-buffer-overflow (4-byte WRITE into a 1-byte heap region) in swf_def_font, scene_manager/swf_parse.c:1449, reached through MP4Box -dash on a crafted SWF file.
$ ./bin/gcc/MP4Box -version
MP4Box - GPAC version 2.3-DEV-revrelease
(c) 2000-2023 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
Please cite our work in your research:
GPAC Filters: https://doi.org/10.1145/3339825.3394929
GPAC: https://doi.org/10.1145/1291233.1291452
GPAC Configuration: --enable-sanitizer
Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SSL GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_LINUX_DVB GPAC_DISABLE_3D
Compile and run (the PoC file is crash000394, as in the sanitizer output below):
./configure --enable-sanitizer
make
./bin/gcc/MP4Box -dash 1000 -out /dev/null ./crash000394
POC_crash000394 is here
Information reported by the sanitizer:
$ ./bin/gcc/MP4Box -dash 1000 ./crash000394
SWF Import - Scene Size 37.7x-30.65 - 512 frames @ 0 FPS
[TXTIn] swf -> svg not fully migrated, using SWF flags 0 and no flatten angle. Patch welcome
[Dasher] No template assigned, using $File$_dash$FS$$Number$
[Dasher] No bitrate property assigned to PID crash000394, computing from bitstream
[SWF Parsing] Tag UnknownTag (0x1a4) not implemented - skipping (frame 1)
[SWF Parsing] Tag UnknownTag (0x1bd) not implemented - skipping (frame 1)
[SWF Parsing] Tag UnknownTag (0x12f) not implemented - skipping (frame 1)
[SWF Parsing] Tag UnknownTag (0x15b) not implemented - skipping (frame 1)
[SWF Parsing] tag DefineShape3 over-read of 20608 bytes (size 23) (frame 1)
[SWF Parsing] Tag UnknownTag (0x1d0) not implemented - skipping (frame 1)
[SWF Parsing] Tag UnknownTag (0x1d5) not implemented - skipping (frame 1)
[SWF Parsing] Tag UnknownTag (0x144) not implemented - skipping (frame 1)
=================================================================
==491931==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000002750 at pc 0x7f555206c5d3 bp 0x7fff4f3717c0 sp 0x7fff4f3717b0
WRITE of size 4 at 0x602000002750 thread T0
#0 0x7f555206c5d2 in swf_def_font scene_manager/swf_parse.c:1449
#1 0x7f555206c5d2 in swf_process_tag scene_manager/swf_parse.c:2350
#2 0x7f555206c5d2 in swf_parse_tag scene_manager/swf_parse.c:2422
#3 0x7f555275c089 in gf_text_process_swf filters/load_text.c:2542
#4 0x7f555275c089 in gf_text_process_swf filters/load_text.c:2519
#5 0x7f55527714a2 in txtin_process filters/load_text.c:3992
#6 0x7f5552469dbe in gf_filter_process_task filter_core/filter.c:2971
#7 0x7f55524290ea in gf_fs_thread_proc filter_core/filter_session.c:1962
#8 0x7f5552436a56 in gf_fs_run filter_core/filter_session.c:2261
#9 0x7f5551dcc03d in gf_dasher_process media_tools/dash_segmenter.c:1236
#10 0x560d3aaebc26 in do_dash /home/functionmain/Desktop/gpac-master-asan/applications/mp4box/mp4box.c:4825
#11 0x560d3aaebc26 in mp4box_main /home/functionmain/Desktop/gpac-master-asan/applications/mp4box/mp4box.c:6239
#12 0x7f554f078082 in __libc_start_main ../csu/libc-start.c:308
#13 0x560d3aac3fcd in _start (/home/functionmain/Desktop/gpac-master-asan/bin/gcc/MP4Box+0xa5fcd)
0x602000002751 is located 0 bytes to the right of 1-byte region [0x602000002750,0x602000002751)
allocated by thread T0 here:
#0 0x7f5555079808 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:144
#1 0x7f5552068180 in swf_def_font scene_manager/swf_parse.c:1448
#2 0x7f5552068180 in swf_process_tag scene_manager/swf_parse.c:2350
#3 0x7f5552068180 in swf_parse_tag scene_manager/swf_parse.c:2422
#4 0x7f555275c089 in gf_text_process_swf filters/load_text.c:2542
#5 0x7f555275c089 in gf_text_process_swf filters/load_text.c:2519
#6 0x7f55527714a2 in txtin_process filters/load_text.c:3992
#7 0x7f5552469dbe in gf_filter_process_task filter_core/filter.c:2971
#8 0x7f55524290ea in gf_fs_thread_proc filter_core/filter_session.c:1962
#9 0x7f5552436a56 in gf_fs_run filter_core/filter_session.c:2261
#10 0x7f5551dcc03d in gf_dasher_process media_tools/dash_segmenter.c:1236
#11 0x560d3aaebc26 in do_dash /home/functionmain/Desktop/gpac-master-asan/applications/mp4box/mp4box.c:4825
#12 0x560d3aaebc26 in mp4box_main /home/functionmain/Desktop/gpac-master-asan/applications/mp4box/mp4box.c:6239
#13 0x7f554f078082 in __libc_start_main ../csu/libc-start.c:308
SUMMARY: AddressSanitizer: heap-buffer-overflow scene_manager/swf_parse.c:1449 in swf_def_font
Shadow bytes around the buggy address:
0x0c047fff8490: fa fa fd fd fa fa fd fd fa fa fd fa fa fa fd fa
0x0c047fff84a0: fa fa fd fa fa fa fd fa fa fa fd fd fa fa fd fa
0x0c047fff84b0: fa fa fd fd fa fa fd fa fa fa fd fd fa fa fd fd
0x0c047fff84c0: fa fa fd fd fa fa fd fd fa fa fd fa fa fa fd fa
0x0c047fff84d0: fa fa fd fa fa fa 00 00 fa fa 00 00 fa fa 00 00
=>0x0c047fff84e0: fa fa 00 00 fa fa 00 00 fa fa[01]fa fa fa fa fa
0x0c047fff84f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8500: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8510: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8520: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8530: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==491931==ABORTING
This is more than a crash: the sanitizer shows a 4-byte WRITE into a 1-byte heap region allocated one line earlier (swf_parse.c:1448), i.e. heap memory corruption driven by the contents of the SWF font-definition tag. The input is reached without any special options: MP4Box routes the .swf file through the TXTIn filter (filters/load_text.c), which calls the SWF scene parser (scene_manager/swf_parse.c) during a plain -dash run.
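The report does not include the source around swf_parse.c:1448-1449, so the following is an added illustration and not GPAC's code. It is a hypothetical parser for the body of an SWF DefineFont tag written in the shape the sanitizer report describes: a glyph count derived from the tag's own bytes, an allocation sized from that count, and a 32-bit store per glyph. The unchecked version is shown in a comment; the implemented version checks every derived size against the tag length the SWF header actually promised. All identifiers (parse_define_font, df_nglyphs, the DF_* codes) and the sample tag bodies are constructed for this example; none come from the crash file.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Status codes for parse_define_font (hypothetical; not GPAC's API). */
enum { DF_OK = 0, DF_TRUNCATED = -1, DF_BAD_OFFSETS = -2, DF_NOMEM = -3 };

/* SWF integers are little-endian. */
static uint16_t rd_u16le(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/*
 * SWF DefineFont (tag type 10) body layout:
 *   FontID          UI16
 *   OffsetTable     UI16[nGlyphs]   offsets relative to the start of OffsetTable
 *   GlyphShapeTable ...
 * nGlyphs is not stored; it is derived as OffsetTable[0] / 2, so it comes
 * straight from attacker-controlled bytes.
 *
 * Vulnerable shape (reconstructed to match the sanitizer signature, NOT the
 * real swf_def_font source):
 *     nglyphs = rd_u16le(tag + 2) / 2;
 *     offsets = malloc(nglyphs);                   // bytes, not elements
 *     for (i = 0; i < nglyphs; i++)
 *         offsets[i] = rd_u16le(tag + 2 + 2 * i);  // 4-byte store; also reads
 *                                                  // past tag_len if the table
 *                                                  // is longer than the tag
 * With OffsetTable[0] == 2 that is a 1-byte region followed by a 4-byte write,
 * i.e. "heap-buffer-overflow ... WRITE of size 4 ... 1-byte region".
 */
int parse_define_font(const uint8_t *tag, size_t tag_len,
                      uint16_t *font_id, uint32_t *nglyphs_out,
                      uint32_t **offsets_out)
{
    *nglyphs_out = 0;
    *offsets_out = NULL;
    if (tag_len < 4)                       /* FontID + OffsetTable[0] */
        return DF_TRUNCATED;
    *font_id = rd_u16le(tag);
    uint16_t off0 = rd_u16le(tag + 2);
    if (off0 == 0 || (off0 & 1))           /* table must hold >= 1 UI16 */
        return DF_BAD_OFFSETS;
    uint32_t n = off0 / 2;
    size_t table_bytes = (size_t)n * 2;
    size_t avail = tag_len - 2;            /* bytes from OffsetTable to tag end */
    if (avail < table_bytes)               /* claimed table longer than the tag */
        return DF_TRUNCATED;
    /* Element-sized allocation: n * sizeof(uint32_t), overflow-safe via calloc. */
    uint32_t *offsets = calloc(n, sizeof *offsets);
    if (!offsets)
        return DF_NOMEM;
    for (uint32_t i = 0; i < n; i++) {
        offsets[i] = rd_u16le(tag + 2 + 2 * i);   /* 4-byte store into a 4-byte slot */
        /* Every glyph must start inside the tag, after the table, and in order. */
        if (offsets[i] >= avail || offsets[i] < table_bytes ||
            (i > 0 && offsets[i] < offsets[i - 1])) {
            free(offsets);
            return DF_BAD_OFFSETS;
        }
    }
    *nglyphs_out = n;
    *offsets_out = offsets;
    return DF_OK;
}

/* Parse, free, and return the glyph count on success or the negative status. */
int df_nglyphs(const uint8_t *tag, size_t tag_len)
{
    uint16_t id;
    uint32_t n;
    uint32_t *off;
    int rc = parse_define_font(tag, tag_len, &id, &n, &off);
    free(off);
    return rc == DF_OK ? (int)n : rc;
}

/* Constructed sample tag bodies (not taken from the crash file). */
static const uint8_t SWF_FONT_OK[]        = {0x01,0x00, 0x04,0x00, 0x06,0x00, 0xaa,0xbb,0xcc,0xdd};
static const uint8_t SWF_FONT_ONE[]       = {0x01,0x00, 0x02,0x00, 0x00};        /* the 1-glyph case */
static const uint8_t SWF_FONT_OVERREAD[]  = {0x01,0x00, 0x00,0x20};              /* claims 4096 glyphs */
static const uint8_t SWF_FONT_ODD[]       = {0x01,0x00, 0x03,0x00};              /* odd first offset */
static const uint8_t SWF_FONT_BACKWARDS[] = {0x01,0x00, 0x04,0x00, 0x02,0x00, 0xaa};
static const uint8_t SWF_FONT_SHORT[]     = {0x01,0x00};

int main(void)
{
    printf("ok        -> %d\n", df_nglyphs(SWF_FONT_OK, sizeof SWF_FONT_OK));
    printf("one       -> %d\n", df_nglyphs(SWF_FONT_ONE, sizeof SWF_FONT_ONE));
    printf("overread  -> %d\n", df_nglyphs(SWF_FONT_OVERREAD, sizeof SWF_FONT_OVERREAD));
    printf("odd       -> %d\n", df_nglyphs(SWF_FONT_ODD, sizeof SWF_FONT_ODD));
    printf("backwards -> %d\n", df_nglyphs(SWF_FONT_BACKWARDS, sizeof SWF_FONT_BACKWARDS));
    printf("short     -> %d\n", df_nglyphs(SWF_FONT_SHORT, sizeof SWF_FONT_SHORT));
    return 0;
}
```

The SWF_FONT_OVERREAD sample is the same kind of claimed-size versus tag-size mismatch that the log above flags for DefineShape3 ("over-read of 20608 bytes (size 23)"); with the unchecked shape it would both over-read the input and write 4096 32-bit values into a 4096-byte buffer. If you swap the commented malloc(nglyphs) into the loop and build with -fsanitize=address, the 1-glyph sample produces a report of the same shape as the one in this issue.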