heap-use-after-free in MP4Box in gpac/gpac
Reported on
Oct 11th 2023
Description
heap-use-after-free in MP4Box
Version
$ ./MP4Box -version
MP4Box - GPAC version 2.3-DEV-rev566-g50c2ab06f-master
Platform
$ uname -a
Linux user-GE40-2PC-Dragon-Eyes 6.2.0-33-generic #33~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Thu Sep 7 10:33:52 UTC 2 x86_64 x86_64 x86_64 GNU/Linux
Asan
[TTML EBU-TTD] time indicates frames but no frame rate set, assuming 25 FPS
[TTML EBU-TTD] invalid timings: "begin"=24680 , "end"=23320. Abort.
[Dasher] No template assigned, using $File$_dash$FS$$Number$
[Dasher] No bitrate property assigned to PID id000310sig06src000702time203216797execs1924021ophavocrep2, computing from bitstream
[TTML EBU-TTD] duplicated "begin" attribute. Abort.
=================================================================
==734465==ERROR: AddressSanitizer: heap-use-after-free on address 0x604000000868 at pc 0x7fa699af74f8 bp 0x7ffe98c75570 sp 0x7ffe98c75568
READ of size 8 at 0x604000000868 thread T0
#0 0x7fa699af74f7 in gf_xml_dom_node_reset /home/user/fuzzing_gpac/gpac/src/utils/xml_parser.c:1658:12
#1 0x7fa699af7547 in gf_xml_dom_node_del /home/user/fuzzing_gpac/gpac/src/utils/xml_parser.c:1681:2
#2 0x7fa699af7410 in gf_xml_dom_node_reset /home/user/fuzzing_gpac/gpac/src/utils/xml_parser.c:1672:4
#3 0x7fa699af7547 in gf_xml_dom_node_del /home/user/fuzzing_gpac/gpac/src/utils/xml_parser.c:1681:2
#4 0x7fa699af7410 in gf_xml_dom_node_reset /home/user/fuzzing_gpac/gpac/src/utils/xml_parser.c:1672:4
#5 0x7fa699af7547 in gf_xml_dom_node_del /home/user/fuzzing_gpac/gpac/src/utils/xml_parser.c:1681:2
#6 0x7fa699af7410 in gf_xml_dom_node_reset /home/user/fuzzing_gpac/gpac/src/utils/xml_parser.c:1672:4
#7 0x7fa699af7547 in gf_xml_dom_node_del /home/user/fuzzing_gpac/gpac/src/utils/xml_parser.c:1681:2
#8 0x7fa699af7b20 in gf_xml_dom_reset /home/user/fuzzing_gpac/gpac/src/utils/xml_parser.c:1814:4
#9 0x7fa699af77d3 in gf_xml_dom_del /home/user/fuzzing_gpac/gpac/src/utils/xml_parser.c:1826:2
#10 0x7fa69ac9ffad in ttxtin_reset /home/user/fuzzing_gpac/gpac/src/filters/load_text.c:4044:32
#11 0x7fa69ac9ffad in txtin_finalize /home/user/fuzzing_gpac/gpac/src/filters/load_text.c:4293:2
#12 0x7fa69a96eb6c in gf_fs_del /home/user/fuzzing_gpac/gpac/src/filter_core/filter_session.c:773:6
#13 0x7fa69a2283f6 in gf_dasher_clean_inputs /home/user/fuzzing_gpac/gpac/src/media_tools/dash_segmenter.c:164:3
#14 0x7fa69a2283f6 in gf_dasher_del /home/user/fuzzing_gpac/gpac/src/media_tools/dash_segmenter.c:173:2
#15 0x563912e69d2d in do_dash /home/user/fuzzing_gpac/gpac/applications/mp4box/mp4box.c:4894:2
#16 0x563912e5ab6e in mp4box_main /home/user/fuzzing_gpac/gpac/applications/mp4box/mp4box.c:6245:7
#17 0x7fa699229d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#18 0x7fa699229e3f in __libc_start_main csu/../csu/libc-start.c:392:3
#19 0x563912d82dd4 in _start (/home/user/fuzzing_gpac/gpac/bin/gcc/MP4Box+0x82dd4) (BuildId: 53333ca7bff59dd9a3d1b2821e7c5f3a9aac76b9)
0x604000000868 is located 24 bytes inside of 48-byte region [0x604000000850,0x604000000880)
freed by thread T0 here:
#0 0x563912e05972 in free (/home/user/fuzzing_gpac/gpac/bin/gcc/MP4Box+0x105972) (BuildId: 53333ca7bff59dd9a3d1b2821e7c5f3a9aac76b9)
#1 0x7fa699af7410 in gf_xml_dom_node_reset /home/user/fuzzing_gpac/gpac/src/utils/xml_parser.c:1672:4
previously allocated by thread T0 here:
#0 0x563912e05c1e in malloc (/home/user/fuzzing_gpac/gpac/bin/gcc/MP4Box+0x105c1e) (BuildId: 53333ca7bff59dd9a3d1b2821e7c5f3a9aac76b9)
#1 0x7fa699af80fc in on_dom_node_start /home/user/fuzzing_gpac/gpac/src/utils/xml_parser.c:1702:2
SUMMARY: AddressSanitizer: heap-use-after-free /home/user/fuzzing_gpac/gpac/src/utils/xml_parser.c:1658:12 in gf_xml_dom_node_reset
==734465==ABORTING
Reproduce
./MP4Box -dash 10000 poc
POC File
https://github.com/gandalf4a/crash_report/blob/main/gpac/MP4Box/poc2/huaf_1658
Credit
Gandalf4a
Impact
This vulnerability allows a remote attacker to cause a denial of service or even arbitrary code execution on an affected installation of gpac MP4Box. Exploiting this vulnerability requires user interaction, as the target must access a malicious page or open a malicious file.
CVE assignment is the maintainers' decision; if we can get confirmation from them I can assign a CVE. Thanks!
The maintainers didn't seem to know how to do it; it was confirmed by them directly in the GitHub issue (https://github.com/gpac/gpac/issues/2638). Can we assign a CVE through this? Thanks! @admin