Thanks for reporting your issue. Please make sure these boxes are checked before submitting your issue - thank you!
[ √] I looked for a similar issue and couldn't find any.
[ √] I tried with the latest version of GPAC. Installers available at http://gpac.io/downloads/gpac-nightly-builds/
[ √] I give enough information for contributors to reproduce my issue (meaningful title, github labels, platform and compiler, command-line ...). I can share files anonymously with this dropbox: https://www.mediafire.com/filedrop/filedrop_hosted.php?drop=eec9e058a9486fe4e99c33021481d9e1826ca9dbc242a6cfaab0fe95da5e5d95
Detailed guidelines: http://gpac.io/2013/07/16/how-to-file-a-bug-properly/
A crafted input will lead to crash in av_parsers.c at gpac 0.8.0.it is similar to issue(#1332) ,but this poc can cause UAF issue.
Triggered by
./MP4Box -diso POC -out /dev/null
Poc
002-gf_isom_box_del-uaf1500
The ASAN information is as follows:
./MP4Box -diso 002-gf_isom_box_del-uaf1500 -out /dev/null
[ODF] Error reading descriptor (tag 2 size 35): Invalid MPEG-4 Descriptor
[iso file] Read Box "esds" (start 770) failed (Invalid MPEG-4 Descriptor) - skipping
[iso file] Box "stco" (start 3368) has 4 extra bytes
[iso file] Box "ctts" is larger than container box
[iso file] Box "stbl" size 12337 (start 1159) invalid (read 14373)
[iso file] Read Box type 00303030 (0x00303030) at position 13496 has size 0 but is not at root/file level, skipping
[iso file] Missing MediaHeaderBox
=================================================================
==23401==ERROR: AddressSanitizer: heap-use-after-free on address 0x6060000004b8 at pc 0x562734e8e048 bp 0x7ffce997be90 sp 0x7ffce997be80
READ of size 8 at 0x6060000004b8 thread T0
#0 0x562734e8e047 in gf_isom_box_del isomedia/box_funcs.c:1500
#1 0x562734e8df96 in gf_isom_box_array_del isomedia/box_funcs.c:270
#2 0x562734e8df96 in gf_isom_box_del isomedia/box_funcs.c:1516
#3 0x562734e8df96 in gf_isom_box_array_del isomedia/box_funcs.c:270
#4 0x562734e8df96 in gf_isom_box_del isomedia/box_funcs.c:1516
#5 0x562734e8df96 in gf_isom_box_array_del isomedia/box_funcs.c:270
#6 0x562734e8df96 in gf_isom_box_del isomedia/box_funcs.c:1516
#7 0x562734e8e416 in gf_isom_box_parse_ex isomedia/box_funcs.c:219
#8 0x562734e8ee10 in gf_isom_box_array_read_ex isomedia/box_funcs.c:1419
#9 0x562735330906 in trak_Read isomedia/box_code_base.c:7129
#10 0x562734e8e3d4 in gf_isom_box_read isomedia/box_funcs.c:1528
#11 0x562734e8e3d4 in gf_isom_box_parse_ex isomedia/box_funcs.c:208
#12 0x562734e8ee10 in gf_isom_box_array_read_ex isomedia/box_funcs.c:1419
#13 0x562735323f64 in moov_Read isomedia/box_code_base.c:3745
#14 0x562734e8fb35 in gf_isom_box_read isomedia/box_funcs.c:1528
#15 0x562734e8fb35 in gf_isom_box_parse_ex isomedia/box_funcs.c:208
#16 0x562734e901e4 in gf_isom_parse_root_box isomedia/box_funcs.c:42
#17 0x562734ea6f44 in gf_isom_parse_movie_boxes isomedia/isom_intern.c:206
#18 0x562734ea9bca in gf_isom_open_file isomedia/isom_intern.c:615
#19 0x562734bf2852 in mp4boxMain /home/liuz/gpac-master/applications/mp4box/main.c:4767
#20 0x7f9e595d8b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
#21 0x562734be3b19 in _start (/usr/local/gpac-asan3/bin/MP4Box+0x163b19)
0x6060000004b8 is located 24 bytes inside of 56-byte region [0x6060000004a0,0x6060000004d8)
freed by thread T0 here:
#0 0x7f9e5a2617b8 in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xde7b8)
#1 0x562734e8dfc6 in gf_isom_box_del isomedia/box_funcs.c:1508
previously allocated by thread T0 here:
#0 0x7f9e5a261b50 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb50)
#1 0x56273532aa6a in stco_New isomedia/box_code_base.c:5616
SUMMARY: AddressSanitizer: heap-use-after-free isomedia/box_funcs.c:1500 in gf_isom_box_del
Shadow bytes around the buggy address:
0x0c0c7fff8040: 00 00 00 00 00 00 00 00 fa fa fa fa 00 00 00 00
0x0c0c7fff8050: 00 00 00 fa fa fa fa fa 00 00 00 00 00 00 00 03
0x0c0c7fff8060: fa fa fa fa 00 00 00 00 00 00 00 00 fa fa fa fa
0x0c0c7fff8070: 00 00 00 00 00 00 00 fa fa fa fa fa fd fd fd fd
0x0c0c7fff8080: fd fd fd fd fa fa fa fa fd fd fd fd fd fd fd fd
=>0x0c0c7fff8090: fa fa fa fa fd fd fd[fd]fd fd fd fa fa fa fa fa
0x0c0c7fff80a0: 00 00 00 00 00 00 00 00 fa fa fa fa 00 00 00 00
0x0c0c7fff80b0: 00 00 00 fa fa fa fa fa 00 00 00 00 00 00 00 00
0x0c0c7fff80c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0c7fff80d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0c7fff80e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==23401==ABORTING
Thanks for reporting your issue. Please make sure these boxes are checked before submitting your issue - thank you!
[ √] I looked for a similar issue and couldn't find any.
[ √] I tried with the latest version of GPAC. Installers available at http://gpac.io/downloads/gpac-nightly-builds/
[ √] I give enough information for contributors to reproduce my issue (meaningful title, github labels, platform and compiler, command-line ...). I can share files anonymously with this dropbox: https://www.mediafire.com/filedrop/filedrop_hosted.php?drop=eec9e058a9486fe4e99c33021481d9e1826ca9dbc242a6cfaab0fe95da5e5d95
Detailed guidelines: http://gpac.io/2013/07/16/how-to-file-a-bug-properly/
A crafted input will lead to crash in av_parsers.c at gpac 0.8.0.it is similar to issue(#1332) ,but this poc can cause UAF issue.
Triggered by
./MP4Box -diso POC -out /dev/null
Poc
002-gf_isom_box_del-uaf1500
The ASAN information is as follows: