| Title | gpac 2.5-DEV-rev228-g11067ea92-master Heap-use-after-free scene_manager/loader_xmt.c:531 in xmt_resolv |
|---|
| Description | ## version
```shell
./MP4Box -version
MP4Box - GPAC version 2.5-DEV-rev228-g11067ea92-master
(c) 2000-2024 Telecom Paris distributed under LGPL v2.1+ - https://gpac.io
Please cite our work in your research:
GPAC Filters: https://doi.org/10.1145/3339825.3394929
GPAC: https://doi.org/10.1145/1291233.1291452
GPAC Configuration: --enable-sanitizer
Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SSL GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_LINUX_DVB GPAC_DISABLE_3D
```
## reproduce
Compile and run
```
./configure --enable-sanitizer
make
./MP4Box -info poc4
```
Information
```shell
XMT: MPEG-4 (XMT) Scene Parsing
[XMT Parsing] Warning: descriptor InitialObjectDescriptor defined outside scene scope - skipping (line 10)
=================================================================
==18912==ERROR: AddressSanitizer: heap-use-after-free on address 0x607000032052 at pc 0x7f54fc2647ed bp 0x7ffce79c0f30 sp 0x7ffce79c0f20
READ of size 2 at 0x607000032052 thread T0
#0 0x7f54fc2647ec in xmt_resolve_od_links scene_manager/loader_xmt.c:531
#1 0x7f54fc2666f0 in load_xmt_run scene_manager/loader_xmt.c:3148
#2 0x7f54fc93db85 in ctxload_process filters/load_bt_xmt.c:522
#3 0x7f54fc67ed9d in gf_filter_process_task filter_core/filter.c:3164
#4 0x7f54fc64a599 in gf_fs_thread_proc filter_core/filter_session.c:2145
#5 0x7f54fc64e903 in gf_fs_run filter_core/filter_session.c:2452
#6 0x7f54fc0cc145 in gf_media_import media_tools/media_import.c:1239
#7 0x5647e6b54da4 in convert_file_info /home/ubuntu/gpac_testt/gpac/applications/mp4box/fileimport.c:130
#8 0x5647e6b2212d in mp4box_main /home/ubuntu/gpac_testt/gpac/applications/mp4box/mp4box.c:6398
#9 0x7f54f989fc86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86)
#10 0x5647e6b01579 in _start (/home/ubuntu/gpac_testt/gpac/bin/gcc/MP4Box+0x87579)
0x607000032052 is located 2 bytes inside of 80-byte region [0x607000032050,0x6070000320a0)
freed by thread T0 here:
#0 0x7f54fe7b17a8 in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xde7a8)
#1 0x7f54fbfbab49 in gf_odf_del_iod odf/odf_code.c:442
#2 0x7f54fb94c1ff in xml_sax_node_end utils/xml_parser.c:265
#3 0x7f54fb94f965 in xml_sax_parse utils/xml_parser.c:867
#4 0x7f54fb951cce in gf_xml_sax_parse_intern utils/xml_parser.c:1104
#5 0x7f54fb952507 in gf_xml_sax_parse utils/xml_parser.c:1132
#6 0x7f54fb952818 in xml_sax_read_file utils/xml_parser.c:1219
#7 0x7f54fb9539aa in gf_xml_sax_parse_file utils/xml_parser.c:1331
#8 0x7f54fc2666ba in load_xmt_run scene_manager/loader_xmt.c:3144
#9 0x7f54fc93db85 in ctxload_process filters/load_bt_xmt.c:522
#10 0x7f54fc67ed9d in gf_filter_process_task filter_core/filter.c:3164
#11 0x7f54fc64a599 in gf_fs_thread_proc filter_core/filter_session.c:2145
#12 0x7f54fc64e903 in gf_fs_run filter_core/filter_session.c:2452
#13 0x7f54fc0cc145 in gf_media_import media_tools/media_import.c:1239
#14 0x5647e6b54da4 in convert_file_info /home/ubuntu/gpac_testt/gpac/applications/mp4box/fileimport.c:130
#15 0x5647e6b2212d in mp4box_main /home/ubuntu/gpac_testt/gpac/applications/mp4box/mp4box.c:6398
#16 0x7f54f989fc86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86)
previously allocated by thread T0 here:
#0 0x7f54fe7b1b40 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb40)
#1 0x7f54fbfba932 in gf_odf_new_iod odf/odf_code.c:415
#2 0x7f54fbfc3fe3 in gf_odf_desc_new odf/odf_codec.c:244
#3 0x7f54fc278e6f in xmt_parse_descriptor scene_manager/loader_xmt.c:1951
#4 0x7f54fc27bf5d in xmt_node_start scene_manager/loader_xmt.c:2578
#5 0x7f54fb94cd55 in xml_sax_node_start utils/xml_parser.c:308
#6 0x7f54fb94fe5d in xml_sax_parse_attribute utils/xml_parser.c:397
#7 0x7f54fb94fe5d in xml_sax_parse utils/xml_parser.c:940
#8 0x7f54fb951cce in gf_xml_sax_parse_intern utils/xml_parser.c:1104
#9 0x7f54fb952507 in gf_xml_sax_parse utils/xml_parser.c:1132
#10 0x7f54fb952818 in xml_sax_read_file utils/xml_parser.c:1219
#11 0x7f54fb9539aa in gf_xml_sax_parse_file utils/xml_parser.c:1331
#12 0x7f54fc2666ba in load_xmt_run scene_manager/loader_xmt.c:3144
#13 0x7f54fc93db85 in ctxload_process filters/load_bt_xmt.c:522
#14 0x7f54fc67ed9d in gf_filter_process_task filter_core/filter.c:3164
#15 0x7f54fc64a599 in gf_fs_thread_proc filter_core/filter_session.c:2145
#16 0x7f54fc64e903 in gf_fs_run filter_core/filter_session.c:2452
#17 0x7f54fc0cc145 in gf_media_import media_tools/media_import.c:1239
#18 0x5647e6b54da4 in convert_file_info /home/ubuntu/gpac_testt/gpac/applications/mp4box/fileimport.c:130
#19 0x5647e6b2212d in mp4box_main /home/ubuntu/gpac_testt/gpac/applications/mp4box/mp4box.c:6398
#20 0x7f54f989fc86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86)
SUMMARY: AddressSanitizer: heap-use-after-free scene_manager/loader_xmt.c:531 in xmt_resolve_od_links
Shadow bytes around the buggy address:
0x0c0e7fffe3b0: 00 00 fa fa fa fa 00 00 00 00 00 00 00 00 00 00
0x0c0e7fffe3c0: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 fa fa
0x0c0e7fffe3d0: fa fa 00 00 00 00 00 00 00 00 00 00 fa fa fa fa
0x0c0e7fffe3e0: 00 00 00 00 00 00 00 00 00 00 fa fa fa fa 00 00
0x0c0e7fffe3f0: 00 00 00 00 00 00 00 00 fa fa fa fa fd fd fd fd
=>0x0c0e7fffe400: fd fd fd fd fd fd fa fa fa fa[fd]fd fd fd fd fd
0x0c0e7fffe410: fd fd fd fd fa fa fa fa 00 00 00 00 00 00 00 00
0x0c0e7fffe420: 00 00 fa fa fa fa 00 00 00 00 00 00 00 00 00 00
0x0c0e7fffe430: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0e7fffe440: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0e7fffe450: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==18912==ABORTING
``` |
|---|
| Source | https://github.com/gpac/gpac/issues/2874 |
|---|
| User | Fantasy (ID 69897) |
|---|
| Submission | 06/13/2024 15:33 (2 months ago) |
|---|
| Moderation | 06/17/2024 15:38 (4 days later) |
|---|
| Status | Accepted |
|---|
| VulDB Entry | 268792 |
|---|
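The three ASan stacks in the report describe one lifetime: the InitialObjectDescriptor is allocated while the element is opened (gf_odf_new_iod called from xmt_parse_descriptor), released when the element closes because it is "defined outside scene scope" (gf_odf_del_iod called from xml_sax_node_end), and then read again after the whole file has been parsed (xmt_resolve_od_links, a 2-byte read). The descriptor is gone but a pending OD-link record still points at it. The following is an added example, not GPAC's code and not the project's fix; every name and structure in it is a hypothetical model of that pattern, with a vulnerable element-end handler next to a hardened one that unlinks pending references before freeing the descriptor.

```c
#include <stdio.h>
#include <stdlib.h>

/* Constructed model (not GPAC code) of the lifetime shown by the three ASan
 * stacks: a descriptor allocated at element start, freed at element end
 * because it sits outside the scene scope, and a pending OD-link record that
 * still points at it being walked after the parse finished.
 * All type, field and function names below are hypothetical. */

typedef struct {
    unsigned short tag;   /* models the 2-byte field read at the crash site */
    int in_scene;         /* 0 = "defined outside scene scope - skipping" */
} descriptor_t;

typedef struct od_link {
    descriptor_t *desc;   /* borrowed, not owned: this is the dangling edge */
    struct od_link *next;
} od_link_t;

typedef struct {
    od_link_t *links;     /* pending links, resolved only after parsing */
    int dropped;          /* links discarded because their descriptor died */
} parser_t;

/* Element start: allocate the descriptor and register a pending link to it
 * (the link is recorded while the descriptor is still being parsed). */
static descriptor_t *node_start(parser_t *p, unsigned short tag, int in_scene) {
    descriptor_t *d = calloc(1, sizeof *d);
    od_link_t *l = calloc(1, sizeof *l);
    if (!d || !l) { free(d); free(l); return NULL; }
    d->tag = tag;
    d->in_scene = in_scene;
    l->desc = d;
    l->next = p->links;
    p->links = l;
    return d;
}

/* Vulnerable shape: the skipped descriptor is freed but the pending link
 * list is never told. Any later walk of the list reads freed memory.
 * Run this path only under -fsanitize=address; it is undefined behaviour. */
static void node_end_vulnerable(parser_t *p, descriptor_t *d) {
    (void)p;
    if (!d->in_scene) free(d);
}

/* Hardened shape: drop every pending link that refers to d before d is
 * released, so resolution can no longer reach freed memory. */
static void node_end_hardened(parser_t *p, descriptor_t *d) {
    if (d->in_scene) return;
    for (od_link_t **pp = &p->links; *pp; ) {
        if ((*pp)->desc == d) {
            od_link_t *dead = *pp;
            *pp = dead->next;
            free(dead);
            p->dropped++;
        } else {
            pp = &(*pp)->next;
        }
    }
    free(d);
}

/* Models the post-parse resolution pass: dereferences every linked
 * descriptor (the READ of size 2 in the report). Returns links resolved. */
static int resolve_od_links(parser_t *p) {
    int resolved = 0;
    for (od_link_t *l = p->links; l; l = l->next)
        if (l->desc->tag == 0x02) resolved++;
    return resolved;
}

/* One in-scene descriptor (kept) and one out-of-scene descriptor (skipped),
 * each with a pending link; the skipped one is what the report's warning
 * on line 10 of the poc refers to. */
int run_parse(int hardened, int *dropped) {
    parser_t p = {0};
    descriptor_t *kept = node_start(&p, 0x02, 1);
    descriptor_t *skipped = node_start(&p, 0x02, 0);
    if (!kept || !skipped) return -1;
    if (hardened) { node_end_hardened(&p, skipped); node_end_hardened(&p, kept); }
    else          { node_end_vulnerable(&p, skipped); node_end_vulnerable(&p, kept); }
    int resolved = resolve_od_links(&p);
    while (p.links) { od_link_t *n = p.links->next; free(p.links); p.links = n; }
    free(kept);
    if (dropped) *dropped = p.dropped;
    return resolved;
}

int main(void) {
    int dropped = 0;
    int n = run_parse(1, &dropped);
    printf("hardened: resolved %d link(s), dropped %d dangling link(s)\n", n, dropped);
    /* run_parse(0, NULL) under ASan reproduces the same class of report:
     * heap-use-after-free, READ of size 2, in the resolution pass. */
    return 0;
}
```

The point of the hardened variant is ownership: whoever frees the descriptor must also invalidate every registry that borrowed a pointer to it, or the registry must own (and free) the descriptor itself. Which of the two a real fix should pick depends on who else holds the IOD, which the report does not show.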