Submit #356316: gpac 2.5-DEV-rev228-g11067ea92-master Heap-use-after-free scene_manager/loader_xmt.c:531 in xmt_resolvinfo

Title: gpac 2.5-DEV-rev228-g11067ea92-master Heap-use-after-free scene_manager/loader_xmt.c:531 in xmt_resolv
Description:

## version

```shell
./MP4Box -version
MP4Box - GPAC version 2.5-DEV-rev228-g11067ea92-master
(c) 2000-2024 Telecom Paris distributed under LGPL v2.1+ - https://gpac.io
Please cite our work in your research:
	GPAC Filters: https://doi.org/10.1145/3339825.3394929
	GPAC: https://doi.org/10.1145/1291233.1291452

GPAC Configuration: --enable-sanitizer
Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SSL GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_LINUX_DVB GPAC_DISABLE_3D
```

## reproduce

Compile and run

```
./configure --enable-sanitizer
make
./MP4Box -info poc4
```

Information

```shell
XMT: MPEG-4 (XMT) Scene Parsing
[XMT Parsing] Warning: descriptor InitialObjectDescriptor defined outside scene scope - skipping (line 10)
=================================================================
==18912==ERROR: AddressSanitizer: heap-use-after-free on address 0x607000032052 at pc 0x7f54fc2647ed bp 0x7ffce79c0f30 sp 0x7ffce79c0f20
READ of size 2 at 0x607000032052 thread T0
    #0 0x7f54fc2647ec in xmt_resolve_od_links scene_manager/loader_xmt.c:531
    #1 0x7f54fc2666f0 in load_xmt_run scene_manager/loader_xmt.c:3148
    #2 0x7f54fc93db85 in ctxload_process filters/load_bt_xmt.c:522
    #3 0x7f54fc67ed9d in gf_filter_process_task filter_core/filter.c:3164
    #4 0x7f54fc64a599 in gf_fs_thread_proc filter_core/filter_session.c:2145
    #5 0x7f54fc64e903 in gf_fs_run filter_core/filter_session.c:2452
    #6 0x7f54fc0cc145 in gf_media_import media_tools/media_import.c:1239
    #7 0x5647e6b54da4 in convert_file_info /home/ubuntu/gpac_testt/gpac/applications/mp4box/fileimport.c:130
    #8 0x5647e6b2212d in mp4box_main /home/ubuntu/gpac_testt/gpac/applications/mp4box/mp4box.c:6398
    #9 0x7f54f989fc86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86)
    #10 0x5647e6b01579 in _start (/home/ubuntu/gpac_testt/gpac/bin/gcc/MP4Box+0x87579)

0x607000032052 is located 2 bytes inside of 80-byte region [0x607000032050,0x6070000320a0)
freed by thread T0 here:
    #0 0x7f54fe7b17a8 in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xde7a8)
    #1 0x7f54fbfbab49 in gf_odf_del_iod odf/odf_code.c:442
    #2 0x7f54fb94c1ff in xml_sax_node_end utils/xml_parser.c:265
    #3 0x7f54fb94f965 in xml_sax_parse utils/xml_parser.c:867
    #4 0x7f54fb951cce in gf_xml_sax_parse_intern utils/xml_parser.c:1104
    #5 0x7f54fb952507 in gf_xml_sax_parse utils/xml_parser.c:1132
    #6 0x7f54fb952818 in xml_sax_read_file utils/xml_parser.c:1219
    #7 0x7f54fb9539aa in gf_xml_sax_parse_file utils/xml_parser.c:1331
    #8 0x7f54fc2666ba in load_xmt_run scene_manager/loader_xmt.c:3144
    #9 0x7f54fc93db85 in ctxload_process filters/load_bt_xmt.c:522
    #10 0x7f54fc67ed9d in gf_filter_process_task filter_core/filter.c:3164
    #11 0x7f54fc64a599 in gf_fs_thread_proc filter_core/filter_session.c:2145
    #12 0x7f54fc64e903 in gf_fs_run filter_core/filter_session.c:2452
    #13 0x7f54fc0cc145 in gf_media_import media_tools/media_import.c:1239
    #14 0x5647e6b54da4 in convert_file_info /home/ubuntu/gpac_testt/gpac/applications/mp4box/fileimport.c:130
    #15 0x5647e6b2212d in mp4box_main /home/ubuntu/gpac_testt/gpac/applications/mp4box/mp4box.c:6398
    #16 0x7f54f989fc86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86)

previously allocated by thread T0 here:
    #0 0x7f54fe7b1b40 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb40)
    #1 0x7f54fbfba932 in gf_odf_new_iod odf/odf_code.c:415
    #2 0x7f54fbfc3fe3 in gf_odf_desc_new odf/odf_codec.c:244
    #3 0x7f54fc278e6f in xmt_parse_descriptor scene_manager/loader_xmt.c:1951
    #4 0x7f54fc27bf5d in xmt_node_start scene_manager/loader_xmt.c:2578
    #5 0x7f54fb94cd55 in xml_sax_node_start utils/xml_parser.c:308
    #6 0x7f54fb94fe5d in xml_sax_parse_attribute utils/xml_parser.c:397
    #7 0x7f54fb94fe5d in xml_sax_parse utils/xml_parser.c:940
    #8 0x7f54fb951cce in gf_xml_sax_parse_intern utils/xml_parser.c:1104
    #9 0x7f54fb952507 in gf_xml_sax_parse utils/xml_parser.c:1132
    #10 0x7f54fb952818 in xml_sax_read_file utils/xml_parser.c:1219
    #11 0x7f54fb9539aa in gf_xml_sax_parse_file utils/xml_parser.c:1331
    #12 0x7f54fc2666ba in load_xmt_run scene_manager/loader_xmt.c:3144
    #13 0x7f54fc93db85 in ctxload_process filters/load_bt_xmt.c:522
    #14 0x7f54fc67ed9d in gf_filter_process_task filter_core/filter.c:3164
    #15 0x7f54fc64a599 in gf_fs_thread_proc filter_core/filter_session.c:2145
    #16 0x7f54fc64e903 in gf_fs_run filter_core/filter_session.c:2452
    #17 0x7f54fc0cc145 in gf_media_import media_tools/media_import.c:1239
    #18 0x5647e6b54da4 in convert_file_info /home/ubuntu/gpac_testt/gpac/applications/mp4box/fileimport.c:130
    #19 0x5647e6b2212d in mp4box_main /home/ubuntu/gpac_testt/gpac/applications/mp4box/mp4box.c:6398
    #20 0x7f54f989fc86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86)

SUMMARY: AddressSanitizer: heap-use-after-free scene_manager/loader_xmt.c:531 in xmt_resolve_od_links
Shadow bytes around the buggy address:
  0x0c0e7fffe3b0: 00 00 fa fa fa fa 00 00 00 00 00 00 00 00 00 00
  0x0c0e7fffe3c0: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 fa fa
  0x0c0e7fffe3d0: fa fa 00 00 00 00 00 00 00 00 00 00 fa fa fa fa
  0x0c0e7fffe3e0: 00 00 00 00 00 00 00 00 00 00 fa fa fa fa 00 00
  0x0c0e7fffe3f0: 00 00 00 00 00 00 00 00 fa fa fa fa fd fd fd fd
=>0x0c0e7fffe400: fd fd fd fd fd fd fa fa fa fa[fd]fd fd fd fd fd
  0x0c0e7fffe410: fd fd fd fd fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c0e7fffe420: 00 00 fa fa fa fa 00 00 00 00 00 00 00 00 00 00
  0x0c0e7fffe430: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0e7fffe440: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0e7fffe450: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==18912==ABORTING
```
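As an added illustration (not GPAC's code and not the poc4 input): a reduced C model of the pattern the three traces above show, where a descriptor freed at element end because it is out of scene scope stays reachable from a pending OD-link table that a later resolution pass dereferences, beside the fix of unlinking it before the free. Descriptor, ODLink, Parser and every function name here are assumptions.

```c
/* Simplified model of the dangling-link pattern in this report; not GPAC code.
 * Descriptor, ODLink, Parser and all function names are assumptions. */
#include <stdlib.h>
#include <stdint.h>

typedef struct { uint16_t objectDescriptorID; } Descriptor;
typedef struct { Descriptor *desc; } ODLink;
typedef struct { ODLink links[8]; int nb_links; } Parser;

/* Element start: allocate the descriptor and queue a link for later resolution. */
static Descriptor *node_start(Parser *p, uint16_t od_id) {
    Descriptor *d = p->nb_links < 8 ? calloc(1, sizeof *d) : NULL;
    if (!d) return NULL;
    d->objectDescriptorID = od_id;
    p->links[p->nb_links++].desc = d;
    return d;
}

/* Drop every queued link that refers to d: the step the vulnerable path lacks. */
static void unlink_descriptor(Parser *p, const Descriptor *d) {
    int kept = 0;
    for (int i = 0; i < p->nb_links; i++)
        if (p->links[i].desc != d) p->links[kept++] = p->links[i];
    p->nb_links = kept;
}

/* Element end for a descriptor outside scene scope: skip it by freeing it.
 * With hardened == 0 the link table keeps pointing at the freed block. */
static void node_end_skip(Parser *p, Descriptor *d, int hardened) {
    if (hardened) unlink_descriptor(p, d);
    free(d);
}

/* Resolution pass: a 2-byte read through every queued descriptor pointer. */
static int resolve_od_links(const Parser *p) {
    int resolved = 0;
    for (int i = 0; i < p->nb_links; i++)
        if (p->links[i].desc->objectDescriptorID != 0) resolved++;
    return resolved;
}

/* Parses one skipped IOD plus one in-scope OD and returns how many links still
 * point at the freed IOD. Resolution runs only on the hardened path, so this
 * model itself never reads freed memory. */
int dangling_links_after_skip(int hardened) {
    Parser p = {0};
    Descriptor *iod = node_start(&p, 1), *od = node_start(&p, 2);
    node_end_skip(&p, iod, hardened);
    int dangling = p.nb_links - 1;          /* od's own link is legitimate */
    if (hardened && resolve_od_links(&p) != 1) dangling = -1;
    free(od);
    return dangling;
}
```

On the vulnerable path the leftover link is exactly what xmt_resolve_od_links walks in the report; on the hardened path the table holds only live descriptors when resolution runs.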
Source: https://github.com/gpac/gpac/issues/2874
User: Fantasy (ID 69897)
Submission: 06/13/2024 15:33
Moderation: 06/17/2024 15:38
Status: Accepted
VulDB Entry: 268792
