Submission #87277: heap overflow in function mp3_dmx_process filters/reframe_mp3.c

Information

Title: heap overflow in function mp3_dmx_process filters/reframe_mp3.c
Description:

# version

```
MP4Box - GPAC version 2.3-DEV-rev40-g3602a5ded-master
(c) 2000-2023 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
	Please cite our work in your research:
	GPAC Filters: https://doi.org/10.1145/3339825.3394929
	GPAC: https://doi.org/10.1145/1291233.1291452

GPAC Configuration: --enable-sanitizer --verbose
Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SSL GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_PNG GPAC_HAS_LINUX_DVB GPAC_DISABLE_3D
```

Reproduce

```
./configure --enable-sanitizer --enable-debug
make
./MP4Box -info mp3_dmx_process_poc3
```

# Proof of Concept

```
=================================================================
==4005989==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60e00000037e at pc 0x7fc264d43490 bp 0x7ffe77236d80 sp 0x7ffe77236528
READ of size 96 at 0x60e00000037e thread T0
    #0 0x7fc264d4348f in __interceptor_memcpy ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:790
    #1 0x7fc26269ac9f in memcpy /usr/include/x86_64-linux-gnu/bits/string_fortified.h:34
    #2 0x7fc26269ac9f in mp3_dmx_process filters/reframe_mp3.c:677
    #3 0x7fc26227a0ed in gf_filter_process_task filter_core/filter.c:2828
    #4 0x7fc26223c082 in gf_fs_thread_proc filter_core/filter_session.c:1859
    #5 0x7fc262248856 in gf_fs_run filter_core/filter_session.c:2120
    #6 0x7fc261c86806 in gf_media_import media_tools/media_import.c:1228
    #7 0x559ba631e3b1 in convert_file_info /home/qianshuidewajueji/gpac/applications/mp4box/fileimport.c:130
    #8 0x559ba62eddb5 in mp4box_main /home/qianshuidewajueji/gpac/applications/mp4box/mp4box.c:6302
    #9 0x7fc25ef1e082 in __libc_start_main ../csu/libc-start.c:308
    #10 0x559ba62c1cfd in _start (/home/qianshuidewajueji/gpac/bin/gcc/MP4Box+0xa3cfd)

0x60e00000037e is located 0 bytes to the right of 158-byte region [0x60e0000002e0,0x60e00000037e)
allocated by thread T0 here:
    #0 0x7fc264db5c3e in __interceptor_realloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:163
    #1 0x7fc26269c248 in mp3_dmx_process filters/reframe_mp3.c:547
    #2 0x7fc26227a0ed in gf_filter_process_task filter_core/filter.c:2828
    #3 0x7fc26223c082 in gf_fs_thread_proc filter_core/filter_session.c:1859
    #4 0x7fc262248856 in gf_fs_run filter_core/filter_session.c:2120
    #5 0x7fc261c86806 in gf_media_import media_tools/media_import.c:1228
    #6 0x559ba631e3b1 in convert_file_info /home/qianshuidewajueji/gpac/applications/mp4box/fileimport.c:130
    #7 0x559ba62eddb5 in mp4box_main /home/qianshuidewajueji/gpac/applications/mp4box/mp4box.c:6302
    #8 0x7fc25ef1e082 in __libc_start_main ../csu/libc-start.c:308

SUMMARY: AddressSanitizer: heap-buffer-overflow ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:790 in __interceptor_memcpy
Shadow bytes around the buggy address:
  0x0c1c7fff8010: 00 00 00 00 00 00 00 00 00 00 00 fa fa fa fa fa
  0x0c1c7fff8020: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c1c7fff8030: 00 00 00 00 00 00 00 fa fa fa fa fa fa fa fa fa
  0x0c1c7fff8040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c1c7fff8050: 00 00 00 fa fa fa fa fa fa fa fa fa 00 00 00 00
=>0x0c1c7fff8060: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00[06]
  0x0c1c7fff8070: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c1c7fff8080: 00 00 00 00 00 00 00 00 00 00 00 fa fa fa fa fa
  0x0c1c7fff8090: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1c7fff80a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1c7fff80b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==4005989==ABORTING
```

# Poc

https://github.com/qianshuidewajueji/poc/blob/main/gpac/mp3_dmx_process_poc3
User: qianshuidewajueji (UID 40731)
Submitted: 10/02/2023 01:56 PM (3 years ago)
Moderation: 15/02/2023 02:33 PM (5 days later)
Status: Approved
VulDB Entry: 221087 [GPAC 2.3-DEV-rev40-g3602a5ded filters/reframe_mp3.c mp3_dmx_process memory corruption]
Points: 17
