Submit #101479: gpac contains double free in gf_av1_reset_state media_tools/av_parsers.c:4024

Title: gpac contains double free in gf_av1_reset_state media_tools/av_parsers.c:4024
Description:

## version

```
MP4Box - GPAC version 2.3-DEV-rev35-gbbca86917-master
(c) 2000-2023 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
Please cite our work in your research:
	GPAC Filters: https://doi.org/10.1145/3339825.3394929
	GPAC: https://doi.org/10.1145/1291233.1291452
GPAC Configuration: --enable-sanitizer --enable-debug
Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_LINUX_DVB GPAC_DISABLE_3D
```

## reproduce

```sh
./configure --enable-sanitizer
make
./MP4Box -info poc
```

## asan information

```
[AV1] unknown OBU type 12 (size 100). Skipping.
[AV1] unknown OBU type 12 (size 100). Skipping.
[AV1] unknown OBU type 12 (size 100). Skipping.
[AV1] unknown OBU type 12 (size 100). Skipping.
[AV1] unknown OBU type 12 (size 100). Skipping.
[AV1] unknown OBU type 12 (size 100). Skipping.
[AV1] unknown OBU type 12 (size 100). Skipping.
[AV1] unknown OBU type 12 (size 100). Skipping.
[AV1] unknown OBU type 12 (size 100). Skipping.
[AV1] unknown OBU type 12 (size 100). Skipping.
[AV1] unknown OBU type 12 (size 100). Skipping.
[AV1] unknown OBU type 12 (size 100). Skipping.
[AV1] computed OBU size -1 (input value = 0). Skipping.
=================================================================
==4000990==ERROR: AddressSanitizer: attempting double-free on 0x615000013400 in thread T0:
    #0 0x7fe4a288c40f in __interceptor_free ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:122
    #1 0x7fe49b5abbd9 in gf_free utils/alloc.c:165
    #2 0x7fe49c378e6f in gf_av1_reset_state media_tools/av_parsers.c:4024
    #3 0x7fe49d61b5db in av1dmx_finalize filters/reframe_av1.c:1246
    #4 0x7fe49ce06b63 in gf_fs_del filter_core/filter_session.c:771
    #5 0x7fe49c42688d in gf_media_import media_tools/media_import.c:1293
    #6 0x55a5ca2469ab in convert_file_info /root/gpac/applications/mp4box/fileimport.c:130
    #7 0x55a5ca1ff07d in mp4box_main /root/gpac/applications/mp4box/mp4box.c:6302
    #8 0x55a5ca201cc0 in main /root/gpac/applications/mp4box/mp4box.c:6846
    #9 0x7fe4973ab082 in __libc_start_main ../csu/libc-start.c:308
    #10 0x55a5ca1bfb6d in _start (/root/gpac/bin/gcc/MP4Box+0x104b6d)

0x615000013400 is located 0 bytes inside of 512-byte region [0x615000013400,0x615000013600)
freed by thread T0 here:
    #0 0x7fe4a288cc3e in __interceptor_realloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:163
    #1 0x7fe49b5abbbb in gf_realloc utils/alloc.c:160
    #2 0x7fe49b58ae0e in gf_bs_write_data utils/bitstream.c:1059
    #3 0x7fe49c3667af in av1_add_obu_internal media_tools/av_parsers.c:2519
    #4 0x7fe49c36785c in av1_populate_state_from_obu media_tools/av_parsers.c:2596
    #5 0x7fe49c367d8f in aom_av1_parse_temporal_unit_from_section5 media_tools/av_parsers.c:2623
    #6 0x7fe49d616bd4 in av1dmx_parse_av1 filters/reframe_av1.c:1006
    #7 0x7fe49d6179ee in av1dmx_process_buffer filters/reframe_av1.c:1084
    #8 0x7fe49d61b0ff in av1dmx_process filters/reframe_av1.c:1225
    #9 0x7fe49ce6abe4 in gf_filter_process_task filter_core/filter.c:2828
    #10 0x7fe49ce156d7 in gf_fs_thread_proc filter_core/filter_session.c:1859
    #11 0x7fe49ce18ce8 in gf_fs_run filter_core/filter_session.c:2120
    #12 0x7fe49c424742 in gf_media_import media_tools/media_import.c:1228
    #13 0x55a5ca2469ab in convert_file_info /root/gpac/applications/mp4box/fileimport.c:130
    #14 0x55a5ca1ff07d in mp4box_main /root/gpac/applications/mp4box/mp4box.c:6302
    #15 0x55a5ca201cc0 in main /root/gpac/applications/mp4box/mp4box.c:6846
    #16 0x7fe4973ab082 in __libc_start_main ../csu/libc-start.c:308

previously allocated by thread T0 here:
    #0 0x7fe4a288c808 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:144
    #1 0x7fe49b5abb69 in gf_malloc utils/alloc.c:150
    #2 0x7fe49b57ab5d in gf_bs_new utils/bitstream.c:154
    #3 0x7fe49c3661b6 in av1_add_obu_internal media_tools/av_parsers.c:2492
    #4 0x7fe49c36785c in av1_populate_state_from_obu media_tools/av_parsers.c:2596
    #5 0x7fe49c367d8f in aom_av1_parse_temporal_unit_from_section5 media_tools/av_parsers.c:2623
    #6 0x7fe49d606a79 in av1dmx_check_format filters/reframe_av1.c:269
    #7 0x7fe49d617838 in av1dmx_process_buffer filters/reframe_av1.c:1075
    #8 0x7fe49d61b0ff in av1dmx_process filters/reframe_av1.c:1225
    #9 0x7fe49ce6abe4 in gf_filter_process_task filter_core/filter.c:2828
    #10 0x7fe49ce156d7 in gf_fs_thread_proc filter_core/filter_session.c:1859
    #11 0x7fe49ce18ce8 in gf_fs_run filter_core/filter_session.c:2120
    #12 0x7fe49c424742 in gf_media_import media_tools/media_import.c:1228
    #13 0x55a5ca2469ab in convert_file_info /root/gpac/applications/mp4box/fileimport.c:130
    #14 0x55a5ca1ff07d in mp4box_main /root/gpac/applications/mp4box/mp4box.c:6302
    #15 0x55a5ca201cc0 in main /root/gpac/applications/mp4box/mp4box.c:6846
    #16 0x7fe4973ab082 in __libc_start_main ../csu/libc-start.c:308

SUMMARY: AddressSanitizer: double-free ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:122 in __interceptor_free
==4000990==ABORTING
```
Source: https://github.com/gpac/gpac/issues/2387
User: Tmotfl (UID 41304)
Submitted: 14/03/2023 13:07 (3 years ago)
Moderated: 17/03/2023 07:44 (3 days later)
Status: Accepted
VulDB entry: 223294 [GPAC 2.3-DEV-rev35-gbbca86917-master media_tools/av_parsers.c gf_av1_reset_state buffer overflow]
Points: 20
