Submission #101478: gpac contains Heap-buffer-overflow in function gf_m2ts_process_sdt of media_tools/mpegts.c:828 (Info)

Title: gpac contains Heap-buffer-overflow in function gf_m2ts_process_sdt of media_tools/mpegts.c:828

Description:

## gpac version

```
MP4Box - GPAC version 2.3-DEV-rev35-gbbca86917-master
(c) 2000-2023 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
Please cite our work in your research:
GPAC Filters: https://doi.org/10.1145/3339825.3394929
GPAC: https://doi.org/10.1145/1291233.1291452
GPAC Configuration: --enable-sanitizer --enable-debug
Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_LINUX_DVB GPAC_DISABLE_3D
```

## reproduce step

```
./configure --enable-sanitizer
make
./MP4Box -info poc
```

## asan information

```
=================================================================
==4003817==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x603000001114 at pc 0x7fa5cde90b3b bp 0x7ffe09c26cd0 sp 0x7ffe09c26cc0
READ of size 1 at 0x603000001114 thread T0
    #0 0x7fa5cde90b3a in gf_m2ts_process_sdt media_tools/mpegts.c:828
    #1 0x7fa5cde8cb21 in gf_m2ts_section_complete media_tools/mpegts.c:623
    #2 0x7fa5cde8ff0b in gf_m2ts_gather_section media_tools/mpegts.c:760
    #3 0x7fa5cdeb0db9 in gf_m2ts_process_packet media_tools/mpegts.c:2703
    #4 0x7fa5cdeb3125 in gf_m2ts_process_data media_tools/mpegts.c:2812
    #5 0x7fa5cdeb8145 in gf_m2ts_probe_buffer media_tools/mpegts.c:3196
    #6 0x7fa5cdeb886c in gf_m2ts_probe_data media_tools/mpegts.c:3251
    #7 0x7fa5ceb1df9f in m2tsdmx_probe_data filters/dmx_m2ts.c:1438
    #8 0x7fa5ce8d92a4 in gf_filter_pid_raw_new filter_core/filter.c:4210
    #9 0x7fa5cec2cb68 in filein_process filters/in_file.c:492
    #10 0x7fa5ce8c1be4 in gf_filter_process_task filter_core/filter.c:2828
    #11 0x7fa5ce86c6d7 in gf_fs_thread_proc filter_core/filter_session.c:1859
    #12 0x7fa5ce86fce8 in gf_fs_run filter_core/filter_session.c:2120
    #13 0x7fa5cde7b742 in gf_media_import media_tools/media_import.c:1228
    #14 0x55d5db4c09ab in convert_file_info /root/gpac/applications/mp4box/fileimport.c:130
    #15 0x55d5db47907d in mp4box_main /root/gpac/applications/mp4box/mp4box.c:6302
    #16 0x55d5db47bcc0 in main /root/gpac/applications/mp4box/mp4box.c:6846
    #17 0x7fa5c8e02082 in __libc_start_main ../csu/libc-start.c:308
    #18 0x55d5db439b6d in _start (/root/gpac/bin/gcc/MP4Box+0x104b6d)

Address 0x603000001114 is a wild pointer.
SUMMARY: AddressSanitizer: heap-buffer-overflow media_tools/mpegts.c:828 in gf_m2ts_process_sdt
Shadow bytes around the buggy address:
  0x0c067fff81d0: 00 00 00 fa fa fa 00 00 00 00 fa fa 00 00 00 fa
  0x0c067fff81e0: fa fa fd fd fd fa fa fa fd fd fd fa fa fa fd fd
  0x0c067fff81f0: fd fa fa fa 00 00 01 fa fa fa fd fd fd fa fa fa
  0x0c067fff8200: 00 00 00 03 fa fa 00 00 00 03 fa fa 00 00 00 00
  0x0c067fff8210: fa fa 00 00 04 fa fa fa 00 00 01 fa fa fa fa fa
=>0x0c067fff8220: fa fa[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff8230: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff8240: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff8250: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff8260: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff8270: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==4003817==ABORTING
```
Source: https://github.com/gpac/gpac/issues/2388
User: Tmotfl (UID 41304)
Submitted: 2023-03-14 13:05 (3 years ago)
Moderation: 2023-03-17 07:43 (3 days later)
Status: Accepted
VulDB entry: 223293 [GPAC 2.3-DEV-rev35-gbbca86917-master media_tools/mpegts.c gf_m2ts_process_sdt memory corruption]
Points: 20
