Submission #755029: CCExtractor ccextractor c65fb08 Memory Corruption (info)

Title: CCExtractor ccextractor c65fb08 Memory Corruption
Description:

### Description

We discovered a Segmentation Fault in ccextractor. The crash occurs in the processmp4 function when attempting to log a message using mprint. The ASAN report indicates a SEGV caused by a READ memory access on the address 0xbebebebebebebebe. This specific pattern (0xBE) typically indicates that the application is accessing memory that has been freed (Use-After-Free) or is uninitialized, passing a dangling pointer to strlen via printf.

Vendor confirmed and fixed this vulnerability in commit [fd7271b](https://github.com/CCExtractor/ccextractor/commit/fd7271bae238ccb3ae8a71304ea64f0886324925).

### Environment

- OS: Linux x86_64
- Compiler: Clang
- Build Configuration: Release mode with ASan enabled.

### Vulnerability Details

- Target: CCExtractor
- Vulnerability Type: CWE-416: Use After Free / CWE-457: Use of Uninitialized Memory
- Function: processmp4 -> mprint
- Location: src/lib_ccx/mp4.c:902
- Root Cause Analysis: The crash happens at line 902 of src/lib_ccx/mp4.c inside a call to mprint. mprint acts as a wrapper for vfprintf. The crash trace ends in internal_strlen, implying mprint is parsing a format string (likely containing %s) and trying to calculate the length of the corresponding string argument. The register rdi holds 0xbebebebebebebebe. In many debugging environments and sanitizers (like ASAN with specific flags or certain allocators), 0xBE is used to poison freed memory. This suggests that processmp4 is holding a pointer to an MP4 box name or data buffer that has already been freed, and it attempts to print this name for logging/debugging purposes.

### Reproduce

1. Build ccextractor with Release optimization and ASAN enabled.
2. Run with the crashing [file](https://github.com/oneafter/0123/blob/main/cc3/repro):

```
./build/ccextractor repro
```

<details>
<summary>ASAN report</summary>

```
AddressSanitizer:DEADLYSIGNAL
=================================================================
==68859==ERROR: AddressSanitizer: SEGV on unknown address (pc 0x55919c919330 bp 0x7ffe82f56ff0 sp 0x7ffe82f56768 T0)
==68859==The signal is caused by a READ memory access.
==68859==Hint: this fault was caused by a dereference of a high value address (see register values below).  Disassemble the provided pc to learn which register was used.
    #0 0x55919c919330 in __sanitizer::internal_strlen(char const*) (/src/ccextractor/build_afl/ccextractor+0x1ab330) (BuildId: 144afa46e860f46ef2c26b7a110ecb6056d5f015)
    #1 0x55919c886646 in printf_common(void*, char const*, __va_list_tag*) asan_interceptors.cpp.o
    #2 0x55919c886c9f in vfprintf (/src/ccextractor/build_afl/ccextractor+0x118c9f) (BuildId: 144afa46e860f46ef2c26b7a110ecb6056d5f015)
    #3 0x55919ce41340 in mprint /src/ccextractor/src/lib_ccx/utility.c:194:2
    #4 0x55919cde315e in processmp4 /src/ccextractor/src/lib_ccx/mp4.c:902:2
    #5 0x55919caa0d2f in start_ccx /src/ccextractor/src/ccextractor.c:237:12
    #6 0x7f0e2771d1c9  (/lib/x86_64-linux-gnu/libc.so.6+0x2a1c9) (BuildId: 274eec488d230825a136fa9c4d85370fed7a0a5e)
    #7 0x7f0e2771d28a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2a28a) (BuildId: 274eec488d230825a136fa9c4d85370fed7a0a5e)
    #8 0x55919c860404 in _start (/src/ccextractor/build_afl/ccextractor+0xf2404) (BuildId: 144afa46e860f46ef2c26b7a110ecb6056d5f015)

==68859==Register values:
rax = 0xffffffffffffffff  rbx = 0x00007ffe82f57000  rcx = 0x0000000000000010  rdx = 0x0000000000000073
rdi = 0xbebebebebebebebe  rsi = 0x0000000000000000  rbp = 0x00007ffe82f56ff0  rsp = 0x00007ffe82f56768
 r8 = 0x0000000000000007   r9 = 0xf9f90700f9f9f901  r10 = 0x3ffffffffffffff8  r11 = 0x0000000000000000
r12 = 0x000055919d23d2c4  r13 = 0x0000000000000073  r14 = 0xbebebebebebebebe  r15 = 0x000055919d2fe1eb
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/src/ccextractor/build_afl/ccextractor+0x1ab330) (BuildId: 144afa46e860f46ef2c26b7a110ecb6056d5f015) in __sanitizer::internal_strlen(char const*)
==68859==ABORTING
```

</details>

Source: ⚠️ https://github.com/CCExtractor/ccextractor/issues/2055
User: Oneafter (UID 92781)
Submission: 2026-02-10 03:04 AM (3 months ago)
Moderation: 2026-02-20 06:15 PM (11 days later)
Status: Accepted
VulDB entry: 347182 [CCExtractor up to 0.96.5 src/lib_ccx/mp4.c processmp4 memory corruption]
Points: 20
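
A small triage helper for ASAN reports like the one in this submission, added here as an example (it is not part of the submission or of CCExtractor): it extracts the symbolized project frames and flags registers that hold a repeated-byte fill pattern such as 0xbebebebebebebebe. The function names are hypothetical and the sample is an excerpt of the report above, trimmed for length.

```python
import re

# Constructed sample: excerpt of the ASAN report in this submission (BuildIds and some lines trimmed).
SAMPLE_REPORT = """\
==68859==ERROR: AddressSanitizer: SEGV on unknown address (pc 0x55919c919330 bp 0x7ffe82f56ff0 sp 0x7ffe82f56768 T0)
    #0 0x55919c919330 in __sanitizer::internal_strlen(char const*) (/src/ccextractor/build_afl/ccextractor+0x1ab330)
    #1 0x55919c886646 in printf_common(void*, char const*, __va_list_tag*) asan_interceptors.cpp.o
    #2 0x55919c886c9f in vfprintf (/src/ccextractor/build_afl/ccextractor+0x118c9f)
    #3 0x55919ce41340 in mprint /src/ccextractor/src/lib_ccx/utility.c:194:2
    #4 0x55919cde315e in processmp4 /src/ccextractor/src/lib_ccx/mp4.c:902:2
==68859==Register values:
rax = 0xffffffffffffffff  rbx = 0x00007ffe82f57000  rcx = 0x0000000000000010  rdx = 0x0000000000000073
rdi = 0xbebebebebebebebe  rsi = 0x0000000000000000  rbp = 0x00007ffe82f56ff0  rsp = 0x00007ffe82f56768
r12 = 0x000055919d23d2c4  r13 = 0x0000000000000073  r14 = 0xbebebebebebebebe  r15 = 0x000055919d2fe1eb
"""

# "#N 0xADDR in FUNC path/file.c:LINE[:COL]" -- only frames symbolized down to file:line match.
FRAME_RE = re.compile(r"#(\d+) 0x[0-9a-f]+ in (.+?) (\S+\.[ch](?:pp)?):(\d+)(?::\d+)?\s*$", re.M)
# "reg = 0x" followed by exactly 16 hex digits, as printed in the x86_64 register dump.
REG_RE = re.compile(r"\b([a-z][a-z0-9]{1,2}) = 0x([0-9a-f]{16})\b")


def fill_pattern_registers(report):
    """Map register name -> fill byte for registers made of one repeated byte (not 0x00/0xff)."""
    hits = {}
    for name, hexval in REG_RE.findall(report):
        raw = bytes.fromhex(hexval)
        if len(set(raw)) == 1 and raw[0] not in (0x00, 0xFF):
            hits[name] = raw[0]
    return hits


def project_frames(report, internal=("sanitizer", "asan", "interceptor")):
    """Symbolized frames (innermost first), skipping sanitizer runtime and interceptor frames."""
    frames = []
    for num, func, path, line in FRAME_RE.findall(report):
        if not any(tag in func or tag in path for tag in internal):
            frames.append((int(num), func, path, int(line)))
    return frames


def triage(report):
    """Summarize where project code faulted and which registers carry a fill pattern."""
    frames = project_frames(report)
    return {
        "fault_site": frames[0] if frames else None,
        "caller": frames[1] if len(frames) > 1 else None,
        "fill_registers": fill_pattern_registers(report),
    }


if __name__ == "__main__":
    print(triage(SAMPLE_REPORT))
```
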
