gpac / gpac

GPAC Ultramedia OSS for Video Streaming & Next-Gen Multimedia Transcoding, Packaging & Delivery
https://gpac.io
GNU Lesser General Public License v2.1

heap-buffer-overflow in function mp3_dmx_process #2391

Closed qianshuidewajueji closed 1 year ago

qianshuidewajueji commented 1 year ago

git log
commit bbca869177585aaca8eb66d8541079e6f364798e (HEAD -> master, origin/master, origin/HEAD)
Author: jeanlf <jeanlf@gpac.io>
Date:   Wed Jan 18 11:40:30 2023 +0100

compile setting: ./configure --enable-sanitizer

./MP4Box -info xxx

=================================================================
==2298535==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x606000000839 at pc 0x7ff4a18a8490 bp 0x7ffe6ddf6040 sp 0x7ffe6ddf57e8
READ of size 276 at 0x606000000839 thread T0
    #0 0x7ff4a18a848f in __interceptor_memcpy ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:790
    #1 0x7ff49f1ffc75 in memcpy /usr/include/x86_64-linux-gnu/bits/string_fortified.h:34
    #2 0x7ff49f1ffc75 in mp3_dmx_process filters/reframe_mp3.c:673
    #3 0x7ff49eddf14d in gf_filter_process_task filter_core/filter.c:2828
    #4 0x7ff49eda10e2 in gf_fs_thread_proc filter_core/filter_session.c:1859
    #5 0x7ff49edad8b6 in gf_fs_run filter_core/filter_session.c:2120
    #6 0x7ff49e7eb8a6 in gf_media_import media_tools/media_import.c:1228
    #7 0x5560971a73b1 in convert_file_info /home/qianshuidewajueji/gpac/applications/mp4box/fileimport.c:130
    #8 0x556097176db5 in mp4box_main /home/qianshuidewajueji/gpac/applications/mp4box/mp4box.c:6302
    #9 0x7ff49ba83082 in __libc_start_main ../csu/libc-start.c:308
    #10 0x55609714acfd in _start (/home/qianshuidewajueji/gpac/bin/gcc/MP4Box+0xa3cfd)

0x606000000839 is located 0 bytes to the right of 57-byte region [0x606000000800,0x606000000839)
allocated by thread T0 here:
    #0 0x7ff4a191ac3e in __interceptor_realloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:163
    #1 0x7ff49f2011d8 in mp3_dmx_process filters/reframe_mp3.c:547
    #2 0x7ff49eddf14d in gf_filter_process_task filter_core/filter.c:2828
    #3 0x7ff49eda10e2 in gf_fs_thread_proc filter_core/filter_session.c:1859
    #4 0x7ff49edad8b6 in gf_fs_run filter_core/filter_session.c:2120
    #5 0x7ff49e7eb8a6 in gf_media_import media_tools/media_import.c:1228
    #6 0x5560971a73b1 in convert_file_info /home/qianshuidewajueji/gpac/applications/mp4box/fileimport.c:130
    #7 0x556097176db5 in mp4box_main /home/qianshuidewajueji/gpac/applications/mp4box/mp4box.c:6302
    #8 0x7ff49ba83082 in __libc_start_main ../csu/libc-start.c:308

SUMMARY: AddressSanitizer: heap-buffer-overflow ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:790 in __interceptor_memcpy
Shadow bytes around the buggy address:
  0x0c0c7fff80b0: 00 00 00 00 fa fa fa fa fd fd fd fd fd fd fd fa
  0x0c0c7fff80c0: fa fa fa fa 00 00 00 00 00 00 00 00 fa fa fa fa
  0x0c0c7fff80d0: 00 00 00 00 00 00 00 00 fa fa fa fa 00 00 00 00
  0x0c0c7fff80e0: 00 00 00 00 fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c0c7fff80f0: fa fa fa fa 00 00 00 00 00 00 00 fa fa fa fa fa
=>0x0c0c7fff8100: 00 00 00 00 00 00 00[01]fa fa fa fa 00 00 00 00
  0x0c0c7fff8110: 00 00 00 00 fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c0c7fff8120: fa fa fa fa 00 00 00 00 00 00 00 00 fa fa fa fa
  0x0c0c7fff8130: 00 00 00 00 00 00 00 00 fa fa fa fa 00 00 00 00
  0x0c0c7fff8140: 00 00 00 00 fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c0c7fff8150: fa fa fa fa 00 00 00 00 00 00 00 00 fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==2298535==ABORTING

This vulnerability is capable of crashing software, using an unexpected value, or possibly executing code.

Occurrences

poc: xxx
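The trace above says what went wrong in general terms: memcpy read 276 bytes starting inside a 57-byte heap region that mp3_dmx_process had grown with realloc, so the copy length came from somewhere other than the number of bytes actually buffered. The following C is an added example, not gpac's code, and makes no claim about what reframe_mp3.c does at the cited lines. It models the reframer pattern with a constructed pending-data buffer (`pending_buf`, `pending_append`, `frame_copy_unchecked`, `frame_copy_checked` and the demo functions are all assumed names) and shows the unchecked copy next to a version that validates the header-derived frame length against the buffered byte count before touching memory. The demo replays the report's numbers (57 bytes buffered, 276 requested).

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of a demuxer's pending-data buffer (assumption, not gpac's
 * struct). `data` holds bytes carried over between process() calls; `size` is
 * both the number of valid bytes and the allocation size. */
typedef struct {
    unsigned char *data;
    size_t size;
} pending_buf;

/* Append `n` input bytes, growing the buffer with realloc (the allocation
 * site in the report). Returns 0 on success, -1 on overflow or OOM. */
int pending_append(pending_buf *pb, const unsigned char *src, size_t n)
{
    if (n > SIZE_MAX - pb->size) return -1;
    unsigned char *grown = realloc(pb->data, pb->size + n);
    if (!grown) return -1;
    memcpy(grown + pb->size, src, n);
    pb->data = grown;
    pb->size += n;
    return 0;
}

/* Unchecked copy: trusts a frame length parsed from the bitstream header.
 * When frame_len exceeds pb->size, memcpy reads past the end of the
 * allocation, which is the defect class ASan reports above. Shown only for
 * contrast; nothing in this file calls it. */
void frame_copy_unchecked(unsigned char *dst, const pending_buf *pb, size_t frame_len)
{
    memcpy(dst, pb->data, frame_len);
}

/* Checked copy: the frame length is validated against the bytes actually
 * buffered and against the destination capacity before any memory is read.
 * Returns bytes copied, or 0 when the frame is incomplete or the length is
 * invalid (the caller then waits for more input instead of copying). */
size_t frame_copy_checked(unsigned char *dst, size_t dst_cap,
                          const pending_buf *pb, size_t frame_len)
{
    if (frame_len == 0 || frame_len > pb->size || frame_len > dst_cap)
        return 0;
    memcpy(dst, pb->data, frame_len);
    return frame_len;
}

/* Replay the report's numbers with constructed input: 57 bytes buffered, a
 * header claiming a 276-byte frame. Returns bytes copied by the checked path. */
size_t demo_short_buffer(void)
{
    unsigned char input[57], out[512];
    memset(input, 0xAB, sizeof input);
    pending_buf pb = {0};
    if (pending_append(&pb, input, sizeof input) != 0) return (size_t)-1;
    size_t n = frame_copy_checked(out, sizeof out, &pb, 276);
    free(pb.data);
    return n; /* 0: frame incomplete, no byte read beyond the allocation */
}

/* Two constructed packets (30 + 27 bytes) followed by a 57-byte frame: the
 * checked path copies, and the copy preserves packet order. */
size_t demo_complete_frame(void)
{
    unsigned char pkt1[30], pkt2[27], out[64];
    memset(pkt1, 0x11, sizeof pkt1);
    memset(pkt2, 0x22, sizeof pkt2);
    pending_buf pb = {0};
    if (pending_append(&pb, pkt1, sizeof pkt1) != 0) return (size_t)-1;
    if (pending_append(&pb, pkt2, sizeof pkt2) != 0) return (size_t)-1;
    size_t n = frame_copy_checked(out, sizeof out, &pb, 57);
    if (n == 57 && (out[0] != 0x11 || out[29] != 0x11 ||
                    out[30] != 0x22 || out[56] != 0x22))
        n = 0; /* content mismatch would indicate a copy bug */
    free(pb.data);
    return n; /* 57 */
}

int main(void)
{
    printf("short buffer, 276 requested: copied %zu bytes\n", demo_short_buffer());
    printf("complete 57-byte frame:      copied %zu bytes\n", demo_complete_frame());
    return 0;
}
```

Build it with `-fsanitize=address` and the checked path stays silent on both inputs; the value of the example is the shape of the guard (`frame_len > pb->size`), which has to sit between the header parse and the memcpy rather than after it.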

aureliendavid commented 1 year ago

Hi,

Thanks for the report.

Should now be fixed, reopen if needed.

qianshuidewajueji commented 1 year ago

Can I get a CVE for this report?