gpac / gpac

GPAC Ultramedia OSS for Video Streaming & Next-Gen Multimedia Transcoding, Packaging & Delivery
https://gpac.io
GNU Lesser General Public License v2.1

3 SEGV in MP4Box #2633

Closed rbouqueau closed 1 year ago

rbouqueau commented 1 year ago

Reproduce

./MP4Box -dash 10000 poc

poc: https://github.com/gandalf4a/crash_report/blob/main/gpac/MP4Box/poc2/segv_media

Description

3 SEGV in MP4Box

Version

$ ./MP4Box -version
MP4Box - GPAC version 2.3-DEV-rev566-g50c2ab06f-master

Platform

$ uname -a
Linux user-GE40-2PC-Dragon-Eyes 6.2.0-33-generic #33~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Thu Sep  7 10:33:52 UTC 2 x86_64 x86_64 x86_64 GNU/Linux

Credit

Gandalf4a

Impact

This vulnerability allows a remote attacker to cause a denial of service on an affected gpac MP4Box. Exploiting this vulnerability requires user interaction, as the target must access a malicious page or open a malicious file.
Occurrences

tx3g.c L105

SEGV in /gpac/src/isomedia/tx3g.c:105:46 in gf_isom_get_text_description
poc

https://github.com/gandalf4a/crash_report/blob/main/gpac/MP4Box/poc2/segv_105
asan

[iso file] Unknown box type f0100b in parent tx3g
AddressSanitizer:DEADLYSIGNAL
=================================================================
==723342==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000024 (pc 0x7f9e8457c6ad bp 0x56467ebbcaa0 sp 0x7fff2b899080 T0)
==723342==The signal is caused by a READ memory access.
==723342==Hint: address points to the zero page.
    #0 0x7f9e8457c6ad in gf_isom_get_text_description /home/user/fuzzing_gpac/gpac/src/isomedia/tx3g.c:105:46
    #1 0x7f9e850293c0 in isor_declare_track /home/user/fuzzing_gpac/gpac/src/filters/isoffin_load.c:267:8
    #2 0x7f9e8503e827 in isor_declare_objects /home/user/fuzzing_gpac/gpac/src/filters/isoffin_load.c:1728:3
    #3 0x7f9e8504614f in isoffin_setup /home/user/fuzzing_gpac/gpac/src/filters/isoffin_read.c:181:6
    #4 0x7f9e85043443 in isoffin_configure_pid /home/user/fuzzing_gpac/gpac/src/filters/isoffin_read.c:477:9
    #5 0x7f9e84d0740c in gf_filter_pid_configure /home/user/fuzzing_gpac/gpac/src/filter_core/filter_pid.c:876:6
    #6 0x7f9e84d262a6 in gf_filter_pid_connect_task /home/user/fuzzing_gpac/gpac/src/filter_core/filter_pid.c:1230:3
    #7 0x7f9e84d7d47b in gf_fs_thread_proc /home/user/fuzzing_gpac/gpac/src/filter_core/filter_session.c:2105:3
    #8 0x7f9e84d7b5cf in gf_fs_run /home/user/fuzzing_gpac/gpac/src/filter_core/filter_session.c:2405:3
    #9 0x7f9e8462ac6a in gf_dasher_process /home/user/fuzzing_gpac/gpac/src/media_tools/dash_segmenter.c:1236:6
    #10 0x56467ea9d6dc in do_dash /home/user/fuzzing_gpac/gpac/applications/mp4box/mp4box.c:4831:15
    #11 0x56467ea8eb6e in mp4box_main /home/user/fuzzing_gpac/gpac/applications/mp4box/mp4box.c:6245:7
    #12 0x7f9e83629d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #13 0x7f9e83629e3f in __libc_start_main csu/../csu/libc-start.c:392:3
    #14 0x56467e9b6dd4 in _start (/home/user/fuzzing_gpac/gpac/bin/gcc/MP4Box+0x82dd4) (BuildId: 53333ca7bff59dd9a3d1b2821e7c5f3a9aac76b9)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/user/fuzzing_gpac/gpac/src/isomedia/tx3g.c:105:46 in gf_isom_get_text_description
==723342==ABORTING

isoffin_load.c L92

SEGV in /gpac/bin/gcc/MP4Box+0x11cc00 in __sanitizer::internal_strlen(char const*)
poc

https://github.com/gandalf4a/crash_report/blob/main/gpac/MP4Box/poc2/segv_11cc
asan

/home/user/vul/MP4Box/crashes1/id000400sig11src000359time287654266execs2699429ophavocrep16
[iso file] Unknown box type 110387F4
AddressSanitizer:DEADLYSIGNAL
=================================================================
==741124==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x55e484f78c00 bp 0x7ffec5f6e230 sp 0x7ffec5f6d9e8 T0)
==741124==The signal is caused by a READ memory access.
==741124==Hint: address points to the zero page.
    #0 0x55e484f78c00 in __sanitizer::internal_strlen(char const*) (/home/user/fuzzing_gpac/gpac/bin/gcc/MP4Box+0x11cc00) (BuildId: 53333ca7bff59dd9a3d1b2821e7c5f3a9aac76b9)
    #1 0x55e484f4c461 in strdup (/home/user/fuzzing_gpac/gpac/bin/gcc/MP4Box+0xf0461) (BuildId: 53333ca7bff59dd9a3d1b2821e7c5f3a9aac76b9)
    #2 0x7f475163175d in isor_get_chapters /home/user/fuzzing_gpac/gpac/src/filters/isoffin_load.c:92:20
    #3 0x7f475163175d in isor_declare_track /home/user/fuzzing_gpac/gpac/src/filters/isoffin_load.c:1187:3
    #4 0x7f475163e827 in isor_declare_objects /home/user/fuzzing_gpac/gpac/src/filters/isoffin_load.c:1728:3
    #5 0x7f475164614f in isoffin_setup /home/user/fuzzing_gpac/gpac/src/filters/isoffin_read.c:181:6
    #6 0x7f4751643443 in isoffin_configure_pid /home/user/fuzzing_gpac/gpac/src/filters/isoffin_read.c:477:9
    #7 0x7f475130740c in gf_filter_pid_configure /home/user/fuzzing_gpac/gpac/src/filter_core/filter_pid.c:876:6
    #8 0x7f47513262a6 in gf_filter_pid_connect_task /home/user/fuzzing_gpac/gpac/src/filter_core/filter_pid.c:1230:3
    #9 0x7f475137d47b in gf_fs_thread_proc /home/user/fuzzing_gpac/gpac/src/filter_core/filter_session.c:2105:3
    #10 0x7f475137b5cf in gf_fs_run /home/user/fuzzing_gpac/gpac/src/filter_core/filter_session.c:2405:3
    #11 0x7f4750c2ac6a in gf_dasher_process /home/user/fuzzing_gpac/gpac/src/media_tools/dash_segmenter.c:1236:6
    #12 0x55e484fc56dc in do_dash /home/user/fuzzing_gpac/gpac/applications/mp4box/mp4box.c:4831:15
    #13 0x55e484fb6b6e in mp4box_main /home/user/fuzzing_gpac/gpac/applications/mp4box/mp4box.c:6245:7
    #14 0x7f474fc29d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #15 0x7f474fc29e3f in __libc_start_main csu/../csu/libc-start.c:392:3
    #16 0x55e484ededd4 in _start (/home/user/fuzzing_gpac/gpac/bin/gcc/MP4Box+0x82dd4) (BuildId: 53333ca7bff59dd9a3d1b2821e7c5f3a9aac76b9)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/home/user/fuzzing_gpac/gpac/bin/gcc/MP4Box+0x11cc00) (BuildId: 53333ca7bff59dd9a3d1b2821e7c5f3a9aac76b9) in __sanitizer::internal_strlen(char const*)
==741124==ABORTING

media.c L144

SEGV in /gpac/src/isomedia/media.c in Media_GetESD

asan

[iso file] Unknown box type ysrC in parent lsr1
[iso file] Unknown top-level box type 08B0AB00
[iso file] Unknown box type ysrC in parent lsr1
[iso file] Unknown top-level box type 08B0AB00
AddressSanitizer:DEADLYSIGNAL
=================================================================
==709034==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000030 (pc 0x7fea150f47e4 bp 0x7ffcd94d09b0 sp 0x7ffcd94d06a0 T0)
==709034==The signal is caused by a READ memory access.
==709034==Hint: address points to the zero page.
    #0 0x7fea150f47e4 in Media_GetESD /home/user/fuzzing_gpac/gpac/src/isomedia/media.c
    #1 0x7fea151699d6 in GetESD /home/user/fuzzing_gpac/gpac/src/isomedia/track.c:86:6
    #2 0x7fea1516cbe9 in GetESDForTime /home/user/fuzzing_gpac/gpac/src/isomedia/track.c:325:9
    #3 0x7fea15055202 in gf_isom_get_root_od /home/user/fuzzing_gpac/gpac/src/isomedia/isom_read.c:792:23
    #4 0x7fea1549ded7 in gf_sm_load_init_isom /home/user/fuzzing_gpac/gpac/src/scene_manager/loader_isom.c:369:47
    #5 0x7fea1544c4ee in gf_sm_load_init /home/user/fuzzing_gpac/gpac/src/scene_manager/scene_manager.c:697:10
    #6 0x55f84837059a in dump_isom_scene /home/user/fuzzing_gpac/gpac/applications/mp4box/filedump.c:208:6
    #7 0x55f848358c0a in mp4box_main /home/user/fuzzing_gpac/gpac/applications/mp4box/mp4box.c:6467:7
    #8 0x7fea14229d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #9 0x7fea14229e3f in __libc_start_main csu/../csu/libc-start.c:392:3
    #10 0x55f84827fdd4 in _start (/home/user/fuzzing_gpac/gpac/bin/gcc/MP4Box+0x82dd4) (BuildId: 53333ca7bff59dd9a3d1b2821e7c5f3a9aac76b9)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/user/fuzzing_gpac/gpac/src/isomedia/media.c in Media_GetESD
==709034==ABORTING
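The three ASAN reports above share one crash class: each faults on a READ of a zero-page address (0x24, 0x0 and 0x30 respectively), that is a NULL pointer plus a small field offset (or, in the second report, strlen(NULL) reached through strdup), and each follows a parser warning about an unknown box. Added illustration of that class in C; this is not GPAC's code and not the reporter's poc. It assumes, for illustration only, a text sample entry whose optional 'ftab' child box is missing because a fuzzed file clobbered its type; the struct layout, the function names, the sample bytes, and the idea that a missing child is what tx3g.c:105 dereferences are all constructed here and not confirmed by the page. The unchecked getter is the pattern behind a zero-page SEGV; the checked getter returns an error instead of crashing.

```c
/*
 * Constructed illustration of the crash class in this report (NOT GPAC code):
 * a sample-entry getter that dereferences an optional child box which the
 * parser never filled in because the input carried an unknown box in its
 * place. Box layout is plain ISOBMFF ([size:4][type:4][payload]); the struct
 * names, the 'ftab'-under-'tx3g' relationship and the sample bytes are
 * illustrative assumptions.
 */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define FOURCC(a, b, c, d) \
    (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | ((uint32_t)(c) << 8) | (uint32_t)(d))

typedef struct {            /* stands in for a parsed 'ftab' (font table) box */
    uint16_t font_id;
} FontTable;

typedef struct {            /* stands in for a parsed 'tx3g' text sample entry */
    uint32_t display_flags;
    FontTable *ftab;        /* optional child; NULL when absent or replaced */
} TextSampleEntry;

static uint32_t rd32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Walk the child boxes of a tx3g payload. Unknown children are skipped with a
 * warning, which is the situation the "[iso file] Unknown box type ... in
 * parent tx3g" line in the ASAN log describes. Returns 0 on success, -1 on
 * malformed (truncated or oversized) input. */
static int parse_tx3g_children(const uint8_t *buf, size_t len, TextSampleEntry *out) {
    size_t off = 0;
    while (off + 8 <= len) {
        uint32_t size = rd32(buf + off), type = rd32(buf + off + 4);
        if (size < 8 || size > len - off)       /* box does not fit in the payload */
            return -1;
        if (type == FOURCC('f', 't', 'a', 'b')) {
            if (size < 10) return -1;           /* need at least the 2-byte font_id */
            FontTable *ft = calloc(1, sizeof *ft);
            if (!ft) return -1;
            ft->font_id = (uint16_t)((buf[off + 8] << 8) | buf[off + 9]);
            free(out->ftab);                    /* last one wins if duplicated */
            out->ftab = ft;
        } else {
            printf("[iso file] Unknown box type %08X in parent tx3g\n", type);
        }
        off += size;
    }
    return 0;
}

/* Unchecked getter: the pattern behind a zero-page SEGV. When ftab is NULL the
 * load reads address 0 + offsetof(FontTable, font_id), which ASAN reports as
 * "SEGV on unknown address ... Hint: address points to the zero page". */
static uint16_t text_font_id_unchecked(const TextSampleEntry *e) {
    return e->ftab->font_id;
}

/* Checked getter: an optional child is validated before use, so a hostile file
 * yields a parse error instead of a process crash (the denial of service). */
static int text_font_id_checked(const TextSampleEntry *e, uint16_t *font_id) {
    if (!e || !e->ftab) return -1;
    *font_id = e->ftab->font_id;
    return 0;
}

/* Parse a tx3g payload and fetch the font id through the checked path.
 * Returns 0 and sets *font_id, or -1 when the child is absent or malformed. */
static int font_id_from_payload(const uint8_t *buf, size_t len, uint16_t *font_id) {
    TextSampleEntry e = {0};
    int rc = parse_tx3g_children(buf, len, &e);
    if (rc == 0) rc = text_font_id_checked(&e, font_id);
    free(e.ftab);
    return rc;
}

/* Constructed sample inputs (not the reporter's poc files). */
static const uint8_t WELL_FORMED[] = { 0,0,0,10, 'f','t','a','b', 0x00,0x07 }; /* font_id 7 */
static const uint8_t FUZZED[]      = { 0,0,0,10, 'f','t','a','X', 0x00,0x07 }; /* type clobbered */

int main(void) {
    uint16_t id = 0;
    int ok  = font_id_from_payload(WELL_FORMED, sizeof WELL_FORMED, &id);
    int bad = font_id_from_payload(FUZZED, sizeof FUZZED, &id);
    printf("well-formed: rc=%d font_id=%u\n", ok, id);
    printf("fuzzed:      rc=%d (error returned, no crash)\n", bad);
    /* Calling text_font_id_unchecked() on the fuzzed entry is the SEGV shape
     * seen in the report; it is deliberately not called here. */
    (void)text_font_id_unchecked;
    return 0;
}
```

The triage lesson carries over to the other two frames: a fault address within the first page on a READ, with no ASAN shadow-memory report, is a NULL (or NULL-plus-field) dereference, which crashes the process but does not by itself give an attacker a write primitive; the fix is a presence check at the point where an optional structure is consumed, and the `strdup` case in `isor_get_chapters` is the same check applied to a string pointer before it is copied.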

gandalf4a commented 1 year ago

Can this vulnerability be applied for a CVE? As well as several other vulnerabilities I submitted.

rbouqueau commented 1 year ago

Please see on huntr.dev where this issue was first reported.