gif2png 2.5.13 has a memory leak in the writefile function.

@zer0yu Hi, I had some tests on gif2png. But I need your help.

I used valgrind to check the memory leakage by executing `valgrind --leak-check=full ./gif2png -r poc`, and here is the output message.

    ==25395==
    ==25395== HEAP SUMMARY:
    ==25395==     in use at exit: 91,120 bytes in 136 blocks
    ==25395==   total heap usage: 602 allocs, 466 frees, 1,177,468 bytes allocated
    ==25395==
    ==25395== 8,704 bytes in 34 blocks are definitely lost in loss record 1 of 3
    ==25395==    at 0x4C2FB0F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
    ==25395==    by 0x10CC48: xalloc (memory.c:17)
    ==25395==    by 0x10BEF3: ReadImage (gifread.c:662)
    ==25395==    by 0x10C646: ReadGIF (gifread.c:218)
    ==25395==    by 0x10B0A1: processfile.part.0 (gif2png.c:707)
    ==25395==    by 0x109A2B: processfile (stdio2.h:97)
    ==25395==    by 0x109A2B: main (gif2png.c:987)
    ==25395==
    ==25395== 18,360 bytes in 51 blocks are definitely lost in loss record 2 of 3
    ==25395==    at 0x4C2FB0F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
    ==25395==    by 0x4E40F32: png_create_info_struct (in /usr/lib/x86_64-linux-gnu/libpng16.so.16.34.0)
    ==25395==    by 0x109F9C: writefile (gif2png.c:157)
    ==25395==    by 0x10B29D: processfile.part.0 (gif2png.c:788)
    ==25395==    by 0x109A2B: processfile (stdio2.h:97)
    ==25395==    by 0x109A2B: main (gif2png.c:987)
    ==25395==
    ==25395== 64,056 bytes in 51 blocks are definitely lost in loss record 3 of 3
    ==25395==    at 0x4C2FB0F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
    ==25395==    by 0x4E46E81: png_malloc_warn (in /usr/lib/x86_64-linux-gnu/libpng16.so.16.34.0)
    ==25395==    by 0x4E40E8F: ??? (in /usr/lib/x86_64-linux-gnu/libpng16.so.16.34.0)
    ==25395==    by 0x4E4A40C: png_create_read_struct_2 (in /usr/lib/x86_64-linux-gnu/libpng16.so.16.34.0)
    ==25395==    by 0x4E4A460: png_create_read_struct (in /usr/lib/x86_64-linux-gnu/libpng16.so.16.34.0)
    ==25395==    by 0x109F86: writefile (gif2png.c:151)
    ==25395==    by 0x10B29D: processfile.part.0 (gif2png.c:788)
    ==25395==    by 0x109A2B: processfile (stdio2.h:97)
    ==25395==    by 0x109A2B: main (gif2png.c:987)
    ==25395==
    ==25395== LEAK SUMMARY:
    ==25395==    definitely lost: 91,120 bytes in 136 blocks
    ==25395==    indirectly lost: 0 bytes in 0 blocks
    ==25395==      possibly lost: 0 bytes in 0 blocks
    ==25395==    still reachable: 0 bytes in 0 blocks
    ==25395==         suppressed: 0 bytes in 0 blocks
    ==25395==
    ==25395== For counts of detected and suppressed errors, rerun with: -v
    ==25395== ERROR SUMMARY: 3 errors from 3 contexts (suppressed: 0 from 0)
    

We can see the key function `png_malloc_warn` and `png_create_info_struct`. Although the program did not crash, the output message was similar to the error information offered by @zer0yu .

So I reviewed the gif2png source code, whose git-tag was 2.5.9 and commit id was `b6c6bb`. The function `wirtefile` of gif2png calls `png_create_read_struct` and `png_create_info_struct`. That will cause libpng to allocate memory. But `png_destroy_read_struct` is not called to free the memory after that.

Here is my patch to fixed it.

    diff --git a/gif2png.c b/gif2png.c
    index 8a3d1c1..25537a5
    --- a/gif2png.c
    +++ b/gif2png.c
    @@ -311,6 +311,7 @@ static int writefile(struct GIFelement *s, struct GIFelement *e,
             (void)free(info_ptr);
             return 1;
         }
    +    png_destroy_read_struct(&png_ptr, &info_ptr, NULL);
    
         /* Create and initialize the png_struct with the desired error handler
          * functions.  If you want to use the default stderr and longjump method,
    diff --git a/gifread.c b/gifread.c
    index 6995c3a..f48ab65
    --- a/gifread.c
    +++ b/gifread.c
    @@ -727,9 +727,11 @@ ReadImage(FILE *fd, int x_off, int y_off, int width, int height,
                             goto fini;
                         } else {
                             (void)check_recover(true);
    +                        (void)free(image);
                             return(true);
                         }
                     } else {
    +                    (void)free(image);
                         return(true);
                     }
                 }
    

And here is the new output message

    ==27072== HEAP SUMMARY:
    ==27072==     in use at exit: 0 bytes in 0 blocks
    ==27072==   total heap usage: 602 allocs, 602 frees, 1,177,468 bytes allocated
    ==27072==
    ==27072== All heap blocks were freed -- no leaks are possible
    ==27072==
    ==27072== For counts of detected and suppressed errors, rerun with: -v
    ==27072== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 0 from 0)
    

0 error!

So my conclusion is that: the memory leakage is caused by **gif2png** but **NOT libpng**.  
But I need some more information from @zer0yu to further confirm it.  
My env:

    Ubuntu 18.04 x86_64
    valgrind-3.13.0
    gcc 7.4
    libpng-dev 1.6.34

CVE-2019-17371: memory leak in png_malloc_warn and png_create_info_struct · Issue #307 · glennrp/libpng

In the Linux kernel before 5.2.14, rds6_inc_info_copy in net/rds/recv.c allows attackers to obtain sensitive information from kernel stack memory because tos and flags fields are not initialized.

CVE-2019-16714

ffjpeg before 2019-08-21 has a heap-based buffer overflow in jfif_load() at jfif.c.

New issue

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed

Marsman1996 opened this issue

Aug 18, 2019

· 10 comments

**Comments**

**Test Environment**

Ubuntu 14.04, 64bit, ffjpeg(master 627c8a9)

**How to trigger**

1.  compile ffjpeg with cmake file from CMake Support && FPE on unknown address #6
2.  $ ./ffjpeg -d $POC

**POC file**

https://github.com/Marsman1996/pocs/blob/master/ffjpeg/poc22-jfif\_load-heapoverflow

**Details****Asan report**

    =================================================================
    ==17308== ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60340000fef8 at pc 0x402fec bp 0x7ffc051db980 sp 0x7ffc051db978
    WRITE of size 4 at 0x60340000fef8 thread T0
        #0 0x402feb in jfif_load /home/aota10/MARS_fuzzcompare/test/ffjpeg/code/jfif.c:187
        #1 0x401a59 in main /home/aota10/MARS_fuzzcompare/test/ffjpeg/code/ffjpeg.c:24
        #2 0x7f5291e9bf44 (/lib/x86_64-linux-gnu/libc.so.6+0x21f44)
        #3 0x401858 in _start (/home/aota10/MARS_fuzzcompare/test/ffjpeg/bin_asan/bin/ffjpeg+0x401858)
    0x60340000fef8 is located 0 bytes to the right of 504-byte region [0x60340000fd00,0x60340000fef8)
    allocated by thread T0 here:
        #0 0x7f52922584e5 (/usr/lib/x86_64-linux-gnu/libasan.so.0+0x154e5)
        #1 0x40293b in jfif_load /home/aota10/MARS_fuzzcompare/test/ffjpeg/code/jfif.c:154
        #2 0x401a59 in main /home/aota10/MARS_fuzzcompare/test/ffjpeg/code/ffjpeg.c:24
        #3 0x7f5291e9bf44 (/lib/x86_64-linux-gnu/libc.so.6+0x21f44)
    SUMMARY: AddressSanitizer: heap-buffer-overflow /home/aota10/MARS_fuzzcompare/test/ffjpeg/code/jfif.c:187 jfif_load
    Shadow bytes around the buggy address:
      0x0c06ffff9f80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c06ffff9f90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c06ffff9fa0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c06ffff9fb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c06ffff9fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    =>0x0c06ffff9fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00[fa]
      0x0c06ffff9fe0:fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c06ffff9ff0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c06ffffa000: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c06ffffa010: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c06ffffa020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:     fa
      Heap righ redzone:     fb
      Freed Heap region:     fd
      Stack left redzone:    f1
      Stack mid redzone:     f2
      Stack right redzone:   f3
      Stack partial redzone: f4
      Stack after return:    f5
      Stack use after scope: f8
      Global redzone:        f9
      Global init order:     f6
      Poisoned by user:      f7
      ASan internal:         fe
    ==17308== ABORTING
    

**GDB report**

    Starting program: /home/aota10/MARS_fuzzcompare/test/ffjpeg/build_normal/ffjpeg -d poc22-jfif_load-heapoverflow 
    file eof !
    *** Error in `/home/aota10/MARS_fuzzcompare/test/ffjpeg/build_normal/ffjpeg': munmap_chunk(): invalid pointer: 0x000000000060a210 ***
    
    Program received signal SIGABRT, Aborted.
    0x00007ffff7a47c37 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
    56      ../nptl/sysdeps/unix/sysv/linux/raise.c: No such file or directory.
    (gdb) bt
    #0  0x00007ffff7a47c37 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
    #1  0x00007ffff7a4b028 in __GI_abort () at abort.c:89
    #2  0x00007ffff7a842a4 in __libc_message (do_abort=do_abort@entry=1, 
        fmt=fmt@entry=0x7ffff7b96350 "*** Error in `%s': %s: 0x%s ***\n") at ../sysdeps/posix/libc_fatal.c:175
    #3  0x00007ffff7a8f007 in malloc_printerr (action=<optimized out>, 
        str=0x7ffff7b966d0 "munmap_chunk(): invalid pointer", ptr=<optimized out>) at malloc.c:4998
    #4  0x0000000000402416 in jfif_load (file=0x7fffffffe58c "poc22-jfif_load-heapoverflow")
        at /home/aota10/MARS_fuzzcompare/test/ffjpeg/code/jfif.c:257
    #5  0x000000000040165b in main (argc=3, argv=0x7fffffffe298)
        at /home/aota10/MARS_fuzzcompare/test/ffjpeg/code/ffjpeg.c:24
    (gdb) 
    

rockcarry added a commit that referenced this issue

Aug 19, 2019

i make a new commit

commit b3039ae

which fix issue #10 #11 and #12

can you test again ?

This was referenced

Aug 19, 2019

Copy link

Contributor Author

Hi, I tested it with commit b3039ae

but there still exists some buffer overflows in jfif.c:195; jfif.c:216, jfif.c:228 and jfif.c:231

here are the POCs and asan log  
asan.log  
ffjpeg\_poc.zip

rockcarry added a commit that referenced this issue

Aug 19, 2019

Copy link

Contributor Author

Hi,

I tested it with commit 6bc54ed

and AddressSanitizer still reports heap-buffer-overflow in jfif.c:216 and jfif.c:231, which is caused by  
id:000026 & id:000029 in the ffjpeg\_poc.zip above.

to use AddressSanitizer you can compile program with cmd

    $ CC="gcc -fsanitize=address -g" CXX="g++ -fsanitize=address -g"  cmake .
    $ make
    

Cheers

are the test case 16 & 25 pass your testing ?  
and the case 26 & 29 still failed ?

I don't have the test enviroment, can you tell me how to install the AddressSanitizer?

Copy link

Contributor Author

Hi,

> are the test case 16 & 25 pass your testing ?  
> and the case 26 & 29 still failed ?

Yes, 26 & 29 still fail while 16 & 25 pass.

> I don't have the test enviroment, can you tell me how to install the AddressSanitizer?

AddressSanitizer is part of gcc since gcc-4.8, not sure whether it can be installed separately. Here (ASANwiki) is the guide to build the ASAN from source, though I think use ASAN in gcc cost less effort

Cheers

rockcarry added a commit that referenced this issue

Aug 21, 2019

rockcarry added a commit that referenced this issue

Aug 21, 2019

Copy link

Contributor Author

Hi,

I tested commit 2ad299a and ASAN reports heap buffer overflow in

for (i\=1; i<1+16; i++) len += dht\[i\];

Maybe it should be changed to

for (i\=1; i<1+16 && dht+i<end; i++) len += dht\[i\];

This would fix the overflow problem but I'm not sure if this logic is right.

Best wishes

rockcarry added a commit that referenced this issue

Aug 21, 2019

pls test commit 58b6f94  
i think it‘s ok now.

Copy link

Contributor Author

Hi,

I tested commit 58b6f94. Since no more ASAN reports, I think this series of heap-overflow problems are fixed now.

Cheers!

2 participants

CVE-2019-16352: AddressSanitizer: heap-buffer-overflow in jfif_load() at jfif.c:187 · Issue #12 · rockcarry/ffjpeg

ffjpeg before 2019-08-18 has a NULL pointer dereference in huffman_decode_step() at huffman.c.

New issue

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed

Marsman1996 opened this issue

Aug 18, 2019

· 2 comments

**Comments**

**Test Environment**

Ubuntu 14.04, 64bit, ffjpeg(master 627c8a9)

**How to trigger**

1.  compile ffjpeg with cmake file from CMake Support && FPE on unknown address #6
2.  $ ./ffjpeg -d $POC

**POC file**

https://github.com/Marsman1996/pocs/blob/master/ffjpeg/poc21-huffman\_decode\_step-SEGV

**Details****Asan report**

    ASAN:SIGSEGV
    =================================================================
    ==19241== ERROR: AddressSanitizer: SEGV on unknown address 0x000000001590 (pc 0x000000410e8b sp 0x7fff54e12780 bp 0x7fff54e127a0 T0)
    AddressSanitizer can not provide additional info.
        #0 0x410e8a in huffman_decode_step /home/aota10/MARS_fuzzcompare/test/ffjpeg/code/huffman.c:371
        #1 0x405f04 in jfif_decode /home/aota10/MARS_fuzzcompare/test/ffjpeg/code/jfif.c:493
        #2 0x401a70 in main /home/aota10/MARS_fuzzcompare/test/ffjpeg/code/ffjpeg.c:25
        #3 0x7f8d44273f44 (/lib/x86_64-linux-gnu/libc.so.6+0x21f44)
        #4 0x401858 in _start (/home/aota10/MARS_fuzzcompare/test/ffjpeg/bin_asan/bin/ffjpeg+0x401858)
    SUMMARY: AddressSanitizer: SEGV /home/aota10/MARS_fuzzcompare/test/ffjpeg/code/huffman.c:371 huffman_decode_step
    ==19241== ABORTING
    

**GDB report**

    Program received signal SIGSEGV, Segmentation fault.
    0x000000000040775f in huffman_decode_step (phc=0x0)
        at /home/aota10/MARS_fuzzcompare/test/ffjpeg/code/huffman.c:371
    371         if (!phc->input) return EOF;
    (gdb) bt
    #0  0x000000000040775f in huffman_decode_step (phc=0x0)
        at /home/aota10/MARS_fuzzcompare/test/ffjpeg/code/huffman.c:371
    #1  0x0000000000403357 in jfif_decode (ctxt=0x60a010, pb=0x7fffffffe190)
        at /home/aota10/MARS_fuzzcompare/test/ffjpeg/code/jfif.c:493
    #2  0x0000000000401672 in main (argc=3, argv=0x7fffffffe298)
        at /home/aota10/MARS_fuzzcompare/test/ffjpeg/code/ffjpeg.c:25
    

rockcarry added a commit that referenced this issue

Aug 19, 2019

This was referenced

Aug 19, 2019

i make a new commit

commit b3039ae

which fix issue #10 #11 and #12

can you test again ?

Copy link

Contributor Author

I tested it with commit b3039ae  
and I think it has been fixed

2 participants

CVE-2019-16351: SEGV in huffman_decode_step() at huffman.c:371 · Issue #11 · rockcarry/ffjpeg

ffjpeg before 2019-08-18 has a NULL pointer dereference in idct2d8x8() at dct.c.

New issue

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed

Marsman1996 opened this issue

Aug 18, 2019

· 2 comments

**Comments**

**Test Environment**

Ubuntu 14.04, 64bit, ffjpeg(master 627c8a9)

**How to trigger**

1.  compile ffjpeg with cmake file from CMake Support && FPE on unknown address #6
2.  $ ./ffjpeg -d $POC

**POC file**

https://github.com/Marsman1996/pocs/blob/master/ffjpeg/poc20-idct2d8x8-SEGV

**Details****Asan report**

    ASAN:SIGSEGV
    =================================================================
    ==21545== ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x00000040db78 sp 0x7ffd4681f2e0 bp 0x7ffd4681f340 T0)
    AddressSanitizer can not provide additional info.
        #0 0x40db77 in idct2d8x8 /home/aota10/MARS_fuzzcompare/test/ffjpeg/code/dct.c:201
        #1 0x40605b in jfif_decode /home/aota10/MARS_fuzzcompare/test/ffjpeg/code/jfif.c:508
        #2 0x401a70 in main /home/aota10/MARS_fuzzcompare/test/ffjpeg/code/ffjpeg.c:25
        #3 0x7f8448218f44 (/lib/x86_64-linux-gnu/libc.so.6+0x21f44)
        #4 0x401858 in _start (/home/aota10/MARS_fuzzcompare/test/ffjpeg/bin_asan/bin/ffjpeg+0x401858)
    SUMMARY: AddressSanitizer: SEGV /home/aota10/MARS_fuzzcompare/test/ffjpeg/code/dct.c:201 idct2d8x8
    ==21545== ABORTING
    

**GDB report**

    Program received signal SIGSEGV, Segmentation fault.
    0x0000000000406402 in idct2d8x8 (data=0x7fffffffe070, ftab=0xffffffff)
        at /home/aota10/MARS_fuzzcompare/test/ffjpeg/code/dct.c:201
    201             data[ctr] *= ftab[ctr];
    (gdb) bt
    #0  0x0000000000406402 in idct2d8x8 (data=0x7fffffffe070, ftab=0xffffffff)
        at /home/aota10/MARS_fuzzcompare/test/ffjpeg/code/dct.c:201
    #1  0x0000000000403435 in jfif_decode (ctxt=0x60a010, pb=0x7fffffffe1a0)
        at /home/aota10/MARS_fuzzcompare/test/ffjpeg/code/jfif.c:508
    #2  0x0000000000401672 in main (argc=3, argv=0x7fffffffe2a8)
        at /home/aota10/MARS_fuzzcompare/test/ffjpeg/code/ffjpeg.c:25
    

rockcarry added a commit that referenced this issue

Aug 19, 2019

i make a new commit

commit b3039ae

which fix issue #10 #11 and #12

can you test again ?

Copy link

Contributor Author

I tested it with commit b3039ae  
and I think it has been fixed

2 participants

CVE-2019-16350: NULL Pointer Dereference in idct2d8x8() at dct.c:201 · Issue #10 · rockcarry/ffjpeg

marc-q libwav through 2017-04-20 has a NULL pointer dereference in gain_file() at wav_gain.c.

New issue

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open

Marsman1996 opened this issue

Aug 15, 2019

· 0 comments

**Comments**

Tested in Ubuntu 14.04, 64bit, libwav (master 5cc8746)

Triggered by  
$ ./wav_gain $POC /dev/null

POC file:  
https://github.com/Marsman1996/pocs/blob/master/libwav/poc18-gain\_file-SEGV

ASAN info:

    ASAN:SIGSEGV
    =================================================================
    ==21704== ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7faf08a8ce02 sp 0x7ffc93c70b50 bp 0xac4400020001 T0)
    AddressSanitizer can not provide additional info.
        #0 0x7faf08a8ce01 (/usr/lib/x86_64-linux-gnu/libasan.so.0+0x7e01)
        #1 0x7faf08a9a367 (/usr/lib/x86_64-linux-gnu/libasan.so.0+0x15367)
        #2 0x400d80 in gain_file /home/aota10/MARS_fuzzcompare/test/wav_gain/build_asan/wav_gain.c:33
        #3 0x400d80 in main /home/aota10/MARS_fuzzcompare/test/wav_gain/build_asan/wav_gain.c:43
        #4 0x7faf086ddf44 (/lib/x86_64-linux-gnu/libc.so.6+0x21f44)
        #5 0x400e24 in _start (/home/aota10/MARS_fuzzcompare/test/wav_gain/bin_asan/bin/wav_gain+0x400e24)
    SUMMARY: AddressSanitizer: SEGV ??:0 ??
    ==21704== ABORTING
    

 Marsman1996 changed the title NULL Pointer Dereference in gain\_file at wav\_gain.c:33 NULL Pointer Dereference in gain\_file() at wav\_gain.c:33

Aug 15, 2019

1 participant

CVE-2019-16348: NULL Pointer Dereference in gain_file() at wav_gain.c:33 · Issue #24 · marc-q/libwav

audio_sample_entry_AddBox() at isomedia/box_code_base.c in GPAC 0.7.1 allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted file.

Tested in Ubuntu 18.04, 64bit, gcc 7.3.0, gpac (master 94ad872)

Compile cmd:  
$ ./configure --extra-cflags="-fsanitize=address,undefined -g" --extra-ldflags="-fsanitize=address,undefined -ldl -g"  
$ make

Triggered by  
$ MP4Box -diso $POC

POC file:  
https://github.com/Marsman1996/pocs/blob/master/gpac/poc14-heapoverflow

ASAN info:

    ==71438==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x603000000591 at pc 0x7ffa85321aff bp 0x7ffc13f5e4b0 sp 0x7ffc13f5e4a0
    READ of size 1 at 0x603000000591 thread T0
        #0 0x7ffa85321afe in audio_sample_entry_AddBox /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/box_code_base.c:3934
        #1 0x7ffa853f002c in gf_isom_box_array_read_ex /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/box_funcs.c:1327
        #2 0x7ffa8533c83b in audio_sample_entry_Read /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/box_code_base.c:3999
        #3 0x7ffa853ef142 in gf_isom_box_read /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/box_funcs.c:1385
        #4 0x7ffa853ef142 in gf_isom_box_parse_ex /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/box_funcs.c:199
        #5 0x7ffa853efec3 in gf_isom_box_array_read_ex /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/box_funcs.c:1277
        #6 0x7ffa85329db7 in unkn_Read /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/box_code_base.c:762
        #7 0x7ffa853ef142 in gf_isom_box_read /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/box_funcs.c:1385
        #8 0x7ffa853ef142 in gf_isom_box_parse_ex /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/box_funcs.c:199
        #9 0x7ffa853efec3 in gf_isom_box_array_read_ex /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/box_funcs.c:1277
        #10 0x7ffa853ef142 in gf_isom_box_read /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/box_funcs.c:1385
        #11 0x7ffa853ef142 in gf_isom_box_parse_ex /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/box_funcs.c:199
        #12 0x7ffa853efec3 in gf_isom_box_array_read_ex /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/box_funcs.c:1277
        #13 0x7ffa8533a0fc in minf_Read /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/box_code_base.c:3513
        #14 0x7ffa853ef142 in gf_isom_box_read /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/box_funcs.c:1385
        #15 0x7ffa853ef142 in gf_isom_box_parse_ex /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/box_funcs.c:199
        #16 0x7ffa853efec3 in gf_isom_box_array_read_ex /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/box_funcs.c:1277
        #17 0x7ffa853367f3 in mdia_Read /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/box_code_base.c:3034
        #18 0x7ffa853ef142 in gf_isom_box_read /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/box_funcs.c:1385
        #19 0x7ffa853ef142 in gf_isom_box_parse_ex /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/box_funcs.c:199
        #20 0x7ffa853efec3 in gf_isom_box_array_read_ex /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/box_funcs.c:1277
        #21 0x7ffa85354187 in trak_Read /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/box_code_base.c:6905
        #22 0x7ffa853ef142 in gf_isom_box_read /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/box_funcs.c:1385
        #23 0x7ffa853ef142 in gf_isom_box_parse_ex /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/box_funcs.c:199
        #24 0x7ffa853efec3 in gf_isom_box_array_read_ex /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/box_funcs.c:1277
        #25 0x7ffa85329db7 in unkn_Read /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/box_code_base.c:762
        #26 0x7ffa853f1363 in gf_isom_box_read /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/box_funcs.c:1385
        #27 0x7ffa853f1363 in gf_isom_box_parse_ex /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/box_funcs.c:199
        #28 0x7ffa853f20c5 in gf_isom_parse_root_box /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/box_funcs.c:42
        #29 0x7ffa8541e398 in gf_isom_parse_movie_boxes /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/isom_intern.c:206
        #30 0x7ffa854237a4 in gf_isom_open_file /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/isom_intern.c:615
        #31 0x55e7b46eb046 in mp4boxMain /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/applications/mp4box/main.c:4539
        #32 0x7ffa822c6b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
        #33 0x55e7b46ca199 in _start (/home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/build_asan/bin/gcc/MP4Box+0xac199)
    
    0x603000000591 is located 0 bytes to the right of 17-byte region [0x603000000580,0x603000000591)
    allocated by thread T0 here:
        #0 0x7ffa887fcb50 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb50)
        #1 0x7ffa85329a80 in unkn_Read /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/box_code_base.c:742
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/box_code_base.c:3934 in audio_sample_entry_AddBox
    Shadow bytes around the buggy address:
      0x0c067fff8060: fa fa 00 00 02 fa fa fa 00 00 05 fa fa fa 00 00
      0x0c067fff8070: 04 fa fa fa 00 00 00 01 fa fa 00 00 06 fa fa fa
      0x0c067fff8080: 00 00 01 fa fa fa 00 00 02 fa fa fa 00 00 00 01
      0x0c067fff8090: fa fa 00 00 05 fa fa fa 00 00 04 fa fa fa 00 00
      0x0c067fff80a0: 02 fa fa fa 00 00 04 fa fa fa 00 00 00 00 fa fa
    =>0x0c067fff80b0: 00 00[01]fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c067fff80c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c067fff80d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c067fff80e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c067fff80f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c067fff8100: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
    ==71438==ABORTING
    

GDB info:

    malloc_consolidate(): invalid chunk size
    
    Program received signal SIGABRT, Aborted.
    __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:51
    51	../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
    (gdb) bt
    #0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:51
    #1  0x00007ffff7350801 in __GI_abort () at abort.c:79
    #2  0x00007ffff7399897 in __libc_message (action=action@entry=do_abort, fmt=fmt@entry=0x7ffff74c6b9a "%s\n") at ../sysdeps/posix/libc_fatal.c:181
    #3  0x00007ffff73a090a in malloc_printerr (str=str@entry=0x7ffff74c83f0 "malloc_consolidate(): invalid chunk size") at malloc.c:5350
    #4  0x00007ffff73a0bae in malloc_consolidate (av=av@entry=0x7ffff76fbc40 <main_arena>) at malloc.c:4441
    #5  0x00007ffff73a47d8 in _int_malloc (av=av@entry=0x7ffff76fbc40 <main_arena>, bytes=bytes@entry=4096) at malloc.c:3703
    #6  0x00007ffff73a70fc in __GI___libc_malloc (bytes=4096) at malloc.c:3057
    #7  0x00007ffff738e18c in __GI__IO_file_doallocate (fp=0x5555557a6260) at filedoalloc.c:101
    #8  0x00007ffff739e379 in __GI__IO_doallocbuf (fp=fp@entry=0x5555557a6260) at genops.c:365
    #9  0x00007ffff739ad23 in _IO_new_file_seekoff (fp=0x5555557a6260, offset=0, dir=2, mode=<optimized out>) at fileops.c:960
    #10 0x00007ffff7398dd9 in fseeko (fp=fp@entry=0x5555557a6260, offset=offset@entry=0, whence=whence@entry=2) at fseeko.c:36
    #11 0x00007ffff77527c9 in gf_fseek (fp=fp@entry=0x5555557a6260, offset=offset@entry=0, whence=whence@entry=2)
        at /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/utils/os_file.c:756
    #12 0x00007ffff7753323 in gf_bs_from_file (f=0x5555557a6260, mode=mode@entry=0) at /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/utils/bitstream.c:179
    #13 0x00007ffff7894173 in gf_isom_fdm_new (sPath=<optimized out>, mode=<optimized out>) at /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/data_map.c:453
    #14 0x00007ffff7894400 in gf_isom_datamap_new (location=<optimized out>, location@entry=0x7fffffffe197 "../../poc14-heapoverflow", parentPath=parentPath@entry=0x0, 
        mode=mode@entry=1 '\001', outDataMap=outDataMap@entry=0x5555557a68b0) at /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/data_map.c:185
    #15 0x00007ffff789cf66 in gf_isom_open_progressive (fileName=<optimized out>, start_range=0, end_range=0, the_file=0x5555557a5738 <file>, BytesMissing=0x7fffffff9390)
        at /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/isom_read.c:367
    #16 0x000055555556f48b in mp4boxMain (argc=<optimized out>, argv=<optimized out>) at /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/applications/mp4box/main.c:4542
    #17 0x00007ffff7331b97 in __libc_start_main (main=0x555555561e30 <main>, argc=3, argv=0x7fffffffdd98, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, 
        stack_end=0x7fffffffdd88) at ../csu/libc-start.c:310
    #18 0x0000555555561e6a in _start ()

CVE-2018-21016: AddressSanitizer: heap-buffer-overflow in audio_sample_entry_AddBox() at box_code_base.c:3934 · Issue #1180 · gpac/gpac

AVC_DuplicateConfig() at isomedia/avc_ext.c in GPAC 0.7.1 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted file. There is "cfg_new->AVCLevelIndication = cfg->AVCLevelIndication;" but cfg could be NULL.

Tested in Ubuntu 18.04, 64bit, gcc 7.3.0, gpac (master 94ad872)

Compile cmd  
$ ./configure --extra-cflags=-g"  
$ make

Triggered by  
$ MP4Box -diso $POC

POC file:  
https://github.com/Marsman1996/pocs/blob/master/gpac/poc12-SEGV

gdb info:

    Program received signal SIGSEGV, Segmentation fault.
    AVC_DuplicateConfig (cfg=0x0)
        at /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/avc_ext.c:847
    847		cfg_new->AVCLevelIndication = cfg->AVCLevelIndication;
    (gdb) bt
    #0  AVC_DuplicateConfig (cfg=0x0) at /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/avc_ext.c:847
    #1  0x00007ffff7856a5f in merge_avc_config (dst_cfg=dst_cfg@entry=0x5555557a8e00, src_cfg=<optimized out>)
        at /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/avc_ext.c:897
    #2  0x00007ffff7859ae9 in AVC_RewriteESDescriptorEx (avc=avc@entry=0x5555557a8850, mdia=mdia@entry=0x0)
        at /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/avc_ext.c:1039
    #3  0x00007ffff785a037 in AVC_RewriteESDescriptor (avc=avc@entry=0x5555557a8850)
        at /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/avc_ext.c:1067
    #4  0x00007ffff786bd1c in video_sample_entry_Read (s=0x5555557a8850, bs=0x5555557a7f70)
        at /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/box_code_base.c:4291
    #5  0x00007ffff7891fa7 in gf_isom_box_read (bs=0x5555557a7f70, a=0x5555557a8850)
        at /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/box_funcs.c:1385
    #6  gf_isom_box_parse_ex (outBox=0x7fffffff8af8, bs=0x5555557a7f70, parent_type=<optimized out>, is_root_box=<optimized out>)
        at /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/box_funcs.c:199
    #7  0x00007ffff789254d in gf_isom_box_array_read_ex (parent=0x5555557a8800, bs=0x5555557a7f70, add_box=0x7ffff7865140 <stsd_AddBox>, 
        parent_type=1937011556) at /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/box_funcs.c:1277
    #8  0x00007ffff7891fa7 in gf_isom_box_read (bs=0x5555557a7f70, a=0x5555557a8800)
        at /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/box_funcs.c:1385
    #9  gf_isom_box_parse_ex (outBox=0x7fffffff8bf8, bs=0x5555557a7f70, parent_type=<optimized out>, is_root_box=<optimized out>)
        at /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/box_funcs.c:199
    #10 0x00007ffff789254d in gf_isom_box_array_read_ex (parent=parent@entry=0x5555557a8730, bs=0x5555557a7f70, 
        add_box=add_box@entry=0x7ffff7863750 <stbl_AddBox>, parent_type=parent_type@entry=0)
        at /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/box_funcs.c:1277
    #11 0x00007ffff7892837 in gf_isom_box_array_read (parent=parent@entry=0x5555557a8730, bs=<optimized out>, 
        add_box=add_box@entry=0x7ffff7863750 <stbl_AddBox>) at /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/box_funcs.c:262
    #12 0x00007ffff786d255 in stbl_Read (s=0x5555557a8730, bs=<optimized out>)
        at /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/box_code_base.c:5183
    #13 0x00007ffff7891fa7 in gf_isom_box_read (bs=0x5555557a7f70, a=0x5555557a8730)
        at /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/box_funcs.c:1385
    #14 gf_isom_box_parse_ex (outBox=0x7fffffff8d18, bs=0x5555557a7f70, parent_type=<optimized out>, is_root_box=<optimized out>)
        at /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/box_funcs.c:199
    #15 0x00007ffff789254d in gf_isom_box_array_read_ex (parent=parent@entry=0x5555557a8470, bs=0x5555557a7f70, 
        add_box=add_box@entry=0x7ffff7863450 <minf_AddBox>, parent_type=parent_type@entry=0)
        at /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/box_funcs.c:1277
    #16 0x00007ffff7892837 in gf_isom_box_array_read (parent=parent@entry=0x5555557a8470, bs=<optimized out>, 
        add_box=add_box@entry=0x7ffff7863450 <minf_AddBox>) at /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/box_funcs.c:262
    #17 0x00007ffff786acfb in minf_Read (s=0x5555557a8470, bs=<optimized out>)
        at /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/box_code_base.c:3513
    #18 0x00007ffff7891fa7 in gf_isom_box_read (bs=0x5555557a7f70, a=0x5555557a8470)
        at /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/box_funcs.c:1385
    #19 gf_isom_box_parse_ex (outBox=0x7fffffff8e58, bs=0x5555557a7f70, parent_type=<optimized out>, is_root_box=<optimized out>)
        at /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/box_funcs.c:199
    #20 0x00007ffff789254d in gf_isom_box_array_read_ex (parent=parent@entry=0x5555557a82c0, bs=0x5555557a7f70, 
        add_box=add_box@entry=0x7ffff7863330 <mdia_AddBox>, parent_type=parent_type@entry=0)
        at /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/box_funcs.c:1277
    #21 0x00007ffff7892837 in gf_isom_box_array_read (parent=parent@entry=0x5555557a82c0, bs=<optimized out>, 
        add_box=add_box@entry=0x7ffff7863330 <mdia_AddBox>) at /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/box_funcs.c:262
    #22 0x00007ffff786a090 in mdia_Read (s=0x5555557a82c0, bs=<optimized out>)
        at /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/box_code_base.c:3034
    #23 0x00007ffff7891fa7 in gf_isom_box_read (bs=0x5555557a7f70, a=0x5555557a82c0)
        at /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/box_funcs.c:1385
    #24 gf_isom_box_parse_ex (outBox=0x7fffffff8f68, bs=0x5555557a7f70, parent_type=<optimized out>, is_root_box=<optimized out>)
    ---Type <return> to continue, or q <return> to quit---
        at /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/box_funcs.c:199
    #25 0x00007ffff789254d in gf_isom_box_array_read_ex (parent=parent@entry=0x5555557a8100, bs=0x5555557a7f70, 
        add_box=add_box@entry=0x7ffff7863ec0 <trak_AddBox>, parent_type=parent_type@entry=0)
        at /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/box_funcs.c:1277
    #26 0x00007ffff7892837 in gf_isom_box_array_read (parent=parent@entry=0x5555557a8100, bs=<optimized out>, 
        add_box=add_box@entry=0x7ffff7863ec0 <trak_AddBox>) at /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/box_funcs.c:262
    #27 0x00007ffff786fd1d in trak_Read (s=0x5555557a8100, bs=<optimized out>)
        at /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/box_code_base.c:6905
    #28 0x00007ffff7891fa7 in gf_isom_box_read (bs=0x5555557a7f70, a=0x5555557a8100)
        at /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/box_funcs.c:1385
    #29 gf_isom_box_parse_ex (outBox=0x7fffffff90c8, bs=0x5555557a7f70, parent_type=<optimized out>, is_root_box=<optimized out>)
        at /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/box_funcs.c:199
    #30 0x00007ffff789254d in gf_isom_box_array_read_ex (parent=parent@entry=0x5555557a7bf0, bs=bs@entry=0x5555557a7f70, 
        add_box=0x7ffff7891be0 <gf_isom_box_add_default>, parent_type=parent_type@entry=0)
        at /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/box_funcs.c:1277
    #31 0x00007ffff7892837 in gf_isom_box_array_read (parent=parent@entry=0x5555557a7bf0, bs=bs@entry=0x5555557a7f70, add_box=<optimized out>)
        at /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/box_funcs.c:262
    #32 0x00007ffff7866a8a in unkn_Read (s=0x5555557a7bf0, bs=<optimized out>)
        at /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/box_code_base.c:762
    #33 0x00007ffff7892bc9 in gf_isom_box_read (bs=0x5555557a6a60, a=0x5555557a7bf0)
        at /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/box_funcs.c:1385
    #34 gf_isom_box_parse_ex (outBox=outBox@entry=0x7fffffff9280, bs=bs@entry=0x5555557a6a60, is_root_box=is_root_box@entry=GF_TRUE, parent_type=0)
        at /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/box_funcs.c:199
    #35 0x00007ffff7892fc5 in gf_isom_parse_root_box (outBox=outBox@entry=0x7fffffff9280, bs=0x5555557a6a60, 
        bytesExpected=bytesExpected@entry=0x7fffffff92d0, progressive_mode=progressive_mode@entry=GF_FALSE)
        at /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/box_funcs.c:42
    #36 0x00007ffff789a20b in gf_isom_parse_movie_boxes (mov=mov@entry=0x5555557a68a0, bytesMissing=bytesMissing@entry=0x7fffffff92d0, 
        progressive_mode=progressive_mode@entry=GF_FALSE) at /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/isom_intern.c:206
    #37 0x00007ffff789b048 in gf_isom_parse_movie_boxes (progressive_mode=GF_FALSE, bytesMissing=0x7fffffff92d0, mov=0x5555557a68a0)
        at /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/isom_intern.c:194
    #38 gf_isom_open_file (fileName=0x7fffffffe1a0 "../../poc12-SEGV", OpenMode=0, tmp_dir=0x0)
        at /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/isom_intern.c:615
    #39 0x000055555556f3bd in mp4boxMain (argc=<optimized out>, argv=<optimized out>)
        at /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/applications/mp4box/main.c:4539
    #40 0x00007ffff7331b97 in __libc_start_main (main=0x555555561e30 <main>, argc=3, argv=0x7fffffffdd98, init=<optimized out>, fini=<optimized out>, 
        rtld_fini=<optimized out>, stack_end=0x7fffffffdd88) at ../csu/libc-start.c:310
    #41 0x0000555555561e6a in _start ()

CVE-2018-21015: SEGV in AVC_DuplicateConfig() at avc_ext.c:847 · Issue #1179 · gpac/gpac

SciLexer.dll in Scintilla in Notepad++ (x64) before 7.7 allows remote code execution or denial of service via Unicode characters in a crafted .ml file.

CVE-2019-16294: Scintilla

Apport before versions 2.14.1-0ubuntu3.29+esm1, 2.20.1-0ubuntu2.19, 2.20.9-0ubuntu7.7, 2.20.10-0ubuntu27.1, 2.20.11-0ubuntu5 contained a TOCTTOU vulnerability when reading the users ~/.apport-ignore.xml file, which allows a local attacker to replace this file with a symlink to any other file on the system and so cause Apport to include the contents of this other file in the resulting crash report. The crash report could then be read by that user either by causing it to be uploaded and reported to Launchpad, or by leveraging some other vulnerability to read the resulting crash report, and so allow the user to read arbitrary files on the system.

Dear Ubuntu Security Team,

I would like to report a privilege escalation vulnerability in Apport. The vulnerability is a TOCTOU which enables me to trick Apport into reading any file on the system and including it in a crash report file.

I have attached a proof-of-concept which triggers the vulnerability. I have tested it on an up-to-date Ubuntu 18.04. Run it as follows:

bunzip2 PoC.tar.bz2  
tar -xf PoC.tar  
cd PoC  
make  
./gencrashreport /etc/shadow

At this point the following file has been created:

/var/crash/\_usr\_share\_apport\_apport.0.crash

You can use the apport-unpack tool to decompress this file. If you look at the contents of the CoreDump file then you will see that it contains the contents of /etc/shadow (or whichever other file you passed on the command line of gencrashreport).

The bug has a couple of mitigations:

1\. My PoC does not work if a file named /var/crash/.lock already exists and is owned by root. This file will only exist if Apport has previously generated a crash report. Based on an informal survey of my own 4 computers (yes - maybe I don't need that many), it usually does not exist (unless the computer is used for security research).

2\. The generated crash report file, /var/crash/\_usr\_share\_apport\_apport.0.crash, is only readable by root and by the whoopsie user. It will be uploaded to daisy.ubuntu.com if you create a file named /var/crash/\_usr\_share\_apport\_apport.0.upload, but that is not a huge security concern because it wouldn't be of much benefit to an attacker. However, I have found some integer overflow vulnerabilities in whoopsie (which I will report separately). If those overflows can be exploited to gain code execution in whoopsie, then this will enable an attacker to read the contents of the crash report file.

To improve the effectiveness of the first mitigation, I would recommend that you make sure that /var/crash/.lock is created (and owned by root) by the Ubuntu installer and/or whoopsie when it starts up. It does not fix the root cause though, which I will describe next.

This is the source location of the TOCTOU vulnerability:

https://git.launchpad.net/ubuntu/+source/apport/tree/apport/report.py?h=applied/ubuntu/bionic-devel&id=2fc8fb446c78e950d643bf49bb7d4a0dc3b05429#n962

Apport allows the user to place a file in their home directory named \`~/.apport-ignore.xml\`. The call to os.access() on line 962 is intended to check that this file belongs to the correct user. But on line 967, the file is read again using xml.dom.minidom.parse. This creates a window of opportunity for an attacker to replace the file with a symlink. The symlink does not need to point to a valid XML file, because there is a try-except around the call to the parser, so if the file is invalid then Apport just ignores it and continues. However, the contents of the file still ends up in Apport's heap.

Here's a summary of how the PoC works:

1\. Start a /bin/sleep and kill it with a SIGSEGV.  
2\. Apport starts up to generate a crash report for /bin/sleep  
3\. Replace ~/.apport-ignore.xml with a symlink at exactly the right moment, so that Apport loads a forbidden file into memory.  
4\. Wait until Apport drops privileges so that we can kill it with a SIGTRAP.  
5\. A second Apport starts up to generate a crash report for the first Apport.  
6\. The second Apport writes out a crash report for the first, containing a copy of the forbidden file in the core dump.

Apport tries quite hard to not run recursively on itself, so I had to jump through a few hoops to make the PoC work:

1\. Apport sets a lock on /var/crash/.lock, using lockf. But locks created by lockf are only "advisory". If I own the file, then I can replace it with a different file, thereby deactivating the lock. This is why my PoC only works if /var/crash/.lock doesn't already exist. I need to create it before Apport does, so that I can maintain ownership of it.

2\. Apport has signal handlers for most of the core-generating signals, like SIGSEGV. But it doesn't have a handler for SIGTRAP, so that's what my PoC uses.

3\. Apport is started with an RLIMIT\_CORE value of 1, which is another recursion detection mechanism (see https://bugs.launchpad.net/ubuntu/+source/linux/+bug/498525/comments/3). But it is possible for another process to change it to zero, using prlimit.

As I mentioned earlier, I have also found a few other vulnerabilities in whoopsie and Apport. I will file them as separate bugs and include a link to this issue.

Please let me know when you have fixed the vulnerability, so that I can coordinate my disclosure with yours. For reference, here is a link to Semmle's vulnerability disclosure policy: https://lgtm.com/security#disclosure\_policy

Thank you,

Kevin Backhouse

Semmle Security Research Team

Tag

#ubuntu