
Infinite recursion in Media_GetSample isomedia/media.c:662 #2359

Closed
3 tasks done
xidoo123 opened this issue Dec 18, 2022 · 0 comments

  • I looked for a similar issue and couldn't find any.
  • I tried with the latest version of GPAC. Installers available at http://gpac.io/downloads/gpac-nightly-builds/
  • I give enough information for contributors to reproduce my issue (meaningful title, github labels,

Description

Segmentation fault (stack overflow) due to infinite recursion in Media_GetSample isomedia/media.c:662

Version info

latest version atm

MP4Box - GPAC version 2.1-DEV-rev649-ga8f438d20-master
(c) 2000-2022 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io

Please cite our work in your research:
	GPAC Filters: https://doi.org/10.1145/3339825.3394929
	GPAC: https://doi.org/10.1145/1291233.1291452

GPAC Configuration: --enable-sanitizer
Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SSL GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_LINUX_DVB  GPAC_DISABLE_3D

Reproduce

compile and run

./configure --enable-sanitizer
make
./MP4Box import -cat poc_segfault2.mp4

Crash reported by sanitizer

[HEVC] Error parsing NAL unit type 63
Track Importing L-HEVC - Width 1 Height 6 FPS 25000/1000
[HEVC] NAL Unit type 26 not handled - adding
[HEVC] xPS changed but could not flush frames before signaling state change !
[HEVC] Error parsing NAL unit type 33
[HEVC] Error parsing NAL unit type 32
[HEVC] Invalid log2_max_pic_order_cnt_lsb_minus4 80, max shall be 12
[HEVC] Error parsing NAL unit type 33
[HEVC] Error parsing Sequence Param Set
[HEVC] Error parsing NAL unit type 34
[HEVC] Error parsing NAL unit type 0
[HEVC] Error parsing NAL unit type 32         
[HEVC] Error parsing NAL unit type 32
HEVC Import results: 7 samples (39 NALUs) - Slices: 0 I 0 P 1 B - 0 SEI - 0 IDR - 0 CRA
HEVC L-HEVC Import results: Slices: 3 I 0 P 2 B
HEVC Stream uses forward prediction - stream CTS offset: 6 frames
HEVC Max NALU size is 106 - stream could be optimized by setting nal_length=1
Appending file /home/sumuchuan/Desktop/gpac_fuzz/cat_gpac/bin/gcc/out/default/crashes/160.mp4
No suitable destination track found - creating new one (type vide)
AddressSanitizer:DEADLYSIGNAL   | (57/100)
=================================================================
==738673==ERROR: AddressSanitizer: stack-overflow on address 0x7ffdae782bc0 (pc 0x7f415d384491 bp 0x7ffdae783400 sp 0x7ffdae782bc0 T0)
    #0 0x7f415d384491 in __sanitizer::StackTrace::StackTrace(unsigned long const*, unsigned int) ../../../../src/libsanitizer/sanitizer_common/sanitizer_stacktrace.h:52
    #1 0x7f415d384491 in __sanitizer::BufferedStackTrace::BufferedStackTrace() ../../../../src/libsanitizer/sanitizer_common/sanitizer_stacktrace.h:105
    #2 0x7f415d384491 in __interceptor_free ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:127
    #3 0x7f415787f858 in __GI__IO_free_backup_area libio/genops.c:190
    #4 0x7f415787cae3 in _IO_new_file_seekoff libio/fileops.c:975
    #5 0x7f415787ad52 in __fseeko libio/fseeko.c:40
    #6 0x7f4159a1536a in BS_SeekIntern utils/bitstream.c:1338
    #7 0x7f4159a1536a in gf_bs_seek utils/bitstream.c:1373
    #8 0x7f4159fbbfc9 in gf_isom_fdm_get_data isomedia/data_map.c:501
    #9 0x7f4159fbbfc9 in gf_isom_datamap_get_data isomedia/data_map.c:279
    #10 0x7f415a0a1f40 in Media_GetSample isomedia/media.c:641
    #11 0x7f4159ffc579 in gf_isom_get_sample_ex isomedia/isom_read.c:1916
    #12 0x7f4159ec91ca in gf_isom_nalu_sample_rewrite isomedia/avc_ext.c:454
    #13 0x7f415a0a305a in Media_GetSample isomedia/media.c:662
    #14 0x7f4159ffc579 in gf_isom_get_sample_ex isomedia/isom_read.c:1916
    #15 0x7f4159ec91ca in gf_isom_nalu_sample_rewrite isomedia/avc_ext.c:454
    #16 0x7f415a0a305a in Media_GetSample isomedia/media.c:662
    #17 0x7f4159ffc579 in gf_isom_get_sample_ex isomedia/isom_read.c:1916
    #18 0x7f4159ec91ca in gf_isom_nalu_sample_rewrite isomedia/avc_ext.c:454
    #19 0x7f415a0a305a in Media_GetSample isomedia/media.c:662
    #20 0x7f4159ffc579 in gf_isom_get_sample_ex isomedia/isom_read.c:1916
    #21 0x7f4159ec91ca in gf_isom_nalu_sample_rewrite isomedia/avc_ext.c:454
    #22 0x7f415a0a305a in Media_GetSample isomedia/media.c:662
    #23 0x7f4159ffc579 in gf_isom_get_sample_ex isomedia/isom_read.c:1916
    #24 0x7f4159ec91ca in gf_isom_nalu_sample_rewrite isomedia/avc_ext.c:454
    ...

Looks like an infinite recursion:

Media_GetSample isomedia/media.c:662
 -> gf_isom_nalu_sample_rewrite isomedia/avc_ext.c:454
 -> gf_isom_get_sample_ex isomedia/isom_read.c:1916
 -> Media_GetSample isomedia/media.c:662

If compiled without ASAN and run on the same PoC:

./configure --static-bin
make
./MP4Box import -cat poc_segfault2.mp4

there will be a segmentation fault:

[HEVC] Error parsing NAL unit type 63
Track Importing L-HEVC - Width 1 Height 6 FPS 25000/1000
[HEVC] NAL Unit type 26 not handled - adding
[HEVC] xPS changed but could not flush frames before signaling state change !
[HEVC] Error parsing NAL unit type 33
[HEVC] Error parsing NAL unit type 32
[HEVC] Invalid log2_max_pic_order_cnt_lsb_minus4 80, max shall be 12
[HEVC] Error parsing NAL unit type 33
[HEVC] Error parsing Sequence Param Set
[HEVC] Error parsing NAL unit type 34
[HEVC] Error parsing NAL unit type 0
[HEVC] Error parsing NAL unit type 32         
[HEVC] Error parsing NAL unit type 32
HEVC Import results: 7 samples (39 NALUs) - Slices: 0 I 0 P 1 B - 0 SEI - 0 IDR - 0 CRA
HEVC L-HEVC Import results: Slices: 3 I 0 P 2 B
HEVC Stream uses forward prediction - stream CTS offset: 6 frames
HEVC Max NALU size is 106 - stream could be optimized by setting nal_length=1
Appending file /home/sumuchuan/Desktop/gpac_fuzz/cat_gpac/bin/gcc/out/default/crashes/160.mp4
No suitable destination track found - creating new one (type vide)
Segmentation fault=====         | (57/100)

This is because it ran out of stack space, making rsp and rbp point to unmapped memory and causing the segfault. Backtrace atm:

pwndbg> bt
...
#16487 0x000000000054d599 in gf_isom_get_sample_ex ()
#16488 0x0000000000521d6d in gf_isom_nalu_sample_rewrite ()
#16489 0x0000000000570e13 in Media_GetSample ()
#16490 0x000000000054d599 in gf_isom_get_sample_ex ()
#16491 0x0000000000521d6d in gf_isom_nalu_sample_rewrite ()
#16492 0x0000000000570e13 in Media_GetSample ()
#16493 0x000000000054d599 in gf_isom_get_sample_ex ()
#16494 0x0000000000521d6d in gf_isom_nalu_sample_rewrite ()
#16495 0x0000000000570e13 in Media_GetSample ()
...

POC

poc-segfault2.zip

Impact

Potentially causing DoS

Credit

Xdchase
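The report above identifies the bug by eye from the repeating frames in the ASan and gdb backtraces. The following triage helper, an added example that is not part of this issue or of the GPAC code base, automates that step: it parses both trace formats and reports the shortest repeating frame cycle. The embedded traces are constructed from the frames quoted in the report.

```python
"""Triage helper: find a repeating call cycle in a sanitizer or gdb backtrace.
Added example for this report, not GPAC code; the sample traces below are
constructed from frames quoted in the issue."""
import re

# ASan frame: "#13 0x7f41... in Media_GetSample isomedia/media.c:662"
# gdb frame:  "#16489 0x0000000000570e13 in Media_GetSample ()"
FRAME_RE = re.compile(r"^\s*#\d+\s+0x[0-9a-fA-F]+\s+in\s+(\S+)")

ASAN_TRACE = """\
    #9 0x7f4159fbbfc9 in gf_isom_datamap_get_data isomedia/data_map.c:279
    #10 0x7f415a0a1f40 in Media_GetSample isomedia/media.c:641
    #11 0x7f4159ffc579 in gf_isom_get_sample_ex isomedia/isom_read.c:1916
    #12 0x7f4159ec91ca in gf_isom_nalu_sample_rewrite isomedia/avc_ext.c:454
    #13 0x7f415a0a305a in Media_GetSample isomedia/media.c:662
    #14 0x7f4159ffc579 in gf_isom_get_sample_ex isomedia/isom_read.c:1916
    #15 0x7f4159ec91ca in gf_isom_nalu_sample_rewrite isomedia/avc_ext.c:454
    #16 0x7f415a0a305a in Media_GetSample isomedia/media.c:662
    #17 0x7f4159ffc579 in gf_isom_get_sample_ex isomedia/isom_read.c:1916
    #18 0x7f4159ec91ca in gf_isom_nalu_sample_rewrite isomedia/avc_ext.c:454
"""

GDB_TRACE = """\
#16490 0x000000000054d599 in gf_isom_get_sample_ex ()
#16491 0x0000000000521d6d in gf_isom_nalu_sample_rewrite ()
#16492 0x0000000000570e13 in Media_GetSample ()
#16493 0x000000000054d599 in gf_isom_get_sample_ex ()
#16494 0x0000000000521d6d in gf_isom_nalu_sample_rewrite ()
#16495 0x0000000000570e13 in Media_GetSample ()
"""

def parse_frames(trace):
    """Function names in frame order; lines that are not frames are skipped."""
    return [m.group(1) for m in map(FRAME_RE.match, trace.splitlines()) if m]

def find_cycle(frames, min_repeats=3, max_period=16):
    """Shortest period p such that some window of the trace repeats the same
    p frames at least min_repeats times. Returns (cycle_names, repeats) or None."""
    for p in range(1, max_period + 1):
        run = best = best_end = 0
        for i in range(len(frames) - p):
            # run counts consecutive positions where the frame p steps later matches
            run = run + 1 if frames[i] == frames[i + p] else 0
            if run > best:
                best, best_end = run, i
        if best >= (min_repeats - 1) * p:
            start = best_end - best + 1
            return frames[start:start + p], best // p + 1
    return None
```

On the ASan sample `find_cycle(parse_frames(ASAN_TRACE))` returns the three-function cycle Media_GetSample, gf_isom_get_sample_ex, gf_isom_nalu_sample_rewrite repeated 3 times; the short gdb sample needs `min_repeats=2` to be reported.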

@jeanlf jeanlf closed this as completed in 080a627 Dec 19, 2022