An issue was discovered in Bento4 v1.6.0-639. There is a memory leak in AP4_DescriptorFactory::CreateDescriptorFromStream in Core/Ap4DescriptorFactory.cpp, as demonstrated by mp42aac.

Hi, developers of Bento4:  
In the test of the binary mp42aac instrumented with ASAN. There are some inputs causing memory leaks. Here is the ASAN mode output:

\=================================================================  
\==19530==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 80 byte(s) in 1 object(s) allocated from:  
#0 0x7ffff6f03592 in operator new(unsigned long) (/usr/lib/x86\_64-linux-gnu/libasan.so.2+0x99592)  
#1 0x5ad493 in AP4\_DescriptorFactory::CreateDescriptorFromStream(AP4\_ByteStream&, AP4\_Descriptor\*&) /root/Bento4/Source/C++/Core/Ap4DescriptorFactory.cpp:85

Indirect leak of 112 byte(s) in 2 object(s) allocated from:  
#0 0x7ffff6f03592 in operator new(unsigned long) (/usr/lib/x86\_64-linux-gnu/libasan.so.2+0x99592)  
#1 0x5ad7a9 in AP4\_DescriptorFactory::CreateDescriptorFromStream(AP4\_ByteStream&, AP4\_Descriptor\*&) /root/Bento4/Source/C++/Core/Ap4DescriptorFactory.cpp:127

Indirect leak of 72 byte(s) in 3 object(s) allocated from:  
#0 0x7ffff6f03592 in operator new(unsigned long) (/usr/lib/x86\_64-linux-gnu/libasan.so.2+0x99592)  
#1 0x604f8b in AP4\_List<AP4\_Descriptor>::Add(AP4\_Descriptor\*) /root/Bento4/Source/C++/Core/Ap4List.h:160  
#2 0x604f8b in AP4\_ObjectDescriptor::AP4\_ObjectDescriptor(AP4\_ByteStream&, unsigned char, unsigned int, unsigned int) /root/Bento4/Source/C++/Core/Ap4ObjectDescriptor.cpp:103

Indirect leak of 32 byte(s) in 1 object(s) allocated from:  
#0 0x7ffff6f03592 in operator new(unsigned long) (/usr/lib/x86\_64-linux-gnu/libasan.so.2+0x99592)  
#1 0x5ad532 in AP4\_DescriptorFactory::CreateDescriptorFromStream(AP4\_ByteStream&, AP4\_Descriptor\*&) /root/Bento4/Source/C++/Core/Ap4DescriptorFactory.cpp:115

Indirect leak of 25 byte(s) in 2 object(s) allocated from:  
#0 0x7ffff6f03712 in operator new\[\](unsigned long) (/usr/lib/x86\_64-linux-gnu/libasan.so.2+0x99712)  
#1 0x415b81 in AP4\_DataBuffer::ReallocateBuffer(unsigned int) /root/Bento4/Source/C++/Core/Ap4DataBuffer.cpp:210  
#2 0x415b81 in AP4\_DataBuffer::SetDataSize(unsigned int) /root/Bento4/Source/C++/Core/Ap4DataBuffer.cpp:151

SUMMARY: AddressSanitizer: 321 byte(s) leaked in 9 allocation(s).

**Crash Input**

https://github.com/17ssDP/fuzzer\_crashes/blob/main/Bento4/mp42aac-ml-00

**Verification steps：**

git clone https://github.com/axiomatic-systems/Bento4  
cd Bento4/  
mkdir check\_build && cd check\_build  
cmake ../ -DCMAKE\_C\_COMPILER=clang -DCMAKE\_CXX\_COMPILER=clang++ -DCMAKE\_C\_FLAGS="-fsanitize=address" -DCMAKE\_CXX\_FLAGS="-fsanitize=address" -DCMAKE\_BUILD\_TYPE=Release  
make -j  
./mp42aac mp42aac-ml-00 /dev/null

**Environment**

Ubuntu 16.04  
Clang 10.0.1  
gcc 5.5

CVE-2022-43032: Memory leaks with ASAN in mp42aac · Issue #763 · axiomatic-systems/Bento4

An issue was discovered in Bento4 1.6.0-639. There is a memory leak in the function AP4_File::ParseStream in /Core/Ap4File.cpp.

Hi, developers of Bento4:  
In the test of the binary mp42aac instrumented with ASAN. There are some inputs causing memory leaks. Here is the ASAN mode output. The output is different from #763.

\=================================================================  
\==6659==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 64 byte(s) in 1 object(s) allocated from:  
#0 0x7f8d891f0592 in operator new(unsigned long) (/usr/lib/x86\_64-linux-gnu/libasan.so.2+0x99592)  
#1 0x418dff in AP4\_File::ParseStream(AP4\_ByteStream&, AP4\_AtomFactory&, bool) /root/Bento4/Source/C++/Core/Ap4File.cpp:108  
#2 0x418dff in AP4\_File::AP4\_File(AP4\_ByteStream&, bool) /root/Bento4/Source/C++/Core/Ap4File.cpp:78

SUMMARY: AddressSanitizer: 64 byte(s) leaked in 1 allocation(s).

**Crash Input**

https://github.com/17ssDP/fuzzer\_crashes/blob/main/Bento4/mp42aac-ml-01

**Verification steps：**

git clone https://github.com/axiomatic-systems/Bento4  
cd Bento4/  
mkdir check\_build && cd check\_build  
cmake ../ -DCMAKE\_C\_COMPILER=clang -DCMAKE\_CXX\_COMPILER=clang++ -DCMAKE\_C\_FLAGS="-fsanitize=address" -DCMAKE\_CXX\_FLAGS="-fsanitize=address" -DCMAKE\_BUILD\_TYPE=Release  
make -j  
./mp42aac mp42aac-ml-01 /dev/null

**Environment**

Ubuntu 16.04  
Clang 10.0.1  
gcc 5.5

CVE-2022-43037: Memory leaks with ASAN in mp42aac · Issue #788 · axiomatic-systems/Bento4

GPAC 2.1-DEV-rev368-gfd054169b-master was discovered to contain a heap buffer overflow via the function gf_isom_box_dump_start_ex at /isomedia/box_funcs.c.

**Description**

Heap-buffer-overflow in isomedia/box\_funcs.c:2074 in gf\_isom\_box\_dump\_start\_ex

**Version**

    $ ./MP4Box -version
    MP4Box - GPAC version 2.1-DEV-rev368-gfd054169b-master
    (c) 2000-2022 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
    
    Please cite our work in your research:
            GPAC Filters: https://doi.org/10.1145/3339825.3394929
            GPAC: https://doi.org/10.1145/1291233.1291452
    
    GPAC Configuration: --enable-sanitizer
    Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_JPEG GPAC_HAS_PNG GPAC_HAS_LINUX_DVB  GPAC_DISABLE_3D 
    

**Replay**

    git clone https://github.com/gpac/gpac.git
    cd gpac
    ./configure --enable-sanitizer
    make -j$(nproc)
    ./bin/gcc/MP4Box -diso mp4box-diso-heap-buffer-over-flow-1
    

**POC**

https://github.com/17ssDP/fuzzer\_crashes/blob/main/gpac/mp4box-diso-heap-buffer-over-flow-1

**ASAN**

    
    [iso file] Read Box type 04@0004 (0x04400004) at position 94 has size 0 but is not at root/file level. Forbidden, skipping end of parent box !
    [iso file] Box "meta" (start 32) has 206 extra bytes
    [iso file] Box "uuid" (start 4061) has 58 extra bytes
    [iso file] Incomplete box mdat - start 4151 size 54847
    [iso file] Incomplete file while reading for dump - aborting parsing
    =================================================================
    ==18099==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x604000000540 at pc 0x7f54a04dd880 bp 0x7ffcec3ea7e0 sp 0x7ffcec3ea7d0
    READ of size 1 at 0x604000000540 thread T0
        #0 0x7f54a04dd87f in gf_isom_box_dump_start_ex isomedia/box_funcs.c:2074
        #1 0x7f54a04dd87f in gf_isom_box_dump_start isomedia/box_funcs.c:2093
        #2 0x7f54a04c0ae7 in trgt_box_dump isomedia/box_dump.c:5807
        #3 0x7f54a04ddbb8 in gf_isom_box_dump isomedia/box_funcs.c:2108
        #4 0x7f54a0470ffa in gf_isom_box_array_dump isomedia/box_dump.c:104
        #5 0x7f54a04ddda8 in gf_isom_box_dump_done isomedia/box_funcs.c:2115
        #6 0x7f54a04c09d5 in trgr_box_dump isomedia/box_dump.c:5799
        #7 0x7f54a04ddbb8 in gf_isom_box_dump isomedia/box_funcs.c:2108
        #8 0x7f54a04714d6 in gf_isom_dump isomedia/box_dump.c:138
        #9 0x55e8639f1804 in dump_isom_xml /home/fuzz/dp/chunkfuzzer-evaluation/benchmark/gpac-asan/applications/mp4box/filedump.c:2067
        #10 0x55e8639c1d79 in mp4box_main /home/fuzz/dp/chunkfuzzer-evaluation/benchmark/gpac-asan/applications/mp4box/mp4box.c:6364
        #11 0x7f549f4e0c86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86)
        #12 0x55e8639920a9 in _start (/home/fuzz/dp/chunkfuzzer-evaluation/benchmark/gpac-asan/bin/gcc/MP4Box+0x4e0a9)
    
    0x604000000540 is located 0 bytes to the right of 48-byte region [0x604000000510,0x604000000540)
    allocated by thread T0 here:
        #0 0x7f54a2a4cb40 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb40)
        #1 0x7f54a041bd12 in trgt_box_new isomedia/box_code_base.c:10623
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow isomedia/box_funcs.c:2074 in gf_isom_box_dump_start_ex
    Shadow bytes around the buggy address:
      0x0c087fff8050: fa fa 00 00 00 00 00 00 fa fa 00 00 00 00 00 00
      0x0c087fff8060: fa fa 00 00 00 00 00 00 fa fa 00 00 00 00 00 fa
      0x0c087fff8070: fa fa 00 00 00 00 00 00 fa fa 00 00 00 00 00 fa
      0x0c087fff8080: fa fa 00 00 00 00 00 00 fa fa 00 00 00 00 00 00
      0x0c087fff8090: fa fa fd fd fd fd fd fd fa fa 00 00 00 00 00 00
    =>0x0c087fff80a0: fa fa 00 00 00 00 00 00[fa]fa fa fa fa fa fa fa
      0x0c087fff80b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c087fff80c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c087fff80d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c087fff80e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c087fff80f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
    ==18099==ABORTING
    

**Environment**

    Ubuntu 16.04
    Clang 10.0.1
    gcc 5.5

CVE-2022-43040: heap-buffer-overflow isomedia/box_funcs.c:2074 in gf_isom_box_dump_start_ex · Issue #2280 · gpac/gpac

GPAC 2.1-DEV-rev368-gfd054169b-master was discovered to contain a segmentation violation via the function BD_CheckSFTimeOffset at /bifs/field_decode.c.

**Description**

SEGV in BD\_CheckSFTimeOffset bifs/field\_decode.c:58

**Version**

    $ ./MP4Box -version
    MP4Box - GPAC version 2.1-DEV-rev368-gfd054169b-master
    (c) 2000-2022 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
    
    Please cite our work in your research:
            GPAC Filters: https://doi.org/10.1145/3339825.3394929
            GPAC: https://doi.org/10.1145/1291233.1291452
    
    GPAC Configuration: --enable-sanitizer
    Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_JPEG GPAC_HAS_PNG GPAC_HAS_LINUX_DVB  GPAC_DISABLE_3D 
    

**Replay**

    git clone https://github.com/gpac/gpac.git
    cd gpac
    ./configure --enable-sanitizer
    make -j$(nproc)
    ./bin/gcc/MP4Box -bt mp4box-bt-segv-0
    

**POC**

https://github.com/17ssDP/fuzzer\_crashes/blob/main/gpac/mp4box-bt-segv-0

**ASAN**

    
    [iso file] Unknown box type 0000 in parent moov
    [iso file] Unknown box type 0000 in parent moov
    [iso file] Unknown box type 0000 in parent moov
    [iso file] Unknown box type 0000 in parent moov
    [iso file] Unknown box type 0000 in parent moov
    [iso file] Unknown box type 0000 in parent moov
    [iso file] Unknown box type 0000 in parent minf
    [iso file] Missing DataInformationBox
    [iso file] Unknown box type 0000 in parent moov
    [iso file] Read Box type 0000 (0x30303030) at position 11542 has size 0 but is not at root/file level. Forbidden, skipping end of parent box !
    [iso file] Box "moov" (start 20) has 806 extra bytes
    [iso file] Unknown top-level box type 0000
    [iso file] Incomplete box 0000 - start 12356 size 808358436
    [iso file] Incomplete file while reading for dump - aborting parsing
    [iso file] Unknown box type 0000 in parent moov
    [iso file] Unknown box type 0000 in parent moov
    [iso file] Unknown box type 0000 in parent moov
    [iso file] Unknown box type 0000 in parent moov
    [iso file] Unknown box type 0000 in parent moov
    [iso file] Unknown box type 0000 in parent moov
    [iso file] Unknown box type 0000 in parent minf
    [iso file] Missing DataInformationBox
    [iso file] Unknown box type 0000 in parent moov
    [iso file] Read Box type 0000 (0x30303030) at position 11542 has size 0 but is not at root/file level. Forbidden, skipping end of parent box !
    [iso file] Box "moov" (start 20) has 806 extra bytes
    [iso file] Unknown top-level box type 0000
    [iso file] Incomplete box 0000 - start 12356 size 808358436
    [iso file] Incomplete file while reading for dump - aborting parsing
    MPEG-4 BIFS Scene Parsing
    [ODF] Reading bifs config: shift in sizes (not supported)
    ASAN:DEADLYSIGNAL                 | (00/100)
    =================================================================
    ==64022==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000001 (pc 0x7f4bf2457608 bp 0x7fff7805fc00 sp 0x7fff7805f360 T0)
    ==64022==The signal is caused by a READ memory access.
    ==64022==Hint: address points to the zero page.
        #0 0x7f4bf2457607  (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x5b607)
        #1 0x7f4befd4dd1a in BD_CheckSFTimeOffset bifs/field_decode.c:58
        #2 0x7f4befd53e80 in gf_bifs_dec_sf_field bifs/field_decode.c:105
        #3 0x7f4befd6a1be in BM_XReplace bifs/memory_decoder.c:355
        #4 0x7f4befd6a1be in BM_ParseExtendedUpdates bifs/memory_decoder.c:398
        #5 0x7f4befd754ad in BM_ParseInsert bifs/memory_decoder.c:586
        #6 0x7f4befd754ad in BM_ParseCommand bifs/memory_decoder.c:908
        #7 0x7f4befd7660d in gf_bifs_decode_command_list bifs/memory_decoder.c:1038
        #8 0x7f4bf0743bc6 in gf_sm_load_run_isom scene_manager/loader_isom.c:303
        #9 0x562cf53f8dd7 in dump_isom_scene /home/fuzz/dp/chunkfuzzer-evaluation/benchmark/gpac-asan/applications/mp4box/filedump.c:207
        #10 0x562cf53d37ff in mp4box_main /home/fuzz/dp/chunkfuzzer-evaluation/benchmark/gpac-asan/applications/mp4box/mp4box.c:6336
        #11 0x7f4beef6ec86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86)
        #12 0x562cf53a50a9 in _start (/home/fuzz/dp/chunkfuzzer-evaluation/benchmark/gpac-asan/bin/gcc/MP4Box+0x4e0a9)
    
    AddressSanitizer can not provide additional info.
    SUMMARY: AddressSanitizer: SEGV (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x5b607) 
    ==64022==ABORTING
    

**Environment**

    Ubuntu 16.04
    Clang 10.0.1
    gcc 5.5

CVE-2022-43043: SEGV BD_CheckSFTimeOffset bifs/field_decode.c:58 · Issue #2276 · gpac/gpac

GPAC 2.1-DEV-rev368-gfd054169b-master was discovered to contain a segmentation violation via the function gf_dump_vrml_sffield at /scene_manager/scene_dump.c.

**Description**

SEGV scene\_manager/scene\_dump.c:693 in gf\_dump\_vrml\_sffield

**Version**

    $ ./MP4Box -version
    MP4Box - GPAC version 2.1-DEV-rev368-gfd054169b-master
    (c) 2000-2022 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
    
    Please cite our work in your research:
            GPAC Filters: https://doi.org/10.1145/3339825.3394929
            GPAC: https://doi.org/10.1145/1291233.1291452
    
    GPAC Configuration: --enable-sanitizer
    Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_JPEG GPAC_HAS_PNG GPAC_HAS_LINUX_DVB  GPAC_DISABLE_3D 
    

**Replay**

    git clone https://github.com/gpac/gpac.git
    cd gpac
    ./configure --enable-sanitizer
    make -j$(nproc)
    ./bin/gcc/MP4Box -bt mp4box-bt-segv-1
    

**POC**

https://github.com/17ssDP/fuzzer\_crashes/blob/main/gpac/mp4box-bt-segv-1

**ASAN**

    [iso file] Unknown box type 0000 in parent moov
    [iso file] Unknown box type 0000 in parent moov
    [iso file] Unknown box type 0000 in parent moov
    [iso file] Unknown box type 0000 in parent moov
    [iso file] Unknown box type 0000 in parent moov
    [iso file] Unknown box type 0000 in parent moov
    [iso file] Unknown box type 0000 in parent minf
    [iso file] Missing DataInformationBox
    [iso file] Unknown box type 0000 in parent moov
    [iso file] Read Box type 0000 (0x30303030) at position 11542 has size 0 but is not at root/file level. Forbidden, skipping end of parent box !
    [iso file] Box "moov" (start 20) has 806 extra bytes
    [iso file] Unknown top-level box type 0000
    [iso file] Incomplete box 0000 - start 12356 size 808358436
    [iso file] Incomplete file while reading for dump - aborting parsing
    [iso file] Unknown box type 0000 in parent moov
    [iso file] Unknown box type 0000 in parent moov
    [iso file] Unknown box type 0000 in parent moov
    [iso file] Unknown box type 0000 in parent moov
    [iso file] Unknown box type 0000 in parent moov
    [iso file] Unknown box type 0000 in parent moov
    [iso file] Unknown box type 0000 in parent minf
    [iso file] Missing DataInformationBox
    [iso file] Unknown box type 0000 in parent moov
    [iso file] Read Box type 0000 (0x30303030) at position 11542 has size 0 but is not at root/file level. Forbidden, skipping end of parent box !
    [iso file] Box "moov" (start 20) has 806 extra bytes
    [iso file] Unknown top-level box type 0000
    [iso file] Incomplete box 0000 - start 12356 size 808358436
    [iso file] Incomplete file while reading for dump - aborting parsing
    MPEG-4 BIFS Scene Parsing
    [ODF] Reading bifs config: shift in sizes (not supported)
    [MP4 Loading] Unable to fetch sample 38 from track ID 8 - aborting track import
    Scene loaded - dumping 1 systems streams
    ASAN:DEADLYSIGNAL
    =================================================================
    ==42376==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000008 (pc 0x7f6a20c34c94 bp 0x60b000000720 sp 0x7ffd44396130 T0)
    ==42376==The signal is caused by a READ memory access.
    ==42376==Hint: address points to the zero page.
        #0 0x7f6a20c34c93 in gf_dump_vrml_sffield scene_manager/scene_dump.c:693
        #1 0x7f6a20c69012 in gf_dump_vrml_simple_field scene_manager/scene_dump.c:775
        #2 0x7f6a20c5020c in DumpXReplace scene_manager/scene_dump.c:2291
        #3 0x7f6a20c5020c in gf_sm_dump_command_list scene_manager/scene_dump.c:2901
        #4 0x7f6a20c77d57 in gf_sm_dump scene_manager/scene_dump.c:3519
        #5 0x556786082cef in dump_isom_scene /home/fuzz/dp/chunkfuzzer-evaluation/benchmark/gpac-asan/applications/mp4box/filedump.c:221
        #6 0x55678605d7ff in mp4box_main /home/fuzz/dp/chunkfuzzer-evaluation/benchmark/gpac-asan/applications/mp4box/mp4box.c:6336
        #7 0x7f6a1f3bac86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86)
        #8 0x55678602f0a9 in _start (/home/fuzz/dp/chunkfuzzer-evaluation/benchmark/gpac-asan/bin/gcc/MP4Box+0x4e0a9)
    
    AddressSanitizer can not provide additional info.
    SUMMARY: AddressSanitizer: SEGV scene_manager/scene_dump.c:693 in gf_dump_vrml_sffield
    ==42376==ABORTING
    

**Environment**

    Ubuntu 16.04
    Clang 10.0.1
    gcc 5.5

CVE-2022-43045: SEGV scene_manager/scene_dump.c:693 in gf_dump_vrml_sffield · Issue #2277 · gpac/gpac

GPAC 2.1-DEV-rev368-gfd054169b-master was discovered to contain a segmentation violation via the function gf_isom_get_meta_item_info at /isomedia/meta.c.

**Description**

SEGV in isomedia/meta.c:177 in gf\_isom\_get\_meta\_item\_info

**Version**

    $ ./MP4Box -version
    MP4Box - GPAC version 2.1-DEV-rev368-gfd054169b-master
    (c) 2000-2022 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
    
    Please cite our work in your research:
            GPAC Filters: https://doi.org/10.1145/3339825.3394929
            GPAC: https://doi.org/10.1145/1291233.1291452
    
    GPAC Configuration: --enable-sanitizer
    Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_JPEG GPAC_HAS_PNG GPAC_HAS_LINUX_DVB  GPAC_DISABLE_3D 
    

**Replay**

    git clone https://github.com/gpac/gpac.git
    cd gpac
    ./configure --enable-sanitizer
    make -j$(nproc)
    ./bin/gcc/MP4Box -info mp4box-info-segv-1
    

**POC**

https://github.com/17ssDP/fuzzer\_crashes/blob/main/gpac/mp4box-info-segv-1

**ASAN**

    [iso file] Unknown box type i000000 in parent iinf
    [iso file] Unknown top-level box type v000000
    [iso file] Incomplete box v000000 - start 308 size 191662031
    [iso file] Incomplete file while reading for dump - aborting parsing
    # File Meta type: "Meta" - 3 resource item(s)
    ASAN:DEADLYSIGNAL
    =================================================================
    ==52314==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000028 (pc 0x7f4d67b428f9 bp 0x000000000000 sp 0x7ffcd749c3c0 T0)
    ==52314==The signal is caused by a READ memory access.
    ==52314==Hint: address points to the zero page.
        #0 0x7f4d67b428f8 in gf_isom_get_meta_item_info isomedia/meta.c:177
        #1 0x55fa2660a89e in DumpMetaItem /gpac/applications/mp4box/filedump.c:2467
        #2 0x55fa26642cc8 in DumpMovieInfo /gpac/applications/mp4box/filedump.c:3820
        #3 0x55fa265efee4 in mp4box_main /gpac/applications/mp4box/mp4box.c:6359
        #4 0x7f4d669cfc86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86)
        #5 0x55fa265c00a9 in _start (/gpac/bin/gcc/MP4Box+0x4e0a9)
    
    AddressSanitizer can not provide additional info.
    SUMMARY: AddressSanitizer: SEGV isomedia/meta.c:177 in gf_isom_get_meta_item_info
    ==52314==ABORTING
    

**Environment**

    Ubuntu 16.04
    Clang 10.0.1
    gcc 5.5

CVE-2022-43044: SEGV isomedia/meta.c:177 in gf_isom_get_meta_item_info · Issue #2282 · gpac/gpac

GPAC 2.1-DEV-rev368-gfd054169b-master was discovered to contain a segmentation violation via the function gf_isom_meta_restore_items_ref at /isomedia/meta.c.

**Description**

SEGV in isomedia/meta.c:1929 in gf\_isom\_meta\_restore\_items\_ref

**Version**

    $ ./MP4Box -version
    MP4Box - GPAC version 2.1-DEV-rev368-gfd054169b-master
    (c) 2000-2022 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
    
    Please cite our work in your research:
            GPAC Filters: https://doi.org/10.1145/3339825.3394929
            GPAC: https://doi.org/10.1145/1291233.1291452
    
    GPAC Configuration: --enable-sanitizer
    Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_JPEG GPAC_HAS_PNG GPAC_HAS_LINUX_DVB  GPAC_DISABLE_3D 
    

**Replay**

    git clone https://github.com/gpac/gpac.git
    cd gpac
    ./configure --enable-sanitizer
    make -j$(nproc)
    ./bin/gcc/MP4Box -info mp4box-info-segv-0
    

**POC**

https://github.com/17ssDP/fuzzer\_crashes/blob/main/gpac/mp4box-info-segv-0

**ASAN**

    [iso file] Read Box type 0003E8d (0x0003E864) at position 653 has size 0 but is not at root/file level. Forbidden, skipping end of parent box !
    [iso file] Missing DataInformationBox
    [iso file] Box "minf" (start 645) has 3400 extra bytes
    [iso file] Track with no sample table !
    [iso file] Track with no sample description box !
    [isom] not enough bytes in box A9too: 29 left, reading 41 (file isomedia/box_code_apple.c, line 117)
    [iso file] Read Box "A9too" (start 4122) failed (Invalid IsoMedia File) - skipping
    [iso file] Read Box "ilst" (start 4114) failed (Invalid IsoMedia File) - skipping
    [iso file] Read Box type 000000! (0x00000021) at position 4077 has size 0 but is not at root/file level. Forbidden, skipping end of parent box !
    [iso file] Box "meta" (start 4069) has 74 extra bytes
    ASAN:DEADLYSIGNAL
    =================================================================
    ==57686==ERROR: AddressSanitizer: SEGV on unknown address 0x00000000002c (pc 0x7fb4c621a438 bp 0x000000000000 sp 0x7fff370fe330 T0)
    ==57686==The signal is caused by a READ memory access.
    ==57686==Hint: address points to the zero page.
        #0 0x7fb4c621a437 in gf_isom_meta_restore_items_ref isomedia/meta.c:1929
        #1 0x7fb4c60c4127 in gf_isom_parse_movie_boxes_internal isomedia/isom_intern.c:429
        #2 0x7fb4c60d00e5 in gf_isom_parse_movie_boxes isomedia/isom_intern.c:866
        #3 0x7fb4c60d00e5 in gf_isom_open_file isomedia/isom_intern.c:986
        #4 0x5627a34e0048 in mp4box_main /gpac/applications/mp4box/mp4box.c:6175
        #5 0x7fb4c5089c86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86)
        #6 0x5627a34b30a9 in _start (/gpac/bin/gcc/MP4Box+0x4e0a9)
    
    AddressSanitizer can not provide additional info.
    SUMMARY: AddressSanitizer: SEGV isomedia/meta.c:1929 in gf_isom_meta_restore_items_ref
    ==57686==ABORTING
    

**Environment**

    Ubuntu 16.04
    Clang 10.0.1
    gcc 5.5

CVE-2022-43039: SEGV isomedia/meta.c:1929 in gf_isom_meta_restore_items_ref · Issue #2281 · gpac/gpac

GPAC 2.1-DEV-rev368-gfd054169b-master was discovered to contain a heap buffer overflow via the function FixSDTPInTRAF at isomedia/isom_intern.c.

**Description**

Heap-buffer-overflow in isomedia/isom\_intern.c:227 in FixSDTPInTRAF

**Version**

    $ ./MP4Box -version
    MP4Box - GPAC version 2.1-DEV-rev368-gfd054169b-master
    (c) 2000-2022 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
    
    Please cite our work in your research:
            GPAC Filters: https://doi.org/10.1145/3339825.3394929
            GPAC: https://doi.org/10.1145/1291233.1291452
    
    GPAC Configuration: --enable-sanitizer
    Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_JPEG GPAC_HAS_PNG GPAC_HAS_LINUX_DVB  GPAC_DISABLE_3D 
    

**Replay**

    git clone https://github.com/gpac/gpac.git
    cd gpac
    ./configure --enable-sanitizer
    make -j$(nproc)
    ./bin/gcc/MP4Box -bt mp4box-bt-heap-buffer-over-flow-0
    

**POC**

https://github.com/17ssDP/fuzzer\_crashes/blob/main/gpac/mp4box-bt-heap-buffer-over-flow-0

**ASAN**

    [iso file] Unknown box type sjhm in parent sinf
    [iso file] Unknown box type sgp00 in parent stbl
    [iso file] Read Box type 00000000 (0x00000000) at position 2168 has size 0 but is not at root/file level. Forbidden, skipping end of parent box !
    [iso file] Box "traf" (start 2028) has 458 extra bytes
    [iso file] Unknown box type shgp in parent traf
    =================================================================
    ==31145==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000001914 at pc 0x7fe0339cbbf8 bp 0x7ffc2041a330 sp 0x7ffc2041a320
    READ of size 1 at 0x602000001914 thread T0
        #0 0x7fe0339cbbf7 in FixSDTPInTRAF isomedia/isom_intern.c:227
        #1 0x7fe0339cbbf7 in gf_isom_parse_movie_boxes_internal isomedia/isom_intern.c:663
        #2 0x7fe0339ce0e5 in gf_isom_parse_movie_boxes isomedia/isom_intern.c:866
        #3 0x7fe0339ce0e5 in gf_isom_open_file isomedia/isom_intern.c:986
        #4 0x55ec82396048 in mp4box_main /home/fuzz/dp/chunkfuzzer-evaluation/benchmark/gpac-asan/applications/mp4box/mp4box.c:6175
        #5 0x7fe032987c86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86)
        #6 0x55ec823690a9 in _start (/home/fuzz/dp/chunkfuzzer-evaluation/benchmark/gpac-asan/bin/gcc/MP4Box+0x4e0a9)
    
    0x602000001914 is located 0 bytes to the right of 4-byte region [0x602000001910,0x602000001914)
    allocated by thread T0 here:
        #0 0x7fe035ef3b40 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb40)
        #1 0x7fe0338a4541 in sdtp_box_read isomedia/box_code_base.c:8354
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow isomedia/isom_intern.c:227 in FixSDTPInTRAF
    Shadow bytes around the buggy address:
      0x0c047fff82d0: fa fa 00 00 fa fa 00 00 fa fa 01 fa fa fa 00 00
      0x0c047fff82e0: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa fd fa
      0x0c047fff82f0: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 00
      0x0c047fff8300: fa fa 00 fa fa fa 00 00 fa fa 00 07 fa fa 00 00
      0x0c047fff8310: fa fa 00 fa fa fa 00 00 fa fa 00 00 fa fa 00 00
    =>0x0c047fff8320: fa fa[04]fa fa fa 00 00 fa fa 00 00 fa fa fa fa
      0x0c047fff8330: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff8340: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff8350: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff8360: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff8370: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
    ==31145==ABORTING
    

**Environment**

    Ubuntu 16.04
    Clang 10.0.1
    gcc 5.5

CVE-2022-43042: heap-buffer-overflow isomedia/isom_intern.c:227 in FixSDTPInTRAF · Issue #2278 · gpac/gpac

The Winnti APT was spotted dropping several variants of Spyder Loader and other malware as part of the so-called Operation Cuckoobees.

The Winnti cyber-espionage group out of China was discovered deploying the Spyder Loader malware as part of an ongoing campaign to gather intelligence information on government organizations in Hong Kong.

Researchers at Symantec's Threat Hunter Team recently observed malicious activity in which attackers remained active on some targeted networks for more than a year to steal critical data in what they believe is an extension of the group's previously identified Operation Cuckoobees, they said in a blog post published this week.

"While we did not see the ultimate payload in this campaign, based on the previous activity seen alongside the Spyder Loader malware it seems likely the ultimate goal of this activity was intelligence collection," researchers wrote.

Researchers at Cybereason first identified the Cuckoobees campaign in May as a massive cyber-espionage campaign against manufacturing and technology companies in North America and Asia that had been stealing immense stores of intellectual property and other sensitive data for years when it was discovered.

At that time, researchers estimated that Winnti — aka APT41, Wicked Panda, and Barium — so far had stolen hundreds of gigabytes of data, including trade secrets, blueprints, formulas, diagrams, and proprietary manufacturing documents, from more than 30 global organizations. They also harvested details about a target organization's network architecture, user accounts, credentials, customer data, and business units to leverage in future attacks.

The latest activity against Hong Kong organizations appears to be part of that broad campaign, which is likely to continue and ensnare more victims in its cyber-espionage web before it's over, researchers said. "The fact that this campaign has been ongoing for several years … indicates that the actors behind this activity are persistent and focused adversaries, with the ability to carry out stealthy operations on victim networks over a long period of time," they wrote.

**Unpacking a Trojan**

During the activity they observed Symantec researchers got a good look under the hood at Spyder Loader, which Winnti already had been spotted using as the initial payload in previous malicious activity.

Researchers at SonicWall were the first to discuss the malware publicly in March 2021, according to Symantec, which is part of Broadcom Software. At the time researchers identified the malware being used for targeted attacks on information storage systems to collect information about corrupted devices, execute mischievous payloads, coordinate script execution, and communicate with command and control systems, they said in their report.

The malware later was spotted being used in the Cuckoobees campaign and now again against Hong Kong organizations, with various variants being deployed this time around. All of them "displayed largely the same functionality" to load next-stage payloads and perform functions similar to those described by SonicWall, using obfuscation to hide malicious activity, the researchers said.

Winnti is believed to be working on behalf of, or with the support of, the Chinese government since at least 2010. Some security vendors have described Winnti as an umbrella group comprised of multiple threat actors operating under the control of China's state intelligence agencies.

In addition to Cuckoobees, Winnti also has been linked to attacks in 2010 on scores of US firms that included such heavy-hitters as Google and Yahoo. Its activity eventually led the US government to indict five members of the threat group, which in the end did little to stop its malicious activities.

**Technical Details**

Symantec researchers analyzed a sample of Spyder Loader compiled as a 64-bit PE DLL, a modified copy of sqlite3.dll with the addition of a malicious export, sqlite3\_prepare\_v4, which expects a string as its third argument, they said.

"Reportedly, whenever an export is executed by rundll32.exe, the third argument of the called export should contain part of the process command-line," researchers explained. "When this loader is executed, it extracts the file name from its third argument, and the referred file is expected to contain a sequence of records."

The malware executes a created wlbsctrl.dll file that likely acts as a next-stage loader that runs the content of a previously stored blob\_id 2 record — which it encrypts using the AES algorithm in Ciphertext Feedback (CFB) mode with segment\_size of 0x80 bits — from the created FileMapping, researchers explained. The encryption key is based on the name of an affected computer per GetComputerNameW() API, they said.

Spyder Loader also used other obfuscation techniques to prevent its activity from being analyzed, researchers said. In addition to AES encryption, the malware sample also used the ChaCha20 algorithm encryption to obfuscate one of the strings, as well as cleaned up created artifacts by overwriting the content of the dropped wlbsctrl.dll file before deleting it, for example, they said.

There are several similarities between the Spyder Loader activity seen in the Hong Kong campaign and its original functionality as described by Cybereason. They include: use of a modified version of sqlite3.dll; use of the third parameter of its malicious export that's consistent with the rundll32.exe command-line example seen in Cybereason’s research; and use of the CryptoPP C++ library.

In addition to Spyder Loader, credential-stealer Mimikatz and a Trojanized ZLib DLL were among the malware loaded onto victim machines, the researchers said.

The researchers included in their report a list of indicators of compromise for Spyder Loader in the post so enterprises can detect if their systems have been infected. They also encouraged organizations to stay up to date on the latest threats and malware in circulation that may require security updates by referring to Symantec's Protection Bulletins page.

China-Linked Cyber-Espionage Team Homes In on Hong Kong Government Orgs

An advanced persistent threat (APT) group of Chinese origin codenamed DiceyF has been linked to a string of attacks aimed at online casinos in Southeast Asia for years.
Russian cybersecurity company Kaspersky said the activity aligns with another set of intrusions attributed to Earth Berberoka (aka GamblingPuppet) and DRBControl, citing tactical and targeting similarities as well as the abuse of

An advanced persistent threat (APT) group of Chinese origin codenamed **DiceyF** has been linked to a string of attacks aimed at online casinos in Southeast Asia for years.

Russian cybersecurity company Kaspersky said the activity aligns with another set of intrusions attributed to Earth Berberoka (aka GamblingPuppet) and DRBControl, citing tactical and targeting similarities as well as the abuse of secure messaging clients.

"Possibly we have a mix of espionage and \[intellectual property\] theft, but the true motivations remain a mystery," researchers Kurt Baumgartner and Georgy Kucherin said in a technical write-up published this week.

The starting point of the investigation was in November 2021 when Kaspersky said it detected multiple PlugX loaders and other payloads that were deployed via an employee monitoring service and a security package deployment service.

The initial infection method – the distribution of the framework through security solution packages – afforded the threat actor "to perform cyberespionage activities with some level of stealth," the company stated.

Subsequently, the same security package deployment service is said to have been employed to deliver what's called the GamePlayerFramework, a C# variant of a C++-based malware known as PuppetLoader.

"This 'framework' includes downloaders, launchers, and a set of plugins that provide remote access and steal keystrokes and clipboard data," the researchers explained.

Indications are that the DiceyF activity is a follow-on campaign to Earth Berberoka with a retooled malware toolset, even as the framework is maintained through two separate branches dubbed Tifa and Yuna, which come with different modules of varying levels of sophistication.

While the Tifa branch contains a downloader and a core component, Yuna is more complex in terms of functionality, incorporating a downloader, a set of plugins, and at least 12 PuppetLoader modules. That said, both branches are believed to be actively and incrementally updated.

Regardless of the variant employed, the GamePlayerFramework, once launched, connects to a command-and-control (C2) and transmits information about the compromised host and the clipboard contents, after which the C2 responds with one of 15 commands that allow the malware to seize control of the machine.

This also includes launching a plugin on the victim system that can either be downloaded from the C2 server when the framework is instantiated or retrieved using the "InstallPlugin" command sent by the server.

These plugins, in turn, make it possible to steal cookies from Google Chrome and Mozilla Firefox browsers, capture keystroke and clipboard data, set up virtual desktop sessions, and even remotely connect to the machine over SSH.

Kaspersky also pointed to the use of a malicious app that mimics another software called Mango Employee Account Data Synchronizer, a messenger app used at the targeted entities, to drop the GamePlayerFramework within the network.

"There are many interesting characteristics of DiceyF campaigns and TTPs," the researchers said. "The group modifies their codebase over time, and develops functionality in the code throughout their intrusions."

"To make sure that victims did not become suspicious of the disguised implants, attackers obtained information about targeted organizations (such as the floor where the organization's IT department is located) and included it inside graphic windows displayed to victims."

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Tag

#c++