An issue in AP4_SgpdAtom::AP4_SgpdAtom() of Bento4-1.6.0-639 allows attackers to cause a Denial of Service (DoS) via a crafted mp4 input.

**Vulnerability description**

**version:** Bento4-1.6.0-639  
**command:** ./mp42aac $POC /dev/null  
**Download:** poc

Here is the trace reported by ASAN:

    $ mp42aac poc /dev/null
    
    AddressSanitizer: Out of memory. The process has exhausted 65536MB for size class 48.
    =================================================================
    ==29843==ERROR: AddressSanitizer: allocator is out of memory trying to allocate 0x18 bytes
        #0 0x7ffff769b947 in operator new(unsigned long) (/lib/x86_64-linux-gnu/libasan.so.5+0x10f947)
        #1 0x555555911f52 in AP4_List<AP4_DataBuffer>::Add(AP4_DataBuffer*) /path_to_Bento4/Source/C++/Core/Ap4List.h:160
        #2 0x5555559114bd in AP4_SgpdAtom::AP4_SgpdAtom(unsigned int, unsigned char, unsigned int, AP4_ByteStream&) /path_to_Bento4/Source/C++/Core/Ap4SgpdAtom.cpp:111
        #3 0x555555910da4 in AP4_SgpdAtom::Create(unsigned int, AP4_ByteStream&) /path_to_Bento4/Source/C++/Core/Ap4SgpdAtom.cpp:54
        #4 0x55555589399c in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) /path_to_Bento4/Source/C++/Core/Ap4AtomFactory.cpp:729
        #5 0x555555890224 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) /path_to_Bento4/Source/C++/Core/Ap4AtomFactory.cpp:233
        #6 0x5555558b9c5f in AP4_ContainerAtom::ReadChildren(AP4_AtomFactory&, AP4_ByteStream&, unsigned long long) /path_to_Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:194
        #7 0x5555558b96c2 in AP4_ContainerAtom::AP4_ContainerAtom(unsigned int, unsigned long long, bool, AP4_ByteStream&, AP4_AtomFactory&) /path_to_Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:139
        #8 0x5555558b9229 in AP4_ContainerAtom::Create(unsigned int, unsigned long long, bool, bool, AP4_ByteStream&, AP4_AtomFactory&) /path_to_Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:88
        #9 0x555555893d26 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) /path_to_Bento4/Source/C++/Core/Ap4AtomFactory.cpp:796
        #10 0x555555890224 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) /path_to_Bento4/Source/C++/Core/Ap4AtomFactory.cpp:233
        #11 0x5555558c7b47 in AP4_DrefAtom::AP4_DrefAtom(unsigned int, unsigned char, unsigned int, AP4_ByteStream&, AP4_AtomFactory&) /path_to_Bento4/Source/C++/Core/Ap4DrefAtom.cpp:84
        #12 0x5555558c768b in AP4_DrefAtom::Create(unsigned int, AP4_ByteStream&, AP4_AtomFactory&) /path_to_Bento4/Source/C++/Core/Ap4DrefAtom.cpp:50
        #13 0x555555892ccd in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) /path_to_Bento4/Source/C++/Core/Ap4AtomFactory.cpp:560
        #14 0x555555890224 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) /path_to_Bento4/Source/C++/Core/Ap4AtomFactory.cpp:233
        #15 0x5555558b9c5f in AP4_ContainerAtom::ReadChildren(AP4_AtomFactory&, AP4_ByteStream&, unsigned long long) /path_to_Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:194
        #16 0x5555558b96c2 in AP4_ContainerAtom::AP4_ContainerAtom(unsigned int, unsigned long long, bool, AP4_ByteStream&, AP4_AtomFactory&) /path_to_Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:139
        #17 0x5555558b9229 in AP4_ContainerAtom::Create(unsigned int, unsigned long long, bool, bool, AP4_ByteStream&, AP4_AtomFactory&) /path_to_Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:88
        #18 0x555555893d26 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) /path_to_Bento4/Source/C++/Core/Ap4AtomFactory.cpp:796
        #19 0x555555890224 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) /path_to_Bento4/Source/C++/Core/Ap4AtomFactory.cpp:233
        #20 0x5555558b9c5f in AP4_ContainerAtom::ReadChildren(AP4_AtomFactory&, AP4_ByteStream&, unsigned long long) /path_to_Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:194
        #21 0x5555558b96c2 in AP4_ContainerAtom::AP4_ContainerAtom(unsigned int, unsigned long long, bool, AP4_ByteStream&, AP4_AtomFactory&) /path_to_Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:139
        #22 0x5555558b9229 in AP4_ContainerAtom::Create(unsigned int, unsigned long long, bool, bool, AP4_ByteStream&, AP4_AtomFactory&) /path_to_Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:88
        #23 0x555555893d26 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) /path_to_Bento4/Source/C++/Core/Ap4AtomFactory.cpp:796
        #24 0x555555890224 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) /path_to_Bento4/Source/C++/Core/Ap4AtomFactory.cpp:233
        #25 0x5555558b9c5f in AP4_ContainerAtom::ReadChildren(AP4_AtomFactory&, AP4_ByteStream&, unsigned long long) /path_to_Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:194
        #26 0x5555558b96c2 in AP4_ContainerAtom::AP4_ContainerAtom(unsigned int, unsigned long long, bool, AP4_ByteStream&, AP4_AtomFactory&) /path_to_Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:139
        #27 0x5555558b9229 in AP4_ContainerAtom::Create(unsigned int, unsigned long long, bool, bool, AP4_ByteStream&, AP4_AtomFactory&) /path_to_Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:88
        #28 0x555555893d26 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) /path_to_Bento4/Source/C++/Core/Ap4AtomFactory.cpp:796
        #29 0x555555890224 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) /path_to_Bento4/Source/C++/Core/Ap4AtomFactory.cpp:233
    
    ==29843==HINT: if you don't care about these errors you may set allocator_may_return_null=1
    SUMMARY: AddressSanitizer: out-of-memory (/lib/x86_64-linux-gnu/libasan.so.5+0x10f947) in operator new(unsigned long)
    ==29843==ABORTING
    

**Vulnerability analysis**

AP4\_UI32 entry\_count = 0;

AP4\_Result result = stream.ReadUI32(entry\_count);

if (AP4\_FAILED(result)) return;

bytes\_available -= 4;

// read all entries

for (unsigned int i=0; i<entry\_count; i++) {

AP4\_UI32 description\_length = m\_DefaultLength;

if (m\_Version == 0) {

// entry size unknown, read the whole thing

description\_length = bytes\_available;

} else {

if (m\_DefaultLength == 0) {

description\_length = stream.ReadUI32(description\_length);

}

}

if (description\_length <= bytes\_available) {

AP4\_DataBuffer\* payload = new AP4\_DataBuffer();

if (description\_length) {

payload->SetDataSize(description\_length);

stream.Read(payload->UseData(), description\_length);

}

m\_Entries.Add(payload);

}

}

}

    pwndbg> p entry_count
    $1 = 4278190081
    pwndbg> p m_DefaultLength
    $2 = 20
    pwndbg> p m_Version
    $3 = 1 '\001'
    pwndbg> p bytes_available
    $4 = 20
    

The possible cause of this issue is that a crafted input can set entry_count to a large value (4,278,190,081) in line 90. Such a long loop (line 95-114) will allocate a lot of memory in line 106 and line 111, which eventually exhausts the memory. Since the return value of stream.Read is not checked in line 109, the loop will not terminate at the end of the input file.

CVE-2022-35165: Possible memory exhuastion in AP4_SgpdAtom::AP4_SgpdAtom(). The process has exhausted 65536MB memory. · Issue #712 · axiomatic-systems/Bento4

A heap-buffer-overflow had occurred in function gf_isom_dovi_config_get of isomedia/avc_ext.c:2490, as demonstrated by MP4Box. This vulnerability was fixed in commit fef6242.

Thanks for reporting your issue. Please make sure these boxes are checked before submitting your issue - thank you!

*   I looked for a similar issue and couldn't find any.
*   I tried with the latest version of GPAC. Installers available at http://gpac.io/downloads/gpac-nightly-builds/
*   I give enough information for contributors to reproduce my issue (meaningful title, github labels, platform and compiler, command-line ...). I can share files anonymously with this dropbox: https://www.mediafire.com/filedrop/filedrop\_hosted.php?drop=eec9e058a9486fe4e99c33021481d9e1826ca9dbc242a6cfaab0fe95da5e5d95

Detailed guidelines: http://gpac.io/2013/07/16/how-to-file-a-bug-properly/  
**Description**  
A heap-buffer-overflow has occurred in function gf\_isom\_dovi\_config\_get of isomedia/avc\_ext.c:2490 when running program MP4Box,this can reproduce on the lattest commit.

**version info**

    fuzz@ubuntu:~/gpac2.1/gpac/bin/gcc$ ./MP4Box -version
    MP4Box - GPAC version 2.1-DEV-revUNKNOWN-master
    (c) 2000-2022 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
    
    Please cite our work in your research:
    	GPAC Filters: https://doi.org/10.1145/3339825.3394929
    	GPAC: https://doi.org/10.1145/1291233.1291452
    
    GPAC Configuration: --enable-sanitizer
    Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SSL GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_LINUX_DVB  GPAC_DISABLE_3D 
    
    

**crash command**

 ./MP4Box -info poc1

**crash output**

    [iso file] Unknown box type 00000200 in parent stsd
    # Movie Info - 1 track - TimeScale 1000
    Duration 00:00:10.000 (recomputed 4 Days, 14:43:47.879)
    Fragmented: no
    Major Brand mp4@ - version 0 - compatible brands: mp42 mp41 isom iso2
    Created: GMT Thu Apr 26 09:02:13 2012
    
    
    # Track 1 Info - ID 1 - TimeScale 3000
    Media Duration 00:00:10.000  (recomputed 4 Days, 14:43:47.879)
    Track flags: Enabled In Movie In Preview
    Media Info: Language "Undetermined (und)" - Type "vide:00000200" - 300 samples
    Visual Sample Entry Info: width=320 height=240 (depth=24 bits)
    Visual Track layout: x=0 y=0 width=320 height=240
    =================================================================
    ==2235126==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60f000000130 at pc 0x7ff2a69b3bc0 bp 0x7fff43da89f0 sp 0x7fff43da89e0
    READ of size 8 at 0x60f000000130 thread T0
        #0 0x7ff2a69b3bbf in gf_isom_dovi_config_get isomedia/avc_ext.c:2490
        #1 0x56165102107a in DumpTrackInfo /home/fuzz/gpac2.1/gpac/applications/mp4box/filedump.c:2862
        #2 0x56165102ea17 in DumpMovieInfo /home/fuzz/gpac2.1/gpac/applications/mp4box/filedump.c:3994
        #3 0x561651002ad0 in mp4box_main /home/fuzz/gpac2.1/gpac/applications/mp4box/mp4box.c:6367
        #4 0x7ff2a4071082 in __libc_start_main ../csu/libc-start.c:308
        #5 0x561650fd7afd in _start (/home/fuzz/gpac2.1/gpac/bin/gcc/MP4Box+0xa2afd)
    
    Address 0x60f000000130 is a wild pointer.
    SUMMARY: AddressSanitizer: heap-buffer-overflow isomedia/avc_ext.c:2490 in gf_isom_dovi_config_get
    Shadow bytes around the buggy address:
      0x0c1e7fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c1e7fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c1e7fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c1e7fff8000: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
      0x0c1e7fff8010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fa fa
    =>0x0c1e7fff8020: fa fa fa fa fa fa[fa]fa fa fa fa fa fa fa fa fa
      0x0c1e7fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c1e7fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c1e7fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c1e7fff8060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c1e7fff8070: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==2235126==ABORTING
    

**source code**

    2481 GF_DOVIDecoderConfigurationRecord *gf_isom_dovi_config_get(GF_ISOFile* the_file, u32 trackNumber, u32 DescriptionIndex)
    2482 {
    2483 	GF_TrackBox* trak;
    2484 	GF_MPEGVisualSampleEntryBox *entry;
    2485 	trak = gf_isom_get_track_from_file(the_file, trackNumber);
    2486 	if (!trak || !trak->Media || !DescriptionIndex) return NULL;
    2487 	entry = (GF_MPEGVisualSampleEntryBox*)gf_list_get(trak->Media->information->sampleTable->SampleDescription->child_boxes, DescriptionIndex - 1);
    2488	if (!entry) return NULL;
    2489 	if (entry->internal_type != GF_ISOM_SAMPLE_ENTRY_VIDEO) return NULL;
    2490 	if (!entry->dovi_config) return NULL;          /**here**/
    2491 	return DOVI_DuplicateConfig(&entry->dovi_config->DOVIConfig);
    2492 }
    
    

**sample poc:**

poc1.zip

ps: it is similar with the issue which occured in older gpac version ( #1846) . The bug was not patched . It still occured in the newest version.

CVE-2022-36191: heap-buffer-overflow in function gf_isom_dovi_config_get  · Issue #2218 · gpac/gpac

A Null Pointer dereference vulnerability exists in GPAC 2.1-DEV-revUNKNOWN-master via the function gf_filter_pid_set_property_full () at filter_core/filter_pid.c:5250,which causes a Denial of Service (DoS). This vulnerability was fixed in commit b43f9d1.

Thanks for reporting your issue. Please make sure these boxes are checked before submitting your issue - thank you!

*   I looked for a similar issue and couldn't find any.
*   I tried with the latest version of GPAC. Installers available at http://gpac.io/downloads/gpac-nightly-builds/
*   I give enough information for contributors to reproduce my issue (meaningful title, github labels, platform and compiler, command-line ...). I can share files anonymously with this dropbox: https://www.mediafire.com/filedrop/filedrop\_hosted.php?drop=eec9e058a9486fe4e99c33021481d9e1826ca9dbc242a6cfaab0fe95da5e5d95

Detailed guidelines: http://gpac.io/2013/07/16/how-to-file-a-bug-properly/

**Description:**  
\`A crash happened on MP4Box(GPAC version 2.1-DEV-revUNKNOWN-master) due to a null pointer dereference vulnerability in gf\_filter\_pid\_set\_property\_full function (filter\_core/filter\_pid.c:5250) .

\`  
**MP4Box version**

    ./MP4Box -version
    MP4Box - GPAC version 2.1-DEV-revUNKNOWN-master
    (c) 2000-2022 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
    
    Please cite our work in your research:
    	GPAC Filters: https://doi.org/10.1145/3339825.3394929
    	GPAC: https://doi.org/10.1145/1291233.1291452
    
    GPAC Configuration: --enable-sanitizer
    Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SSL GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_LINUX_DVB  GPAC_DISABLE_3D 
    

**poc**  
poc.zip

**command**  
./MP4Box -info poc

**crash output**

    [AVC|H264] Warning: Error parsing NAL unit
    filter_core/filter_pid.c:5250:6: runtime error: member access within null pointer of type 'struct GF_FilterPid'
    

**gdb output**

    pwndbg> r
    Starting program: /home/fuzz/gpac2.1/gpac/bin/gcc/MP4Box -info ../../../test/segv2/poc
    [Thread debugging using libthread_db enabled]
    Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
    [AVC|H264] Warning: Error parsing NAL unit
    filter_core/filter_pid.c:5250:6: runtime error: member access within null pointer of type 'struct GF_FilterPid'
    [Inferior 1 (process 2239153) exited with code 01]
    pwndbg> b filter_pid.c:5250
    Breakpoint 1 at 0x7ffff4b829f6: filter_pid.c:5250. (6 locations)
    pwndbg> r
    Starting program: /home/fuzz/gpac2.1/gpac/bin/gcc/MP4Box -info ../../../test/segv2/poc
    [Thread debugging using libthread_db enabled]
    Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
    
    Breakpoint 1, gf_filter_pid_set_property_full (is_info=GF_FALSE, value=0x7ffffffe9150, dyn_name=0x0, prop_name=0x0, prop_4cc=1347244884, pid=0x613000000040) at filter_core/filter_pid.c:5301
    5301		return gf_filter_pid_set_property_full(pid, prop_4cc, NULL, NULL, value, GF_FALSE);
    LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
    ────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────[ REGISTERS ]─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
     RAX  0x0
     RBX  0x7ffffffe8f50 ◂— 0x41b58ab3
     RCX  0xfffffffd22a ◂— 0x0
     RDX  0x7ffffffe9150 ◂— 0x2
     RDI  0x613000000040 ◂— 0x613000000040 /* '@' */
     RSI  0x504d5354
     R8   0x0
     R9   0x7ffff58cb4f0 (global_log_tools+496) ◂— 0x2
     R10  0x7ffff24ab3f1 ◂— 'gf_filter_pid_set_property'
     R11  0x7ffff4b84110 (gf_filter_pid_set_property) ◂— endbr64 
     R12  0x613000000040 ◂— 0x613000000040 /* '@' */
     R13  0x7ffffffe9150 ◂— 0x2
     R14  0x504d5354
     R15  0xfffffffd1ea ◂— 0x0
     RBP  0x7ffffffe9060 —▸ 0x7ffffffe9380 —▸ 0x7ffffffea0d0 —▸ 0x7ffffffea170 —▸ 0x7ffffffea280 ◂— ...
     RSP  0x7ffffffe8f30 ◂— 0x0
     RIP  0x7ffff4b841c6 (gf_filter_pid_set_property+182) ◂— test   r12, r12
    ──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────[ DISASM ]──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
     ► 0x7ffff4b841c6 <gf_filter_pid_set_property+182>    test   r12, r12
       0x7ffff4b841c9 <gf_filter_pid_set_property+185>    je     gf_filter_pid_set_property+1477                <gf_filter_pid_set_property+1477>
     
       0x7ffff4b841cf <gf_filter_pid_set_property+191>    test   r12b, 7
       0x7ffff4b841d3 <gf_filter_pid_set_property+195>    jne    gf_filter_pid_set_property+1477                <gf_filter_pid_set_property+1477>
     
       0x7ffff4b841d9 <gf_filter_pid_set_property+201>    mov    rax, r12
       0x7ffff4b841dc <gf_filter_pid_set_property+204>    shr    rax, 3
       0x7ffff4b841e0 <gf_filter_pid_set_property+208>    cmp    byte ptr [rax + 0x7fff8000], 0
       0x7ffff4b841e7 <gf_filter_pid_set_property+215>    jne    gf_filter_pid_set_property+1447                <gf_filter_pid_set_property+1447>
     
       0x7ffff4b841ed <gf_filter_pid_set_property+221>    cmp    r12, qword ptr [r12]
       0x7ffff4b841f1 <gf_filter_pid_set_property+225>    jne    gf_filter_pid_set_property+1016                <gf_filter_pid_set_property+1016>
     
       0x7ffff4b841f7 <gf_filter_pid_set_property+231>    mov    esi, r14d
    ──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────[ SOURCE (CODE) ]───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
    In file: /home/fuzz/gpac2.1/gpac/src/filter_core/filter_pid.c
       5296 
       5297 GF_EXPORT
       5298 GF_Err gf_filter_pid_set_property(GF_FilterPid *pid, u32 prop_4cc, const GF_PropertyValue *value)
       5299 {
       5300 	if (!prop_4cc) return GF_BAD_PARAM;
     ► 5301 	return gf_filter_pid_set_property_full(pid, prop_4cc, NULL, NULL, value, GF_FALSE);
       5302 }
       5303 
       5304 GF_EXPORT
       5305 GF_Err gf_filter_pid_set_property_str(GF_FilterPid *pid, const char *name, const GF_PropertyValue *value)
       5306 {
    ──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────[ STACK ]───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
    00:0000│ rsp 0x7ffffffe8f30 ◂— 0x0
    01:0008│     0x7ffffffe8f38 ◂— 0x0
    02:0010│     0x7ffffffe8f40 —▸ 0x7ffffffe9030 —▸ 0x7ffff54af2c0 ◂— 0x6372636170672e /* '.gpacrc' */
    03:0018│     0x7ffffffe8f48 —▸ 0x7ffffffe8f50 ◂— 0x41b58ab3
    04:0020│ rbx 0x7ffffffe8f50 ◂— 0x41b58ab3
    05:0028│     0x7ffffffe8f58 —▸ 0x7ffff5640eff ◂— '1 48 100 11 szName:5290'
    06:0030│     0x7ffffffe8f60 —▸ 0x7ffff4b84110 (gf_filter_pid_set_property) ◂— endbr64 
    07:0038│     0x7ffffffe8f68 —▸ 0x618000000c80 —▸ 0x7ffff6de03e0 (FileInRegister) —▸ 0x7ffff56a6580 ◂— 0x6e6966 /* 'fin' */
    ────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────[ BACKTRACE ]─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
     ► f 0   0x7ffff4b841c6 gf_filter_pid_set_property+182
       f 1   0x7ffff4b841c6 gf_filter_pid_set_property+182
       f 2   0x7ffff4c06993 gf_filter_pid_raw_new+595
       f 3   0x7ffff4dc30b1 filein_process+2721
       f 4   0x7ffff4c0eb6d gf_filter_process_task+3581
       f 5   0x7ffff4bd4953 gf_fs_thread_proc+2275
       f 6   0x7ffff4be0c67 gf_fs_run+455
       f 7   0x7ffff462a677 gf_media_import+10263
    ──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
    ──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
    pwndbg> bt
    #0  gf_filter_pid_set_property_full (is_info=GF_FALSE, value=0x7ffffffe9150, dyn_name=0x0, prop_name=0x0, prop_4cc=1347244884, pid=0x613000000040) at filter_core/filter_pid.c:5301
    #1  gf_filter_pid_set_property (pid=pid@entry=0x613000000040, prop_4cc=prop_4cc@entry=1347244884, value=0x7ffffffe9150) at filter_core/filter_pid.c:5301
    #2  0x00007ffff4c06993 in gf_filter_pid_raw_new (filter=filter@entry=0x618000000c80, url=0x603000000f40 "../../../test/segv2/poc", local_file=<optimized out>, mime_type=<optimized out>, fext=<optimized out>, probe_data=<optimized out>, probe_size=<optimized out>, trust_mime=<optimized out>, out_pid=<optimized out>) at filter_core/filter.c:3891
    #3  0x00007ffff4dc30b1 in filein_process (filter=<optimized out>) at filters/in_file.c:481
    #4  0x00007ffff4c0eb6d in gf_filter_process_task (task=0x607000000b10) at filter_core/filter.c:2639
    #5  0x00007ffff4bd4953 in gf_fs_thread_proc (sess_thread=sess_thread@entry=0x616000000110) at filter_core/filter_session.c:1857
    #6  0x00007ffff4be0c67 in gf_fs_run (fsess=fsess@entry=0x616000000080) at filter_core/filter_session.c:2118
    #7  0x00007ffff462a677 in gf_media_import (importer=importer@entry=0x7ffffffeaa50) at media_tools/media_import.c:1226
    #8  0x0000555555651a12 in convert_file_info (inName=<optimized out>, track_id=0x555555764fb0 <info_track_id>) at fileimport.c:130
    #9  0x000055555562279f in mp4box_main (argc=<optimized out>, argv=<optimized out>) at mp4box.c:6265
    #10 0x00007ffff1949083 in __libc_start_main (main=0x5555555f6a00 <main>, argc=3, argv=0x7fffffffe488, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe478) at ../csu/libc-start.c:308
    #11 0x00005555555f6afe in _start () at mp4box.c:6811
    pwndbg> p pid
    $2 = (GF_FilterPid *) 0x613000000040
    pwndbg> c
    Continuing.
    [AVC|H264] Warning: Error parsing NAL unit
    
    Breakpoint 1, gf_filter_pid_set_property_full (is_info=GF_FALSE, value=0x7ffffffe9810, dyn_name=0x0, prop_name=0x0, prop_4cc=1146050121, pid=0x0) at filter_core/filter_pid.c:5301
    5301		return gf_filter_pid_set_property_full(pid, prop_4cc, NULL, NULL, value, GF_FALSE);
    LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
    ............
    until.......
    
    pwndbg> p pid
    $3 = (GF_FilterPid *) 0x0
    pwndbg> i b
    Num     Type           Disp Enb Address            What
    1       breakpoint     keep y   <MULTIPLE>         
    	breakpoint already hit 9 times
    1.1                         y   0x00007ffff4b829f6 in gf_filter_pid_set_property_full at filter_core/filter_pid.c:5250
    1.2                         y   0x00007ffff4b8314e in gf_filter_pid_set_property_full at filter_core/filter_pid.c:5250
    1.3                         y   0x00007ffff4b834d1 in gf_filter_pid_set_property_full at filter_core/filter_pid.c:5250
    1.4                         y   0x00007ffff4b8393e in gf_filter_pid_set_property_full at filter_core/filter_pid.c:5250
    1.5                         y   0x00007ffff4b83cc1 in gf_filter_pid_set_property_full at filter_core/filter_pid.c:5250
    1.6                         y   0x00007ffff4b841c6 in gf_filter_pid_set_property_full at filter_core/filter_pid.c:5250
    pwndbg> n
    filter_core/filter_pid.c:5250:6: runtime error: member access within null pointer of type 'struct GF_FilterPid'
    [Inferior 1 (process 2239158) exited with code 01]
    
    

**source code**

    5246 static GF_Err gf_filter_pid_set_property_full(GF_FilterPid *pid, u32 prop_4cc, const char *prop_name, char *dyn_name, const GF_PropertyValue *value, Bool is_info)
    5247 {
    5248 	GF_PropertyMap *map;
    5249 	const GF_PropertyValue *oldp;
    5250	if (PID_IS_INPUT(pid)) {    //**here**//
    5251		GF_LOG(GF_LOG_ERROR, GF_LOG_FILTER, ("Attempt to write property on input PID in filter %s - ignoring\n", pid->filter->name));
    5252		return GF_BAD_PARAM;
    5253	}

CVE-2022-36186: A NULL pointer dereference in gf_filter_pid_set_property_full  · Issue #2223 · gpac/gpac

GPAC mp4box 2.1-DEV-revUNKNOWN-master has a use-after-free vulnerability in function gf_isom_dovi_config_get. This vulnerability was fixed in commit fef6242.

Thanks for reporting your issue. Please make sure these boxes are checked before submitting your issue - thank you!

*   I looked for a similar issue and couldn't find any.
*   I tried with the latest version of GPAC. Installers available at http://gpac.io/downloads/gpac-nightly-builds/
*   I give enough information for contributors to reproduce my issue (meaningful title, github labels, platform and compiler, command-line ...). I can share files anonymously with this dropbox: https://www.mediafire.com/filedrop/filedrop\_hosted.php?drop=eec9e058a9486fe4e99c33021481d9e1826ca9dbc242a6cfaab0fe95da5e5d95

Detailed guidelines: http://gpac.io/2013/07/16/how-to-file-a-bug-properly/

**Description**

Heap use after free in fuction gf_isom_dovi_config_get located in isomedia/avc_ext.c:2490

**System info**

ubuntu 20.04 lts

**version info:**

     ./MP4Box -version
    MP4Box - GPAC version 2.1-DEV-revUNKNOWN-master
    (c) 2000-2022 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
    
    Please cite our work in your research:
    	GPAC Filters: https://doi.org/10.1145/3339825.3394929
    	GPAC: https://doi.org/10.1145/1291233.1291452
    
    GPAC Configuration: --enable-sanitizer
    Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SSL GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_LINUX_DVB  GPAC_DISABLE_3D 
    

**compile**

    ./configure --enable-sanitizer 
    make
    

**crash command:**  
./MP4Box -info  poc

**poc :**  
poc.zip

**Crash output:**

    
    [iso file] Unknown box type mp4u in parent stsd
    [iso file] extra box maxr found in hinf, deleting
    [iso file] extra box maxr found in hinf, deleting
    [iso file] Unknown box type 80rak in parent moov
    [iso file] Unknown box type drzf in parent dinf
    [iso file] Missing dref box in dinf
    [iso file] Incomplete box mdat - start 11495 size 853076
    [iso file] Incomplete file while reading for dump - aborting parsing
    # Movie Info - 5 tracks - TimeScale 90000
    Duration 00:00:22.839 (recomputed 00:00:22.848)
    Fragmented: no
    Progressive (moov before mdat)
    Major Brand isom - version 1 - compatible brands:
    Created: GMT Wed Sep 14 06:08:31 2078
    Modified: GMT Wed Sep 14 06:08:33 2078
    
    File has root IOD (96 bytes)
    Scene PL 0xff - Graphics PL 0xff - OD PL 0xff
    Visual PL: Simple Profile @ Level 1 (0x01)
    Audio PL: High Quality Audio Profile @ Level 2 (0x0f)
    1 UDTA types: 
    	hnti: 
    
    # Track 1 Info - ID 1 - TimeScale 90000
    Media Duration 00:00:22.800 
    Track flags: Enabled
    Media Info: Language "Undetermined (und)" - Type "vide:mp4u" - 342 samples
    Visual Sample Entry Info: width=176 height=144 (depth=24 bits)
    Visual Track layout: x=0 y=0 width=176 height=144
    =================================================================
    ==2234976==ERROR: AddressSanitizer: heap-use-after-free on address 0x60f000000130 at pc 0x7fbba822fbc0 bp 0x7ffe87b46740 sp 0x7ffe87b46730
    READ of size 8 at 0x60f000000130 thread T0
        #0 0x7fbba822fbbf in gf_isom_dovi_config_get isomedia/avc_ext.c:2490
        #1 0x55f3db03107a in DumpTrackInfo /home/fuzz/gpac2.1/gpac/applications/mp4box/filedump.c:2862
        #2 0x55f3db03ea17 in DumpMovieInfo /home/fuzz/gpac2.1/gpac/applications/mp4box/filedump.c:3994
        #3 0x55f3db012ad0 in mp4box_main /home/fuzz/gpac2.1/gpac/applications/mp4box/mp4box.c:6367
        #4 0x7fbba58ed082 in __libc_start_main ../csu/libc-start.c:308
        #5 0x55f3dafe7afd in _start (/home/fuzz/gpac2.1/gpac/bin/gcc/MP4Box+0xa2afd)
    
    0x60f000000130 is located 0 bytes inside of 168-byte region [0x60f000000130,0x60f0000001d8)
    freed by thread T0 here:
        #0 0x7fbbab63440f in __interceptor_free ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:122
        #1 0x7fbba825252d in unkn_box_read isomedia/box_code_base.c:793
        #2 0x7fbba83015e3 in gf_isom_box_read isomedia/box_funcs.c:1860
        #3 0x7fbba83015e3 in gf_isom_box_parse_ex isomedia/box_funcs.c:271
        #4 0x7fbba830615a in gf_isom_box_array_read isomedia/box_funcs.c:1753
        #5 0x7fbba82524fb in unkn_box_read isomedia/box_code_base.c:789
        #6 0x7fbba83015e3 in gf_isom_box_read isomedia/box_funcs.c:1860
        #7 0x7fbba83015e3 in gf_isom_box_parse_ex isomedia/box_funcs.c:271
        #8 0x7fbba830615a in gf_isom_box_array_read isomedia/box_funcs.c:1753
        #9 0x7fbba82524fb in unkn_box_read isomedia/box_code_base.c:789
        #10 0x7fbba83015e3 in gf_isom_box_read isomedia/box_funcs.c:1860
        #11 0x7fbba83015e3 in gf_isom_box_parse_ex isomedia/box_funcs.c:271
        #12 0x7fbba830615a in gf_isom_box_array_read isomedia/box_funcs.c:1753
        #13 0x7fbba82524fb in unkn_box_read isomedia/box_code_base.c:789
        #14 0x7fbba83015e3 in gf_isom_box_read isomedia/box_funcs.c:1860
        #15 0x7fbba83015e3 in gf_isom_box_parse_ex isomedia/box_funcs.c:271
        #16 0x7fbba830615a in gf_isom_box_array_read isomedia/box_funcs.c:1753
        #17 0x7fbba83015e3 in gf_isom_box_read isomedia/box_funcs.c:1860
        #18 0x7fbba83015e3 in gf_isom_box_parse_ex isomedia/box_funcs.c:271
        #19 0x7fbba8302a35 in gf_isom_parse_root_box isomedia/box_funcs.c:38
        #20 0x7fbba832babc in gf_isom_parse_movie_boxes_internal isomedia/isom_intern.c:373
        #21 0x7fbba8331c2f in gf_isom_parse_movie_boxes isomedia/isom_intern.c:860
        #22 0x7fbba8331c2f in gf_isom_open_file isomedia/isom_intern.c:980
        #23 0x55f3db00c549 in mp4box_main /home/fuzz/gpac2.1/gpac/applications/mp4box/mp4box.c:6181
        #24 0x7fbba58ed082 in __libc_start_main ../csu/libc-start.c:308
    
    previously allocated by thread T0 here:
        #0 0x7fbbab634808 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:144
        #1 0x7fbba82521ef in unkn_box_read isomedia/box_code_base.c:768
        #2 0x7fbba83015e3 in gf_isom_box_read isomedia/box_funcs.c:1860
        #3 0x7fbba83015e3 in gf_isom_box_parse_ex isomedia/box_funcs.c:271
        #4 0x7fbba830615a in gf_isom_box_array_read isomedia/box_funcs.c:1753
        #5 0x7fbba82524fb in unkn_box_read isomedia/box_code_base.c:789
        #6 0x7fbba83015e3 in gf_isom_box_read isomedia/box_funcs.c:1860
        #7 0x7fbba83015e3 in gf_isom_box_parse_ex isomedia/box_funcs.c:271
        #8 0x7fbba830615a in gf_isom_box_array_read isomedia/box_funcs.c:1753
        #9 0x7fbba82524fb in unkn_box_read isomedia/box_code_base.c:789
        #10 0x7fbba83015e3 in gf_isom_box_read isomedia/box_funcs.c:1860
        #11 0x7fbba83015e3 in gf_isom_box_parse_ex isomedia/box_funcs.c:271
        #12 0x7fbba830615a in gf_isom_box_array_read isomedia/box_funcs.c:1753
        #13 0x7fbba82524fb in unkn_box_read isomedia/box_code_base.c:789
        #14 0x7fbba83015e3 in gf_isom_box_read isomedia/box_funcs.c:1860
        #15 0x7fbba83015e3 in gf_isom_box_parse_ex isomedia/box_funcs.c:271
        #16 0x7fbba830615a in gf_isom_box_array_read isomedia/box_funcs.c:1753
        #17 0x7fbba83015e3 in gf_isom_box_read isomedia/box_funcs.c:1860
        #18 0x7fbba83015e3 in gf_isom_box_parse_ex isomedia/box_funcs.c:271
        #19 0x7fbba8302a35 in gf_isom_parse_root_box isomedia/box_funcs.c:38
        #20 0x7fbba832babc in gf_isom_parse_movie_boxes_internal isomedia/isom_intern.c:373
        #21 0x7fbba8331c2f in gf_isom_parse_movie_boxes isomedia/isom_intern.c:860
        #22 0x7fbba8331c2f in gf_isom_open_file isomedia/isom_intern.c:980
        #23 0x55f3db00c549 in mp4box_main /home/fuzz/gpac2.1/gpac/applications/mp4box/mp4box.c:6181
        #24 0x7fbba58ed082 in __libc_start_main ../csu/libc-start.c:308
    
    SUMMARY: AddressSanitizer: heap-use-after-free isomedia/avc_ext.c:2490 in gf_isom_dovi_config_get
    Shadow bytes around the buggy address:
      0x0c1e7fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c1e7fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c1e7fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c1e7fff8000: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
      0x0c1e7fff8010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fa fa
    =>0x0c1e7fff8020: fa fa fa fa fa fa[fd]fd fd fd fd fd fd fd fd fd
      0x0c1e7fff8030: fd fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa
      0x0c1e7fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c1e7fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c1e7fff8060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c1e7fff8070: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==2234976==ABORTING
    
    

**Impact**

can cause a program to crash, use unexpected values, or execute code.

Occurrences:  
avc\_ext.c:2490

ps: this test was still based on the newest mp4box+asan. The bug happened in avc\_ext.c:2490 which was the same location with the other issue i submitted (#2218). Maybe asan mistakenly reports "heap-use-after-free" instead of "heap-buffer-overflow". Pls check it again.

CVE-2022-36190: Heap Use After Free in function gf_isom_dovi_config_get  · Issue #2220 · gpac/gpac

tifig v0.2.2 was discovered to contain a memory leak via operator new[](unsigned long) at /asan/asan_new_delete.cpp.

**crash sample**

id0\_memory\_leakF9.zip

**command to reproduce**

../tifig -v -p [crash sample] /dev/null

**crash detail**

    ==74044==ERROR: LeakSanitizer: detected memory leaks
    
    Direct leak of 10 byte(s) in 1 object(s) allocated from:
        #0 0x4fab78 in operator new[](unsigned long) /home/bupt/Desktop/tools/llvm-12.0.1/llvm/projects/compiler-rt/lib/asan/asan_new_delete.cpp:102
        #1 0x4fe324 in sanityCheck(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /home/bupt/Desktop/tifig/src/main.cpp:19:19
        #2 0x4fe810 in convert(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, Opts&) /home/bupt/Desktop/tifig/src/main.cpp:46:5
        #3 0x518b1a in main /home/bupt/Desktop/tifig/src/main.cpp:179:22
        #4 0x7fbe4f6c3c86 in __libc_start_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310
    
    SUMMARY: AddressSanitizer: 10 byte(s) leaked in 1 allocation(s).
    
    

\### crash sample

id27\_memory\_leak\_F7.zip

**command to reproduce**

../tifig -v -p [crash sample] /dev/null

**crash detail**

    ==74125==ERROR: LeakSanitizer: detected memory leaks
    
    Direct leak of 17301504 byte(s) in 22 object(s) allocated from:
        #0 0x4b4e50 in malloc /home/bupt/Desktop/tools/llvm-12.0.1/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cpp:145
        #1 0x501db8 in decodeFrame(std::vector<unsigned char, std::allocator<unsigned char> >) /home/bupt/Desktop/tifig/src/hevc_decode.hpp:107:31
    
    Direct leak of 1145232 byte(s) in 88 object(s) allocated from:
        #0 0x4b5a9d in posix_memalign /home/bupt/Desktop/tools/llvm-12.0.1/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cpp:226
        #1 0x7f1462f396d2 in av_malloc (/usr/lib/x86_64-linux-gnu/libavutil.so.55+0x316d2)
    
    Direct leak of 5632 byte(s) in 22 object(s) allocated from:
        #0 0x4fab78 in operator new[](unsigned long) /home/bupt/Desktop/tools/llvm-12.0.1/llvm/projects/compiler-rt/lib/asan/asan_new_delete.cpp:102
        #1 0x501d15 in decodeFrame(std::vector<unsigned char, std::allocator<unsigned char> >) /home/bupt/Desktop/tifig/src/hevc_decode.hpp:87:30
    
    Direct leak of 1936 byte(s) in 22 object(s) allocated from:
        #0 0x4b5a9d in posix_memalign /home/bupt/Desktop/tools/llvm-12.0.1/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cpp:226
        #1 0x7f1462f396d2 in av_malloc (/usr/lib/x86_64-linux-gnu/libavutil.so.55+0x316d2)
        #2 0x5b8b48 in std::_Function_handler<std::unique_ptr<std::__future_base::_Result_base, std::__future_base::_Result_base::_Deleter> (), std::__future_base::_Task_setter<std::unique_ptr<std::__future_base::_Result<RgbData>, std::__future_base::_Result_base::_Deleter>, std::thread::_Invoker<std::tuple<RgbData (*)(std::vector<unsigned char, std::allocator<unsigned char> >), std::vector<unsigned char, std::allocator<unsigned char> > > >, RgbData> >::_M_invoke(std::_Any_data const&) /usr/lib/gcc/x86_64-linux-gnu/7.5.0/../../../../include/c++/7.5.0/bits/std_function.h:301:9
        #3 0x5b86b5 in std::function<std::unique_ptr<std::__future_base::_Result_base, std::__future_base::_Result_base::_Deleter> ()>::operator()() const /usr/lib/gcc/x86_64-linux-gnu/7.5.0/../../../../include/c++/7.5.0/bits/std_function.h:706:14
        #4 0x5b86b5 in std::__future_base::_State_baseV2::_M_do_set(std::function<std::unique_ptr<std::__future_base::_Result_base, std::__future_base::_Result_base::_Deleter> ()>*, bool*) /usr/lib/gcc/x86_64-linux-gnu/7.5.0/../../../../include/c++/7.5.0/future:561:27
        #5 0x7f14648c6906 in __pthread_once_slow /build/glibc-CVJwZb/glibc-2.27/nptl/pthread_once.c:116
    
    Direct leak of 10 byte(s) in 1 object(s) allocated from:
        #0 0x4fab78 in operator new[](unsigned long) /home/bupt/Desktop/tools/llvm-12.0.1/llvm/projects/compiler-rt/lib/asan/asan_new_delete.cpp:102
        #1 0x4fe324 in sanityCheck(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /home/bupt/Desktop/tifig/src/main.cpp:19:19
        #2 0x4fe810 in convert(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, Opts&) /home/bupt/Desktop/tifig/src/main.cpp:46:5
        #3 0x518b1a in main /home/bupt/Desktop/tifig/src/main.cpp:179:22
        #4 0x7f1460d4cc86 in __libc_start_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310
    
    Indirect leak of 9347778 byte(s) in 572 object(s) allocated from:
        #0 0x4b5a9d in posix_memalign /home/bupt/Desktop/tools/llvm-12.0.1/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cpp:226
        #1 0x7f1462f396d2 in av_malloc (/usr/lib/x86_64-linux-gnu/libavutil.so.55+0x316d2)
    
    SUMMARY: AddressSanitizer: 27802092 byte(s) leaked in 727 allocation(s).

CVE-2022-36152: Issues in this repor about memory leak · Issue #72 · monostream/tifig

tifig v0.2.2 was discovered to contain a segmentation violation via std::vector<unsigned int, std::allocator<unsigned int> >::size() const at /bits/stl_vector.h.

    AddressSanitizer:DEADLYSIGNAL
    =================================================================
    ==74081==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000040 (pc 0x0000006c2382 bp 0x000000000038 sp 0x7ffe63ff83a0 T0)
    ==74081==The signal is caused by a READ memory access.
    ==74081==Hint: address points to the zero page.
        #0 0x6c2382 in std::vector<unsigned int, std::allocator<unsigned int> >::size() const /usr/lib/gcc/x86_64-linux-gnu/7.5.0/../../../../include/c++/7.5.0/bits/stl_vector.h
        #1 0x6c2382 in std::vector<unsigned int, std::allocator<unsigned int> >::vector(std::vector<unsigned int, std::allocator<unsigned int> > const&) /usr/lib/gcc/x86_64-linux-gnu/7.5.0/../../../../include/c++/7.5.0/bits/stl_vector.h:327:19
        #2 0x6c2382 in SingleItemTypeReferenceBox::getToItemIds() const /home/bupt/Desktop/tifig/lib/heif/Srcs/common/itemreferencebox.cpp:84:12
        #3 0x5efc25 in HevcImageFileReader::readItem(MetaBox const&, unsigned int, std::vector<unsigned char, std::allocator<unsigned char> >&) const /home/bupt/Desktop/tifig/lib/heif/Srcs/reader/hevcimagefilereader.cpp:2028:47
        #4 0x5ee016 in HevcImageFileReader::getItemData(unsigned int, unsigned int, std::vector<unsigned char, std::allocator<unsigned char> >&) /home/bupt/Desktop/tifig/lib/heif/Srcs/reader/hevcimagefilereader.cpp:475:13
        #5 0x5fd6b3 in HevcImageFileReader::getItemDataWithDecoderParameters(unsigned int, unsigned int, unsigned int, std::vector<unsigned char, std::allocator<unsigned char> >&) /home/bupt/Desktop/tifig/lib/heif/Srcs/reader/hevcimagefilereader.cpp:770:5
        #6 0x5075ca in getImage(HevcImageFileReader&, unsigned int, unsigned int, Opts&) /home/bupt/Desktop/tifig/src/loader.hpp:65:16
        #7 0x4feaf9 in convert(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, Opts&) /home/bupt/Desktop/tifig/src/main.cpp:79:17
        #8 0x518b1a in main /home/bupt/Desktop/tifig/src/main.cpp:179:22
        #9 0x7f3180c46c86 in __libc_start_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310
        #10 0x422889 in _start (/home/bupt/Desktop/tifig/build/tifig+0x422889)
    
    AddressSanitizer can not provide additional info.
    SUMMARY: AddressSanitizer: SEGV /usr/lib/gcc/x86_64-linux-gnu/7.5.0/../../../../include/c++/7.5.0/bits/stl_vector.h in std::vector<unsigned int, std::allocator<unsigned int> >::size() const
    ==74081==ABORTING

CVE-2022-36153: SEGV in this repo · Issue #71 · monostream/tifig

tifig v0.2.2 was discovered to contain a resource allocation issue via operator new(unsigned long) at asan_new_delete.cpp.

**carsh sample**

id41\_allocation\_too\_big.zip

**command to reproduce**

../tifig -v -p [crash sample ] /dev/null

**crash detail**

    ==74167==ERROR: AddressSanitizer: requested allocation size 0xffffffffffffffff (0x800 after adjustments for alignment, red zones etc.) exceeds maximum supported size of 0x10000000000 (thread T0)
    [hevc @ 0x61a000000080] PPS id out of range: 0
    [hevc @ 0x61a000000080] Error parsing NAL unit #0.
    Error sending packet to HEVC decoder: Invalid data found when processing input
        #0 0x4faa18 in operator new(unsigned long) /home/bupt/Desktop/tools/llvm-12.0.1/llvm/projects/compiler-rt/lib/asan/asan_new_delete.cpp:99
        #1 0x5b3b01 in __gnu_cxx::new_allocator<unsigned char>::allocate(unsigned long, void const*) /usr/lib/gcc/x86_64-linux-gnu/7.5.0/../../../../include/c++/7.5.0/ext/new_allocator.h:111:27
        #2 0x5b3b01 in std::allocator_traits<std::allocator<unsigned char> >::allocate(std::allocator<unsigned char>&, unsigned long) /usr/lib/gcc/x86_64-linux-gnu/7.5.0/../../../../include/c++/7.5.0/bits/alloc_traits.h:436:20
        #3 0x5b3b01 in std::_Vector_base<unsigned char, std::allocator<unsigned char> >::_M_allocate(unsigned long) /usr/lib/gcc/x86_64-linux-gnu/7.5.0/../../../../include/c++/7.5.0/bits/stl_vector.h:172:20
        #4 0x5b3b01 in void std::vector<unsigned char, std::allocator<unsigned char> >::_M_range_insert<__gnu_cxx::__normal_iterator<unsigned char*, std::vector<unsigned char, std::allocator<unsigned char> > > >(__gnu_cxx::__normal_iterator<unsigned char*, std::vector<unsigned char, std::allocator<unsigned char> > >, __gnu_cxx::__normal_iterator<unsigned char*, std::vector<unsigned char, std::allocator<unsigned char> > >, __gnu_cxx::__normal_iterator<unsigned char*, std::vector<unsigned char, std::allocator<unsigned char> > >, std::forward_iterator_tag) /usr/lib/gcc/x86_64-linux-gnu/7.5.0/../../../../include/c++/7.5.0/bits/vector.tcc:673:29
    
    ==74167==HINT: if you don't care about these errors you may set allocator_may_return_null=1
    SUMMARY: AddressSanitizer: allocation-size-too-big /home/bupt/Desktop/tools/llvm-12.0.1/llvm/projects/compiler-rt/lib/asan/asan_new_delete.cpp:99 in operator new(unsigned long)
    ==74167==ABORTING

CVE-2022-36155: Issue about resources allocate · Issue #73 · monostream/tifig

tifig v0.2.2 was discovered to contain a heap-buffer overflow via __asan_memmove at /asan/asan_interceptors_memintrinsics.cpp.

Hi, by testing this repo, i found something unusual.

**crash sample**

id0\_heap\_buffer\_overflow\_in \_\_asan\_memmove.zip

**command to reproduce**

./tifig -p -v [sample file] /dev/null

**crash detail**

    ==29736==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6110000d4687 at pc 0x0000004b4535 bp 0x7ffc7c0154e0 sp 0x7ffc7c014c90
    READ of size 2891617427 at 0x6110000d4687 thread T0
        #0 0x4b4534 in __asan_memmove /home/bupt/Desktop/tools/llvm-12.0.1/llvm/projects/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cpp:30
        #1 0x5b3d50 in unsigned char* std::__copy_move<false, true, std::random_access_iterator_tag>::__copy_m<unsigned char>(unsigned char const*, unsigned char const*, unsigned char*) /usr/lib/gcc/x86_64-linux-gnu/7.5.0/../../../../include/c++/7.5.0/bits/stl_algobase.h:368:6
        #2 0x5b3d50 in unsigned char* std::__copy_move_a<false, unsigned char*, unsigned char*>(unsigned char*, unsigned char*, unsigned char*) /usr/lib/gcc/x86_64-linux-gnu/7.5.0/../../../../include/c++/7.5.0/bits/stl_algobase.h:385:14
        #3 0x5b3d50 in unsigned char* std::__copy_move_a2<false, __gnu_cxx::__normal_iterator<unsigned char*, std::vector<unsigned char, std::allocator<unsigned char> > >, unsigned char*>(__gnu_cxx::__normal_iterator<unsigned char*, std::vector<unsigned char, std::allocator<unsigned char> > >, __gnu_cxx::__normal_iterator<unsigned char*, std::vector<unsigned char, std::allocator<unsigned char> > >, unsigned char*) /usr/lib/gcc/x86_64-linux-gnu/7.5.0/../../../../include/c++/7.5.0/bits/stl_algobase.h:422:18
        #4 0x5b3d50 in unsigned char* std::copy<__gnu_cxx::__normal_iterator<unsigned char*, std::vector<unsigned char, std::allocator<unsigned char> > >, unsigned char*>(__gnu_cxx::__normal_iterator<unsigned char*, std::vector<unsigned char, std::allocator<unsigned char> > >, __gnu_cxx::__normal_iterator<unsigned char*, std::vector<unsigned char, std::allocator<unsigned char> > >, unsigned char*) /usr/lib/gcc/x86_64-linux-gnu/7.5.0/../../../../include/c++/7.5.0/bits/stl_algobase.h:454:15
        #5 0x5b3d50 in unsigned char* std::__uninitialized_copy<true>::__uninit_copy<__gnu_cxx::__normal_iterator<unsigned char*, std::vector<unsigned char, std::allocator<unsigned char> > >, unsigned char*>(__gnu_cxx::__normal_iterator<unsigned char*, std::vector<unsigned char, std::allocator<unsigned char> > >, __gnu_cxx::__normal_iterator<unsigned char*, std::vector<unsigned char, std::allocator<unsigned char> > >, unsigned char*) /usr/lib/gcc/x86_64-linux-gnu/7.5.0/../../../../include/c++/7.5.0/bits/stl_uninitialized.h:101:18
        #6 0x5b3d50 in unsigned char* std::uninitialized_copy<__gnu_cxx::__normal_iterator<unsigned char*, std::vector<unsigned char, std::allocator<unsigned char> > >, unsigned char*>(__gnu_cxx::__normal_iterator<unsigned char*, std::vector<unsigned char, std::allocator<unsigned char> > >, __gnu_cxx::__normal_iterator<unsigned char*, std::vector<unsigned char, std::allocator<unsigned char> > >, unsigned char*) /usr/lib/gcc/x86_64-linux-gnu/7.5.0/../../../../include/c++/7.5.0/bits/stl_uninitialized.h:131:14
        #7 0x5b3d50 in unsigned char* std::__uninitialized_copy_a<__gnu_cxx::__normal_iterator<unsigned char*, std::vector<unsigned char, std::allocator<unsigned char> > >, unsigned char*, unsigned char>(__gnu_cxx::__normal_iterator<unsigned char*, std::vector<unsigned char, std::allocator<unsigned char> > >, __gnu_cxx::__normal_iterator<unsigned char*, std::vector<unsigned char, std::allocator<unsigned char> > >, unsigned char*, std::allocator<unsigned char>&) /usr/lib/gcc/x86_64-linux-gnu/7.5.0/../../../../include/c++/7.5.0/bits/stl_uninitialized.h:289:14
        #8 0x5b3d50 in void std::vector<unsigned char, std::allocator<unsigned char> >::_M_range_insert<__gnu_cxx::__normal_iterator<unsigned char*, std::vector<unsigned char, std::allocator<unsigned char> > > >(__gnu_cxx::__normal_iterator<unsigned char*, std::vector<unsigned char, std::allocator<unsigned char> > >, __gnu_cxx::__normal_iterator<unsigned char*, std::vector<unsigned char, std::allocator<unsigned char> > >, __gnu_cxx::__normal_iterator<unsigned char*, std::vector<unsigned char, std::allocator<unsigned char> > >, std::forward_iterator_tag) /usr/lib/gcc/x86_64-linux-gnu/7.5.0/../../../../include/c++/7.5.0/bits/vector.tcc:682:11
        #9 0x67e24d in void std::vector<unsigned char, std::allocator<unsigned char> >::_M_insert_dispatch<__gnu_cxx::__normal_iterator<unsigned char*, std::vector<unsigned char, std::allocator<unsigned char> > > >(__gnu_cxx::__normal_iterator<unsigned char*, std::vector<unsigned char, std::allocator<unsigned char> > >, __gnu_cxx::__normal_iterator<unsigned char*, std::vector<unsigned char, std::allocator<unsigned char> > >, __gnu_cxx::__normal_iterator<unsigned char*, std::vector<unsigned char, std::allocator<unsigned char> > >, std::__false_type) /usr/lib/gcc/x86_64-linux-gnu/7.5.0/../../../../include/c++/7.5.0/bits/stl_vector.h:1411:4
        #10 0x67e24d in __gnu_cxx::__normal_iterator<unsigned char*, std::vector<unsigned char, std::allocator<unsigned char> > > std::vector<unsigned char, std::allocator<unsigned char> >::insert<__gnu_cxx::__normal_iterator<unsigned char*, std::vector<unsigned char, std::allocator<unsigned char> > >, void>(__gnu_cxx::__normal_iterator<unsigned char const*, std::vector<unsigned char, std::allocator<unsigned char> > >, __gnu_cxx::__normal_iterator<unsigned char*, std::vector<unsigned char, std::allocator<unsigned char> > >, __gnu_cxx::__normal_iterator<unsigned char*, std::vector<unsigned char, std::allocator<unsigned char> > >) /usr/lib/gcc/x86_64-linux-gnu/7.5.0/../../../../include/c++/7.5.0/bits/stl_vector.h:1132:4
        #11 0x67e24d in BitStream::read8BitsArray(std::vector<unsigned char, std::allocator<unsigned char> >&, unsigned int) /home/bupt/Desktop/tifig/lib/heif/Srcs/common/bitstream.cpp:269:10
        #12 0x5f4b66 in HevcImageFileReader::getHevcItemData(std::vector<unsigned char, std::allocator<unsigned char> > const&, std::vector<unsigned char, std::allocator<unsigned char> >&) /home/bupt/Desktop/tifig/lib/heif/Srcs/reader/hevcimagefilereader.cpp:1584:19
        #13 0x5ee77b in HevcImageFileReader::getItemData(unsigned int, unsigned int, std::vector<unsigned char, std::allocator<unsigned char> >&) /home/bupt/Desktop/tifig/lib/heif/Srcs/reader/hevcimagefilereader.cpp:508:13
        #14 0x5fd6b3 in HevcImageFileReader::getItemDataWithDecoderParameters(unsigned int, unsigned int, unsigned int, std::vector<unsigned char, std::allocator<unsigned char> >&) /home/bupt/Desktop/tifig/lib/heif/Srcs/reader/hevcimagefilereader.cpp:770:5
        #15 0x5075ca in getImage(HevcImageFileReader&, unsigned int, unsigned int, Opts&) /home/bupt/Desktop/tifig/src/loader.hpp:65:16
        #16 0x4feaf9 in convert(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, Opts&) /home/bupt/Desktop/tifig/src/main.cpp:79:17
        #17 0x518b1a in main /home/bupt/Desktop/tifig/src/main.cpp:179:22
        #18 0x7fd207d3ac86 in __libc_start_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310
        #19 0x422889 in _start (/home/bupt/Desktop/tifig/build/tifig+0x422889)
    
    0x6110000d4687 is located 0 bytes to the right of 199-byte region [0x6110000d45c0,0x6110000d4687)
    allocated by thread T0 here:
        #0 0x4faa18 in operator new(unsigned long) /home/bupt/Desktop/tools/llvm-12.0.1/llvm/projects/compiler-rt/lib/asan/asan_new_delete.cpp:99
        #1 0x678295 in __gnu_cxx::new_allocator<unsigned char>::allocate(unsigned long, void const*) /usr/lib/gcc/x86_64-linux-gnu/7.5.0/../../../../include/c++/7.5.0/ext/new_allocator.h:111:27
        #2 0x678295 in std::allocator_traits<std::allocator<unsigned char> >::allocate(std::allocator<unsigned char>&, unsigned long) /usr/lib/gcc/x86_64-linux-gnu/7.5.0/../../../../include/c++/7.5.0/bits/alloc_traits.h:436:20
        #3 0x678295 in std::_Vector_base<unsigned char, std::allocator<unsigned char> >::_M_allocate(unsigned long) /usr/lib/gcc/x86_64-linux-gnu/7.5.0/../../../../include/c++/7.5.0/bits/stl_vector.h:172:20
        #4 0x678295 in std::_Vector_base<unsigned char, std::allocator<unsigned char> >::_M_create_storage(unsigned long) /usr/lib/gcc/x86_64-linux-gnu/7.5.0/../../../../include/c++/7.5.0/bits/stl_vector.h:187:33
        #5 0x678295 in std::_Vector_base<unsigned char, std::allocator<unsigned char> >::_Vector_base(unsigned long, std::allocator<unsigned char> const&) /usr/lib/gcc/x86_64-linux-gnu/7.5.0/../../../../include/c++/7.5.0/bits/stl_vector.h:138:9
        #6 0x678295 in std::vector<unsigned char, std::allocator<unsigned char> >::vector(std::vector<unsigned char, std::allocator<unsigned char> > const&) /usr/lib/gcc/x86_64-linux-gnu/7.5.0/../../../../include/c++/7.5.0/bits/stl_vector.h:327:9
        #7 0x678295 in BitStream::BitStream(std::vector<unsigned char, std::allocator<unsigned char> > const&) /home/bupt/Desktop/tifig/lib/heif/Srcs/common/bitstream.cpp:28:5
        #8 0x6110000d4546  (<unknown module>)
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow /home/bupt/Desktop/tools/llvm-12.0.1/llvm/projects/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cpp:30 in __asan_memmove
    Shadow bytes around the buggy address:
      0x0c2280012880: fd fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c2280012890: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c22800128a0: 00 00 00 00 00 00 00 00 07 fa fa fa fa fa fa fa
      0x0c22800128b0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
      0x0c22800128c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    =>0x0c22800128d0:[07]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c22800128e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c22800128f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c2280012900: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c2280012910: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c2280012920: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==29736==ABORTING

CVE-2022-36150: Heap buffer overflow  · Issue #68 · monostream/tifig

tifig v0.2.2 was discovered to contain a heap-use-after-free via temInfoEntry().

    ==53276==ERROR: AddressSanitizer: heap-use-after-free on address 0x60c000000ac0 at pc 0x0000006a7b1c bp 0x7fff8406b050 sp 0x7fff8406b048
    READ of size 8 at 0x60c000000ac0 thread T0
        #0 0x6a7b1b in ItemInfoEntry::~ItemInfoEntry() /home/bupt/Desktop/tifig/lib/heif/Srcs/common/iteminfobox.cpp:170:5
        #1 0x6a6899 in std::pair<unsigned int, ItemInfoEntry>::~pair() /usr/lib/gcc/x86_64-linux-gnu/7.5.0/../../../../include/c++/7.5.0/bits/stl_pair.h:208:12
        #2 0x6a6899 in ItemInfoBox::addItemInfoEntry(ItemInfoEntry const&) /home/bupt/Desktop/tifig/lib/heif/Srcs/common/iteminfobox.cpp:47:5
        #3 0x6a6899 in ItemInfoBox::parseBox(BitStream&) /home/bupt/Desktop/tifig/lib/heif/Srcs/common/iteminfobox.cpp:109:9
        #4 0x6d3eb1 in MetaBox::parseBox(BitStream&) /home/bupt/Desktop/tifig/lib/heif/Srcs/common/metabox.cpp:242:26
        #5 0x5dbc4e in HevcImageFileReader::readStream() /home/bupt/Desktop/tifig/lib/heif/Srcs/reader/hevcimagefilereader.cpp:1119:21
        #6 0x5cc52f in HevcImageFileReader::initialize(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /home/bupt/Desktop/tifig/lib/heif/Srcs/reader/hevcimagefilereader.cpp:65:5
        #7 0x4fe834 in convert(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, Opts&) /home/bupt/Desktop/tifig/src/main.cpp:49:12
        #8 0x518b1a in main /home/bupt/Desktop/tifig/src/main.cpp:179:22
        #9 0x7ff5564e3c86 in __libc_start_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310
        #10 0x422889 in _start (/home/bupt/Desktop/tifig/build/tifig+0x422889)
    
    0x60c000000ac0 is located 0 bytes inside of 120-byte region [0x60c000000ac0,0x60c000000b38)
    freed by thread T0 here:
        #0 0x4fb410 in operator delete(void*) /home/bupt/Desktop/tools/llvm-12.0.1/llvm/projects/compiler-rt/lib/asan/asan_new_delete.cpp:160
        #1 0x6a781a in ItemInfoEntry::~ItemInfoEntry() /home/bupt/Desktop/tifig/lib/heif/Srcs/common/iteminfobox.cpp:170:5
    
    previously allocated by thread T0 here:
        #0 0x4faa18 in operator new(unsigned long) /home/bupt/Desktop/tools/llvm-12.0.1/llvm/projects/compiler-rt/lib/asan/asan_new_delete.cpp:99
        #1 0x6a6d99 in ItemInfoEntry::parseBox(BitStream&) /home/bupt/Desktop/tifig/lib/heif/Srcs/common/iteminfobox.cpp:339:48
    
    SUMMARY: AddressSanitizer: heap-use-after-free /home/bupt/Desktop/tifig/lib/heif/Srcs/common/iteminfobox.cpp:170:5 in ItemInfoEntry::~ItemInfoEntry()
    Shadow bytes around the buggy address:
      0x0c187fff8100: fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa fa
      0x0c187fff8110: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c187fff8120: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
      0x0c187fff8130: 00 00 00 00 00 00 00 00 fa fa fa fa fa fa fa fa
      0x0c187fff8140: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa
    =>0x0c187fff8150: fa fa fa fa fa fa fa fa[fd]fd fd fd fd fd fd fd
      0x0c187fff8160: fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa fa
      0x0c187fff8170: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c187fff8180: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c187fff8190: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c187fff81a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==53276==ABORTING

CVE-2022-36149: heap-use-after-free in ~ItemInfoEntry() · Issue #70 · monostream/tifig

SWFTools commit 772e55a2 was discovered to contain a segmentation violation via gfxline_getbbox at /lib/gfxtools.c.

Tag

#c++