Bug 1629453

Summary:	Invalid free in MP4Free()
Product:	[Fedora] Fedora	Reporter:	Ace Team - Loginsoft <researchteam>
Component:	libmp4v2	Assignee:	David King <amigadave>
Status:	CLOSED EOL	QA Contact:	Fedora Extras Quality Assurance <extras-qa>
Severity:	low	Docs Contact:
Priority:	unspecified
Version:	29	CC:	amigadave, carnil, dominik, matthias, moez.roy, sergio
Target Milestone:	---
Target Release:	---
Hardware:	x86_64
OS:	Linux
Whiteboard:
Fixed In Version:		Doc Type:	If docs needed, set a value
Doc Text:		Story Points:	---
Clone Of:		Environment:
Last Closed:	2019-11-27 18:15:19 UTC	Type:	Bug
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:
Embargoed:

Description Ace Team - Loginsoft 2018-09-16 13:23:21 UTC

Description
The function MP4Free() in mp4property.cpp (libmp4v2 - 2.1.0) internally calls free() on a invalid pointer, raising a SIGABRT signal.


Affected version:
libmp4v2 - 2.1.0 (Tested against - Fedora, EPEL, Debian)


Command:
./mp4art --add image.png --art-any $POC


Debugging:

→ 4392	             free(p);


[#0] 0x7ffff7af8968 → Name: MP4Free(p=0x7ffff74aab78 <main_arena+88>)
[#1] 0x7ffff7b18e8b → Name: mp4v2::impl::MP4StringProperty::~MP4StringProperty(this=0x63a560, __in_chrg=<optimized out>)
[#2] 0x7ffff7b18f12 → Name: mp4v2::impl::MP4StringProperty::~MP4StringProperty(this=0x63a560, __in_chrg=<optimized out>)
[#3] 0x7ffff7af98a0 → Name: mp4v2::impl::MP4Atom::~MP4Atom(this=0x63a470, __in_chrg=<optimized out>)
[#4] 0x7ffff7acf3f2 → Name: mp4v2::impl::MP4FtypAtom::~MP4FtypAtom(this=0x63a470, __in_chrg=<optimized out>)
[#5] 0x7ffff7acf422 → Name: mp4v2::impl::MP4FtypAtom::~MP4FtypAtom(this=0x63a470, __in_chrg=<optimized out>)
[#6] 0x7ffff7afa1b8 → Name: mp4v2::impl::MP4Atom::ReadAtom(file=@0x639990, pParentAtom=0x63a2f0)
[#7] 0x7ffff7afaea6 → Name: mp4v2::impl::MP4Atom::ReadChildAtoms(this=0x63a2f0)
[#8] 0x7ffff7afa361 → Name: mp4v2::impl::MP4Atom::Read(this=0x63a2f0)
[#9] 0x7ffff7b02d3e → Name: mp4v2::impl::MP4File::ReadFromFile(this=0x639990)



[#0] 0x7ffff711b428 → Name: __GI_raise(sig=0x6)
[#1] 0x7ffff711d02a → Name: __GI_abort()
[#2] 0x7ffff715d7ea → Name: __libc_message(do_abort=0x2, fmt=0x7ffff7276ed8 "*** Error in `%s': %s: 0x%s ***\n")
[#3] 0x7ffff716637a → Name: malloc_printerr(ar_ptr=<optimized out>, ptr=<optimized out>, str=0x7ffff7273caf "free(): invalid pointer", action=0x3)
[#4] 0x7ffff716637a → Name: _int_free(av=<optimized out>, p=<optimized out>, have_lock=0x0)
[#5] 0x7ffff716a53c → Name: __GI___libc_free(mem=<optimized out>)
[#6] 0x7ffff7af8974 → Name: MP4Free(p=0x7ffff74aab78 <main_arena+88>)
[#7] 0x7ffff7b18e8b → Name: mp4v2::impl::MP4StringProperty::~MP4StringProperty(this=0x63a560, __in_chrg=<optimized out>)
[#8] 0x7ffff7b18f12 → Name: mp4v2::impl::MP4StringProperty::~MP4StringProperty(this=0x63a560, __in_chrg=<optimized out>)
[#9] 0x7ffff7af98a0 → Name: mp4v2::impl::MP4Atom::~MP4Atom(this=0x63a470, __in_chrg=<optimized out>)

gef➤  p p   //valid pointer
$38 = (void *) 0x63a520


gef➤  p p   //valid pointer
$39 = (void *) 0x63a540


gef➤  p p    //Invalid pointer
$48 = (void *) 0x7ffff74aab78 <main_arena+88>



Valgrind report:

==57947== Invalid read of size 8
==57947==    at 0x4EFEE80: mp4v2::impl::MP4StringProperty::~MP4StringProperty() (mp4property.cpp:338)
==57947==    by 0x4EFEF11: mp4v2::impl::MP4StringProperty::~MP4StringProperty() (mp4property.cpp:340)
==57947==    by 0x4EDF89F: mp4v2::impl::MP4Atom::~MP4Atom() (mp4atom.cpp:66)
==57947==    by 0x4EB53F1: mp4v2::impl::MP4FtypAtom::~MP4FtypAtom() (in /usr/local/lib/libmp4v2.so.2.1.0)
==57947==    by 0x4EB5421: mp4v2::impl::MP4FtypAtom::~MP4FtypAtom() (atoms.h:325)
==57947==    by 0x4EE01B7: mp4v2::impl::MP4Atom::ReadAtom(mp4v2::impl::MP4File&, mp4v2::impl::MP4Atom*) (mp4atom.cpp:199)
==57947==    by 0x4EE0EA5: mp4v2::impl::MP4Atom::ReadChildAtoms() (mp4atom.cpp:429)
==57947==    by 0x4EE0360: mp4v2::impl::MP4Atom::Read() (mp4atom.cpp:235)
==57947==    by 0x4EE8D3D: mp4v2::impl::MP4File::ReadFromFile() (mp4file.cpp:430)
==57947==    by 0x4EE7851: mp4v2::impl::MP4File::Modify(char const*) (mp4file.cpp:166)
==57947==    by 0x4ED333A: MP4Modify (mp4.cpp:231)
==57947==    by 0x406547: mp4v2::util::ArtUtility::actionAdd(mp4v2::util::Utility::JobContext&) (mp4art.cpp:149)
==57947==  Address 0x5e7dff8 is 0 bytes after a block of size 8 alloc'd
==57947==    at 0x4C2DB8F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==57947==    by 0x4C2FDEF: realloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==57947==    by 0x4EAE618: mp4v2::impl::MP4Realloc(void*, unsigned int) (mp4util.h:80)
==57947==    by 0x4F03DA2: mp4v2::impl::MP4StringArray::Resize(unsigned int) (mp4array.h:136)
==57947==    by 0x4EFEF56: mp4v2::impl::MP4StringProperty::SetCount(unsigned int) (mp4property.cpp:346)
==57947==    by 0x4EFEDE1: mp4v2::impl::MP4StringProperty::MP4StringProperty(mp4v2::impl::MP4Atom&, char const*, bool, bool, bool) (mp4property.cpp:330)
==57947==    by 0x4EB5171: mp4v2::impl::MP4FtypAtom::MP4FtypAtom(mp4v2::impl::MP4File&) (atom_ftyp.cpp:32)
==57947==    by 0x4EE2DBC: mp4v2::impl::MP4Atom::factory(mp4v2::impl::MP4File&, mp4v2::impl::MP4Atom*, char const*) (mp4atom.cpp:868)
==57947==    by 0x4EDFA3A: mp4v2::impl::MP4Atom::CreateAtom(mp4v2::impl::MP4File&, mp4v2::impl::MP4Atom*, char const*) (mp4atom.cpp:78)
==57947==    by 0x4EDFF89: mp4v2::impl::MP4Atom::ReadAtom(mp4v2::impl::MP4File&, mp4v2::impl::MP4Atom*) (mp4atom.cpp:168)
==57947==    by 0x4EE0EA5: mp4v2::impl::MP4Atom::ReadChildAtoms() (mp4atom.cpp:429)
==57947==    by 0x4EE0360: mp4v2::impl::MP4Atom::Read() (mp4atom.cpp:235)
==57947== 
==57947== Invalid free() / delete / delete[] / realloc()
==57947==    at 0x4C2EDEB: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==57947==    by 0x4EDE973: MP4Free (mp4.cpp:4392)
==57947==    by 0x4EFEE8A: mp4v2::impl::MP4StringProperty::~MP4StringProperty() (mp4property.cpp:338)
==57947==    by 0x4EFEF11: mp4v2::impl::MP4StringProperty::~MP4StringProperty() (mp4property.cpp:340)
==57947==    by 0x4EDF89F: mp4v2::impl::MP4Atom::~MP4Atom() (mp4atom.cpp:66)
==57947==    by 0x4EB53F1: mp4v2::impl::MP4FtypAtom::~MP4FtypAtom() (in /usr/local/lib/libmp4v2.so.2.1.0)
==57947==    by 0x4EB5421: mp4v2::impl::MP4FtypAtom::~MP4FtypAtom() (atoms.h:325)
==57947==    by 0x4EE01B7: mp4v2::impl::MP4Atom::ReadAtom(mp4v2::impl::MP4File&, mp4v2::impl::MP4Atom*) (mp4atom.cpp:199)
==57947==    by 0x4EE0EA5: mp4v2::impl::MP4Atom::ReadChildAtoms() (mp4atom.cpp:429)
==57947==    by 0x4EE0360: mp4v2::impl::MP4Atom::Read() (mp4atom.cpp:235)
==57947==    by 0x4EE8D3D: mp4v2::impl::MP4File::ReadFromFile() (mp4file.cpp:430)
==57947==    by 0x4EE7851: mp4v2::impl::MP4File::Modify(char const*) (mp4file.cpp:166)
==57947==  Address 0x50 is not stack'd, malloc'd or (recently) free'd
==57947== 
==57947== Mismatched free() / delete / delete []
==57947==    at 0x4C2EDEB: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==57947==    by 0x4EDE973: MP4Free (mp4.cpp:4392)
==57947==    by 0x4EFEE8A: mp4v2::impl::MP4StringProperty::~MP4StringProperty() (mp4property.cpp:338)
==57947==    by 0x4EFEF11: mp4v2::impl::MP4StringProperty::~MP4StringProperty() (mp4property.cpp:340)
==57947==    by 0x4EDF89F: mp4v2::impl::MP4Atom::~MP4Atom() (mp4atom.cpp:66)
==57947==    by 0x4EB53F1: mp4v2::impl::MP4FtypAtom::~MP4FtypAtom() (in /usr/local/lib/libmp4v2.so.2.1.0)
==57947==    by 0x4EB5421: mp4v2::impl::MP4FtypAtom::~MP4FtypAtom() (atoms.h:325)
==57947==    by 0x4EE01B7: mp4v2::impl::MP4Atom::ReadAtom(mp4v2::impl::MP4File&, mp4v2::impl::MP4Atom*) (mp4atom.cpp:199)
==57947==    by 0x4EE0EA5: mp4v2::impl::MP4Atom::ReadChildAtoms() (mp4atom.cpp:429)
==57947==    by 0x4EE0360: mp4v2::impl::MP4Atom::Read() (mp4atom.cpp:235)
==57947==    by 0x4EE8D3D: mp4v2::impl::MP4File::ReadFromFile() (mp4file.cpp:430)
==57947==    by 0x4EE7851: mp4v2::impl::MP4File::Modify(char const*) (mp4file.cpp:166)
==57947==  Address 0x5e7df70 is 0 bytes inside a block of size 56 alloc'd
==57947==    at 0x4C2E0EF: operator new(unsigned long) (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==57947==    by 0x4EB5147: mp4v2::impl::MP4FtypAtom::MP4FtypAtom(mp4v2::impl::MP4File&) (atom_ftyp.cpp:32)
==57947==    by 0x4EE2DBC: mp4v2::impl::MP4Atom::factory(mp4v2::impl::MP4File&, mp4v2::impl::MP4Atom*, char const*) (mp4atom.cpp:868)
==57947==    by 0x4EDFA3A: mp4v2::impl::MP4Atom::CreateAtom(mp4v2::impl::MP4File&, mp4v2::impl::MP4Atom*, char const*) (mp4atom.cpp:78)
==57947==    by 0x4EDFF89: mp4v2::impl::MP4Atom::ReadAtom(mp4v2::impl::MP4File&, mp4v2::impl::MP4Atom*) (mp4atom.cpp:168)
==57947==    by 0x4EE0EA5: mp4v2::impl::MP4Atom::ReadChildAtoms() (mp4atom.cpp:429)
==57947==    by 0x4EE0360: mp4v2::impl::MP4Atom::Read() (mp4atom.cpp:235)
==57947==    by 0x4EE8D3D: mp4v2::impl::MP4File::ReadFromFile() (mp4file.cpp:430)
==57947==    by 0x4EE7851: mp4v2::impl::MP4File::Modify(char const*) (mp4file.cpp:166)
==57947==    by 0x4ED333A: MP4Modify (mp4.cpp:231)
==57947==    by 0x406547: mp4v2::util::ArtUtility::actionAdd(mp4v2::util::Utility::JobContext&) (mp4art.cpp:149)
==57947==    by 0x407B13: mp4v2::util::ArtUtility::utility_job(mp4v2::util::Utility::JobContext&) (mp4art.cpp:369)
==57947== 
==57947== Invalid read of size 4
==57947==    at 0x4EADD6D: mp4v2::impl::MP4Array::ValidIndex(unsigned int) (mp4array.h:40)
==57947==    by 0x4EB9A72: mp4v2::impl::MP4StringArray::operator[](unsigned int) (in /usr/local/lib/libmp4v2.so.2.1.0)
==57947==    by 0x4EFEE7F: mp4v2::impl::MP4StringProperty::~MP4StringProperty() (mp4property.cpp:338)
==57947==    by 0x4EFEF11: mp4v2::impl::MP4StringProperty::~MP4StringProperty() (mp4property.cpp:340)
==57947==    by 0x4EDF89F: mp4v2::impl::MP4Atom::~MP4Atom() (mp4atom.cpp:66)
==57947==    by 0x4EB53F1: mp4v2::impl::MP4FtypAtom::~MP4FtypAtom() (in /usr/local/lib/libmp4v2.so.2.1.0)
==57947==    by 0x4EB5421: mp4v2::impl::MP4FtypAtom::~MP4FtypAtom() (atoms.h:325)
==57947==    by 0x4EE01B7: mp4v2::impl::MP4Atom::ReadAtom(mp4v2::impl::MP4File&, mp4v2::impl::MP4Atom*) (mp4atom.cpp:199)
==57947==    by 0x4EE0EA5: mp4v2::impl::MP4Atom::ReadChildAtoms() (mp4atom.cpp:429)
==57947==    by 0x4EE0360: mp4v2::impl::MP4Atom::Read() (mp4atom.cpp:235)
==57947==    by 0x4EE8D3D: mp4v2::impl::MP4File::ReadFromFile() (mp4file.cpp:430)
==57947==    by 0x4EE7851: mp4v2::impl::MP4File::Modify(char const*) (mp4file.cpp:166)
==57947==  Address 0x5e7df98 is 40 bytes inside a block of size 56 free'd
==57947==    at 0x4C2EDEB: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==57947==    by 0x4EDE973: MP4Free (mp4.cpp:4392)
==57947==    by 0x4EFEE8A: mp4v2::impl::MP4StringProperty::~MP4StringProperty() (mp4property.cpp:338)
==57947==    by 0x4EFEF11: mp4v2::impl::MP4StringProperty::~MP4StringProperty() (mp4property.cpp:340)
==57947==    by 0x4EDF89F: mp4v2::impl::MP4Atom::~MP4Atom() (mp4atom.cpp:66)
==57947==    by 0x4EB53F1: mp4v2::impl::MP4FtypAtom::~MP4FtypAtom() (in /usr/local/lib/libmp4v2.so.2.1.0)
==57947==    by 0x4EB5421: mp4v2::impl::MP4FtypAtom::~MP4FtypAtom() (atoms.h:325)
==57947==    by 0x4EE01B7: mp4v2::impl::MP4Atom::ReadAtom(mp4v2::impl::MP4File&, mp4v2::impl::MP4Atom*) (mp4atom.cpp:199)
==57947==    by 0x4EE0EA5: mp4v2::impl::MP4Atom::ReadChildAtoms() (mp4atom.cpp:429)
==57947==    by 0x4EE0360: mp4v2::impl::MP4Atom::Read() (mp4atom.cpp:235)
==57947==    by 0x4EE8D3D: mp4v2::impl::MP4File::ReadFromFile() (mp4file.cpp:430)
==57947==    by 0x4EE7851: mp4v2::impl::MP4File::Modify(char const*) (mp4file.cpp:166)
==57947==  Block was alloc'd at
==57947==    at 0x4C2E0EF: operator new(unsigned long) (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==57947==    by 0x4EB5147: mp4v2::impl::MP4FtypAtom::MP4FtypAtom(mp4v2::impl::MP4File&) (atom_ftyp.cpp:32)
==57947==    by 0x4EE2DBC: mp4v2::impl::MP4Atom::factory(mp4v2::impl::MP4File&, mp4v2::impl::MP4Atom*, char const*) (mp4atom.cpp:868)
==57947==    by 0x4EDFA3A: mp4v2::impl::MP4Atom::CreateAtom(mp4v2::impl::MP4File&, mp4v2::impl::MP4Atom*, char const*) (mp4atom.cpp:78)
==57947==    by 0x4EDFF89: mp4v2::impl::MP4Atom::ReadAtom(mp4v2::impl::MP4File&, mp4v2::impl::MP4Atom*) (mp4atom.cpp:168)
==57947==    by 0x4EE0EA5: mp4v2::impl::MP4Atom::ReadChildAtoms() (mp4atom.cpp:429)
==57947==    by 0x4EE0360: mp4v2::impl::MP4Atom::Read() (mp4atom.cpp:235)
==57947==    by 0x4EE8D3D: mp4v2::impl::MP4File::ReadFromFile() (mp4file.cpp:430)
==57947==    by 0x4EE7851: mp4v2::impl::MP4File::Modify(char const*) (mp4file.cpp:166)
==57947==    by 0x4ED333A: MP4Modify (mp4.cpp:231)
==57947==    by 0x406547: mp4v2::util::ArtUtility::actionAdd(mp4v2::util::Utility::JobContext&) (mp4art.cpp:149)
==57947==    by 0x407B13: mp4v2::util::ArtUtility::utility_job(mp4v2::util::Utility::JobContext&) (mp4art.cpp:369)
==57947== 
==57947== Invalid read of size 8
==57947==    at 0x4EB9A7E: mp4v2::impl::MP4StringArray::operator[](unsigned int) (in /usr/local/lib/libmp4v2.so.2.1.0)
==57947==    by 0x4EFEE7F: mp4v2::impl::MP4StringProperty::~MP4StringProperty() (mp4property.cpp:338)
==57947==    by 0x4EFEF11: mp4v2::impl::MP4StringProperty::~MP4StringProperty() (mp4property.cpp:340)
==57947==    by 0x4EDF89F: mp4v2::impl::MP4Atom::~MP4Atom() (mp4atom.cpp:66)
==57947==    by 0x4EB53F1: mp4v2::impl::MP4FtypAtom::~MP4FtypAtom() (in /usr/local/lib/libmp4v2.so.2.1.0)
==57947==    by 0x4EB5421: mp4v2::impl::MP4FtypAtom::~MP4FtypAtom() (atoms.h:325)
==57947==    by 0x4EE01B7: mp4v2::impl::MP4Atom::ReadAtom(mp4v2::impl::MP4File&, mp4v2::impl::MP4Atom*) (mp4atom.cpp:199)
==57947==    by 0x4EE0EA5: mp4v2::impl::MP4Atom::ReadChildAtoms() (mp4atom.cpp:429)
==57947==    by 0x4EE0360: mp4v2::impl::MP4Atom::Read() (mp4atom.cpp:235)
==57947==    by 0x4EE8D3D: mp4v2::impl::MP4File::ReadFromFile() (mp4file.cpp:430)
==57947==    by 0x4EE7851: mp4v2::impl::MP4File::Modify(char const*) (mp4file.cpp:166)
==57947==    by 0x4ED333A: MP4Modify (mp4.cpp:231)
==57947==  Address 0x5e7dfa0 is 48 bytes inside a block of size 56 free'd
==57947==    at 0x4C2EDEB: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==57947==    by 0x4EDE973: MP4Free (mp4.cpp:4392)
==57947==    by 0x4EFEE8A: mp4v2::impl::MP4StringProperty::~MP4StringProperty() (mp4property.cpp:338)
==57947==    by 0x4EFEF11: mp4v2::impl::MP4StringProperty::~MP4StringProperty() (mp4property.cpp:340)
==57947==    by 0x4EDF89F: mp4v2::impl::MP4Atom::~MP4Atom() (mp4atom.cpp:66)
==57947==    by 0x4EB53F1: mp4v2::impl::MP4FtypAtom::~MP4FtypAtom() (in /usr/local/lib/libmp4v2.so.2.1.0)
==57947==    by 0x4EB5421: mp4v2::impl::MP4FtypAtom::~MP4FtypAtom() (atoms.h:325)
==57947==    by 0x4EE01B7: mp4v2::impl::MP4Atom::ReadAtom(mp4v2::impl::MP4File&, mp4v2::impl::MP4Atom*) (mp4atom.cpp:199)
==57947==    by 0x4EE0EA5: mp4v2::impl::MP4Atom::ReadChildAtoms() (mp4atom.cpp:429)
==57947==    by 0x4EE0360: mp4v2::impl::MP4Atom::Read() (mp4atom.cpp:235)
==57947==    by 0x4EE8D3D: mp4v2::impl::MP4File::ReadFromFile() (mp4file.cpp:430)
==57947==    by 0x4EE7851: mp4v2::impl::MP4File::Modify(char const*) (mp4file.cpp:166)
==57947==  Block was alloc'd at
==57947==    at 0x4C2E0EF: operator new(unsigned long) (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==57947==    by 0x4EB5147: mp4v2::impl::MP4FtypAtom::MP4FtypAtom(mp4v2::impl::MP4File&) (atom_ftyp.cpp:32)
==57947==    by 0x4EE2DBC: mp4v2::impl::MP4Atom::factory(mp4v2::impl::MP4File&, mp4v2::impl::MP4Atom*, char const*) (mp4atom.cpp:868)
==57947==    by 0x4EDFA3A: mp4v2::impl::MP4Atom::CreateAtom(mp4v2::impl::MP4File&, mp4v2::impl::MP4Atom*, char const*) (mp4atom.cpp:78)
==57947==    by 0x4EDFF89: mp4v2::impl::MP4Atom::ReadAtom(mp4v2::impl::MP4File&, mp4v2::impl::MP4Atom*) (mp4atom.cpp:168)
==57947==    by 0x4EE0EA5: mp4v2::impl::MP4Atom::ReadChildAtoms() (mp4atom.cpp:429)
==57947==    by 0x4EE0360: mp4v2::impl::MP4Atom::Read() (mp4atom.cpp:235)
==57947==    by 0x4EE8D3D: mp4v2::impl::MP4File::ReadFromFile() (mp4file.cpp:430)
==57947==    by 0x4EE7851: mp4v2::impl::MP4File::Modify(char const*) (mp4file.cpp:166)
==57947==    by 0x4ED333A: MP4Modify (mp4.cpp:231)
==57947==    by 0x406547: mp4v2::util::ArtUtility::actionAdd(mp4v2::util::Utility::JobContext&) (mp4art.cpp:149)
==57947==    by 0x407B13: mp4v2::util::ArtUtility::utility_job(mp4v2::util::Utility::JobContext&) (mp4art.cpp:369)
==57947== 
==57947== Conditional jump or move depends on uninitialised value(s)
==57947==    at 0x4EDE966: MP4Free (mp4.cpp:4391)
==57947==    by 0x4EFEE8A: mp4v2::impl::MP4StringProperty::~MP4StringProperty() (mp4property.cpp:338)
==57947==    by 0x4EFEF11: mp4v2::impl::MP4StringProperty::~MP4StringProperty() (mp4property.cpp:340)
==57947==    by 0x4EDF89F: mp4v2::impl::MP4Atom::~MP4Atom() (mp4atom.cpp:66)
==57947==    by 0x4EB53F1: mp4v2::impl::MP4FtypAtom::~MP4FtypAtom() (in /usr/local/lib/libmp4v2.so.2.1.0)
==57947==    by 0x4EB5421: mp4v2::impl::MP4FtypAtom::~MP4FtypAtom() (atoms.h:325)
==57947==    by 0x4EE01B7: mp4v2::impl::MP4Atom::ReadAtom(mp4v2::impl::MP4File&, mp4v2::impl::MP4Atom*) (mp4atom.cpp:199)
==57947==    by 0x4EE0EA5: mp4v2::impl::MP4Atom::ReadChildAtoms() (mp4atom.cpp:429)
==57947==    by 0x4EE0360: mp4v2::impl::MP4Atom::Read() (mp4atom.cpp:235)
==57947==    by 0x4EE8D3D: mp4v2::impl::MP4File::ReadFromFile() (mp4file.cpp:430)
==57947==    by 0x4EE7851: mp4v2::impl::MP4File::Modify(char const*) (mp4file.cpp:166)
==57947==    by 0x4ED333A: MP4Modify (mp4.cpp:231)
==57947== 
==57947== 
==57947== Process terminating with default action of signal 11 (SIGSEGV): dumping core
==57947==  Access not within mapped region at address 0x6234000
==57947==    at 0x4EFEE80: mp4v2::impl::MP4StringProperty::~MP4StringProperty() (mp4property.cpp:338)
==57947==    by 0x4EFEF11: mp4v2::impl::MP4StringProperty::~MP4StringProperty() (mp4property.cpp:340)
==57947==    by 0x4EDF89F: mp4v2::impl::MP4Atom::~MP4Atom() (mp4atom.cpp:66)
==57947==    by 0x4EB53F1: mp4v2::impl::MP4FtypAtom::~MP4FtypAtom() (in /usr/local/lib/libmp4v2.so.2.1.0)
==57947==    by 0x4EB5421: mp4v2::impl::MP4FtypAtom::~MP4FtypAtom() (atoms.h:325)
==57947==    by 0x4EE01B7: mp4v2::impl::MP4Atom::ReadAtom(mp4v2::impl::MP4File&, mp4v2::impl::MP4Atom*) (mp4atom.cpp:199)
==57947==    by 0x4EE0EA5: mp4v2::impl::MP4Atom::ReadChildAtoms() (mp4atom.cpp:429)
==57947==    by 0x4EE0360: mp4v2::impl::MP4Atom::Read() (mp4atom.cpp:235)
==57947==    by 0x4EE8D3D: mp4v2::impl::MP4File::ReadFromFile() (mp4file.cpp:430)
==57947==    by 0x4EE7851: mp4v2::impl::MP4File::Modify(char const*) (mp4file.cpp:166)
==57947==    by 0x4ED333A: MP4Modify (mp4.cpp:231)
==57947==    by 0x406547: mp4v2::util::ArtUtility::actionAdd(mp4v2::util::Utility::JobContext&) (mp4art.cpp:149)


Reproducer file - https://github.com/SegfaultMasters/covering360/blob/master/libmp4v2/MP4Free_00

Comment 1 Salvatore Bonaccorso 2018-09-20 19:42:08 UTC

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-17236

Comment 2 Ace Team - Loginsoft 2018-10-17 05:37:20 UTC

(In reply to Salvatore Bonaccorso from comment #1)
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-17236

Hey there, is anyone going to address this issue? Or do we need to report somewhere else?

Comment 3 Sergio Basto 2018-10-17 09:38:22 UTC

The story of this package in Fedora until 3 year ago we got version 1.5, we updated to 2.0 and after update to trunk version pre 2.1 , I tried keep libmp4v2 alive [2] .
But we don't have any patch to fix and apply to the source .
If you provide some fix by one pull request on github or in https://src.fedoraproject.org/rpms/libmp4v2 , we will updated the package until then I don't know what to do . 


[1]
https://src.fedoraproject.org/rpms/libmp4v2/c/8413e81cc47f60160f70b262a8c096e347845527?branch=master

[2]
https://github.com/sergiomb2/libmp4v2/commits/master

Comment 4 Sergio Basto 2018-10-18 22:05:33 UTC

Hi,

I added some security fixes[2] found in www.openwall.com unfortunately "Fastbin double free in MP4v2 2.0.0"[1] not bring the code solution , can someone review it ? 

Thanks,


[1] 
https://www.openwall.com/lists/oss-security/2018/07/13/1


[2]
https://github.com/sergiomb2/libmp4v2/commits/master

Comment 5 Ben Cotton 2019-10-31 20:38:06 UTC

This message is a reminder that Fedora 29 is nearing its end of life.
Fedora will stop maintaining and issuing updates for Fedora 29 on 2019-11-26.
It is Fedora's policy to close all bug reports from releases that are no longer
maintained. At that time this bug will be closed as EOL if it remains open with a
Fedora 'version' of '29'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not 
able to fix it before Fedora 29 is end of life. If you would still like 
to see this bug fixed and are able to reproduce it against a later version 
of Fedora, you are encouraged  change the 'version' to a later Fedora 
version prior this bug is closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events. Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

Comment 6 Fedora Update System 2019-11-02 08:08:08 UTC

FEDORA-2019-eace0e3fce has been submitted as an update to Fedora 31. https://bodhi.fedoraproject.org/updates/FEDORA-2019-eace0e3fce

Comment 7 Fedora Update System 2019-11-02 08:08:22 UTC

FEDORA-2019-cba94a2e76 has been submitted as an update to Fedora 30. https://bodhi.fedoraproject.org/updates/FEDORA-2019-cba94a2e76

Comment 8 Fedora Update System 2019-11-02 08:08:35 UTC

FEDORA-2019-07598ce28e has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2019-07598ce28e

Comment 9 Fedora Update System 2019-11-02 08:13:20 UTC

FEDORA-EPEL-2019-ec3a3dac15 has been submitted as an update to Fedora EPEL 7. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2019-ec3a3dac15

Comment 10 Ben Cotton 2019-11-27 18:15:19 UTC

Fedora 29 changed to end-of-life (EOL) status on 2019-11-26. Fedora 29 is
no longer maintained, which means that it will not receive any further
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of
Fedora please feel free to reopen this bug against that version. If you
are unable to reopen this bug, please file a new report against the
current release. If you experience problems, please add a comment to this
bug.

Thank you for reporting this bug and we are sorry it could not be fixed.