CVE-2022-46489: Memory leak in gf_isom_box_parse_ex function of box_funcs.c:166:13 · Issue #2328 · gpac/gpac

GPAC version 2.1-DEV-rev505-gb9577e6ad-master was discovered to contain a memory leak via the gf_isom_box_parse_ex function at box_funcs.c.


A memory leak occurs when running the MP4Box program; it can be reproduced on the latest commit.

Version

$ ./MP4Box -version
MP4Box - GPAC version 2.1-DEV-rev505-gb9577e6ad-master
(c) 2000-2022 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io

Please cite our work in your research:
    GPAC Filters: https://doi.org/10.1145/3339825.3394929
    GPAC: https://doi.org/10.1145/1291233.1291452

GPAC Configuration: --static-build --extra-cflags=-fsanitize=address -g --extra-ldflags=-fsanitize=address -g
Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SSL GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_FREETYPE GPAC_HAS_JPEG GPAC_HAS_PNG GPAC_HAS_LINUX_DVB

git log

commit b9577e6ad91ef96decbcd369227ab02b2842c77f (HEAD -> master, origin/master, origin/HEAD)
Author: jeanlf <[email protected]>
Date:   Fri Nov 25 16:53:55 2022 +0100

Verification steps

export CFLAGS='-fsanitize=address -g'
export CC=/usr/bin/clang
export CXX=/usr/bin/clang++
git clone https://github.com/gpac/gpac.git
cd gpac
./configure --static-build --extra-cflags="${CFLAGS}" --extra-ldflags="${CFLAGS}"
make
cd bin/gcc
./MP4Box -info $poc

POC file

https://github.com/HotSpurzzZ/testcases/blob/main/gpac/gpac_Direct_leak_gf_isom_box_parse_ex.mp4

AddressSanitizer output

$ ./MP4Box -info gpac_Direct_leak_gf_isom_box_parse_ex.mp4
[iso file] Failed to uncompress payload for box type !ssx (0x21737378)
Error opening file gpac_Direct_leak_gf_isom_box_parse_ex.mp4: BitStream Not Compliant

=================================================================
==10575==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 1718840668 byte(s) in 1 object(s) allocated from:
    #0 0x4a186d in malloc (/root/Desktop/gpac/bin/gcc/MP4Box+0x4a186d)
    #1 0x7dfc41 in gf_isom_box_parse_ex /root/Desktop/gpac/src/isomedia/box_funcs.c:166:13
    #2 0x7df29c in gf_isom_parse_root_box /root/Desktop/gpac/src/isomedia/box_funcs.c:38:8

Direct leak of 4096 byte(s) in 1 object(s) allocated from:
    #0 0x4a186d in malloc (/root/Desktop/gpac/bin/gcc/MP4Box+0x4a186d)
    #1 0x599d69 in gf_gz_decompress_payload /root/Desktop/gpac/src/utils/base_encoding.c:257:31
    #2 0x7dfc66 in gf_isom_box_parse_ex /root/Desktop/gpac/src/isomedia/box_funcs.c:170:9
    #3 0x7df29c in gf_isom_parse_root_box /root/Desktop/gpac/src/isomedia/box_funcs.c:38:8

SUMMARY: AddressSanitizer: 1718844764 byte(s) leaked in 2 allocation(s).
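The sanitizer trace above reports two buffers that were never released after the payload decompression failed: the one allocated in gf_isom_box_parse_ex at line 166 and the chunk allocated inside gf_gz_decompress_payload. As an added illustration (constructed here, not GPAC code), the following minimal C box parser shows the defensive shape of that path: the declared box size is bounded by the bytes actually present before anything is allocated, and both the compressed copy and the decompressor's own partial output are freed on the failure path. The box layout, the decompress_payload stand-in and the allocation counters are assumptions made for this example.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Allocation bookkeeping so a test can prove nothing is left behind. */
static long live_allocs;
static void *xmalloc(size_t n) { void *p = malloc(n ? n : 1); if (p) live_allocs++; return p; }
static void xfree(void *p) { if (p) { live_allocs--; free(p); } }
long live_allocations(void) { return live_allocs; }
void release_payload(uint8_t *p) { xfree(p); }

/* Hypothetical decompressor stand-in: grabs an output chunk first (as a real
   inflater might), then treats anything without the 0x1f 0x8b marker as a
   corrupt stream. On failure it must release its own chunk before returning. */
static int decompress_payload(const uint8_t *in, size_t n, uint8_t **out, size_t *out_n) {
    uint8_t *o = xmalloc(4096);
    if (!o) return -1;
    if (n < 2 || n - 2 > 4096 || in[0] != 0x1f || in[1] != 0x8b) {
        xfree(o);                         /* corrupt payload: no leak of the output chunk */
        return -1;
    }
    *out_n = n - 2;
    memcpy(o, in + 2, *out_n);
    *out = o;
    return 0;
}

/* Parse one box (assumed layout: 4-byte big-endian size covering the 8-byte
   header, 4-byte type, compressed payload). Returns 0 and a payload the caller
   releases with release_payload(), or -1 with nothing left allocated. */
int parse_compressed_box(const uint8_t *buf, size_t buf_len, uint8_t **out, size_t *out_n) {
    *out = NULL; *out_n = 0;
    if (buf_len < 8) return -1;
    uint32_t size = ((uint32_t)buf[0] << 24) | ((uint32_t)buf[1] << 16) |
                    ((uint32_t)buf[2] << 8)  |  (uint32_t)buf[3];
    /* Never trust the declared size: bound it by the bytes actually present
       before allocating, so a corrupt header cannot request gigabytes. */
    if (size < 8 || size > buf_len) return -1;
    size_t payload = size - 8;
    uint8_t *comp = xmalloc(payload);
    if (!comp) return -1;
    memcpy(comp, buf + 8, payload);
    int rc = decompress_payload(comp, payload, out, out_n);
    xfree(comp);   /* the compressed copy is released on success AND failure */
    return rc;
}
```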
