CVE-2023-46871: Memory leaks in NewSFDouble scenegraph/vrml_tools.c:300 · Issue #2658 · gpac/gpac
GPAC version 2.3-DEV-rev602-ged8424300-master in MP4Box contains a memory leak in NewSFDouble scenegraph/vrml_tools.c:300. This vulnerability may lead to a denial of service.
Thanks for reporting your issue. Please make sure these boxes are checked before submitting your issue - thank you!
- I looked for a similar issue and couldn’t find any.
- I tried with the latest version of GPAC. Installers available at http://gpac.io/downloads/gpac-nightly-builds/
- I give enough information for contributors to reproduce my issue (meaningful title, github labels, platform and compiler, command-line …). I can share files anonymously with this dropbox: https://www.mediafire.com/filedrop/filedrop_hosted.php?drop=eec9e058a9486fe4e99c33021481d9e1826ca9dbc242a6cfaab0fe95da5e5d95
Detailed guidelines: http://gpac.io/bug-reporting/
1. Version
./MP4Box -version
MP4Box - GPAC version 2.3-DEV-rev602-ged8424300-master
© 2000-2023 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
Please cite our work in your research:
GPAC Filters: https://doi.org/10.1145/3339825.3394929
GPAC: https://doi.org/10.1145/1291233.1291452
GPAC Configuration:
Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SSL GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_JPEG GPAC_HAS_PNG GPAC_HAS_LINUX_DVB GPAC_DISABLE_3D
2. Platform
uname -a
Linux returnzero-virtual-machine 6.2.0-35-generic #35~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Fri Oct 6 10:23:26 UTC 2 x86_64 x86_64 x86_64 GNU/Linux
3. Reproduce
./MP4Box -bt $poc
4. ASAN
./MP4Box -bt '/home/returnzero/gpac/out/default/crashes/id:000000,sig:06,src:000008,time:167295,execs:4216,op:havoc,rep:6'
[iso file] extra box maxr found in hinf, deleting
[iso file] Unknown box type traI in parent moov
[iso file] Box "stss" (start 9939) has 32 extra bytes
[iso file] extra box maxr found in hinf, deleting
[iso file] Track with no sample description box !
[iso file] Incomplete box mdat - start 11495 size 861217
[iso file] Incomplete file while reading for dump - aborting parsing
[iso file] extra box maxr found in hinf, deleting
[iso file] Unknown box type traI in parent moov
[iso file] Box "stss" (start 9939) has 32 extra bytes
[iso file] extra box maxr found in hinf, deleting
[iso file] Track with no sample description box !
[iso file] Incomplete box mdat - start 11495 size 861217
[iso file] Incomplete file while reading for dump - aborting parsing
MPEG-4 BIFS Scene Parsing
[MP4 Loading] decoding sample 1 from track ID 8 failed
Error loading scene: BitStream Not Compliant
Error: BitStream Not Compliant
=================================================================
==3703==ERROR: LeakSanitizer: detected memory leaks
Direct leak of 8 byte(s) in 1 object(s) allocated from:
#0 0x7f0d974b4887 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
#1 0x7f0d95d38b3b in NewSFDouble scenegraph/vrml_tools.c:300
#2 0x7f0d95d38b3b in gf_sg_vrml_field_pointer_new scenegraph/vrml_tools.c:558
SUMMARY: AddressSanitizer: 8 byte(s) leaked in 1 allocation(s).
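To triage reports like the one above, here is an added Python example (it is not part of this issue or of GPAC) that parses a LeakSanitizer report, skips the sanitizer's own interceptor frame, and returns the first application allocation site together with the summary totals; that pair is a convenient deduplication key when a fuzzer produces many crash files that all trip the same leak. The sample report is the text quoted above, embedded as a constructed string so the script runs without the crash file or MP4Box; the `../../../../src/...` path in frame #0 is assumed to be what the ellipsised line originally contained.

```python
import re

# Constructed sample: the LeakSanitizer report from the issue above, copied here
# so the parser can run offline (neither MP4Box nor the crash file is needed).
SAMPLE_LSAN_REPORT = """\
=================================================================
==3703==ERROR: LeakSanitizer: detected memory leaks
Direct leak of 8 byte(s) in 1 object(s) allocated from:
    #0 0x7f0d974b4887 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
    #1 0x7f0d95d38b3b in NewSFDouble scenegraph/vrml_tools.c:300
    #2 0x7f0d95d38b3b in gf_sg_vrml_field_pointer_new scenegraph/vrml_tools.c:558
SUMMARY: AddressSanitizer: 8 byte(s) leaked in 1 allocation(s).
"""

LEAK_HEADER = re.compile(r"^(Direct|Indirect) leak of (\d+) byte\(s\) in (\d+) object\(s\)")
FRAME = re.compile(r"^#(\d+) 0x[0-9a-fA-F]+ in (\S+) (\S+)$")
SUMMARY = re.compile(r"^SUMMARY: \w+: (\d+) byte\(s\) leaked in (\d+) allocation\(s\)\.")

# Frames that belong to the sanitizer runtime rather than the program under test.
RUNTIME_PREFIXES = ("__interceptor_", "__asan_", "__lsan_", "__sanitizer_")


def parse_lsan_report(text):
    """Parse a LeakSanitizer report into leak records plus the summary line.

    Each leak record: {"kind", "bytes", "objects", "frames": [(function, location), ...]}
    """
    leaks = []
    summary = None
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = LEAK_HEADER.match(line)
        if m:
            current = {"kind": m.group(1).lower(), "bytes": int(m.group(2)),
                       "objects": int(m.group(3)), "frames": []}
            leaks.append(current)
            continue
        m = FRAME.match(line)
        if m and current is not None:
            current["frames"].append((m.group(2), m.group(3)))
            continue
        m = SUMMARY.match(line)
        if m:
            summary = {"bytes": int(m.group(1)), "allocations": int(m.group(2))}
            current = None
    return leaks, summary


def allocation_site(leak):
    """Return (function, file:line) of the first frame outside the sanitizer runtime.

    That frame is the program's own function that called the allocator, which is
    what a triager wants to see (here: NewSFDouble at scenegraph/vrml_tools.c:300).
    """
    for func, loc in leak["frames"]:
        if not func.startswith(RUNTIME_PREFIXES):
            return func, loc
    return None


def leak_signature(text):
    """Build a deduplication key for a fuzzing crash directory from one report."""
    leaks, summary = parse_lsan_report(text)
    sites = sorted({s for s in map(allocation_site, leaks) if s is not None})
    total = summary["bytes"] if summary else sum(l["bytes"] for l in leaks)
    return {"sites": sites, "leaked_bytes": total, "leaks": len(leaks)}


if __name__ == "__main__":
    print(leak_signature(SAMPLE_LSAN_REPORT))
```

Running the script on the embedded report yields a single site, `NewSFDouble` at `scenegraph/vrml_tools.c:300`, with 8 leaked bytes in one allocation, matching the SUMMARY line. Two fuzzer outputs that produce the same `sites` list are almost certainly the same bug and can be filed once.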
5. Impact
This vulnerability allows a remote attacker to cause a denial of service on an affected gpac MP4Box. Exploiting this vulnerability requires user interaction, as the target must access a malicious page or open a malicious file.
6. PoC
https://github.com/ReturnHere/CrashReport/blob/main/id%5E%25000000%2Csig%5E%2506%2Csrc%5E%25000008%2Ctime%5E%25167295%2Cexecs%5E%254216%2Cop%5E%25havoc%2Crep%5E%256