CVE-2022-47663: buffer overflow in h263dmx_process filters/reframe_h263.c:609 · Issue #2360 · gpac/gpac
GPAC MP4box 2.1-DEV-rev649-ga8f438d20 is vulnerable to buffer overflow in h263dmx_process filters/reframe_h263.c:609
- I looked for a similar issue and couldn’t find any.
- I tried with the latest version of GPAC. Installers available at http://gpac.io/downloads/gpac-nightly-builds/
- I give enough information for contributors to reproduce my issue (meaningful title, github labels,
Description
buffer overflow in h263dmx_process filters/reframe_h263.c:609
Version info
latest version atm
MP4Box - GPAC version 2.1-DEV-rev649-ga8f438d20-master
(c) 2000-2022 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
Please cite our work in your research:
GPAC Filters: https://doi.org/10.1145/3339825.3394929
GPAC: https://doi.org/10.1145/1291233.1291452
GPAC Configuration: --enable-sanitizer
Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SSL GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_LINUX_DVB GPAC_DISABLE_3D
Reproduce
compile and run
./configure --enable-sanitizer
make
./MP4Box import -cat poc_bof13.mp4
Crash reported by sanitizer
[H263Dmx] garbage before first frame!
Track Importing H263 - Width 704 Height 576 FPS 15000/1000
=================================================================
==735609==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60e000000620 at pc 0x7ff71222b397 bp 0x7ffeaf3c2280 sp 0x7ffeaf3c1a28
READ of size 4294967295 at 0x60e000000620 thread T0
#0 0x7ff71222b396 in __interceptor_memcpy ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:827
#1 0x7ff70fbae101 in memcpy /usr/include/x86_64-linux-gnu/bits/string_fortified.h:29
#2 0x7ff70fbae101 in h263dmx_process filters/reframe_h263.c:609
#3 0x7ff70f7a6f1d in gf_filter_process_task filter_core/filter.c:2815
#4 0x7ff70f7665a3 in gf_fs_thread_proc filter_core/filter_session.c:1859
#5 0x7ff70f772ece in gf_fs_run filter_core/filter_session.c:2120
#6 0x7ff70f1b59c1 in gf_media_import media_tools/media_import.c:1551
#7 0x5617e36bfb4c in import_file /home/sumuchuan/Desktop/gpac_fuzz/gpac/applications/mp4box/fileimport.c:1498
#8 0x5617e36ca5d7 in cat_isomedia_file /home/sumuchuan/Desktop/gpac_fuzz/gpac/applications/mp4box/fileimport.c:2536
#9 0x5617e3674130 in do_add_cat /home/sumuchuan/Desktop/gpac_fuzz/gpac/applications/mp4box/mp4box.c:4562
#10 0x5617e3674130 in mp4box_main /home/sumuchuan/Desktop/gpac_fuzz/gpac/applications/mp4box/mp4box.c:6124
#11 0x7ff70c73cd8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
#12 0x7ff70c73ce3f in __libc_start_main_impl ../csu/libc-start.c:392
#13 0x5617e3650cb4 in _start (/home/sumuchuan/Desktop/gpac_fuzz/gpac/bin/gcc/MP4Box+0xabcb4)
0x60e000000620 is located 0 bytes to the right of 160-byte region [0x60e000000580,0x60e000000620)
allocated by thread T0 here:
#0 0x7ff7122a5867 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
#1 0x7ff70f7b4528 in gf_filter_parse_args filter_core/filter.c:2033
#2 0x7ff70f7b5234 in gf_filter_new_finalize filter_core/filter.c:510
#3 0x7ff70f7b65d7 in gf_filter_new filter_core/filter.c:439
#4 0x7ff70f7021c7 in gf_filter_pid_resolve_link_internal filter_core/filter_pid.c:3611
#5 0x7ff70f7258b2 in gf_filter_pid_resolve_link_check_loaded filter_core/filter_pid.c:3711
#6 0x7ff70f7258b2 in gf_filter_pid_init_task filter_core/filter_pid.c:4883
#7 0x7ff70f7665a3 in gf_fs_thread_proc filter_core/filter_session.c:1859
#8 0x7ff70f772ece in gf_fs_run filter_core/filter_session.c:2120
#9 0x7ff70f1b59c1 in gf_media_import media_tools/media_import.c:1551
#10 0x5617e36bfb4c in import_file /home/sumuchuan/Desktop/gpac_fuzz/gpac/applications/mp4box/fileimport.c:1498
#11 0x5617e36ca5d7 in cat_isomedia_file /home/sumuchuan/Desktop/gpac_fuzz/gpac/applications/mp4box/fileimport.c:2536
#12 0x5617e3674130 in do_add_cat /home/sumuchuan/Desktop/gpac_fuzz/gpac/applications/mp4box/mp4box.c:4562
#13 0x5617e3674130 in mp4box_main /home/sumuchuan/Desktop/gpac_fuzz/gpac/applications/mp4box/mp4box.c:6124
#14 0x7ff70c73cd8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
SUMMARY: AddressSanitizer: heap-buffer-overflow ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:827 in __interceptor_memcpy
Shadow bytes around the buggy address:
0x0c1c7fff8070: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
0x0c1c7fff8080: 00 00 00 00 00 00 00 00 00 00 00 fa fa fa fa fa
0x0c1c7fff8090: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
0x0c1c7fff80a0: 00 00 00 00 00 00 00 fa fa fa fa fa fa fa fa fa
0x0c1c7fff80b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c1c7fff80c0: 00 00 00 00[fa]fa fa fa fa fa fa fa 00 00 00 00
0x0c1c7fff80d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c1c7fff80e0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
0x0c1c7fff80f0: 00 00 00 00 00 00 00 00 00 00 00 fa fa fa fa fa
0x0c1c7fff8100: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
0x0c1c7fff8110: 00 00 00 00 00 00 00 fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==735609==ABORTING
Looks like the oob read happens in filters/reframe_h263.c
READ of size 4294967295 at 0x60e000000620 thread T0
#0 0x7ff71222b396 in __interceptor_memcpy ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:827
#1 0x7ff70fbae101 in memcpy /usr/include/x86_64-linux-gnu/bits/string_fortified.h:29
#2 0x7ff70fbae101 in h263dmx_process filters/reframe_h263.c:609
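The read size 4294967295 in the report is 0xFFFFFFFF, the bit pattern a 32-bit unsigned length takes when -1 is stored in it, and it is asked of a 160-byte heap region, so memcpy reads far past the allocation. The block below is an added illustration and is not GPAC's code nor the code at reframe_h263.c:609: a hypothetical frame-buffer append (`frame_buf_append`, `frame_len_from_offsets` and `try_append_to_fresh_buf` are all invented names) that validates a parser-derived length against the remaining capacity before memcpy runs, rejecting both an oversized copy and an inverted offset pair that would otherwise wrap to a huge unsigned length.

```c
/* Added illustration, not GPAC's code: bounds-checked append for a frame
 * reassembly buffer of the kind a demuxer/reframer keeps. Lengths derived
 * from untrusted parser state are validated as size_t against remaining
 * capacity before memcpy ever runs. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Same size as the 160-byte region in the ASan report above. */
#define FRAME_BUF_CAP 160

typedef struct {
    uint8_t *data;   /* backing storage */
    size_t   cap;    /* allocated bytes */
    size_t   used;   /* bytes currently stored */
} frame_buf;

/* Appends len bytes from src. Returns 0 on success, -1 if the copy would
 * run past the buffer or the arguments are malformed. The remaining
 * capacity is computed as cap - used, which cannot wrap because used is
 * never allowed to exceed cap. */
int frame_buf_append(frame_buf *fb, const uint8_t *src, size_t len)
{
    if (!fb || !fb->data || fb->used > fb->cap) return -1;
    if (!src && len) return -1;
    if (len > fb->cap - fb->used) return -1;   /* would overflow: reject */
    memcpy(fb->data + fb->used, src, len);
    fb->used += len;
    return 0;
}

/* Derives a frame length from two parser offsets. An inconsistent pair
 * (end before start) is rejected instead of being turned into a wrapped
 * unsigned value such as 0xFFFFFFFF by a naive subtraction. */
int frame_len_from_offsets(size_t start, size_t end, size_t *out)
{
    if (!out || end < start) return -1;
    *out = end - start;
    return 0;
}

/* Helper for self-checks: appends len bytes into a fresh empty buffer and
 * returns the append result. */
int try_append_to_fresh_buf(size_t len)
{
    uint8_t store[FRAME_BUF_CAP];
    uint8_t chunk[FRAME_BUF_CAP];
    frame_buf fb = { store, FRAME_BUF_CAP, 0 };
    memset(chunk, 0xAB, sizeof chunk);   /* constructed sample payload */
    return frame_buf_append(&fb, chunk, len);
}

int main(void)
{
    uint8_t store[FRAME_BUF_CAP];
    uint8_t chunk[64];
    frame_buf fb = { store, FRAME_BUF_CAP, 0 };
    size_t len = 0;
    memset(chunk, 0x11, sizeof chunk);   /* constructed sample payload */

    printf("append 64 bytes: %d\n", frame_buf_append(&fb, chunk, 64));
    printf("append 64 bytes: %d\n", frame_buf_append(&fb, chunk, 64));
    printf("append 64 bytes (would overflow): %d\n", frame_buf_append(&fb, chunk, 64));
    printf("length from reversed offsets: %d\n", frame_len_from_offsets(20, 10, &len));
    printf("append 0xFFFFFFFF bytes: %d\n", frame_buf_append(&fb, chunk, (size_t)UINT32_MAX));
    return 0;
}
```

The point of the two checks is that the length a reframer copies should never be trusted as-is: both the arithmetic that produces it and the copy that consumes it are gated, so an inconsistent parser state yields an error return rather than a memcpy with a length of 4294967295.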
If compiled without ASAN and run with the same PoC:
./configure --static-bin
make
./MP4Box import -cat poc_bof13.mp4
there will be a segmentation fault:
[H263Dmx] garbage before first frame!
Track Importing H263 - Width 704 Height 576 FPS 15000/1000
Segmentation fault= | (50/100)
backtrace atm
pwndbg> bt
#0 0x0000000000afc1cc in __memmove_avx_unaligned_erms ()
#1 0x00000000007f0dbf in h263dmx_process ()
#2 0x00000000006d9c90 in gf_filter_process_task ()
#3 0x00000000006c5dbc in gf_fs_thread_proc ()
#4 0x00000000006cb3bb in gf_fs_run ()
#5 0x00000000006008ed in gf_media_import ()
#6 0x00000000004313d1 in import_file ()
#7 0x00000000004375f1 in cat_isomedia_file ()
#8 0x0000000000411e78 in mp4box_main ()
#9 0x0000000000a8c47a in __libc_start_call_main ()
#10 0x0000000000a8dcd7 in __libc_start_main_impl ()
#11 0x0000000000402c55 in _start ()
POC
poc_bof13.zip
Impact
Potentially causing DoS and RCE
Credit
Xdchase
Related news
Gentoo Linux Security Advisory 202408-21 - Multiple vulnerabilities have been discovered in GPAC, the worst of which could lead to arbitrary code execution. Versions greater than or equal to 2.2.0 are affected.
Debian Linux Security Advisory 5411-1 - Multiple issues were found in GPAC multimedia framework, which could result in denial of service or potentially the execution of arbitrary code.