Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2022-47663: buffer overflow in h263dmx_process filters/reframe_h263.c:609 · Issue #2360 · gpac/gpac

GPAC MP4box 2.1-DEV-rev649-ga8f438d20 is vulnerable to buffer overflow in h263dmx_process filters/reframe_h263.c:609

CVE
#linux#js#git#c++#rce#buffer_overflow#ssl
  • I looked for a similar issue and couldn’t find any.
  • I tried with the latest version of GPAC. Installers available at http://gpac.io/downloads/gpac-nightly-builds/
  • I give enough information for contributors to reproduce my issue (meaningful title, github labels,

Description

buffer overflow in h263dmx_process filters/reframe_h263.c:609

Version info

latest version atm

MP4Box - GPAC version 2.1-DEV-rev649-ga8f438d20-master
(c) 2000-2022 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io

Please cite our work in your research:
    GPAC Filters: https://doi.org/10.1145/3339825.3394929
    GPAC: https://doi.org/10.1145/1291233.1291452

GPAC Configuration: --enable-sanitizer
Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SSL GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_LINUX_DVB  GPAC_DISABLE_3D

Reproduce

compile and run

./configure --enable-sanitizer
make
./MP4Box import -cat poc_bof13.mp4

Crash reported by sanitizer

[H263Dmx] garbage before first frame!
Track Importing H263 - Width 704 Height 576 FPS 15000/1000
=================================================================
==735609==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60e000000620 at pc 0x7ff71222b397 bp 0x7ffeaf3c2280 sp 0x7ffeaf3c1a28
READ of size 4294967295 at 0x60e000000620 thread T0
    #0 0x7ff71222b396 in __interceptor_memcpy ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:827
    #1 0x7ff70fbae101 in memcpy /usr/include/x86_64-linux-gnu/bits/string_fortified.h:29
    #2 0x7ff70fbae101 in h263dmx_process filters/reframe_h263.c:609
    #3 0x7ff70f7a6f1d in gf_filter_process_task filter_core/filter.c:2815
    #4 0x7ff70f7665a3 in gf_fs_thread_proc filter_core/filter_session.c:1859
    #5 0x7ff70f772ece in gf_fs_run filter_core/filter_session.c:2120
    #6 0x7ff70f1b59c1 in gf_media_import media_tools/media_import.c:1551
    #7 0x5617e36bfb4c in import_file /home/sumuchuan/Desktop/gpac_fuzz/gpac/applications/mp4box/fileimport.c:1498
    #8 0x5617e36ca5d7 in cat_isomedia_file /home/sumuchuan/Desktop/gpac_fuzz/gpac/applications/mp4box/fileimport.c:2536
    #9 0x5617e3674130 in do_add_cat /home/sumuchuan/Desktop/gpac_fuzz/gpac/applications/mp4box/mp4box.c:4562
    #10 0x5617e3674130 in mp4box_main /home/sumuchuan/Desktop/gpac_fuzz/gpac/applications/mp4box/mp4box.c:6124
    #11 0x7ff70c73cd8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    #12 0x7ff70c73ce3f in __libc_start_main_impl ../csu/libc-start.c:392
    #13 0x5617e3650cb4 in _start (/home/sumuchuan/Desktop/gpac_fuzz/gpac/bin/gcc/MP4Box+0xabcb4)

0x60e000000620 is located 0 bytes to the right of 160-byte region [0x60e000000580,0x60e000000620)
allocated by thread T0 here:
    #0 0x7ff7122a5867 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
    #1 0x7ff70f7b4528 in gf_filter_parse_args filter_core/filter.c:2033
    #2 0x7ff70f7b5234 in gf_filter_new_finalize filter_core/filter.c:510
    #3 0x7ff70f7b65d7 in gf_filter_new filter_core/filter.c:439
    #4 0x7ff70f7021c7 in gf_filter_pid_resolve_link_internal filter_core/filter_pid.c:3611
    #5 0x7ff70f7258b2 in gf_filter_pid_resolve_link_check_loaded filter_core/filter_pid.c:3711
    #6 0x7ff70f7258b2 in gf_filter_pid_init_task filter_core/filter_pid.c:4883
    #7 0x7ff70f7665a3 in gf_fs_thread_proc filter_core/filter_session.c:1859
    #8 0x7ff70f772ece in gf_fs_run filter_core/filter_session.c:2120
    #9 0x7ff70f1b59c1 in gf_media_import media_tools/media_import.c:1551
    #10 0x5617e36bfb4c in import_file /home/sumuchuan/Desktop/gpac_fuzz/gpac/applications/mp4box/fileimport.c:1498
    #11 0x5617e36ca5d7 in cat_isomedia_file /home/sumuchuan/Desktop/gpac_fuzz/gpac/applications/mp4box/fileimport.c:2536
    #12 0x5617e3674130 in do_add_cat /home/sumuchuan/Desktop/gpac_fuzz/gpac/applications/mp4box/mp4box.c:4562
    #13 0x5617e3674130 in mp4box_main /home/sumuchuan/Desktop/gpac_fuzz/gpac/applications/mp4box/mp4box.c:6124
    #14 0x7ff70c73cd8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58

SUMMARY: AddressSanitizer: heap-buffer-overflow ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:827 in __interceptor_memcpy
Shadow bytes around the buggy address:
  0x0c1c7fff8070: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c1c7fff8080: 00 00 00 00 00 00 00 00 00 00 00 fa fa fa fa fa
  0x0c1c7fff8090: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c1c7fff80a0: 00 00 00 00 00 00 00 fa fa fa fa fa fa fa fa fa
  0x0c1c7fff80b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c1c7fff80c0: 00 00 00 00[fa]fa fa fa fa fa fa fa 00 00 00 00
  0x0c1c7fff80d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c1c7fff80e0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c1c7fff80f0: 00 00 00 00 00 00 00 00 00 00 00 fa fa fa fa fa
  0x0c1c7fff8100: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c1c7fff8110: 00 00 00 00 00 00 00 fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==735609==ABORTING

Looks like the oob read happens in filters/reframe_h263.c

READ of size 4294967295 at 0x60e000000620 thread T0
   #0 0x7ff71222b396 in __interceptor_memcpy 
   ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:827
   #1 0x7ff70fbae101 in memcpy /usr/include/x86_64-linux-gnu/bits/string_fortified.h:29
   #2 0x7ff70fbae101 in h263dmx_process filters/reframe_h263.c:609

if compile without ASAN and run the same poc

./configure --static-bin
make
./MP4Box import -cat poc_bof13.mp4

there will be segment fault

[H263Dmx] garbage before first frame!
Track Importing H263 - Width 704 Height 576 FPS 15000/1000
Segmentation fault=          | (50/100)

backtrace atm

pwndbg> bt
#0  0x0000000000afc1cc in __memmove_avx_unaligned_erms ()
#1  0x00000000007f0dbf in h263dmx_process ()
#2  0x00000000006d9c90 in gf_filter_process_task ()
#3  0x00000000006c5dbc in gf_fs_thread_proc ()
#4  0x00000000006cb3bb in gf_fs_run ()
#5  0x00000000006008ed in gf_media_import ()
#6  0x00000000004313d1 in import_file ()
#7  0x00000000004375f1 in cat_isomedia_file ()
#8  0x0000000000411e78 in mp4box_main ()
#9  0x0000000000a8c47a in __libc_start_call_main ()
#10 0x0000000000a8dcd7 in __libc_start_main_impl ()
#11 0x0000000000402c55 in _start ()

POC

poc_bof13.zip

Impact

Potentially causing DoS and RCE

Credit

Xdchase

Related news

Gentoo Linux Security Advisory 202408-21

Gentoo Linux Security Advisory 202408-21 - Multiple vulnerabilities have been discovered in GPAC, the worst of which could lead to arbitrary code execution. Versions greater than or equal to 2.2.0 are affected.

Debian Security Advisory 5411-1

Debian Linux Security Advisory 5411-1 - Multiple issues were found in GPAC multimedia framework, which could result in denial of service or potentially the execution of arbitrary code.

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE-2023-6905
CVE-2023-6903
CVE-2023-6904
CVE-2023-3907