Headline
CVE-2022-47663: buffer overflow in h263dmx_process filters/reframe_h263.c:609 · Issue #2360 · gpac/gpac
GPAC MP4box 2.1-DEV-rev649-ga8f438d20 is vulnerable to buffer overflow in h263dmx_process filters/reframe_h263.c:609
- I looked for a similar issue and couldn’t find any.
- I tried with the latest version of GPAC. Installers available at http://gpac.io/downloads/gpac-nightly-builds/
- I give enough information for contributors to reproduce my issue (meaningful title, github labels,
Description
buffer overflow in h263dmx_process filters/reframe_h263.c:609
Version info
latest version atm
MP4Box - GPAC version 2.1-DEV-rev649-ga8f438d20-master
(c) 2000-2022 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
Please cite our work in your research:
GPAC Filters: https://doi.org/10.1145/3339825.3394929
GPAC: https://doi.org/10.1145/1291233.1291452
GPAC Configuration: --enable-sanitizer
Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SSL GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_LINUX_DVB GPAC_DISABLE_3D
Reproduce
compile and run
./configure --enable-sanitizer
make
./MP4Box import -cat poc_bof13.mp4
Crash reported by sanitizer
[H263Dmx] garbage before first frame!
Track Importing H263 - Width 704 Height 576 FPS 15000/1000
=================================================================
==735609==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60e000000620 at pc 0x7ff71222b397 bp 0x7ffeaf3c2280 sp 0x7ffeaf3c1a28
READ of size 4294967295 at 0x60e000000620 thread T0
#0 0x7ff71222b396 in __interceptor_memcpy ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:827
#1 0x7ff70fbae101 in memcpy /usr/include/x86_64-linux-gnu/bits/string_fortified.h:29
#2 0x7ff70fbae101 in h263dmx_process filters/reframe_h263.c:609
#3 0x7ff70f7a6f1d in gf_filter_process_task filter_core/filter.c:2815
#4 0x7ff70f7665a3 in gf_fs_thread_proc filter_core/filter_session.c:1859
#5 0x7ff70f772ece in gf_fs_run filter_core/filter_session.c:2120
#6 0x7ff70f1b59c1 in gf_media_import media_tools/media_import.c:1551
#7 0x5617e36bfb4c in import_file /home/sumuchuan/Desktop/gpac_fuzz/gpac/applications/mp4box/fileimport.c:1498
#8 0x5617e36ca5d7 in cat_isomedia_file /home/sumuchuan/Desktop/gpac_fuzz/gpac/applications/mp4box/fileimport.c:2536
#9 0x5617e3674130 in do_add_cat /home/sumuchuan/Desktop/gpac_fuzz/gpac/applications/mp4box/mp4box.c:4562
#10 0x5617e3674130 in mp4box_main /home/sumuchuan/Desktop/gpac_fuzz/gpac/applications/mp4box/mp4box.c:6124
#11 0x7ff70c73cd8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
#12 0x7ff70c73ce3f in __libc_start_main_impl ../csu/libc-start.c:392
#13 0x5617e3650cb4 in _start (/home/sumuchuan/Desktop/gpac_fuzz/gpac/bin/gcc/MP4Box+0xabcb4)
0x60e000000620 is located 0 bytes to the right of 160-byte region [0x60e000000580,0x60e000000620)
allocated by thread T0 here:
#0 0x7ff7122a5867 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
#1 0x7ff70f7b4528 in gf_filter_parse_args filter_core/filter.c:2033
#2 0x7ff70f7b5234 in gf_filter_new_finalize filter_core/filter.c:510
#3 0x7ff70f7b65d7 in gf_filter_new filter_core/filter.c:439
#4 0x7ff70f7021c7 in gf_filter_pid_resolve_link_internal filter_core/filter_pid.c:3611
#5 0x7ff70f7258b2 in gf_filter_pid_resolve_link_check_loaded filter_core/filter_pid.c:3711
#6 0x7ff70f7258b2 in gf_filter_pid_init_task filter_core/filter_pid.c:4883
#7 0x7ff70f7665a3 in gf_fs_thread_proc filter_core/filter_session.c:1859
#8 0x7ff70f772ece in gf_fs_run filter_core/filter_session.c:2120
#9 0x7ff70f1b59c1 in gf_media_import media_tools/media_import.c:1551
#10 0x5617e36bfb4c in import_file /home/sumuchuan/Desktop/gpac_fuzz/gpac/applications/mp4box/fileimport.c:1498
#11 0x5617e36ca5d7 in cat_isomedia_file /home/sumuchuan/Desktop/gpac_fuzz/gpac/applications/mp4box/fileimport.c:2536
#12 0x5617e3674130 in do_add_cat /home/sumuchuan/Desktop/gpac_fuzz/gpac/applications/mp4box/mp4box.c:4562
#13 0x5617e3674130 in mp4box_main /home/sumuchuan/Desktop/gpac_fuzz/gpac/applications/mp4box/mp4box.c:6124
#14 0x7ff70c73cd8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
SUMMARY: AddressSanitizer: heap-buffer-overflow ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:827 in __interceptor_memcpy
Shadow bytes around the buggy address:
0x0c1c7fff8070: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
0x0c1c7fff8080: 00 00 00 00 00 00 00 00 00 00 00 fa fa fa fa fa
0x0c1c7fff8090: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
0x0c1c7fff80a0: 00 00 00 00 00 00 00 fa fa fa fa fa fa fa fa fa
0x0c1c7fff80b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c1c7fff80c0: 00 00 00 00[fa]fa fa fa fa fa fa fa 00 00 00 00
0x0c1c7fff80d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c1c7fff80e0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
0x0c1c7fff80f0: 00 00 00 00 00 00 00 00 00 00 00 fa fa fa fa fa
0x0c1c7fff8100: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
0x0c1c7fff8110: 00 00 00 00 00 00 00 fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==735609==ABORTING
Looks like the oob read happens in filters/reframe_h263.c
READ of size 4294967295 at 0x60e000000620 thread T0
#0 0x7ff71222b396 in __interceptor_memcpy
../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:827
#1 0x7ff70fbae101 in memcpy /usr/include/x86_64-linux-gnu/bits/string_fortified.h:29
#2 0x7ff70fbae101 in h263dmx_process filters/reframe_h263.c:609
if compile without ASAN and run the same poc
./configure --static-bin
make
./MP4Box import -cat poc_bof13.mp4
there will be segment fault
[H263Dmx] garbage before first frame!
Track Importing H263 - Width 704 Height 576 FPS 15000/1000
Segmentation fault= | (50/100)
backtrace atm
pwndbg> bt
#0 0x0000000000afc1cc in __memmove_avx_unaligned_erms ()
#1 0x00000000007f0dbf in h263dmx_process ()
#2 0x00000000006d9c90 in gf_filter_process_task ()
#3 0x00000000006c5dbc in gf_fs_thread_proc ()
#4 0x00000000006cb3bb in gf_fs_run ()
#5 0x00000000006008ed in gf_media_import ()
#6 0x00000000004313d1 in import_file ()
#7 0x00000000004375f1 in cat_isomedia_file ()
#8 0x0000000000411e78 in mp4box_main ()
#9 0x0000000000a8c47a in __libc_start_call_main ()
#10 0x0000000000a8dcd7 in __libc_start_main_impl ()
#11 0x0000000000402c55 in _start ()
POC
poc_bof13.zip
Impact
Potentially causing DoS and RCE
Credit
Xdchase
Related news
Gentoo Linux Security Advisory 202408-21
Gentoo Linux Security Advisory 202408-21 - Multiple vulnerabilities have been discovered in GPAC, the worst of which could lead to arbitrary code execution. Versions greater than or equal to 2.2.0 are affected.
Debian Security Advisory 5411-1
Debian Linux Security Advisory 5411-1 - Multiple issues were found in GPAC multimedia framework, which could result in denial of service or potentially the execution of arbitrary code.