CVE-2022-47662: Infinite recursion in Media_GetSample isomedia/media.c:662 · Issue #2359 · gpac/gpac

GPAC MP4Box 2.1-DEV-rev649-ga8f438d20 has a segmentation fault (stack overflow) due to infinite recursion in Media_GetSample isomedia/media.c:662

  • I looked for a similar issue and couldn’t find any.
  • I tried with the latest version of GPAC. Installers available at http://gpac.io/downloads/gpac-nightly-builds/
  • I give enough information for contributors to reproduce my issue (meaningful title, github labels,

Description

Segmentation fault (stack overflow) due to infinite recursion in Media_GetSample isomedia/media.c:662

Version info

Latest version at the moment:

MP4Box - GPAC version 2.1-DEV-rev649-ga8f438d20-master
(c) 2000-2022 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io

Please cite our work in your research:
    GPAC Filters: https://doi.org/10.1145/3339825.3394929
    GPAC: https://doi.org/10.1145/1291233.1291452

GPAC Configuration: --enable-sanitizer
Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SSL GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_LINUX_DVB  GPAC_DISABLE_3D

Reproduce

Compile and run:

./configure --enable-sanitizer
make
./MP4Box import -cat poc_segfault2.mp4

Crash reported by sanitizer

[HEVC] Error parsing NAL unit type 63
Track Importing L-HEVC - Width 1 Height 6 FPS 25000/1000
[HEVC] NAL Unit type 26 not handled - adding
[HEVC] xPS changed but could not flush frames before signaling state change !
[HEVC] Error parsing NAL unit type 33
[HEVC] Error parsing NAL unit type 32
[HEVC] Invalid log2_max_pic_order_cnt_lsb_minus4 80, max shall be 12
[HEVC] Error parsing NAL unit type 33
[HEVC] Error parsing Sequence Param Set
[HEVC] Error parsing NAL unit type 34
[HEVC] Error parsing NAL unit type 0
[HEVC] Error parsing NAL unit type 32         
[HEVC] Error parsing NAL unit type 32
HEVC Import results: 7 samples (39 NALUs) - Slices: 0 I 0 P 1 B - 0 SEI - 0 IDR - 0 CRA
HEVC L-HEVC Import results: Slices: 3 I 0 P 2 B
HEVC Stream uses forward prediction - stream CTS offset: 6 frames
HEVC Max NALU size is 106 - stream could be optimized by setting nal_length=1
Appending file /home/sumuchuan/Desktop/gpac_fuzz/cat_gpac/bin/gcc/out/default/crashes/160.mp4
No suitable destination track found - creating new one (type vide)
AddressSanitizer:DEADLYSIGNAL   | (57/100)
=================================================================
==738673==ERROR: AddressSanitizer: stack-overflow on address 0x7ffdae782bc0 (pc 0x7f415d384491 bp 0x7ffdae783400 sp 0x7ffdae782bc0 T0)
    #0 0x7f415d384491 in __sanitizer::StackTrace::StackTrace(unsigned long const*, unsigned int) ../../../../src/libsanitizer/sanitizer_common/sanitizer_stacktrace.h:52
    #1 0x7f415d384491 in __sanitizer::BufferedStackTrace::BufferedStackTrace() ../../../../src/libsanitizer/sanitizer_common/sanitizer_stacktrace.h:105
    #2 0x7f415d384491 in __interceptor_free ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:127
    #3 0x7f415787f858 in __GI__IO_free_backup_area libio/genops.c:190
    #4 0x7f415787cae3 in _IO_new_file_seekoff libio/fileops.c:975
    #5 0x7f415787ad52 in __fseeko libio/fseeko.c:40
    #6 0x7f4159a1536a in BS_SeekIntern utils/bitstream.c:1338
    #7 0x7f4159a1536a in gf_bs_seek utils/bitstream.c:1373
    #8 0x7f4159fbbfc9 in gf_isom_fdm_get_data isomedia/data_map.c:501
    #9 0x7f4159fbbfc9 in gf_isom_datamap_get_data isomedia/data_map.c:279
    #10 0x7f415a0a1f40 in Media_GetSample isomedia/media.c:641
    #11 0x7f4159ffc579 in gf_isom_get_sample_ex isomedia/isom_read.c:1916
    #12 0x7f4159ec91ca in gf_isom_nalu_sample_rewrite isomedia/avc_ext.c:454
    #13 0x7f415a0a305a in Media_GetSample isomedia/media.c:662
    #14 0x7f4159ffc579 in gf_isom_get_sample_ex isomedia/isom_read.c:1916
    #15 0x7f4159ec91ca in gf_isom_nalu_sample_rewrite isomedia/avc_ext.c:454
    #16 0x7f415a0a305a in Media_GetSample isomedia/media.c:662
    #17 0x7f4159ffc579 in gf_isom_get_sample_ex isomedia/isom_read.c:1916
    #18 0x7f4159ec91ca in gf_isom_nalu_sample_rewrite isomedia/avc_ext.c:454
    #19 0x7f415a0a305a in Media_GetSample isomedia/media.c:662
    #20 0x7f4159ffc579 in gf_isom_get_sample_ex isomedia/isom_read.c:1916
    #21 0x7f4159ec91ca in gf_isom_nalu_sample_rewrite isomedia/avc_ext.c:454
    #22 0x7f415a0a305a in Media_GetSample isomedia/media.c:662
    #23 0x7f4159ffc579 in gf_isom_get_sample_ex isomedia/isom_read.c:1916
    #24 0x7f4159ec91ca in gf_isom_nalu_sample_rewrite isomedia/avc_ext.c:454
    ...

This looks like infinite recursion:

Media_GetSample isomedia/media.c:662
 -> gf_isom_nalu_sample_rewrite isomedia/avc_ext.c:454
 -> gf_isom_get_sample_ex isomedia/isom_read.c:1916
 -> Media_GetSample isomedia/media.c:662

If compiled without ASAN and run on the same PoC:

./configure --static-bin
make
./MP4Box import -cat poc_segfault2.mp4

there is a segmentation fault:

[HEVC] Error parsing NAL unit type 63
Track Importing L-HEVC - Width 1 Height 6 FPS 25000/1000
[HEVC] NAL Unit type 26 not handled - adding
[HEVC] xPS changed but could not flush frames before signaling state change !
[HEVC] Error parsing NAL unit type 33
[HEVC] Error parsing NAL unit type 32
[HEVC] Invalid log2_max_pic_order_cnt_lsb_minus4 80, max shall be 12
[HEVC] Error parsing NAL unit type 33
[HEVC] Error parsing Sequence Param Set
[HEVC] Error parsing NAL unit type 34
[HEVC] Error parsing NAL unit type 0
[HEVC] Error parsing NAL unit type 32         
[HEVC] Error parsing NAL unit type 32
HEVC Import results: 7 samples (39 NALUs) - Slices: 0 I 0 P 1 B - 0 SEI - 0 IDR - 0 CRA
HEVC L-HEVC Import results: Slices: 3 I 0 P 2 B
HEVC Stream uses forward prediction - stream CTS offset: 6 frames
HEVC Max NALU size is 106 - stream could be optimized by setting nal_length=1
Appending file /home/sumuchuan/Desktop/gpac_fuzz/cat_gpac/bin/gcc/out/default/crashes/160.mp4
No suitable destination track found - creating new one (type vide)
Segmentation fault=====         | (57/100)

Because it ran out of stack space, rsp and rbp point to unmapped memory, causing the segmentation fault. Backtrace at the moment:

pwndbg> bt
...
#16487 0x000000000054d599 in gf_isom_get_sample_ex ()
#16488 0x0000000000521d6d in gf_isom_nalu_sample_rewrite ()
#16489 0x0000000000570e13 in Media_GetSample ()
#16490 0x000000000054d599 in gf_isom_get_sample_ex ()
#16491 0x0000000000521d6d in gf_isom_nalu_sample_rewrite ()
#16492 0x0000000000570e13 in Media_GetSample ()
#16493 0x000000000054d599 in gf_isom_get_sample_ex ()
#16494 0x0000000000521d6d in gf_isom_nalu_sample_rewrite ()
#16495 0x0000000000570e13 in Media_GetSample ()
...

POC

poc-segfault2.zip

Impact

Potentially causing DoS

Credit

Xdchase
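The trace above cycles through Media_GetSample, gf_isom_nalu_sample_rewrite and gf_isom_get_sample_ex until the stack is exhausted. As an added illustration that is not GPAC's code, the toy model below assumes the cycle arises because fetching one sample resolves a reference to another track that, directly or indirectly, refers back to the first; the `ref_track` field, `MAX_REF_DEPTH` and the track tables are constructed for this example. It shows the defensive check such a fetch path needs: a visited set plus a depth cap, so a malformed reference cycle is reported as an error rather than recursed into.

```c
#include <stdio.h>
#include <string.h>

#define MAX_TRACKS    4
#define MAX_REF_DEPTH 8  /* hypothetical cap on nested reference resolution */

/* Constructed model: a track either carries its own payload or refers to
 * another track (ref_track >= 0) whose sample must be fetched first. */
typedef struct {
    int         ref_track;  /* -1 when the track holds its own data */
    const char *payload;
} track_t;

/* Fetch track trk's sample, following references. 'visited' is a bitmask
 * of tracks already on the call path; meeting one again is a cycle. */
static const char *resolve(const track_t *t, int trk, unsigned visited, int depth)
{
    if (trk < 0 || trk >= MAX_TRACKS) return NULL;   /* out-of-range reference */
    if (visited & (1u << trk))        return NULL;   /* reference cycle */
    if (depth > MAX_REF_DEPTH)        return NULL;   /* pathological nesting */
    visited |= 1u << trk;
    if (t[trk].ref_track >= 0)
        return resolve(t, t[trk].ref_track, visited, depth + 1);
    return t[trk].payload;
}

const char *get_sample(const track_t *t, int trk) { return resolve(t, trk, 0u, 0); }

/* Constructed inputs: a legitimate two-hop chain and a 0 -> 1 -> 0 cycle. */
static const track_t chain_tracks[MAX_TRACKS] = {
    { 1, NULL }, { 2, NULL }, { -1, "base layer sample" }, { -1, "unused" }
};
static const track_t cyclic_tracks[MAX_TRACKS] = {
    { 1, NULL }, { 0, NULL }, { -1, "unreachable" }, { -1, "unused" }
};

int chain_resolves(void)
{
    const char *p = get_sample(chain_tracks, 0);
    return p != NULL && strcmp(p, "base layer sample") == 0;
}

int cycle_rejected(void) { return get_sample(cyclic_tracks, 0) == NULL; }

int main(void)
{
    printf("chain resolves: %d\n", chain_resolves());  /* 1 */
    printf("cycle rejected: %d\n", cycle_rejected());  /* 1 */
    return 0;
}
```

Without the `visited` check and depth cap, the cyclic table would recurse until the stack overflowed, exactly the failure mode the sanitizer and the pwndbg backtrace above record.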
