CVE-2022-47662: Infinite recursion in Media_GetSample isomedia/media.c:662 · Issue #2359 · gpac/gpac
GPAC MP4Box 2.1-DEV-rev649-ga8f438d20 has a segmentation fault (stack overflow) due to infinite recursion in Media_GetSample isomedia/media.c:662
- I looked for a similar issue and couldn’t find any.
- I tried with the latest version of GPAC. Installers available at http://gpac.io/downloads/gpac-nightly-builds/
- I give enough information for contributors to reproduce my issue (meaningful title, github labels,
Description
Segmentation fault (stack overflow) due to infinite recursion in Media_GetSample isomedia/media.c:662
Version info
latest version atm
MP4Box - GPAC version 2.1-DEV-rev649-ga8f438d20-master
(c) 2000-2022 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
Please cite our work in your research:
GPAC Filters: https://doi.org/10.1145/3339825.3394929
GPAC: https://doi.org/10.1145/1291233.1291452
GPAC Configuration: --enable-sanitizer
Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SSL GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_LINUX_DVB GPAC_DISABLE_3D
Reproduce
compile and run
./configure --enable-sanitizer
make
./MP4Box import -cat poc_segfault2.mp4
Crash reported by sanitizer
[HEVC] Error parsing NAL unit type 63
Track Importing L-HEVC - Width 1 Height 6 FPS 25000/1000
[HEVC] NAL Unit type 26 not handled - adding
[HEVC] xPS changed but could not flush frames before signaling state change !
[HEVC] Error parsing NAL unit type 33
[HEVC] Error parsing NAL unit type 32
[HEVC] Invalid log2_max_pic_order_cnt_lsb_minus4 80, max shall be 12
[HEVC] Error parsing NAL unit type 33
[HEVC] Error parsing Sequence Param Set
[HEVC] Error parsing NAL unit type 34
[HEVC] Error parsing NAL unit type 0
[HEVC] Error parsing NAL unit type 32
[HEVC] Error parsing NAL unit type 32
HEVC Import results: 7 samples (39 NALUs) - Slices: 0 I 0 P 1 B - 0 SEI - 0 IDR - 0 CRA
HEVC L-HEVC Import results: Slices: 3 I 0 P 2 B
HEVC Stream uses forward prediction - stream CTS offset: 6 frames
HEVC Max NALU size is 106 - stream could be optimized by setting nal_length=1
Appending file /home/sumuchuan/Desktop/gpac_fuzz/cat_gpac/bin/gcc/out/default/crashes/160.mp4
No suitable destination track found - creating new one (type vide)
AddressSanitizer:DEADLYSIGNAL | (57/100)
=================================================================
==738673==ERROR: AddressSanitizer: stack-overflow on address 0x7ffdae782bc0 (pc 0x7f415d384491 bp 0x7ffdae783400 sp 0x7ffdae782bc0 T0)
#0 0x7f415d384491 in __sanitizer::StackTrace::StackTrace(unsigned long const*, unsigned int) ../../../../src/libsanitizer/sanitizer_common/sanitizer_stacktrace.h:52
#1 0x7f415d384491 in __sanitizer::BufferedStackTrace::BufferedStackTrace() ../../../../src/libsanitizer/sanitizer_common/sanitizer_stacktrace.h:105
#2 0x7f415d384491 in __interceptor_free ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:127
#3 0x7f415787f858 in __GI__IO_free_backup_area libio/genops.c:190
#4 0x7f415787cae3 in _IO_new_file_seekoff libio/fileops.c:975
#5 0x7f415787ad52 in __fseeko libio/fseeko.c:40
#6 0x7f4159a1536a in BS_SeekIntern utils/bitstream.c:1338
#7 0x7f4159a1536a in gf_bs_seek utils/bitstream.c:1373
#8 0x7f4159fbbfc9 in gf_isom_fdm_get_data isomedia/data_map.c:501
#9 0x7f4159fbbfc9 in gf_isom_datamap_get_data isomedia/data_map.c:279
#10 0x7f415a0a1f40 in Media_GetSample isomedia/media.c:641
#11 0x7f4159ffc579 in gf_isom_get_sample_ex isomedia/isom_read.c:1916
#12 0x7f4159ec91ca in gf_isom_nalu_sample_rewrite isomedia/avc_ext.c:454
#13 0x7f415a0a305a in Media_GetSample isomedia/media.c:662
#14 0x7f4159ffc579 in gf_isom_get_sample_ex isomedia/isom_read.c:1916
#15 0x7f4159ec91ca in gf_isom_nalu_sample_rewrite isomedia/avc_ext.c:454
#16 0x7f415a0a305a in Media_GetSample isomedia/media.c:662
#17 0x7f4159ffc579 in gf_isom_get_sample_ex isomedia/isom_read.c:1916
#18 0x7f4159ec91ca in gf_isom_nalu_sample_rewrite isomedia/avc_ext.c:454
#19 0x7f415a0a305a in Media_GetSample isomedia/media.c:662
#20 0x7f4159ffc579 in gf_isom_get_sample_ex isomedia/isom_read.c:1916
#21 0x7f4159ec91ca in gf_isom_nalu_sample_rewrite isomedia/avc_ext.c:454
#22 0x7f415a0a305a in Media_GetSample isomedia/media.c:662
#23 0x7f4159ffc579 in gf_isom_get_sample_ex isomedia/isom_read.c:1916
#24 0x7f4159ec91ca in gf_isom_nalu_sample_rewrite isomedia/avc_ext.c:454
...
Looks like an infinite recursion:
Media_GetSample isomedia/media.c:662
-> gf_isom_nalu_sample_rewrite isomedia/avc_ext.c:454
-> gf_isom_get_sample_ex isomedia/isom_read.c:1916
-> Media_GetSample isomedia/media.c:662
If compiled without ASan and run on the same PoC:
./configure --static-bin
make
./MP4Box import -cat poc_segfault2.mp4
there will be a segmentation fault:
[HEVC] Error parsing NAL unit type 63
Track Importing L-HEVC - Width 1 Height 6 FPS 25000/1000
[HEVC] NAL Unit type 26 not handled - adding
[HEVC] xPS changed but could not flush frames before signaling state change !
[HEVC] Error parsing NAL unit type 33
[HEVC] Error parsing NAL unit type 32
[HEVC] Invalid log2_max_pic_order_cnt_lsb_minus4 80, max shall be 12
[HEVC] Error parsing NAL unit type 33
[HEVC] Error parsing Sequence Param Set
[HEVC] Error parsing NAL unit type 34
[HEVC] Error parsing NAL unit type 0
[HEVC] Error parsing NAL unit type 32
[HEVC] Error parsing NAL unit type 32
HEVC Import results: 7 samples (39 NALUs) - Slices: 0 I 0 P 1 B - 0 SEI - 0 IDR - 0 CRA
HEVC L-HEVC Import results: Slices: 3 I 0 P 2 B
HEVC Stream uses forward prediction - stream CTS offset: 6 frames
HEVC Max NALU size is 106 - stream could be optimized by setting nal_length=1
Appending file /home/sumuchuan/Desktop/gpac_fuzz/cat_gpac/bin/gcc/out/default/crashes/160.mp4
No suitable destination track found - creating new one (type vide)
Segmentation fault===== | (57/100)
It ran out of stack space, so rsp and rbp point to unmapped memory, which causes the segfault. Backtrace at that point:
pwndbg> bt
...
#16487 0x000000000054d599 in gf_isom_get_sample_ex ()
#16488 0x0000000000521d6d in gf_isom_nalu_sample_rewrite ()
#16489 0x0000000000570e13 in Media_GetSample ()
#16490 0x000000000054d599 in gf_isom_get_sample_ex ()
#16491 0x0000000000521d6d in gf_isom_nalu_sample_rewrite ()
#16492 0x0000000000570e13 in Media_GetSample ()
#16493 0x000000000054d599 in gf_isom_get_sample_ex ()
#16494 0x0000000000521d6d in gf_isom_nalu_sample_rewrite ()
#16495 0x0000000000570e13 in Media_GetSample ()
...
POC
poc-segfault2.zip
Impact
Potentially causing DoS
Credit
Xdchase
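Triaging a stack overflow like this one by hand means scanning the trace for the repeating frames. The following Python script, added here as an example and not part of GPAC or of the reporter's material, parses the two backtrace formats quoted in this issue (ASan frames with `file:line` and gdb frames without symbols), finds the shortest group of frames that repeats back-to-back, and reduces it to an order-independent cycle signature, so that the sanitizer crash and the plain segfault above are recognised as the same bug. The sample traces are excerpts constructed from the frames quoted in the report; the helper names (`parse_frames`, `find_repeating_cycle`, `canonical_cycle`, `triage`) are this example's own.

```python
"""Crash-triage helper: detect a mutually recursive stack overflow in an ASan or
gdb backtrace and reduce it to a stable cycle signature for deduplication."""
import re
from typing import Dict, List, Optional, Tuple

# One frame in ASan ("#13 0x7f41... in Media_GetSample isomedia/media.c:662") or gdb format.
FRAME_RE = re.compile(r"^\s*#(\d+)\s+0x[0-9a-fA-F]+\s+in\s+(.*?)\s*$")
LOCATION_RE = re.compile(r"\s+(\S+:\d+)$")  # trailing "file:line" that ASan appends

def parse_frames(text: str) -> List[Tuple[int, str, Optional[str]]]:
    """Return (frame_no, function, location) tuples, innermost frame first."""
    frames = []
    for line in text.splitlines():
        m = FRAME_RE.match(line)
        if not m:
            continue
        symbol, location = m.group(2), None
        loc = LOCATION_RE.search(symbol)
        if loc:
            location, symbol = loc.group(1), symbol[: loc.start()]
        if symbol.endswith(" ()"):  # gdb prints "func ()" when it has no debug info
            symbol = symbol[:-3]
        frames.append((int(m.group(1)), symbol.strip(), location))
    return frames

def find_repeating_cycle(funcs: List[str], min_repeats: int = 3) -> Optional[Tuple[int, int, int]]:
    """Smallest period and earliest start at which funcs[start:start+period]
    repeats back-to-back at least min_repeats times -> (start, period, repeats)."""
    n = len(funcs)
    for period in range(1, n // min_repeats + 1):
        for start in range(0, n - period * min_repeats + 1):
            block = funcs[start:start + period]
            repeats, pos = 1, start + period
            while funcs[pos:pos + period] == block:
                repeats, pos = repeats + 1, pos + period
            if repeats >= min_repeats:
                return start, period, repeats
    return None

def canonical_cycle(block: List[str]) -> Tuple[str, ...]:
    """Innermost-first cycle -> caller->callee order, rotated to its smallest
    rotation, so the same recursion yields one signature whatever frame the
    captured trace happens to start on."""
    callers_first = list(reversed(block))
    return min(tuple(callers_first[i:] + callers_first[:i]) for i in range(len(block)))

def triage(text: str, min_repeats: int = 3) -> Dict[str, object]:
    """Summarise a backtrace: ASan report kind, frame count and, if the frames
    cycle, the canonical cycle, its repeat count and the frame where it starts."""
    frames = parse_frames(text)
    header = re.search(r"AddressSanitizer: (\S+)", text)
    result: Dict[str, object] = {"report": header.group(1) if header else None,
                                 "frames": len(frames), "recursive": False,
                                 "cycle": None, "repeats": 0, "first_cycle_frame": None}
    hit = find_repeating_cycle([f[1] for f in frames], min_repeats)
    if hit:
        start, period, repeats = hit
        result.update(recursive=True, repeats=repeats, first_cycle_frame=frames[start][0],
                      cycle=canonical_cycle([f[1] for f in frames[start:start + period]]))
    return result

# Constructed samples: excerpts of the two backtraces quoted in the issue above.
ASAN_TRACE = """\
==738673==ERROR: AddressSanitizer: stack-overflow on address 0x7ffdae782bc0 (pc 0x7f415d384491 bp 0x7ffdae783400 sp 0x7ffdae782bc0 T0)
    #8 0x7f4159fbbfc9 in gf_isom_fdm_get_data isomedia/data_map.c:501
    #9 0x7f4159fbbfc9 in gf_isom_datamap_get_data isomedia/data_map.c:279
    #10 0x7f415a0a1f40 in Media_GetSample isomedia/media.c:641
    #11 0x7f4159ffc579 in gf_isom_get_sample_ex isomedia/isom_read.c:1916
    #12 0x7f4159ec91ca in gf_isom_nalu_sample_rewrite isomedia/avc_ext.c:454
    #13 0x7f415a0a305a in Media_GetSample isomedia/media.c:662
    #14 0x7f4159ffc579 in gf_isom_get_sample_ex isomedia/isom_read.c:1916
    #15 0x7f4159ec91ca in gf_isom_nalu_sample_rewrite isomedia/avc_ext.c:454
    #16 0x7f415a0a305a in Media_GetSample isomedia/media.c:662
    #17 0x7f4159ffc579 in gf_isom_get_sample_ex isomedia/isom_read.c:1916
    #18 0x7f4159ec91ca in gf_isom_nalu_sample_rewrite isomedia/avc_ext.c:454
    #19 0x7f415a0a305a in Media_GetSample isomedia/media.c:662
    #20 0x7f4159ffc579 in gf_isom_get_sample_ex isomedia/isom_read.c:1916
    #21 0x7f4159ec91ca in gf_isom_nalu_sample_rewrite isomedia/avc_ext.c:454
    #22 0x7f415a0a305a in Media_GetSample isomedia/media.c:662
    #23 0x7f4159ffc579 in gf_isom_get_sample_ex isomedia/isom_read.c:1916
    #24 0x7f4159ec91ca in gf_isom_nalu_sample_rewrite isomedia/avc_ext.c:454
"""
GDB_TRACE = """\
#16487 0x000000000054d599 in gf_isom_get_sample_ex ()
#16488 0x0000000000521d6d in gf_isom_nalu_sample_rewrite ()
#16489 0x0000000000570e13 in Media_GetSample ()
#16490 0x000000000054d599 in gf_isom_get_sample_ex ()
#16491 0x0000000000521d6d in gf_isom_nalu_sample_rewrite ()
#16492 0x0000000000570e13 in Media_GetSample ()
#16493 0x000000000054d599 in gf_isom_get_sample_ex ()
#16494 0x0000000000521d6d in gf_isom_nalu_sample_rewrite ()
#16495 0x0000000000570e13 in Media_GetSample ()
"""

if __name__ == "__main__":
    for name, trace in (("asan", ASAN_TRACE), ("gdb", GDB_TRACE)):
        print(name, triage(trace))
```

Both traces reduce to the same signature, `Media_GetSample -> gf_isom_nalu_sample_rewrite -> gf_isom_get_sample_ex`, which is the cycle the report describes; the ASan excerpt shows it repeating five times starting at frame #10, the gdb excerpt three times starting at frame #16487. In a fuzzing pipeline the canonical cycle is a better deduplication key for stack overflows than the top frame, since the innermost frame of a blown stack is whatever happened to run out of space (here `free` inside `fseeko`), not the function responsible for the recursion.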
Related news
Gentoo Linux Security Advisory 202408-21 - Multiple vulnerabilities have been discovered in GPAC, the worst of which could lead to arbitrary code execution. Versions greater than or equal to 2.2.0 are affected.
Debian Linux Security Advisory 5411-1 - Multiple issues were found in GPAC multimedia framework, which could result in denial of service or potentially the execution of arbitrary code.