CVE-2022-47086: missing check in gf_sm_load_init_swf, causing Segmentation fault · Issue #2337 · gpac/gpac

GPAC MP4Box v2.1-DEV-rev574-g9d5bb184b contains a segmentation violation via the function gf_sm_load_init_swf at scene_manager/swf_parse.c


Thanks for reporting your issue. Please make sure these boxes are checked before submitting your issue - thank you!

  • I looked for a similar issue and couldn’t find any.
  • I tried with the latest version of GPAC. Installers available at http://gpac.io/downloads/gpac-nightly-builds/
  • I give enough information for contributors to reproduce my issue (meaningful title, github labels, platform and compiler, command-line …). I can share files anonymously with this dropbox: https://www.mediafire.com/filedrop/filedrop_hosted.php?drop=eec9e058a9486fe4e99c33021481d9e1826ca9dbc242a6cfaab0fe95da5e5d95

Detailed guidelines: http://gpac.io/2013/07/16/how-to-file-a-bug-properly/

Description

Forgot to check the return value of gf_swf_read_header in gf_sm_load_init_swf. gf_swf_read_header should fail fast if an error is detected.

gf_swf_read_header(read);
load->ctx->scene_width = FIX2INT(read->width);
load->ctx->scene_height = FIX2INT(read->height);
load->ctx->is_pixel_metrics = 1;
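A constructed model of the pattern the report describes, added here and not GPAC's code: a header parser that fails fast on truncated input, and the loader both as reported (result ignored) and with the check the report asks for. SWFReader, SceneCtx, swf_read_header, load_init_swf, read_bits and sample_swf are simplified stand-ins, and the model assumes, as the report implies, that gf_swf_read_header returns an error code the caller can test.

```c
/* Constructed model of the unchecked-return bug reported for
 * gf_sm_load_init_swf (CVE-2022-47086). None of this is GPAC code: the
 * structs and the header parser are simplified stand-ins. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>
typedef enum { GF_OK = 0, GF_NON_COMPLIANT_BITSTREAM = -1 } GF_Err;
typedef struct {
    const uint8_t *buf; size_t len; size_t bitpos;  /* bit cursor over the header */
    float width, height;                             /* stage size in pixels */
} SWFReader;
typedef struct { int scene_width, scene_height, is_pixel_metrics; } SceneCtx;
/* Constructed sample: "FWS" v10, RECT 0..11000 x 0..8000 twips = 550x400 px. */
static const uint8_t sample_swf[17] = { 'F', 'W', 'S', 10, 0, 0, 0, 0,
    0x78, 0x00, 0x05, 0x5F, 0x00, 0x00, 0x0F, 0xA0, 0x00 };

/* Read n bits MSB-first; refuse to run past the end of the buffer. */
static int read_bits(SWFReader *r, unsigned n, uint32_t *out) {
    uint32_t v = 0;
    for (unsigned i = 0; i < n; i++, r->bitpos++) {
        if (r->bitpos / 8 >= r->len) return 0;
        v = (v << 1) | ((r->buf[r->bitpos / 8] >> (7 - r->bitpos % 8)) & 1);
    }
    *out = v;
    return 1;
}

/* "FWS" + version + file length + RECT in twips; any short read is an error. */
static GF_Err swf_read_header(SWFReader *r) {
    uint32_t nbits, rc[4];
    if (r->len < 8 || memcmp(r->buf, "FWS", 3) != 0) return GF_NON_COMPLIANT_BITSTREAM;
    r->bitpos = 8 * 8;                               /* RECT starts at byte 8 */
    if (!read_bits(r, 5, &nbits)) return GF_NON_COMPLIANT_BITSTREAM;
    for (int i = 0; i < 4; i++)
        if (!read_bits(r, nbits, &rc[i])) return GF_NON_COMPLIANT_BITSTREAM;
    r->width  = (float)(rc[1] - rc[0]) / 20;         /* xmin, xmax, ymin, ymax */
    r->height = (float)(rc[3] - rc[2]) / 20;
    return GF_OK;
}

/* Loader as reported (checked = 0) and with the missing check added (checked = 1). */
static GF_Err load_init_swf(SceneCtx *ctx, const uint8_t *buf, size_t len, int checked) {
    SWFReader read = { buf, len, 0, 0.0f, 0.0f };
    GF_Err e = swf_read_header(&read);
    if (checked && e) return e;   /* fail fast: never consume width/height after an error */
    ctx->scene_width  = (int)read.width;             /* FIX2INT in GPAC */
    ctx->scene_height = (int)read.height;
    ctx->is_pixel_metrics = 1;
    return GF_OK;
}
```

With the check in place a truncated header is rejected before the scene size is touched; without it the loader reports success and publishes a size it never parsed.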

Version info

MP4Box - GPAC version 2.1-DEV-rev574-g9d5bb184b-master
(c) 2000-2022 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io

Please cite our work in your research:
    GPAC Filters: https://doi.org/10.1145/3339825.3394929
    GPAC: https://doi.org/10.1145/1291233.1291452

GPAC Configuration: --enable-sanitizer
Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SSL GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_LINUX_DVB  GPAC_DISABLE_3D

Reproduce

compile with

./configure --enable-sanitizer
make

run with poc.swf (in attachment)

./MP4Box import -add poc.swf

crash triggered

[TXTLoad] Unknown text format for poc.swf
Failed to connect filter fin PID poc.swf to filter txtin: Feature Not Supported
Blacklisting txtin as output from fin and retrying connections
AddressSanitizer:DEADLYSIGNAL
=================================================================
==215517==ERROR: AddressSanitizer: SEGV on unknown address 0x615100000035 (pc 0x7f022cad9afb bp 0x7ffdc954ed70 sp 0x7ffdc954dc40 T0)
==215517==The signal is caused by a READ memory access.
    #0 0x7f022cad9afb in gf_sm_load_init_swf scene_manager/swf_parse.c:2667
    #1 0x7f022ca5125f in gf_sm_load_init scene_manager/scene_manager.c:692
    #2 0x7f022d169cea in ctxload_process filters/load_bt_xmt.c:476
    #3 0x7f022cecfbcc in gf_filter_process_task filter_core/filter.c:2750
    #4 0x7f022ce8faf3 in gf_fs_thread_proc filter_core/filter_session.c:1859
    #5 0x7f022ce9c3ee in gf_fs_run filter_core/filter_session.c:2120
    #6 0x7f022c8defd1 in gf_media_import media_tools/media_import.c:1551
    #7 0x56297ebccaec in import_file /home/sumuchuan/Desktop/gpac_fuzz/gpac/applications/mp4box/fileimport.c:1498
    #8 0x56297eb813db in do_add_cat /home/sumuchuan/Desktop/gpac_fuzz/gpac/applications/mp4box/mp4box.c:4508
    #9 0x56297eb813db in mp4box_main /home/sumuchuan/Desktop/gpac_fuzz/gpac/applications/mp4box/mp4box.c:6124
    #10 0x7f0229e69d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    #11 0x7f0229e69e3f in __libc_start_main_impl ../csu/libc-start.c:392
    #12 0x56297eb5dcb4 in _start (/home/sumuchuan/Desktop/gpac_fuzz/gpac/bin/gcc/MP4Box+0xabcb4)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV scene_manager/swf_parse.c:2667 in gf_sm_load_init_swf
==215517==ABORTING

Gdb

Program received signal SIGSEGV, Segmentation fault.
0x00007f2d4fe54afb in gf_sm_load_init_swf (load=load@entry=0x6110000084f0) at scene_manager/swf_parse.c:2667
2667        load->ctx->scene_width = FIX2INT(read->width);
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
───────────────────────────────────────────────────────────────────────[ REGISTERS / show-flags off / show-compact-regs off ]────────────────────────────────────────────────────────────────────────
*RAX  0x611000008508 —▸ 0x604000002a90 —▸ 0x616000001280 ◂— 0x0
 RBX  0xfffecf4d70a ◂— 0x0
 RCX  0xfffecf4d6ea ◂— 0x0
 RDX  0x0
*RDI  0x615100000035 ◂— 0x0
 RSI  0x0
*R8   0x611000008528 ◂— 0xa9
 R9   0x610000000bd0 —▸ 0x200000002 ◂— 0x0
 R10  0x610000000bd4 —▸ 0x20000000002 ◂— 0x0
 R11  0x610000000bd0 —▸ 0x200000002 ◂— 0x0
 R12  0x6110000084f0 ◂— 9 /* '\t' */
*R13  0x6150fffffffd ◂— 0x0
*R14  0x615000013e4c —▸ 0xb40000000a9 ◂— 0x0
*R15  0x611000008508 —▸ 0x604000002a90 —▸ 0x616000001280 ◂— 0x0
*RBP  0x7fff67a6c940 —▸ 0x7fff67a6ca60 —▸ 0x7fff67a6dd60 —▸ 0x7fff67a6ddf0 —▸ 0x7fff67a6def0 ◂— ...
*RSP  0x7fff67a6b810 ◂— 0xf4dc4ae
*RIP  0x7f2d4fe54afb (gf_sm_load_init_swf+747) ◂— cvttss2si ecx, dword ptr [r13 + 0x38]
────────────────────────────────────────────────────────────────────────────────[ DISASM / x86-64 / set emulate on ]─────────────────────────────────────────────────────────────────────────────────
 ► 0x7f2d4fe54afb <gf_sm_load_init_swf+747>    cvttss2si ecx, dword ptr [r13 + 0x38]
   0x7f2d4fe54b01 <gf_sm_load_init_swf+753>    shr    rax, 3
   0x7f2d4fe54b05 <gf_sm_load_init_swf+757>    cmp    byte ptr [rax + 0x7fff8000], 0
   0x7f2d4fe54b0c <gf_sm_load_init_swf+764>    jne    gf_sm_load_init_swf+2550                <gf_sm_load_init_swf+2550>
 
   0x7f2d4fe54b12 <gf_sm_load_init_swf+770>    mov    rsi, qword ptr [r12 + 0x18]
   0x7f2d4fe54b17 <gf_sm_load_init_swf+775>    test   rsi, rsi
   0x7f2d4fe54b1a <gf_sm_load_init_swf+778>    je     gf_sm_load_init_swf+2570                <gf_sm_load_init_swf+2570>
 
   0x7f2d4fe54b20 <gf_sm_load_init_swf+784>    test   sil, 7
   0x7f2d4fe54b24 <gf_sm_load_init_swf+788>    jne    gf_sm_load_init_swf+2570                <gf_sm_load_init_swf+2570>
 
   0x7f2d4fe54b2a <gf_sm_load_init_swf+794>    lea    rdx, [rsi + 0x18]
   0x7f2d4fe54b2e <gf_sm_load_init_swf+798>    cmp    rsi, -0x18
──────────────────────────────────────────────────────────────────────────────────────────[ SOURCE (CODE) ]──────────────────────────────────────────────────────────────────────────────────────────
In file: /home/sumuchuan/Desktop/gpac_fuzz/gpac/src/scene_manager/swf_parse.c
   2662         read->flags = load->swf_import_flags;
   2663         read->flat_limit = FLT2FIX(load->swf_flatten_limit);
   2664         load->loader_priv = read;
   2665 
   2666         gf_swf_read_header(read);
 ► 2667         load->ctx->scene_width = FIX2INT(read->width);
   2668         load->ctx->scene_height = FIX2INT(read->height);
   2669         load->ctx->is_pixel_metrics = 1;
   2670 
   2671         if (!(load->swf_import_flags & GF_SM_SWF_SPLIT_TIMELINE) ) {
   2672                 swf_report(read, GF_OK, "ActionScript disabled");
──────────────────────────────────────────────────────────────────────────────────────────────[ STACK ]──────────────────────────────────────────────────────────────────────────────────────────────
00:0000│ rsp 0x7fff67a6b810 ◂— 0xf4dc4ae
01:0008│     0x7fff67a6b818 —▸ 0x7fff67a6c910 —▸ 0x7fff67a6c9b0 —▸ 0x60e000667773 ◂— 0x0
02:0010│     0x7fff67a6b820 —▸ 0x61100000852c —▸ 0x2b000000000 ◂— 0x0
03:0018│     0x7fff67a6b828 —▸ 0x611000008528 ◂— 0xa9
04:0020│     0x7fff67a6b830 —▸ 0x7fff67a6b850 ◂— 0x41b58ab3
05:0028│     0x7fff67a6b838 —▸ 0x611000008530 —▸ 0x6020000002b0 ◂— '/tmp/gpac_cache'
06:0030│     0x7fff67a6b840 —▸ 0x611000008548 —▸ 0x615000013e00 —▸ 0x6110000084f0 ◂— 9 /* '\t' */
07:0038│     0x7fff67a6b848 —▸ 0x7fff67a6b850 ◂— 0x41b58ab3
────────────────────────────────────────────────────────────────────────────────────────────[ BACKTRACE ]────────────────────────────────────────────────────────────────────────────────────────────
 ► f 0   0x7f2d4fe54afb gf_sm_load_init_swf+747
   f 1   0x7f2d4fdcc260 gf_sm_load_init+896
   f 2   0x7f2d504e4ceb ctxload_process+2283
   f 3   0x7f2d5024abcd gf_filter_process_task+3181
   f 4   0x7f2d5020aaf4 gf_fs_thread_proc+2244
   f 5   0x7f2d502173ef gf_fs_run+447
   f 6   0x7f2d4fc59fd2 gf_media_import+16210
   f 7   0x565119c9faed import_file+15133
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────

Backtrace

pwndbg> bt
#0  0x00007f2d4fe54afb in gf_sm_load_init_swf (load=load@entry=0x6110000084f0) at scene_manager/swf_parse.c:2667
#1  0x00007f2d4fdcc260 in gf_sm_load_init (load=load@entry=0x6110000084f0) at scene_manager/scene_manager.c:692
#2  0x00007f2d504e4ceb in ctxload_process (filter=<optimized out>) at filters/load_bt_xmt.c:476
#3  0x00007f2d5024abcd in gf_filter_process_task (task=0x607000001520) at filter_core/filter.c:2750
#4  0x00007f2d5020aaf4 in gf_fs_thread_proc (sess_thread=sess_thread@entry=0x616000000410) at filter_core/filter_session.c:1859
#5  0x00007f2d502173ef in gf_fs_run (fsess=fsess@entry=0x616000000380) at filter_core/filter_session.c:2120
#6  0x00007f2d4fc59fd2 in gf_media_import (importer=importer@entry=0x7fff67a6ee20) at media_tools/media_import.c:1551
#7  0x0000565119c9faed in import_file (dest=<optimized out>, inName=inName@entry=0x7fff67a832c8 "fake.swf", import_flags=0, force_fps=..., frames_per_sample=0, fsess=fsess@entry=0x0, mux_args_if_first_pass=<optimized out>, mux_sid_if_first_pass=<optimized out>, tk_idx=<optimized out>) at fileimport.c:1498
#8  0x0000565119c543dc in do_add_cat (argv=<optimized out>, argc=<optimized out>) at mp4box.c:4508
#9  mp4box_main (argc=<optimized out>, argv=<optimized out>) at mp4box.c:6124
#10 0x00007f2d4d1e4d90 in __libc_start_call_main (main=main@entry=0x565119c30bc0 <main>, argc=argc@entry=4, argv=argv@entry=0x7fff67a82d98) at ../sysdeps/nptl/libc_start_call_main.h:58
#11 0x00007f2d4d1e4e40 in __libc_start_main_impl (main=0x565119c30bc0 <main>, argc=4, argv=0x7fff67a82d98, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fff67a82d88) at ../csu/libc-start.c:392
#12 0x0000565119c30cb5 in _start ()

Credit

xdchase

POC

poc-segfault.zip

Related news

Gentoo Linux Security Advisory 202408-21

Gentoo Linux Security Advisory 202408-21 - Multiple vulnerabilities have been discovered in GPAC, the worst of which could lead to arbitrary code execution. Versions greater than or equal to 2.2.0 are affected.

Debian Security Advisory 5411-1

Debian Linux Security Advisory 5411-1 - Multiple issues were found in GPAC multimedia framework, which could result in denial of service or potentially the execution of arbitrary code.
