Headline
CVE-2022-47086: missing check in gf_sm_load_init_swf, causing Segmentation fault · Issue #2337 · gpac/gpac
GPAC MP4Box v2.1-DEV-rev574-g9d5bb184b contains a segmentation violation via the function gf_sm_load_init_swf at scene_manager/swf_parse.c
Thanks for reporting your issue. Please make sure these boxes are checked before submitting your issue - thank you!
- I looked for a similar issue and couldn’t find any.
- I tried with the latest version of GPAC. Installers available at http://gpac.io/downloads/gpac-nightly-builds/
- I give enough information for contributors to reproduce my issue (meaningful title, github labels, platform and compiler, command-line …). I can share files anonymously with this dropbox: https://www.mediafire.com/filedrop/filedrop_hosted.php?drop=eec9e058a9486fe4e99c33021481d9e1826ca9dbc242a6cfaab0fe95da5e5d95
Detailed guidelines: http://gpac.io/2013/07/16/how-to-file-a-bug-properly/
Description
Forget to check the return value of gf_swf_read_header in gf_sm_load_init_swf. gf_swf_read_header should fall fast if error is detected.
gf_swf_read_header(read); load->ctx->scene_width = FIX2INT(read->width); load->ctx->scene_height = FIX2INT(read->height); load->ctx->is_pixel_metrics = 1;
Verison info
MP4Box - GPAC version 2.1-DEV-rev574-g9d5bb184b-master
(c) 2000-2022 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
Please cite our work in your research:
GPAC Filters: https://doi.org/10.1145/3339825.3394929
GPAC: https://doi.org/10.1145/1291233.1291452
GPAC Configuration: --enable-sanitizer
Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SSL GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_LINUX_DVB GPAC_DISABLE_3D
Reproduce
compile with
./configure --enable-sanitizer
make
run with poc.swf (in attachment)
./MP4Box import -add poc.swf
crash triggered
[TXTLoad] Unknown text format for poc.swf
Failed to connect filter fin PID poc.swf to filter txtin: Feature Not Supported
Blacklisting txtin as output from fin and retrying connections
AddressSanitizer:DEADLYSIGNAL
=================================================================
==215517==ERROR: AddressSanitizer: SEGV on unknown address 0x615100000035 (pc 0x7f022cad9afb bp 0x7ffdc954ed70 sp 0x7ffdc954dc40 T0)
==215517==The signal is caused by a READ memory access.
#0 0x7f022cad9afb in gf_sm_load_init_swf scene_manager/swf_parse.c:2667
#1 0x7f022ca5125f in gf_sm_load_init scene_manager/scene_manager.c:692
#2 0x7f022d169cea in ctxload_process filters/load_bt_xmt.c:476
#3 0x7f022cecfbcc in gf_filter_process_task filter_core/filter.c:2750
#4 0x7f022ce8faf3 in gf_fs_thread_proc filter_core/filter_session.c:1859
#5 0x7f022ce9c3ee in gf_fs_run filter_core/filter_session.c:2120
#6 0x7f022c8defd1 in gf_media_import media_tools/media_import.c:1551
#7 0x56297ebccaec in import_file /home/sumuchuan/Desktop/gpac_fuzz/gpac/applications/mp4box/fileimport.c:1498
#8 0x56297eb813db in do_add_cat /home/sumuchuan/Desktop/gpac_fuzz/gpac/applications/mp4box/mp4box.c:4508
#9 0x56297eb813db in mp4box_main /home/sumuchuan/Desktop/gpac_fuzz/gpac/applications/mp4box/mp4box.c:6124
#10 0x7f0229e69d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
#11 0x7f0229e69e3f in __libc_start_main_impl ../csu/libc-start.c:392
#12 0x56297eb5dcb4 in _start (/home/sumuchuan/Desktop/gpac_fuzz/gpac/bin/gcc/MP4Box+0xabcb4)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV scene_manager/swf_parse.c:2667 in gf_sm_load_init_swf
==215517==ABORTING
Gdb
Program received signal SIGSEGV, Segmentation fault.
0x00007f2d4fe54afb in gf_sm_load_init_swf (load=load@entry=0x6110000084f0) at scene_manager/swf_parse.c:2667
2667 load->ctx->scene_width = FIX2INT(read->width);
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
───────────────────────────────────────────────────────────────────────[ REGISTERS / show-flags off / show-compact-regs off ]────────────────────────────────────────────────────────────────────────
*RAX 0x611000008508 —▸ 0x604000002a90 —▸ 0x616000001280 ◂— 0x0
RBX 0xfffecf4d70a ◂— 0x0
RCX 0xfffecf4d6ea ◂— 0x0
RDX 0x0
*RDI 0x615100000035 ◂— 0x0
RSI 0x0
*R8 0x611000008528 ◂— 0xa9
R9 0x610000000bd0 —▸ 0x200000002 ◂— 0x0
R10 0x610000000bd4 —▸ 0x20000000002 ◂— 0x0
R11 0x610000000bd0 —▸ 0x200000002 ◂— 0x0
R12 0x6110000084f0 ◂— 9 /* '\t' */
*R13 0x6150fffffffd ◂— 0x0
*R14 0x615000013e4c —▸ 0xb40000000a9 ◂— 0x0
*R15 0x611000008508 —▸ 0x604000002a90 —▸ 0x616000001280 ◂— 0x0
*RBP 0x7fff67a6c940 —▸ 0x7fff67a6ca60 —▸ 0x7fff67a6dd60 —▸ 0x7fff67a6ddf0 —▸ 0x7fff67a6def0 ◂— ...
*RSP 0x7fff67a6b810 ◂— 0xf4dc4ae
*RIP 0x7f2d4fe54afb (gf_sm_load_init_swf+747) ◂— cvttss2si ecx, dword ptr [r13 + 0x38]
────────────────────────────────────────────────────────────────────────────────[ DISASM / x86-64 / set emulate on ]─────────────────────────────────────────────────────────────────────────────────
► 0x7f2d4fe54afb <gf_sm_load_init_swf+747> cvttss2si ecx, dword ptr [r13 + 0x38]
0x7f2d4fe54b01 <gf_sm_load_init_swf+753> shr rax, 3
0x7f2d4fe54b05 <gf_sm_load_init_swf+757> cmp byte ptr [rax + 0x7fff8000], 0
0x7f2d4fe54b0c <gf_sm_load_init_swf+764> jne gf_sm_load_init_swf+2550 <gf_sm_load_init_swf+2550>
0x7f2d4fe54b12 <gf_sm_load_init_swf+770> mov rsi, qword ptr [r12 + 0x18]
0x7f2d4fe54b17 <gf_sm_load_init_swf+775> test rsi, rsi
0x7f2d4fe54b1a <gf_sm_load_init_swf+778> je gf_sm_load_init_swf+2570 <gf_sm_load_init_swf+2570>
0x7f2d4fe54b20 <gf_sm_load_init_swf+784> test sil, 7
0x7f2d4fe54b24 <gf_sm_load_init_swf+788> jne gf_sm_load_init_swf+2570 <gf_sm_load_init_swf+2570>
0x7f2d4fe54b2a <gf_sm_load_init_swf+794> lea rdx, [rsi + 0x18]
0x7f2d4fe54b2e <gf_sm_load_init_swf+798> cmp rsi, -0x18
──────────────────────────────────────────────────────────────────────────────────────────[ SOURCE (CODE) ]──────────────────────────────────────────────────────────────────────────────────────────
In file: /home/sumuchuan/Desktop/gpac_fuzz/gpac/src/scene_manager/swf_parse.c
2662 read->flags = load->swf_import_flags;
2663 read->flat_limit = FLT2FIX(load->swf_flatten_limit);
2664 load->loader_priv = read;
2665
2666 gf_swf_read_header(read);
► 2667 load->ctx->scene_width = FIX2INT(read->width);
2668 load->ctx->scene_height = FIX2INT(read->height);
2669 load->ctx->is_pixel_metrics = 1;
2670
2671 if (!(load->swf_import_flags & GF_SM_SWF_SPLIT_TIMELINE) ) {
2672 swf_report(read, GF_OK, "ActionScript disabled");
──────────────────────────────────────────────────────────────────────────────────────────────[ STACK ]──────────────────────────────────────────────────────────────────────────────────────────────
00:0000│ rsp 0x7fff67a6b810 ◂— 0xf4dc4ae
01:0008│ 0x7fff67a6b818 —▸ 0x7fff67a6c910 —▸ 0x7fff67a6c9b0 —▸ 0x60e000667773 ◂— 0x0
02:0010│ 0x7fff67a6b820 —▸ 0x61100000852c —▸ 0x2b000000000 ◂— 0x0
03:0018│ 0x7fff67a6b828 —▸ 0x611000008528 ◂— 0xa9
04:0020│ 0x7fff67a6b830 —▸ 0x7fff67a6b850 ◂— 0x41b58ab3
05:0028│ 0x7fff67a6b838 —▸ 0x611000008530 —▸ 0x6020000002b0 ◂— '/tmp/gpac_cache'
06:0030│ 0x7fff67a6b840 —▸ 0x611000008548 —▸ 0x615000013e00 —▸ 0x6110000084f0 ◂— 9 /* '\t' */
07:0038│ 0x7fff67a6b848 —▸ 0x7fff67a6b850 ◂— 0x41b58ab3
────────────────────────────────────────────────────────────────────────────────────────────[ BACKTRACE ]────────────────────────────────────────────────────────────────────────────────────────────
► f 0 0x7f2d4fe54afb gf_sm_load_init_swf+747
f 1 0x7f2d4fdcc260 gf_sm_load_init+896
f 2 0x7f2d504e4ceb ctxload_process+2283
f 3 0x7f2d5024abcd gf_filter_process_task+3181
f 4 0x7f2d5020aaf4 gf_fs_thread_proc+2244
f 5 0x7f2d502173ef gf_fs_run+447
f 6 0x7f2d4fc59fd2 gf_media_import+16210
f 7 0x565119c9faed import_file+15133
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
Backtrace
pwndbg> bt
#0 0x00007f2d4fe54afb in gf_sm_load_init_swf (load=load@entry=0x6110000084f0) at scene_manager/swf_parse.c:2667
#1 0x00007f2d4fdcc260 in gf_sm_load_init (load=load@entry=0x6110000084f0) at scene_manager/scene_manager.c:692
#2 0x00007f2d504e4ceb in ctxload_process (filter=<optimized out>) at filters/load_bt_xmt.c:476
#3 0x00007f2d5024abcd in gf_filter_process_task (task=0x607000001520) at filter_core/filter.c:2750
#4 0x00007f2d5020aaf4 in gf_fs_thread_proc (sess_thread=sess_thread@entry=0x616000000410) at filter_core/filter_session.c:1859
#5 0x00007f2d502173ef in gf_fs_run (fsess=fsess@entry=0x616000000380) at filter_core/filter_session.c:2120
#6 0x00007f2d4fc59fd2 in gf_media_import (importer=importer@entry=0x7fff67a6ee20) at media_tools/media_import.c:1551
#7 0x0000565119c9faed in import_file (dest=<optimized out>, inName=inName@entry=0x7fff67a832c8 "fake.swf", import_flags=0, force_fps=..., frames_per_sample=0, fsess=fsess@entry=0x0, mux_args_if_first_pass=<optimized out>, mux_sid_if_first_pass=<optimized out>, tk_idx=<optimized out>) at fileimport.c:1498
#8 0x0000565119c543dc in do_add_cat (argv=<optimized out>, argc=<optimized out>) at mp4box.c:4508
#9 mp4box_main (argc=<optimized out>, argv=<optimized out>) at mp4box.c:6124
#10 0x00007f2d4d1e4d90 in __libc_start_call_main (main=main@entry=0x565119c30bc0 <main>, argc=argc@entry=4, argv=argv@entry=0x7fff67a82d98) at ../sysdeps/nptl/libc_start_call_main.h:58
#11 0x00007f2d4d1e4e40 in __libc_start_main_impl (main=0x565119c30bc0 <main>, argc=4, argv=0x7fff67a82d98, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fff67a82d88) at ../csu/libc-start.c:392
#12 0x0000565119c30cb5 in _start ()
Credit
xdchase
POC
poc-segfault.zip
Related news
Gentoo Linux Security Advisory 202408-21 - Multiple vulnerabilities have been discovered in GPAC, the worst of which could lead to arbitrary code execution. Versions greater than or equal to 2.2.0 are affected.
Debian Linux Security Advisory 5411-1 - Multiple issues were found in GPAC multimedia framework, which could result in denial of service or potentially the execution of arbitrary code.