Headline
CVE-2022-47086: missing check in gf_sm_load_init_swf, causing Segmentation fault · Issue #2337 · gpac/gpac
GPAC MP4Box v2.1-DEV-rev574-g9d5bb184b contains a segmentation violation via the function gf_sm_load_init_swf at scene_manager/swf_parse.c
Thanks for reporting your issue. Please make sure these boxes are checked before submitting your issue - thank you!
- I looked for a similar issue and couldn’t find any.
- I tried with the latest version of GPAC. Installers available at http://gpac.io/downloads/gpac-nightly-builds/
- I give enough information for contributors to reproduce my issue (meaningful title, github labels, platform and compiler, command-line …). I can share files anonymously with this dropbox: https://www.mediafire.com/filedrop/filedrop_hosted.php?drop=eec9e058a9486fe4e99c33021481d9e1826ca9dbc242a6cfaab0fe95da5e5d95
Detailed guidelines: http://gpac.io/2013/07/16/how-to-file-a-bug-properly/
Description
Forget to check the return value of gf_swf_read_header in gf_sm_load_init_swf. gf_swf_read_header should fall fast if error is detected.
gf_swf_read_header(read); load->ctx->scene_width = FIX2INT(read->width); load->ctx->scene_height = FIX2INT(read->height); load->ctx->is_pixel_metrics = 1;
Verison info
MP4Box - GPAC version 2.1-DEV-rev574-g9d5bb184b-master
(c) 2000-2022 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
Please cite our work in your research:
GPAC Filters: https://doi.org/10.1145/3339825.3394929
GPAC: https://doi.org/10.1145/1291233.1291452
GPAC Configuration: --enable-sanitizer
Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SSL GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_LINUX_DVB GPAC_DISABLE_3D
Reproduce
compile with
./configure --enable-sanitizer
make
run with poc.swf (in attachment)
./MP4Box import -add poc.swf
crash triggered
[TXTLoad] Unknown text format for poc.swf
Failed to connect filter fin PID poc.swf to filter txtin: Feature Not Supported
Blacklisting txtin as output from fin and retrying connections
AddressSanitizer:DEADLYSIGNAL
=================================================================
==215517==ERROR: AddressSanitizer: SEGV on unknown address 0x615100000035 (pc 0x7f022cad9afb bp 0x7ffdc954ed70 sp 0x7ffdc954dc40 T0)
==215517==The signal is caused by a READ memory access.
#0 0x7f022cad9afb in gf_sm_load_init_swf scene_manager/swf_parse.c:2667
#1 0x7f022ca5125f in gf_sm_load_init scene_manager/scene_manager.c:692
#2 0x7f022d169cea in ctxload_process filters/load_bt_xmt.c:476
#3 0x7f022cecfbcc in gf_filter_process_task filter_core/filter.c:2750
#4 0x7f022ce8faf3 in gf_fs_thread_proc filter_core/filter_session.c:1859
#5 0x7f022ce9c3ee in gf_fs_run filter_core/filter_session.c:2120
#6 0x7f022c8defd1 in gf_media_import media_tools/media_import.c:1551
#7 0x56297ebccaec in import_file /home/sumuchuan/Desktop/gpac_fuzz/gpac/applications/mp4box/fileimport.c:1498
#8 0x56297eb813db in do_add_cat /home/sumuchuan/Desktop/gpac_fuzz/gpac/applications/mp4box/mp4box.c:4508
#9 0x56297eb813db in mp4box_main /home/sumuchuan/Desktop/gpac_fuzz/gpac/applications/mp4box/mp4box.c:6124
#10 0x7f0229e69d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
#11 0x7f0229e69e3f in __libc_start_main_impl ../csu/libc-start.c:392
#12 0x56297eb5dcb4 in _start (/home/sumuchuan/Desktop/gpac_fuzz/gpac/bin/gcc/MP4Box+0xabcb4)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV scene_manager/swf_parse.c:2667 in gf_sm_load_init_swf
==215517==ABORTING
Gdb
Program received signal SIGSEGV, Segmentation fault.
0x00007f2d4fe54afb in gf_sm_load_init_swf (load=load@entry=0x6110000084f0) at scene_manager/swf_parse.c:2667
2667 load->ctx->scene_width = FIX2INT(read->width);
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
───────────────────────────────────────────────────────────────────────[ REGISTERS / show-flags off / show-compact-regs off ]────────────────────────────────────────────────────────────────────────
*RAX 0x611000008508 —▸ 0x604000002a90 —▸ 0x616000001280 ◂— 0x0
RBX 0xfffecf4d70a ◂— 0x0
RCX 0xfffecf4d6ea ◂— 0x0
RDX 0x0
*RDI 0x615100000035 ◂— 0x0
RSI 0x0
*R8 0x611000008528 ◂— 0xa9
R9 0x610000000bd0 —▸ 0x200000002 ◂— 0x0
R10 0x610000000bd4 —▸ 0x20000000002 ◂— 0x0
R11 0x610000000bd0 —▸ 0x200000002 ◂— 0x0
R12 0x6110000084f0 ◂— 9 /* '\t' */
*R13 0x6150fffffffd ◂— 0x0
*R14 0x615000013e4c —▸ 0xb40000000a9 ◂— 0x0
*R15 0x611000008508 —▸ 0x604000002a90 —▸ 0x616000001280 ◂— 0x0
*RBP 0x7fff67a6c940 —▸ 0x7fff67a6ca60 —▸ 0x7fff67a6dd60 —▸ 0x7fff67a6ddf0 —▸ 0x7fff67a6def0 ◂— ...
*RSP 0x7fff67a6b810 ◂— 0xf4dc4ae
*RIP 0x7f2d4fe54afb (gf_sm_load_init_swf+747) ◂— cvttss2si ecx, dword ptr [r13 + 0x38]
────────────────────────────────────────────────────────────────────────────────[ DISASM / x86-64 / set emulate on ]─────────────────────────────────────────────────────────────────────────────────
► 0x7f2d4fe54afb <gf_sm_load_init_swf+747> cvttss2si ecx, dword ptr [r13 + 0x38]
0x7f2d4fe54b01 <gf_sm_load_init_swf+753> shr rax, 3
0x7f2d4fe54b05 <gf_sm_load_init_swf+757> cmp byte ptr [rax + 0x7fff8000], 0
0x7f2d4fe54b0c <gf_sm_load_init_swf+764> jne gf_sm_load_init_swf+2550 <gf_sm_load_init_swf+2550>
0x7f2d4fe54b12 <gf_sm_load_init_swf+770> mov rsi, qword ptr [r12 + 0x18]
0x7f2d4fe54b17 <gf_sm_load_init_swf+775> test rsi, rsi
0x7f2d4fe54b1a <gf_sm_load_init_swf+778> je gf_sm_load_init_swf+2570 <gf_sm_load_init_swf+2570>
0x7f2d4fe54b20 <gf_sm_load_init_swf+784> test sil, 7
0x7f2d4fe54b24 <gf_sm_load_init_swf+788> jne gf_sm_load_init_swf+2570 <gf_sm_load_init_swf+2570>
0x7f2d4fe54b2a <gf_sm_load_init_swf+794> lea rdx, [rsi + 0x18]
0x7f2d4fe54b2e <gf_sm_load_init_swf+798> cmp rsi, -0x18
──────────────────────────────────────────────────────────────────────────────────────────[ SOURCE (CODE) ]──────────────────────────────────────────────────────────────────────────────────────────
In file: /home/sumuchuan/Desktop/gpac_fuzz/gpac/src/scene_manager/swf_parse.c
2662 read->flags = load->swf_import_flags;
2663 read->flat_limit = FLT2FIX(load->swf_flatten_limit);
2664 load->loader_priv = read;
2665
2666 gf_swf_read_header(read);
► 2667 load->ctx->scene_width = FIX2INT(read->width);
2668 load->ctx->scene_height = FIX2INT(read->height);
2669 load->ctx->is_pixel_metrics = 1;
2670
2671 if (!(load->swf_import_flags & GF_SM_SWF_SPLIT_TIMELINE) ) {
2672 swf_report(read, GF_OK, "ActionScript disabled");
──────────────────────────────────────────────────────────────────────────────────────────────[ STACK ]──────────────────────────────────────────────────────────────────────────────────────────────
00:0000│ rsp 0x7fff67a6b810 ◂— 0xf4dc4ae
01:0008│ 0x7fff67a6b818 —▸ 0x7fff67a6c910 —▸ 0x7fff67a6c9b0 —▸ 0x60e000667773 ◂— 0x0
02:0010│ 0x7fff67a6b820 —▸ 0x61100000852c —▸ 0x2b000000000 ◂— 0x0
03:0018│ 0x7fff67a6b828 —▸ 0x611000008528 ◂— 0xa9
04:0020│ 0x7fff67a6b830 —▸ 0x7fff67a6b850 ◂— 0x41b58ab3
05:0028│ 0x7fff67a6b838 —▸ 0x611000008530 —▸ 0x6020000002b0 ◂— '/tmp/gpac_cache'
06:0030│ 0x7fff67a6b840 —▸ 0x611000008548 —▸ 0x615000013e00 —▸ 0x6110000084f0 ◂— 9 /* '\t' */
07:0038│ 0x7fff67a6b848 —▸ 0x7fff67a6b850 ◂— 0x41b58ab3
────────────────────────────────────────────────────────────────────────────────────────────[ BACKTRACE ]────────────────────────────────────────────────────────────────────────────────────────────
► f 0 0x7f2d4fe54afb gf_sm_load_init_swf+747
f 1 0x7f2d4fdcc260 gf_sm_load_init+896
f 2 0x7f2d504e4ceb ctxload_process+2283
f 3 0x7f2d5024abcd gf_filter_process_task+3181
f 4 0x7f2d5020aaf4 gf_fs_thread_proc+2244
f 5 0x7f2d502173ef gf_fs_run+447
f 6 0x7f2d4fc59fd2 gf_media_import+16210
f 7 0x565119c9faed import_file+15133
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
Backtrace
pwndbg> bt
#0 0x00007f2d4fe54afb in gf_sm_load_init_swf (load=load@entry=0x6110000084f0) at scene_manager/swf_parse.c:2667
#1 0x00007f2d4fdcc260 in gf_sm_load_init (load=load@entry=0x6110000084f0) at scene_manager/scene_manager.c:692
#2 0x00007f2d504e4ceb in ctxload_process (filter=<optimized out>) at filters/load_bt_xmt.c:476
#3 0x00007f2d5024abcd in gf_filter_process_task (task=0x607000001520) at filter_core/filter.c:2750
#4 0x00007f2d5020aaf4 in gf_fs_thread_proc (sess_thread=sess_thread@entry=0x616000000410) at filter_core/filter_session.c:1859
#5 0x00007f2d502173ef in gf_fs_run (fsess=fsess@entry=0x616000000380) at filter_core/filter_session.c:2120
#6 0x00007f2d4fc59fd2 in gf_media_import (importer=importer@entry=0x7fff67a6ee20) at media_tools/media_import.c:1551
#7 0x0000565119c9faed in import_file (dest=<optimized out>, inName=inName@entry=0x7fff67a832c8 "fake.swf", import_flags=0, force_fps=..., frames_per_sample=0, fsess=fsess@entry=0x0, mux_args_if_first_pass=<optimized out>, mux_sid_if_first_pass=<optimized out>, tk_idx=<optimized out>) at fileimport.c:1498
#8 0x0000565119c543dc in do_add_cat (argv=<optimized out>, argc=<optimized out>) at mp4box.c:4508
#9 mp4box_main (argc=<optimized out>, argv=<optimized out>) at mp4box.c:6124
#10 0x00007f2d4d1e4d90 in __libc_start_call_main (main=main@entry=0x565119c30bc0 <main>, argc=argc@entry=4, argv=argv@entry=0x7fff67a82d98) at ../sysdeps/nptl/libc_start_call_main.h:58
#11 0x00007f2d4d1e4e40 in __libc_start_main_impl (main=0x565119c30bc0 <main>, argc=4, argv=0x7fff67a82d98, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fff67a82d88) at ../csu/libc-start.c:392
#12 0x0000565119c30cb5 in _start ()
Credit
xdchase
POC
poc-segfault.zip
Related news
Gentoo Linux Security Advisory 202408-21
Gentoo Linux Security Advisory 202408-21 - Multiple vulnerabilities have been discovered in GPAC, the worst of which could lead to arbitrary code execution. Versions greater than or equal to 2.2.0 are affected.
Debian Security Advisory 5411-1
Debian Linux Security Advisory 5411-1 - Multiple issues were found in GPAC multimedia framework, which could result in denial of service or potentially the execution of arbitrary code.