CVE-2022-47093: heap-use-after-free filters/dmx_m2ts.c:470 in m2tsdmx_declare_pid · Issue #2344 · gpac/gpac
GPAC MP4box 2.1-DEV-rev574-g9d5bb184b is vulnerable to heap use-after-free via filters/dmx_m2ts.c:470 in m2tsdmx_declare_pid
Thanks for reporting your issue. Please make sure these boxes are checked before submitting your issue - thank you!
- I looked for a similar issue and couldn’t find any.
- I tried with the latest version of GPAC. Installers available at http://gpac.io/downloads/gpac-nightly-builds/
- I give enough information for contributors to reproduce my issue (meaningful title, github labels, platform and compiler, command-line …). I can share files anonymously with this dropbox: https://www.mediafire.com/filedrop/filedrop_hosted.php?drop=eec9e058a9486fe4e99c33021481d9e1826ca9dbc242a6cfaab0fe95da5e5d95
Detailed guidelines: http://gpac.io/2013/07/16/how-to-file-a-bug-properly/
Description
heap-use-after-free filters/dmx_m2ts.c:470 in m2tsdmx_declare_pid
Version info
MP4Box - GPAC version 2.1-DEV-rev574-g9d5bb184b-master
(c) 2000-2022 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
Please cite our work in your research:
GPAC Filters: https://doi.org/10.1145/3339825.3394929
GPAC: https://doi.org/10.1145/1291233.1291452
GPAC Configuration: --enable-sanitizer
Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SSL GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_LINUX_DVB GPAC_DISABLE_3D
Reproduce
compile and run
./configure --enable-sanitizer
make
./MP4Box import -add poc_uaf.avi
Crash reported by sanitizer
Broken PAT found reserved PID 0, ignoring
Broken PAT found reserved PID 0, ignoring
Broken PAT found reserved PID 0, ignoring
Broken PAT found reserved PID 0, ignoring
Broken PAT found reserved PID 0, ignoring
[MPEG-2 TS] PID 1863: Bad Adaptation Descriptor found (tag 100) size is 100 but only 93 bytes available
stream type DSM CC user private sections on pid 32
[MPEG-2 TS] Invalid PMT es descriptor size for PID 32
[MPEG-2 TS] Invalid PMT es descriptor size for PID 5364
Broken PAT found reserved PID 0, ignoring
Broken PAT found reserved PID 0, ignoring
Broken PAT found reserved PID 0, ignoring
Broken PAT found reserved PID 0, ignoring
Broken PAT found reserved PID 0, ignoring
[MPEG-2 TS] PID 1863: Bad Adaptation Descriptor found (tag 100) size is 100 but only 93 bytes available
stream type DSM CC user private sections on pid 32
[MPEG-2 TS] Invalid PMT es descriptor size for PID 32
[MPEG-2 TS] Invalid PMT es descriptor size for PID 5364
=================================================================
==583780==ERROR: AddressSanitizer: heap-use-after-free on address 0x607000004548 at pc 0x7fa6cb05f685 bp 0x7ffc93e21020 sp 0x7ffc93e21010
READ of size 8 at 0x607000004548 thread T0
#0 0x7fa6cb05f684 in m2tsdmx_declare_pid filters/dmx_m2ts.c:470
#1 0x7fa6cb05f98a in m2tsdmx_setup_program filters/dmx_m2ts.c:592
#2 0x7fa6cb06245b in m2tsdmx_on_event filters/dmx_m2ts.c:876
#3 0x7fa6ca9507d4 in gf_m2ts_process_pmt media_tools/mpegts.c:1779
#4 0x7fa6ca9507d4 in gf_m2ts_process_pmt media_tools/mpegts.c:1132
#5 0x7fa6ca9439b6 in gf_m2ts_section_complete media_tools/mpegts.c:624
#6 0x7fa6ca9452af in gf_m2ts_gather_section media_tools/mpegts.c:755
#7 0x7fa6ca94a532 in gf_m2ts_process_packet media_tools/mpegts.c:2721
#8 0x7fa6ca94dd68 in gf_m2ts_process_data media_tools/mpegts.c:2813
#9 0x7fa6cb05a250 in m2tsdmx_process filters/dmx_m2ts.c:1420
#10 0x7fa6caf29bcc in gf_filter_process_task filter_core/filter.c:2750
#11 0x7fa6caee9af3 in gf_fs_thread_proc filter_core/filter_session.c:1859
#12 0x7fa6caef63ee in gf_fs_run filter_core/filter_session.c:2120
#13 0x7fa6ca938fd1 in gf_media_import media_tools/media_import.c:1551
#14 0x55f87208daec in import_file /home/sumuchuan/Desktop/gpac_fuzz/gpac/applications/mp4box/fileimport.c:1498
#15 0x55f8720423db in do_add_cat /home/sumuchuan/Desktop/gpac_fuzz/gpac/applications/mp4box/mp4box.c:4508
#16 0x55f8720423db in mp4box_main /home/sumuchuan/Desktop/gpac_fuzz/gpac/applications/mp4box/mp4box.c:6124
#17 0x7fa6c7ec3d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
#18 0x7fa6c7ec3e3f in __libc_start_main_impl ../csu/libc-start.c:392
#19 0x55f87201ecb4 in _start (/home/sumuchuan/Desktop/gpac_fuzz/gpac/bin/gcc/MP4Box+0xabcb4)
0x607000004548 is located 8 bytes inside of 80-byte region [0x607000004540,0x607000004590)
freed by thread T0 here:
#0 0x7fa6cda1ec18 in __interceptor_realloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:164
#1 0x7fa6ca0aff20 in realloc_chain utils/list.c:621
#2 0x7fa6ca0aff20 in gf_list_add utils/list.c:630
#3 0x7fa6caed06d0 in gf_props_set_property filter_core/filter_props.c:1098
#4 0x7fa6cae8a35d in gf_filter_pid_set_property_full filter_core/filter_pid.c:5411
#5 0x7fa6cae8a35d in gf_filter_pid_set_property filter_core/filter_pid.c:5418
#6 0x7fa6cb05c6b3 in m2tsdmx_declare_pid filters/dmx_m2ts.c:454
#7 0x7fa6cb05f98a in m2tsdmx_setup_program filters/dmx_m2ts.c:592
#8 0x7fa6cb06245b in m2tsdmx_on_event filters/dmx_m2ts.c:876
#9 0x7fa6ca9507d4 in gf_m2ts_process_pmt media_tools/mpegts.c:1779
#10 0x7fa6ca9507d4 in gf_m2ts_process_pmt media_tools/mpegts.c:1132
#11 0x7fa6ca9439b6 in gf_m2ts_section_complete media_tools/mpegts.c:624
#12 0x7fa6ca9452af in gf_m2ts_gather_section media_tools/mpegts.c:755
#13 0x7fa6ca94a532 in gf_m2ts_process_packet media_tools/mpegts.c:2721
#14 0x7fa6ca94dd68 in gf_m2ts_process_data media_tools/mpegts.c:2813
#15 0x7fa6cb05a250 in m2tsdmx_process filters/dmx_m2ts.c:1420
#16 0x7fa6caf29bcc in gf_filter_process_task filter_core/filter.c:2750
#17 0x7fa6caee9af3 in gf_fs_thread_proc filter_core/filter_session.c:1859
#18 0x7fa6caef63ee in gf_fs_run filter_core/filter_session.c:2120
#19 0x7fa6ca938fd1 in gf_media_import media_tools/media_import.c:1551
#20 0x55f87208daec in import_file /home/sumuchuan/Desktop/gpac_fuzz/gpac/applications/mp4box/fileimport.c:1498
#21 0x55f8720423db in do_add_cat /home/sumuchuan/Desktop/gpac_fuzz/gpac/applications/mp4box/mp4box.c:4508
#22 0x55f8720423db in mp4box_main /home/sumuchuan/Desktop/gpac_fuzz/gpac/applications/mp4box/mp4box.c:6124
#23 0x7fa6c7ec3d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
previously allocated by thread T0 here:
#0 0x7fa6cda1ec18 in __interceptor_realloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:164
#1 0x7fa6ca0aff20 in realloc_chain utils/list.c:621
#2 0x7fa6ca0aff20 in gf_list_add utils/list.c:630
#3 0x7fa6caed0d5f in gf_props_merge_property filter_core/filter_props.c:1199
#4 0x7fa6cae9661b in gf_filter_pid_new filter_core/filter_pid.c:5258
#5 0x7fa6cb05adf9 in m2tsdmx_declare_pid filters/dmx_m2ts.c:411
#6 0x7fa6cb05f98a in m2tsdmx_setup_program filters/dmx_m2ts.c:592
#7 0x7fa6cb06245b in m2tsdmx_on_event filters/dmx_m2ts.c:876
#8 0x7fa6ca9507d4 in gf_m2ts_process_pmt media_tools/mpegts.c:1779
#9 0x7fa6ca9507d4 in gf_m2ts_process_pmt media_tools/mpegts.c:1132
#10 0x7fa6ca9439b6 in gf_m2ts_section_complete media_tools/mpegts.c:624
#11 0x7fa6ca9452af in gf_m2ts_gather_section media_tools/mpegts.c:755
#12 0x7fa6ca94a532 in gf_m2ts_process_packet media_tools/mpegts.c:2721
#13 0x7fa6ca94dd68 in gf_m2ts_process_data media_tools/mpegts.c:2813
#14 0x7fa6cb05a250 in m2tsdmx_process filters/dmx_m2ts.c:1420
#15 0x7fa6caf29bcc in gf_filter_process_task filter_core/filter.c:2750
#16 0x7fa6caee9af3 in gf_fs_thread_proc filter_core/filter_session.c:1859
#17 0x7fa6caef63ee in gf_fs_run filter_core/filter_session.c:2120
#18 0x7fa6ca938fd1 in gf_media_import media_tools/media_import.c:1551
#19 0x55f87208daec in import_file /home/sumuchuan/Desktop/gpac_fuzz/gpac/applications/mp4box/fileimport.c:1498
#20 0x55f8720423db in do_add_cat /home/sumuchuan/Desktop/gpac_fuzz/gpac/applications/mp4box/mp4box.c:4508
#21 0x55f8720423db in mp4box_main /home/sumuchuan/Desktop/gpac_fuzz/gpac/applications/mp4box/mp4box.c:6124
#22 0x7fa6c7ec3d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
SUMMARY: AddressSanitizer: heap-use-after-free filters/dmx_m2ts.c:470 in m2tsdmx_declare_pid
==583780==ABORTING
POC
poc_uaf.zip
Impact
Potentially causing DoS and RCE
Credit
Xdchase
Related news
Gentoo Linux Security Advisory 202408-21
Gentoo Linux Security Advisory 202408-21 - Multiple vulnerabilities have been discovered in GPAC, the worst of which could lead to arbitrary code execution. Versions greater than or equal to 2.2.0 are affected.