CVE-2023-42298: Integer overflow issue in bifs/unquantize.c:298 · Issue #2567 · gpac/gpac
An issue in GPAC GPAC v.2.2.1 and before allows a local attacker to cause a denial of service via the Q_DecCoordOnUnitSphere function of file src/bifs/unquantize.c.
Thanks for reporting your issue. Please make sure these boxes are checked before submitting your issue - thank you!
- [Y] I looked for a similar issue and couldn’t find any.
- [Y] I tried with the latest version of GPAC. Installers available at http://gpac.io/downloads/gpac-nightly-builds/
- [Y] I give enough information for contributors to reproduce my issue
Description
There is an integer overflow issue in bifs/unquantize.c:298
System info
Ubuntu 22.04.2 LTS
GPAC-2.2.1
Build command
./configure --enable-sanitizer && make
Crash command
/usr/local/bin/MP4Box -xmt poc
poc_file:
poc.zip
Crash output:
[iso file] Unknown box type vref in parent dinf
[iso file] Missing dref box in dinf
[iso file] Incomplete box - start 2637
[iso file] Incomplete file while reading for dump - aborting parsing
[iso file] Unknown box type vref in parent dinf
[iso file] Missing dref box in dinf
[iso file] Incomplete box - start 2637
[iso file] Incomplete file while reading for dump - aborting parsing
MPEG-4 BIFS Scene Parsing
bifs/unquantize.c:298:43: runtime error: shift exponent 4294967295 is too large for 32-bit type 'int'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior bifs/unquantize.c:298:43 in
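The sanitizer line above reports a shift count of 4294967295, which is exactly what an unsigned 32-bit bit count of 0 becomes after subtracting 1. The following is an added example, not GPAC's code: a simplified model of a quantized-field decoder showing the unchecked shift next to a form that validates the bit count before any arithmetic. The function names, the scaling formula and the assumption that the shift count derives from a zero bit count are all mine, not taken from the report.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/*
 * Hypothetical model (not GPAC code): a value read from the bitstream on
 * nb_bits bits is re-centred against 2^(nb_bits - 1). nb_bits comes from
 * quantization parameters in the input file, so it is attacker-controlled.
 */

/* Unchecked form: nb_bits is unsigned, so nb_bits == 0 makes (nb_bits - 1)
 * wrap to 4294967295, and shifting a 32-bit int by that count is undefined
 * behaviour. That is the condition UBSan reports in the crash output.
 * Kept only for comparison; it must never be reached with nb_bits == 0. */
static int32_t scale_unchecked(uint32_t nb_bits, uint32_t value)
{
    int32_t half_range = 1 << (nb_bits - 1);
    return (int32_t)value - half_range;
}

/* Hardened form: reject bit counts that cannot be used as a shift count on a
 * 32-bit int before shifting, and report failure instead of continuing with
 * a garbage scale. Valid shift counts are 0..31 and 1 << 31 would overflow a
 * signed int, so the usable bit counts are 1..31. */
static bool scale_checked(uint32_t nb_bits, uint32_t value, int32_t *out)
{
    if (nb_bits < 1 || nb_bits > 31)
        return false;
    if (value >> nb_bits)          /* value does not fit in nb_bits bits */
        return false;
    int32_t half_range = (int32_t)(1u << (nb_bits - 1));
    *out = (int32_t)value - half_range;
    return true;
}

int main(void)
{
    int32_t r;
    if (scale_checked(8, 200, &r))
        printf("8 bits, value 200 -> %d\n", r);      /* prints 72 */
    printf("0 bits -> %s\n", scale_checked(0, 0, &r) ? "ok" : "rejected");
    return 0;
}
```

The unchecked function is only ever called with a valid bit count here; under `-fsanitize=undefined` a zero bit count would produce the same "shift exponent 4294967295" diagnostic as in the report.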