Headline
CVE-2019-20208: There is a stack-buffer-overflow in the dimC_Read function of box_code_3gpp.c:1000 · Issue #1348 · gpac/gpac
dimC_Read in isomedia/box_code_3gpp.c in GPAC 0.8.0 has a stack-based buffer overflow.
Thanks for reporting your issue. Please make sure these boxes are checked before submitting your issue - thank you!
A crafted input will lead to crash in box_code_3gpp.c at gpac 0.8.0.
./MP4Box -diso 011-stack-dimC_Read1000 -out /dev/null
=================================================================
==3045==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fff6e0d88d0 at pc 0x564b9b2d69fb bp 0x7fff6e0d8480 sp 0x7fff6e0d8470
WRITE of size 1 at 0x7fff6e0d88d0 thread T0
#0 0x564b9b2d69fa in dimC_Read isomedia/box_code_3gpp.c:1000
#1 0x564b9ae5bb35 in gf_isom_box_read isomedia/box_funcs.c:1528
#2 0x564b9ae5bb35 in gf_isom_box_parse_ex isomedia/box_funcs.c:208
#3 0x564b9ae5c1e4 in gf_isom_parse_root_box isomedia/box_funcs.c:42
#4 0x564b9ae72f44 in gf_isom_parse_movie_boxes isomedia/isom_intern.c:206
#5 0x564b9ae75bca in gf_isom_open_file isomedia/isom_intern.c:615
#6 0x564b9abbe852 in mp4boxMain /home/liuz/gpac-master/applications/mp4box/main.c:4767
#7 0x7f4b5d817b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
#8 0x564b9abafb19 in _start (/usr/local/gpac-asan3/bin/MP4Box+0x163b19)
Address 0x7fff6e0d88d0 is located in stack of thread T0 at offset 1056 in frame
#0 0x564b9b2d641f in dimC_Read isomedia/box_code_3gpp.c:983
This frame has 1 object(s):
[32, 1056) 'str' <== Memory access at offset 1056 overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
(longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow isomedia/box_code_3gpp.c:1000 in dimC_Read
Shadow bytes around the buggy address:
0x10006dc130c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10006dc130d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10006dc130e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10006dc130f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10006dc13100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x10006dc13110: 00 00 00 00 00 00 00 00 00 00[f3]f3 f3 f3 00 00
0x10006dc13120: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10006dc13130: 00 00 00 00 f1 f1 f1 f1 00 00 f2 f2 00 00 00 00
0x10006dc13140: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10006dc13150: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10006dc13160: 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1 04 f2
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==3045==ABORTING