Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2021-44924: Infinite loop in gf_log() · Issue #1959 · gpac/gpac

An infinite loop vulnerability exists in gpac 1.1.0 in the gf_log function, which causes a Denial of Service.

CVE
Open in Source
#vulnerability#ubuntu#linux#dos#js#git

Thanks for reporting your issue. Please make sure these boxes are checked before submitting your issue - thank you!

  • I looked for a similar issue and couldn’t find any.
  • I tried with the latest version of GPAC. Installers available at http://gpac.io/downloads/gpac-nightly-builds/
  • I give enough information for contributors to reproduce my issue (meaningful title, github labels, platform and compiler, command-line …). I can share files anonymously with this dropbox: https://www.mediafire.com/filedrop/filedrop_hosted.php?drop=eec9e058a9486fe4e99c33021481d9e1826ca9dbc242a6cfaab0fe95da5e5d95

Detailed guidelines: http://gpac.io/2013/07/16/how-to-file-a-bug-properly/

An infinite loop was discovered in gf_log().

Version:

MP4Box - GPAC version 1.1.0-DEV-revUNKNOWN_REV
(c) 2000-2021 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io

Please cite our work in your research:
        GPAC Filters: https://doi.org/10.1145/3339825.3394929
        GPAC: https://doi.org/10.1145/1291233.1291452

GPAC Configuration:
Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_JPEG G
[poc_hang.zip](https://github.com/gpac/gpac/files/7691188/poc_hang.zip)
PAC_HAS_PNG GPAC_HAS_LINUX_DVB  GPAC_DISABLE_3D

System information
Ubuntu 20.04 focal, AMD EPYC 7742 64-Core @ 16x 2.25GHz

command:

./MP4Box -info ./poc_hang

poc_hang.zip

Result

...
[Core] exp-golomb read failed, not enough bits in bitstream !
[Core] exp-golomb read failed, not enough bits in bitstream !
[Core] exp-golomb read failed, not enough bits in bitstream !
[Core] exp-golomb read failed, not enough bits in bitstream !
[Core] exp-golomb read failed, not enough bits in bitstream !
[Core] exp-golomb read failed, not enough bits in bitstream !
[Core] exp-golomb read failed, not enough bits in bitstream !
[Core] exp-golomb read failed, not enough bits in bitstream !
[Core] exp-golomb read failed, not enough bits in bitstream !
[Core] exp-golomb read failed, not enough bits in bitstream !
[Core] exp-golomb read failed, not enough bits in bitstream !
[Core] exp-golomb read failed, not enough bits in bitstream !
[Core] exp-golomb read failed, not enough bits in bitstream !
[Core] exp-golomb read failed, not enough bits in bitstream !
[Core] exp-golomb read failed, not enough bits in bitstream !
[Core] exp-golomb read failed, not enough bits in bitstream !
[Core] exp-golomb read failed, not enough bits in bitstream !
[Core] exp-golomb read failed, not enough bits in bitstream !
[Core] exp-golomb read failed, not enough bits in bitstream !
[Core] exp-golomb read failed, not enough bits in bitstream !
[Core] exp-golomb read failed, not enough bits in bitstream !
[Core] exp-golomb read failed, not enough bits in bitstream !
[Core] exp-golomb read failed, not enough bits in bitstream !
[Core] exp-golomb read failed, not enough bits in bitstream !
...

gdb

bt
#0  0x00007ffff764d1e7 in __GI___libc_write (fd=2, buf=0x7ffffffebeb0, nbytes=62) at ../sysdeps/unix/sysv/linux/write.c:26
#1  0x00007ffff75ce00d in _IO_new_file_write (f=0x7ffff77285c0 <_IO_2_1_stderr_>, data=0x7ffffffebeb0, n=62) at fileops.c:1176
#2  0x00007ffff75ce928 in new_do_write (to_do=<optimized out>, data=0x7ffffffebeb0 "[Core] exp-golomb read failed, not enough bits in bitstream !\nn [0;31])\n", fp=0x7ffff77285c0 <_IO_2_1_stderr_>) at libioP.h:948
#3  _IO_new_file_xsputn (n=62, data=<optimized out>, f=<optimized out>) at fileops.c:1255
#4  _IO_new_file_xsputn (f=0x7ffff77285c0 <_IO_2_1_stderr_>, data=<optimized out>, n=62) at fileops.c:1197
#5  0x00007ffff75b90d3 in buffered_vfprintf (s=s@entry=0x7ffff77285c0 <_IO_2_1_stderr_>, format=format@entry=0x7ffff7e2cf98 "[Core] exp-golomb read failed, not enough bits in bitstream !\n", args=args@entry=0x7ffffffee4a0, mode_flags=mode_flags@entry=2) at ../libio/libioP.h:948
#6  0x00007ffff75b5ea4 in __vfprintf_internal (s=0x7ffff77285c0 <_IO_2_1_stderr_>, format=0x7ffff7e2cf98 "[Core] exp-golomb read failed, not enough bits in bitstream !\n", ap=0x7ffffffee4a0, mode_flags=2) at vfprintf-internal.c:1346
#7  0x00007ffff77f8a21 in default_log_callback_color () from /root/fuckit/test/gpac-master/bin/gcc/libgpac.so.10
#8  0x00007ffff77f8cc9 in gf_log () from /root/fuckit/test/gpac-master/bin/gcc/libgpac.so.10
#9  0x00007ffff79f4c95 in avc_parse_hrd_parameters () from /root/fuckit/test/gpac-master/bin/gcc/libgpac.so.10
#10 0x00007ffff79f7c09 in gf_avc_read_sps_bs_internal () from /root/fuckit/test/gpac-master/bin/gcc/libgpac.so.10
#11 0x00007ffff7a0b149 in gf_avc_read_sps () from /root/fuckit/test/gpac-master/bin/gcc/libgpac.so.10
#12 0x00007ffff792b724 in avcc_box_read () from /root/fuckit/test/gpac-master/bin/gcc/libgpac.so.10
#13 0x00007ffff796ac69 in gf_isom_box_parse_ex () from /root/fuckit/test/gpac-master/bin/gcc/libgpac.so.10
#14 0x00007ffff796c531 in gf_isom_box_array_read_ex () from /root/fuckit/test/gpac-master/bin/gcc/libgpac.so.10
#15 0x00007ffff793c2a3 in video_sample_entry_box_read () from /root/fuckit/test/gpac-master/bin/gcc/libgpac.so.10
#16 0x00007ffff796ac69 in gf_isom_box_parse_ex () from /root/fuckit/test/gpac-master/bin/gcc/libgpac.so.10
#17 0x00007ffff796c531 in gf_isom_box_array_read_ex () from /root/fuckit/test/gpac-master/bin/gcc/libgpac.so.10
#18 0x00007ffff796ac69 in gf_isom_box_parse_ex () from /root/fuckit/test/gpac-master/bin/gcc/libgpac.so.10
#19 0x00007ffff796c531 in gf_isom_box_array_read_ex () from /root/fuckit/test/gpac-master/bin/gcc/libgpac.so.10
#20 0x00007ffff793e083 in stbl_box_read () from /root/fuckit/test/gpac-master/bin/gcc/libgpac.so.10
#21 0x00007ffff796ac69 in gf_isom_box_parse_ex () from /root/fuckit/test/gpac-master/bin/gcc/libgpac.so.10
#22 0x00007ffff796c531 in gf_isom_box_array_read_ex () from /root/fuckit/test/gpac-master/bin/gcc/libgpac.so.10
#23 0x00007ffff793a3d0 in minf_box_read () from /root/fuckit/test/gpac-master/bin/gcc/libgpac.so.10
#24 0x00007ffff796ac69 in gf_isom_box_parse_ex () from /root/fuckit/test/gpac-master/bin/gcc/libgpac.so.10
#25 0x00007ffff796c531 in gf_isom_box_array_read_ex () from /root/fuckit/test/gpac-master/bin/gcc/libgpac.so.10
#26 0x00007ffff79394e9 in mdia_box_read () from /root/fuckit/test/gpac-master/bin/gcc/libgpac.so.10
#27 0x00007ffff796ac69 in gf_isom_box_parse_ex () from /root/fuckit/test/gpac-master/bin/gcc/libgpac.so.10
#28 0x00007ffff796c531 in gf_isom_box_array_read_ex () from /root/fuckit/test/gpac-master/bin/gcc/libgpac.so.10
#29 0x00007ffff794189a in trak_box_read () from /root/fuckit/test/gpac-master/bin/gcc/libgpac.so.10
#30 0x00007ffff796ac69 in gf_isom_box_parse_ex () from /root/fuckit/test/gpac-master/bin/gcc/libgpac.so.10
#31 0x00007ffff796c531 in gf_isom_box_array_read_ex () from /root/fuckit/test/gpac-master/bin/gcc/libgpac.so.10
#32 0x00007ffff796ac69 in gf_isom_box_parse_ex () from /root/fuckit/test/gpac-master/bin/gcc/libgpac.so.10
#33 0x00007ffff796b410 in gf_isom_parse_root_box () from /root/fuckit/test/gpac-master/bin/gcc/libgpac.so.10
#34 0x00007ffff79737ec in gf_isom_parse_movie_boxes_internal () from /root/fuckit/test/gpac-master/bin/gcc/libgpac.so.10
#35 0x00007ffff7974f67 in gf_isom_open_file () from /root/fuckit/test/gpac-master/bin/gcc/libgpac.so.10
#36 0x000055555557dc14 in mp4boxMain ()
#37 0x00007ffff75630b3 in __libc_start_main (main=0x55555556c420 <main>, argc=3, argv=0x7fffffffe1f8, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe1e8) at ../csu/libc-start.c:308
#38 0x000055555556c45e in _start ()

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE
CVE-2023-6905
CVE
CVE-2023-6903
CVE
CVE-2023-6904
CVE
CVE-2023-3907
CVE