CVE-2022-47087: Buffer overflow in gf_vvc_read_pps_bs_internal function of media_tools/av_parsers.c · Issue #2339 · gpac/gpac

Thanks for reporting your issue. Please make sure these boxes are checked before submitting your issue - thank you!

• I looked for a similar issue and couldn’t find any.
• I tried with the latest version of GPAC. Installers available at http://gpac.io/downloads/gpac-nightly-builds/
• I give enough information for contributors to reproduce my issue (meaningful title, github labels, platform and compiler, command-line …). I can share files anonymously with this dropbox: https://www.mediafire.com/filedrop/filedrop_hosted.php?drop=eec9e058a9486fe4e99c33021481d9e1826ca9dbc242a6cfaab0fe95da5e5d95

Detailed guidelines: http://gpac.io/2013/07/16/how-to-file-a-bug-properly/

Description

buffer overflow in gf_vvc_read_pps_bs_internal function of media_tools/av_parsers.c

while (nb_ctb_left >= uni_size_ctb) { nb_ctb_left -= uni_size_ctb; pps->tile_rows_height_ctb[pps->num_tile_rows] = uni_size_ctb; // when pps->num_tile_rows == 32, overflow at pps->tile_rows_height_ctb pps->num_tile_rows++; }

Version info

MP4Box - GPAC version 2.1-DEV-rev574-g9d5bb184b-master
(c) 2000-2022 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io

Please cite our work in your research:
    GPAC Filters: https://doi.org/10.1145/3339825.3394929
    GPAC: https://doi.org/10.1145/1291233.1291452

GPAC Configuration: --enable-sanitizer
Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SSL GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_LINUX_DVB  GPAC_DISABLE_3D

Reproduce

compile and run

./configure --enable-sanitizer
make
./MP4Box import -add poc_bof2.mp4

Crash reported by sanitizer

[Core] exp-golomb read failed, not enough bits in bitstream !
[VVC] Warning: Error parsing NAL unit
media_tools/av_parsers.c:10985:29: runtime error: index 33 out of bounds for type 'u32 [33]'

POC

poc_bof2.zip

Impact

Potentially causing DoS and RCE

Credit

Xdchase