CVE-2023-48014: stack-buffer-overflow in /gpac/src/media_tools/av_parsers.c:7735:42 in hevc_parse_vps_extension · Issue #2613 · gpac/gpac

GPAC v2.3-DEV-rev566-g50c2ab06f-master was discovered to contain a stack overflow via the hevc_parse_vps_extension function at /media_tools/av_parsers.c.


Version

$ ./MP4Box -version
MP4Box - GPAC version 2.3-DEV-rev566-g50c2ab06f-master

Platform

$ uname -a
Linux user-GE40-2PC-Dragon-Eyes 6.2.0-33-generic #33~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Thu Sep  7 10:33:52 UTC 2 x86_64 x86_64 x86_64 GNU/Linux

Asan

/home/user/vul/MP4Box_crash/id000085sig06src003627time38285673execs366724ophavocrep8
[HEVC] Error parsing NAL unit type 2
=================================================================
==833362==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffdcf3828d0 at pc 0x7f6e8e6ab0c1 bp 0x7ffdcf382870 sp 0x7ffdcf382868
WRITE of size 1 at 0x7ffdcf3828d0 thread T0
    #0 0x7f6e8e6ab0c0 in hevc_parse_vps_extension /home/user/fuzzing_gpac/gpac/src/media_tools/av_parsers.c:7735:42
    #1 0x7f6e8e66492e in gf_hevc_read_vps_bs_internal /home/user/fuzzing_gpac/gpac/src/media_tools/av_parsers.c:8095:9
    #2 0x7f6e8e66b0e5 in gf_hevc_parse_nalu_bs /home/user/fuzzing_gpac/gpac/src/media_tools/av_parsers.c:8756:30
    #3 0x7f6e8f25c2ca in naludmx_check_dur /home/user/fuzzing_gpac/gpac/src/filters/reframe_nalu.c:576:10
    #4 0x7f6e8f264622 in naludmx_check_pid /home/user/fuzzing_gpac/gpac/src/filters/reframe_nalu.c:1826:3
    #5 0x7f6e8f252dc5 in naludmx_process /home/user/fuzzing_gpac/gpac/src/filters/reframe_nalu.c:3370:4
    #6 0x7f6e8edafa33 in gf_filter_process_task /home/user/fuzzing_gpac/gpac/src/filter_core/filter.c:2971:7
    #7 0x7f6e8ed7d47b in gf_fs_thread_proc /home/user/fuzzing_gpac/gpac/src/filter_core/filter_session.c:2105:3
    #8 0x7f6e8ed7b5cf in gf_fs_run /home/user/fuzzing_gpac/gpac/src/filter_core/filter_session.c:2405:3
    #9 0x7f6e8e62ac6a in gf_dasher_process /home/user/fuzzing_gpac/gpac/src/media_tools/dash_segmenter.c:1236:6
    #10 0x5572d97a66dc in do_dash /home/user/fuzzing_gpac/gpac/applications/mp4box/mp4box.c:4831:15
    #11 0x5572d9797b6e in mp4box_main /home/user/fuzzing_gpac/gpac/applications/mp4box/mp4box.c:6245:7
    #12 0x7f6e8d629d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #13 0x7f6e8d629e3f in __libc_start_main csu/../csu/libc-start.c:392:3
    #14 0x5572d96bfdd4 in _start (/home/user/fuzzing_gpac/gpac/bin/gcc/MP4Box+0x82dd4) (BuildId: 53333ca7bff59dd9a3d1b2821e7c5f3a9aac76b9)

Address 0x7ffdcf3828d0 is located in stack of thread T0 at offset 80 in frame
    #0 0x7f6e8e6a4abf in hevc_parse_vps_extension /home/user/fuzzing_gpac/gpac/src/media_tools/av_parsers.c:7690

  This frame has 12 object(s):
    [32, 48) 'dimension_id_len' (line 7693)
    [64, 80) 'dim_bit_offset' (line 7693) <== Memory access at offset 80 overflows this variable
    [96, 100) 'layer_set_idx_for_ols_minus1' (line 7695)
    [112, 117) 'nb_output_layers_in_output_layer_set' (line 7696)
    [144, 149) 'ols_highest_output_layer_id' (line 7697)
    [176, 240) 'num_direct_ref_layers' (line 7700)
    [272, 336) 'num_pred_layers' (line 7700)
    [368, 372) 'num_layers_in_tree_partition' (line 7700)
    [384, 400) 'dependency_flag' (line 7701)
    [416, 672) 'id_pred_layers' (line 7701)
    [736, 800) 'layer_id_in_list_flag' (line 7706)
    [832, 896) 'OutputLayerFlag' (line 7707)
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow /home/user/fuzzing_gpac/gpac/src/media_tools/av_parsers.c:7735:42 in hevc_parse_vps_extension
Shadow bytes around the buggy address:
  0x100039e684c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100039e684d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100039e684e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100039e684f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100039e68500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x100039e68510: f1 f1 f1 f1 00 00 f2 f2 00 00[f2]f2 04 f2 05 f2
  0x100039e68520: f2 f2 05 f2 f2 f2 00 00 00 00 00 00 00 00 f2 f2
  0x100039e68530: f2 f2 00 00 00 00 00 00 00 00 f2 f2 f2 f2 04 f2
  0x100039e68540: 00 00 f2 f2 00 00 00 00 00 00 00 00 00 00 00 00
  0x100039e68550: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100039e68560: 00 00 00 00 f2 f2 f2 f2 f2 f2 f2 f2 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==833362==ABORTING
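The frame layout above places dim_bit_offset at [64, 80) and reports a one-byte write at offset 80, i.e. one element past a 16-byte stack array. The following C example is added here and is not GPAC's code: it models the pattern such a report usually indicates, a loop bound taken from the untrusted bitstream indexing a fixed-size stack array, and shows the bounds check that keeps the write inside the array. The bit reader, the 16-flag mask, the 3-bit length fields and the header bytes are constructed assumptions, not taken from av_parsers.c.

```c
#include <stdint.h>
#include <stddef.h>

/* Constructed example: a minimal MSB-first bit reader, not GPAC's gf_bs_* API. */
typedef struct { const uint8_t *buf; size_t len; size_t pos; } BitReader;

static unsigned read_bits(BitReader *br, unsigned n) {
    unsigned v = 0;
    while (n--) {
        unsigned bit = 0;
        if (br->pos / 8 < br->len)            /* reads past the end yield zero */
            bit = (br->buf[br->pos / 8] >> (7 - br->pos % 8)) & 1;
        br->pos++;
        v = (v << 1) | bit;
    }
    return v;
}

#define MAX_DIM 16   /* same size as the dim_bit_offset array in the ASan frame */

/* Offsets are stored at index j+1, so a 16-byte array holds offsets for at most
 * 15 dimensions. An unchecked loop over all 16 mask flags would write
 * dim_bit_offset[16], the one-byte write at frame offset 80 that ASan reports.
 * Returns the dimension count, or -1 when the stream asks for too many. */
int parse_dimension_offsets(BitReader *br, uint8_t dim_bit_offset[MAX_DIM]) {
    unsigned num_types = 0;
    for (unsigned i = 0; i < 16; i++)          /* 16 one-bit mask flags (assumed) */
        num_types += read_bits(br, 1);
    if (num_types >= MAX_DIM)                  /* j+1 must stay below MAX_DIM */
        return -1;
    dim_bit_offset[0] = 0;
    for (unsigned j = 0; j < num_types; j++) {
        uint8_t len = 1 + (uint8_t)read_bits(br, 3);   /* 3-bit length-minus-one */
        dim_bit_offset[j + 1] = dim_bit_offset[j] + len;
    }
    return (int)num_types;
}

/* Constructed headers: 16 mask bits followed by all-zero 3-bit length fields. */
static const uint8_t HDR_15_FLAGS[] = { 0xFF, 0xFE, 0, 0, 0, 0, 0, 0 };  /* 15 flags set */
static const uint8_t HDR_16_FLAGS[] = { 0xFF, 0xFF, 0, 0, 0, 0, 0, 0 };  /* all 16 set */

/* Parse one header on a fresh stack array; last_off receives dim_bit_offset[count]. */
int parse_constructed(const uint8_t *hdr, size_t len, unsigned *last_off) {
    uint8_t off[MAX_DIM] = {0};
    BitReader br = { hdr, len, 0 };
    int n = parse_dimension_offsets(&br, off);
    if (last_off) *last_off = (n > 0) ? off[n] : 0;
    return n;
}
```

With all 16 flags set the hardened parser returns -1 before touching the array; with 15 flags and unit lengths it fills offsets 0..15 and stays in bounds.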

Reproduce

POC File

https://github.com/gandalf4a/crash_report/blob/main/gpac/MP4Box/sbo_7735

Credit
