Headline
CVE-2023-46001: SEGV in gpac/src/isomedia/isom_read.c:2807:51 in gf_isom_get_user_data · Issue #2629 · gpac/gpac
Buffer Overflow vulnerability in gpac MP4Box v.2.3-DEV-rev573-g201320819-master allows a local attacker to cause a denial of service via the gf_isom_get_user_data function in gpac/src/isomedia/isom_read.c:2807:51.
Version
root@4dd48d09e778:~/gpac/bin/gcc# ./MP4Box -version
MP4Box - GPAC version 2.3-DEV-rev573-g201320819-master
(c) 2000-2023 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
Please cite our work in your research:
GPAC Filters: https://doi.org/10.1145/3339825.3394929
GPAC: https://doi.org/10.1145/1291233.1291452
GPAC Configuration:
Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_LINUX_DVB GPAC_DISABLE_3D
Platform
root@4dd48d09e778:~/gpac/bin/gcc# uname -a
Linux 4dd48d09e778 5.15.0-56-generic #62-Ubuntu SMP Tue Nov 22 19:54:14 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
Poc
Pocgpac: https://github.com/S0ngJX/Poc/blob/main/Pocgpac
Asan
root@4dd48d09e778:~/gpac/bin/gcc# ./MP4Box -dash 1000 -profile live -out session.mpd Pocgpac:@reframer:sap=1 Pocgpac
AddressSanitizer:DEADLYSIGNAL
=================================================================
==4066570==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7ffff5cc2ed0 bp 0x7ffffffeaf40 sp 0x7ffffffea6d8 T0)
==4066570==The signal is caused by a READ memory access.
==4066570==Hint: address points to the zero page.
#0 0x7ffff5cc2ed0 (/lib/x86_64-linux-gnu/libc.so.6+0x184ed0)
#1 0x441f94 in MemcmpInterceptorCommon(void*, int (*)(void const*, void const*, unsigned long), void const*, void const*, unsigned long) (/root/gpac/bin/gcc/MP4Box+0x441f94)
#2 0x44236a in bcmp (/root/gpac/bin/gcc/MP4Box+0x44236a)
#3 0x7ffff681ed6d in gf_isom_get_user_data /root/gpac/src/isomedia/isom_read.c:2807:51
#4 0x7ffff71e9acb in isor_declare_track /root/gpac/src/filters/isoffin_load.c:696:5
#5 0x7ffff71fb2f6 in isor_declare_objects /root/gpac/src/filters/isoffin_load.c:1728:3
#6 0x7ffff72023e7 in isoffin_setup /root/gpac/src/filters/isoffin_read.c:181:6
#7 0x7ffff71ffb66 in isoffin_configure_pid /root/gpac/src/filters/isoffin_read.c:477:9
#8 0x7ffff6f1abed in gf_filter_pid_configure /root/gpac/src/filter_core/filter_pid.c:876:6
#9 0x7ffff6f367b6 in gf_filter_pid_connect_task /root/gpac/src/filter_core/filter_pid.c:1230:3
#10 0x7ffff6f85478 in gf_fs_thread_proc /root/gpac/src/filter_core/filter_session.c:2105:3
#11 0x7ffff6f83fed in gf_fs_run /root/gpac/src/filter_core/filter_session.c:2405:3
#12 0x7ffff69bd98c in gf_dasher_process /root/gpac/src/media_tools/dash_segmenter.c:1236:6
#13 0x50dfc7 in do_dash /root/gpac/applications/mp4box/mp4box.c:4831:15
#14 0x50dfc7 in mp4box_main /root/gpac/applications/mp4box/mp4box.c:6245:7
#15 0x7ffff5b62082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082)
#16 0x42adad in _start (/root/gpac/bin/gcc/MP4Box+0x42adad)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/lib/x86_64-linux-gnu/libc.so.6+0x184ed0)
==4066570==ABORTING
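As an added triage example (not part of this issue and not gpac project code), the following Python script parses an AddressSanitizer report of the shape shown above, extracts the signal kind, faulting address and access type, and finds the first frame inside the project's own source tree, which is the frame a maintainer or a fuzzing dashboard would deduplicate on. The embedded report is a trimmed copy of the trace above, constructed for this example; the project source root `/root/gpac/src/` is read off the trace and passed in as an assumed default.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: a trimmed copy of the ASan report in this issue (same
# addresses and frames), embedded so the script runs offline.
SAMPLE_REPORT = """\
AddressSanitizer:DEADLYSIGNAL
=================================================================
==4066570==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7ffff5cc2ed0 bp 0x7ffffffeaf40 sp 0x7ffffffea6d8 T0)
==4066570==The signal is caused by a READ memory access.
==4066570==Hint: address points to the zero page.
#0 0x7ffff5cc2ed0 (/lib/x86_64-linux-gnu/libc.so.6+0x184ed0)
#1 0x441f94 in MemcmpInterceptorCommon(void*, int (*)(void const*, void const*, unsigned long), void const*, void const*, unsigned long) (/root/gpac/bin/gcc/MP4Box+0x441f94)
#2 0x44236a in bcmp (/root/gpac/bin/gcc/MP4Box+0x44236a)
#3 0x7ffff681ed6d in gf_isom_get_user_data /root/gpac/src/isomedia/isom_read.c:2807:51
#4 0x7ffff71e9acb in isor_declare_track /root/gpac/src/filters/isoffin_load.c:696:5
#5 0x7ffff71fb2f6 in isor_declare_objects /root/gpac/src/filters/isoffin_load.c:1728:3
SUMMARY: AddressSanitizer: SEGV (/lib/x86_64-linux-gnu/libc.so.6+0x184ed0)
==4066570==ABORTING
"""


@dataclass
class Frame:
    index: int
    function: Optional[str]   # None when ASan could not symbolize the frame
    location: str             # "file:line:col" or "module+offset"


@dataclass
class Triage:
    error_kind: str           # e.g. "SEGV", "heap-buffer-overflow"
    fault_address: int
    access: Optional[str]     # "READ" / "WRITE" / None
    frames: List[Frame]
    first_project_frame: Optional[Frame]
    classification: str


ERROR_RE = re.compile(r"ERROR: AddressSanitizer: ([\w-]+) on (?:unknown )?address (0x[0-9a-fA-F]+)")
ACCESS_RE = re.compile(r"caused by a (READ|WRITE) memory access")
# "#3 0x... in func /path/file.c:2807:51"  (symbolized with source location)
FRAME_SRC_RE = re.compile(r"#(\d+) 0x[0-9a-fA-F]+ in (.+?) (\S+:\d+:\d+)$")
# "#0 0x... (/lib/libc.so.6+0x184ed0)" or "#2 0x... in bcmp (/path/MP4Box+0x44236a)"
FRAME_MOD_RE = re.compile(r"#(\d+) 0x[0-9a-fA-F]+ (?:in (.+?) )?\((\S+\+0x[0-9a-fA-F]+)\)$")


def classify(error_kind: str, fault_address: int, access: Optional[str]) -> str:
    """Coarse impact bucket from the signal kind and faulting address."""
    if error_kind == "SEGV" and 0 <= fault_address < 0x1000:
        # Zero page: a NULL (or NULL+small offset) dereference, a crash rather than a write primitive
        return f"NULL pointer dereference ({access or 'unknown'} from the zero page): crash / denial of service"
    if error_kind == "SEGV":
        return f"wild {access or 'unknown'} at {fault_address:#x}: needs deeper analysis"
    return f"{error_kind}: memory-safety bug, review for exploitability"


def parse_asan_report(text: str, project_root: str = "/root/gpac/src/") -> Triage:
    """Parse one ASan report; project_root is an assumed default taken from the trace."""
    error_kind, fault_address, access = "unknown", -1, None
    frames: List[Frame] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = ERROR_RE.search(line)
        if m:
            error_kind, fault_address = m.group(1), int(m.group(2), 16)
            continue
        m = ACCESS_RE.search(line)
        if m:
            access = m.group(1)
            continue
        if not line.startswith("#"):
            continue
        m = FRAME_SRC_RE.match(line) or FRAME_MOD_RE.match(line)
        if m:
            frames.append(Frame(int(m.group(1)), m.group(2), m.group(3)))
    # First frame whose source file lives under the project tree (skips libc and ASan interceptors)
    project = next((f for f in frames if f.location.startswith(project_root)), None)
    return Triage(error_kind, fault_address, access, frames,
                  project, classify(error_kind, fault_address, access))


if __name__ == "__main__":
    t = parse_asan_report(SAMPLE_REPORT)
    print(t.classification)
    if t.first_project_frame:
        print(f"crash site: {t.first_project_frame.function} at {t.first_project_frame.location}")
```

Run on the report above, the script skips the libc and interceptor frames, names `gf_isom_get_user_data` at `isom_read.c:2807:51` as the crash site, and, because the trace itself says the fault is a READ from the zero page, buckets it as a NULL pointer dereference (a crash) rather than an out-of-bounds write, which is the distinction that matters when prioritising the fix.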
Reproduce
./MP4Box -dash 1000 -profile live -out session.mpd Pocgpac:@reframer:sap=1 Pocgpac
Credit
Song Jiaxuan (Huazhong University of Science and Technology)
Zeng Yunxiang (Huazhong University of Science and Technology)