Headline
CVE-2022-45202: Stack buffer overflow in function dimC_box_read at isomedia/box_code_3gpp.c:1070 · Issue #2296 · gpac/gpac
GPAC v2.1-DEV-rev428-gcb8ae46c8-master was discovered to contain a stack overflow via the function dimC_box_read at isomedia/box_code_3gpp.c.
···
/MP4Box -version
MP4Box - GPAC version 2.1-DEV-rev428-gcb8ae46c8-master
© 2000-2022 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
GPAC Configuration: --enable-sanitizer
Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_LINUX_DVB
···
[AV1] Error parsing tile group, tile 0 start 58 + size 17220 exceeds OBU length 3
[AV1] Frame parsing did not consume the right number of bytes !
[AV1] could not parse AV1 OBU at position 42. Leaving parsing.
[ISOBMFF] AV1ConfigurationBox overflow read 17 bytes, of box size 16.
[iso file] Box "av1C" size 24 (start 20) invalid (read 25)
=================================================================
==22786==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fff0c1f8a40 at pc 0x7f7bb77cb3ad bp 0x7fff0c1f85d0 sp 0x7fff0c1f7d78
READ of size 1031 at 0x7fff0c1f8a40 thread T0
#0 0x7f7bb77cb3ac in __interceptor_strdup ../../../../src/libsanitizer/asan/asan_interceptors.cc:443
#1 0x7f7bb43ee2dd in dimC_box_read isomedia/box_code_3gpp.c:1070
#2 0x7f7bb44aca33 in gf_isom_box_read isomedia/box_funcs.c:1866
#3 0x7f7bb44aca33 in gf_isom_box_parse_ex isomedia/box_funcs.c:271
#4 0x7f7bb44ade85 in gf_isom_parse_root_box isomedia/box_funcs.c:38
#5 0x7f7bb44d6efc in gf_isom_parse_movie_boxes_internal isomedia/isom_intern.c:378
#6 0x7f7bb44dd111 in gf_isom_parse_movie_boxes isomedia/isom_intern.c:868
#7 0x7f7bb44dd111 in gf_isom_open_file isomedia/isom_intern.c:988
#8 0x55829fb43139 in mp4box_main /home/fuzz/gpac/applications/mp4box/mp4box.c:6211
#9 0x7f7bb1a59082 in __libc_start_main ../csu/libc-start.c:308
#10 0x55829fb1ecbd in _start (/home/fuzz/gpac/bin/gcc/MP4Box+0xa3cbd)
Address 0x7fff0c1f8a40 is located in stack of thread T0 at offset 1056 in frame
#0 0x7f7bb43edeff in dimC_box_read isomedia/box_code_3gpp.c:1048
This frame has 1 object(s):
[32, 1056) 'str' (line 1049) <== Memory access at offset 1056 overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
(longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow ../../../../src/libsanitizer/asan/asan_interceptors.cc:443 in __interceptor_strdup
Shadow bytes around the buggy address:
0x1000618370f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100061837100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100061837110: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100061837120: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100061837130: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x100061837140: 00 00 00 00 00 00 00 00[f3]f3 f3 f3 f3 f3 f3 f3
0x100061837150: f3 f3 f3 f3 f3 f3 f3 f3 00 00 00 00 00 00 00 00
0x100061837160: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100061837170: f1 f1 f1 f1 f1 f1 f8 f2 00 f2 f2 f2 00 00 f3 f3
0x100061837180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100061837190: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==22786==ABORTING
This is capable of causing crashes and allowing modification of stack memory which could lead to remote code execution.
GF_Err dimC_box_read(GF_Box *s, GF_BitStream *bs)
{
char str[1024];
u32 i;
GF_DIMSSceneConfigBox *p = (GF_DIMSSceneConfigBox *)s;
ISOM_DECREASE_SIZE(p, 3);
p->profile = gf_bs_read_u8(bs);
p->level = gf_bs_read_u8(bs);
p->pathComponents = gf_bs_read_int(bs, 4);
p->fullRequestHost = gf_bs_read_int(bs, 1);
p->streamType = gf_bs_read_int(bs, 1);
p->containsRedundant = gf_bs_read_int(bs, 2);
i=0;
str[0]=0;
while (i < GF_ARRAY_LENGTH(str)) {
str[i] = gf_bs_read_u8(bs);
if (!str[i]) break;
i++;
}
ISOM_DECREASE_SIZE(p, i);
**p->textEncoding = gf_strdup(str);** //line:1070 this issue
i=0;
str[0]=0;
while (i < GF_ARRAY_LENGTH(str)) {
str[i] = gf_bs_read_u8(bs);
if (!str[i]) break;
i++;
}
ISOM_DECREASE_SIZE(p, i);
p->contentEncoding = gf_strdup(str); //line:1081 issue 2294 related
return GF_OK;
}
Related news
Gentoo Linux Security Advisory 202408-21 - Multiple vulnerabilities have been discovered in GPAC, the worst of which could lead to arbitrary code execution. Versions greater than or equal to 2.2.0 are affected.
Debian Linux Security Advisory 5411-1 - Multiple issues were found in GPAC multimedia framework, which could result in denial of service or potentially the execution of arbitrary code.