Headline
CVE-2022-47094: Null pointer dereference filters/dmx_m2ts.c:343 in m2tsdmx_declare_pid · Issue #2345 · gpac/gpac
GPAC MP4box 2.1-DEV-rev574-g9d5bb184b is vulnerable to Null pointer dereference via filters/dmx_m2ts.c:343 in m2tsdmx_declare_pid
Thanks for reporting your issue. Please make sure these boxes are checked before submitting your issue - thank you!
- I looked for a similar issue and couldn’t find any.
- I tried with the latest version of GPAC. Installers available at http://gpac.io/downloads/gpac-nightly-builds/
- I give enough information for contributors to reproduce my issue (meaningful title, github labels, platform and compiler, command-line …). I can share files anonymously with this dropbox: https://www.mediafire.com/filedrop/filedrop_hosted.php?drop=eec9e058a9486fe4e99c33021481d9e1826ca9dbc242a6cfaab0fe95da5e5d95
Detailed guidelines: http://gpac.io/2013/07/16/how-to-file-a-bug-properly/
Description
Null pointer dereference filters/dmx_m2ts.c:343 in m2tsdmx_declare_pid
Version info
MP4Box - GPAC version 2.1-DEV-rev574-g9d5bb184b-master
(c) 2000-2022 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
Please cite our work in your research:
GPAC Filters: https://doi.org/10.1145/3339825.3394929
GPAC: https://doi.org/10.1145/1291233.1291452
GPAC Configuration: --enable-sanitizer
Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SSL GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_LINUX_DVB GPAC_DISABLE_3D
Reproduce
compile and run
./configure --enable-sanitizer
make
./MP4Box import -add poc_nderef.avi
Crash reported by sanitizer
Broken PAT found reserved PID 0, ignoring
Broken PAT found reserved PID 0, ignoring
Broken PAT found reserved PID 0, ignoring
Broken PAT found reserved PID 0, ignoring
Broken PMT descriptor! size 54, desc size 48 but position 5
MORE sections on pid 4144
Broken PMT descriptor! size 54, desc size 48 but position 10
Broken PMT descriptor! size 54, desc size 48 but position 15
[MPEG-2 TS] PID 4144 reused across programs 8192 and 8192, not completely supported
Broken PMT descriptor! size 54, desc size 48 but position 20
[MPEG-2 TS] PID 4144 reused across programs 8192 and 8192, not completely supported
MORE sections on pid 4144
[MPEG-2 TS] PID 4144 reused across programs 8192 and 8192, not completely supported
[MPEG-2 TS] Invalid PMT es descriptor size for PID 5859
[MPEG-2 TS] TS Packet 3 is scrambled - not supported
Broken PAT found reserved PID 0, ignoring
Broken PAT found reserved PID 0, ignoring
Broken PAT found reserved PID 0, ignoring
Broken PAT found reserved PID 0, ignoring
Broken PMT descriptor! size 54, desc size 48 but position 5
MORE sections on pid 4144
Broken PMT descriptor! size 54, desc size 48 but position 10
Broken PMT descriptor! size 54, desc size 48 but position 15
[MPEG-2 TS] PID 4144 reused across programs 8192 and 8192, not completely supported
Broken PMT descriptor! size 54, desc size 48 but position 20
[MPEG-2 TS] PID 4144 reused across programs 8192 and 8192, not completely supported
MORE sections on pid 4144
[MPEG-2 TS] PID 4144 reused across programs 8192 and 8192, not completely supported
[MPEG-2 TS] Invalid PMT es descriptor size for PID 5859
[M2TSDmx] Stream type 0x30 not supported - ignoring pid
filters/dmx_m2ts.c:343:51: runtime error: member access within null pointer of type 'struct GF_InitialObjectDescriptor'
POC
poc_nderef.zip
Impact
Potentially causing DoS and RCE
Credit
Xdchase
Related news
Gentoo Linux Security Advisory 202408-21 - Multiple vulnerabilities have been discovered in GPAC, the worst of which could lead to arbitrary code execution. Versions greater than or equal to 2.2.0 are affected.
Debian Linux Security Advisory 5411-1 - Multiple issues were found in GPAC multimedia framework, which could result in denial of service or potentially the execution of arbitrary code.