Headline
CVE-2023-37767: SEGV on unknown address 0x000000000000 · Issue #2514 · gpac/gpac
GPAC v2.3-DEV-rev381-g817a848f6-master was discovered to contain a segmentation violation in the BM_ParseIndexValueReplace function at /lib/libgpac.so.
Hello,I use the fuzzer(AFL) to fuzz binary gpac and got some crashes.
The following is the details.
Title: SEGV on unknown address 0x000000000000
1. Description
A SEGV on unknown address 0x000000000000 has occurred in function dump_isom_scene /root/gpac/applications/mp4box/filedump.c:209:14
when running program MP4Box, this can reproduce on the lattest commit.
2. Software version info
fuzz@ubuntu:~/gpac2.1/gpac/bin/gcc$ MP4Box -version
MP4Box - GPAC version 2.3-DEV-rev381-g817a848f6-master
(c) 2000-2023 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
3. System version info
./uname -a
Linux ouc7 5.4.0-150-generic #167-Ubuntu SMP Mon May 15 17:35:05 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux
4. Command
5. Result
[iso file] Unknown box type 0000 in parent moov
[iso file] Unknown box type 0000 in parent moov
[iso file] Unknown box type 0000 in parent moov
[iso file] Unknown box type 0000 in parent moov
[iso file] Unknown box type 0000 in parent moov
[iso file] Unknown box type 0000 in parent moov
[iso file] Unknown box type 0000 in parent minf
[iso file] Missing DataInformationBox
[iso file] Unknown box type 0000 in parent moov
[iso file] Read Box type 0000 (0x30303030) at position 11542 has size 0 but is not at root/file level. Forbidden, skipping end of parent box !
[iso file] Box "moov" (start 20) has 806 extra bytes
[iso file] Unknown top-level box type 0000
[iso file] Incomplete box 0000 - start 12356 size 808363764
[iso file] Incomplete file while reading for dump - aborting parsing
[iso file] Unknown box type 0000 in parent moov
[iso file] Unknown box type 0000 in parent moov
[iso file] Unknown box type 0000 in parent moov
[iso file] Unknown box type 0000 in parent moov
[iso file] Unknown box type 0000 in parent moov
[iso file] Unknown box type 0000 in parent moov
[iso file] Unknown box type 0000 in parent minf
[iso file] Missing DataInformationBox
[iso file] Unknown box type 0000 in parent moov
[iso file] Read Box type 0000 (0x30303030) at position 11542 has size 0 but is not at root/file level. Forbidden, skipping end of parent box !
[iso file] Box "moov" (start 20) has 806 extra bytes
[iso file] Unknown top-level box type 0000
[iso file] Incomplete box 0000 - start 12356 size 808363764
[iso file] Incomplete file while reading for dump - aborting parsing
MPEG-4 BIFS Scene Parsing
[ODF] Reading bifs config: shift in sizes (not supported)
UndefinedBehaviorSanitizer:DEADLYSIGNAL/100)
==3773381==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f064cc53d31 bp 0x000000000000 sp 0x7ffe4c9c9210 T3773381)
==3773381==The signal is caused by a READ memory access.
==3773381==Hint: address points to the zero page.
#0 0x7f064cc53d31 in BM_ParseIndexValueReplace (/usr/local/lib/libgpac.so.12+0x259d31)
#1 0x7f064cc544b1 in BM_ParseCommand (/usr/local/lib/libgpac.so.12+0x25a4b1)
#2 0x7f064cc54b50 in gf_bifs_decode_command_list (/usr/local/lib/libgpac.so.12+0x25ab50)
#3 0x7f064ceaebbb in gf_sm_load_run_isom (/usr/local/lib/libgpac.so.12+0x4b4bbb)
#4 0x450461 in dump_isom_scene /root/gpac/applications/mp4box/filedump.c:209:14
#5 0x4478b0 in mp4box_main /root/gpac/applications/mp4box/mp4box.c:6461:7
#6 0x7f064c68d082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082)
#7 0x41304d in _start (/usr/local/bin/MP4Box+0x41304d)
UndefinedBehaviorSanitizer can not provide additional info.
SUMMARY: UndefinedBehaviorSanitizer: SEGV (/usr/local/lib/libgpac.so.12+0x259d31) in BM_ParseIndexValueReplace
==3773381==ABORTING
6. Impact
This vulnerability is capable of crashing software, Bypass Protection Mechanism, Modify Memory, and possible remote execution.
7. POC
POC file
poc1.zip
Report of the Information Security Laboratory of Ocean University of China @OUC_ISLOUC @OUC_Blue_Whale