Headline
CVE-2022-47653: buffer overflow in eac3_update_channels function of media_tools/av_parsers.c:9113 · Issue #2349 · gpac/gpac
GPAC MP4box 2.1-DEV-rev593-g007bf61a0 is vulnerable to Buffer Overflow in eac3_update_channels function of media_tools/av_parsers.c:9113
Thanks for reporting your issue. Please make sure these boxes are checked before submitting your issue - thank you!
- I looked for a similar issue and couldn’t find any.
- I tried with the latest version of GPAC. Installers available at http://gpac.io/downloads/gpac-nightly-builds/
- I give enough information for contributors to reproduce my issue (meaningful title, github labels, platform and compiler, command-line …). I can share files anonymously with this dropbox: https://www.mediafire.com/filedrop/filedrop_hosted.php?drop=eec9e058a9486fe4e99c33021481d9e1826ca9dbc242a6cfaab0fe95da5e5d95
Detailed guidelines: http://gpac.io/2013/07/16/how-to-file-a-bug-properly/
Description
buffer overflow in eac3_update_channels function of media_tools/av_parsers.c:9113
static void eac3_update_channels(GF_AC3Config *hdr) { u32 i; for (i=0; i<hdr->nb_streams; i++) { u32 nb_ch = ac3_mod_to_total_chans[hdr->streams[i].acmod]; // overflow if (hdr->streams[i].nb_dep_sub) { hdr->streams[i].chan_loc = eac3_chanmap_to_chan_loc(hdr->streams[i].chan_loc); nb_ch += gf_eac3_get_chan_loc_count(hdr->streams[i].chan_loc); } if (hdr->streams[i].lfon) nb_ch++; hdr->streams[i].channels = nb_ch; hdr->streams[i].surround_channels = ac3_mod_to_surround_chans[hdr->streams[i].acmod]; } }
Version info
latest version
MP4Box - GPAC version 2.1-DEV-rev593-g007bf61a0-master
(c) 2000-2022 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
Please cite our work in your research:
GPAC Filters: https://doi.org/10.1145/3339825.3394929
GPAC: https://doi.org/10.1145/1291233.1291452
GPAC Configuration: --enable-sanitizer
Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SSL GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_LINUX_DVB GPAC_DISABLE_3D
Reproduce
compile and run
./configure --enable-sanitizer
make
./MP4Box import -add poc_bof7.swf
Crash reported by sanitizer
[iso file] Unknown box type dvbs in parent stsd
Track Importing EAC-3 - SampleRate 32000 Num Channels 6
[AC3Dmx] 24 bytes unrecovered before sync word
[AC3Dmx] 13 bytes unrecovered before sync word
media_tools/av_parsers.c:9113:50: runtime error: index 8 out of bounds for type 'GF_AC3StreamInfo [8]'
POC
poc_bof7.zip
Impact
Potentially causing DoS and RCE
Credit
Xdchase
Related news
Gentoo Linux Security Advisory 202408-21 - Multiple vulnerabilities have been discovered in GPAC, the worst of which could lead to arbitrary code execution. Versions greater than or equal to 2.2.0 are affected.