CVE-2023-46932: heap-buffer-overflow in str2ulong src/media_tools/avilib.c:137:16 in gpac/MP4Box · Issue #2669 · gpac/gpac

Heap Buffer Overflow vulnerability in GPAC version 2.3-DEV-rev617-g671976fcc-master, allows attackers to execute arbitrary code and cause a denial of service (DoS) via str2ulong class in src/media_tools/avilib.c in gpac/MP4Box.


Description

Heap-buffer-overflow in MP4Box.
#0 0x7ffff694c441 in str2ulong /afltest/gpac2/src/media_tools/avilib.c:137:16

Version

MP4Box - GPAC version 2.3-DEV-rev617-g671976fcc-master © 2000-2023 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io

Please cite our work in your research: GPAC Filters: https://doi.org/10.1145/3339825.3394929 GPAC: https://doi.org/10.1145/1291233.1291452

GPAC Configuration: Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SSL GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_JPEG GPAC_HAS_PNG GPAC_HAS_FFMPEG GPAC_HAS_VORBIS GPAC_HAS_LINUX_DVB

ASAN Log

./MP4Box -dash 500 -check-xml -dm2ts -bin -out /dev/null poc6gpac

=================================================================
==1173259==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62100001a330 at pc 0x7ffff694c442 bp 0x7ffffffeea70 sp 0x7ffffffeea68
READ of size 1 at 0x62100001a330 thread T0
    #0 0x7ffff694c441 in str2ulong /afltest/gpac2/src/media_tools/avilib.c:137:16
    #1 0x7ffff694c441 in avi_parse_input_file /afltest/gpac2/src/media_tools/avilib.c:2004:9
    #2 0x7ffff694220a in AVI_open_input_file /afltest/gpac2/src/media_tools/avilib.c:1840:2
    #3 0x7ffff6f9d3f3 in avidmx_process /afltest/gpac2/src/filters/dmx_avi.c:492:14
    #4 0x7ffff6e8f502 in gf_filter_process_task /afltest/gpac2/src/filter_core/filter.c:2971:7
    #5 0x7ffff6e62ee9 in gf_fs_thread_proc /afltest/gpac2/src/filter_core/filter_session.c:2105:3
    #6 0x7ffff6e6193d in gf_fs_run /afltest/gpac2/src/filter_core/filter_session.c:2405:3
    #7 0x7ffff67a625c in gf_dasher_process /afltest/gpac2/src/media_tools/dash_segmenter.c:1236:6
    #8 0x50dfc7 in do_dash /afltest/gpac2/applications/mp4box/mp4box.c:4831:15
    #9 0x50dfc7 in mp4box_main /afltest/gpac2/applications/mp4box/mp4box.c:6245:7
    #10 0x7ffff58cb082 in __libc_start_main /build/glibc-BHL3KM/glibc-2.31/csu/…/csu/libc-start.c:308:16
    #11 0x42adad in _start (/afltest/gpac2/bin/gcc/MP4Box+0x42adad)

0x62100001a330 is located 0 bytes to the right of 4656-byte region [0x621000019100,0x62100001a330)
allocated by thread T0 here:
    #0 0x4a34ed in malloc (/afltest/gpac2/bin/gcc/MP4Box+0x4a34ed)
    #1 0x7ffff6942aae in avi_parse_input_file /afltest/gpac2/src/media_tools/avilib.c:1944:35
    #2 0x7ffff694220a in AVI_open_input_file /afltest/gpac2/src/media_tools/avilib.c:1840:2

SUMMARY: AddressSanitizer: heap-buffer-overflow /afltest/gpac2/src/media_tools/avilib.c:137:16 in str2ulong
Shadow bytes around the buggy address:
  0x0c427fffb410: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c427fffb420: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c427fffb430: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c427fffb440: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c427fffb450: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c427fffb460: 00 00 00 00 00 00[fa]fa fa fa fa fa fa fa fa fa
  0x0c427fffb470: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c427fffb480: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c427fffb490: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c427fffb4a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c427fffb4b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==1173259==ABORTING
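The trace above is a one-byte read exactly at the end of a 4656-byte heap chunk, reached from str2ulong while avi_parse_input_file walks header fields out of a buffer it has just allocated. The shape of that bug is a little-endian field read that trusts its pointer without knowing how many bytes remain. The C below is an added example, not GPAC's own code: it puts the unchecked reader shape next to a cursor-based, bounds-checked version that fails closed on a short chunk. The names avi_cursor, cursor_read_u32 and parse_header_fields, and the sample chunk bytes, are assumed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical cursor over a header chunk that was read into a heap buffer.
 * Tracks the buffer length so every field read can be checked. */
typedef struct {
    const unsigned char *data;
    size_t len;
    size_t pos;
} avi_cursor;

/* Unchecked little-endian 32-bit read: the classic str2ulong shape.
 * It assumes 4 bytes exist at p; a caller that has advanced to the end of a
 * short chunk makes this read past the allocation (what ASan reported above). */
static uint32_t str2ulong_unchecked(const unsigned char *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Bounds-checked replacement: refuses the read when fewer than 4 bytes remain.
 * The check is written as pos > len - 4 (after len >= 4) so that pos + 4
 * can never wrap around. */
static int cursor_read_u32(avi_cursor *c, uint32_t *out)
{
    if (c->data == NULL || c->len < 4 || c->pos > c->len - 4)
        return -1;
    *out = str2ulong_unchecked(c->data + c->pos);
    c->pos += 4;
    return 0;
}

/* Parse up to n consecutive 32-bit header fields from a chunk of len bytes.
 * Returns how many fields were actually read: a chunk that is shorter than the
 * field count it implies stops parsing cleanly instead of overrunning. */
size_t parse_header_fields(const unsigned char *chunk, size_t len,
                           uint32_t *fields, size_t n)
{
    avi_cursor c = { chunk, len, 0 };
    size_t i;
    for (i = 0; i < n; i++) {
        if (cursor_read_u32(&c, &fields[i]) != 0)
            break;
    }
    return i;
}

/* Demo on a constructed chunk whose expected field count exceeds the bytes
 * present: 10 bytes hold two complete fields and two trailing bytes. */
int demo_short_chunk(void)
{
    static const unsigned char chunk[10] = {
        0x01, 0x00, 0x00, 0x00,   /* field 0 = 1 */
        0x10, 0x27, 0x00, 0x00,   /* field 1 = 10000 */
        0xAA, 0xBB                /* incomplete third field */
    };
    uint32_t fields[3] = { 0, 0, 0 };
    size_t got = parse_header_fields(chunk, sizeof chunk, fields, 3);
    printf("read %zu of 3 fields: %u %u\n", got, fields[0], fields[1]);
    return (int)got;   /* 2: the third read is rejected, nothing is read past the buffer */
}
```

Building such a parser with -fsanitize=address, as the reproduction below does for MP4Box, is the quickest way to confirm that the checked version never touches the redzone: the unchecked reader on the same 10-byte input trips ASan at offset 10, the checked one returns 2.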

Reproduction

git clone https://github.com/gpac/gpac.git
cd gpac
./configure --enable-sanitizer
make -j24

./bin/gcc/MP4Box -dash 500 -check-xml -dm2ts -bin -out /dev/null poc6gpac

Thanks for your time!

PoC

poc6gpac: poc6gpac.zip

Impact

This vulnerability is capable of causing crashes, or possible code execution.

Reference

https://github.com/gpac/gpac

Environment

ubuntu:20.04
gcc version 9.4.0 (Ubuntu 9.4.0-1ubuntu1~20.04.2)
clang version 10.0.0-4ubuntu1
afl-cc++4.09

Credit

Zeng Yunxiang

Song Jiaxuan
