Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2022-47654: buffer overflow in gf_hevc_read_sps_bs_internal function of media_tools/av_parsers.c:8261 · Issue #2350 · gpac/gpac

GPAC MP4box 2.1-DEV-rev593-g007bf61a0 is vulnerable to Buffer Overflow in gf_hevc_read_sps_bs_internal function of media_tools/av_parsers.c:8261

CVE
#linux#js#git#php#rce#perl#buffer_overflow#ssl

Thanks for reporting your issue. Please make sure these boxes are checked before submitting your issue - thank you!

  • I looked for a similar issue and couldn’t find any.
  • I tried with the latest version of GPAC. Installers available at http://gpac.io/downloads/gpac-nightly-builds/
  • I give enough information for contributors to reproduce my issue (meaningful title, github labels, platform and compiler, command-line …). I can share files anonymously with this dropbox: https://www.mediafire.com/filedrop/filedrop_hosted.php?drop=eec9e058a9486fe4e99c33021481d9e1826ca9dbc242a6cfaab0fe95da5e5d95

Detailed guidelines: http://gpac.io/2013/07/16/how-to-file-a-bug-properly/

Description

buffer overflow in gf_hevc_read_sps_bs_internal function of media_tools/av_parsers.c:8261

//sps\_rep\_format\_idx = 0;
if (multiLayerExtSpsFlag) {
    sps->update\_rep\_format\_flag = gf\_bs\_read\_int\_log(bs, 1, "update\_rep\_format\_flag");
    if (sps->update\_rep\_format\_flag) {
        sps->rep\_format\_idx = gf\_bs\_read\_int\_log(bs, 8, "rep\_format\_idx");
        if (sps->rep\_format\_idx\>15) {
            return -1;
        }
    } else {
        sps->rep\_format\_idx = vps->rep\_format\_idx\[layer\_id\]; // overflow
    }

Version info

latest version

MP4Box - GPAC version 2.1-DEV-rev593-g007bf61a0-master
(c) 2000-2022 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io

Please cite our work in your research:
    GPAC Filters: https://doi.org/10.1145/3339825.3394929
    GPAC: https://doi.org/10.1145/1291233.1291452

GPAC Configuration: --enable-sanitizer
Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SSL GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_LINUX_DVB  GPAC_DISABLE_3D

Reproduce

compile and run

./configure --enable-sanitizer
make
./MP4Box import -add poc_bof8.mov

Crash reported by sanitizer

[iso file] Unknown box type dvbs in parent stsd
[HEVC] Error parsing NAL unit type 16
[Core] exp-golomb read failed, not enough bits in bitstream !
[HEVC] Error parsing NAL unit type 32
[Core] exp-golomb read failed, not enough bits in bitstream !
[HEVC] Error parsing NAL unit type 33
[HEVC] Error parsing NAL unit type 16
Track Importing HEVC - Width -10 Height -20316159 FPS 25000/1000
[HEVC] Error parsing NAL Unit 8 (size 0 type 0 frame 0 last POC 0) - skipping
[HEVC] Error parsing NAL unit type 16
[HEVC] Error parsing NAL unit type 0
[Core] exp-golomb read failed, not enough bits in bitstream !
[HEVC] Error parsing NAL unit type 32
[Core] exp-golomb read failed, not enough bits in bitstream !
[HEVC] Error parsing NAL unit type 33
[Core] exp-golomb read failed, not enough bits in bitstream !
[HEVC] Error parsing NAL unit type 34
[Core] exp-golomb read failed, not enough bits in bitstream !
[Core] exp-golomb read failed, not enough bits in bitstream !
[HEVC] Wrong number of layer sets in VPS 5
[HEVC] Error parsing NAL unit type 32
[HEVC] Error parsing Video Param Set
[Core] exp-golomb read failed, not enough bits in bitstream !
[HEVC] Error parsing NAL unit type 32
[Core] exp-golomb read failed, not enough bits in bitstream !
[HEVC] Error parsing NAL unit type 33
[Core] exp-golomb read failed, not enough bits in bitstream !
[Core] exp-golomb read failed, not enough bits in bitstream !
[Core] exp-golomb read failed, not enough bits in bitstream !
[HEVC] Error parsing NAL unit type 34
[Core] exp-golomb read failed, not enough bits in bitstream !
[Core] exp-golomb read failed, not enough bits in bitstream !
[Core] exp-golomb read failed, not enough bits in bitstream !
[HEVC] Error parsing NAL unit type 34
[Core] exp-golomb read failed, not enough bits in bitstream !
[Core] exp-golomb read failed, not enough bits in bitstream !
[Core] exp-golomb read failed, not enough bits in bitstream !
[Core] exp-golomb read failed, not enough bits in bitstream !
[HEVC] sorry, 11 layers in VPS but only 4 supported
[HEVC] Error parsing NAL unit type 32
[HEVC] Error parsing Video Param Set
media_tools/av_parsers.c:8261:45: runtime error: index 45 out of bounds for type 'u32 [16]'

POC

poc_bof8.zip

Impact

Potentially causing DoS and RCE

Credit

Xdchase

Related news

Gentoo Linux Security Advisory 202408-21

Gentoo Linux Security Advisory 202408-21 - Multiple vulnerabilities have been discovered in GPAC, the worst of which could lead to arbitrary code execution. Versions greater than or equal to 2.2.0 are affected.

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE-2023-6905
CVE-2023-6903
CVE-2023-6904
CVE-2023-3907