CVE-2022-45283: GPAC-2.0.0 MP4Box: stack overflow with unlimited length and controllable content in smil_parse_time_list · Issue #2295 · gpac/gpac
GPAC MP4Box v2.0.0 was discovered to contain a stack overflow in the smil_parse_time_list function at /scenegraph/svg_attributes.c.
- I looked for a similar issue and couldn’t find any.
- I tried with the latest version of GPAC. Installers available at http://gpac.io/downloads/gpac-nightly-builds/
- I give enough information for contributors to reproduce my issue (meaningful title, github labels, platform and compiler, command-line …). I can share files anonymously with this dropbox: https://www.mediafire.com/filedrop/filedrop_hosted.php?drop=eec9e058a9486fe4e99c33021481d9e1826ca9dbc242a6cfaab0fe95da5e5d95
Description
A fixed-length stack buffer, value_string[500], is allocated in smil_parse_time_list. The later memcpy does not check len against the size of that buffer and simply copies the content into it, causing an overflow.

```c
static void smil_parse_time_list(GF_Node *e, GF_List *values, char *begin_or_end_list)
{
	SMIL_Time *value;
	char value_string[500];
	char *str = begin_or_end_list, *tmp;
	u32 len;

	/* get rid of leading spaces */
	while (*str == ' ') str++;

	while (1) {
		tmp = strchr(str, ';');
		if (tmp) len = (u32) (tmp-str);
		else len = (u32) strlen(str);
		memcpy(value_string, str, len);
		while ((len > 0) && (value_string[len - 1] == ' '))
		/* ... */
```
Impact
Since the content is fully controlled by the user, an unbounded length causes a stack overflow that corrupts the stack canary, leading to a denial of service or potentially remote code execution.
Mitigation
A length check before the memcpy is enough: len must stay below 500 bytes, the size of value_string, and items that do not fit should be rejected.
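A bounded version of the copy loop, as an added example (not GPAC's code and not the fix the project shipped): the item length is checked against the 500-byte buffer before the memcpy, and an oversized item is rejected. The function names and the parse_run_of helper, which builds a constructed input of n bytes, are invented for this demonstration.

```c
#include <stdlib.h>
#include <string.h>

#define SMIL_VALUE_MAX 500   /* same size as the original value_string[500] */

/* Copy one ';'-separated item into a fixed buffer and trim trailing spaces.
 * Unlike the original unchecked memcpy(value_string, str, len), len is checked
 * against the buffer first. Returns 0 on success, -1 if the item does not fit. */
static int copy_item(char *dst, size_t dst_size, const char *src, size_t len)
{
    if (len >= dst_size) return -1;  /* leave room for the terminating NUL */
    memcpy(dst, src, len);
    while (len > 0 && dst[len - 1] == ' ') len--;
    dst[len] = '\0';
    return 0;
}

/* Walk a begin/end list the way the loop shown in the report does, but bounded.
 * Returns the number of items, or -1 if any item is too long (reject the attribute). */
int parse_time_list_bounded(const char *list)
{
    char value_string[SMIL_VALUE_MAX];
    const char *str = list;
    int count = 0;
    while (*str == ' ') str++;       /* get rid of leading spaces */
    for (;;) {
        const char *tmp = strchr(str, ';');
        size_t len = tmp ? (size_t)(tmp - str) : strlen(str);
        if (copy_item(value_string, sizeof value_string, str, len) != 0) return -1;
        count++;
        if (!tmp) break;
        str = tmp + 1;
        while (*str == ' ') str++;
    }
    return count;
}

/* Constructed input (hypothetical helper): a single item of n bytes of 'a'.
 * Returns the parse result, so 0x6804 bytes (the len seen in GDB) is rejected. */
int parse_run_of(size_t n)
{
    char *buf = malloc(n + 1);
    if (!buf) return -2;
    memset(buf, 'a', n);
    buf[n] = '\0';
    int r = parse_time_list_bounded(buf);
    free(buf);
    return r;
}
```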
Reproduce
On Ubuntu 22.04 LTS, build with:

```sh
./configure --static-bin
make
```

Run the following command on POC.svg:

```sh
MP4Box -mp4 -sync 0x1000 ./POC.svg
```

You should get a buffer overflow detected error:

```
[Parser] SVG Scene Parsing: ../encode_2-gpac-2.0.0/out/default/crashes/0.svg
*** buffer overflow detected ***: terminated | (00/100)
Aborted
```
GDB info before crash

The __memcpy_chk arguments show the problem directly: len is 0x6804 (26628) bytes while dstlen is 0x1f4 (500), the size of value_string.

```
[ REGISTERS ]
RAX 0x6804
RBX 0x0
RCX 0x1f4
RDX 0x6804
*RDI 0x7fffffff6640 ◂— 0x0
RSI 0xda20cc ◂— 0xff22802d68353548
R8 0x0
R9 0xda08b0 ◂— 0x0
R10 0xda2050 ◂— 0x1790
R11 0xd80c00 (main_arena+96) —▸ 0xdabcf0 ◂— 0x0
R12 0xda08b0 ◂— 0x0
R13 0x7fffffff6640 ◂— 0x0
R14 0xda20cc ◂— 0xff22802d68353548
R15 0xb650c3 ◂— 'wallclock('
RBP 0x6804
RSP 0x7fffffff6600 ◂— 0x0
*RIP 0x4c756b (smil_parse_time_list+123) ◂— call 0xadfe30
[ DISASM / x86-64 ]
0x4c77e2 <smil_parse_time_list+754> jmp smil_parse_time_list+110 <smil_parse_time_list+110>
↓
0x4c755e <smil_parse_time_list+110> mov edx, ebp
0x4c7560 <smil_parse_time_list+112> mov ecx, 0x1f4
0x4c7565 <smil_parse_time_list+117> mov rsi, r14
0x4c7568 <smil_parse_time_list+120> mov rdi, r13
► 0x4c756b <smil_parse_time_list+123> call __memcpy_chk <__memcpy_chk>
dstpp: 0x7fffffff6640 ◂— 0x0
srcpp: 0xda20cc ◂— 0xff22802d68353548
len: 0x6804
dstlen: 0x1f4
```
Backtrace
```
pwndbg> bt
#0 0x0000000000a84c3c in pthread_kill ()
#1 0x0000000000a640d6 in raise ()
#2 0x0000000000402136 in abort ()
#3 0x0000000000a7b476 in __libc_message ()
#4 0x0000000000adfe2a in __fortify_fail ()
#5 0x0000000000adfc46 in __chk_fail ()
#6 0x00000000004c7570 in smil_parse_time_list ()
#7 0x00000000004c965b in gf_svg_parse_attribute ()
#8 0x000000000063d178 in svg_node_start ()
#9 0x0000000000463486 in xml_sax_node_start ()
#10 0x0000000000464629 in xml_sax_parse ()
#11 0x0000000000464e63 in xml_sax_read_file.part ()
#12 0x000000000046515e in gf_xml_sax_parse_file ()
#13 0x000000000063b80a in load_svg_run ()
#14 0x000000000042a5e8 in EncodeFile ()
#15 0x000000000041252c in mp4boxMain ()
#16 0x0000000000a598fa in __libc_start_call_main ()
#17 0x0000000000a5b157 in __libc_start_main_impl ()
#18 0x0000000000402b95 in _start ()
```
Credit
xdchase
POC
POC-bof.zip
Related news
Gentoo Linux Security Advisory 202408-21 - Multiple vulnerabilities have been discovered in GPAC, the worst of which could lead to arbitrary code execution. Versions greater than or equal to 2.2.0 are affected.
Debian Linux Security Advisory 5411-1 - Multiple issues were found in GPAC multimedia framework, which could result in denial of service or potentially the execution of arbitrary code.