CVE-2023-48039: memory leaks in gf_mpd_parse_string media_tools/mpd.c:75 · Issue #2679 · gpac/gpac
GPAC 2.3-DEV-rev617-g671976fcc-master is vulnerable to memory leak in gf_mpd_parse_string media_tools/mpd.c:75.
1. Version
./MP4Box -version
MP4Box - GPAC version 2.3-DEV-rev617-g671976fcc-master
© 2000-2023 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io/
Please cite our work in your research:
GPAC Filters: https://doi.org/10.1145/3339825.3394929
GPAC: https://doi.org/10.1145/1291233.1291452
GPAC Configuration:
Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SSL GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_JPEG GPAC_HAS_PNG GPAC_HAS_LINUX_DVB GPAC_DISABLE_3D
2. ASAN
[DASH] Updated manifest:
P#1: start 0 - duration 0 - xlink none
[DASH] Manifest after update:
P#1: start 0 - duration 0 - xlink none
[DASH] Setting up period start 0 duration 0 xlink none ID DID1
[DASH] AS#1 changed quality to bitrate 10 kbps - Width 1280 Height 720 FPS 30/1 (playback speed 1)
[DASH] AS#2 changed quality to bitrate 120 kbps - Width 384 Height 256 FPS 30/1 (playback speed 1)
[DASH] No ROUTE entity on HTTP request
[DASH] Segment duration unknown - cannot estimate current startNumber
[DASH] Cannot try to download (null)… out of memory ?
[DASH] AS#3 changed quality to bitrate 120 kbps - Width 448 Height 256 FPS 30/1 (playback speed 1)
[DASH] AS#4 changed quality to bitrate 120 kbps - Width 448 Height 256 FPS 30/1 (playback speed 1)
[DASH] AS#5 changed quality to bitrate 120 kbps - Width 384 Height 256 FPS 30/1 (playback speed 1)
[DASH] Adaptation 16: non-video in a video group - disabling it
[DASH] AS#6 changed quality to bitrate 31 kbps (playback speed 1)
[DASH] AS#6 changed quality to bitrate 120 kbps - Width 448 Height 256 FPS 30/1 (playback speed 1)
[DASH] AS#7 changed quality to bitrate 120 kbps - Width 448 Height 256 FPS 30/1 (playback speed 1)
[DASH] AS#8 changed quality to bitrate 120 kbps - Width 384 Height 208 FPS 30/1 (playback speed 1)
[DASH] AS#9 changed quality to bitrate 120 kbps - Width 448 Height 208 FPS 30/1 (playback speed 1)
[DASH] AS#10 changed quality to bitrate 120 kbps - Width 448 Height 208 FPS 30/1 (playback speed 1)
[DASH] No ROUTE entity on HTTP request
[DASH] AST at init 1621274304781
[DASH] At current time 78047975763 ms: Initializing Timeline: startNumber=1 segmentNumber=78047975 segmentDuration=1.000000 - 0.000 seconds in segment (start range 7.8048e+07)
[DASH] No ROUTE entity on HTTP request
[DASH] AST at init 1621274304781
[DASH] At current time 78047975763 ms: Initializing Timeline: startNumber=1 segmentNumber=78047975 segmentDuration=1.000000 - 0.000 seconds in segment (start range 7.8048e+07)
[DASH] No ROUTE entity on HTTP request
[DASH] Segment duration unknown - cannot estimate current startNumber
[DASH] No ROUTE entity on HTTP request
[DASH] AST at init 1621274304781
[DASH] At current time 78047975763 ms: Initializing Timeline: startNumber=1 segmentNumber=78047975 segmentDuration=1.000000 - 0.000 seconds in segment (start range 7.8048e+07)
[DASH] No ROUTE entity on HTTP request
[DASH] AST at init 1621274304781
[DASH] At current time 78047975763 ms: Initializing Timeline: startNumber=1 segmentNumber=78047975 segmentDuration=1.000000 - 0.000 seconds in segment (start range 7.8048e+07)
[DASH] No ROUTE entity on HTTP request
[DASH] AST at init 1621274304781
[DASH] At current time 78047975763 ms: Initializing Timeline: startNumber=1 segmentNumber=78047975 segmentDuration=1.000000 - 0.000 seconds in segment (start range 7.8048e+07)
[DASH] No ROUTE entity on HTTP request
[DASH] AST at init 1621274304781
[DASH] At current time 78047975763 ms: Initializing Timeline: startNumber=1 segmentNumber=78047975 segmentDuration=1.000000 - 0.000 seconds in segment (start range 7.8048e+07)
[DASH] No ROUTE entity on HTTP request
[DASH] AST at init 1621274304781
[DASH] At current time 78047975763 ms: Initializing Timeline: startNumber=1 segmentNumber=78047975 segmentDuration=1.000000 - 0.000 seconds in segment (start range 7.8048e+07)
[DASH] No ROUTE entity on HTTP request
[DASH] AST at init 1621274304781
[DASH] At current time 78047975763 ms: Initializing Timeline: startNumber=1 segmentNumber=78047975 segmentDuration=1.000000 - 0.000 seconds in segment (start range 7.8048e+07)
[DASH] No ROUTE entity on HTTP request
[DASH] AST at init 1621274304781
[DASH] At current time 78047975763 ms: Initializing Timeline: startNumber=1 segmentNumber=78047975 segmentDuration=1.000000 - 0.000 seconds in segment (start range 7.8048e+07)
[DASHDmx] group 0 error locating plugin for segment - mime type video/mp4 name crashes/live_dash_track1_init.mp4: Requested URL is not valid or cannot be found
Filters not connected:
fout (dst=id_000070,sig_06,src_000600,time_26661155,execs_144902,op_havoc,rep_1_dash.mpd:gpac:segdur=10000/1000:profile=full:!sap:buf=1500:!check_dur:pssh=v:subs_sidx=0) (idx=1)
Arg segdur set but not used
Arg profile set but not used
Arg !sap set but not used
Arg buf set but not used
Arg !check_dur set but not used
Arg pssh set but not used
Arg subs_sidx set but not used
=================================================================
==2943152==ERROR: LeakSanitizer: detected memory leaks
Direct leak of 20 byte(s) in 2 object(s) allocated from:
#0 0x7fb5f41339a7 in __interceptor_strdup ../../../../src/libsanitizer/asan/asan_interceptors.cpp:454
#1 0x7fb5f2fd4bbc in gf_mpd_parse_string media_tools/mpd.c:75
#2 0x7fb5f2fd4bbc in gf_mpd_parse_common_representation_attr media_tools/mpd.c:665
SUMMARY: AddressSanitizer: 20 byte(s) leaked in 2 allocation(s).
3. Reproduction
./MP4Box -dash 10000 $poc
4. POC file
crash.zip
5. Impact
Malicious files that are opened may cause a crash
6. Credit
LOVERJIE
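
For triaging sanitizer output like the LeakSanitizer block in section 2, the following is an added example, not part of the original issue or of GPAC's code. It parses the leak records, skips the allocator interceptor frame, and groups leaks by the first two project frames so repeated fuzzer findings collapse into one bucket. The function names `parse_leaks`, `bucket` and `summarize` are hypothetical, and the sample input is the trace from this report.

```python
import re

# Sample input: the LeakSanitizer block from section 2 of this report.
REPORT = """\
==2943152==ERROR: LeakSanitizer: detected memory leaks
Direct leak of 20 byte(s) in 2 object(s) allocated from:
#0 0x7fb5f41339a7 in __interceptor_strdup ../../../../src/libsanitizer/asan/asan_interceptors.cpp:454
#1 0x7fb5f2fd4bbc in gf_mpd_parse_string media_tools/mpd.c:75
#2 0x7fb5f2fd4bbc in gf_mpd_parse_common_representation_attr media_tools/mpd.c:665
SUMMARY: AddressSanitizer: 20 byte(s) leaked in 2 allocation(s).
"""

LEAK_RE = re.compile(r"^(Direct|Indirect) leak of (\d+) byte\(s\) in (\d+) object\(s\)")
FRAME_RE = re.compile(r"^\s*#(\d+) 0x[0-9a-f]+ in (\S+)(?: (\S+))?")
# Frames that say how memory was obtained, not which code owns it.
ALLOC_NAMES = {"malloc", "calloc", "realloc", "strdup"}


def parse_leaks(text):
    """Return one record per leak: kind, bytes, objects, frames [(func, location)]."""
    leaks, current = [], None
    for line in text.splitlines():
        m = LEAK_RE.match(line.strip())
        if m:
            current = {"kind": m.group(1).lower(), "bytes": int(m.group(2)),
                       "objects": int(m.group(3)), "frames": []}
            leaks.append(current)
            continue
        f = FRAME_RE.match(line)
        if f and current is not None:
            current["frames"].append((f.group(2), f.group(3) or "?"))
        elif not f:
            current = None  # any non-frame line ends the current stack
    return leaks


def bucket(leak):
    """Stable triage key: the first two frames that are not allocator wrappers."""
    own = [(fn, loc) for fn, loc in leak["frames"]
           if not fn.startswith("__interceptor_") and fn not in ALLOC_NAMES]
    return " <- ".join(f"{fn}@{loc}" for fn, loc in own[:2])


def summarize(text):
    """Aggregate leaked bytes and objects per bucket across one or more reports."""
    out = {}
    for leak in parse_leaks(text):
        entry = out.setdefault(bucket(leak), {"bytes": 0, "objects": 0})
        entry["bytes"] += leak["bytes"]
        entry["objects"] += leak["objects"]
    return out
```
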