CVE-2022-47659: stack-buffer-overflow utils/bitstream.c:732 in gf_bs_read_data · Issue #2354 · gpac/gpac

GPAC MP4box 2.1-DEV-rev644-g5c4df2a67 is vulnerable to Buffer Overflow in gf_bs_read_data


Thanks for reporting your issue. Please make sure these boxes are checked before submitting your issue - thank you!

  • I looked for a similar issue and couldn’t find any.
  • I tried with the latest version of GPAC. Installers available at http://gpac.io/downloads/gpac-nightly-builds/
  • I give enough information for contributors to reproduce my issue (meaningful title, github labels, platform and compiler, command-line …). I can share files anonymously with this dropbox: https://www.mediafire.com/filedrop/filedrop_hosted.php?drop=eec9e058a9486fe4e99c33021481d9e1826ca9dbc242a6cfaab0fe95da5e5d95

Detailed guidelines: http://gpac.io/2013/07/16/how-to-file-a-bug-properly/

Description

stack-buffer-overflow utils/bitstream.c:732 in gf_bs_read_data

Version info

latest version atm

MP4Box - GPAC version 2.1-DEV-rev644-g5c4df2a67-master
(c) 2000-2022 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io

Please cite our work in your research:
    GPAC Filters: https://doi.org/10.1145/3339825.3394929
    GPAC: https://doi.org/10.1145/1291233.1291452

GPAC Configuration: --enable-sanitizer
Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SSL GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_LINUX_DVB  GPAC_DISABLE_3D

Reproduce

compile and run

./configure --enable-sanitizer
make
./MP4Box import -cat poc_bof11.mp4

Crash reported by sanitizer

Track Importing AAC  - SampleRate 88200 Num Channels 8
=================================================================
==325854==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffc52ec0940 at pc 0x7fa1e477c501 bp 0x7ffc52ebf3a0 sp 0x7ffc52ebf390
WRITE of size 1 at 0x7ffc52ec0940 thread T0
    #0 0x7fa1e477c500 in gf_bs_read_data utils/bitstream.c:732
    #1 0x7fa1e59d0a8c in latm_dmx_sync_frame_bs filters/reframe_latm.c:170
    #2 0x7fa1e59d289f in latm_dmx_sync_frame_bs filters/reframe_latm.c:86
    #3 0x7fa1e59d289f in latm_dmx_process filters/reframe_latm.c:526
    #4 0x7fa1e55eabac in gf_filter_process_task filter_core/filter.c:2795
    #5 0x7fa1e55aa703 in gf_fs_thread_proc filter_core/filter_session.c:1859
    #6 0x7fa1e55b700e in gf_fs_run filter_core/filter_session.c:2120
    #7 0x7fa1e4ff9a21 in gf_media_import media_tools/media_import.c:1551
    #8 0x55a84c1ccb4c in import_file /home/sumuchuan/Desktop/gpac_fuzz/gpac/applications/mp4box/fileimport.c:1498
    #9 0x55a84c1d75d7 in cat_isomedia_file /home/sumuchuan/Desktop/gpac_fuzz/gpac/applications/mp4box/fileimport.c:2536
    #10 0x55a84c181130 in do_add_cat /home/sumuchuan/Desktop/gpac_fuzz/gpac/applications/mp4box/mp4box.c:4562
    #11 0x55a84c181130 in mp4box_main /home/sumuchuan/Desktop/gpac_fuzz/gpac/applications/mp4box/mp4box.c:6124
    #12 0x7fa1e2580d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    #13 0x7fa1e2580e3f in __libc_start_main_impl ../csu/libc-start.c:392
    #14 0x55a84c15dcb4 in _start (/home/sumuchuan/Desktop/gpac_fuzz/gpac/bin/gcc/MP4Box+0xabcb4)

Address 0x7ffc52ec0940 is located in stack of thread T0 at offset 5088 in frame
    #0 0x7fa1e59d20af in latm_dmx_process filters/reframe_latm.c:456

  This frame has 19 object(s):
    [48, 52) 'pck_size' (line 461)
    [64, 68) 'latm_frame_size' (line 525)
    [80, 84) 'dsi_s' (line 312)
    [96, 104) 'output' (line 460)
    [128, 136) 'dsi_b' (line 311)
    [160, 184) '<unknown>'
    [224, 248) '<unknown>'
    [288, 312) '<unknown>'
    [352, 376) '<unknown>'
    [416, 440) '<unknown>'
    [480, 504) '<unknown>'
    [544, 568) '<unknown>'
    [608, 632) '<unknown>'
    [672, 696) '<unknown>'
    [736, 760) '<unknown>'
    [800, 824) '<unknown>'
    [864, 888) '<unknown>'
    [928, 952) '<unknown>'
    [992, 5088) 'latm_buffer' (line 524) <== Memory access at offset 5088 overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow utils/bitstream.c:732 in gf_bs_read_data
Shadow bytes around the buggy address:
  0x10000a5d00d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10000a5d00e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10000a5d00f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10000a5d0100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10000a5d0110: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x10000a5d0120: 00 00 00 00 00 00 00 00[f3]f3 f3 f3 f3 f3 f3 f3
  0x10000a5d0130: f3 f3 f3 f3 f3 f3 f3 f3 00 00 00 00 00 00 00 00
  0x10000a5d0140: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10000a5d0150: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10000a5d0160: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10000a5d0170: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==325854==ABORTING

POC

poc_bof11.zip

Impact

Potentially causing DoS and RCE

Credit

Xdchase
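The report above shows a frame length taken from the stream being copied by gf_bs_read_data into the fixed 4096-byte latm_buffer, with the write landing one byte past its end. The following is an added illustration and not GPAC's code: the bit reader, the header builder and all function names are my own, and the only thing assumed is the LOAS AudioSyncStream header layout (11-bit syncword 0x2B7 followed by a 13-bit audioMuxLengthBytes field, so the length can reach 8191).

```c
/* Added example, not GPAC's code: a bounds-checked reader for the LOAS/LATM
 * AudioSyncStream header (11-bit syncword 0x2B7, 13-bit audioMuxLengthBytes),
 * showing the check that keeps the length field from overrunning a fixed
 * 4096-byte stack buffer such as the latm_buffer in the report above. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#define LATM_BUFFER_SIZE 4096   /* same size as the overflowed latm_buffer */
/* Minimal MSB-first bit reader (stand-in for GPAC's bitstream API). */
typedef struct { const uint8_t *data; size_t len; size_t bitpos; } bitreader;
static int br_bits_left(const bitreader *br, size_t n) { return br->bitpos + n <= br->len * 8; }
static uint32_t br_read_bits(bitreader *br, unsigned n) {
    uint32_t v = 0;
    while (n--) {
        v = (v << 1) | ((br->data[br->bitpos / 8] >> (7 - br->bitpos % 8)) & 1);
        br->bitpos++;
    }
    return v;
}
/* Copies one payload into dst and returns its length, or -1 on bad sync,
 * truncated input, or a length that would not fit in dst_cap bytes. */
int latm_sync_frame_checked(const uint8_t *in, size_t in_len,
                            uint8_t *dst, size_t dst_cap) {
    bitreader br = { in, in_len, 0 };
    if (!br_bits_left(&br, 24) || br_read_bits(&br, 11) != 0x2B7) return -1;
    uint32_t frame_size = br_read_bits(&br, 13);                 /* 0..8191 */
    if (frame_size > dst_cap) return -1;        /* the missing check: 8191 > 4096 */
    if (!br_bits_left(&br, (size_t)frame_size * 8)) return -1;  /* truncated input */
    memcpy(dst, in + br.bitpos / 8, frame_size);
    return (int)frame_size;
}
/* Builds a constructed frame: 3-byte LOAS header followed by filler payload. */
size_t make_latm_frame(uint8_t *out, size_t cap, uint32_t frame_size) {
    if (frame_size > 8191 || 3 + frame_size > cap) return 0;
    out[0] = 0x56;                               /* top 8 bits of 0x2B7 */
    out[1] = 0xE0 | ((frame_size >> 8) & 0x1F);  /* low 3 sync bits + length high 5 */
    out[2] = frame_size & 0xFF;
    memset(out + 3, 0xAB, frame_size);           /* constructed payload bytes */
    return 3 + frame_size;
}
/* Self-check: a 100-byte frame fits, a truncated one and a 5000-byte one are refused. */
int latm_demo(void) {
    static uint8_t frame[8192], out[LATM_BUFFER_SIZE];
    size_t n = make_latm_frame(frame, sizeof frame, 100);
    int small_ok = latm_sync_frame_checked(frame, n, out, sizeof out) == 100;
    int trunc_ok = latm_sync_frame_checked(frame, n - 10, out, sizeof out) == -1;
    n = make_latm_frame(frame, sizeof frame, 5000);
    int big_ok = latm_sync_frame_checked(frame, n, out, sizeof out) == -1;
    return small_ok && trunc_ok && big_ok;
}
```

The same clamp applied before the read in the original reframer (comparing the parsed frame size against sizeof(latm_buffer) and rejecting the frame otherwise) is what turns this class of crash into a clean parse error.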

Related news

Gentoo Linux Security Advisory 202408-21

Gentoo Linux Security Advisory 202408-21 - Multiple vulnerabilities have been discovered in GPAC, the worst of which could lead to arbitrary code execution. Versions greater than or equal to 2.2.0 are affected.

Debian Security Advisory 5411-1

Debian Linux Security Advisory 5411-1 - Multiple issues were found in GPAC multimedia framework, which could result in denial of service or potentially the execution of arbitrary code.
