Headline
CVE-2022-47659: stack-buffer-overflow utils/bitstream.c:732 in gf_bs_read_data · Issue #2354 · gpac/gpac
GPAC MP4box 2.1-DEV-rev644-g5c4df2a67 is vulnerable to Buffer Overflow in gf_bs_read_data
Thanks for reporting your issue. Please make sure these boxes are checked before submitting your issue - thank you!
- I looked for a similar issue and couldn’t find any.
- I tried with the latest version of GPAC. Installers available at http://gpac.io/downloads/gpac-nightly-builds/
- I give enough information for contributors to reproduce my issue (meaningful title, github labels, platform and compiler, command-line …). I can share files anonymously with this dropbox: https://www.mediafire.com/filedrop/filedrop_hosted.php?drop=eec9e058a9486fe4e99c33021481d9e1826ca9dbc242a6cfaab0fe95da5e5d95
Detailed guidelines: http://gpac.io/2013/07/16/how-to-file-a-bug-properly/
Description
stack-buffer-overflow utils/bitstream.c:732 in gf_bs_read_data
Version info
latest version atm
MP4Box - GPAC version 2.1-DEV-rev644-g5c4df2a67-master
(c) 2000-2022 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
Please cite our work in your research:
GPAC Filters: https://doi.org/10.1145/3339825.3394929
GPAC: https://doi.org/10.1145/1291233.1291452
GPAC Configuration: --enable-sanitizer
Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SSL GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_LINUX_DVB GPAC_DISABLE_3D
Reproduce
compile and run
./configure --enable-sanitizer
make
./MP4Box import -cat poc_bof11.mp4
Crash reported by sanitizer
Track Importing AAC - SampleRate 88200 Num Channels 8
=================================================================
==325854==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffc52ec0940 at pc 0x7fa1e477c501 bp 0x7ffc52ebf3a0 sp 0x7ffc52ebf390
WRITE of size 1 at 0x7ffc52ec0940 thread T0
#0 0x7fa1e477c500 in gf_bs_read_data utils/bitstream.c:732
#1 0x7fa1e59d0a8c in latm_dmx_sync_frame_bs filters/reframe_latm.c:170
#2 0x7fa1e59d289f in latm_dmx_sync_frame_bs filters/reframe_latm.c:86
#3 0x7fa1e59d289f in latm_dmx_process filters/reframe_latm.c:526
#4 0x7fa1e55eabac in gf_filter_process_task filter_core/filter.c:2795
#5 0x7fa1e55aa703 in gf_fs_thread_proc filter_core/filter_session.c:1859
#6 0x7fa1e55b700e in gf_fs_run filter_core/filter_session.c:2120
#7 0x7fa1e4ff9a21 in gf_media_import media_tools/media_import.c:1551
#8 0x55a84c1ccb4c in import_file /home/sumuchuan/Desktop/gpac_fuzz/gpac/applications/mp4box/fileimport.c:1498
#9 0x55a84c1d75d7 in cat_isomedia_file /home/sumuchuan/Desktop/gpac_fuzz/gpac/applications/mp4box/fileimport.c:2536
#10 0x55a84c181130 in do_add_cat /home/sumuchuan/Desktop/gpac_fuzz/gpac/applications/mp4box/mp4box.c:4562
#11 0x55a84c181130 in mp4box_main /home/sumuchuan/Desktop/gpac_fuzz/gpac/applications/mp4box/mp4box.c:6124
#12 0x7fa1e2580d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
#13 0x7fa1e2580e3f in __libc_start_main_impl ../csu/libc-start.c:392
#14 0x55a84c15dcb4 in _start (/home/sumuchuan/Desktop/gpac_fuzz/gpac/bin/gcc/MP4Box+0xabcb4)
Address 0x7ffc52ec0940 is located in stack of thread T0 at offset 5088 in frame
#0 0x7fa1e59d20af in latm_dmx_process filters/reframe_latm.c:456
This frame has 19 object(s):
[48, 52) 'pck_size' (line 461)
[64, 68) 'latm_frame_size' (line 525)
[80, 84) 'dsi_s' (line 312)
[96, 104) 'output' (line 460)
[128, 136) 'dsi_b' (line 311)
[160, 184) '<unknown>'
[224, 248) '<unknown>'
[288, 312) '<unknown>'
[352, 376) '<unknown>'
[416, 440) '<unknown>'
[480, 504) '<unknown>'
[544, 568) '<unknown>'
[608, 632) '<unknown>'
[672, 696) '<unknown>'
[736, 760) '<unknown>'
[800, 824) '<unknown>'
[864, 888) '<unknown>'
[928, 952) '<unknown>'
[992, 5088) 'latm_buffer' (line 524) <== Memory access at offset 5088 overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
(longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow utils/bitstream.c:732 in gf_bs_read_data
Shadow bytes around the buggy address:
0x10000a5d00d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10000a5d00e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10000a5d00f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10000a5d0100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10000a5d0110: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x10000a5d0120: 00 00 00 00 00 00 00 00[f3]f3 f3 f3 f3 f3 f3 f3
0x10000a5d0130: f3 f3 f3 f3 f3 f3 f3 f3 00 00 00 00 00 00 00 00
0x10000a5d0140: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10000a5d0150: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10000a5d0160: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10000a5d0170: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==325854==ABORTING
POC
poc_bof11.zip
Impact
Potentially causing DoS and RCE
Credit
Xdchase
Related news
Gentoo Linux Security Advisory 202408-21 - Multiple vulnerabilities have been discovered in GPAC, the worst of which could lead to arbitrary code execution. Versions greater than or equal to 2.2.0 are affected.
Debian Linux Security Advisory 5411-1 - Multiple issues were found in GPAC multimedia framework, which could result in denial of service or potentially the execution of arbitrary code.