CVE-2023-47384: Memory Leak in gf_isom_add_chapter isomedia/isom_write.c:3182 · Issue #2672 · gpac/gpac
MP4Box GPAC v2.3-DEV-rev617-g671976fcc-master was discovered to contain a memory leak in the function gf_isom_add_chapter at /isomedia/isom_write.c. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted MP4 file.
1. Version
./MP4Box -version
MP4Box - GPAC version 2.3-DEV-rev617-g671976fcc-master
© 2000-2023 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
Please cite our work in your research:
GPAC Filters: https://doi.org/10.1145/3339825.3394929
GPAC: https://doi.org/10.1145/1291233.1291452
GPAC Configuration:
Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SSL GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_JPEG GPAC_HAS_PNG GPAC_HAS_LINUX_DVB GPAC_DISABLE_3D
2. ASAN Log
[Dasher] No template assigned, using $File$_dash$FS$$Number$
[IsoMedia] Failed to fetch initial sample 1 for track 1
[IsoMedia] Failed to fetch initial sample 1 for track 1
AddressSanitizer:DEADLYSIGNAL
==3416==ERROR: AddressSanitizer: SEGV on unknown address (pc 0x7f340d3b22bc bp 0x7fff33ecd7f0 sp 0x7fff33eccf78 T0)
==3416==The signal is caused by a READ memory access.
==3416==Hint: this fault was caused by a dereference of a high value address (see register values below). Dissassemble the provided pc to learn which register was used.
#0 0x7f340d3b22bc (/lib/x86_64-linux-gnu/libc.so.6+0x1b22bc)
#1 0x7f340f85b8ce in __interceptor_strdup …/…/…/…/src/libsanitizer/asan/asan_interceptors.cpp:450
#2 0x7f340e473095 in gf_isom_add_chapter isomedia/isom_write.c:3182
#3 0x7f340ee901db in mp4_mux_setup_pid filters/mux_isom.c:3763
#4 0x7f340eb04d02 in gf_filter_pid_configure filter_core/filter_pid.c:876
#5 0x7f340eb09a3c in gf_filter_pid_connect_task filter_core/filter_pid.c:1230
#6 0x7f340eb4642f in gf_fs_thread_proc filter_core/filter_session.c:2105
#7 0x7f340eb4d74e in gf_fs_run filter_core/filter_session.c:2405
#8 0x7f340e5b8626 in gf_dasher_process media_tools/dash_segmenter.c:1236
#9 0x560c71d604d9 in do_dash /home/returnzero/gpac/applications/mp4box/mp4box.c:4831
#10 0x560c71d604d9 in mp4box_main /home/returnzero/gpac/applications/mp4box/mp4box.c:6245
#11 0x7f340d229d8f in __libc_start_call_main …/sysdeps/nptl/libc_start_call_main.h:58
#12 0x7f340d229e3f in __libc_start_main_impl …/csu/libc-start.c:392
#13 0x560c71cf6214 in _start (/home/returnzero/gpac/bin/gcc/MP4Box+0x4e214)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/lib/x86_64-linux-gnu/libc.so.6+0x1b22bc)
==3416==ABORTING
3. Reproduction
./MP4Box -dash 10000 $poc
4. PoC
crash65.zip
5. Impact
This vulnerability is capable of causing crashes or leading to DoS.
6. Env
Linux returnzero-virtual-machine 6.2.0-36-generic #37~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Mon Oct 9 15:34:04 UTC 2 x86_64 x86_64 x86_64 GNU/Linux
AFL++ 4.09a
7. Credit
ReturnZero