CVE-2022-46490: Memory leak in afrt_box_read function of box_code_adobe.c:706:35 · Issue #2327 · gpac/gpac

GPAC version 2.1-DEV-rev505-gb9577e6ad-master was discovered to contain a memory leak via the afrt_box_read function at box_code_adobe.c.

A memory leak occurred when running the program MP4Box; this can be reproduced on the latest commit.

Version

$ ./MP4Box -version                              
MP4Box - GPAC version 2.1-DEV-rev505-gb9577e6ad-master
(c) 2000-2022 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io

Please cite our work in your research:
    GPAC Filters: https://doi.org/10.1145/3339825.3394929
    GPAC: https://doi.org/10.1145/1291233.1291452

GPAC Configuration: --static-build --extra-cflags=-fsanitize=address -g --extra-ldflags=-fsanitize=address -g
Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SSL GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_FREETYPE GPAC_HAS_JPEG GPAC_HAS_PNG GPAC_HAS_LINUX_DVB

git log

commit b9577e6ad91ef96decbcd369227ab02b2842c77f (HEAD -> master, origin/master, origin/HEAD)
Author: jeanlf <[email protected]>
Date:   Fri Nov 25 16:53:55 2022 +0100

Verification steps

export CFLAGS='-fsanitize=address -g'
export CC=/usr/bin/clang
export CXX=/usr/bin/clang++ 
git clone https://github.com/gpac/gpac.git
cd gpac
./configure --static-build --extra-cflags="${CFLAGS}" --extra-ldflags="${CFLAGS}"
make
cd bin/gcc
./MP4Box -info $poc

POC file

https://github.com/HotSpurzzZ/testcases/blob/main/gpac/gpac_Direct_leak_afrt_box_read.mp4

AddressSanitizer output

$ ./MP4Box -info gpac_Direct_leak_afrt_box_read.mp4       
[isom] not enough bytes in box afrt: 0 left, reading 1 (file isomedia/box_code_adobe.c, line 713)
[iso file] Read Box "afrt" (start 0) failed (Invalid IsoMedia File) - skipping
Error opening file gpac_Direct_leak_afrt_box_read.mp4: Invalid IsoMedia File

=================================================================
==10525==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 24 byte(s) in 1 object(s) allocated from:
    #0 0x4a186d in malloc (/root/Desktop/gpac/bin/gcc/MP4Box+0x4a186d)
    #1 0x902c18 in afrt_box_read /root/Desktop/gpac/src/isomedia/box_code_adobe.c:706:35

SUMMARY: AddressSanitizer: 24 byte(s) leaked in 1 allocation(s).
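
A simplified model of the pattern this trace points to, added here as an illustration and not taken from GPAC's source or from the issue: an entry is allocated, the remaining-bytes check then fails, and the function returns before any list owns the entry. All type and function names are hypothetical, and placing the leak on this early-return path is an assumption drawn from the allocation at line 706 and the short-read error at line 713.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Simplified model, not GPAC source: every name here is hypothetical. */
typedef struct { uint64_t first_ts; uint32_t first_seg; uint32_t duration; } Entry;
typedef struct { Entry **items; size_t count; } Table;
typedef struct { const uint8_t *p; size_t left; } Reader;
static long live_allocs;  /* entries allocated and not yet freed (stand-in for LeakSanitizer) */
static void *xmalloc(size_t n) { void *m = malloc(n); if (m) live_allocs++; return m; }
static void xfree(void *m) { if (m) { live_allocs--; free(m); } }

/* Read one entry; hardened != 0 releases the entry on the short-read path. */
static int read_entry(Reader *r, Table *t, int hardened) {
    Entry *e = xmalloc(sizeof *e);          /* allocation happens before the size check */
    if (!e) return -1;
    if (r->left < 1) {                      /* "not enough bytes in box" */
        if (hardened) xfree(e);             /* without this, e has no owner: direct leak */
        return -1;
    }
    e->first_seg = r->p[0]; e->first_ts = 0; e->duration = 0;
    r->p++; r->left--;
    Entry **grown = realloc(t->items, (t->count + 1) * sizeof *grown);
    if (!grown) { xfree(e); return -1; }
    t->items = grown;
    t->items[t->count++] = e;               /* ownership passes to the table */
    return 0;
}

static void table_free(Table *t) {
    for (size_t i = 0; i < t->count; i++) xfree(t->items[i]);
    free(t->items); t->items = NULL; t->count = 0;
}
/* Parse a constructed payload declaring `declared` entries; return leaked allocations. */
static long leaked_after_parse(const uint8_t *buf, size_t len, size_t declared, int hardened) {
    Reader r = { buf, len }; Table t = { NULL, 0 };
    live_allocs = 0;
    for (size_t i = 0; i < declared; i++)
        if (read_entry(&r, &t, hardened) != 0) break;
    table_free(&t);                         /* caller cleanup frees only listed entries */
    return live_allocs;
}

int main(void) {
    const uint8_t truncated[] = { 7, 9 };   /* constructed: 3 entries declared, 2 bytes present */
    printf("unhardened: %ld leaked\n", leaked_after_parse(truncated, 2, 3, 0));
    printf("hardened:   %ld leaked\n", leaked_after_parse(truncated, 2, 3, 1));
    return 0;
}
```

Building it with `-fsanitize=address` and swapping the counter for plain `malloc`/`free` yields the same kind of "Direct leak ... in 1 object(s)" report for the unhardened path.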

Related news

Gentoo Linux Security Advisory 202408-21

Gentoo Linux Security Advisory 202408-21 - Multiple vulnerabilities have been discovered in GPAC, the worst of which could lead to arbitrary code execution. Versions greater than or equal to 2.2.0 are affected.
