CVE-2022-47661: heap-buffer-overflow media_tools/av_parsers.c:4988 in gf_media_nalu_add_emulation_bytes · Issue #2358 · gpac/gpac

• I looked for a similar issue and couldn’t find any.
• I tried with the latest version of GPAC. Installers available at http://gpac.io/downloads/gpac-nightly-builds/
• I give enough information for contributors to reproduce my issue (meaningful title, github labels,

Description

heap-buffer-overflow media_tools/av_parsers.c:4988 in gf_media_nalu_add_emulation_bytes

Version info

latest version atm

MP4Box - GPAC version 2.1-DEV-rev649-ga8f438d20-master
(c) 2000-2022 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io

Please cite our work in your research:
    GPAC Filters: https://doi.org/10.1145/3339825.3394929
    GPAC: https://doi.org/10.1145/1291233.1291452

GPAC Configuration: --enable-sanitizer
Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SSL GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_LINUX_DVB  GPAC_DISABLE_3D

Reproduce

compile and run

./configure --enable-sanitizer
make
./MP4Box import -catx poc_bof14.mp4

Crash reported by sanitizer

[AVC|H264] Error parsing NAL unit type 8
[AVC|H264] Error parsing Picture Param Set
[avc-h264] SEI user message type 71 size error (71 but 27 remain), keeping full SEI untouched
[AVC|H264] Error parsing NAL unit type 8
[AVC|H264] Error parsing Picture Param Set
[AVC|H264] Error parsing NAL unit type 8
[AVC|H264] Error parsing Picture Param Set
[avc-h264] SEI user message has less than 2 bytes remaining but no end of sei found
=================================================================
==745696==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x615000014780 at pc 0x7f373f26d683 bp 0x7ffd5a01c290 sp 0x7ffd5a01c280
WRITE of size 1 at 0x615000014780 thread T0
    #0 0x7f373f26d682 in gf_media_nalu_add_emulation_bytes media_tools/av_parsers.c:4988
    #1 0x7f373f26d682 in gf_avc_reformat_sei media_tools/av_parsers.c:6355
    #2 0x7f373fccee25 in naludmx_push_prefix filters/reframe_nalu.c:2398
    #3 0x7f373fcee8ac in naludmx_parse_nal_avc filters/reframe_nalu.c:2821
    #4 0x7f373fcee8ac in naludmx_process filters/reframe_nalu.c:3333
    #5 0x7f373f8a5f1d in gf_filter_process_task filter_core/filter.c:2815
    #6 0x7f373f8655a3 in gf_fs_thread_proc filter_core/filter_session.c:1859
    #7 0x7f373f871ece in gf_fs_run filter_core/filter_session.c:2120
    #8 0x7f373f2b49c1 in gf_media_import media_tools/media_import.c:1551
    #9 0x55b1ec0f1b4c in import_file /home/sumuchuan/Desktop/gpac_fuzz/gpac/applications/mp4box/fileimport.c:1498
    #10 0x55b1ec0fc5d7 in cat_isomedia_file /home/sumuchuan/Desktop/gpac_fuzz/gpac/applications/mp4box/fileimport.c:2536
    #11 0x55b1ec0a6130 in do_add_cat /home/sumuchuan/Desktop/gpac_fuzz/gpac/applications/mp4box/mp4box.c:4562
    #12 0x55b1ec0a6130 in mp4box_main /home/sumuchuan/Desktop/gpac_fuzz/gpac/applications/mp4box/mp4box.c:6124
    #13 0x7f373c83bd8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    #14 0x7f373c83be3f in __libc_start_main_impl ../csu/libc-start.c:392
    #15 0x55b1ec082cb4 in _start (/home/sumuchuan/Desktop/gpac_fuzz/gpac/bin/gcc/MP4Box+0xabcb4)

0x615000014780 is located 0 bytes to the right of 512-byte region [0x615000014580,0x615000014780)
allocated by thread T0 here:
    #0 0x7f37423a4867 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
    #1 0x7f373ea2c72a in gf_bs_new utils/bitstream.c:154
    #2 0x7f373f26c993 in gf_avc_reformat_sei media_tools/av_parsers.c:6227
    #3 0x7f373fccee25 in naludmx_push_prefix filters/reframe_nalu.c:2398
    #4 0x7f373fcee8ac in naludmx_parse_nal_avc filters/reframe_nalu.c:2821
    #5 0x7f373fcee8ac in naludmx_process filters/reframe_nalu.c:3333
    #6 0x7f373f8a5f1d in gf_filter_process_task filter_core/filter.c:2815
    #7 0x7f373f8655a3 in gf_fs_thread_proc filter_core/filter_session.c:1859
    #8 0x7f373f871ece in gf_fs_run filter_core/filter_session.c:2120
    #9 0x7f373f2b49c1 in gf_media_import media_tools/media_import.c:1551
    #10 0x55b1ec0f1b4c in import_file /home/sumuchuan/Desktop/gpac_fuzz/gpac/applications/mp4box/fileimport.c:1498
    #11 0x55b1ec0fc5d7 in cat_isomedia_file /home/sumuchuan/Desktop/gpac_fuzz/gpac/applications/mp4box/fileimport.c:2536
    #12 0x55b1ec0a6130 in do_add_cat /home/sumuchuan/Desktop/gpac_fuzz/gpac/applications/mp4box/mp4box.c:4562
    #13 0x55b1ec0a6130 in mp4box_main /home/sumuchuan/Desktop/gpac_fuzz/gpac/applications/mp4box/mp4box.c:6124
    #14 0x7f373c83bd8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58

SUMMARY: AddressSanitizer: heap-buffer-overflow media_tools/av_parsers.c:4988 in gf_media_nalu_add_emulation_bytes
Shadow bytes around the buggy address:
  0x0c2a7fffa8a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2a7fffa8b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c2a7fffa8c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c2a7fffa8d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c2a7fffa8e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c2a7fffa8f0:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2a7fffa900: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2a7fffa910: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2a7fffa920: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2a7fffa930: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2a7fffa940: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==745696==ABORTING

if compile without ASAN and run the same poc

./configure --static-bin
make
./MP4Box import -catx poc_bof14.mp4

The crash will happen at another place

[AVC|H264] Error parsing NAL unit type 8
[AVC|H264] Error parsing Picture Param Set
[avc-h264] SEI user message type 71 size error (71 but 27 remain), keeping full SEI untouched
[AVC|H264] Error parsing NAL unit type 8
[AVC|H264] Error parsing Picture Param Set
[AVC|H264] Error parsing NAL unit type 8
[AVC|H264] Error parsing Picture Param Set
[avc-h264] SEI user message has less than 2 bytes remaining but no end of sei found
[avc-h264] invalid SPS: log2_max_frame_num_minus4 shall be less than 12, but is 16962257
[AVC|H264] Error parsing NAL unit type 7
[AVC|H264] Error parsing NAL unit type 8
[AVC|H264] Error parsing Picture Param Set
[avc-h264] SEI user message type 16 size error (45 but 7 remain), keeping full SEI untouched
[avc-h264] invalid SPS: log2_max_frame_num_minus4 shall be less than 12, but is 32527
[AVC|H264] Error parsing NAL unit type 7
[AVC|H264] Error parsing NAL unit type 8
[AVC|H264] Error parsing Picture Param Set
[AVC|H264] Error parsing NAL unit type 8
[AVC|H264] Error parsing Picture Param Set
[AVC|H264] Error parsing NAL unit type 8
[AVC|H264] Error parsing Picture Param Set
[avc-h264] invalid SPS: log2_max_frame_num_minus4 shall be less than 12, but is 16964897
[AVC|H264] Error parsing NAL unit type 7
[avc-h264] Unknown aspect_ratio_idc: your video may have a wrong aspect ratio. Contact the GPAC team!
[avc-h264] invalid SPS: log2_max_frame_num_minus4 shall be less than 12, but is 63
[AVC|H264] Error parsing NAL unit type 7
[avc-h264] Unknown aspect_ratio_idc: your video may have a wrong aspect ratio. Contact the GPAC team!
realloc(): invalid next size
Aborted

realloc(): invalid next size indicates that there was a bof on heap indeed, overwriting the size field of a heap chunk.

POC

poc_bof14.zip

Impact

Potentially causing DoS and RCE

Credit

Xdchase