CVE-2022-47661: heap-buffer-overflow media_tools/av_parsers.c:4988 in gf_media_nalu_add_emulation_bytes · Issue #2358 · gpac/gpac
GPAC MP4Box 2.1-DEV-rev649-ga8f438d20 is vulnerable to Buffer Overflow via media_tools/av_parsers.c:4988 in gf_media_nalu_add_emulation_bytes
- I looked for a similar issue and couldn’t find any.
- I tried with the latest version of GPAC. Installers available at http://gpac.io/downloads/gpac-nightly-builds/
- I give enough information for contributors to reproduce my issue (meaningful title, github labels,
Description
heap-buffer-overflow media_tools/av_parsers.c:4988 in gf_media_nalu_add_emulation_bytes
Version info
latest version atm
MP4Box - GPAC version 2.1-DEV-rev649-ga8f438d20-master
(c) 2000-2022 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
Please cite our work in your research:
GPAC Filters: https://doi.org/10.1145/3339825.3394929
GPAC: https://doi.org/10.1145/1291233.1291452
GPAC Configuration: --enable-sanitizer
Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SSL GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_LINUX_DVB GPAC_DISABLE_3D
Reproduce
compile and run
./configure --enable-sanitizer
make
./MP4Box import -catx poc_bof14.mp4
Crash reported by sanitizer
[AVC|H264] Error parsing NAL unit type 8
[AVC|H264] Error parsing Picture Param Set
[avc-h264] SEI user message type 71 size error (71 but 27 remain), keeping full SEI untouched
[AVC|H264] Error parsing NAL unit type 8
[AVC|H264] Error parsing Picture Param Set
[AVC|H264] Error parsing NAL unit type 8
[AVC|H264] Error parsing Picture Param Set
[avc-h264] SEI user message has less than 2 bytes remaining but no end of sei found
=================================================================
==745696==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x615000014780 at pc 0x7f373f26d683 bp 0x7ffd5a01c290 sp 0x7ffd5a01c280
WRITE of size 1 at 0x615000014780 thread T0
#0 0x7f373f26d682 in gf_media_nalu_add_emulation_bytes media_tools/av_parsers.c:4988
#1 0x7f373f26d682 in gf_avc_reformat_sei media_tools/av_parsers.c:6355
#2 0x7f373fccee25 in naludmx_push_prefix filters/reframe_nalu.c:2398
#3 0x7f373fcee8ac in naludmx_parse_nal_avc filters/reframe_nalu.c:2821
#4 0x7f373fcee8ac in naludmx_process filters/reframe_nalu.c:3333
#5 0x7f373f8a5f1d in gf_filter_process_task filter_core/filter.c:2815
#6 0x7f373f8655a3 in gf_fs_thread_proc filter_core/filter_session.c:1859
#7 0x7f373f871ece in gf_fs_run filter_core/filter_session.c:2120
#8 0x7f373f2b49c1 in gf_media_import media_tools/media_import.c:1551
#9 0x55b1ec0f1b4c in import_file /home/sumuchuan/Desktop/gpac_fuzz/gpac/applications/mp4box/fileimport.c:1498
#10 0x55b1ec0fc5d7 in cat_isomedia_file /home/sumuchuan/Desktop/gpac_fuzz/gpac/applications/mp4box/fileimport.c:2536
#11 0x55b1ec0a6130 in do_add_cat /home/sumuchuan/Desktop/gpac_fuzz/gpac/applications/mp4box/mp4box.c:4562
#12 0x55b1ec0a6130 in mp4box_main /home/sumuchuan/Desktop/gpac_fuzz/gpac/applications/mp4box/mp4box.c:6124
#13 0x7f373c83bd8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
#14 0x7f373c83be3f in __libc_start_main_impl ../csu/libc-start.c:392
#15 0x55b1ec082cb4 in _start (/home/sumuchuan/Desktop/gpac_fuzz/gpac/bin/gcc/MP4Box+0xabcb4)
0x615000014780 is located 0 bytes to the right of 512-byte region [0x615000014580,0x615000014780)
allocated by thread T0 here:
#0 0x7f37423a4867 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
#1 0x7f373ea2c72a in gf_bs_new utils/bitstream.c:154
#2 0x7f373f26c993 in gf_avc_reformat_sei media_tools/av_parsers.c:6227
#3 0x7f373fccee25 in naludmx_push_prefix filters/reframe_nalu.c:2398
#4 0x7f373fcee8ac in naludmx_parse_nal_avc filters/reframe_nalu.c:2821
#5 0x7f373fcee8ac in naludmx_process filters/reframe_nalu.c:3333
#6 0x7f373f8a5f1d in gf_filter_process_task filter_core/filter.c:2815
#7 0x7f373f8655a3 in gf_fs_thread_proc filter_core/filter_session.c:1859
#8 0x7f373f871ece in gf_fs_run filter_core/filter_session.c:2120
#9 0x7f373f2b49c1 in gf_media_import media_tools/media_import.c:1551
#10 0x55b1ec0f1b4c in import_file /home/sumuchuan/Desktop/gpac_fuzz/gpac/applications/mp4box/fileimport.c:1498
#11 0x55b1ec0fc5d7 in cat_isomedia_file /home/sumuchuan/Desktop/gpac_fuzz/gpac/applications/mp4box/fileimport.c:2536
#12 0x55b1ec0a6130 in do_add_cat /home/sumuchuan/Desktop/gpac_fuzz/gpac/applications/mp4box/mp4box.c:4562
#13 0x55b1ec0a6130 in mp4box_main /home/sumuchuan/Desktop/gpac_fuzz/gpac/applications/mp4box/mp4box.c:6124
#14 0x7f373c83bd8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
SUMMARY: AddressSanitizer: heap-buffer-overflow media_tools/av_parsers.c:4988 in gf_media_nalu_add_emulation_bytes
Shadow bytes around the buggy address:
0x0c2a7fffa8a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c2a7fffa8b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c2a7fffa8c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c2a7fffa8d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c2a7fffa8e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c2a7fffa8f0:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c2a7fffa900: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c2a7fffa910: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c2a7fffa920: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c2a7fffa930: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c2a7fffa940: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==745696==ABORTING
If compiled without ASAN and run with the same PoC:
./configure --static-bin
make
./MP4Box import -catx poc_bof14.mp4
the crash happens in another place:
[AVC|H264] Error parsing NAL unit type 8
[AVC|H264] Error parsing Picture Param Set
[avc-h264] SEI user message type 71 size error (71 but 27 remain), keeping full SEI untouched
[AVC|H264] Error parsing NAL unit type 8
[AVC|H264] Error parsing Picture Param Set
[AVC|H264] Error parsing NAL unit type 8
[AVC|H264] Error parsing Picture Param Set
[avc-h264] SEI user message has less than 2 bytes remaining but no end of sei found
[avc-h264] invalid SPS: log2_max_frame_num_minus4 shall be less than 12, but is 16962257
[AVC|H264] Error parsing NAL unit type 7
[AVC|H264] Error parsing NAL unit type 8
[AVC|H264] Error parsing Picture Param Set
[avc-h264] SEI user message type 16 size error (45 but 7 remain), keeping full SEI untouched
[avc-h264] invalid SPS: log2_max_frame_num_minus4 shall be less than 12, but is 32527
[AVC|H264] Error parsing NAL unit type 7
[AVC|H264] Error parsing NAL unit type 8
[AVC|H264] Error parsing Picture Param Set
[AVC|H264] Error parsing NAL unit type 8
[AVC|H264] Error parsing Picture Param Set
[AVC|H264] Error parsing NAL unit type 8
[AVC|H264] Error parsing Picture Param Set
[avc-h264] invalid SPS: log2_max_frame_num_minus4 shall be less than 12, but is 16964897
[AVC|H264] Error parsing NAL unit type 7
[avc-h264] Unknown aspect_ratio_idc: your video may have a wrong aspect ratio. Contact the GPAC team!
[avc-h264] invalid SPS: log2_max_frame_num_minus4 shall be less than 12, but is 63
[AVC|H264] Error parsing NAL unit type 7
[avc-h264] Unknown aspect_ratio_idc: your video may have a wrong aspect ratio. Contact the GPAC team!
realloc(): invalid next size
Aborted
realloc(): invalid next size indicates that there was indeed a buffer overflow on the heap, overwriting the size field of a heap chunk.
POC
poc_bof14.zip
Impact
Potentially causing DoS and RCE
Credit
Xdchase
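The sanitizer report above shows a one-byte write immediately past a 512-byte heap region that was allocated in gf_avc_reformat_sei and handed to gf_media_nalu_add_emulation_bytes. Inserting H.264 emulation-prevention bytes can only make a payload larger (every 0x00 0x00 followed by a byte in 0x00..0x03 gains an extra 0x03), so whoever writes the escaped form has to either size the destination for the worst case or stop at the end of the buffer; a destination sized to the unescaped length is not enough. The following is an added example, not GPAC's code and not the fix for this issue: the function and variable names are my own, and it generalises beyond the report by giving the worst-case bound, a bounds-checked escape routine, the inverse (unescape) routine, and a round-trip self-check on a constructed zero-heavy payload that is not derived from the PoC file.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not GPAC code. Escaping rule from ISO/IEC 14496-10 7.4.1.1:
 * inside a NAL unit payload, every 0x00 0x00 followed by a byte in
 * 0x00..0x03 gets an emulation-prevention byte 0x03 inserted in front of
 * that byte, so the payload never contains a start-code prefix. */

/* Worst case: one 0x03 per two input bytes, so the escaped form can be
 * up to ~1.5x the RBSP. A buffer sized to the unescaped length is not enough. */
size_t nalu_escaped_max_len(size_t rbsp_len)
{
    return rbsp_len + rbsp_len / 2 + 1;
}

/* Dry run: how many 0x03 bytes escaping would insert. Lets a caller size
 * the destination exactly before writing anything. */
size_t nalu_count_emulation_bytes(const uint8_t *rbsp, size_t len)
{
    size_t zeros = 0, added = 0;
    for (size_t i = 0; i < len; i++) {
        if (zeros >= 2 && rbsp[i] <= 0x03) {
            added++;
            zeros = 0;
        }
        zeros = (rbsp[i] == 0x00) ? zeros + 1 : 0;
    }
    return added;
}

/* Bounds-checked escape. Returns the number of bytes written, or 0 if
 * out_cap is too small: every write is checked against the capacity
 * instead of trusting that the caller allocated enough. */
size_t nalu_add_emulation_bytes(const uint8_t *rbsp, size_t len,
                                uint8_t *out, size_t out_cap)
{
    size_t zeros = 0, n = 0;
    for (size_t i = 0; i < len; i++) {
        if (zeros >= 2 && rbsp[i] <= 0x03) {
            if (n >= out_cap) return 0;
            out[n++] = 0x03;
            zeros = 0;
        }
        if (n >= out_cap) return 0;
        out[n++] = rbsp[i];
        zeros = (rbsp[i] == 0x00) ? zeros + 1 : 0;
    }
    return n;
}

/* Inverse: drop the 0x03 of every 0x00 0x00 0x03 sequence. Output never
 * exceeds the input, so out_cap >= len always suffices. */
size_t nalu_remove_emulation_bytes(const uint8_t *nal, size_t len,
                                   uint8_t *out, size_t out_cap)
{
    size_t zeros = 0, n = 0;
    for (size_t i = 0; i < len; i++) {
        if (zeros >= 2 && nal[i] == 0x03) {
            zeros = 0;          /* skip the emulation-prevention byte */
            continue;
        }
        if (n >= out_cap) return 0;
        out[n++] = nal[i];
        zeros = (nal[i] == 0x00) ? zeros + 1 : 0;
    }
    return n;
}

/* Self-check on a constructed, zero-heavy payload (not taken from the PoC):
 * a buffer sized to the input length is rejected, the worst-case-sized
 * buffer works, no start-code prefix survives, and unescaping restores the
 * original. Returns 1 on success, 0 on any failure. */
int nalu_escape_selfcheck(void)
{
    static const uint8_t rbsp[] = {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
                                   0x00, 0x00, 0x02, 0x7f};
    const size_t len = sizeof rbsp;
    uint8_t escaped[32], restored[32];

    if (nalu_count_emulation_bytes(rbsp, len) != 4) return 0;
    if (nalu_add_emulation_bytes(rbsp, len, escaped, len) != 0) return 0; /* too small */
    size_t cap = nalu_escaped_max_len(len);                               /* 17 */
    size_t esc_len = nalu_add_emulation_bytes(rbsp, len, escaped, cap);
    if (esc_len != len + 4) return 0;                                     /* 15 bytes */
    for (size_t i = 0; i + 2 < esc_len; i++)
        if (escaped[i] == 0x00 && escaped[i + 1] == 0x00 && escaped[i + 2] <= 0x02) return 0;
    size_t res_len = nalu_remove_emulation_bytes(escaped, esc_len, restored, sizeof restored);
    return res_len == len && memcmp(restored, rbsp, len) == 0;
}

int main(void)
{
    printf("worst-case escaped size for a 512-byte region: %zu bytes\n",
           nalu_escaped_max_len(512));
    printf("selfcheck: %s\n", nalu_escape_selfcheck() ? "ok" : "FAILED");
    return nalu_escape_selfcheck() ? 0 : 1;
}
```

The design point is that the writer, not the allocator, owns the bound: nalu_add_emulation_bytes refuses to emit a byte it has no room for, and a caller that wants to avoid the dry run can allocate nalu_escaped_max_len(len) up front. The same bound applies to H.265 NAL units, which use the identical escaping rule.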
Related news
Gentoo Linux Security Advisory 202408-21 - Multiple vulnerabilities have been discovered in GPAC, the worst of which could lead to arbitrary code execution. Versions greater than or equal to 2.2.0 are affected.
Debian Linux Security Advisory 5411-1 - Multiple issues were found in GPAC multimedia framework, which could result in denial of service or potentially the execution of arbitrary code.