Memory corruption due to stack-based buffer overflow in Core

CVE-2022-40520

By Deeba Ahmed
In total 22 proprietary software vulnerabilities were identified in the firmware, which Qualcomm addressed in its January 2023…
This is a post from HackRead.com Read the original post: Chip Vulnerabilities Impacting Microsoft, Lenovo, and Samsung Devices

In total 22 proprietary software vulnerabilities were identified in the firmware, which Qualcomm addressed in its January 2023 security bulletin.

Firmware attacks are increasingly common nowadays as cybercriminals are focusing more on the lower-level embedded code, which supports hardware. **Qualcomm**’s hardware is the latest target in this regard.

Reportedly, the company was notified about the presence of nearly 2 dozen security vulnerabilities in its flagship chipset suite, Snapdragon.

**Vulnerabilities Details**

These vulnerabilities were discovered by Binarly AI-powered firmware protection company. In total 22 proprietary software issues were identified in the firmware, which Qualcomm addressed in its January 2023 security bulletin.

These include 2 bugs in automotive tracked as CVE-2022-33218 and CVE-2022-33219 and one bug in powerline communication firmware tracked as CVE-2022-33265. These bugs were rated critical or high severity and their patching was quite complex.

Additionally, five major vulnerabilities in UEFI firmware on ARM were identified and tracked as CVE-2022-40516 to CVE-2022-40520. These vulnerabilities impacted the whole infrastructure of ARM-based devices and laptops.

Binarly discovered two types of vulnerabilities, including out-of-bounds read issued and stack-based buffer overflows. Both were connected to the DXE driver and could be exploited by whoever gained elevated privileges.

The company has released patches for the vulnerabilities in its latest security advisory, including patches for five connectivity and boot issues.

**Which Devices are at Risk?**

Devices made by Lenovo, Microsoft, and Samsung are at risk due to using Snapdragon chipsets. However, the scope of impact is highly diverse as the vulnerabilities may affect vehicles to powerline communications. For your information, the Snapdragon CPU uses the ARM architecture.

Therefore, apart from Lenovo and other manufacturers, ARM-based Microsoft Surface and Windows Dev Kit 2023/Project Volterra computers were also affected by the vulnerabilities. Some vulnerabilities could lead to arbitrary code execution and be exploited for a Secure Boot bypass, allowing an attacker to gain persistence on a device by gaining privileges to write to the file system.

**How the Flaws Were Discovered?**

Binarly founder and CEO, Alex Matrosov revealed that they discovered around nine security vulnerabilities while examining the Lenovo Thinkpad X13s firmware powered by the Snapdragon system-on-a-chip.

Further probe revealed that some vulnerabilities were specific to Lenovo devices and five impacted Qualcomm reference codes. This means the vulnerabilities were impacting laptops and all other devices having Snapdragon chips installed.

Matrosov clarified that this was the first time UEFI firmware vulnerabilities connected to the ARM device architecture were disclosed at such a scale. The CEO also noted that the number of affected chipsets is “massive.”

The good news is that Lenovo has addressed the issue and its advisory is available here.

1.  Alert: New Bluetooth flaw lets attackers monitor traffic
2.  Source code of over 50 top organizations leaked online
3.  Hackers Exploiting MSI Afterburner to Deliver Coin Miner
4.  400 chip flaws turn 3 billion Android phones into spying tool
5.  Microsoft hopes Windows PCs protection with Pluton security chip

Chip Vulnerabilities Impacting Microsoft, Lenovo, and Samsung Devices

Ubuntu Security Notice 5789-1 - It was discovered that the NFSD implementation in the Linux kernel did not properly handle some RPC messages, leading to a buffer overflow. A remote attacker could use this to cause a denial of service or possibly execute arbitrary code. Jann Horn discovered that the Linux kernel did not properly track memory allocations for anonymous VMA mappings in some situations, leading to potential data structure reuse. A local attacker could use this to cause a denial of service or possibly execute arbitrary code.

==========================================================================  
Ubuntu Security Notice USN-5789-1  
January 05, 2023

linux-oem-5.14 vulnerabilities  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 20.04 LTS

Summary:

Several security issues were fixed in the Linux kernel.

Software Description:  
- linux-oem-5.14: Linux kernel for OEM systems

Details:

It was discovered that the NFSD implementation in the Linux kernel did not  
properly handle some RPC messages, leading to a buffer overflow. A remote  
attacker could use this to cause a denial of service (system crash) or  
possibly execute arbitrary code. (CVE-2022-43945)

Jann Horn discovered that the Linux kernel did not properly track memory  
allocations for anonymous VMA mappings in some situations, leading to  
potential data structure reuse. A local attacker could use this to cause a  
denial of service (system crash) or possibly execute arbitrary code.  
(CVE-2022-42703)

Roger Pau Monné discovered that the Xen virtual block driver in the Linux  
kernel did not properly initialize memory pages to be used for shared  
communication with the backend. A local attacker could use this to expose  
sensitive information (guest kernel memory). (CVE-2022-26365)

Jan Beulich discovered that the Xen network device frontend driver in the  
Linux kernel incorrectly handled socket buffers (skb) references when  
communicating with certain backends. A local attacker could use this to  
cause a denial of service (guest crash). (CVE-2022-33743)

It was discovered that a memory leak existed in the IPv6 implementation of  
the Linux kernel. A local attacker could use this to cause a denial of  
service (memory exhaustion). (CVE-2022-3524)

It was discovered that a race condition existed in the Bluetooth subsystem  
in the Linux kernel, leading to a use-after-free vulnerability. A local  
attacker could use this to cause a denial of service (system crash) or  
possibly execute arbitrary code. (CVE-2022-3564)

It was discovered that the TCP implementation in the Linux kernel contained  
a data race condition. An attacker could possibly use this to cause  
undesired behaviors. (CVE-2022-3566)

It was discovered that the IPv6 implementation in the Linux kernel  
contained a data race condition. An attacker could possibly use this to  
cause undesired behaviors. (CVE-2022-3567)

It was discovered that the Realtek RTL8152 USB Ethernet adapter driver in  
the Linux kernel did not properly handle certain error conditions. A local  
attacker with physical access could plug in a specially crafted USB device  
to cause a denial of service (memory exhaustion). (CVE-2022-3594)

It was discovered that a null pointer dereference existed in the NILFS2  
file system implementation in the Linux kernel. A local attacker could use  
this to cause a denial of service (system crash). (CVE-2022-3621)

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 20.04 LTS:  
   linux-image-5.14.0-1055-oem     5.14.0-1055.62  
   linux-image-oem-20.04           5.14.0.1055.53  
   linux-image-oem-20.04b          5.14.0.1055.53  
   linux-image-oem-20.04c          5.14.0.1055.53  
   linux-image-oem-20.04d          5.14.0.1055.53

After a standard system update you need to reboot your computer to make  
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have  
been given a new version number, which requires you to recompile and  
reinstall all third party kernel modules you might have installed.  
Unless you manually uninstalled the standard kernel metapackages  
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,  
linux-powerpc), a standard system upgrade will automatically perform  
this as well.

References:  
   https://ubuntu.com/security/notices/USN-5789-1  
   CVE-2022-26365, CVE-2022-33743, CVE-2022-3524, CVE-2022-3564,  
   CVE-2022-3566, CVE-2022-3567, CVE-2022-3594, CVE-2022-3621,  
   CVE-2022-42703, CVE-2022-43945

Package Information:  
   https://launchpad.net/ubuntu/+source/linux-oem-5.14/5.14.0-1055.62

Ubuntu Security Notice USN-5789-1

GPAC MP4Box 2.1-DEV-rev644-g5c4df2a67 is vulnerable to buffer overflow in function hevc_parse_vps_extension of media_tools/av_parsers.c:7662

Thanks for reporting your issue. Please make sure these boxes are checked before submitting your issue - thank you!

buffer overflow in function hevc\_parse\_vps\_extension of media\_tools/av\_parsers.c:7662

    MP4Box - GPAC version 2.1-DEV-rev644-g5c4df2a67-master
    (c) 2000-2022 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
    
    Please cite our work in your research:
    	GPAC Filters: https://doi.org/10.1145/3339825.3394929
    	GPAC: https://doi.org/10.1145/1291233.1291452
    
    GPAC Configuration: --enable-sanitizer
    Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SSL GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_LINUX_DVB  GPAC_DISABLE_3D
    

    ./configure --enable-sanitizer
    make
    ./MP4Box import -cat poc_bof12.mp4
    

    [HEVC] Error parsing NAL unit type 33
    [HEVC] Error parsing Sequence Param Set
    [Core] exp-golomb read failed, not enough bits in bitstream !
    [HEVC] Error parsing NAL unit type 33
    [HEVC] Error parsing Sequence Param Set
    [Core] exp-golomb read failed, not enough bits in bitstream !
    [HEVC] Error parsing NAL unit type 33
    [HEVC] Error parsing Sequence Param Set
    [HEVC] 51 layers in VPS but only 4 supported in GPAC
    [HEVC] Error parsing NAL unit type 32
    [HEVC] Error parsing Video Param Set
    [HEVC] Error parsing NAL unit type 33
    [HEVC] Error parsing NAL unit type 32
    [HEVC] Error parsing Video Param Set
    [HEVC] Error parsing NAL unit type 33
    [HEVC] Error parsing Sequence Param Set
    [HEVC] Error parsing NAL unit type 33
    [HEVC] Error parsing Sequence Param Set
    Track Importing HEVC - Width 1 Height 6 FPS 25000/1000
    [HEVC] 56 layers in VPS but only 4 supported in GPAC
    [HEVC] Error parsing NAL unit type 32
    [HEVC] Error parsing Video Param Set
    media_tools/av_parsers.c:7662:23: runtime error: index 56 out of bounds for type 'u32 [4]'

CVE-2022-47657: buffer overflow in function hevc_parse_vps_extension of media_tools/av_parsers.c:7662 · Issue #2355 · gpac/gpac

GPAC MP4box 2.1-DEV-rev649-ga8f438d20 is vulnerable to buffer overflow in h263dmx_process filters/reframe_h263.c:609

*   I looked for a similar issue and couldn't find any.
*   I tried with the latest version of GPAC. Installers available at http://gpac.io/downloads/gpac-nightly-builds/
*   I give enough information for contributors to reproduce my issue (meaningful title, github labels,

**Description**

buffer overflow in h263dmx\_process filters/reframe\_h263.c:609

**Version info**

latest version atm

    MP4Box - GPAC version 2.1-DEV-rev649-ga8f438d20-master
    (c) 2000-2022 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
    
    Please cite our work in your research:
    	GPAC Filters: https://doi.org/10.1145/3339825.3394929
    	GPAC: https://doi.org/10.1145/1291233.1291452
    
    GPAC Configuration: --enable-sanitizer
    Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SSL GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_LINUX_DVB  GPAC_DISABLE_3D
    

**Reproduce**

compile and run

    ./configure --enable-sanitizer
    make
    ./MP4Box import -cat poc_bof13.mp4
    

Crash reported by sanitizer

    [H263Dmx] garbage before first frame!
    Track Importing H263 - Width 704 Height 576 FPS 15000/1000
    =================================================================
    ==735609==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60e000000620 at pc 0x7ff71222b397 bp 0x7ffeaf3c2280 sp 0x7ffeaf3c1a28
    READ of size 4294967295 at 0x60e000000620 thread T0
        #0 0x7ff71222b396 in __interceptor_memcpy ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:827
        #1 0x7ff70fbae101 in memcpy /usr/include/x86_64-linux-gnu/bits/string_fortified.h:29
        #2 0x7ff70fbae101 in h263dmx_process filters/reframe_h263.c:609
        #3 0x7ff70f7a6f1d in gf_filter_process_task filter_core/filter.c:2815
        #4 0x7ff70f7665a3 in gf_fs_thread_proc filter_core/filter_session.c:1859
        #5 0x7ff70f772ece in gf_fs_run filter_core/filter_session.c:2120
        #6 0x7ff70f1b59c1 in gf_media_import media_tools/media_import.c:1551
        #7 0x5617e36bfb4c in import_file /home/sumuchuan/Desktop/gpac_fuzz/gpac/applications/mp4box/fileimport.c:1498
        #8 0x5617e36ca5d7 in cat_isomedia_file /home/sumuchuan/Desktop/gpac_fuzz/gpac/applications/mp4box/fileimport.c:2536
        #9 0x5617e3674130 in do_add_cat /home/sumuchuan/Desktop/gpac_fuzz/gpac/applications/mp4box/mp4box.c:4562
        #10 0x5617e3674130 in mp4box_main /home/sumuchuan/Desktop/gpac_fuzz/gpac/applications/mp4box/mp4box.c:6124
        #11 0x7ff70c73cd8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
        #12 0x7ff70c73ce3f in __libc_start_main_impl ../csu/libc-start.c:392
        #13 0x5617e3650cb4 in _start (/home/sumuchuan/Desktop/gpac_fuzz/gpac/bin/gcc/MP4Box+0xabcb4)
    
    0x60e000000620 is located 0 bytes to the right of 160-byte region [0x60e000000580,0x60e000000620)
    allocated by thread T0 here:
        #0 0x7ff7122a5867 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
        #1 0x7ff70f7b4528 in gf_filter_parse_args filter_core/filter.c:2033
        #2 0x7ff70f7b5234 in gf_filter_new_finalize filter_core/filter.c:510
        #3 0x7ff70f7b65d7 in gf_filter_new filter_core/filter.c:439
        #4 0x7ff70f7021c7 in gf_filter_pid_resolve_link_internal filter_core/filter_pid.c:3611
        #5 0x7ff70f7258b2 in gf_filter_pid_resolve_link_check_loaded filter_core/filter_pid.c:3711
        #6 0x7ff70f7258b2 in gf_filter_pid_init_task filter_core/filter_pid.c:4883
        #7 0x7ff70f7665a3 in gf_fs_thread_proc filter_core/filter_session.c:1859
        #8 0x7ff70f772ece in gf_fs_run filter_core/filter_session.c:2120
        #9 0x7ff70f1b59c1 in gf_media_import media_tools/media_import.c:1551
        #10 0x5617e36bfb4c in import_file /home/sumuchuan/Desktop/gpac_fuzz/gpac/applications/mp4box/fileimport.c:1498
        #11 0x5617e36ca5d7 in cat_isomedia_file /home/sumuchuan/Desktop/gpac_fuzz/gpac/applications/mp4box/fileimport.c:2536
        #12 0x5617e3674130 in do_add_cat /home/sumuchuan/Desktop/gpac_fuzz/gpac/applications/mp4box/mp4box.c:4562
        #13 0x5617e3674130 in mp4box_main /home/sumuchuan/Desktop/gpac_fuzz/gpac/applications/mp4box/mp4box.c:6124
        #14 0x7ff70c73cd8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:827 in __interceptor_memcpy
    Shadow bytes around the buggy address:
      0x0c1c7fff8070: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
      0x0c1c7fff8080: 00 00 00 00 00 00 00 00 00 00 00 fa fa fa fa fa
      0x0c1c7fff8090: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c1c7fff80a0: 00 00 00 00 00 00 00 fa fa fa fa fa fa fa fa fa
      0x0c1c7fff80b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    =>0x0c1c7fff80c0: 00 00 00 00[fa]fa fa fa fa fa fa fa 00 00 00 00
      0x0c1c7fff80d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c1c7fff80e0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
      0x0c1c7fff80f0: 00 00 00 00 00 00 00 00 00 00 00 fa fa fa fa fa
      0x0c1c7fff8100: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c1c7fff8110: 00 00 00 00 00 00 00 fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==735609==ABORTING
    

Looks like the oob read happens in filters/reframe\_h263.c

    READ of size 4294967295 at 0x60e000000620 thread T0
       #0 0x7ff71222b396 in __interceptor_memcpy 
       ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:827
       #1 0x7ff70fbae101 in memcpy /usr/include/x86_64-linux-gnu/bits/string_fortified.h:29
       #2 0x7ff70fbae101 in h263dmx_process filters/reframe_h263.c:609
    

if compile without ASAN and run the same poc

    ./configure --static-bin
    make
    ./MP4Box import -cat poc_bof13.mp4
    

there will be segment fault

    [H263Dmx] garbage before first frame!
    Track Importing H263 - Width 704 Height 576 FPS 15000/1000
    Segmentation fault=          | (50/100)
    

backtrace atm

    pwndbg> bt
    #0  0x0000000000afc1cc in __memmove_avx_unaligned_erms ()
    #1  0x00000000007f0dbf in h263dmx_process ()
    #2  0x00000000006d9c90 in gf_filter_process_task ()
    #3  0x00000000006c5dbc in gf_fs_thread_proc ()
    #4  0x00000000006cb3bb in gf_fs_run ()
    #5  0x00000000006008ed in gf_media_import ()
    #6  0x00000000004313d1 in import_file ()
    #7  0x00000000004375f1 in cat_isomedia_file ()
    #8  0x0000000000411e78 in mp4box_main ()
    #9  0x0000000000a8c47a in __libc_start_call_main ()
    #10 0x0000000000a8dcd7 in __libc_start_main_impl ()
    #11 0x0000000000402c55 in _start ()
    

**POC**

poc\_bof13.zip

**Impact**

Potentially causing DoS and RCE

**Credit**

Xdchase

CVE-2022-47663: buffer overflow in h263dmx_process filters/reframe_h263.c:609 · Issue #2360 · gpac/gpac

GPAC MP4Box 2.1-DEV-rev644-g5c4df2a67 is vulnerable to buffer overflow in function gf_hevc_read_vps_bs_internal of media_tools/av_parsers.c:8039

Thanks for reporting your issue. Please make sure these boxes are checked before submitting your issue - thank you!

buffer overflow in function gf\_hevc\_read\_vps\_bs\_internal of media\_tools/av\_parsers.c:8039

    MP4Box - GPAC version 2.1-DEV-rev644-g5c4df2a67-master
    (c) 2000-2022 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
    
    Please cite our work in your research:
    	GPAC Filters: https://doi.org/10.1145/3339825.3394929
    	GPAC: https://doi.org/10.1145/1291233.1291452
    
    GPAC Configuration: --enable-sanitizer
    Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SSL GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_LINUX_DVB  GPAC_DISABLE_3D
    

    ./configure --enable-sanitizer
    make
    ./MP4Box import -cat poc_bof10.mp4
    

    [Core] exp-golomb read failed, not enough bits in bitstream !
    [HEVC] Error parsing NAL unit type 33
    [HEVC] Error parsing Sequence Param Set
    [HEVC] Error parsing NAL unit type 32
    [HEVC] 8 layers in VPS but only 4 supported in GPAC
    [HEVC] Error parsing NAL unit type 32
    [HEVC] Error parsing Video Param Set
    [HEVC] Error parsing NAL unit type 33
    Track Importing HEVC - Width 1 Height 6 FPS 488447261/488447261
    [HEVC] Error parsing NAL unit type 390)
    [HEVC] SEI user message type 249 size error (109 but 15 remain), skipping SEI message
    media_tools/av_parsers.c:8039:32: runtime error: index 4 out of bounds for type 'u8 [4]'

CVE-2022-47658: buffer overflow in function gf_hevc_read_vps_bs_internal of media_tools/av_parsers.c:8039 · Issue #2356 · gpac/gpac

GPAC MP4box 2.1-DEV-rev617-g85ce76efd is vulnerable to Buffer Overflow in gf_hevc_read_sps_bs_internal function of media_tools/av_parsers.c:8273

Thanks for reporting your issue. Please make sure these boxes are checked before submitting your issue - thank you!

buffer overflow in gf\_hevc\_read\_sps\_bs\_internal function of media\_tools/av\_parsers.c:8273

    MP4Box - GPAC version 2.1-DEV-rev617-g85ce76efd-master
    (c) 2000-2022 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
    
    Please cite our work in your research:
    	GPAC Filters: https://doi.org/10.1145/3339825.3394929
    	GPAC: https://doi.org/10.1145/1291233.1291452
    
    GPAC Configuration: --enable-sanitizer
    Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SSL GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_LINUX_DVB  GPAC_DISABLE_3D
    

    ./configure --enable-sanitizer
    make
    ./MP4Box import -cat poc_bof9.mp4
    

    [HEVC] Error parsing NAL unit type 33
    [HEVC] Error parsing Sequence Param Set
    [HEVC] Error parsing NAL unit type 33
    [HEVC] Error parsing Sequence Param Set
    media_tools/av_parsers.c:8273:32: runtime error: index 159 out of bounds for type 'HEVC_RepFormat [16]'

CVE-2022-47656: buffer overflow in gf_hevc_read_sps_bs_internal function of media_tools/av_parsers.c:8273 · Issue #2353 · gpac/gpac

GPAC MP4box 2.1-DEV-rev644-g5c4df2a67 is vulnerable to Buffer Overflow in gf_bs_read_data

Thanks for reporting your issue. Please make sure these boxes are checked before submitting your issue - thank you!

*   I looked for a similar issue and couldn't find any.
*   I tried with the latest version of GPAC. Installers available at http://gpac.io/downloads/gpac-nightly-builds/
*   I give enough information for contributors to reproduce my issue (meaningful title, github labels, platform and compiler, command-line ...). I can share files anonymously with this dropbox: https://www.mediafire.com/filedrop/filedrop\_hosted.php?drop=eec9e058a9486fe4e99c33021481d9e1826ca9dbc242a6cfaab0fe95da5e5d95

Detailed guidelines: http://gpac.io/2013/07/16/how-to-file-a-bug-properly/

**Description**

stack-buffer-overflow utils/bitstream.c:732 in gf\_bs\_read\_data

**Version info**

latest version atm

    MP4Box - GPAC version 2.1-DEV-rev644-g5c4df2a67-master
    (c) 2000-2022 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
    
    Please cite our work in your research:
    	GPAC Filters: https://doi.org/10.1145/3339825.3394929
    	GPAC: https://doi.org/10.1145/1291233.1291452
    
    GPAC Configuration: --enable-sanitizer
    Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SSL GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_LINUX_DVB  GPAC_DISABLE_3D
    

**Reproduce**

compile and run

    ./configure --enable-sanitizer
    make
    ./MP4Box import -cat poc_bof11.mp4
    

Crash reported by sanitizer

    Track Importing AAC  - SampleRate 88200 Num Channels 8
    =================================================================
    ==325854==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffc52ec0940 at pc 0x7fa1e477c501 bp 0x7ffc52ebf3a0 sp 0x7ffc52ebf390
    WRITE of size 1 at 0x7ffc52ec0940 thread T0
        #0 0x7fa1e477c500 in gf_bs_read_data utils/bitstream.c:732
        #1 0x7fa1e59d0a8c in latm_dmx_sync_frame_bs filters/reframe_latm.c:170
        #2 0x7fa1e59d289f in latm_dmx_sync_frame_bs filters/reframe_latm.c:86
        #3 0x7fa1e59d289f in latm_dmx_process filters/reframe_latm.c:526
        #4 0x7fa1e55eabac in gf_filter_process_task filter_core/filter.c:2795
        #5 0x7fa1e55aa703 in gf_fs_thread_proc filter_core/filter_session.c:1859
        #6 0x7fa1e55b700e in gf_fs_run filter_core/filter_session.c:2120
        #7 0x7fa1e4ff9a21 in gf_media_import media_tools/media_import.c:1551
        #8 0x55a84c1ccb4c in import_file /home/sumuchuan/Desktop/gpac_fuzz/gpac/applications/mp4box/fileimport.c:1498
        #9 0x55a84c1d75d7 in cat_isomedia_file /home/sumuchuan/Desktop/gpac_fuzz/gpac/applications/mp4box/fileimport.c:2536
        #10 0x55a84c181130 in do_add_cat /home/sumuchuan/Desktop/gpac_fuzz/gpac/applications/mp4box/mp4box.c:4562
        #11 0x55a84c181130 in mp4box_main /home/sumuchuan/Desktop/gpac_fuzz/gpac/applications/mp4box/mp4box.c:6124
        #12 0x7fa1e2580d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
        #13 0x7fa1e2580e3f in __libc_start_main_impl ../csu/libc-start.c:392
        #14 0x55a84c15dcb4 in _start (/home/sumuchuan/Desktop/gpac_fuzz/gpac/bin/gcc/MP4Box+0xabcb4)
    
    Address 0x7ffc52ec0940 is located in stack of thread T0 at offset 5088 in frame
        #0 0x7fa1e59d20af in latm_dmx_process filters/reframe_latm.c:456
    
      This frame has 19 object(s):
        [48, 52) 'pck_size' (line 461)
        [64, 68) 'latm_frame_size' (line 525)
        [80, 84) 'dsi_s' (line 312)
        [96, 104) 'output' (line 460)
        [128, 136) 'dsi_b' (line 311)
        [160, 184) '<unknown>'
        [224, 248) '<unknown>'
        [288, 312) '<unknown>'
        [352, 376) '<unknown>'
        [416, 440) '<unknown>'
        [480, 504) '<unknown>'
        [544, 568) '<unknown>'
        [608, 632) '<unknown>'
        [672, 696) '<unknown>'
        [736, 760) '<unknown>'
        [800, 824) '<unknown>'
        [864, 888) '<unknown>'
        [928, 952) '<unknown>'
        [992, 5088) 'latm_buffer' (line 524) <== Memory access at offset 5088 overflows this variable
    HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
          (longjmp and C++ exceptions *are* supported)
    SUMMARY: AddressSanitizer: stack-buffer-overflow utils/bitstream.c:732 in gf_bs_read_data
    Shadow bytes around the buggy address:
      0x10000a5d00d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x10000a5d00e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x10000a5d00f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x10000a5d0100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x10000a5d0110: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    =>0x10000a5d0120: 00 00 00 00 00 00 00 00[f3]f3 f3 f3 f3 f3 f3 f3
      0x10000a5d0130: f3 f3 f3 f3 f3 f3 f3 f3 00 00 00 00 00 00 00 00
      0x10000a5d0140: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x10000a5d0150: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x10000a5d0160: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x10000a5d0170: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==325854==ABORTING
    

**POC**

poc\_bof11.zip

**Impact**

Potentially causing DoS and RCE

**Credit**

Xdchase

CVE-2022-47659: stack-buffer-overflow utils/bitstream.c:732 in gf_bs_read_data · Issue #2354 · gpac/gpac

GPAC MP4box 2.1-DEV-rev593-g007bf61a0 is vulnerable to Buffer Overflow in gf_hevc_read_sps_bs_internal function of media_tools/av_parsers.c:8261

Thanks for reporting your issue. Please make sure these boxes are checked before submitting your issue - thank you!

*   I looked for a similar issue and couldn't find any.
*   I tried with the latest version of GPAC. Installers available at http://gpac.io/downloads/gpac-nightly-builds/
*   I give enough information for contributors to reproduce my issue (meaningful title, github labels, platform and compiler, command-line ...). I can share files anonymously with this dropbox: https://www.mediafire.com/filedrop/filedrop\_hosted.php?drop=eec9e058a9486fe4e99c33021481d9e1826ca9dbc242a6cfaab0fe95da5e5d95

Detailed guidelines: http://gpac.io/2013/07/16/how-to-file-a-bug-properly/

**Description**

buffer overflow in gf\_hevc\_read\_sps\_bs\_internal function of media\_tools/av\_parsers.c:8261

	//sps\_rep\_format\_idx = 0;
	if (multiLayerExtSpsFlag) {
		sps->update\_rep\_format\_flag = gf\_bs\_read\_int\_log(bs, 1, "update\_rep\_format\_flag");
		if (sps->update\_rep\_format\_flag) {
			sps->rep\_format\_idx = gf\_bs\_read\_int\_log(bs, 8, "rep\_format\_idx");
			if (sps->rep\_format\_idx\>15) {
				return -1;
			}
		} else {
			sps->rep\_format\_idx = vps->rep\_format\_idx\[layer\_id\]; // overflow
		}

**Version info**

latest version

    MP4Box - GPAC version 2.1-DEV-rev593-g007bf61a0-master
    (c) 2000-2022 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
    
    Please cite our work in your research:
    	GPAC Filters: https://doi.org/10.1145/3339825.3394929
    	GPAC: https://doi.org/10.1145/1291233.1291452
    
    GPAC Configuration: --enable-sanitizer
    Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SSL GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_LINUX_DVB  GPAC_DISABLE_3D
    

**Reproduce**

compile and run

    ./configure --enable-sanitizer
    make
    ./MP4Box import -add poc_bof8.mov
    

Crash reported by sanitizer

    [iso file] Unknown box type dvbs in parent stsd
    [HEVC] Error parsing NAL unit type 16
    [Core] exp-golomb read failed, not enough bits in bitstream !
    [HEVC] Error parsing NAL unit type 32
    [Core] exp-golomb read failed, not enough bits in bitstream !
    [HEVC] Error parsing NAL unit type 33
    [HEVC] Error parsing NAL unit type 16
    Track Importing HEVC - Width -10 Height -20316159 FPS 25000/1000
    [HEVC] Error parsing NAL Unit 8 (size 0 type 0 frame 0 last POC 0) - skipping
    [HEVC] Error parsing NAL unit type 16
    [HEVC] Error parsing NAL unit type 0
    [Core] exp-golomb read failed, not enough bits in bitstream !
    [HEVC] Error parsing NAL unit type 32
    [Core] exp-golomb read failed, not enough bits in bitstream !
    [HEVC] Error parsing NAL unit type 33
    [Core] exp-golomb read failed, not enough bits in bitstream !
    [HEVC] Error parsing NAL unit type 34
    [Core] exp-golomb read failed, not enough bits in bitstream !
    [Core] exp-golomb read failed, not enough bits in bitstream !
    [HEVC] Wrong number of layer sets in VPS 5
    [HEVC] Error parsing NAL unit type 32
    [HEVC] Error parsing Video Param Set
    [Core] exp-golomb read failed, not enough bits in bitstream !
    [HEVC] Error parsing NAL unit type 32
    [Core] exp-golomb read failed, not enough bits in bitstream !
    [HEVC] Error parsing NAL unit type 33
    [Core] exp-golomb read failed, not enough bits in bitstream !
    [Core] exp-golomb read failed, not enough bits in bitstream !
    [Core] exp-golomb read failed, not enough bits in bitstream !
    [HEVC] Error parsing NAL unit type 34
    [Core] exp-golomb read failed, not enough bits in bitstream !
    [Core] exp-golomb read failed, not enough bits in bitstream !
    [Core] exp-golomb read failed, not enough bits in bitstream !
    [HEVC] Error parsing NAL unit type 34
    [Core] exp-golomb read failed, not enough bits in bitstream !
    [Core] exp-golomb read failed, not enough bits in bitstream !
    [Core] exp-golomb read failed, not enough bits in bitstream !
    [Core] exp-golomb read failed, not enough bits in bitstream !
    [HEVC] sorry, 11 layers in VPS but only 4 supported
    [HEVC] Error parsing NAL unit type 32
    [HEVC] Error parsing Video Param Set
    media_tools/av_parsers.c:8261:45: runtime error: index 45 out of bounds for type 'u32 [16]'
    

**POC**

poc\_bof8.zip

**Impact**

Potentially causing DoS and RCE

**Credit**

Xdchase

CVE-2022-47654: buffer overflow in gf_hevc_read_sps_bs_internal function of media_tools/av_parsers.c:8261 · Issue #2350 · gpac/gpac

GPAC MP4box 2.1-DEV-rev593-g007bf61a0 is vulnerable to Buffer Overflow in eac3_update_channels function of media_tools/av_parsers.c:9113

Thanks for reporting your issue. Please make sure these boxes are checked before submitting your issue - thank you!

*   I looked for a similar issue and couldn't find any.
*   I tried with the latest version of GPAC. Installers available at http://gpac.io/downloads/gpac-nightly-builds/
*   I give enough information for contributors to reproduce my issue (meaningful title, github labels, platform and compiler, command-line ...). I can share files anonymously with this dropbox: https://www.mediafire.com/filedrop/filedrop\_hosted.php?drop=eec9e058a9486fe4e99c33021481d9e1826ca9dbc242a6cfaab0fe95da5e5d95

Detailed guidelines: http://gpac.io/2013/07/16/how-to-file-a-bug-properly/

**Description**

buffer overflow in eac3\_update\_channels function of media\_tools/av\_parsers.c:9113

static void eac3\_update\_channels(GF\_AC3Config \*hdr)
{
	u32 i;
	for (i=0; i<hdr->nb\_streams; i++) {
		u32 nb\_ch = ac3\_mod\_to\_total\_chans\[hdr->streams\[i\].acmod\]; // overflow
		if (hdr->streams\[i\].nb\_dep\_sub) {
			hdr->streams\[i\].chan\_loc = eac3\_chanmap\_to\_chan\_loc(hdr->streams\[i\].chan\_loc);
			nb\_ch += gf\_eac3\_get\_chan\_loc\_count(hdr->streams\[i\].chan\_loc);
		}
		if (hdr->streams\[i\].lfon) nb\_ch++;
		hdr->streams\[i\].channels = nb\_ch;
		hdr->streams\[i\].surround\_channels = ac3\_mod\_to\_surround\_chans\[hdr->streams\[i\].acmod\];
	}
}

**Version info**

latest version

    MP4Box - GPAC version 2.1-DEV-rev593-g007bf61a0-master
    (c) 2000-2022 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
    
    Please cite our work in your research:
    	GPAC Filters: https://doi.org/10.1145/3339825.3394929
    	GPAC: https://doi.org/10.1145/1291233.1291452
    
    GPAC Configuration: --enable-sanitizer
    Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SSL GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_LINUX_DVB  GPAC_DISABLE_3D
    

**Reproduce**

compile and run

    ./configure --enable-sanitizer
    make
    ./MP4Box import -add poc_bof7.swf
    

Crash reported by sanitizer

    [iso file] Unknown box type dvbs in parent stsd
    Track Importing EAC-3 - SampleRate 32000 Num Channels 6
    [AC3Dmx] 24 bytes unrecovered before sync word
    [AC3Dmx] 13 bytes unrecovered before sync word
    media_tools/av_parsers.c:9113:50: runtime error: index 8 out of bounds for type 'GF_AC3StreamInfo [8]'
    

**POC**

poc\_bof7.zip

**Impact**

Potentially causing DoS and RCE

**Credit**

Xdchase

Tag

#buffer_overflow