Versions of the package exec-local-bin before 1.2.0 are vulnerable to Command Injection via the theProcess() functionality due to improper user-input sanitization.

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

*   Snyk ID **SNYK-JS-EXECLOCALBIN-3157956**
*   published **20 Dec 2022**
*   disclosed **6 Dec 2022**
*   credit **JHU System Security Lab**

**How to fix?**

Upgrade exec-local-bin to version 1.2.0 or higher.

**Overview**

Affected versions of this package are vulnerable to Command Injection via the theProcess() functionality due to improper user-input sanitization.

**PoC**

    var root = require("exec-local-bin")
    root("& touch JHU",{})

CVE-2022-25923: Snyk Vulnerability Database | Snyk

An issue was discovered in Siren Investigate before 12.1.7. Script variable whitelisting is insufficiently sandboxed.

**New features**

**Custom record views**

You can now create custom views for your documents in the Overview tab of the Record View by writing template scripts. Learn more.

**Reporting**

Template scripts can also be used to generate reports from Elasticsearch documents in many different formats (PDF, HTML, Word and more) through integration with jsreport. Learn more.

**Filter to dashboard**

You now have the option to apply the filters from one dashboard to another dashboard associated to the same entity table. Learn more.

**Security fixes**

*   Upgraded Node.js to version 14.19.1. For the full list of fixes, see the 14.19.1 changelog.
    
*   Upgraded url-parse to version 1.5.9 to address CVE-2022-0691.
    
*   Upgraded prismjs to version 1.27.0 to address CVE-2022-23647.
    
*   Upgraded moment to version 2.29.2 to address GHSA-8hfj-j24r-96c4.
    

**Breaking Changes**

**Saved objects**

*   The index-pattern saved object type has been removed; the methods that were previously exposed by IndexPattern instances are now part of the SavedSearch interface.
    

**Migration to Babel 7**

*   Siren Investigate is now built with Babel 7; if you made any custom plugin it is recommended to test it on a pristine Siren Investigate 12.1 instance before upgrading.
    

**Deprecations**

**Discover**

*   The Discover application has been deprecated and will be removed in a future release. The buttons to create and save child searches from the Discover application have been removed.
    

**Improvements**

**Auditing**

*   Added a configuration option that allows customization of the Elasticsearch fields to be put in data export audit log entries. Learn more.
    

**Data model**

*   Enabled granular editing of relations in the Relations tab. When saving or deleting a relation the changes will now be applied immediately.
    
*   Improved the performance of the relations tab with a high number of relations.
    
*   Added a button to aggregate multiple relations between two entities into a single link showing the number of relations. In this mode, the individual relation names are displayed in a tooltip.
    
*   When transforming data it is now possible to test the transformation against any of the sample source documents.
    

**Dashboard**

*   It is now possible to use a visual date/time picker when creating filters on date fields.
    
*   When editing a visualization on a dashboard, you can now save it and return immediately to the dashboard by clicking on a **Save and return** button.
    
*   The tooltips showing data model explanations on 360 Dashboards are now enabled by default.
    
*   Modified 360 Dashboards to include documents from both the target and the source entity when self relations have the same label in both directions.
    
*   Replaced the graph based widget to pick relations in the 360 Dashboard data model configuration with a simpler dropdown based widget.
    

**Record Table**

*   Added options to rearrange the columns of the table to the column context menu.
    

**Record view**

*   It is now possible to use a visual date/time picker when editing date fields.
    
*   It is now possible to add multiple values to a field when editing a document in the record view.
    

**Graph Browser**

*   Links that represent self relations on the same field are now automatically hidden when the source and the target are the same node.
    
*   Added explicit drag and drop handles to the lens listing.
    
*   Added an option to the Node to edge by fields lens configuration that allows you to automatically expand intermediate nodes when creating edge links.
    

**Relational Navigator**

*   Added a configuration option that allows you to group relations having the same label into a single button.
    
*   Modified the relation links to include documents from both the target and the source entity when self relations have the same label in both directions.
    
*   Removed the automatic capitalization of relation links.
    

**Development**

*   The EUI library dependency has been upgraded to version 34.6.0 .
    

**Bug fixes**

**Auditing**

*   Fixed an issue that caused data requests initiated by the Graph Browser to be classified as count requests.
    
*   Fixed an issue that caused dataExport requests to be assigned to the HOME dataspace instead of the current one.
    

**Data Model**

*   Fixed an issue that prevented child searches from inheriting the search query and filters from their parent.
    
*   Suppressed an unnecessary warning which was appearing after saving changes to a child search.
    
*   Fixed an issue in the data import flow that caused leading zeroes in fields to be automatically stripped.
    

**Graph Browser**

*   Fixed an issue that caused nodes created by a time/location lens to not disappear when disabling the lens.
    
*   You can now use custom icons in node glyphs.
    
*   Fixed an issue that could cause a node to edge lens to not be applied automatically when adding nodes to the graph.
    
*   Fixed an issue that could cause a fatal error when switching between two dashboards with a Graph Browser visualization in map mode.
    
*   Fixed an issue that would cause all the nodes to be expanded when no checkbox was selected in the expansion dialog.
    
*   Adjusted the formula to determine the size of nodes at high zoom levels to minimize overlapping.
    
*   Fixed an issue that prevented the deletion of edges created by Node to edge by fields lens instances.
    
*   Fixed an issue that prevented opening the record view of nodes containing spaces in the _id field.
    

**Enhanced Coordinate Map**

*   Fixed an issue that would cause unnecessary rendering operations while changing the configuration of a visualization.
    

**Scripting**

*   Fixed an issue that could cause a fatal error when editing a script containing JSX fragments.
    

**Record Table**

*   Fixed an issue that caused a wrong search request to be generated after creating a negated filter having multiple values by holding CTRL/CMD.
    

**Dashboard**

*   Fixed an issue that caused a wrong confirmation dialog to appear after deleting a dashboard whilst in edit mode.
    
*   Fixed an issue that prevented nodes from being added to a Graph Browser visualization when dragging a dashboard with a modified state.
    
*   The explanation tooltip for visualizations in 360 Dashboards is now enabled by default following recent performance improvements.
    

**Miscellaneous**

*   Added the investigate_core.search.max_buckets configuration setting. This setting prevents aggregations with a large number of buckets from being processed by visualizations and freezing the browser. The default value of the setting is 1000.
    
*   Improved the Elasticsearch periodic health check to wait for the ACL index to be ready in addition to the main Siren Investigate index.

CVE-2022-47544: Release Notes :: SIREN DOCS

Discourse is an option source discussion platform. Prior to version 2.8.14 on the `stable` branch and version 3.0.0.beta16 on the `beta` and `tests-passed` branches, the number of times a user posted in an arbitrary topic is exposed to unauthorized users through the `/u/username.json` endpoint. The issue is patched in version 2.8.14 and 3.0.0.beta16. There is no known workaround.

Moderate

jomaxro published GHSA-xx97-6494-p2rv

Jan 5, 2023

**Package**

No package listed

**Affected versions**

stable <= 2.8.13; beta <= 3.0.0.beta15; tests-passed <= 3.0.0.beta15

**Patched versions**

stable >= 2.8.14; beta >= 3.0.0.beta16; tests-passed >= 3.0.0.beta16

**Description**

**Impact**

The number of times a user posted in an arbitrary topic is exposed to unauthorized users through the /u/username.json endpoint.

**Patches**

This issue is patched in the latest stable, beta and tests-passed versions of Discourse.

**Workarounds**

There is no known workaround.

**Severity**

**CVSS base metrics**

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

**Weaknesses**

CVE-2023-22453: Exposure of user post counts per topic to unauthorized users

The Swifty Page Manager plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.0.1. This is due to missing or incorrect nonce validation on several AJAX actions handling page creation and deletion among other things. This makes it possible for unauthenticated attackers to invoke those functions, via forged request granted they can trick a site administrator into performing an action such as clicking on a link.

CVE-2023-0088: swifty-page-manager.php in swifty-page-manager/trunk – WordPress Plugin Repository

In version 2.9.0.beta14 of Discourse, an open-source discussion platform, maliciously embedded urls can leak an admin's digest of recent topics, possibly exposing private information. A patch is available for version 2.9.0.beta15. There are no known workarounds for this issue.

@@ -337,6 +337,19 @@

end

end

  

describe '#send\_digest' do

context "when logged in as an admin" do

before { sign\_in(admin) }

  

it "sends the digest" do

post "/admin/email/send-digest.json", params: {

last\_seen\_at: 1.week.ago, username: admin.username, email: email('previous\_replies')

}

expect(response.status).to eq(200)

end

end

end

  

describe '#handle\_mail' do

context "when logged in as an admin" do

before { sign\_in(admin) }

CVE-2022-23546: SECURITY: Convert send_digest to a post request (#19746) · discourse/discourse@cf862e7

GPAC MP4Box 2.1-DEV-rev644-g5c4df2a67 is vulnerable to buffer overflow in function hevc_parse_vps_extension of media_tools/av_parsers.c:7662

Thanks for reporting your issue. Please make sure these boxes are checked before submitting your issue - thank you!

buffer overflow in function hevc\_parse\_vps\_extension of media\_tools/av\_parsers.c:7662

    MP4Box - GPAC version 2.1-DEV-rev644-g5c4df2a67-master
    (c) 2000-2022 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
    
    Please cite our work in your research:
    	GPAC Filters: https://doi.org/10.1145/3339825.3394929
    	GPAC: https://doi.org/10.1145/1291233.1291452
    
    GPAC Configuration: --enable-sanitizer
    Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SSL GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_LINUX_DVB  GPAC_DISABLE_3D
    

    ./configure --enable-sanitizer
    make
    ./MP4Box import -cat poc_bof12.mp4
    

    [HEVC] Error parsing NAL unit type 33
    [HEVC] Error parsing Sequence Param Set
    [Core] exp-golomb read failed, not enough bits in bitstream !
    [HEVC] Error parsing NAL unit type 33
    [HEVC] Error parsing Sequence Param Set
    [Core] exp-golomb read failed, not enough bits in bitstream !
    [HEVC] Error parsing NAL unit type 33
    [HEVC] Error parsing Sequence Param Set
    [HEVC] 51 layers in VPS but only 4 supported in GPAC
    [HEVC] Error parsing NAL unit type 32
    [HEVC] Error parsing Video Param Set
    [HEVC] Error parsing NAL unit type 33
    [HEVC] Error parsing NAL unit type 32
    [HEVC] Error parsing Video Param Set
    [HEVC] Error parsing NAL unit type 33
    [HEVC] Error parsing Sequence Param Set
    [HEVC] Error parsing NAL unit type 33
    [HEVC] Error parsing Sequence Param Set
    Track Importing HEVC - Width 1 Height 6 FPS 25000/1000
    [HEVC] 56 layers in VPS but only 4 supported in GPAC
    [HEVC] Error parsing NAL unit type 32
    [HEVC] Error parsing Video Param Set
    media_tools/av_parsers.c:7662:23: runtime error: index 56 out of bounds for type 'u32 [4]'

CVE-2022-47657: buffer overflow in function hevc_parse_vps_extension of media_tools/av_parsers.c:7662 · Issue #2355 · gpac/gpac

GPAC MP4Box 2.1-DEV-rev644-g5c4df2a67 is vulnerable to buffer overflow in function gf_hevc_read_vps_bs_internal of media_tools/av_parsers.c:8039

Thanks for reporting your issue. Please make sure these boxes are checked before submitting your issue - thank you!

buffer overflow in function gf\_hevc\_read\_vps\_bs\_internal of media\_tools/av\_parsers.c:8039

    MP4Box - GPAC version 2.1-DEV-rev644-g5c4df2a67-master
    (c) 2000-2022 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
    
    Please cite our work in your research:
    	GPAC Filters: https://doi.org/10.1145/3339825.3394929
    	GPAC: https://doi.org/10.1145/1291233.1291452
    
    GPAC Configuration: --enable-sanitizer
    Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SSL GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_LINUX_DVB  GPAC_DISABLE_3D
    

    ./configure --enable-sanitizer
    make
    ./MP4Box import -cat poc_bof10.mp4
    

    [Core] exp-golomb read failed, not enough bits in bitstream !
    [HEVC] Error parsing NAL unit type 33
    [HEVC] Error parsing Sequence Param Set
    [HEVC] Error parsing NAL unit type 32
    [HEVC] 8 layers in VPS but only 4 supported in GPAC
    [HEVC] Error parsing NAL unit type 32
    [HEVC] Error parsing Video Param Set
    [HEVC] Error parsing NAL unit type 33
    Track Importing HEVC - Width 1 Height 6 FPS 488447261/488447261
    [HEVC] Error parsing NAL unit type 390)
    [HEVC] SEI user message type 249 size error (109 but 15 remain), skipping SEI message
    media_tools/av_parsers.c:8039:32: runtime error: index 4 out of bounds for type 'u8 [4]'

CVE-2022-47658: buffer overflow in function gf_hevc_read_vps_bs_internal of media_tools/av_parsers.c:8039 · Issue #2356 · gpac/gpac

GPAC MP4box 2.1-DEV-rev617-g85ce76efd is vulnerable to Buffer Overflow in gf_hevc_read_sps_bs_internal function of media_tools/av_parsers.c:8273

Thanks for reporting your issue. Please make sure these boxes are checked before submitting your issue - thank you!

buffer overflow in gf\_hevc\_read\_sps\_bs\_internal function of media\_tools/av\_parsers.c:8273

    MP4Box - GPAC version 2.1-DEV-rev617-g85ce76efd-master
    (c) 2000-2022 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
    
    Please cite our work in your research:
    	GPAC Filters: https://doi.org/10.1145/3339825.3394929
    	GPAC: https://doi.org/10.1145/1291233.1291452
    
    GPAC Configuration: --enable-sanitizer
    Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SSL GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_LINUX_DVB  GPAC_DISABLE_3D
    

    ./configure --enable-sanitizer
    make
    ./MP4Box import -cat poc_bof9.mp4
    

    [HEVC] Error parsing NAL unit type 33
    [HEVC] Error parsing Sequence Param Set
    [HEVC] Error parsing NAL unit type 33
    [HEVC] Error parsing Sequence Param Set
    media_tools/av_parsers.c:8273:32: runtime error: index 159 out of bounds for type 'HEVC_RepFormat [16]'

CVE-2022-47656: buffer overflow in gf_hevc_read_sps_bs_internal function of media_tools/av_parsers.c:8273 · Issue #2353 · gpac/gpac

GPAC MP4box 2.1-DEV-rev649-ga8f438d20 is vulnerable to buffer overflow in h263dmx_process filters/reframe_h263.c:609

*   I looked for a similar issue and couldn't find any.
*   I tried with the latest version of GPAC. Installers available at http://gpac.io/downloads/gpac-nightly-builds/
*   I give enough information for contributors to reproduce my issue (meaningful title, github labels,

**Description**

buffer overflow in h263dmx\_process filters/reframe\_h263.c:609

**Version info**

latest version atm

    MP4Box - GPAC version 2.1-DEV-rev649-ga8f438d20-master
    (c) 2000-2022 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
    
    Please cite our work in your research:
    	GPAC Filters: https://doi.org/10.1145/3339825.3394929
    	GPAC: https://doi.org/10.1145/1291233.1291452
    
    GPAC Configuration: --enable-sanitizer
    Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SSL GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_LINUX_DVB  GPAC_DISABLE_3D
    

**Reproduce**

compile and run

    ./configure --enable-sanitizer
    make
    ./MP4Box import -cat poc_bof13.mp4
    

Crash reported by sanitizer

    [H263Dmx] garbage before first frame!
    Track Importing H263 - Width 704 Height 576 FPS 15000/1000
    =================================================================
    ==735609==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60e000000620 at pc 0x7ff71222b397 bp 0x7ffeaf3c2280 sp 0x7ffeaf3c1a28
    READ of size 4294967295 at 0x60e000000620 thread T0
        #0 0x7ff71222b396 in __interceptor_memcpy ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:827
        #1 0x7ff70fbae101 in memcpy /usr/include/x86_64-linux-gnu/bits/string_fortified.h:29
        #2 0x7ff70fbae101 in h263dmx_process filters/reframe_h263.c:609
        #3 0x7ff70f7a6f1d in gf_filter_process_task filter_core/filter.c:2815
        #4 0x7ff70f7665a3 in gf_fs_thread_proc filter_core/filter_session.c:1859
        #5 0x7ff70f772ece in gf_fs_run filter_core/filter_session.c:2120
        #6 0x7ff70f1b59c1 in gf_media_import media_tools/media_import.c:1551
        #7 0x5617e36bfb4c in import_file /home/sumuchuan/Desktop/gpac_fuzz/gpac/applications/mp4box/fileimport.c:1498
        #8 0x5617e36ca5d7 in cat_isomedia_file /home/sumuchuan/Desktop/gpac_fuzz/gpac/applications/mp4box/fileimport.c:2536
        #9 0x5617e3674130 in do_add_cat /home/sumuchuan/Desktop/gpac_fuzz/gpac/applications/mp4box/mp4box.c:4562
        #10 0x5617e3674130 in mp4box_main /home/sumuchuan/Desktop/gpac_fuzz/gpac/applications/mp4box/mp4box.c:6124
        #11 0x7ff70c73cd8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
        #12 0x7ff70c73ce3f in __libc_start_main_impl ../csu/libc-start.c:392
        #13 0x5617e3650cb4 in _start (/home/sumuchuan/Desktop/gpac_fuzz/gpac/bin/gcc/MP4Box+0xabcb4)
    
    0x60e000000620 is located 0 bytes to the right of 160-byte region [0x60e000000580,0x60e000000620)
    allocated by thread T0 here:
        #0 0x7ff7122a5867 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
        #1 0x7ff70f7b4528 in gf_filter_parse_args filter_core/filter.c:2033
        #2 0x7ff70f7b5234 in gf_filter_new_finalize filter_core/filter.c:510
        #3 0x7ff70f7b65d7 in gf_filter_new filter_core/filter.c:439
        #4 0x7ff70f7021c7 in gf_filter_pid_resolve_link_internal filter_core/filter_pid.c:3611
        #5 0x7ff70f7258b2 in gf_filter_pid_resolve_link_check_loaded filter_core/filter_pid.c:3711
        #6 0x7ff70f7258b2 in gf_filter_pid_init_task filter_core/filter_pid.c:4883
        #7 0x7ff70f7665a3 in gf_fs_thread_proc filter_core/filter_session.c:1859
        #8 0x7ff70f772ece in gf_fs_run filter_core/filter_session.c:2120
        #9 0x7ff70f1b59c1 in gf_media_import media_tools/media_import.c:1551
        #10 0x5617e36bfb4c in import_file /home/sumuchuan/Desktop/gpac_fuzz/gpac/applications/mp4box/fileimport.c:1498
        #11 0x5617e36ca5d7 in cat_isomedia_file /home/sumuchuan/Desktop/gpac_fuzz/gpac/applications/mp4box/fileimport.c:2536
        #12 0x5617e3674130 in do_add_cat /home/sumuchuan/Desktop/gpac_fuzz/gpac/applications/mp4box/mp4box.c:4562
        #13 0x5617e3674130 in mp4box_main /home/sumuchuan/Desktop/gpac_fuzz/gpac/applications/mp4box/mp4box.c:6124
        #14 0x7ff70c73cd8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:827 in __interceptor_memcpy
    Shadow bytes around the buggy address:
      0x0c1c7fff8070: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
      0x0c1c7fff8080: 00 00 00 00 00 00 00 00 00 00 00 fa fa fa fa fa
      0x0c1c7fff8090: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c1c7fff80a0: 00 00 00 00 00 00 00 fa fa fa fa fa fa fa fa fa
      0x0c1c7fff80b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    =>0x0c1c7fff80c0: 00 00 00 00[fa]fa fa fa fa fa fa fa 00 00 00 00
      0x0c1c7fff80d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c1c7fff80e0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
      0x0c1c7fff80f0: 00 00 00 00 00 00 00 00 00 00 00 fa fa fa fa fa
      0x0c1c7fff8100: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c1c7fff8110: 00 00 00 00 00 00 00 fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==735609==ABORTING
    

Looks like the oob read happens in filters/reframe\_h263.c

    READ of size 4294967295 at 0x60e000000620 thread T0
       #0 0x7ff71222b396 in __interceptor_memcpy 
       ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:827
       #1 0x7ff70fbae101 in memcpy /usr/include/x86_64-linux-gnu/bits/string_fortified.h:29
       #2 0x7ff70fbae101 in h263dmx_process filters/reframe_h263.c:609
    

if compile without ASAN and run the same poc

    ./configure --static-bin
    make
    ./MP4Box import -cat poc_bof13.mp4
    

there will be segment fault

    [H263Dmx] garbage before first frame!
    Track Importing H263 - Width 704 Height 576 FPS 15000/1000
    Segmentation fault=          | (50/100)
    

backtrace atm

    pwndbg> bt
    #0  0x0000000000afc1cc in __memmove_avx_unaligned_erms ()
    #1  0x00000000007f0dbf in h263dmx_process ()
    #2  0x00000000006d9c90 in gf_filter_process_task ()
    #3  0x00000000006c5dbc in gf_fs_thread_proc ()
    #4  0x00000000006cb3bb in gf_fs_run ()
    #5  0x00000000006008ed in gf_media_import ()
    #6  0x00000000004313d1 in import_file ()
    #7  0x00000000004375f1 in cat_isomedia_file ()
    #8  0x0000000000411e78 in mp4box_main ()
    #9  0x0000000000a8c47a in __libc_start_call_main ()
    #10 0x0000000000a8dcd7 in __libc_start_main_impl ()
    #11 0x0000000000402c55 in _start ()
    

**POC**

poc\_bof13.zip

**Impact**

Potentially causing DoS and RCE

**Credit**

Xdchase

CVE-2022-47663: buffer overflow in h263dmx_process filters/reframe_h263.c:609 · Issue #2360 · gpac/gpac

GPAC MP4box 2.1-DEV-rev644-g5c4df2a67 is vulnerable to Buffer Overflow in gf_bs_read_data

Thanks for reporting your issue. Please make sure these boxes are checked before submitting your issue - thank you!

*   I looked for a similar issue and couldn't find any.
*   I tried with the latest version of GPAC. Installers available at http://gpac.io/downloads/gpac-nightly-builds/
*   I give enough information for contributors to reproduce my issue (meaningful title, github labels, platform and compiler, command-line ...). I can share files anonymously with this dropbox: https://www.mediafire.com/filedrop/filedrop\_hosted.php?drop=eec9e058a9486fe4e99c33021481d9e1826ca9dbc242a6cfaab0fe95da5e5d95

Detailed guidelines: http://gpac.io/2013/07/16/how-to-file-a-bug-properly/

**Description**

stack-buffer-overflow utils/bitstream.c:732 in gf\_bs\_read\_data

**Version info**

latest version atm

    MP4Box - GPAC version 2.1-DEV-rev644-g5c4df2a67-master
    (c) 2000-2022 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
    
    Please cite our work in your research:
    	GPAC Filters: https://doi.org/10.1145/3339825.3394929
    	GPAC: https://doi.org/10.1145/1291233.1291452
    
    GPAC Configuration: --enable-sanitizer
    Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SSL GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_LINUX_DVB  GPAC_DISABLE_3D
    

**Reproduce**

compile and run

    ./configure --enable-sanitizer
    make
    ./MP4Box import -cat poc_bof11.mp4
    

Crash reported by sanitizer

    Track Importing AAC  - SampleRate 88200 Num Channels 8
    =================================================================
    ==325854==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffc52ec0940 at pc 0x7fa1e477c501 bp 0x7ffc52ebf3a0 sp 0x7ffc52ebf390
    WRITE of size 1 at 0x7ffc52ec0940 thread T0
        #0 0x7fa1e477c500 in gf_bs_read_data utils/bitstream.c:732
        #1 0x7fa1e59d0a8c in latm_dmx_sync_frame_bs filters/reframe_latm.c:170
        #2 0x7fa1e59d289f in latm_dmx_sync_frame_bs filters/reframe_latm.c:86
        #3 0x7fa1e59d289f in latm_dmx_process filters/reframe_latm.c:526
        #4 0x7fa1e55eabac in gf_filter_process_task filter_core/filter.c:2795
        #5 0x7fa1e55aa703 in gf_fs_thread_proc filter_core/filter_session.c:1859
        #6 0x7fa1e55b700e in gf_fs_run filter_core/filter_session.c:2120
        #7 0x7fa1e4ff9a21 in gf_media_import media_tools/media_import.c:1551
        #8 0x55a84c1ccb4c in import_file /home/sumuchuan/Desktop/gpac_fuzz/gpac/applications/mp4box/fileimport.c:1498
        #9 0x55a84c1d75d7 in cat_isomedia_file /home/sumuchuan/Desktop/gpac_fuzz/gpac/applications/mp4box/fileimport.c:2536
        #10 0x55a84c181130 in do_add_cat /home/sumuchuan/Desktop/gpac_fuzz/gpac/applications/mp4box/mp4box.c:4562
        #11 0x55a84c181130 in mp4box_main /home/sumuchuan/Desktop/gpac_fuzz/gpac/applications/mp4box/mp4box.c:6124
        #12 0x7fa1e2580d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
        #13 0x7fa1e2580e3f in __libc_start_main_impl ../csu/libc-start.c:392
        #14 0x55a84c15dcb4 in _start (/home/sumuchuan/Desktop/gpac_fuzz/gpac/bin/gcc/MP4Box+0xabcb4)
    
    Address 0x7ffc52ec0940 is located in stack of thread T0 at offset 5088 in frame
        #0 0x7fa1e59d20af in latm_dmx_process filters/reframe_latm.c:456
    
      This frame has 19 object(s):
        [48, 52) 'pck_size' (line 461)
        [64, 68) 'latm_frame_size' (line 525)
        [80, 84) 'dsi_s' (line 312)
        [96, 104) 'output' (line 460)
        [128, 136) 'dsi_b' (line 311)
        [160, 184) '<unknown>'
        [224, 248) '<unknown>'
        [288, 312) '<unknown>'
        [352, 376) '<unknown>'
        [416, 440) '<unknown>'
        [480, 504) '<unknown>'
        [544, 568) '<unknown>'
        [608, 632) '<unknown>'
        [672, 696) '<unknown>'
        [736, 760) '<unknown>'
        [800, 824) '<unknown>'
        [864, 888) '<unknown>'
        [928, 952) '<unknown>'
        [992, 5088) 'latm_buffer' (line 524) <== Memory access at offset 5088 overflows this variable
    HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
          (longjmp and C++ exceptions *are* supported)
    SUMMARY: AddressSanitizer: stack-buffer-overflow utils/bitstream.c:732 in gf_bs_read_data
    Shadow bytes around the buggy address:
      0x10000a5d00d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x10000a5d00e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x10000a5d00f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x10000a5d0100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x10000a5d0110: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    =>0x10000a5d0120: 00 00 00 00 00 00 00 00[f3]f3 f3 f3 f3 f3 f3 f3
      0x10000a5d0130: f3 f3 f3 f3 f3 f3 f3 f3 00 00 00 00 00 00 00 00
      0x10000a5d0140: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x10000a5d0150: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x10000a5d0160: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x10000a5d0170: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==325854==ABORTING
    

**POC**

poc\_bof11.zip

**Impact**

Potentially causing DoS and RCE

**Credit**

Xdchase

Tag

#js