GPAC MP4box 2.1-DEV-rev574-g9d5bb184b is vulnerable to Buffer Overflow via gf_vvc_read_sps_bs_internal function of media_tools/av_parsers.c

Thanks for reporting your issue. Please make sure these boxes are checked before submitting your issue - thank you!

*   I looked for a similar issue and couldn't find any.
*   I tried with the latest version of GPAC. Installers available at http://gpac.io/downloads/gpac-nightly-builds/
*   I give enough information for contributors to reproduce my issue (meaningful title, github labels, platform and compiler, command-line ...). I can share files anonymously with this dropbox: https://www.mediafire.com/filedrop/filedrop\_hosted.php?drop=eec9e058a9486fe4e99c33021481d9e1826ca9dbc242a6cfaab0fe95da5e5d95

Detailed guidelines: http://gpac.io/2013/07/16/how-to-file-a-bug-properly/

**Description**

buffer overflow in gf\_vvc\_read\_sps\_bs\_internal function of media\_tools/av\_parsers.c

for (i=0; i<sps\_rpl1\_same\_as\_rpl0; i++) {
  u32 j;
  sps->num\_ref\_pic\_lists\[i\] = gf\_bs\_read\_ue\_log\_idx(bs, "sps\_num\_ref\_pic\_lists", i);
  for (j=0; j<sps->num\_ref\_pic\_lists\[i\]; j++) {
	  s32 res = vvc\_parse\_ref\_pic\_list\_struct(bs, sps, i, j, &sps->rps\[i\]\[j\]); // when j == 64, overflow sps->rps
	  if (res<0) return res;
  }
}

**Version info**

    MP4Box - GPAC version 2.1-DEV-rev574-g9d5bb184b-master
    (c) 2000-2022 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
    
    Please cite our work in your research:
    	GPAC Filters: https://doi.org/10.1145/3339825.3394929
    	GPAC: https://doi.org/10.1145/1291233.1291452
    
    GPAC Configuration: --enable-sanitizer
    Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SSL GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_LINUX_DVB  GPAC_DISABLE_3D
    

**Reproduce**

compile and run

    ./configure --enable-sanitizer
    make
    ./MP4Box import -add poc.mp4
    

Crash reported by sanitizer

    [VVC] Warning: Error parsing NAL unit
    [Core] exp-golomb read failed, not enough bits in bitstream !
    media_tools/av_parsers.c:10710:71: runtime error: index 65 out of bounds for type 'VVC_RefPicList [64]'
    

**POC**

poc\_bof.zip

**Impact**

Potentially causing DoS and RCE

**Credit**

xdchase

CVE-2022-47089: Buffer overflow in gf_vvc_read_sps_bs_internal function of media_tools/av_parsers.c · Issue #2338 · gpac/gpac

GPAC MP4box 2.1-DEV-rev574-g9d5bb184b has a Buffer overflow in gf_vvc_read_pps_bs_internal function of media_tools/av_parsers.c

Thanks for reporting your issue. Please make sure these boxes are checked before submitting your issue - thank you!

*   I looked for a similar issue and couldn't find any.
*   I tried with the latest version of GPAC. Installers available at http://gpac.io/downloads/gpac-nightly-builds/
*   I give enough information for contributors to reproduce my issue (meaningful title, github labels, platform and compiler, command-line ...). I can share files anonymously with this dropbox: https://www.mediafire.com/filedrop/filedrop\_hosted.php?drop=eec9e058a9486fe4e99c33021481d9e1826ca9dbc242a6cfaab0fe95da5e5d95

Detailed guidelines: http://gpac.io/2013/07/16/how-to-file-a-bug-properly/

**Description**

buffer overflow in gf\_vvc\_read\_pps\_bs\_internal function of media\_tools/av\_parsers.c

while (nb\_ctb\_left >= uni\_size\_ctb) {
	nb\_ctb\_left -= uni\_size\_ctb;
	pps->tile\_rows\_height\_ctb\[pps->num\_tile\_rows\] = uni\_size\_ctb; // when pps->num\_tile\_rows == 32, overflow at pps->tile\_rows\_height\_ctb
	pps->num\_tile\_rows++;
}

**Version info**

    MP4Box - GPAC version 2.1-DEV-rev574-g9d5bb184b-master
    (c) 2000-2022 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
    
    Please cite our work in your research:
    	GPAC Filters: https://doi.org/10.1145/3339825.3394929
    	GPAC: https://doi.org/10.1145/1291233.1291452
    
    GPAC Configuration: --enable-sanitizer
    Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SSL GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_LINUX_DVB  GPAC_DISABLE_3D
    

**Reproduce**

compile and run

    ./configure --enable-sanitizer
    make
    ./MP4Box import -add poc_bof2.mp4
    

Crash reported by sanitizer

    [Core] exp-golomb read failed, not enough bits in bitstream !
    [VVC] Warning: Error parsing NAL unit
    media_tools/av_parsers.c:10985:29: runtime error: index 33 out of bounds for type 'u32 [33]'
    

**POC**

poc\_bof2.zip

**Impact**

Potentially causing DoS and RCE

**Credit**

Xdchase

CVE-2022-47087: Buffer overflow in gf_vvc_read_pps_bs_internal function of media_tools/av_parsers.c · Issue #2339 · gpac/gpac

GPAC version 2.1-DEV-rev505-gb9577e6ad-master was discovered to contain a memory leak via the afrt_box_read function at box_code_adobe.c.

A memory leak has occurred when running program MP4Box, this can reproduce on the lattest commit.

**Version**

    $ ./MP4Box -version                              
    MP4Box - GPAC version 2.1-DEV-rev505-gb9577e6ad-master
    (c) 2000-2022 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
    
    Please cite our work in your research:
    	GPAC Filters: https://doi.org/10.1145/3339825.3394929
    	GPAC: https://doi.org/10.1145/1291233.1291452
    
    GPAC Configuration: --static-build --extra-cflags=-fsanitize=address -g --extra-ldflags=-fsanitize=address -g
    Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SSL GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_FREETYPE GPAC_HAS_JPEG GPAC_HAS_PNG GPAC_HAS_LINUX_DVB
    

git log

    commit b9577e6ad91ef96decbcd369227ab02b2842c77f (HEAD -> master, origin/master, origin/HEAD)
    Author: jeanlf <jeanlf@gpac.io>
    Date:   Fri Nov 25 16:53:55 2022 +0100
    

**Verification steps**

    export CFLAGS='-fsanitize=address -g'
    export CC=/usr/bin/clang
    export CXX=/usr/bin/clang++ 
    git clone https://github.com/gpac/gpac.git
    cd gpac
    ./configure --static-build --extra-cflags="${CFLAGS}" --extra-ldflags="${CFLAGS}"
    make
    cd bin/gcc
    ./MP4Box -info $poc
    

**POC file**

https://github.com/HotSpurzzZ/testcases/blob/main/gpac/gpac\_Direct\_leak\_afrt\_box\_read.mp4

**AddressSanitizer output**

    $ ./MP4Box -info gpac_Direct_leak_afrt_box_read.mp4       
    [isom] not enough bytes in box afrt: 0 left, reading 1 (file isomedia/box_code_adobe.c, line 713)
    [iso file] Read Box "afrt" (start 0) failed (Invalid IsoMedia File) - skipping
    Error opening file gpac_Direct_leak_afrt_box_read.mp4: Invalid IsoMedia File
    
    =================================================================
    ==10525==ERROR: LeakSanitizer: detected memory leaks
    
    Direct leak of 24 byte(s) in 1 object(s) allocated from:
        #0 0x4a186d in malloc (/root/Desktop/gpac/bin/gcc/MP4Box+0x4a186d)
        #1 0x902c18 in afrt_box_read /root/Desktop/gpac/src/isomedia/box_code_adobe.c:706:35
    
    SUMMARY: AddressSanitizer: 24 byte(s) leaked in 1 allocation(s).

CVE-2022-46490: Memory leak in afrt_box_read function of box_code_adobe.c:706:35 · Issue #2327 · gpac/gpac

GPAC MP4box 2.1-DEV-rev574-g9d5bb184b is vulnerable to Null pointer dereference via filters/dmx_m2ts.c:343 in m2tsdmx_declare_pid

Thanks for reporting your issue. Please make sure these boxes are checked before submitting your issue - thank you!

*   I looked for a similar issue and couldn't find any.
*   I tried with the latest version of GPAC. Installers available at http://gpac.io/downloads/gpac-nightly-builds/
*   I give enough information for contributors to reproduce my issue (meaningful title, github labels, platform and compiler, command-line ...). I can share files anonymously with this dropbox: https://www.mediafire.com/filedrop/filedrop\_hosted.php?drop=eec9e058a9486fe4e99c33021481d9e1826ca9dbc242a6cfaab0fe95da5e5d95

Detailed guidelines: http://gpac.io/2013/07/16/how-to-file-a-bug-properly/

**Description**

Null pointer dereference filters/dmx\_m2ts.c:343 in m2tsdmx\_declare\_pid

**Version info**

    MP4Box - GPAC version 2.1-DEV-rev574-g9d5bb184b-master
    (c) 2000-2022 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
    
    Please cite our work in your research:
    	GPAC Filters: https://doi.org/10.1145/3339825.3394929
    	GPAC: https://doi.org/10.1145/1291233.1291452
    
    GPAC Configuration: --enable-sanitizer
    Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SSL GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_LINUX_DVB  GPAC_DISABLE_3D
    

**Reproduce**

compile and run

    ./configure --enable-sanitizer
    make
    ./MP4Box import -add poc_nderef.avi
    

**Crash reported by sanitizer**

    Broken PAT found reserved PID 0, ignoring
    Broken PAT found reserved PID 0, ignoring
    Broken PAT found reserved PID 0, ignoring
    Broken PAT found reserved PID 0, ignoring
    Broken PMT descriptor! size 54, desc size 48 but position 5
    MORE sections on pid 4144
    Broken PMT descriptor! size 54, desc size 48 but position 10
    Broken PMT descriptor! size 54, desc size 48 but position 15
    [MPEG-2 TS] PID 4144 reused across programs 8192 and 8192, not completely supported
    Broken PMT descriptor! size 54, desc size 48 but position 20
    [MPEG-2 TS] PID 4144 reused across programs 8192 and 8192, not completely supported
    MORE sections on pid 4144
    [MPEG-2 TS] PID 4144 reused across programs 8192 and 8192, not completely supported
    [MPEG-2 TS] Invalid PMT es descriptor size for PID 5859
    [MPEG-2 TS] TS Packet 3 is scrambled - not supported
    Broken PAT found reserved PID 0, ignoring
    Broken PAT found reserved PID 0, ignoring
    Broken PAT found reserved PID 0, ignoring
    Broken PAT found reserved PID 0, ignoring
    Broken PMT descriptor! size 54, desc size 48 but position 5
    MORE sections on pid 4144
    Broken PMT descriptor! size 54, desc size 48 but position 10
    Broken PMT descriptor! size 54, desc size 48 but position 15
    [MPEG-2 TS] PID 4144 reused across programs 8192 and 8192, not completely supported
    Broken PMT descriptor! size 54, desc size 48 but position 20
    [MPEG-2 TS] PID 4144 reused across programs 8192 and 8192, not completely supported
    MORE sections on pid 4144
    [MPEG-2 TS] PID 4144 reused across programs 8192 and 8192, not completely supported
    [MPEG-2 TS] Invalid PMT es descriptor size for PID 5859
    [M2TSDmx] Stream type 0x30 not supported - ignoring pid
    filters/dmx_m2ts.c:343:51: runtime error: member access within null pointer of type 'struct GF_InitialObjectDescriptor'
    

**POC**

poc\_nderef.zip

**Impact**

Potentially causing DoS and RCE

**Credit**

Xdchase

CVE-2022-47094: Null pointer dereference filters/dmx_m2ts.c:343 in m2tsdmx_declare_pid · Issue #2345 · gpac/gpac

GPAC version 2.1-DEV-rev505-gb9577e6ad-master was discovered to contain a memory leak via the gf_isom_box_parse_ex function at box_funcs.c.

A memory leak has occurred when running program MP4Box, this can reproduce on the lattest commit.

**Version**

    $ ./MP4Box -version                              
    MP4Box - GPAC version 2.1-DEV-rev505-gb9577e6ad-master
    (c) 2000-2022 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
    
    Please cite our work in your research:
    	GPAC Filters: https://doi.org/10.1145/3339825.3394929
    	GPAC: https://doi.org/10.1145/1291233.1291452
    
    GPAC Configuration: --static-build --extra-cflags=-fsanitize=address -g --extra-ldflags=-fsanitize=address -g
    Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SSL GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_FREETYPE GPAC_HAS_JPEG GPAC_HAS_PNG GPAC_HAS_LINUX_DVB
    

git log

    commit b9577e6ad91ef96decbcd369227ab02b2842c77f (HEAD -> master, origin/master, origin/HEAD)
    Author: jeanlf <jeanlf@gpac.io>
    Date:   Fri Nov 25 16:53:55 2022 +0100
    

**Verification steps**

    export CFLAGS='-fsanitize=address -g'
    export CC=/usr/bin/clang
    export CXX=/usr/bin/clang++ 
    git clone https://github.com/gpac/gpac.git
    cd gpac
    ./configure --static-build --extra-cflags="${CFLAGS}" --extra-ldflags="${CFLAGS}"
    make
    cd bin/gcc
    ./MP4Box -info $poc
    

**POC file**

https://github.com/HotSpurzzZ/testcases/blob/main/gpac/gpac\_Direct\_leak\_gf\_isom\_box\_parse\_ex.mp4

**AddressSanitizer output**

    $ ./MP4Box -info gpac_Direct_leak_gf_isom_box_parse_ex.mp4
    [iso file] Failed to uncompress payload for box type !ssx (0x21737378)
    Error opening file gpac_Direct_leak_gf_isom_box_parse_ex.mp4: BitStream Not Compliant
    
    =================================================================
    ==10575==ERROR: LeakSanitizer: detected memory leaks
    
    Direct leak of 1718840668 byte(s) in 1 object(s) allocated from:
        #0 0x4a186d in malloc (/root/Desktop/gpac/bin/gcc/MP4Box+0x4a186d)
        #1 0x7dfc41 in gf_isom_box_parse_ex /root/Desktop/gpac/src/isomedia/box_funcs.c:166:13
        #2 0x7df29c in gf_isom_parse_root_box /root/Desktop/gpac/src/isomedia/box_funcs.c:38:8
    
    Direct leak of 4096 byte(s) in 1 object(s) allocated from:
        #0 0x4a186d in malloc (/root/Desktop/gpac/bin/gcc/MP4Box+0x4a186d)
        #1 0x599d69 in gf_gz_decompress_payload /root/Desktop/gpac/src/utils/base_encoding.c:257:31
        #2 0x7dfc66 in gf_isom_box_parse_ex /root/Desktop/gpac/src/isomedia/box_funcs.c:170:9
        #3 0x7df29c in gf_isom_parse_root_box /root/Desktop/gpac/src/isomedia/box_funcs.c:38:8
    
    SUMMARY: AddressSanitizer: 1718844764 byte(s) leaked in 2 allocation(s).

CVE-2022-46489: Memory leak in gf_isom_box_parse_ex function of box_funcs.c:166:13 · Issue #2328 · gpac/gpac

GPAC MP4box 2.1-DEV-rev574-g9d5bb184b is vulnerable to heap use-after-free via filters/dmx_m2ts.c:470 in m2tsdmx_declare_pid

Thanks for reporting your issue. Please make sure these boxes are checked before submitting your issue - thank you!

*   I looked for a similar issue and couldn't find any.
*   I tried with the latest version of GPAC. Installers available at http://gpac.io/downloads/gpac-nightly-builds/
*   I give enough information for contributors to reproduce my issue (meaningful title, github labels, platform and compiler, command-line ...). I can share files anonymously with this dropbox: https://www.mediafire.com/filedrop/filedrop\_hosted.php?drop=eec9e058a9486fe4e99c33021481d9e1826ca9dbc242a6cfaab0fe95da5e5d95

Detailed guidelines: http://gpac.io/2013/07/16/how-to-file-a-bug-properly/

**Description**

heap-use-after-free filters/dmx\_m2ts.c:470 in m2tsdmx\_declare\_pid

**Version info**

    MP4Box - GPAC version 2.1-DEV-rev574-g9d5bb184b-master
    (c) 2000-2022 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
    
    Please cite our work in your research:
    	GPAC Filters: https://doi.org/10.1145/3339825.3394929
    	GPAC: https://doi.org/10.1145/1291233.1291452
    
    GPAC Configuration: --enable-sanitizer
    Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SSL GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_LINUX_DVB  GPAC_DISABLE_3D
    

**Reproduce**

compile and run

    ./configure --enable-sanitizer
    make
    ./MP4Box import -add poc_uaf.avi
    

**Crash reported by sanitizer**

    Broken PAT found reserved PID 0, ignoring
    Broken PAT found reserved PID 0, ignoring
    Broken PAT found reserved PID 0, ignoring
    Broken PAT found reserved PID 0, ignoring
    Broken PAT found reserved PID 0, ignoring
    [MPEG-2 TS] PID 1863: Bad Adaptation Descriptor found (tag 100) size is 100 but only 93 bytes available
    stream type DSM CC user private sections on pid 32 
    [MPEG-2 TS] Invalid PMT es descriptor size for PID 32
    [MPEG-2 TS] Invalid PMT es descriptor size for PID 5364
    Broken PAT found reserved PID 0, ignoring
    Broken PAT found reserved PID 0, ignoring
    Broken PAT found reserved PID 0, ignoring
    Broken PAT found reserved PID 0, ignoring
    Broken PAT found reserved PID 0, ignoring
    [MPEG-2 TS] PID 1863: Bad Adaptation Descriptor found (tag 100) size is 100 but only 93 bytes available
    stream type DSM CC user private sections on pid 32 
    [MPEG-2 TS] Invalid PMT es descriptor size for PID 32
    [MPEG-2 TS] Invalid PMT es descriptor size for PID 5364
    =================================================================
    ==583780==ERROR: AddressSanitizer: heap-use-after-free on address 0x607000004548 at pc 0x7fa6cb05f685 bp 0x7ffc93e21020 sp 0x7ffc93e21010
    READ of size 8 at 0x607000004548 thread T0
        #0 0x7fa6cb05f684 in m2tsdmx_declare_pid filters/dmx_m2ts.c:470
        #1 0x7fa6cb05f98a in m2tsdmx_setup_program filters/dmx_m2ts.c:592
        #2 0x7fa6cb06245b in m2tsdmx_on_event filters/dmx_m2ts.c:876
        #3 0x7fa6ca9507d4 in gf_m2ts_process_pmt media_tools/mpegts.c:1779
        #4 0x7fa6ca9507d4 in gf_m2ts_process_pmt media_tools/mpegts.c:1132
        #5 0x7fa6ca9439b6 in gf_m2ts_section_complete media_tools/mpegts.c:624
        #6 0x7fa6ca9452af in gf_m2ts_gather_section media_tools/mpegts.c:755
        #7 0x7fa6ca94a532 in gf_m2ts_process_packet media_tools/mpegts.c:2721
        #8 0x7fa6ca94dd68 in gf_m2ts_process_data media_tools/mpegts.c:2813
        #9 0x7fa6cb05a250 in m2tsdmx_process filters/dmx_m2ts.c:1420
        #10 0x7fa6caf29bcc in gf_filter_process_task filter_core/filter.c:2750
        #11 0x7fa6caee9af3 in gf_fs_thread_proc filter_core/filter_session.c:1859
        #12 0x7fa6caef63ee in gf_fs_run filter_core/filter_session.c:2120
        #13 0x7fa6ca938fd1 in gf_media_import media_tools/media_import.c:1551
        #14 0x55f87208daec in import_file /home/sumuchuan/Desktop/gpac_fuzz/gpac/applications/mp4box/fileimport.c:1498
        #15 0x55f8720423db in do_add_cat /home/sumuchuan/Desktop/gpac_fuzz/gpac/applications/mp4box/mp4box.c:4508
        #16 0x55f8720423db in mp4box_main /home/sumuchuan/Desktop/gpac_fuzz/gpac/applications/mp4box/mp4box.c:6124
        #17 0x7fa6c7ec3d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
        #18 0x7fa6c7ec3e3f in __libc_start_main_impl ../csu/libc-start.c:392
        #19 0x55f87201ecb4 in _start (/home/sumuchuan/Desktop/gpac_fuzz/gpac/bin/gcc/MP4Box+0xabcb4)
    
    0x607000004548 is located 8 bytes inside of 80-byte region [0x607000004540,0x607000004590)
    freed by thread T0 here:
        #0 0x7fa6cda1ec18 in __interceptor_realloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:164
        #1 0x7fa6ca0aff20 in realloc_chain utils/list.c:621
        #2 0x7fa6ca0aff20 in gf_list_add utils/list.c:630
        #3 0x7fa6caed06d0 in gf_props_set_property filter_core/filter_props.c:1098
        #4 0x7fa6cae8a35d in gf_filter_pid_set_property_full filter_core/filter_pid.c:5411
        #5 0x7fa6cae8a35d in gf_filter_pid_set_property filter_core/filter_pid.c:5418
        #6 0x7fa6cb05c6b3 in m2tsdmx_declare_pid filters/dmx_m2ts.c:454
        #7 0x7fa6cb05f98a in m2tsdmx_setup_program filters/dmx_m2ts.c:592
        #8 0x7fa6cb06245b in m2tsdmx_on_event filters/dmx_m2ts.c:876
        #9 0x7fa6ca9507d4 in gf_m2ts_process_pmt media_tools/mpegts.c:1779
        #10 0x7fa6ca9507d4 in gf_m2ts_process_pmt media_tools/mpegts.c:1132
        #11 0x7fa6ca9439b6 in gf_m2ts_section_complete media_tools/mpegts.c:624
        #12 0x7fa6ca9452af in gf_m2ts_gather_section media_tools/mpegts.c:755
        #13 0x7fa6ca94a532 in gf_m2ts_process_packet media_tools/mpegts.c:2721
        #14 0x7fa6ca94dd68 in gf_m2ts_process_data media_tools/mpegts.c:2813
        #15 0x7fa6cb05a250 in m2tsdmx_process filters/dmx_m2ts.c:1420
        #16 0x7fa6caf29bcc in gf_filter_process_task filter_core/filter.c:2750
        #17 0x7fa6caee9af3 in gf_fs_thread_proc filter_core/filter_session.c:1859
        #18 0x7fa6caef63ee in gf_fs_run filter_core/filter_session.c:2120
        #19 0x7fa6ca938fd1 in gf_media_import media_tools/media_import.c:1551
        #20 0x55f87208daec in import_file /home/sumuchuan/Desktop/gpac_fuzz/gpac/applications/mp4box/fileimport.c:1498
        #21 0x55f8720423db in do_add_cat /home/sumuchuan/Desktop/gpac_fuzz/gpac/applications/mp4box/mp4box.c:4508
        #22 0x55f8720423db in mp4box_main /home/sumuchuan/Desktop/gpac_fuzz/gpac/applications/mp4box/mp4box.c:6124
        #23 0x7fa6c7ec3d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    
    previously allocated by thread T0 here:
        #0 0x7fa6cda1ec18 in __interceptor_realloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:164
        #1 0x7fa6ca0aff20 in realloc_chain utils/list.c:621
        #2 0x7fa6ca0aff20 in gf_list_add utils/list.c:630
        #3 0x7fa6caed0d5f in gf_props_merge_property filter_core/filter_props.c:1199
        #4 0x7fa6cae9661b in gf_filter_pid_new filter_core/filter_pid.c:5258
        #5 0x7fa6cb05adf9 in m2tsdmx_declare_pid filters/dmx_m2ts.c:411
        #6 0x7fa6cb05f98a in m2tsdmx_setup_program filters/dmx_m2ts.c:592
        #7 0x7fa6cb06245b in m2tsdmx_on_event filters/dmx_m2ts.c:876
        #8 0x7fa6ca9507d4 in gf_m2ts_process_pmt media_tools/mpegts.c:1779
        #9 0x7fa6ca9507d4 in gf_m2ts_process_pmt media_tools/mpegts.c:1132
        #10 0x7fa6ca9439b6 in gf_m2ts_section_complete media_tools/mpegts.c:624
        #11 0x7fa6ca9452af in gf_m2ts_gather_section media_tools/mpegts.c:755
        #12 0x7fa6ca94a532 in gf_m2ts_process_packet media_tools/mpegts.c:2721
        #13 0x7fa6ca94dd68 in gf_m2ts_process_data media_tools/mpegts.c:2813
        #14 0x7fa6cb05a250 in m2tsdmx_process filters/dmx_m2ts.c:1420
        #15 0x7fa6caf29bcc in gf_filter_process_task filter_core/filter.c:2750
        #16 0x7fa6caee9af3 in gf_fs_thread_proc filter_core/filter_session.c:1859
        #17 0x7fa6caef63ee in gf_fs_run filter_core/filter_session.c:2120
        #18 0x7fa6ca938fd1 in gf_media_import media_tools/media_import.c:1551
        #19 0x55f87208daec in import_file /home/sumuchuan/Desktop/gpac_fuzz/gpac/applications/mp4box/fileimport.c:1498
        #20 0x55f8720423db in do_add_cat /home/sumuchuan/Desktop/gpac_fuzz/gpac/applications/mp4box/mp4box.c:4508
        #21 0x55f8720423db in mp4box_main /home/sumuchuan/Desktop/gpac_fuzz/gpac/applications/mp4box/mp4box.c:6124
        #22 0x7fa6c7ec3d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    
    SUMMARY: AddressSanitizer: heap-use-after-free filters/dmx_m2ts.c:470 in m2tsdmx_declare_pid
    Shadow bytes around the buggy address:
      0x0c0e7fff8850: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 fa fa
      0x0c0e7fff8860: fa fa 00 00 00 00 00 00 00 00 00 00 fa fa fa fa
      0x0c0e7fff8870: 00 00 00 00 00 00 00 00 00 00 fa fa fa fa 00 00
      0x0c0e7fff8880: 00 00 00 00 00 00 00 00 fa fa fa fa 00 00 00 00
      0x0c0e7fff8890: 00 00 00 00 00 00 fa fa fa fa 00 00 00 00 00 00
    =>0x0c0e7fff88a0: 00 00 00 00 fa fa fa fa fd[fd]fd fd fd fd fd fd
      0x0c0e7fff88b0: fd fd fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c0e7fff88c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c0e7fff88d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c0e7fff88e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c0e7fff88f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==583780==ABORTING
    

**POC**

poc\_uaf.zip

**Impact**

Potentially causing DoS and RCE

**Credit**

Xdchase

CVE-2022-47093: heap-use-after-free filters/dmx_m2ts.c:470 in m2tsdmx_declare_pid · Issue #2344 · gpac/gpac

GPAC MP4Box v2.1-DEV-rev574-g9d5bb184b contains a segmentation violation via the function gf_sm_load_init_swf at scene_manager/swf_parse.c

Thanks for reporting your issue. Please make sure these boxes are checked before submitting your issue - thank you!

*   I looked for a similar issue and couldn't find any.
*   I tried with the latest version of GPAC. Installers available at http://gpac.io/downloads/gpac-nightly-builds/
*   I give enough information for contributors to reproduce my issue (meaningful title, github labels, platform and compiler, command-line ...). I can share files anonymously with this dropbox: https://www.mediafire.com/filedrop/filedrop\_hosted.php?drop=eec9e058a9486fe4e99c33021481d9e1826ca9dbc242a6cfaab0fe95da5e5d95

Detailed guidelines: http://gpac.io/2013/07/16/how-to-file-a-bug-properly/

**Description**

Forget to check the return value of gf_swf_read_header in gf\_sm\_load\_init\_swf. gf_swf_read_header should fall fast if error is detected.

gf\_swf\_read\_header(read);
load->ctx->scene\_width = FIX2INT(read->width);
load->ctx->scene\_height = FIX2INT(read->height);
load->ctx->is\_pixel\_metrics = 1;

**Verison info**

    MP4Box - GPAC version 2.1-DEV-rev574-g9d5bb184b-master
    (c) 2000-2022 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
    
    Please cite our work in your research:
    	GPAC Filters: https://doi.org/10.1145/3339825.3394929
    	GPAC: https://doi.org/10.1145/1291233.1291452
    
    GPAC Configuration: --enable-sanitizer
    Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SSL GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_LINUX_DVB  GPAC_DISABLE_3D
    

**Reproduce**

compile with

    ./configure --enable-sanitizer
    make
    

run with poc.swf (in attachment)

    ./MP4Box import -add poc.swf
    

crash triggered

    [TXTLoad] Unknown text format for poc.swf
    Failed to connect filter fin PID poc.swf to filter txtin: Feature Not Supported
    Blacklisting txtin as output from fin and retrying connections
    AddressSanitizer:DEADLYSIGNAL
    =================================================================
    ==215517==ERROR: AddressSanitizer: SEGV on unknown address 0x615100000035 (pc 0x7f022cad9afb bp 0x7ffdc954ed70 sp 0x7ffdc954dc40 T0)
    ==215517==The signal is caused by a READ memory access.
        #0 0x7f022cad9afb in gf_sm_load_init_swf scene_manager/swf_parse.c:2667
        #1 0x7f022ca5125f in gf_sm_load_init scene_manager/scene_manager.c:692
        #2 0x7f022d169cea in ctxload_process filters/load_bt_xmt.c:476
        #3 0x7f022cecfbcc in gf_filter_process_task filter_core/filter.c:2750
        #4 0x7f022ce8faf3 in gf_fs_thread_proc filter_core/filter_session.c:1859
        #5 0x7f022ce9c3ee in gf_fs_run filter_core/filter_session.c:2120
        #6 0x7f022c8defd1 in gf_media_import media_tools/media_import.c:1551
        #7 0x56297ebccaec in import_file /home/sumuchuan/Desktop/gpac_fuzz/gpac/applications/mp4box/fileimport.c:1498
        #8 0x56297eb813db in do_add_cat /home/sumuchuan/Desktop/gpac_fuzz/gpac/applications/mp4box/mp4box.c:4508
        #9 0x56297eb813db in mp4box_main /home/sumuchuan/Desktop/gpac_fuzz/gpac/applications/mp4box/mp4box.c:6124
        #10 0x7f0229e69d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
        #11 0x7f0229e69e3f in __libc_start_main_impl ../csu/libc-start.c:392
        #12 0x56297eb5dcb4 in _start (/home/sumuchuan/Desktop/gpac_fuzz/gpac/bin/gcc/MP4Box+0xabcb4)
    
    AddressSanitizer can not provide additional info.
    SUMMARY: AddressSanitizer: SEGV scene_manager/swf_parse.c:2667 in gf_sm_load_init_swf
    ==215517==ABORTING
    

**Gdb**

    Program received signal SIGSEGV, Segmentation fault.
    0x00007f2d4fe54afb in gf_sm_load_init_swf (load=load@entry=0x6110000084f0) at scene_manager/swf_parse.c:2667
    2667		load->ctx->scene_width = FIX2INT(read->width);
    LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
    ───────────────────────────────────────────────────────────────────────[ REGISTERS / show-flags off / show-compact-regs off ]────────────────────────────────────────────────────────────────────────
    *RAX  0x611000008508 —▸ 0x604000002a90 —▸ 0x616000001280 ◂— 0x0
     RBX  0xfffecf4d70a ◂— 0x0
     RCX  0xfffecf4d6ea ◂— 0x0
     RDX  0x0
    *RDI  0x615100000035 ◂— 0x0
     RSI  0x0
    *R8   0x611000008528 ◂— 0xa9
     R9   0x610000000bd0 —▸ 0x200000002 ◂— 0x0
     R10  0x610000000bd4 —▸ 0x20000000002 ◂— 0x0
     R11  0x610000000bd0 —▸ 0x200000002 ◂— 0x0
     R12  0x6110000084f0 ◂— 9 /* '\t' */
    *R13  0x6150fffffffd ◂— 0x0
    *R14  0x615000013e4c —▸ 0xb40000000a9 ◂— 0x0
    *R15  0x611000008508 —▸ 0x604000002a90 —▸ 0x616000001280 ◂— 0x0
    *RBP  0x7fff67a6c940 —▸ 0x7fff67a6ca60 —▸ 0x7fff67a6dd60 —▸ 0x7fff67a6ddf0 —▸ 0x7fff67a6def0 ◂— ...
    *RSP  0x7fff67a6b810 ◂— 0xf4dc4ae
    *RIP  0x7f2d4fe54afb (gf_sm_load_init_swf+747) ◂— cvttss2si ecx, dword ptr [r13 + 0x38]
    ────────────────────────────────────────────────────────────────────────────────[ DISASM / x86-64 / set emulate on ]─────────────────────────────────────────────────────────────────────────────────
     ► 0x7f2d4fe54afb <gf_sm_load_init_swf+747>    cvttss2si ecx, dword ptr [r13 + 0x38]
       0x7f2d4fe54b01 <gf_sm_load_init_swf+753>    shr    rax, 3
       0x7f2d4fe54b05 <gf_sm_load_init_swf+757>    cmp    byte ptr [rax + 0x7fff8000], 0
       0x7f2d4fe54b0c <gf_sm_load_init_swf+764>    jne    gf_sm_load_init_swf+2550                <gf_sm_load_init_swf+2550>
     
       0x7f2d4fe54b12 <gf_sm_load_init_swf+770>    mov    rsi, qword ptr [r12 + 0x18]
       0x7f2d4fe54b17 <gf_sm_load_init_swf+775>    test   rsi, rsi
       0x7f2d4fe54b1a <gf_sm_load_init_swf+778>    je     gf_sm_load_init_swf+2570                <gf_sm_load_init_swf+2570>
     
       0x7f2d4fe54b20 <gf_sm_load_init_swf+784>    test   sil, 7
       0x7f2d4fe54b24 <gf_sm_load_init_swf+788>    jne    gf_sm_load_init_swf+2570                <gf_sm_load_init_swf+2570>
     
       0x7f2d4fe54b2a <gf_sm_load_init_swf+794>    lea    rdx, [rsi + 0x18]
       0x7f2d4fe54b2e <gf_sm_load_init_swf+798>    cmp    rsi, -0x18
    ──────────────────────────────────────────────────────────────────────────────────────────[ SOURCE (CODE) ]──────────────────────────────────────────────────────────────────────────────────────────
    In file: /home/sumuchuan/Desktop/gpac_fuzz/gpac/src/scene_manager/swf_parse.c
       2662         read->flags = load->swf_import_flags;
       2663         read->flat_limit = FLT2FIX(load->swf_flatten_limit);
       2664         load->loader_priv = read;
       2665 
       2666         gf_swf_read_header(read);
     ► 2667         load->ctx->scene_width = FIX2INT(read->width);
       2668         load->ctx->scene_height = FIX2INT(read->height);
       2669         load->ctx->is_pixel_metrics = 1;
       2670 
       2671         if (!(load->swf_import_flags & GF_SM_SWF_SPLIT_TIMELINE) ) {
       2672                 swf_report(read, GF_OK, "ActionScript disabled");
    ──────────────────────────────────────────────────────────────────────────────────────────────[ STACK ]──────────────────────────────────────────────────────────────────────────────────────────────
    00:0000│ rsp 0x7fff67a6b810 ◂— 0xf4dc4ae
    01:0008│     0x7fff67a6b818 —▸ 0x7fff67a6c910 —▸ 0x7fff67a6c9b0 —▸ 0x60e000667773 ◂— 0x0
    02:0010│     0x7fff67a6b820 —▸ 0x61100000852c —▸ 0x2b000000000 ◂— 0x0
    03:0018│     0x7fff67a6b828 —▸ 0x611000008528 ◂— 0xa9
    04:0020│     0x7fff67a6b830 —▸ 0x7fff67a6b850 ◂— 0x41b58ab3
    05:0028│     0x7fff67a6b838 —▸ 0x611000008530 —▸ 0x6020000002b0 ◂— '/tmp/gpac_cache'
    06:0030│     0x7fff67a6b840 —▸ 0x611000008548 —▸ 0x615000013e00 —▸ 0x6110000084f0 ◂— 9 /* '\t' */
    07:0038│     0x7fff67a6b848 —▸ 0x7fff67a6b850 ◂— 0x41b58ab3
    ────────────────────────────────────────────────────────────────────────────────────────────[ BACKTRACE ]────────────────────────────────────────────────────────────────────────────────────────────
     ► f 0   0x7f2d4fe54afb gf_sm_load_init_swf+747
       f 1   0x7f2d4fdcc260 gf_sm_load_init+896
       f 2   0x7f2d504e4ceb ctxload_process+2283
       f 3   0x7f2d5024abcd gf_filter_process_task+3181
       f 4   0x7f2d5020aaf4 gf_fs_thread_proc+2244
       f 5   0x7f2d502173ef gf_fs_run+447
       f 6   0x7f2d4fc59fd2 gf_media_import+16210
       f 7   0x565119c9faed import_file+15133
    ─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
    
    

**Backtrace**

    pwndbg> bt
    #0  0x00007f2d4fe54afb in gf_sm_load_init_swf (load=load@entry=0x6110000084f0) at scene_manager/swf_parse.c:2667
    #1  0x00007f2d4fdcc260 in gf_sm_load_init (load=load@entry=0x6110000084f0) at scene_manager/scene_manager.c:692
    #2  0x00007f2d504e4ceb in ctxload_process (filter=<optimized out>) at filters/load_bt_xmt.c:476
    #3  0x00007f2d5024abcd in gf_filter_process_task (task=0x607000001520) at filter_core/filter.c:2750
    #4  0x00007f2d5020aaf4 in gf_fs_thread_proc (sess_thread=sess_thread@entry=0x616000000410) at filter_core/filter_session.c:1859
    #5  0x00007f2d502173ef in gf_fs_run (fsess=fsess@entry=0x616000000380) at filter_core/filter_session.c:2120
    #6  0x00007f2d4fc59fd2 in gf_media_import (importer=importer@entry=0x7fff67a6ee20) at media_tools/media_import.c:1551
    #7  0x0000565119c9faed in import_file (dest=<optimized out>, inName=inName@entry=0x7fff67a832c8 "fake.swf", import_flags=0, force_fps=..., frames_per_sample=0, fsess=fsess@entry=0x0, mux_args_if_first_pass=<optimized out>, mux_sid_if_first_pass=<optimized out>, tk_idx=<optimized out>) at fileimport.c:1498
    #8  0x0000565119c543dc in do_add_cat (argv=<optimized out>, argc=<optimized out>) at mp4box.c:4508
    #9  mp4box_main (argc=<optimized out>, argv=<optimized out>) at mp4box.c:6124
    #10 0x00007f2d4d1e4d90 in __libc_start_call_main (main=main@entry=0x565119c30bc0 <main>, argc=argc@entry=4, argv=argv@entry=0x7fff67a82d98) at ../sysdeps/nptl/libc_start_call_main.h:58
    #11 0x00007f2d4d1e4e40 in __libc_start_main_impl (main=0x565119c30bc0 <main>, argc=4, argv=0x7fff67a82d98, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fff67a82d88) at ../csu/libc-start.c:392
    #12 0x0000565119c30cb5 in _start ()
    

**Credit**

xdchase

**POC**

poc-segfault.zip

CVE-2022-47086: missing check in gf_sm_load_init_swf, causing Segmentation fault · Issue #2337 · gpac/gpac

GPAC MP4box 2.1-DEV-rev574-g9d5bb184b is vulnerable to Buffer Overflow.

Thanks for reporting your issue. Please make sure these boxes are checked before submitting your issue - thank you!

buffer overflow in gf\_vvc\_read\_pps\_bs\_internal function of media\_tools/av\_parsers.c

while (nb\_ctb\_left >= uni\_size\_ctb) {
	nb\_ctb\_left -= uni\_size\_ctb;
	pps->tile\_cols\_width\_ctb\[pps->num\_tile\_cols\] = uni\_size\_ctb; // when pps->num\_tile\_cols == 30, overflow at pps->tile\_cols\_width\_ctb
	pps->num\_tile\_cols++;
}

    MP4Box - GPAC version 2.1-DEV-rev574-g9d5bb184b-master
    (c) 2000-2022 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
    
    Please cite our work in your research:
    	GPAC Filters: https://doi.org/10.1145/3339825.3394929
    	GPAC: https://doi.org/10.1145/1291233.1291452
    
    GPAC Configuration: --enable-sanitizer
    Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SSL GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_LINUX_DVB  GPAC_DISABLE_3D
    

    ./configure --enable-sanitizer
    make
    ./MP4Box import -add poc_bof3.mp4
    

    [Core] exp-golomb read failed, not enough bits in bitstream !
    [VVC] Warning: Error parsing NAL unit
    [Core] exp-golomb read failed, not enough bits in bitstream !
    media_tools/av_parsers.c:10964:28: runtime error: index 30 out of bounds for type 'u32 [30]'

CVE-2022-47088: Another Buffer overflow in gf_vvc_read_pps_bs_internal function of media_tools/av_parsers.c · Issue #2340 · gpac/gpac

A vulnerability was found in Woorank robots-txt-guard. It has been rated as problematic. Affected by this issue is the function makePathPattern of the file lib/patterns.js. The manipulation of the argument pattern leads to inefficient regular expression complexity. The exploit has been disclosed to the public and may be used. The name of the patch is c03827cd2f9933619c23894ce7c98401ea824020. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-217448.

**robots-txt-guard Inefficient Regular Expression Complexity vulnerability**

Moderate severity GitHub Reviewed Published Jan 5, 2023 • Updated Jan 9, 2023

GHSA-6g33-8w2q-4hxv: robots-txt-guard Inefficient Regular Expression Complexity vulnerability

A vulnerability, which was classified as problematic, has been found in vercel ms up to 1.x. This issue affects the function parse of the file index.js. The manipulation of the argument str leads to inefficient regular expression complexity. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 2.0.0 is able to address this issue. The name of the patch is caae2988ba2a37765d055c4eee63d383320ee662. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-217451.

**Vercel ms Inefficient Regular Expression Complexity vulnerability**

Moderate severity GitHub Reviewed Published Jan 5, 2023 • Updated Jan 10, 2023

Tag

#js