GPAC MP4box 2.1-DEV-rev574-g9d5bb184b is vulnerable to Buffer Overflow via gf_vvc_read_sps_bs_internal function of media_tools/av_parsers.c

Thanks for reporting your issue. Please make sure these boxes are checked before submitting your issue - thank you!

*   I looked for a similar issue and couldn't find any.
*   I tried with the latest version of GPAC. Installers available at http://gpac.io/downloads/gpac-nightly-builds/
*   I give enough information for contributors to reproduce my issue (meaningful title, github labels, platform and compiler, command-line ...). I can share files anonymously with this dropbox: https://www.mediafire.com/filedrop/filedrop\_hosted.php?drop=eec9e058a9486fe4e99c33021481d9e1826ca9dbc242a6cfaab0fe95da5e5d95

Detailed guidelines: http://gpac.io/2013/07/16/how-to-file-a-bug-properly/

**Description**

buffer overflow in gf\_vvc\_read\_sps\_bs\_internal function of media\_tools/av\_parsers.c

for (i=0; i<sps\_rpl1\_same\_as\_rpl0; i++) {
  u32 j;
  sps->num\_ref\_pic\_lists\[i\] = gf\_bs\_read\_ue\_log\_idx(bs, "sps\_num\_ref\_pic\_lists", i);
  for (j=0; j<sps->num\_ref\_pic\_lists\[i\]; j++) {
	  s32 res = vvc\_parse\_ref\_pic\_list\_struct(bs, sps, i, j, &sps->rps\[i\]\[j\]); // when j == 64, overflow sps->rps
	  if (res<0) return res;
  }
}

**Version info**

    MP4Box - GPAC version 2.1-DEV-rev574-g9d5bb184b-master
    (c) 2000-2022 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
    
    Please cite our work in your research:
    	GPAC Filters: https://doi.org/10.1145/3339825.3394929
    	GPAC: https://doi.org/10.1145/1291233.1291452
    
    GPAC Configuration: --enable-sanitizer
    Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SSL GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_LINUX_DVB  GPAC_DISABLE_3D
    

**Reproduce**

compile and run

    ./configure --enable-sanitizer
    make
    ./MP4Box import -add poc.mp4
    

Crash reported by sanitizer

    [VVC] Warning: Error parsing NAL unit
    [Core] exp-golomb read failed, not enough bits in bitstream !
    media_tools/av_parsers.c:10710:71: runtime error: index 65 out of bounds for type 'VVC_RefPicList [64]'
    

**POC**

poc\_bof.zip

**Impact**

Potentially causing DoS and RCE

**Credit**

xdchase

CVE-2022-47089: Buffer overflow in gf_vvc_read_sps_bs_internal function of media_tools/av_parsers.c · Issue #2338 · gpac/gpac

GPAC MP4box 2.1-DEV-rev574-g9d5bb184b is vulnerable to heap use-after-free via filters/dmx_m2ts.c:470 in m2tsdmx_declare_pid

Thanks for reporting your issue. Please make sure these boxes are checked before submitting your issue - thank you!

*   I looked for a similar issue and couldn't find any.
*   I tried with the latest version of GPAC. Installers available at http://gpac.io/downloads/gpac-nightly-builds/
*   I give enough information for contributors to reproduce my issue (meaningful title, github labels, platform and compiler, command-line ...). I can share files anonymously with this dropbox: https://www.mediafire.com/filedrop/filedrop\_hosted.php?drop=eec9e058a9486fe4e99c33021481d9e1826ca9dbc242a6cfaab0fe95da5e5d95

Detailed guidelines: http://gpac.io/2013/07/16/how-to-file-a-bug-properly/

**Description**

heap-use-after-free filters/dmx\_m2ts.c:470 in m2tsdmx\_declare\_pid

**Version info**

    MP4Box - GPAC version 2.1-DEV-rev574-g9d5bb184b-master
    (c) 2000-2022 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
    
    Please cite our work in your research:
    	GPAC Filters: https://doi.org/10.1145/3339825.3394929
    	GPAC: https://doi.org/10.1145/1291233.1291452
    
    GPAC Configuration: --enable-sanitizer
    Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SSL GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_LINUX_DVB  GPAC_DISABLE_3D
    

**Reproduce**

compile and run

    ./configure --enable-sanitizer
    make
    ./MP4Box import -add poc_uaf.avi
    

**Crash reported by sanitizer**

    Broken PAT found reserved PID 0, ignoring
    Broken PAT found reserved PID 0, ignoring
    Broken PAT found reserved PID 0, ignoring
    Broken PAT found reserved PID 0, ignoring
    Broken PAT found reserved PID 0, ignoring
    [MPEG-2 TS] PID 1863: Bad Adaptation Descriptor found (tag 100) size is 100 but only 93 bytes available
    stream type DSM CC user private sections on pid 32 
    [MPEG-2 TS] Invalid PMT es descriptor size for PID 32
    [MPEG-2 TS] Invalid PMT es descriptor size for PID 5364
    Broken PAT found reserved PID 0, ignoring
    Broken PAT found reserved PID 0, ignoring
    Broken PAT found reserved PID 0, ignoring
    Broken PAT found reserved PID 0, ignoring
    Broken PAT found reserved PID 0, ignoring
    [MPEG-2 TS] PID 1863: Bad Adaptation Descriptor found (tag 100) size is 100 but only 93 bytes available
    stream type DSM CC user private sections on pid 32 
    [MPEG-2 TS] Invalid PMT es descriptor size for PID 32
    [MPEG-2 TS] Invalid PMT es descriptor size for PID 5364
    =================================================================
    ==583780==ERROR: AddressSanitizer: heap-use-after-free on address 0x607000004548 at pc 0x7fa6cb05f685 bp 0x7ffc93e21020 sp 0x7ffc93e21010
    READ of size 8 at 0x607000004548 thread T0
        #0 0x7fa6cb05f684 in m2tsdmx_declare_pid filters/dmx_m2ts.c:470
        #1 0x7fa6cb05f98a in m2tsdmx_setup_program filters/dmx_m2ts.c:592
        #2 0x7fa6cb06245b in m2tsdmx_on_event filters/dmx_m2ts.c:876
        #3 0x7fa6ca9507d4 in gf_m2ts_process_pmt media_tools/mpegts.c:1779
        #4 0x7fa6ca9507d4 in gf_m2ts_process_pmt media_tools/mpegts.c:1132
        #5 0x7fa6ca9439b6 in gf_m2ts_section_complete media_tools/mpegts.c:624
        #6 0x7fa6ca9452af in gf_m2ts_gather_section media_tools/mpegts.c:755
        #7 0x7fa6ca94a532 in gf_m2ts_process_packet media_tools/mpegts.c:2721
        #8 0x7fa6ca94dd68 in gf_m2ts_process_data media_tools/mpegts.c:2813
        #9 0x7fa6cb05a250 in m2tsdmx_process filters/dmx_m2ts.c:1420
        #10 0x7fa6caf29bcc in gf_filter_process_task filter_core/filter.c:2750
        #11 0x7fa6caee9af3 in gf_fs_thread_proc filter_core/filter_session.c:1859
        #12 0x7fa6caef63ee in gf_fs_run filter_core/filter_session.c:2120
        #13 0x7fa6ca938fd1 in gf_media_import media_tools/media_import.c:1551
        #14 0x55f87208daec in import_file /home/sumuchuan/Desktop/gpac_fuzz/gpac/applications/mp4box/fileimport.c:1498
        #15 0x55f8720423db in do_add_cat /home/sumuchuan/Desktop/gpac_fuzz/gpac/applications/mp4box/mp4box.c:4508
        #16 0x55f8720423db in mp4box_main /home/sumuchuan/Desktop/gpac_fuzz/gpac/applications/mp4box/mp4box.c:6124
        #17 0x7fa6c7ec3d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
        #18 0x7fa6c7ec3e3f in __libc_start_main_impl ../csu/libc-start.c:392
        #19 0x55f87201ecb4 in _start (/home/sumuchuan/Desktop/gpac_fuzz/gpac/bin/gcc/MP4Box+0xabcb4)
    
    0x607000004548 is located 8 bytes inside of 80-byte region [0x607000004540,0x607000004590)
    freed by thread T0 here:
        #0 0x7fa6cda1ec18 in __interceptor_realloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:164
        #1 0x7fa6ca0aff20 in realloc_chain utils/list.c:621
        #2 0x7fa6ca0aff20 in gf_list_add utils/list.c:630
        #3 0x7fa6caed06d0 in gf_props_set_property filter_core/filter_props.c:1098
        #4 0x7fa6cae8a35d in gf_filter_pid_set_property_full filter_core/filter_pid.c:5411
        #5 0x7fa6cae8a35d in gf_filter_pid_set_property filter_core/filter_pid.c:5418
        #6 0x7fa6cb05c6b3 in m2tsdmx_declare_pid filters/dmx_m2ts.c:454
        #7 0x7fa6cb05f98a in m2tsdmx_setup_program filters/dmx_m2ts.c:592
        #8 0x7fa6cb06245b in m2tsdmx_on_event filters/dmx_m2ts.c:876
        #9 0x7fa6ca9507d4 in gf_m2ts_process_pmt media_tools/mpegts.c:1779
        #10 0x7fa6ca9507d4 in gf_m2ts_process_pmt media_tools/mpegts.c:1132
        #11 0x7fa6ca9439b6 in gf_m2ts_section_complete media_tools/mpegts.c:624
        #12 0x7fa6ca9452af in gf_m2ts_gather_section media_tools/mpegts.c:755
        #13 0x7fa6ca94a532 in gf_m2ts_process_packet media_tools/mpegts.c:2721
        #14 0x7fa6ca94dd68 in gf_m2ts_process_data media_tools/mpegts.c:2813
        #15 0x7fa6cb05a250 in m2tsdmx_process filters/dmx_m2ts.c:1420
        #16 0x7fa6caf29bcc in gf_filter_process_task filter_core/filter.c:2750
        #17 0x7fa6caee9af3 in gf_fs_thread_proc filter_core/filter_session.c:1859
        #18 0x7fa6caef63ee in gf_fs_run filter_core/filter_session.c:2120
        #19 0x7fa6ca938fd1 in gf_media_import media_tools/media_import.c:1551
        #20 0x55f87208daec in import_file /home/sumuchuan/Desktop/gpac_fuzz/gpac/applications/mp4box/fileimport.c:1498
        #21 0x55f8720423db in do_add_cat /home/sumuchuan/Desktop/gpac_fuzz/gpac/applications/mp4box/mp4box.c:4508
        #22 0x55f8720423db in mp4box_main /home/sumuchuan/Desktop/gpac_fuzz/gpac/applications/mp4box/mp4box.c:6124
        #23 0x7fa6c7ec3d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    
    previously allocated by thread T0 here:
        #0 0x7fa6cda1ec18 in __interceptor_realloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:164
        #1 0x7fa6ca0aff20 in realloc_chain utils/list.c:621
        #2 0x7fa6ca0aff20 in gf_list_add utils/list.c:630
        #3 0x7fa6caed0d5f in gf_props_merge_property filter_core/filter_props.c:1199
        #4 0x7fa6cae9661b in gf_filter_pid_new filter_core/filter_pid.c:5258
        #5 0x7fa6cb05adf9 in m2tsdmx_declare_pid filters/dmx_m2ts.c:411
        #6 0x7fa6cb05f98a in m2tsdmx_setup_program filters/dmx_m2ts.c:592
        #7 0x7fa6cb06245b in m2tsdmx_on_event filters/dmx_m2ts.c:876
        #8 0x7fa6ca9507d4 in gf_m2ts_process_pmt media_tools/mpegts.c:1779
        #9 0x7fa6ca9507d4 in gf_m2ts_process_pmt media_tools/mpegts.c:1132
        #10 0x7fa6ca9439b6 in gf_m2ts_section_complete media_tools/mpegts.c:624
        #11 0x7fa6ca9452af in gf_m2ts_gather_section media_tools/mpegts.c:755
        #12 0x7fa6ca94a532 in gf_m2ts_process_packet media_tools/mpegts.c:2721
        #13 0x7fa6ca94dd68 in gf_m2ts_process_data media_tools/mpegts.c:2813
        #14 0x7fa6cb05a250 in m2tsdmx_process filters/dmx_m2ts.c:1420
        #15 0x7fa6caf29bcc in gf_filter_process_task filter_core/filter.c:2750
        #16 0x7fa6caee9af3 in gf_fs_thread_proc filter_core/filter_session.c:1859
        #17 0x7fa6caef63ee in gf_fs_run filter_core/filter_session.c:2120
        #18 0x7fa6ca938fd1 in gf_media_import media_tools/media_import.c:1551
        #19 0x55f87208daec in import_file /home/sumuchuan/Desktop/gpac_fuzz/gpac/applications/mp4box/fileimport.c:1498
        #20 0x55f8720423db in do_add_cat /home/sumuchuan/Desktop/gpac_fuzz/gpac/applications/mp4box/mp4box.c:4508
        #21 0x55f8720423db in mp4box_main /home/sumuchuan/Desktop/gpac_fuzz/gpac/applications/mp4box/mp4box.c:6124
        #22 0x7fa6c7ec3d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    
    SUMMARY: AddressSanitizer: heap-use-after-free filters/dmx_m2ts.c:470 in m2tsdmx_declare_pid
    Shadow bytes around the buggy address:
      0x0c0e7fff8850: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 fa fa
      0x0c0e7fff8860: fa fa 00 00 00 00 00 00 00 00 00 00 fa fa fa fa
      0x0c0e7fff8870: 00 00 00 00 00 00 00 00 00 00 fa fa fa fa 00 00
      0x0c0e7fff8880: 00 00 00 00 00 00 00 00 fa fa fa fa 00 00 00 00
      0x0c0e7fff8890: 00 00 00 00 00 00 fa fa fa fa 00 00 00 00 00 00
    =>0x0c0e7fff88a0: 00 00 00 00 fa fa fa fa fd[fd]fd fd fd fd fd fd
      0x0c0e7fff88b0: fd fd fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c0e7fff88c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c0e7fff88d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c0e7fff88e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c0e7fff88f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==583780==ABORTING
    

**POC**

poc\_uaf.zip

**Impact**

Potentially causing DoS and RCE

**Credit**

Xdchase

CVE-2022-47093: heap-use-after-free filters/dmx_m2ts.c:470 in m2tsdmx_declare_pid · Issue #2344 · gpac/gpac

GPAC MP4box 2.1-DEV-rev574-g9d5bb184b has a Buffer overflow in gf_vvc_read_pps_bs_internal function of media_tools/av_parsers.c

Thanks for reporting your issue. Please make sure these boxes are checked before submitting your issue - thank you!

*   I looked for a similar issue and couldn't find any.
*   I tried with the latest version of GPAC. Installers available at http://gpac.io/downloads/gpac-nightly-builds/
*   I give enough information for contributors to reproduce my issue (meaningful title, github labels, platform and compiler, command-line ...). I can share files anonymously with this dropbox: https://www.mediafire.com/filedrop/filedrop\_hosted.php?drop=eec9e058a9486fe4e99c33021481d9e1826ca9dbc242a6cfaab0fe95da5e5d95

Detailed guidelines: http://gpac.io/2013/07/16/how-to-file-a-bug-properly/

**Description**

buffer overflow in gf\_vvc\_read\_pps\_bs\_internal function of media\_tools/av\_parsers.c

while (nb\_ctb\_left >= uni\_size\_ctb) {
	nb\_ctb\_left -= uni\_size\_ctb;
	pps->tile\_rows\_height\_ctb\[pps->num\_tile\_rows\] = uni\_size\_ctb; // when pps->num\_tile\_rows == 32, overflow at pps->tile\_rows\_height\_ctb
	pps->num\_tile\_rows++;
}

**Version info**

    MP4Box - GPAC version 2.1-DEV-rev574-g9d5bb184b-master
    (c) 2000-2022 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
    
    Please cite our work in your research:
    	GPAC Filters: https://doi.org/10.1145/3339825.3394929
    	GPAC: https://doi.org/10.1145/1291233.1291452
    
    GPAC Configuration: --enable-sanitizer
    Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SSL GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_LINUX_DVB  GPAC_DISABLE_3D
    

**Reproduce**

compile and run

    ./configure --enable-sanitizer
    make
    ./MP4Box import -add poc_bof2.mp4
    

Crash reported by sanitizer

    [Core] exp-golomb read failed, not enough bits in bitstream !
    [VVC] Warning: Error parsing NAL unit
    media_tools/av_parsers.c:10985:29: runtime error: index 33 out of bounds for type 'u32 [33]'
    

**POC**

poc\_bof2.zip

**Impact**

Potentially causing DoS and RCE

**Credit**

Xdchase

CVE-2022-47087: Buffer overflow in gf_vvc_read_pps_bs_internal function of media_tools/av_parsers.c · Issue #2339 · gpac/gpac

GPAC MP4Box v2.1-DEV-rev574-g9d5bb184b contains a segmentation violation via the function gf_sm_load_init_swf at scene_manager/swf_parse.c

Thanks for reporting your issue. Please make sure these boxes are checked before submitting your issue - thank you!

*   I looked for a similar issue and couldn't find any.
*   I tried with the latest version of GPAC. Installers available at http://gpac.io/downloads/gpac-nightly-builds/
*   I give enough information for contributors to reproduce my issue (meaningful title, github labels, platform and compiler, command-line ...). I can share files anonymously with this dropbox: https://www.mediafire.com/filedrop/filedrop\_hosted.php?drop=eec9e058a9486fe4e99c33021481d9e1826ca9dbc242a6cfaab0fe95da5e5d95

Detailed guidelines: http://gpac.io/2013/07/16/how-to-file-a-bug-properly/

**Description**

Forget to check the return value of gf_swf_read_header in gf\_sm\_load\_init\_swf. gf_swf_read_header should fall fast if error is detected.

gf\_swf\_read\_header(read);
load->ctx->scene\_width = FIX2INT(read->width);
load->ctx->scene\_height = FIX2INT(read->height);
load->ctx->is\_pixel\_metrics = 1;

**Verison info**

    MP4Box - GPAC version 2.1-DEV-rev574-g9d5bb184b-master
    (c) 2000-2022 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
    
    Please cite our work in your research:
    	GPAC Filters: https://doi.org/10.1145/3339825.3394929
    	GPAC: https://doi.org/10.1145/1291233.1291452
    
    GPAC Configuration: --enable-sanitizer
    Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SSL GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_LINUX_DVB  GPAC_DISABLE_3D
    

**Reproduce**

compile with

    ./configure --enable-sanitizer
    make
    

run with poc.swf (in attachment)

    ./MP4Box import -add poc.swf
    

crash triggered

    [TXTLoad] Unknown text format for poc.swf
    Failed to connect filter fin PID poc.swf to filter txtin: Feature Not Supported
    Blacklisting txtin as output from fin and retrying connections
    AddressSanitizer:DEADLYSIGNAL
    =================================================================
    ==215517==ERROR: AddressSanitizer: SEGV on unknown address 0x615100000035 (pc 0x7f022cad9afb bp 0x7ffdc954ed70 sp 0x7ffdc954dc40 T0)
    ==215517==The signal is caused by a READ memory access.
        #0 0x7f022cad9afb in gf_sm_load_init_swf scene_manager/swf_parse.c:2667
        #1 0x7f022ca5125f in gf_sm_load_init scene_manager/scene_manager.c:692
        #2 0x7f022d169cea in ctxload_process filters/load_bt_xmt.c:476
        #3 0x7f022cecfbcc in gf_filter_process_task filter_core/filter.c:2750
        #4 0x7f022ce8faf3 in gf_fs_thread_proc filter_core/filter_session.c:1859
        #5 0x7f022ce9c3ee in gf_fs_run filter_core/filter_session.c:2120
        #6 0x7f022c8defd1 in gf_media_import media_tools/media_import.c:1551
        #7 0x56297ebccaec in import_file /home/sumuchuan/Desktop/gpac_fuzz/gpac/applications/mp4box/fileimport.c:1498
        #8 0x56297eb813db in do_add_cat /home/sumuchuan/Desktop/gpac_fuzz/gpac/applications/mp4box/mp4box.c:4508
        #9 0x56297eb813db in mp4box_main /home/sumuchuan/Desktop/gpac_fuzz/gpac/applications/mp4box/mp4box.c:6124
        #10 0x7f0229e69d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
        #11 0x7f0229e69e3f in __libc_start_main_impl ../csu/libc-start.c:392
        #12 0x56297eb5dcb4 in _start (/home/sumuchuan/Desktop/gpac_fuzz/gpac/bin/gcc/MP4Box+0xabcb4)
    
    AddressSanitizer can not provide additional info.
    SUMMARY: AddressSanitizer: SEGV scene_manager/swf_parse.c:2667 in gf_sm_load_init_swf
    ==215517==ABORTING
    

**Gdb**

    Program received signal SIGSEGV, Segmentation fault.
    0x00007f2d4fe54afb in gf_sm_load_init_swf (load=load@entry=0x6110000084f0) at scene_manager/swf_parse.c:2667
    2667		load->ctx->scene_width = FIX2INT(read->width);
    LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
    ───────────────────────────────────────────────────────────────────────[ REGISTERS / show-flags off / show-compact-regs off ]────────────────────────────────────────────────────────────────────────
    *RAX  0x611000008508 —▸ 0x604000002a90 —▸ 0x616000001280 ◂— 0x0
     RBX  0xfffecf4d70a ◂— 0x0
     RCX  0xfffecf4d6ea ◂— 0x0
     RDX  0x0
    *RDI  0x615100000035 ◂— 0x0
     RSI  0x0
    *R8   0x611000008528 ◂— 0xa9
     R9   0x610000000bd0 —▸ 0x200000002 ◂— 0x0
     R10  0x610000000bd4 —▸ 0x20000000002 ◂— 0x0
     R11  0x610000000bd0 —▸ 0x200000002 ◂— 0x0
     R12  0x6110000084f0 ◂— 9 /* '\t' */
    *R13  0x6150fffffffd ◂— 0x0
    *R14  0x615000013e4c —▸ 0xb40000000a9 ◂— 0x0
    *R15  0x611000008508 —▸ 0x604000002a90 —▸ 0x616000001280 ◂— 0x0
    *RBP  0x7fff67a6c940 —▸ 0x7fff67a6ca60 —▸ 0x7fff67a6dd60 —▸ 0x7fff67a6ddf0 —▸ 0x7fff67a6def0 ◂— ...
    *RSP  0x7fff67a6b810 ◂— 0xf4dc4ae
    *RIP  0x7f2d4fe54afb (gf_sm_load_init_swf+747) ◂— cvttss2si ecx, dword ptr [r13 + 0x38]
    ────────────────────────────────────────────────────────────────────────────────[ DISASM / x86-64 / set emulate on ]─────────────────────────────────────────────────────────────────────────────────
     ► 0x7f2d4fe54afb <gf_sm_load_init_swf+747>    cvttss2si ecx, dword ptr [r13 + 0x38]
       0x7f2d4fe54b01 <gf_sm_load_init_swf+753>    shr    rax, 3
       0x7f2d4fe54b05 <gf_sm_load_init_swf+757>    cmp    byte ptr [rax + 0x7fff8000], 0
       0x7f2d4fe54b0c <gf_sm_load_init_swf+764>    jne    gf_sm_load_init_swf+2550                <gf_sm_load_init_swf+2550>
     
       0x7f2d4fe54b12 <gf_sm_load_init_swf+770>    mov    rsi, qword ptr [r12 + 0x18]
       0x7f2d4fe54b17 <gf_sm_load_init_swf+775>    test   rsi, rsi
       0x7f2d4fe54b1a <gf_sm_load_init_swf+778>    je     gf_sm_load_init_swf+2570                <gf_sm_load_init_swf+2570>
     
       0x7f2d4fe54b20 <gf_sm_load_init_swf+784>    test   sil, 7
       0x7f2d4fe54b24 <gf_sm_load_init_swf+788>    jne    gf_sm_load_init_swf+2570                <gf_sm_load_init_swf+2570>
     
       0x7f2d4fe54b2a <gf_sm_load_init_swf+794>    lea    rdx, [rsi + 0x18]
       0x7f2d4fe54b2e <gf_sm_load_init_swf+798>    cmp    rsi, -0x18
    ──────────────────────────────────────────────────────────────────────────────────────────[ SOURCE (CODE) ]──────────────────────────────────────────────────────────────────────────────────────────
    In file: /home/sumuchuan/Desktop/gpac_fuzz/gpac/src/scene_manager/swf_parse.c
       2662         read->flags = load->swf_import_flags;
       2663         read->flat_limit = FLT2FIX(load->swf_flatten_limit);
       2664         load->loader_priv = read;
       2665 
       2666         gf_swf_read_header(read);
     ► 2667         load->ctx->scene_width = FIX2INT(read->width);
       2668         load->ctx->scene_height = FIX2INT(read->height);
       2669         load->ctx->is_pixel_metrics = 1;
       2670 
       2671         if (!(load->swf_import_flags & GF_SM_SWF_SPLIT_TIMELINE) ) {
       2672                 swf_report(read, GF_OK, "ActionScript disabled");
    ──────────────────────────────────────────────────────────────────────────────────────────────[ STACK ]──────────────────────────────────────────────────────────────────────────────────────────────
    00:0000│ rsp 0x7fff67a6b810 ◂— 0xf4dc4ae
    01:0008│     0x7fff67a6b818 —▸ 0x7fff67a6c910 —▸ 0x7fff67a6c9b0 —▸ 0x60e000667773 ◂— 0x0
    02:0010│     0x7fff67a6b820 —▸ 0x61100000852c —▸ 0x2b000000000 ◂— 0x0
    03:0018│     0x7fff67a6b828 —▸ 0x611000008528 ◂— 0xa9
    04:0020│     0x7fff67a6b830 —▸ 0x7fff67a6b850 ◂— 0x41b58ab3
    05:0028│     0x7fff67a6b838 —▸ 0x611000008530 —▸ 0x6020000002b0 ◂— '/tmp/gpac_cache'
    06:0030│     0x7fff67a6b840 —▸ 0x611000008548 —▸ 0x615000013e00 —▸ 0x6110000084f0 ◂— 9 /* '\t' */
    07:0038│     0x7fff67a6b848 —▸ 0x7fff67a6b850 ◂— 0x41b58ab3
    ────────────────────────────────────────────────────────────────────────────────────────────[ BACKTRACE ]────────────────────────────────────────────────────────────────────────────────────────────
     ► f 0   0x7f2d4fe54afb gf_sm_load_init_swf+747
       f 1   0x7f2d4fdcc260 gf_sm_load_init+896
       f 2   0x7f2d504e4ceb ctxload_process+2283
       f 3   0x7f2d5024abcd gf_filter_process_task+3181
       f 4   0x7f2d5020aaf4 gf_fs_thread_proc+2244
       f 5   0x7f2d502173ef gf_fs_run+447
       f 6   0x7f2d4fc59fd2 gf_media_import+16210
       f 7   0x565119c9faed import_file+15133
    ─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
    
    

**Backtrace**

    pwndbg> bt
    #0  0x00007f2d4fe54afb in gf_sm_load_init_swf (load=load@entry=0x6110000084f0) at scene_manager/swf_parse.c:2667
    #1  0x00007f2d4fdcc260 in gf_sm_load_init (load=load@entry=0x6110000084f0) at scene_manager/scene_manager.c:692
    #2  0x00007f2d504e4ceb in ctxload_process (filter=<optimized out>) at filters/load_bt_xmt.c:476
    #3  0x00007f2d5024abcd in gf_filter_process_task (task=0x607000001520) at filter_core/filter.c:2750
    #4  0x00007f2d5020aaf4 in gf_fs_thread_proc (sess_thread=sess_thread@entry=0x616000000410) at filter_core/filter_session.c:1859
    #5  0x00007f2d502173ef in gf_fs_run (fsess=fsess@entry=0x616000000380) at filter_core/filter_session.c:2120
    #6  0x00007f2d4fc59fd2 in gf_media_import (importer=importer@entry=0x7fff67a6ee20) at media_tools/media_import.c:1551
    #7  0x0000565119c9faed in import_file (dest=<optimized out>, inName=inName@entry=0x7fff67a832c8 "fake.swf", import_flags=0, force_fps=..., frames_per_sample=0, fsess=fsess@entry=0x0, mux_args_if_first_pass=<optimized out>, mux_sid_if_first_pass=<optimized out>, tk_idx=<optimized out>) at fileimport.c:1498
    #8  0x0000565119c543dc in do_add_cat (argv=<optimized out>, argc=<optimized out>) at mp4box.c:4508
    #9  mp4box_main (argc=<optimized out>, argv=<optimized out>) at mp4box.c:6124
    #10 0x00007f2d4d1e4d90 in __libc_start_call_main (main=main@entry=0x565119c30bc0 <main>, argc=argc@entry=4, argv=argv@entry=0x7fff67a82d98) at ../sysdeps/nptl/libc_start_call_main.h:58
    #11 0x00007f2d4d1e4e40 in __libc_start_main_impl (main=0x565119c30bc0 <main>, argc=4, argv=0x7fff67a82d98, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fff67a82d88) at ../csu/libc-start.c:392
    #12 0x0000565119c30cb5 in _start ()
    

**Credit**

xdchase

**POC**

poc-segfault.zip

CVE-2022-47086: missing check in gf_sm_load_init_swf, causing Segmentation fault · Issue #2337 · gpac/gpac

GPAC MP4box 2.1-DEV-rev574-g9d5bb184b is vulnerable to Null pointer dereference via filters/dmx_m2ts.c:343 in m2tsdmx_declare_pid

Thanks for reporting your issue. Please make sure these boxes are checked before submitting your issue - thank you!

*   I looked for a similar issue and couldn't find any.
*   I tried with the latest version of GPAC. Installers available at http://gpac.io/downloads/gpac-nightly-builds/
*   I give enough information for contributors to reproduce my issue (meaningful title, github labels, platform and compiler, command-line ...). I can share files anonymously with this dropbox: https://www.mediafire.com/filedrop/filedrop\_hosted.php?drop=eec9e058a9486fe4e99c33021481d9e1826ca9dbc242a6cfaab0fe95da5e5d95

Detailed guidelines: http://gpac.io/2013/07/16/how-to-file-a-bug-properly/

**Description**

Null pointer dereference filters/dmx\_m2ts.c:343 in m2tsdmx\_declare\_pid

**Version info**

    MP4Box - GPAC version 2.1-DEV-rev574-g9d5bb184b-master
    (c) 2000-2022 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
    
    Please cite our work in your research:
    	GPAC Filters: https://doi.org/10.1145/3339825.3394929
    	GPAC: https://doi.org/10.1145/1291233.1291452
    
    GPAC Configuration: --enable-sanitizer
    Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SSL GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_LINUX_DVB  GPAC_DISABLE_3D
    

**Reproduce**

compile and run

    ./configure --enable-sanitizer
    make
    ./MP4Box import -add poc_nderef.avi
    

**Crash reported by sanitizer**

    Broken PAT found reserved PID 0, ignoring
    Broken PAT found reserved PID 0, ignoring
    Broken PAT found reserved PID 0, ignoring
    Broken PAT found reserved PID 0, ignoring
    Broken PMT descriptor! size 54, desc size 48 but position 5
    MORE sections on pid 4144
    Broken PMT descriptor! size 54, desc size 48 but position 10
    Broken PMT descriptor! size 54, desc size 48 but position 15
    [MPEG-2 TS] PID 4144 reused across programs 8192 and 8192, not completely supported
    Broken PMT descriptor! size 54, desc size 48 but position 20
    [MPEG-2 TS] PID 4144 reused across programs 8192 and 8192, not completely supported
    MORE sections on pid 4144
    [MPEG-2 TS] PID 4144 reused across programs 8192 and 8192, not completely supported
    [MPEG-2 TS] Invalid PMT es descriptor size for PID 5859
    [MPEG-2 TS] TS Packet 3 is scrambled - not supported
    Broken PAT found reserved PID 0, ignoring
    Broken PAT found reserved PID 0, ignoring
    Broken PAT found reserved PID 0, ignoring
    Broken PAT found reserved PID 0, ignoring
    Broken PMT descriptor! size 54, desc size 48 but position 5
    MORE sections on pid 4144
    Broken PMT descriptor! size 54, desc size 48 but position 10
    Broken PMT descriptor! size 54, desc size 48 but position 15
    [MPEG-2 TS] PID 4144 reused across programs 8192 and 8192, not completely supported
    Broken PMT descriptor! size 54, desc size 48 but position 20
    [MPEG-2 TS] PID 4144 reused across programs 8192 and 8192, not completely supported
    MORE sections on pid 4144
    [MPEG-2 TS] PID 4144 reused across programs 8192 and 8192, not completely supported
    [MPEG-2 TS] Invalid PMT es descriptor size for PID 5859
    [M2TSDmx] Stream type 0x30 not supported - ignoring pid
    filters/dmx_m2ts.c:343:51: runtime error: member access within null pointer of type 'struct GF_InitialObjectDescriptor'
    

**POC**

poc\_nderef.zip

**Impact**

Potentially causing DoS and RCE

**Credit**

Xdchase

CVE-2022-47094: Null pointer dereference filters/dmx_m2ts.c:343 in m2tsdmx_declare_pid · Issue #2345 · gpac/gpac

GPAC MP4box 2.1-DEV-rev574-g9d5bb184b is vulnerable to Buffer overflow in hevc_parse_vps_extension function of media_tools/av_parsers.c

Thanks for reporting your issue. Please make sure these boxes are checked before submitting your issue - thank you!

*   I looked for a similar issue and couldn't find any.
*   I tried with the latest version of GPAC. Installers available at http://gpac.io/downloads/gpac-nightly-builds/
*   I give enough information for contributors to reproduce my issue (meaningful title, github labels, platform and compiler, command-line ...). I can share files anonymously with this dropbox: https://www.mediafire.com/filedrop/filedrop\_hosted.php?drop=eec9e058a9486fe4e99c33021481d9e1826ca9dbc242a6cfaab0fe95da5e5d95

Detailed guidelines: http://gpac.io/2013/07/16/how-to-file-a-bug-properly/

**Description**

Buffer overflow in hevc\_parse\_vps\_extension function of media\_tools/av\_parsers.c

for (i = 0; i < (num\_scalability\_types - splitting\_flag); i++) {
  dimension\_id\_len\[i\] = 1 + gf\_bs\_read\_int\_log\_idx(bs, 3, "dimension\_id\_len\_minus1", i); // overflow at dimension\_id\_len
}

**Version info**

    MP4Box - GPAC version 2.1-DEV-rev574-g9d5bb184b-master
    (c) 2000-2022 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
    
    Please cite our work in your research:
    	GPAC Filters: https://doi.org/10.1145/3339825.3394929
    	GPAC: https://doi.org/10.1145/1291233.1291452
    
    GPAC Configuration: --enable-sanitizer
    Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SSL GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_LINUX_DVB  GPAC_DISABLE_3D
    

**Reproduce**

compile and run

    ./configure --enable-sanitizer
    make
    ./MP4Box import -add poc_bof6.mp4
    

Crash reported by sanitizer

    [Core] exp-golomb read failed, not enough bits in bitstream !
    [HEVC] Warning: Error parsing NAL unit
    media_tools/av_parsers.c:7633:19: runtime error: index 16 out of bounds for type 'u8 [16]'
    

**POC**

poc\_bof6.zip

**Impact**

Potentially causing DoS and RCE

**Credit**

Xdchase

CVE-2022-47095: Buffer overflow in hevc_parse_vps_extension function of media_tools/av_parsers.c · Issue #2346 · gpac/gpac

GPAC MP4box 2.1-DEV-rev574-g9d5bb184b is vulnerable to Buffer Overflow in gf_text_process_sub function of filters/load_text.c

Thanks for reporting your issue. Please make sure these boxes are checked before submitting your issue - thank you!

*   I looked for a similar issue and couldn't find any.
*   I tried with the latest version of GPAC. Installers available at http://gpac.io/downloads/gpac-nightly-builds/
*   I give enough information for contributors to reproduce my issue (meaningful title, github labels, platform and compiler, command-line ...). I can share files anonymously with this dropbox: https://www.mediafire.com/filedrop/filedrop\_hosted.php?drop=eec9e058a9486fe4e99c33021481d9e1826ca9dbc242a6cfaab0fe95da5e5d95

Detailed guidelines: http://gpac.io/2013/07/16/how-to-file-a-bug-properly/

**Description**

Buffer overflow in gf\_text\_process\_sub function of filters/load\_text.c

while (szLine\[i+1+j\] && szLine\[i+1+j\]!='}') {
	szTime\[i\] = szLine\[i+1+j\]; // overflow at szTime
	i++;
}

**Version info**

    MP4Box - GPAC version 2.1-DEV-rev574-g9d5bb184b-master
    (c) 2000-2022 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
    
    Please cite our work in your research:
    	GPAC Filters: https://doi.org/10.1145/3339825.3394929
    	GPAC: https://doi.org/10.1145/1291233.1291452
    
    GPAC Configuration: --enable-sanitizer
    Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SSL GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_LINUX_DVB  GPAC_DISABLE_3D
    

**Reproduce**

compile and run

    ./configure --enable-sanitizer
    make
    ./MP4Box import -add poc_bof5.avi
    

Crash reported by sanitizer

    Track Importing Timed Text - Text track 400 x 60 font Serif (size 18) layer 0
    [TXTIn] Bad SUB file - expecting "{" got "{"
    [TXTIn] corrupted SUB frame (line 2) - ends (at 0 ms) before start of current frame (6 ms) - skipping
    filters/load_text.c:2569:10: runtime error: index 20 out of bounds for type 'char [20]'
    

**POC**

poc\_bof5.zip

**Impact**

Potentially causing DoS and RCE

**Credit**

Xdchase

CVE-2022-47091: Buffer overflow in gf_text_process_sub function of filters/load_text.c · Issue #2343 · gpac/gpac

A vulnerability was found in stevejagodzinski DevNewsAggregator. It has been rated as critical. Affected by this issue is the function getByName of the file php/data_access/RemoteHtmlContentDataAccess.php. The manipulation of the argument name leads to sql injection. The name of the patch is b9de907e7a8c9ca9d75295da675e58c5bf06b172. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-217484.

CVE-2014-125040

A vulnerability classified as problematic has been found in web-cyradm. This affects an unknown part of the file search.php. The manipulation of the argument searchstring leads to sql injection. It is recommended to apply a patch to fix this issue. The identifier VDB-217449 was assigned to this vulnerability.

CVE-2007-10001

A vulnerability was found in Wikimedia mediawiki-extensions-I18nTags and classified as problematic. This issue affects some unknown processing of the file I18nTags_body.php of the component Unlike Parser. The manipulation leads to cross site scripting. The attack may be initiated remotely. The name of the patch is b4bc3cbbb099eab50cf2b544cf577116f1867b94. It is recommended to apply a patch to fix this issue. The identifier VDB-217445 was assigned to this vulnerability.

@@ -9,20 +9,22 @@ public static function onParserFirstCallInit( Parser $parser ) { $parser\->setFunctionHook( 'languagename', \[ \_\_CLASS\_\_, 'languageName' \] ); }  
public static function formatNumber( $data, $params, $parser ) { public static function formatNumber( $data, $params, $parser, $frame ) { $lang = self::languageObject( $params );  
return $lang\->formatNum( $data ); $text = $lang\->formatNum( $data ); return $parser\->recursiveTagParse( $text, $frame ); }  
public static function grammar( $data, $params, $parser ) { public static function grammar( $data, $params, $parser, $frame ) { $case = isset( $params\['case'\] ) ? $params\['case'\] : ''; $lang = self::languageObject( $params );  
return $lang\->convertGrammar( $data, $case ); $text = $lang\->convertGrammar( $data, $case ); return $parser\->recursiveTagParse( $text, $frame ); }  
public static function plural( $data, $params, $parser ) { public static function plural( $data, $params, $parser, $frame ) { list( $from, $to ) = self::getRange( isset( $params\['n'\] ) ? $params\['n'\] : '' ); $args = explode( '|', $data ); $lang = self::languageObject( $params ); @@ -41,10 +43,10 @@ public static function plural( $data, $params, $parser ) { ); }  
return $s; return $parser\->recursiveTagParse( $s, $frame ); }  
public static function linktrail( $data, $params, $parser ) { public static function linktrail( $data, $params, $parser, $frame ) { $lang = self::languageObject( $params ); $regex = $lang\->linkTrail();  
@@ -60,7 +62,8 @@ public static function linktrail( $data, $params, $parser ) { } $predata = isset( $predata\[2\] ) ? $predata\[2\] : isset( $predata\[1\] ) ? $predata\[1\] : $predata\[0\];  
return "<strong>$predata$inside</strong>$data"; $text = "<strong>$predata$inside</strong>$data"; return $parser\->recursiveTagParse( $text, $frame ); }  
public static function languageName( &$parser, $code = '', $outputLanguage = '' ) {

Tag

#php