off-by-one error in function gf_text_get_utf8_line (filters/load_text.c) in gpac/gpac

Valid

Reported on

Feb 12th 2023


Version

MP4Box - GPAC version 2.3-DEV-rev40-g3602a5ded-master
(c) 2000-2023 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io

Please cite our work in your research:
        GPAC Filters: https://doi.org/10.1145/3339825.3394929
        GPAC: https://doi.org/10.1145/1291233.1291452

GPAC Configuration: --enable-sanitizer --verbose
Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SSL GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_PNG GPAC_HAS_LINUX_DVB  GPAC_DISABLE_3D 

Proof of Concept

➜  gcc git:(master) ✗ ./MP4Box -info ./gf_text_get_utf8_line_poc
filters/load_text.c:362:13: runtime error: index 2048 out of bounds for type 'char [2048]'

Reproduce

./configure --enable-sanitizer --enable-debug
make
./MP4Box -info gf_text_get_utf8_line_poc

Git Log

commit 3602a5ded4e57b0044a949f985ee3792f94a9a36 (HEAD -> master, origin/master, origin/HEAD)
Author: Aurelien David <aurelien.david@telecom-paristech.fr>
Date:   Thu Feb 9 11:24:23 2023 +0100

    mp3dmx: check truncated frames (#2391)

commit ea7395f39f601a7750d48d606e9d10ea0b7beefe
Author: Aurelien David <aurelien.david@telecom-paristech.fr>
Date:   Wed Feb 8 16:52:00 2023 +0100

    sgpd box entry: disallow null grouping_type (#2389)

commit 8db20cb634a546c536c31caac94e1f74b778b463
Author: Aurelien David <aurelien.david@telecom-paristech.fr>
Date:   Tue Feb 7 18:27:19 2023 +0100

    m2ts: check descs_size read from input to prevent overflow (#2388)

Impact

A crafted text input makes gf_text_get_utf8_line() access index 2048 of a 2048-byte char array, i.e. one element past the end, as the sanitizer output above shows. In practice this is a denial of service (crash) of MP4Box, or of any application linking libgpac that loads such files; in a build without sanitizers the one-byte overrun is silent and touches whatever lies next to the array.
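The pattern behind a sanitizer message of the form "index 2048 out of bounds for type 'char [2048]'" is a copy loop that is allowed to fill every byte of a fixed array and then stores the terminator at buf[2048]. The following is an added illustration of that bug class beside its hardened form; it is not gpac's code and does not reproduce the body of gf_text_get_utf8_line, and the 3000-byte input line is constructed here.

```c
#include <assert.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Illustrative reconstruction of the bug class, not gpac's code: a line
 * reader that copies bytes up to '\n' into a fixed 2048-byte array, the
 * array size UBSan reports for gf_text_get_utf8_line. */
#define LINE_BUF 2048

/* Buggy variant: the copy loop may stop with i == LINE_BUF, and the
 * terminator is then written at buf[LINE_BUF], one past the end.
 * To keep this demo free of real undefined behaviour the terminator
 * store is skipped when out of range; the returned index still shows
 * where an unconditional buf[i] = '\0' would have written. */
static size_t get_line_buggy(const char *src, size_t src_len, char buf[LINE_BUF])
{
    size_t i = 0;
    while (i < src_len && src[i] != '\n' && i < LINE_BUF) {
        buf[i] = src[i];
        i++;
    }
    if (i < LINE_BUF)   /* demo-only guard; the bug is an unconditional store here */
        buf[i] = '\0';
    return i;           /* 2048 for an over-long line: out of bounds for char[2048] */
}

/* Fixed variant: reserve the last byte for the terminator, so the copy
 * loop stops at LINE_BUF - 1 and buf[i] is always a valid index. */
static size_t get_line_fixed(const char *src, size_t src_len, char buf[LINE_BUF])
{
    size_t i = 0;
    while (i < src_len && src[i] != '\n' && i < LINE_BUF - 1) {
        buf[i] = src[i];
        i++;
    }
    buf[i] = '\0';
    return i;           /* at most 2047 */
}

/* Constructed input: n bytes of 'A' followed by a newline, the kind of
 * over-long line a PoC file for this bug class carries. Caller frees. */
static char *make_long_line(size_t n)
{
    char *s = malloc(n + 1);
    memset(s, 'A', n);
    s[n] = '\n';
    return s;
}

int main(void)
{
    char buf[LINE_BUF];
    char *line = make_long_line(3000);
    size_t b = get_line_buggy(line, 3001, buf);
    size_t f = get_line_fixed(line, 3001, buf);
    printf("buggy terminator index: %zu (valid indices are 0..%d)\n", b, LINE_BUF - 1);
    printf("fixed terminator index: %zu, strlen(buf) = %zu\n", f, strlen(buf));
    free(line);
    return 0;
}
```

The hardened loop bound (`i < LINE_BUF - 1`) is the whole fix: the terminator always has a reserved slot, and over-long lines are truncated instead of overrunning the array. When auditing a line reader of this shape, check the loop bound against the size of the terminator store, not just against the array size.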

References


https://github.com/gpac/gpac/issues/2397

Timeline

gpac/gpac maintainer validated this vulnerability.
qianshuidewajueji has been awarded the disclosure bounty.
gpac/gpac maintainer marked this as fixed in v2.3.0-DEV with commit 377ab2.
This vulnerability has been assigned a CVE.
gpac/gpac maintainer published this vulnerability.