left shift of negative value in scene_manager/swf_parse.c:213:12 in gpac/gpac
Valid
Reported on
Aug 31st 2023
Description
left shift of negative value in MP4Box
Version
$ ./bin/gcc/MP4Box -version
MP4Box - GPAC version 2.3-DEV-revrelease
(c) 2000-2023 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
Please cite our work in your research:
GPAC Filters: https://doi.org/10.1145/3339825.3394929
GPAC: https://doi.org/10.1145/1291233.1291452
GPAC Configuration: --enable-sanitizer
Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SSL GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_LINUX_DVB GPAC_DISABLE_3D
Reproduce
compile and run
./configure --enable-sanitizer
make
Proof of Concept
./bin/gcc/MP4Box -dash 1000 ./crash000173
poc_crash000369 is here.
ASAN details
information reported by sanitizer
$ ./bin/gcc/MP4Box -dash 1000 ./crash000369
SWF Import - Scene Size 29.1x-61.05 - 8448 frames @ 0 FPS
[TXTIn] swf -> svg not fully migrated, using SWF flags 0 and no flatten angle. Patch welcome
[Dasher] No template assigned, using $File$_dash$FS$$Number$
[Dasher] No bitrate property assigned to PID crash000369, computing from bitstream
[SWF Parsing] Tag UnknownTag (0x1a4) not implemented - skipping (frame 1)
[SWF Parsing] Tag UnknownTag (0x1bd) not implemented - skipping (frame 1)
[SWF Parsing] Tag UnknownTag (0x12b) not implemented - skipping (frame 1)
[SWF Parsing] Tag UnknownTag (0x80) not implemented - skipping (frame 1)
[SWF Parsing] Tag UnknownTag (0xee) not implemented - skipping (frame 1)
[SWF Parsing] Tag UnknownTag (0x1b9) not implemented - skipping (frame 1)
[SWF Parsing] Tag UnknownTag (0x2ea) not implemented - skipping (frame 1)
[SWF Parsing] Tag UnknownTag (0x1cc) not implemented - skipping (frame 1)
[SWF Parsing] Tag UnknownTag (0x295) not implemented - skipping (frame 1)
[SWF Parsing] Tag UnknownTag (0x242) not implemented - skipping (frame 1)
[SWF Parsing] Tag UnknownTag (0x1cf) not implemented - skipping (frame 1)
[SWF Parsing] Tag UnknownTag (0x10c) not implemented - skipping (frame 1)
[SWF Parsing] Tag UnknownTag (0x84) not implemented - skipping (frame 1)
[SWF Parsing] Tag UnknownTag (0x2b6) not implemented - skipping (frame 1)
[SWF Parsing] Tag UnknownTag (0x153) not implemented - skipping (frame 1)
[SWF Parsing] Tag UnknownTag (0x396) not implemented - skipping (frame 1)
[SWF Parsing] Tag UnknownTag (0x143) not implemented - skipping (frame 1)
[SWF Parsing] Tag UnknownTag (0x43) not implemented - skipping (frame 1)
[SWF Parsing] Tag UnknownTag (0x13f) not implemented - skipping (frame 1)
[SWF Parsing] Tag UnknownTag (0x2d1) not implemented - skipping (frame 1)
[SWF Parsing] Tag UnknownTag (0xdf) not implemented - skipping (frame 1)
[SWF Parsing] Tag UnknownTag (0x3be) not implemented - skipping (frame 1)
[SWF Parsing] Tag UnknownTag (0x24a) not implemented - skipping (frame 1)
[SWF Parsing] Tag UnknownTag (0x1d1) not implemented - skipping (frame 1)
[SWF Parsing] Tag UnknownTag (0x3ef) not implemented - skipping (frame 1)
[SWF Parsing] Tag UnknownTag (0x2fe) not implemented - skipping (frame 1)
[SWF Parsing] Tag UnknownTag (0x31e) not implemented - skipping (frame 1)
[SWF Parsing] Tag UnknownTag (0xdf) not implemented - skipping (frame 1)
[SWF Parsing] Tag UnknownTag (0x3d6) not implemented - skipping (frame 1)
[SWF Parsing] Tag UnknownTag (0xe9) not implemented - skipping (frame 1)
[SWF Parsing] Tag UnknownTag (0x2f7) not implemented - skipping (frame 1)
[SWF Parsing] Tag UnknownTag (0x3fd) not implemented - skipping (frame 1)
[SWF Parsing] Tag UnknownTag (0x356) not implemented - skipping (frame 1)
[SWF Parsing] Tag UnknownTag (0x19d) not implemented - skipping (frame 1)
[SWF Parsing] Tag UnknownTag (0xe9) not implemented - skipping (frame 1)
[SWF Parsing] Tag UnknownTag (0x21a) not implemented - skipping (frame 1)
[SWF Parsing] Tag UnknownTag (0x333) not implemented - skipping (frame 1)
[SWF Parsing] Tag UnknownTag (0x225) not implemented - skipping (frame 1)
[SWF Parsing] Tag UnknownTag (0x2f4) not implemented - skipping (frame 1)
[SWF Parsing] Tag DefineMorphShape (0x2e) not implemented - skipping (frame 1)
[SWF Parsing] Tag UnknownTag (0x312) not implemented - skipping (frame 1)
[SWF Parsing] Tag UnknownTag (0x150) not implemented - skipping (frame 1)
[SWF Parsing] Tag UnknownTag (0x35f) not implemented - skipping (frame 1)
[SWF Parsing] Tag UnknownTag (0x44) not implemented - skipping (frame 1)
[SWF Parsing] Tag UnknownTag (0x228) not implemented - skipping (frame 1)
[SWF Parsing] Tag ExternalFont (0x34) not implemented - skipping (frame 1)
[SWF Parsing] Tag UnknownTag (0xde) not implemented - skipping (frame 1)
[SWF Parsing] Tag UnknownTag (0x377) not implemented - skipping (frame 1)
[SWF Parsing] Tag UnknownTag (0x1b9) not implemented - skipping (frame 1)
[SWF Parsing] Tag UnknownTag (0x2b1) not implemented - skipping (frame 1)
[SWF Parsing] Tag UnknownTag (0xaa) not implemented - skipping (frame 1)
[SWF Parsing] Tag UnknownTag (0x12c) not implemented - skipping (frame 1)
[SWF Parsing] Tag UnknownTag (0x9a) not implemented - skipping (frame 1)
[SWF Parsing] Tag DefineBitsLossless (0x14) not implemented - skipping (frame 1)
[SWF Parsing] tag DoAction over-read of 664 bytes (size 8) (frame 1)
[SWF Parsing] Tag UnknownTag (0x19f) not implemented - skipping (frame 1)
[SWF Parsing] Tag UnknownTag (0x19a) not implemented - skipping (frame 1)
[SWF Parsing] Tag UnknownTag (0x140) not implemented - skipping (frame 1)
scene_manager/swf_parse.c:213:12: runtime error: left shift of negative value -45
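Added example (not gpac's code) of the pattern behind this sanitizer finding: a signed bit field is built by shifting an int that is already negative, which is undefined behaviour in C, beside a replacement that accumulates in unsigned and sign-extends afterwards. The bit reader, the SAMPLE bytes and the field widths are constructed for illustration and are not taken from the crash file.

```c
#include <stdint.h>
#include <stddef.h>

/* Minimal MSB-first bit reader over a byte buffer (assumed layout, in the style of
 * SWF bit-packed fields; not gpac's reader). Reads past the end yield 0 bits. */
typedef struct { const uint8_t *buf; size_t len; size_t bitpos; } BitReader;

unsigned read_bit(BitReader *r) {
    if (r->bitpos >= r->len * 8) return 0;
    unsigned b = (r->buf[r->bitpos / 8] >> (7 - r->bitpos % 8)) & 1u;
    r->bitpos++;
    return b;
}

/* Pattern UBSan flags: the accumulator becomes negative as soon as the sign bit is
 * read, so every following "v << 1" is a left shift of a negative value. */
int32_t read_sbits_undefined(BitReader *r, unsigned nbits) {
    if (!nbits) return 0;
    int32_t v = -(int32_t)read_bit(r);                 /* -1 when the sign bit is set */
    for (unsigned i = 1; i < nbits; i++)
        v = (v << 1) | (int32_t)read_bit(r);           /* UB whenever v < 0 */
    return v;
}

/* Defined replacement: accumulate in unsigned, then sign-extend arithmetically. */
int32_t read_sbits(BitReader *r, unsigned nbits) {
    if (!nbits || nbits > 31) return 0;                /* widths above 31 bits rejected here */
    uint32_t u = 0;
    for (unsigned i = 0; i < nbits; i++) u = (u << 1) | read_bit(r);
    uint32_t sign = UINT32_C(1) << (nbits - 1);
    if (u & sign) return -(int32_t)((sign << 1) - u);  /* u - 2^nbits, without overflow */
    return (int32_t)u;
}

/* Constructed sample: a 7-bit signed field holding -45 (0b1010011) followed by a
 * 5-bit signed field holding 13 (0b01101), packed MSB-first: 0xA6 0xD0. */
static const uint8_t SAMPLE[] = { 0xA6, 0xD0 };

/* Decode field 0 (7 bits) or field 1 (5 bits) of SAMPLE with the defined reader. */
int32_t sample_field(int which) {
    BitReader r = { SAMPLE, sizeof SAMPLE, 0 };
    int32_t first = read_sbits(&r, 7);
    int32_t second = read_sbits(&r, 5);
    return which == 0 ? first : second;
}
```

Compiling with -fsanitize=undefined and calling read_sbits_undefined on the same bytes reproduces a "left shift of negative value" report; read_sbits returns the same values without any signed shift.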
Impact
This is capable of causing crashes.
References
poc_crash000369 is here.
Occurrences
swf_parse.c L213
scene_manager/swf_parse.c:213:12: runtime error: left shift of negative value -45
We are processing your report and will contact the gpac team within 24 hours. (21 days ago)
We have contacted a member of the gpac team and are waiting to hear back. (20 days ago)
swf_parse.c#L213 has been validated.