Stack buffer overflow in XML entity parsing in gpac/gpac

Valid

Reported on

Mar 27th 2022


Description

Attempting to parse an XML/SVG file containing an <!ENTITY declaration with a sufficiently long name causes a stack buffer overflow: the entity name is copied into a fixed-size, stack-allocated buffer without a length check.

Proof of Concept

./bin/gcc/gpac -play ./poc-clean.svg

poc-clean.svg available here

GDB

*** stack smashing detected ***: terminated
Thread 1 "gpac" received signal SIGABRT, Aborted.
0x00007ffff74b934c in __pthread_kill_implementation () from /usr/lib/libc.so.6
(gdb) bt
#0  0x00007ffff74b934c in __pthread_kill_implementation () at /usr/lib/libc.so.6
#1  0x00007ffff746c4b8 in raise () at /usr/lib/libc.so.6
#2  0x00007ffff7456534 in abort () at /usr/lib/libc.so.6
#3  0x00007ffff74ad397 in __libc_message () at /usr/lib/libc.so.6
#4  0x00007ffff754c2fa in __fortify_fail () at /usr/lib/libc.so.6
#5  0x00007ffff754c2c6 in  () at /usr/lib/libc.so.6
#6  0x00007ffff7754f5a in  () at /gpac/bin/gcc/libgpac.so.11
#7  0x00007ffff77550e8 in xml_sax_parse () at /gpac/bin/gcc/libgpac.so.11
#8  0x00007ffff775658b in xml_sax_read_file.part () at /gpac/bin/gcc/libgpac.so.11
#9  0x00007ffff7756876 in gf_xml_sax_parse_file () at /gpac/bin/gcc/libgpac.so.11
#10 0x00007ffff79ea5f6 in load_svg_run () at /gpac/bin/gcc/libgpac.so.11
#11 0x00007ffff7c20471 in svgin_process () at /gpac/bin/gcc/libgpac.so.11
#12 0x00007ffff7b4f8c5 in gf_filter_process_task () at /gpac/bin/gcc/libgpac.so.11
#13 0x00007ffff7b3cdc7 in gf_fs_thread_proc () at /gpac/bin/gcc/libgpac.so.11
#14 0x00007ffff7b41d7b in gf_fs_run () at /gpac/bin/gcc/libgpac.so.11
#15 0x0000555555563194 in gpac_main ()
#16 0x00007ffff7457310 in __libc_start_call_main () at /usr/lib/libc.so.6
#17 0x00007ffff74573c1 in __libc_start_main_impl () at /usr/lib/libc.so.6
#18 0x0000555555559dc5 in _start ()

Occurrences

There is no length check on this write to the fixed-size array "szName", so it can go out of bounds with a sufficiently long entity name.
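The bug class this report describes and the corresponding fix, as an added illustrative example written for this page (it is not gpac's code and not the patch merged in a74b68): parse_entity_unchecked reconstructs the unbounded copy of an entity name into a fixed stack buffer, and parse_entity_checked is the bounded form that rejects a name that does not fit. SZNAME_CAP, the function names and the simplified name-character rule are assumptions.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Assumed size for illustration; the page does not give gpac's real szName size. */
#define SZNAME_CAP 64

/* Simplified ASCII rule for characters allowed in an XML entity name (assumption). */
static int is_name_char(int c) { return isalnum(c) || c == '_' || c == '-' || c == '.' || c == ':'; }

/* Vulnerable pattern (reconstruction, not gpac's code): the name after "<!ENTITY" is
   copied into a fixed stack array with no bound, so a name longer than the array writes
   past szName and the stack protector aborts with "stack smashing detected". Not called here. */
int parse_entity_unchecked(const char *decl) {
    char szName[SZNAME_CAP];
    size_t i = 0; const char *p = decl + strlen("<!ENTITY");
    while (*p == ' ') p++;
    while (is_name_char((unsigned char)*p)) szName[i++] = *p++;  /* no check on i */
    szName[i] = '\0';
    return (int)i;
}

/* Hardened form: every write is bounded by the destination capacity and an over-long
   name is rejected rather than silently truncated. Returns the name length, or -1 for a
   malformed declaration or a name that does not fit (terminator included). */
int parse_entity_checked(const char *decl, char *out, size_t cap) {
    static const char kw[] = "<!ENTITY";
    size_t i = 0; const char *p;
    if (cap == 0 || strncmp(decl, kw, sizeof kw - 1) != 0) return -1;
    p = decl + sizeof kw - 1;
    while (*p == ' ') p++;
    while (is_name_char((unsigned char)*p)) {
        if (i + 1 >= cap) return -1;   /* would overflow the buffer: reject the declaration */
        out[i++] = *p++;
    }
    out[i] = '\0';
    return i == 0 ? -1 : (int)i;
}

/* Helper: builds a constructed declaration "<!ENTITY AAA... \"x\">" whose name is
   name_len bytes long (like the long name in a crafted SVG) and parses it safely. */
int entity_name_result(size_t name_len) {
    char decl[512], out[SZNAME_CAP];
    if (name_len > 400) return -2;
    memcpy(decl, "<!ENTITY ", 9);
    memset(decl + 9, 'A', name_len);
    memcpy(decl + 9 + name_len, " \"x\">", 6);
    return parse_entity_checked(decl, out, sizeof out);
}
```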

We are processing your report and will contact the gpac team within 24 hours. 2 months ago
We have contacted a member of the gpac team and are waiting to hear back 2 months ago
gpac/gpac maintainer (2 months ago):

https://github.com/gpac/gpac/issues/2154

gpac/gpac maintainer validated this vulnerability 2 months ago
Callum Thomson has been awarded the disclosure bounty
The fix bounty is now up for grabs
gpac/gpac maintainer confirmed that a fix has been merged on a74b68 2 months ago
The fix bounty has been dropped
xml_parser.c#L688 has been validated