heap-buffer-overflow in function avi_parse_input_file media_tools/avilib.c:2083 in gpac/gpac
Reported on
Aug 28th 2023
Description
Heap-buffer-overflow (out-of-bounds read) in MP4Box while parsing a crafted AVI file: avi_parse_input_file (media_tools/avilib.c:2083) passes a file-derived length to memcpy that exceeds the 4656-byte heap buffer allocated at media_tools/avilib.c:1944.
Version
$ ./bin/gcc/MP4Box -version
MP4Box - GPAC version 2.3-DEV-revrelease
(c) 2000-2023 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
Please cite our work in your research:
GPAC Filters: https://doi.org/10.1145/3339825.3394929
GPAC: https://doi.org/10.1145/1291233.1291452
GPAC Configuration: --enable-sanitizer
Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SSL GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_LINUX_DVB GPAC_DISABLE_3D
Reproduce
Compile with AddressSanitizer enabled and run:
./configure --enable-sanitizer
make
Proof of Concept
./bin/gcc/MP4Box -dash 1000 -out /dev/null ./crash4
The PoC file (crash4) is attached here.
ASAN
Information reported by the sanitizer:
$ ./bin/gcc/MP4Box -dash 1000 -out /dev/null ./crash4
=================================================================
==1177213==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x621000015330 at pc 0x7f22f9f75490 bp 0x7fffd30752c0 sp 0x7fffd3074a68
READ of size 1769512 at 0x621000015330 thread T0
#0 0x7f22f9f7548f in __interceptor_memcpy ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:790
#1 0x7f22f6f007c6 in memcpy /usr/include/x86_64-linux-gnu/bits/string_fortified.h:34
#2 0x7f22f6f007c6 in avi_parse_input_file media_tools/avilib.c:2083
#3 0x7f22f6f0d03d in AVI_open_input_file media_tools/avilib.c:1840
#4 0x7f22f74fcdd0 in avidmx_process filters/dmx_avi.c:490
#5 0x7f22f73da33e in gf_filter_process_task filter_core/filter.c:2971
#6 0x7f22f739966a in gf_fs_thread_proc filter_core/filter_session.c:1962
#7 0x7f22f73a6fd6 in gf_fs_run filter_core/filter_session.c:2261
#8 0x7f22f6d3ca9d in gf_dasher_process media_tools/dash_segmenter.c:1236
#9 0x55b8698dcbb6 in do_dash /home/functionmain/desktop/gpac-master-asan/applications/mp4box/mp4box.c:4825
#10 0x55b8698dcbb6 in mp4box_main /home/functionmain/desktop/gpac-master-asan/applications/mp4box/mp4box.c:6239
#11 0x7f22f3feb082 in __libc_start_main ../csu/libc-start.c:308
#12 0x55b8698b4f5d in _start (/home/functionmain/desktop/gpac-master-asan/bin/gcc/MP4Box+0xa5f5d)
0x621000015330 is located 0 bytes to the right of 4656-byte region [0x621000014100,0x621000015330)
allocated by thread T0 here:
#0 0x7f22f9fe7808 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:144
#1 0x7f22f6eff2be in avi_parse_input_file media_tools/avilib.c:1944
#2 0x7f22f6f0d03d in AVI_open_input_file media_tools/avilib.c:1840
#3 0x7f22f74fcdd0 in avidmx_process filters/dmx_avi.c:490
#4 0x7f22f73da33e in gf_filter_process_task filter_core/filter.c:2971
#5 0x7f22f739966a in gf_fs_thread_proc filter_core/filter_session.c:1962
#6 0x7f22f73a6fd6 in gf_fs_run filter_core/filter_session.c:2261
#7 0x7f22f6d3ca9d in gf_dasher_process media_tools/dash_segmenter.c:1236
#8 0x55b8698dcbb6 in do_dash /home/functionmain/desktop/gpac-master-asan/applications/mp4box/mp4box.c:4825
#9 0x55b8698dcbb6 in mp4box_main /home/functionmain/desktop/gpac-master-asan/applications/mp4box/mp4box.c:6239
#10 0x7f22f3feb082 in __libc_start_main ../csu/libc-start.c:308
SUMMARY: AddressSanitizer: heap-buffer-overflow ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:790 in __interceptor_memcpy
Shadow bytes around the buggy address:
0x0c427fffaa10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c427fffaa20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c427fffaa30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c427fffaa40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c427fffaa50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c427fffaa60: 00 00 00 00 00 00[fa]fa fa fa fa fa fa fa fa fa
0x0c427fffaa70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c427fffaa80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c427fffaa90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c427fffaaa0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c427fffaab0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==1177213==ABORTING
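The trace above has the classic shape of a length-field bug: a 4656-byte heap region is allocated from one header value, then a memcpy of 1769512 bytes is driven by a later, unvalidated value from the same file. The following is an added, constructed illustration of that bug class and its fix, not gpac's avilib code: a minimal RIFF-style chunk reader (4-byte FourCC, 4-byte little-endian size, payload) in a hypothetical unchecked form beside a hardened form that validates the declared size against both the bytes present in the file and the destination capacity before copying. The function and sample names are assumptions for the example only; the 1769512 figure is taken from the report.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* RIFF-style chunk layout as used by AVI: 4-byte FourCC, 4-byte little-endian
 * size, then `size` bytes of payload. Constructed example, not gpac's code. */
#define CHUNK_HDR 8

static uint32_t rd_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static void wr_le32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v;         p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Vulnerable pattern (hypothetical): the copy length is read straight from the
 * chunk header, so a crafted file makes memcpy read far past both the file
 * buffer and `dst`. Under ASan this produces the "READ of size N"
 * heap-buffer-overflow in __interceptor_memcpy seen in the report. */
static long copy_chunk_unchecked(const uint8_t *file, size_t file_len, size_t off,
                                 uint8_t *dst, size_t dst_len) {
    (void)file_len; (void)dst_len;              /* never consulted: the bug */
    uint32_t n = rd_le32(file + off + 4);
    memcpy(dst, file + off + CHUNK_HDR, n);
    return (long)n;
}

/* Hardened form: every untrusted length is checked against the bytes actually
 * present in the file and against the destination capacity before memcpy runs.
 * Returns -1 and copies nothing on any violation. Subtractions are ordered so
 * they cannot wrap. */
static long copy_chunk_checked(const uint8_t *file, size_t file_len, size_t off,
                               uint8_t *dst, size_t dst_len) {
    if (off > file_len || file_len - off < CHUNK_HDR)
        return -1;                               /* header itself truncated */
    uint32_t n = rd_le32(file + off + 4);
    if (n > file_len - off - CHUNK_HDR)
        return -1;                               /* payload extends past EOF */
    if (n > dst_len)
        return -1;                               /* payload larger than buffer */
    memcpy(dst, file + off + CHUNK_HDR, n);
    return (long)n;
}

/* Constructed one-chunk "data" file with a 16-byte payload and an arbitrary
 * declared size; `declared` > 16 models the crafted input. Caller frees. */
#define SAMPLE_LEN (CHUNK_HDR + 16)
static uint8_t *build_sample(uint32_t declared) {
    uint8_t *buf = malloc(SAMPLE_LEN);
    if (!buf) abort();
    memcpy(buf, "data", 4);
    wr_le32(buf + 4, declared);
    for (int i = 0; i < 16; i++) buf[CHUNK_HDR + i] = (uint8_t)('A' + i);
    return buf;
}

/* Hardened reader on a benign file: returns the 16 bytes it copied. */
long demo_benign(void) {
    uint8_t *file = build_sample(16), *dst = malloc(32);
    long r = copy_chunk_checked(file, SAMPLE_LEN, 0, dst, 32);
    free(file); free(dst);
    return r;
}

/* Hardened reader on the crafted file: the declared size is the 1769512 from
 * the ASan report while only 16 payload bytes exist, so the copy is refused. */
long demo_crafted(void) {
    uint8_t *file = build_sample(1769512u), *dst = malloc(32);
    long r = copy_chunk_checked(file, SAMPLE_LEN, 0, dst, 32);
    free(file); free(dst);
    return r;
}

int main(void) {
    uint8_t *file = build_sample(16), *dst = malloc(32);
    printf("unchecked, benign : %ld bytes\n",
           copy_chunk_unchecked(file, SAMPLE_LEN, 0, dst, 32));
    printf("checked,   benign : %ld bytes\n", demo_benign());
    printf("checked,   crafted: %ld (rejected)\n", demo_crafted());
    /* copy_chunk_unchecked on build_sample(1769512u) would read ~1.7 MB past a
     * 24-byte heap allocation; built with -fsanitize=address that reproduces
     * the report's heap-buffer-overflow shape. Deliberately not executed. */
    free(file); free(dst);
    return 0;
}
```

The check that matters is the middle one: the size field must be bounded by the bytes that remain after the chunk header, computed from the real file length rather than from another header value, since both values in an AVI file are attacker-controlled and can disagree.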
Impact
A crafted AVI file makes MP4Box read 1769512 bytes from a 4656-byte heap allocation (denial of service by crash). Because the overflow is a memcpy read, whatever lies beyond the buffer is also copied into the destination, so memory disclosure cannot be ruled out.
Occurrences
avilib.c L2083
READ of size 1769512
References
SECURITY.md
I noticed that the issue has been fixed in the latest version on github, should I close the report?
That's right, I missed this one. My bad.