heap-buffer-overflow in function gf_m2ts_process_tdt_tot media_tools/mpegts.c in gpac/gpac

Valid

Reported on

Feb 9th 2023


Version

./MP4Box -version
MP4Box - GPAC version 2.3-DEV-rev40-g3602a5ded-master
(c) 2000-2023 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io

Please cite our work in your research:
        GPAC Filters: https://doi.org/10.1145/3339825.3394929
        GPAC: https://doi.org/10.1145/1291233.1291452

GPAC Configuration: --enable-sanitizer --verbose
Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SSL GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_PNG GPAC_HAS_LINUX_DVB  GPAC_DISABLE_3D

Reproduce

./configure --enable-sanitizer --enable-debug
make
./MP4Box -info gf_m2ts_process_tdt_tot

Git log

commit 3602a5ded4e57b0044a949f985ee3792f94a9a36 (HEAD -> master, origin/master, origin/HEAD)
Author: Aurelien David <aurelien.david@telecom-paristech.fr>
Date:   Thu Feb 9 11:24:23 2023 +0100

    mp3dmx: check truncated frames (#2391)

commit ea7395f39f601a7750d48d606e9d10ea0b7beefe
Author: Aurelien David <aurelien.david@telecom-paristech.fr>
Date:   Wed Feb 8 16:52:00 2023 +0100

    sgpd box entry: disallow null grouping_type (#2389)

Proof of Concept

./MP4Box -info gf_m2ts_process_tdt_tot


=================================================================
==24800==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000001b51 at pc 0x7fa11638a599 bp 0x7fff33c01ff0 sp 0x7fff33c01fe0
READ of size 1 at 0x602000001b51 thread T0
    #0 0x7fa11638a598 in gf_m2ts_process_tdt_tot media_tools/mpegts.c:952
    #1 0x7fa11638a598 in gf_m2ts_process_tdt_tot media_tools/mpegts.c:905
    #2 0x7fa11638b936 in gf_m2ts_section_complete media_tools/mpegts.c:623
    #3 0x7fa11638d619 in gf_m2ts_gather_section media_tools/mpegts.c:760
    #4 0x7fa116395c12 in gf_m2ts_process_packet media_tools/mpegts.c:2591
    #5 0x7fa1163982b9 in gf_m2ts_process_data media_tools/mpegts.c:2817
    #6 0x7fa1163a25c5 in gf_m2ts_probe_buffer media_tools/mpegts.c:3201
    #7 0x7fa116aa5fa4 in m2tsdmx_probe_data filters/dmx_m2ts.c:1438
    #8 0x7fa11696b778 in gf_filter_pid_raw_new filter_core/filter.c:4210
    #9 0x7fa116b3a2db in filein_process filters/in_file.c:492
    #10 0x7fa1169730ed in gf_filter_process_task filter_core/filter.c:2828
    #11 0x7fa116935082 in gf_fs_thread_proc filter_core/filter_session.c:1859
    #12 0x7fa116941856 in gf_fs_run filter_core/filter_session.c:2120
    #13 0x7fa11637f806 in gf_media_import media_tools/media_import.c:1228
    #14 0x562a5a4743b1 in convert_file_info /home/qianshuidewajueji/gpac/applications/mp4box/fileimport.c:130
    #15 0x562a5a443db5 in mp4box_main /home/qianshuidewajueji/gpac/applications/mp4box/mp4box.c:6302
    #16 0x7fa113617082 in __libc_start_main ../csu/libc-start.c:308
    #17 0x562a5a417cfd in _start (/home/qianshuidewajueji/gpac/bin/gcc/MP4Box+0xa3cfd)

0x602000001b51 is located 0 bytes to the right of 1-byte region [0x602000001b50,0x602000001b51)
allocated by thread T0 here:
    #0 0x7fa1194ae808 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:144
    #1 0x7fa11638b5e9 in gf_m2ts_section_complete media_tools/mpegts.c:566
    #2 0x7fa11638d619 in gf_m2ts_gather_section media_tools/mpegts.c:760
    #3 0x7fa116395c12 in gf_m2ts_process_packet media_tools/mpegts.c:2591
    #4 0x7fa1163982b9 in gf_m2ts_process_data media_tools/mpegts.c:2817
    #5 0x7fa1163a25c5 in gf_m2ts_probe_buffer media_tools/mpegts.c:3201
    #6 0x7fa116aa5fa4 in m2tsdmx_probe_data filters/dmx_m2ts.c:1438
    #7 0x7fa11696b778 in gf_filter_pid_raw_new filter_core/filter.c:4210
    #8 0x7fa116b3a2db in filein_process filters/in_file.c:492
    #9 0x7fa1169730ed in gf_filter_process_task filter_core/filter.c:2828
    #10 0x7fa116935082 in gf_fs_thread_proc filter_core/filter_session.c:1859
    #11 0x7fa116941856 in gf_fs_run filter_core/filter_session.c:2120
    #12 0x7fa11637f806 in gf_media_import media_tools/media_import.c:1228
    #13 0x562a5a4743b1 in convert_file_info /home/qianshuidewajueji/gpac/applications/mp4box/fileimport.c:130
    #14 0x562a5a443db5 in mp4box_main /home/qianshuidewajueji/gpac/applications/mp4box/mp4box.c:6302
    #15 0x7fa113617082 in __libc_start_main ../csu/libc-start.c:308

SUMMARY: AddressSanitizer: heap-buffer-overflow media_tools/mpegts.c:952 in gf_m2ts_process_tdt_tot
Shadow bytes around the buggy address:
  0x0c047fff8310: fa fa 00 00 fa fa 04 fa fa fa 04 fa fa fa 04 fa
  0x0c047fff8320: fa fa 06 fa fa fa 00 00 fa fa 00 00 fa fa 00 00
  0x0c047fff8330: fa fa 00 00 fa fa 00 00 fa fa fd fa fa fa 00 00
  0x0c047fff8340: fa fa 00 00 fa fa 04 fa fa fa 04 fa fa fa 04 fa
  0x0c047fff8350: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 03 fa
=>0x0c047fff8360: fa fa 00 00 fa fa 00 00 fa fa[01]fa fa fa 00 fa
  0x0c047fff8370: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8380: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8390: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff83a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff83b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==24800==ABORTING

Impact

This can cause crashes through an out-of-bounds read of unexpected values, and possibly code execution.
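The sanitizer output above shows a 1-byte read just past a 1-byte heap region, i.e. the TDT/TOT handler reading a fixed-size field without first checking that the section payload is long enough to hold it. The following is an added illustration written for this page, not GPAC's code and not the project's fix: a small, hypothetical parser for the part of a DVB TDT/TOT section that follows the 3-byte section header (layout as in ETSI EN 300 468: a 40-bit UTC_time, then for TOT a 4-bit reserved field, a 12-bit descriptors_loop_length and the descriptor bytes), where every read is guarded by a length check so that a truncated payload is rejected rather than over-read. The sample payloads are constructed; names such as parse_tdt_tot and tdt_tot_t are assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical DVB TDT/TOT payload parser (added example, not GPAC code).
 * Both TDT (table_id 0x70) and TOT (table_id 0x73) start with a 40-bit UTC_time:
 * a 16-bit Modified Julian Date followed by three BCD bytes (hh, mm, ss).
 * TOT then carries 4 reserved bits, a 12-bit descriptors_loop_length and that
 * many descriptor bytes; CRC_32 handling is out of scope here. */

#define TDT_TABLE_ID 0x70
#define TOT_TABLE_ID 0x73
#define UTC_TIME_LEN 5

typedef struct {
    uint16_t mjd;        /* Modified Julian Date, raw 16-bit value */
    uint8_t  hh, mm, ss; /* decoded from BCD */
    uint16_t desc_len;   /* TOT only: descriptors_loop_length */
} tdt_tot_t;

/* Decode one BCD byte; rejects nibbles above 9. */
static int bcd_to_int(uint8_t b, uint8_t *out) {
    uint8_t hi = b >> 4, lo = b & 0x0F;
    if (hi > 9 || lo > 9) return -1;
    *out = (uint8_t)(hi * 10 + lo);
    return 0;
}

/* Parse the section payload that follows the section header.
 * Returns 0 on success, -1 if the payload is too short or malformed.
 * Every access is checked against `len`, so a 1-byte payload like the one
 * that triggered the crash is refused instead of read past its end. */
int parse_tdt_tot(uint8_t table_id, const uint8_t *data, size_t len, tdt_tot_t *out) {
    size_t pos = 0;
    if (!data || !out) return -1;
    if (len < UTC_TIME_LEN) return -1;               /* UTC_time does not fit */
    out->mjd = (uint16_t)((data[0] << 8) | data[1]);
    if (bcd_to_int(data[2], &out->hh) || bcd_to_int(data[3], &out->mm) ||
        bcd_to_int(data[4], &out->ss)) return -1;
    if (out->hh > 23 || out->mm > 59 || out->ss > 59) return -1;
    pos = UTC_TIME_LEN;
    out->desc_len = 0;
    if (table_id == TDT_TABLE_ID) return 0;           /* TDT ends with UTC_time */
    if (table_id != TOT_TABLE_ID) return -1;
    if (len - pos < 2) return -1;                     /* descriptors_loop_length missing */
    out->desc_len = (uint16_t)(((data[pos] & 0x0F) << 8) | data[pos + 1]);
    pos += 2;
    if (out->desc_len > len - pos) return -1;         /* loop must fit inside payload */
    return 0;
}

/* Constructed sample TOT payload: MJD 0xE48A, 12:34:56 (BCD), empty descriptor loop. */
static const uint8_t SAMPLE_TOT[] = { 0xE4, 0x8A, 0x12, 0x34, 0x56, 0xF0, 0x00 };
/* Constructed truncated payload mirroring the crash: only one byte present. */
static const uint8_t SAMPLE_SHORT[] = { 0xE4 };

tdt_tot_t parsed; /* scratch output used by main */

int main(void) {
    if (parse_tdt_tot(TOT_TABLE_ID, SAMPLE_TOT, sizeof SAMPLE_TOT, &parsed) == 0)
        printf("TOT: MJD %u %02u:%02u:%02u, %u descriptor bytes\n",
               parsed.mjd, parsed.hh, parsed.mm, parsed.ss, parsed.desc_len);
    if (parse_tdt_tot(TOT_TABLE_ID, SAMPLE_SHORT, sizeof SAMPLE_SHORT, &parsed) != 0)
        printf("truncated payload rejected\n");
    return 0;
}
```

The design point is that the length check precedes each fixed-width read rather than being applied once to the whole section: a payload that is long enough for UTC_time but not for the TOT descriptor loop is still rejected, and an announced descriptors_loop_length larger than the remaining bytes is refused before any descriptor is touched.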

References

gpac/gpac maintainer (Maintainer), a month ago:

https://github.com/gpac/gpac/issues/2395

qianshuidewajueji (Researcher), a month ago:

@gpac/gpac Can I get a CVE for this report?

gpac/gpac maintainer (Maintainer), a month ago:

Please proceed as per the best practice. We are no security experts.

gpac/gpac maintainer validated this vulnerability a month ago
gpac/gpac maintainer marked this as fixed in v2.3.0-DEV with commit d067ab a month ago
This vulnerability has been assigned a CVE
gpac/gpac maintainer published this vulnerability a month ago