OOB read from unchecked return in gpac/gpac

Valid

Reported on

May 29th 2023


Environment

Distributor ID: Debian
Description:    Debian GNU/Linux bookworm/sid

Version

I checked against the latest release as of 05/29/23, the current master branch at commit 4f810869b06b5d7b0cb73d166864dfb4b1e900f6.

Description

This AddressSanitizer output shows a read from the unmapped address 0x8 (the zero page), i.e. a NULL-pointer dereference, in the function dasher_configure_pid at line 1418 of dasher.c. The root cause is that the call to gf_odf_avc_cfg_read on the line just before the call to gf_list_get (line 1417 in the linked source) returns NULL when the PID's decoder configuration cannot be parsed; the "[AVC] Wrong param set size 1" message in the log comes from that failed parse. The NULL result is assigned to the variable avccfg and then dereferenced like this:

avccfg->sequenceParameterSets  

The fix is to check the return value wherever gf_odf_avc_cfg_read is called and fail the PID configuration with an error when it is NULL, or to change that function to exit cleanly with an error if the failure is fatal.

GF_AVCConfig* avccfg = gf_odf_avc_cfg_read(dsi->value.data.ptr, dsi->value.data.size);  
// The provided testcase makes gf_odf_avc_cfg_read return NULL, so avccfg is NULL here.
GF_NALUFFParam *sl = (GF_NALUFFParam *)gf_list_get(avccfg->sequenceParameterSets, 0); // the dereference that produces the ASAN report is here
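The following is an added, self-contained C illustration of the bug class and its fix; it is not gpac code. It uses a stand-in avcC-style parser (avc_cfg_read, with an illustrative AvcConfig struct rather than gpac's real GF_AVCConfig layout) that, like gf_odf_avc_cfg_read on the PoC, returns NULL for a malformed decoder configuration. It then shows the unchecked caller pattern from dasher.c beside a hardened caller that rejects both an unparseable config and a config with no SPS (the case where gf_list_get on the parameter-set list would also return NULL). The sample byte strings are constructed for this example, not taken from the PoC file.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* Stand-in for gpac's GF_AVCConfig (illustrative layout, not gpac's): only the
   fields this example needs. The real struct holds a GF_List of parameter sets. */
typedef struct {
    uint8_t nal_unit_size;    /* bytes per NALU length prefix */
    size_t sps_count;
    const uint8_t *sps;       /* points at the first SPS inside the caller's buffer */
    size_t sps_len;
} AvcConfig;

/* Stand-in for gf_odf_avc_cfg_read(): a minimal avcC parser that returns NULL
   on any malformed decoder configuration, which is what the PoC triggers. */
AvcConfig *avc_cfg_read(const uint8_t *data, size_t size) {
    /* avcC layout: version(1) profile(1) compat(1) level(1) lengthSizeMinusOne(1)
       numSPS(1, low 5 bits), then numSPS x { len(2) sps(len) } ... */
    if (!data || size < 6 || data[0] != 1) return NULL;
    AvcConfig *cfg = calloc(1, sizeof *cfg);
    if (!cfg) return NULL;
    cfg->nal_unit_size = (uint8_t)((data[4] & 0x3) + 1);
    size_t num_sps = data[5] & 0x1f, off = 6;
    for (size_t i = 0; i < num_sps; i++) {
        if (off + 2 > size) { free(cfg); return NULL; }            /* truncated length field */
        size_t len = ((size_t)data[off] << 8) | data[off + 1];
        off += 2;
        if (len == 0 || off + len > size) { free(cfg); return NULL; } /* bad param set size */
        if (i == 0) { cfg->sps = data + off; cfg->sps_len = len; }
        cfg->sps_count++;
        off += len;
    }
    return cfg;
}

/* Vulnerable pattern, mirroring dasher.c: the parser result is dereferenced
   without a NULL check. Only safe to call with a config known to parse. */
size_t first_sps_len_unchecked(const uint8_t *dsi, size_t dsi_size) {
    AvcConfig *avccfg = avc_cfg_read(dsi, dsi_size);
    size_t len = avccfg->sps_len;   /* NULL dereference on malformed dsi */
    free(avccfg);
    return len;
}

/* Hardened pattern: reject an unparseable config (-1) and a config that parsed
   but carries no SPS (-2), instead of dereferencing NULL in either case. */
int first_sps_checked(const uint8_t *dsi, size_t dsi_size,
                      const uint8_t **sps, size_t *sps_len) {
    AvcConfig *avccfg = avc_cfg_read(dsi, dsi_size);
    if (!avccfg) return -1;                                  /* malformed decoder config */
    if (avccfg->sps_count == 0) { free(avccfg); return -2; } /* no SPS to read */
    *sps = avccfg->sps;
    *sps_len = avccfg->sps_len;
    free(avccfg);
    return 0;
}

/* Constructed sample inputs (not from the report's PoC file). */
static const uint8_t good_avcc[] = { 1, 0x42, 0xC0, 0x1E, 0xFF, 0xE1,
                                     0x00, 0x03, 0x67, 0x42, 0xC0 };
/* Declares a 16-byte SPS but only 1 byte follows: the parser returns NULL. */
static const uint8_t bad_avcc[] = { 1, 0x42, 0xC0, 0x1E, 0xFF, 0xE1,
                                    0x00, 0x10, 0x67 };
/* Well-formed header with numSPS = 0: parses, but there is nothing to fetch. */
static const uint8_t no_sps_avcc[] = { 1, 0x42, 0xC0, 0x1E, 0xFF, 0xE0 };

int main(void) {
    const uint8_t *sps; size_t len;
    int rc_good = first_sps_checked(good_avcc, sizeof good_avcc, &sps, &len);
    int rc_bad  = first_sps_checked(bad_avcc, sizeof bad_avcc, &sps, &len);
    int rc_none = first_sps_checked(no_sps_avcc, sizeof no_sps_avcc, &sps, &len);
    return (rc_good == 0 && rc_bad == -1 && rc_none == -2) ? 0 : 1;
}
```

Calling first_sps_len_unchecked with bad_avcc reproduces the crash pattern from the report (a read at a small offset from NULL); the checked variant turns the same input into an error return that the caller can propagate, which is the shape of fix the report asks for at every gf_odf_avc_cfg_read call site.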

POC

./MP4Box -dash 1000 ./POC3_config4

POC File

ASAN

./bin/gcc/MP4Box -dash 1000 ../d_test_min

[BS] Attempt to overread bitstream
[Core] exp-golomb read failed, not enough bits in bitstream !
[AVC|H264] Error parsing NAL unit type 13
[Dasher] No template assigned, using $File$_dash$FS$$Number$
[Dasher] No bitrate property assigned to PID d_test_min, computing from bitstream
[Dasher] No bitrate property assigned to PID d_test_min, computing from bitstream
[AVC] Wrong param set size 1
AddressSanitizer:DEADLYSIGNAL
=================================================================
==934039==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000008 (pc 0x7ffff6de6190 bp 0x7fffffff4fb0 sp 0x7ffffffc4ae0 T0)
==934039==The signal is caused by a READ memory access.
==934039==Hint: address points to the zero page.
    #0 0x7ffff6de6190 in dasher_configure_pid /path/to/gpac/src/filters/dasher.c:1418:64
    #1 0x7ffff6cd87d5 in gf_filter_pid_configure /path/to/gpac/src/filter_core/filter_pid.c:860:6
    #2 0x7ffff6d061b3 in filter_pck_check_prop_change /path/to/gpac/src/filter_core/filter_pid.c:6157:9
    #3 0x7ffff6cdd0b8 in gf_filter_pid_get_packet /path/to/gpac/src/filter_core/filter_pid.c:6206:6
    #4 0x7ffff6e1e08a in dasher_switch_period /path/to/gpac/src/filters/dasher.c:6111:3
    #5 0x7ffff6ddf178 in dasher_process /path/to/gpac/src/filters/dasher.c:9490:6
    #6 0x7ffff6d7bae5 in gf_filter_process_task /path/to/gpac/src/filter_core/filter.c:2894:7
    #7 0x7ffff6d4830c in gf_fs_thread_proc /path/to/gpac/src/filter_core/filter_session.c:1962:3
    #8 0x7ffff6d46aff in gf_fs_run /path/to/gpac/src/filter_core/filter_session.c:2264:3
    #9 0x7ffff6607cfa in gf_dasher_process /path/to/gpac/src/media_tools/dash_segmenter.c:1236:6
    #10 0x5555556c161c in do_dash /path/to/gpac/applications/mp4box/mp4box.c:4825:15
    #11 0x5555556b2aae in mp4box_main /path/to/gpac/applications/mp4box/mp4box.c:6236:7
    #12 0x7ffff5846189 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #13 0x7ffff5846244 in __libc_start_main csu/../csu/libc-start.c:381:3
    #14 0x5555555dad50 in _start (/path/to/gpac/bin/gcc/MP4Box+0x86d50) (BuildId: 4f810869b06b5d7b0cb73d166864dfb4b1e900f6)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /path/to/gpac/src/filters/dasher.c:1418:64 in dasher_configure_pid
==934039==ABORTING

Testcase crashes:
https://github.com/gpac/gpac/blob/4b28f33967d63c1039f31efd0bcf04a35894ff67/src/filters/dasher.c#L1417-L1418
Similar code sites:
https://github.com/gpac/gpac/blob/4b28f33967d63c1039f31efd0bcf04a35894ff67/src/filters/mux_isom.c#L2561-L2565
https://github.com/gpac/gpac/blob/4b28f33967d63c1039f31efd0bcf04a35894ff67/src/filters/dec_vtb.c#L1096-L1097
https://github.com/gpac/gpac/blob/4b28f33967d63c1039f31efd0bcf04a35894ff67/src/filters/dec_mediacodec.c#L665-L666

Impact

A crafted input file makes MP4Box, or any program that runs libgpac's dasher filter on untrusted media, dereference a NULL pointer and crash (denial of service). Other call sites that use the result of gf_odf_avc_cfg_read without checking it expose the same undefined behavior.

Occurrences

The similar code sites listed above are expected to show the same behavior, since they also use the return value of gf_odf_avc_cfg_read without checking it for NULL. No testcase is provided to verify them.

We are processing your report and will contact the gpac team within 24 hours. 4 months ago
We have contacted a member of the gpac team and are waiting to hear back 4 months ago
gpac/gpac maintainer (Maintainer), 4 months ago:

https://github.com/gpac/gpac/issues/2485

gpac/gpac maintainer validated this vulnerability 4 months ago
coolkingcole has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
gpac/gpac maintainer marked this as fixed in 2.2.2 with commit 78e539 4 months ago
The fix bounty has been dropped
This vulnerability has been assigned a CVE
gpac/gpac maintainer published this vulnerability 4 months ago
mux_isom.c#L2561-L2565 has been validated