Heap-based Buffer Overflow in gpac/gpac

Valid

Reported on

Jan 20th 2022


Description

When fuzzing gpac with clang 10 I found a heap overflow.

Proof of Concept

poc_gf_fprintf

Crash stack trace

aldo@vps:~/gpac/bin/gcc$ ASAN_OPTIONS=symbolize=1 ASAN_SYMBOLIZER_PATH=/usr/bin/llvm-symbolizer ./MP4Box -disox -ttxt -2 -dump-chap-ogg -dump-cover -drtp -bt -out /dev/null poc_gf_fprintf.mp4
[iso file] extra box udta found in moov, deleting
[iso file] extra box udta found in moov, deleting
[iso file] extra box udta found in moov, deleting
[iso file] extra box udta found in moov, deleting
[iso file] Unknown box type 04inf in parent minf
[iso file] Missing DataInformationBox
[iso file] Unknown box type url  in parent dinf
[iso file] Missing dref box in dinf
[iso file] Unknown top-level box type fr0000
[iso file] Unknown top-level box type 00000008
[iso file] Incomplete box 00000000 - start 1574 size 285148754
[iso file] Incomplete file while reading for dump - aborting parsing
[iso file] extra box udta found in moov, deleting
[iso file] extra box udta found in moov, deleting
[iso file] extra box udta found in moov, deleting
[iso file] extra box udta found in moov, deleting
[iso file] Unknown box type 04inf in parent minf
[iso file] Missing DataInformationBox
[iso file] Unknown box type url  in parent dinf
[iso file] Missing dref box in dinf
[iso file] Unknown top-level box type fr0000
[iso file] Unknown top-level box type 00000008
[iso file] Incomplete box 00000000 - start 1574 size 285148754
[iso file] Incomplete file while reading for dump - aborting parsing
Scene loaded - dumping root scene
=================================================================
==3204087==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020000011b9 at pc 0x00000044841b bp 0x7fffffff0280 sp 0x7ffffffefa08
READ of size 10 at 0x6020000011b9 thread T0
    #0 0x44841a in printf_common(void*, char const*, __va_list_tag*) (/home/aldo/gpac/bin/gcc/MP4Box+0x44841a)
    #1 0x7ffff5c765b9 in gf_fprintf /home/aldo/gpac/src/utils/os_file.c:1598:9
    #2 0x7ffff62b51c5 in cprt_box_dump /home/aldo/gpac/src/isomedia/box_dump.c:395:2
    #3 0x7ffff62fbec1 in gf_isom_box_dump /home/aldo/gpac/src/isomedia/box_funcs.c:2065:2
    #4 0x7ffff62b939a in gf_isom_box_array_dump /home/aldo/gpac/src/isomedia/box_dump.c:101:3
    #5 0x7ffff62b939a in udta_box_dump /home/aldo/gpac/src/isomedia/box_dump.c:918:3
    #6 0x7ffff62fbec1 in gf_isom_box_dump /home/aldo/gpac/src/isomedia/box_funcs.c:2065:2
    #7 0x7ffff62b3331 in gf_isom_box_array_dump /home/aldo/gpac/src/isomedia/box_dump.c:101:3
    #8 0x7ffff62fca3b in gf_isom_box_dump_done /home/aldo/gpac/src/isomedia/box_funcs.c:2072:3
    #9 0x7ffff62b44e6 in moov_box_dump /home/aldo/gpac/src/isomedia/box_dump.c:217:2
    #10 0x7ffff62fbec1 in gf_isom_box_dump /home/aldo/gpac/src/isomedia/box_funcs.c:2065:2
    #11 0x7ffff62b38c2 in gf_isom_dump /home/aldo/gpac/src/isomedia/box_dump.c:135:3
    #12 0x5290b3 in dump_isom_xml /home/aldo/gpac/applications/mp4box/filedump.c:1949:6
    #13 0x4ff57e in mp4boxMain /home/aldo/gpac/applications/mp4box/main.c:6166:7
    #14 0x7ffff54d40b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
    #15 0x429b7d in _start (/home/aldo/gpac/bin/gcc/MP4Box+0x429b7d)

0x6020000011b9 is located 0 bytes to the right of 9-byte region [0x6020000011b0,0x6020000011b9)
allocated by thread T0 here:
    #0 0x4a22bd in malloc (/home/aldo/gpac/bin/gcc/MP4Box+0x4a22bd)
    #1 0x7ffff6212b74 in cprt_box_read /home/aldo/gpac/src/isomedia/box_code_base.c:245:24

SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/aldo/gpac/bin/gcc/MP4Box+0x44841a) in printf_common(void*, char const*, __va_list_tag*)
Shadow bytes around the buggy address:
  0x0c047fff81e0: fa fa fd fa fa fa 05 fa fa fa fd fa fa fa 06 fa
  0x0c047fff81f0: fa fa fd fa fa fa 00 01 fa fa fd fd fa fa 00 07
  0x0c047fff8200: fa fa 07 fa fa fa fd fa fa fa 04 fa fa fa 00 02
  0x0c047fff8210: fa fa fd fa fa fa 00 07 fa fa 00 00 fa fa 00 00
  0x0c047fff8220: fa fa 00 fa fa fa fd fa fa fa 00 00 fa fa 00 00
=>0x0c047fff8230: fa fa 00 00 fa fa 00[01]fa fa 00 00 fa fa 00 00
  0x0c047fff8240: fa fa 00 00 fa fa fd fd fa fa fd fd fa fa fd fd
  0x0c047fff8250: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
  0x0c047fff8260: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
  0x0c047fff8270: fa fa fd fd fa fa 00 05 fa fa 00 00 fa fa 00 00
  0x0c047fff8280: fa fa 00 00 fa fa 00 fa fa fa 04 fa fa fa 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==3204087==ABORTING

Impact

This vulnerability is capable of...

We are processing your report and will contact the gpac team within 24 hours. 4 months ago
We have contacted a member of the gpac team and are waiting to hear back 4 months ago
gpac/gpac maintainer
4 months ago

Maintainer


Could you attach the POC please? We cannot reproduce without.

Muhammad Aldo Firmansyah modified the report
4 months ago
Muhammad
4 months ago

Researcher


Sorry I forgot to attach poc. Already add poc in the report

gpac/gpac maintainer
4 months ago

Maintainer


Thanks. Just created https://github.com/gpac/gpac/issues/2062.

gpac/gpac maintainer validated this vulnerability 4 months ago
Muhammad Aldo Firmansyah has been awarded the disclosure bounty
The fix bounty is now up for grabs
gpac/gpac maintainer confirmed that a fix has been merged on 827d84 4 months ago
The fix bounty has been dropped
to join this conversation