Heap OOB Read in gpac/gpac

Valid

Reported on

Oct 8th 2023


Environment

Distributor ID: Debian
Description:    Debian GNU/Linux bookworm/sid

Version

I checked against the latest release as of 10/08/23, the current master branch at commit 50c2ab06f45a3101d73d6f317e98f041809f4923.

Description

This AddressSanitizer output indicates an OOB read of heap memory. The fault occurs in the function ac3dmx_process at line 489 of src/filters/reframe_ac3.c. Because the error is an OOB read (not a write), it relates to the source side of the memcpy, i.e. the calculation of how many bytes are read from sync:

src/filters/reframe_ac3.c, line 489:

memcpy(output, sync, ctx->hdr.framesize);
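As an added example (not gpac's code and not the fix shipped in 2.2.2), the kind of bounds check that stops a header-declared frame size from driving memcpy past the end of the input buffer; the 28-byte region and the 98-byte declared size mirror the ASan report above. ac3_hdr_t, copy_frame_checked and the demo functions are hypothetical names.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical stand-in for the reframer's parsed header; only the
 * bitstream-declared frame size matters for this check. */
typedef struct { uint32_t framesize; } ac3_hdr_t;

/*
 * Copy one frame out of the input buffer only if the header-declared size
 * fits inside the bytes that remain after the sync position and inside the
 * output buffer. Returns the number of bytes copied, or 0 (copying nothing)
 * when the declared size cannot be trusted. A real reframer would then wait
 * for more input or drop the frame instead of reading past the allocation.
 */
static size_t copy_frame_checked(uint8_t *out, size_t out_cap,
                                 const uint8_t *buf, size_t buf_len,
                                 size_t sync_off, const ac3_hdr_t *hdr)
{
    if (sync_off >= buf_len) return 0;          /* sync lies outside the buffer */
    size_t remain = buf_len - sync_off;         /* bytes available after sync */
    if (hdr->framesize == 0 || hdr->framesize > remain) return 0;
    if (hdr->framesize > out_cap) return 0;
    memcpy(out, buf + sync_off, hdr->framesize);
    return hdr->framesize;
}

/* Constructed repro of the reported shape: a 28-byte region whose header
 * claims a 98-byte frame. Returns 1 if the copy was refused. */
int demo_truncated_frame(void)
{
    uint8_t region[28] = {0x0B, 0x77};          /* AC-3 sync word, then zero padding */
    uint8_t out[128];
    ac3_hdr_t hdr = { .framesize = 98 };        /* declared size exceeds the data */
    return copy_frame_checked(out, sizeof out, region, sizeof region, 0, &hdr) == 0;
}

/* Constructed well-formed case: 16 declared bytes fit after offset 8, so
 * they are copied and the first/last copied bytes are what we expect. */
size_t demo_complete_frame(void)
{
    uint8_t region[32];
    uint8_t out[32];
    for (int i = 0; i < 32; i++) region[i] = (uint8_t)i;
    ac3_hdr_t hdr = { .framesize = 16 };
    size_t n = copy_frame_checked(out, sizeof out, region, sizeof region, 8, &hdr);
    return (n == 16 && out[0] == 8 && out[15] == 23) ? n : 0;
}
```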

POC

./MP4Box -dash 1000 ./POC5_min

POC File

ASAN

[BS] Attempt to overread bitstream
[Dasher] No template assigned, using $File$_dash$FS$$Number$
=================================================================
==1037600==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60300000293c at pc 0x5555563f1b57 bp 0x7fffffff6670 sp 0x7fffffff5e40
READ of size 98 at 0x60300000293c thread T0
    #0 0x5555563f1b56 in __asan_memcpy (/path/gpac/build/bin/gcc/MP4Box+0xe9db56) (BuildId: 1b19b3f64554102b121e6b611467f4f8dd9b5747)
    #1 0x55555787b067 in ac3dmx_process /path/gpac/src/filters/reframe_ac3.c:489:4
    #2 0x555557276bc7 in gf_filter_process_task /path/gpac/src/filter_core/filter.c:2971:7
    #3 0x55555722b99e in gf_fs_thread_proc /path/gpac/src/filter_core/filter_session.c:2105:3
    #4 0x55555722985d in gf_fs_run /path/gpac/src/filter_core/filter_session.c:2405:3
    #5 0x555556dd7a39 in gf_dasher_process /path/gpac/src/media_tools/dash_segmenter.c:1236:6
    #6 0x55555646143c in do_dash /path/gpac/applications/mp4box/mp4box.c:4831:15
    #7 0x555556451064 in mp4box_main /path/gpac/applications/mp4box/mp4box.c:6245:7
    #8 0x7ffff6fe11c9 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #9 0x7ffff6fe1284 in __libc_start_main csu/../csu/libc-start.c:360:3
    #10 0x55555636f9e0 in _start (/path/gpac/build/bin/gcc/MP4Box+0xe1b9e0) (BuildId: 1b19b3f64554102b121e6b611467f4f8dd9b5747)

0x60300000293c is located 0 bytes to the right of 28-byte region [0x603000002920,0x60300000293c)
allocated by thread T0 here:
    #0 0x5555563f2c56 in __interceptor_realloc (/path/gpac/build/bin/gcc/MP4Box+0xe9ec56) (BuildId: 1b19b3f64554102b121e6b611467f4f8dd9b5747)
    #1 0x55555787a567 in ac3dmx_process /path/gpac/src/filters/reframe_ac3.c:399:22
    #2 0x555557276bc7 in gf_filter_process_task /path/gpac/src/filter_core/filter.c:2971:7
    #3 0x55555722b99e in gf_fs_thread_proc /path/gpac/src/filter_core/filter_session.c:2105:3
    #4 0x55555722985d in gf_fs_run /path/gpac/src/filter_core/filter_session.c:2405:3
    #5 0x555556dd7a39 in gf_dasher_process /path/gpac/src/media_tools/dash_segmenter.c:1236:6
    #6 0x55555646143c in do_dash /path/gpac/applications/mp4box/mp4box.c:4831:15
    #7 0x555556451064 in mp4box_main /path/gpac/applications/mp4box/mp4box.c:6245:7
    #8 0x7ffff6fe11c9 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16

SUMMARY: AddressSanitizer: heap-buffer-overflow (/path/gpac/build/bin/gcc/MP4Box+0xe9db56) (BuildId: 1b19b3f64554102b121e6b611467f4f8dd9b5747) in __asan_memcpy
Shadow bytes around the buggy address:
  0x0c067fff84d0: fd fd fd fd fa fa 00 00 01 fa fa fa fd fd fd fd
  0x0c067fff84e0: fa fa fd fd fd fa fa fa 00 00 01 fa fa fa 00 00
  0x0c067fff84f0: 01 fa fa fa 00 00 00 00 fa fa 00 00 00 00 fa fa
  0x0c067fff8500: 00 00 01 fa fa fa fd fd fd fd fa fa fd fd fd fd
  0x0c067fff8510: fa fa 00 00 01 fa fa fa 00 00 00 fa fa fa 00 00
=>0x0c067fff8520: 00 fa fa fa 00 00 00[04]fa fa 00 00 00 00 fa fa
  0x0c067fff8530: 00 00 02 fa fa fa 00 00 00 fa fa fa 00 00 01 fa
  0x0c067fff8540: fa fa 00 00 00 00 fa fa 00 00 01 fa fa fa 00 00
  0x0c067fff8550: 01 fa fa fa 00 00 05 fa fa fa 00 00 04 fa fa fa
  0x0c067fff8560: 00 00 06 fa fa fa 00 00 00 fa fa fa 00 00 00 00
  0x0c067fff8570: fa fa 00 00 02 fa fa fa 00 00 00 01 fa fa fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==1037600==ABORTING

Impact

An OOB read on the heap can cause a crash or, in some cases, information disclosure. It could be leveraged together with other vulnerabilities for a more serious impact.

We are processing your report and will contact the gpac team within 24 hours. 5 months ago
A GitHub Issue asking the maintainers to create a SECURITY.md exists 5 months ago
We have contacted a member of the gpac team and are waiting to hear back 5 months ago
gpac/gpac maintainer
5 months ago

Maintainer


In the severity, could you change "Availability" to "Low"? While it is true that the program stops, nothing prevents relaunching it.

https://github.com/gpac/gpac/issues/2627

Renzo
5 months ago

Researcher


Makes sense, will do.

Renzo modified the report
5 months ago
gpac/gpac maintainer validated this vulnerability 4 months ago
coolkingcole has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
gpac/gpac maintainer marked this as fixed in 2.2.2 with commit 5692dc 4 months ago
The fix bounty has been dropped
This vulnerability has now been published 4 months ago