OOB Read segfault in gpac/gpac


Reported on

May 18th 2023


Distributor ID: Debian
Description:    Debian GNU/Linux bookworm/sid
Release:    n/a
Codename:   bookworm


I checked against the latest release as of 05/18/23 the current master branch at commit a6ae93532ea5615c876c81a6580badbfa01d4383 .


This AddressSanitizer output is indicating that an out of bounds read occurred in the function gf_filter_get_stats at line 4149 in the file filter_session.c. A bit of debugging leads me to think that the loop at line line 4131 is improperly bounded since at the crash, the loop iterator i equals 0xffff4f07

for (i=0; i<f->num_input_pids; i++)  


AFL_MAP_SIZE=260000 ./MP4Box -dash 1000 ./crash_file

POC File


[Dasher] No template assigned, using $File$_dash$FS$$Number$
Failed to connect filter fin PID crash_file to filter rfmpgvid: Feature Not Supported
Blacklisting rfmpgvid as output from fin and retrying connections
[MP4Mux] muxing codecID 0 not yet implemented - patch welcome
Failed to connect filter dasher PID crash_file to filter mp4mx: Feature Not Supported
Blacklisting mp4mx as output from dasher and retrying connections
==2980979==ERROR: AddressSanitizer: SEGV on unknown address 0x00000000009c (pc 0x7ffff6d5968a bp 0x0c2600000200 sp 0x7fffffff4f90 T0)
==2980979==The signal is caused by a READ memory access.
==2980979==Hint: address points to the zero page.
    #0 0x7ffff6d5968a in gf_filter_get_stats /path/to/gpac/src/filter_core/filter_session.c:4149:32
    #1 0x7ffff660b68b in on_dasher_event /path/to/gpac/src/media_tools/dash_segmenter.c:501:8
    #2 0x7ffff6d51fc9 in gf_fs_ui_event /path/to/gpac/src/filter_core/filter_session.c:4180:8
    #3 0x7ffff6d831da in gf_filter_update_status /path/to/gpac/src/filter_core/filter.c:4738:2
    #4 0x7ffff6f74b0a in filein_process /path/to/gpac/src/filters/in_file.c:699:3
    #5 0x7ffff6d74d05 in gf_filter_process_task /path/to/gpac/src/filter_core/filter.c:2894:7
    #6 0x7ffff6d4153c in gf_fs_thread_proc /path/to/gpac/src/filter_core/filter_session.c:1962:3
    #7 0x7ffff6d3fd2f in gf_fs_run /path/to/gpac/src/filter_core/filter_session.c:2264:3
    #8 0x7ffff660245a in gf_dasher_process /path/to/gpac/src/media_tools/dash_segmenter.c:1236:6
    #9 0x5555556c15fc in do_dash /path/to/gpac/applications/mp4box/mp4box.c:4825:15
    #10 0x5555556b2a8e in mp4box_main /path/to/gpac/applications/mp4box/mp4box.c:6236:7
    #11 0x7ffff5846189 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #12 0x7ffff5846244 in __libc_start_main csu/../csu/libc-start.c:381:3
    #13 0x5555555dad30 in _start (/path/to/gpac/new_pull_2_build/bin/gcc/MP4Box+0x86d30) (BuildId: 764c86f2d59b4db3d4590a720eca33bd143620a7)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /path/to/gpac/src/filter_core/filter_session.c:4149:32 in gf_filter_get_stats


out of bounds read can cause a crash which will affect the system availability or potentially leak memory from the application.


Beginning of loop to where the crash triggers.

We are processing your report and will contact the gpac team within 24 hours. 8 days ago
We have contacted a member of the gpac team and are waiting to hear back 7 days ago
gpac/gpac maintainer
6 days ago


We've always been open to CVE reports. However due to recent discussions with Linux distribution maintainers, we need to understand high CVSS. Could you elaborate how you computed your score?

6 days ago


I think that the cvss score of this is lower, I agree. As a submission through huntr.dev you have to use a cvss calculator, the "Integrity" and "availability" in this calculator are set to high, which causes the score to be inflated in my opinion. Cvss is difficult determine with this calculator and devoid of context. I'm willing to edit the score and categories how you see fit. I think lowering the integrity score sounds reasonable. Let me know what you think.

coolkingcole modified the report
6 days ago
gpac/gpac maintainer
5 days ago

Thanks. @admin If there is anything you can do to help reporters and maintainers set appropriate CVSS, please do.

5 days ago


The CVSS is 6.1 after adjustment. If that sounds correct to you, admin and maintainer(s) can proceed.

gpac/gpac maintainer
5 days ago

Thank you for all.

Ben Harvie
3 days ago


Hi, you can update the CVSS at the resolution stage:)

gpac/gpac maintainer validated this vulnerability 3 days ago
coolkingcole has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
gpac/gpac maintainer marked this as fixed in 2.2.2 with commit c88df2 3 days ago
The fix bounty has been dropped
This vulnerability has been assigned a CVE
gpac/gpac maintainer published this vulnerability 3 days ago
to join this conversation