Heap-based Buffer Overflow in gpac/gpac


Reported on Jan 24th 2022


Heap-based Buffer Overflow in gpac

Proof of Concept


MP4Box - GPAC version 1.1.0-DEV-rev1659-g7d3281e88-master
(c) 2000-2022 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io

Please cite our work in your research:
        GPAC Filters: https://doi.org/10.1145/3339825.3394929
        GPAC: https://doi.org/10.1145/1291233.1291452

GPAC Configuration: --prefix=/home/aidai/fuzzing/gpac

System information Ubuntu 20.04 focal, AMD EPYC 7742 64-Core @ 16x 2.25GHz


base64 poc


./MP4Box -info poc


[HEVC] Warning: Error parsing NAL unit
==3731647==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000001ef1 at pc 0x7efef1b445d6 bp 0x7ffdd2133830 sp 0x7ffdd2133828
READ of size 1 at 0x602000001ef1 thread T0
    #0 0x7efef1b445d5 in naludmx_create_hevc_decoder_config /home/aidai/fuzzing/gpac/gpac/src/filters/reframe_nalu.c:1008:44
    #1 0x7efef1b445d5 in naludmx_check_pid /home/aidai/fuzzing/gpac/gpac/src/filters/reframe_nalu.c:1581:3
    #2 0x7efef1b2dfad in naludmx_process /home/aidai/fuzzing/gpac/gpac/src/filters/reframe_nalu.c:3074:3
    #3 0x7efef15c73b2 in gf_filter_process_task /home/aidai/fuzzing/gpac/gpac/src/filter_core/filter.c:2515:7
    #4 0x7efef158b9ea in gf_fs_thread_proc /home/aidai/fuzzing/gpac/gpac/src/filter_core/filter_session.c:1756:3
    #5 0x7efef1588387 in gf_fs_run /home/aidai/fuzzing/gpac/gpac/src/filter_core/filter_session.c:2000:2
    #6 0x7efef0e36503 in gf_media_import /home/aidai/fuzzing/gpac/gpac/src/media_tools/media_import.c:1226:3
    #7 0x56561c in convert_file_info /home/aidai/fuzzing/gpac/gpac/applications/mp4box/fileimport.c:128:6
    #8 0x50f706 in mp4boxMain /home/aidai/fuzzing/gpac/gpac/applications/mp4box/main.c:6068:6
    #9 0x7efeefc050b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
    #10 0x429b8d in _start (/home/aidai/fuzzing/gpac/gpac/bin/gcc/MP4Box+0x429b8d)

0x602000001ef1 is located 0 bytes to the right of 1-byte region [0x602000001ef0,0x602000001ef1)
allocated by thread T0 here:
    #0 0x4a22cd in malloc (/home/aidai/fuzzing/gpac/gpac/bin/gcc/MP4Box+0x4a22cd)
    #1 0x7efef1b4a835 in naludmx_queue_param_set /home/aidai/fuzzing/gpac/gpac/src/filters/reframe_nalu.c:1928:13

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/aidai/fuzzing/gpac/gpac/src/filters/reframe_nalu.c:1008:44 in naludmx_create_hevc_decoder_config
We are processing your report and will contact the gpac team within 24 hours. (2 years ago)
A GitHub Issue asking the maintainers to create a SECURITY.md exists. (2 years ago)
We have contacted a member of the gpac team and are waiting to hear back. (2 years ago)
gpac/gpac maintainer validated this vulnerability (2 years ago)
aidaip has been awarded the disclosure bounty
The fix bounty is now up for grabs
gpac/gpac maintainer marked this as fixed in 1.1.0 with commit 9c7458 (2 years ago)
The fix bounty has been dropped
This vulnerability will not receive a CVE