heap-buffer-overflow in function adts_dmx_process filters/reframe_adts.c in gpac/gpac

Valid

Reported on

Feb 15th 2023


Version

MP4Box - GPAC version 2.3-DEV-rev44-gbe9f8d395-master
(c) 2000-2023 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io

Please cite our work in your research:
        GPAC Filters: https://doi.org/10.1145/3339825.3394929
        GPAC: https://doi.org/10.1145/1291233.1291452

GPAC Configuration: --enable-sanitizer --verbose
Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SSL GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_PNG GPAC_HAS_LINUX_DVB  GPAC_DISABLE_3D 

Reproduce

Compile and run:

./configure --enable-sanitizer
make
./MP4Box -info poc

Information reported by the sanitizer:

➜  gcc git:(master) ✗ ./MP4Box -info ./adts_dmx_process_poc 
[ADTSDmx] Unsupported multi-block ADTS frame header - patch welcome
(the previous line is repeated 184 more times in the original output)
=================================================================
==6277==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61e00000fb8e at pc 0x7f68193a0490 bp 0x7fff943fa890 sp 0x7fff943fa038
READ of size 6134 at 0x61e00000fb8e thread T0
    #0 0x7f68193a048f in __interceptor_memcpy ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:790
    #1 0x7f6816cc2268 in memcpy /usr/include/x86_64-linux-gnu/bits/string_fortified.h:34
    #2 0x7f6816cc2268 in adts_dmx_process filters/reframe_adts.c:831
    #3 0x7f68168d612d in gf_filter_process_task filter_core/filter.c:2828
    #4 0x7f68168980c2 in gf_fs_thread_proc filter_core/filter_session.c:1859
    #5 0x7f68168a4896 in gf_fs_run filter_core/filter_session.c:2120
    #6 0x7f68162e2806 in gf_media_import media_tools/media_import.c:1228
    #7 0x5636382583b1 in convert_file_info /home/qianshuidewajueji/gpac/applications/mp4box/fileimport.c:130
    #8 0x563638227db5 in mp4box_main /home/qianshuidewajueji/gpac/applications/mp4box/mp4box.c:6302
    #9 0x7f6813579082 in __libc_start_main ../csu/libc-start.c:308
    #10 0x5636381fbcfd in _start (/home/qianshuidewajueji/gpac/bin/gcc/MP4Box+0xa3cfd)

0x61e00000fb8e is located 0 bytes to the right of 2830-byte region [0x61e00000f080,0x61e00000fb8e)
allocated by thread T0 here:
    #0 0x7f6819412c3e in __interceptor_realloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:163
    #1 0x7f6816cc2cee in adts_dmx_process filters/reframe_adts.c:606
    #2 0x7f68168d612d in gf_filter_process_task filter_core/filter.c:2828
    #3 0x7f68168980c2 in gf_fs_thread_proc filter_core/filter_session.c:1859
    #4 0x7f68168a4896 in gf_fs_run filter_core/filter_session.c:2120
    #5 0x7f68162e2806 in gf_media_import media_tools/media_import.c:1228
    #6 0x5636382583b1 in convert_file_info /home/qianshuidewajueji/gpac/applications/mp4box/fileimport.c:130
    #7 0x563638227db5 in mp4box_main /home/qianshuidewajueji/gpac/applications/mp4box/mp4box.c:6302
    #8 0x7f6813579082 in __libc_start_main ../csu/libc-start.c:308

SUMMARY: AddressSanitizer: heap-buffer-overflow ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:790 in __interceptor_memcpy
Shadow bytes around the buggy address:
  0x0c3c7fff9f20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c3c7fff9f30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c3c7fff9f40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c3c7fff9f50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c3c7fff9f60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c3c7fff9f70: 00[06]fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3c7fff9f80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3c7fff9f90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3c7fff9fa0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3c7fff9fb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3c7fff9fc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==6277==ABORTING

Git log

commit be9f8d395bbd196e3812e9cd80708f06bcc206f7 (HEAD -> master, origin/master, origin/HEAD)
Author: Aurelien David <aurelien.david@telecom-paristech.fr>
Date:   Mon Feb 13 15:42:23 2023 +0100

    mhas: check idx not oob (#2398)

commit 377ab25f3e502db2934a9cf4b54739e1c89a02ff
Author: Aurelien David <aurelien.david@telecom-paristech.fr>
Date:   Mon Feb 13 15:42:10 2023 +0100

    fix a5efec8 to cover more cases (#2397)

Credit

qianshuidewajueji@QAX src

Impact

This is capable of causing a crash through an unexpected value, or possibly code execution.
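The sanitizer report above shows memcpy reading 6134 bytes from a 2830-byte heap region that adts_dmx_process had grown with realloc, which is the signature of a copy length taken from the input rather than from the bytes actually buffered. The following C program is an added example written for this page, not GPAC's reframe_adts.c, and it does not claim to be the project's fix: it parses the public 7-byte ADTS header layout, and copies a frame only when the declared aac_frame_length fits inside the available data, deferring otherwise. The status enum, the header builder and the sample frames (one complete 17-byte frame, one 2830-byte buffer whose header declares 6134 bytes, one buffer with no syncword) are all constructed for the demonstration.

```c
/* Added example (not GPAC code): bounded ADTS frame extraction.
 * The copy happens only when the header's declared aac_frame_length
 * fits within the bytes the caller has actually buffered. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ADTS_HEADER_LEN 7          /* fixed + variable header, no CRC */
#define ADTS_HEADER_CRC_LEN 9      /* same plus 16-bit CRC when protection_absent == 0 */

enum adts_status {
    ADTS_OK = 0,          /* one complete frame payload copied to out */
    ADTS_NEED_MORE = 1,   /* header plausible, but the frame is not fully buffered yet */
    ADTS_BAD_HEADER = -1  /* no syncword, wrong layer or impossible length: resync */
};

struct adts_header {
    uint8_t  protection_absent;   /* 1: 7-byte header, 0: 9-byte header with CRC */
    uint16_t frame_length;        /* aac_frame_length: whole frame including header */
    uint8_t  num_raw_blocks;      /* number_of_raw_data_blocks_in_frame (0 = single block) */
};

static size_t adts_header_size(const struct adts_header *h)
{
    return h->protection_absent ? ADTS_HEADER_LEN : ADTS_HEADER_CRC_LEN;
}

/* Parse the ADTS header bit layout (ISO/IEC 14496-3 adts_fixed/variable_header). */
static int adts_parse_header(const uint8_t *buf, size_t avail, struct adts_header *h)
{
    if (avail < ADTS_HEADER_LEN) return ADTS_NEED_MORE;
    if (buf[0] != 0xFF || (buf[1] & 0xF0) != 0xF0) return ADTS_BAD_HEADER; /* 12-bit syncword */
    if ((buf[1] & 0x06) != 0) return ADTS_BAD_HEADER;                      /* layer must be 00 */
    h->protection_absent = buf[1] & 0x01;
    h->frame_length = (uint16_t)(((buf[3] & 0x03) << 11) | (buf[4] << 3) | (buf[5] >> 5));
    h->num_raw_blocks = buf[6] & 0x03;
    if (h->frame_length < adts_header_size(h)) return ADTS_BAD_HEADER; /* shorter than its header */
    return ADTS_OK;
}

/* Copy one frame's payload (header stripped) into out. The check before memcpy is
 * the point: frame_length comes from the file, avail from the caller, and the copy
 * may exceed neither the source buffer nor the destination. */
static int adts_extract_frame(const uint8_t *buf, size_t avail,
                              uint8_t *out, size_t out_cap, size_t *out_len)
{
    struct adts_header h;
    int rc = adts_parse_header(buf, avail, &h);
    if (rc != ADTS_OK) return rc;
    if (h.frame_length > avail) return ADTS_NEED_MORE;     /* wait for more input, do not copy */

    size_t hdr = adts_header_size(&h);
    size_t payload = h.frame_length - hdr;
    if (payload > out_cap) return ADTS_BAD_HEADER;         /* destination too small: refuse */
    memcpy(out, buf + hdr, payload);
    *out_len = payload;
    return ADTS_OK;
}

/* Constructed header for the demo: MPEG-4, layer 0, no CRC, AAC LC,
 * 44.1 kHz (sf_index 4), stereo (channel_configuration 2), VBR fullness. */
static void adts_make_header(uint8_t hdr[ADTS_HEADER_LEN], uint16_t frame_length, uint8_t num_raw_blocks)
{
    hdr[0] = 0xFF;
    hdr[1] = 0xF1;
    hdr[2] = 0x50;
    hdr[3] = (uint8_t)(0x80 | ((frame_length >> 11) & 0x03));
    hdr[4] = (uint8_t)((frame_length >> 3) & 0xFF);
    hdr[5] = (uint8_t)(((frame_length & 0x07) << 5) | 0x1F);
    hdr[6] = (uint8_t)(0xFC | (num_raw_blocks & 0x03));
}

/* A 17-byte frame that is fully buffered: 10 payload bytes come out. Returns 1 on success. */
int demo_complete_frame(void)
{
    uint8_t frame[17], out[64];
    size_t n = 0;
    adts_make_header(frame, (uint16_t)sizeof frame, 0);
    for (size_t i = ADTS_HEADER_LEN; i < sizeof frame; i++) frame[i] = (uint8_t)i;
    int rc = adts_extract_frame(frame, sizeof frame, out, sizeof out, &n);
    return rc == ADTS_OK && n == 10 && out[0] == 7 && out[9] == 16;
}

/* The shape of the report above: 2830 bytes buffered, header declaring 6134.
 * The checked extractor defers instead of reading past the buffer. Returns 1 if so. */
int demo_truncated_frame(void)
{
    static uint8_t buf[2830], out[8192];
    size_t n = 0;
    adts_make_header(buf, 6134, 0);
    return adts_extract_frame(buf, sizeof buf, out, sizeof out, &n) == ADTS_NEED_MORE;
}

/* Bytes with no syncword are rejected before any length field is trusted. Returns 1 if so. */
int demo_bad_sync(void)
{
    static const uint8_t junk[16] = { 0x00, 0x01, 0x02 };
    uint8_t out[16];
    size_t n = 0;
    return adts_extract_frame(junk, sizeof junk, out, sizeof out, &n) == ADTS_BAD_HEADER;
}

int main(void)
{
    printf("complete frame: %s\n", demo_complete_frame() ? "copied" : "FAILED");
    printf("truncated frame: %s\n", demo_truncated_frame() ? "deferred" : "FAILED");
    printf("bad sync: %s\n", demo_bad_sync() ? "rejected" : "FAILED");
    return 0;
}
```

The ADTS_NEED_MORE path is what a reframer should take when a header's declared length runs past the data it holds: keep the bytes, ask for more input, and only copy once the whole frame is present. If the stream really is truncated, the header never becomes satisfiable and the caller resyncs on the next 0xFFF syncword instead of trusting the length.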

References

https://github.com/gpac/gpac/issues/2400

Timeline

We are processing your report and will contact the gpac team within 24 hours. (a month ago)
We have contacted a member of the gpac team and are waiting to hear back. (a month ago)
gpac/gpac maintainer (a month ago): https://github.com/gpac/gpac/issues/2400
gpac/gpac maintainer validated this vulnerability. (a month ago)
qianshuidewajueji has been awarded the disclosure bounty.
The fix bounty is now up for grabs.
The researcher's credibility has increased: +7
gpac/gpac maintainer marked this as fixed in 2.3.0-DEV with commit b964fe. (a month ago)
The fix bounty has been dropped.
This vulnerability has been assigned a CVE.
gpac/gpac maintainer published this vulnerability. (a month ago)