Out of Bounds Read in scene_manager/loader_bt.c:478 in gpac/gpac

Valid

Reported on

Sep 4th 2023


Description

Out-of-bounds read in MP4Box while parsing a crafted BT/X3D scene file, reported by the sanitizer at scene_manager/loader_bt.c:478.

Version

$ ./bin/gcc/MP4Box -version
MP4Box - GPAC version 2.3-DEV-revrelease
(c) 2000-2023 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io

Please cite our work in your research:
    GPAC Filters: https://doi.org/10.1145/3339825.3394929
    GPAC: https://doi.org/10.1145/1291233.1291452

GPAC Configuration: --enable-sanitizer
Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SSL GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_LINUX_DVB  GPAC_DISABLE_3D

Reproduce

Compile with the sanitizer enabled and run:

./configure --enable-sanitizer
make

Proof of Concept

./bin/gcc/MP4Box -dash 1000 -out /dev/null ./crash000362

POC_crash000362 is here.

ASAN

Information reported by the sanitizer:

$ ./bin/gcc/MP4Box -dash 1000 ./crash000362
[Dasher] No template assigned, using $File$_dash$FS$$Number$
[Dasher] No template assigned, using $File$_dash$FS$$Number$
Failed to connect filter btplay PID crash000362 to filter dasher: Feature Not Supported
Blacklisting dasher as output from btplay and retrying connections
BT: X3D (WRL) Scene Parsing      | (70/100)
scene_manager/loader_bt.c:478:21: runtime error: index 500 out of bounds for type 'char [500]'
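The message above is UBSan's array-bounds check (enabled here through --enable-sanitizer) reporting an index equal to the array length, the classic off-by-one on a fixed-size buffer: a `char [500]` array has valid indices 0..499, so index 500 is one past its end. The following C fragment is an added illustration and is not gpac's code nor the actual logic of loader_bt.c; it shows the bounded token reader pattern such a report calls for, where the guard rejects any token that would need index 500 rather than reading or writing past the array. The names TOKEN_MAX, read_token and probe_token, and the test inputs, are constructed for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Mirrors the fixed buffer size in the sanitizer message (char [500]).
 * Everything below is illustrative and not taken from gpac. */
#define TOKEN_MAX 500

/* Copies a whitespace-delimited token from `in` into `out` (TOKEN_MAX bytes).
 * Returns the number of bytes stored, or -1 when the token would not fit.
 * The guard `i + 1 >= TOKEN_MAX` keeps both the character write and the
 * terminating NUL inside the array, so index TOKEN_MAX is never touched. */
static int read_token(const char *in, char out[TOKEN_MAX])
{
    size_t i = 0;
    while (in[i] != '\0' && in[i] != ' ' && in[i] != '\n') {
        if (i + 1 >= TOKEN_MAX)
            return -1;          /* token too long: refuse instead of overrunning */
        out[i] = in[i];
        i++;
    }
    out[i] = '\0';              /* i <= TOKEN_MAX - 1 here */
    return (int)i;
}

/* Builds a constructed input of `n` identical characters followed by a
 * delimiter and feeds it to read_token; returns read_token's result
 * (or -2 if the probe buffer could not be allocated). */
static int probe_token(size_t n)
{
    char out[TOKEN_MAX];
    char *in = malloc(n + 2);
    int r;
    if (!in)
        return -2;
    memset(in, 'a', n);
    in[n] = ' ';
    in[n + 1] = '\0';
    r = read_token(in, out);
    free(in);
    return r;
}

int main(void)
{
    /* 499 characters fit (indices 0..498 plus NUL at 499); 500 do not. */
    printf("499-char token -> %d\n", probe_token(499));
    printf("500-char token -> %d\n", probe_token(500));
    return 0;
}
```

Building this with `-fsanitize=undefined` (which includes the bounds check that produced the report above) and removing the guard reproduces the same kind of "index 500 out of bounds for type 'char [500]'" diagnostic on the 500-character input, which is a quick way to confirm that a fix actually closes the off-by-one rather than just moving it.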

Impact

This is capable of causing crashes.

References

POC_crash000362 is here.


Timeline

- We are processing your report and will contact the gpac team within 24 hours (3 months ago)
- A GitHub Issue asking the maintainers to create a SECURITY.md exists (3 months ago)
- We have contacted a member of the gpac team and are waiting to hear back (3 months ago)
- gpac/gpac maintainer commented (3 months ago): https://github.com/gpac/gpac/issues/2589
- gpac/gpac maintainer validated this vulnerability (3 months ago)
- functionmain has been awarded the disclosure bounty; the fix bounty is now up for grabs; the researcher's credibility has increased: +7
- gpac/gpac maintainer marked this as fixed in 2.3-DEV with commit d55369 (3 months ago); the fix bounty has been dropped
- This vulnerability has been assigned a CVE
- gpac/gpac maintainer published this vulnerability (3 months ago)