heap-buffer-overflow in gf_isom_box_write_header in gpac/gpac

Valid

Reported on

Nov 21st 2022
Description

heap-buffer-overflow in gf_isom_box_write_header at isomedia/box_funcs.c:408.

version info

git log
commit 68064e10172675e0853d6f429fb2055112835602 (grafted, HEAD -> master, origin/master, origin/HEAD)
Author: jeanlf <jeanlf@gpac.io>
Date:   Fri Nov 18 10:36:10 2022 +0100

    fixed build without http2 support

./MP4Box -version
MP4Box - GPAC version 2.1-DEV-revUNKNOWN-master
(c) 2000-2022 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io

Proof of Concept

./MP4Box -hint poc2_hbo
[iso file] Unknown top-level box type freN
[iso file] Unknown box type FFFFFF80 in parent schi
[iso file] Unknown box type 00000004 in parent moov
[iso file] Read Box type 00000200 (0x00000200) at position 1213 has size 0 but is not at root/file level. Forbidden, skipping end of parent box !
[iso file] Box "moov" (start 351) has 703 extra bytes
[iso file] Unknown top-level box type s7Fyp
[iso file] Box "sbgp" (start 2072) has 8 extra bytes
[iso file] Read Box type 00000000 (0x00000000) at position 2168 has size 0 but is not at root/file level. Forbidden, skipping end of parent box !
[iso file] Box "traf" (start 2028) has 458 extra bytes
[iso file] Unknown box type sdBp in parent traf
[iso file] Unknown box type shgp in parent traf
[iso file] senc box without tenc, assuming MS smooth+piff
[iso file] Box "uuid" (start 3475) has 58 extra bytes
[iso file] Box "uuid" (start 3565) has 58 extra bytes
[iso file] Read Box type 00000000 (0x00000000) at position 3655 has size 0 but is not at root/file level. Forbidden, skipping end of parent box !
[iso file] Box "trgr" (start 3467) has 233 extra bytes
Hinting track ID 1 - Type "encv:encv" (mpeg4-generic) - BW 0 kbps
Saving /home/fuzz/test/poc1_huaf: 0.500 secs Interleaving
=================================================================
==7021==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x604000000744 at pc 0x7f434982526d bp 0x7ffd16e63e00 sp 0x7ffd16e63df0
READ of size 4 at 0x604000000744 thread T0
    #0 0x7f434982526c in gf_isom_box_write_header isomedia/box_funcs.c:408
    #1 0x7f43498252bc in gf_isom_full_box_write isomedia/box_funcs.c:455
    #2 0x7f43497bfa10 in trgt_box_write isomedia/box_code_base.c:10667
    #3 0x7f43498292f4 in gf_isom_box_write_listing isomedia/box_funcs.c:1880
    #4 0x7f43498292f4 in gf_isom_box_write isomedia/box_funcs.c:1930
    #5 0x7f43498296a5 in gf_isom_box_array_write isomedia/box_funcs.c:472
    #6 0x7f43498296a5 in gf_isom_box_array_write isomedia/box_funcs.c:463
    #7 0x7f4349829337 in gf_isom_box_write isomedia/box_funcs.c:1933
    #8 0x7f43498aafda in WriteInterleaved isomedia/isom_store.c:1962
    #9 0x7f43498ac497 in WriteToFile isomedia/isom_store.c:2554
    #10 0x7f4349864af7 in gf_isom_write isomedia/isom_read.c:611
    #11 0x7f43498652e8 in gf_isom_close isomedia/isom_read.c:635
    #12 0x55ad1dde719c in mp4box_main /home/fuzz/gpac/applications/mp4box/mp4box.c:6779
    #13 0x7f4346dbc082 in __libc_start_main ../csu/libc-start.c:308
    #14 0x55ad1ddc0cbd in _start (/home/fuzz/gpac/bin/gcc/MP4Box+0xa3cbd)

0x604000000744 is located 4 bytes to the right of 48-byte region [0x604000000710,0x604000000740)
allocated by thread T0 here:
    #0 0x7f434cbe1808 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:144
    #1 0x7f43497bf781 in trgt_box_new isomedia/box_code_base.c:10639
    #2 0x7f434982637f in gf_isom_box_new_ex isomedia/box_funcs.c:1726
    #3 0x7f434982637f in gf_isom_box_new isomedia/box_funcs.c:1749
    #4 0x7f4349826c31 in gf_isom_box_parse_ex isomedia/box_funcs.c:237
    #5 0x7f434982b9aa in gf_isom_box_array_read isomedia/box_funcs.c:1761
    #6 0x7f4349826e33 in gf_isom_box_read isomedia/box_funcs.c:1868
    #7 0x7f4349826e33 in gf_isom_box_parse_ex isomedia/box_funcs.c:271
    #8 0x7f4349828285 in gf_isom_parse_root_box isomedia/box_funcs.c:38
    #9 0x7f434985130c in gf_isom_parse_movie_boxes_internal isomedia/isom_intern.c:378
    #10 0x7f4349857571 in gf_isom_parse_movie_boxes isomedia/isom_intern.c:868
    #11 0x7f4349857571 in gf_isom_open_file isomedia/isom_intern.c:988
    #12 0x55ad1dde5139 in mp4box_main /home/fuzz/gpac/applications/mp4box/mp4box.c:6209
    #13 0x7f4346dbc082 in __libc_start_main ../csu/libc-start.c:308

SUMMARY: AddressSanitizer: heap-buffer-overflow isomedia/box_funcs.c:408 in gf_isom_box_write_header
Shadow bytes around the buggy address:
  0x0c087fff8090: fa fa 00 00 00 00 00 00 fa fa 00 00 00 00 00 00
  0x0c087fff80a0: fa fa 00 00 00 00 00 00 fa fa 00 00 00 00 00 00
  0x0c087fff80b0: fa fa fd fd fd fd fd fd fa fa 00 00 00 00 00 00
  0x0c087fff80c0: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fd
  0x0c087fff80d0: fa fa fd fd fd fd fd fa fa fa 00 00 00 00 00 00
=>0x0c087fff80e0: fa fa 00 00 00 00 00 00[fa]fa 00 00 00 00 00 00
  0x0c087fff80f0: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fd
  0x0c087fff8100: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fa
  0x0c087fff8110: fa fa fd fd fd fd fd fa fa fa fd fd fd fd fd fa
  0x0c087fff8120: fa fa fd fd fd fd fd fa fa fa fd fd fd fd fd fa
  0x0c087fff8130: fa fa fd fd fd fd fd fa fa fa fd fd fd fd fd fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==7021==ABORTING

poc download url: https://github.com/Janette88/test_pocs/blob/main/poc2_hbo
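For triage, the numbers in the sanitizer output above can be cross-checked against each other before anyone looks at the code: the faulting address should sit 4 bytes past the 48-byte region, and it should map to exactly the shadow byte ASan bracketed in the dump. The helper below is an added example and not part of the original report or of gpac; it assumes the default x86_64 Linux shadow mapping, shadow = (addr >> 3) + 0x7fff8000, which is what the 0x0c08... shadow addresses in the report imply, and the sample lines it parses are copied from the report on this page.

```python
"""Added triage helper for AddressSanitizer heap-buffer-overflow reports.

Not part of the original report. Assumption: x86_64 Linux ASan shadow mapping
(scale 3, offset 0x7fff8000). Sample lines are copied from the report above.
"""
import re

SHADOW_SCALE = 3             # one shadow byte covers 8 application bytes
SHADOW_OFFSET = 0x7FFF8000   # default x86_64 Linux shadow offset (assumption)

# Lines copied from the ASan output in the report.
ACCESS_LINE = "READ of size 4 at 0x604000000744 thread T0"
REGION_LINE = ("0x604000000744 is located 4 bytes to the right of 48-byte region "
               "[0x604000000710,0x604000000740)")
SHADOW_LINES = [
    "  0x0c087fff80d0: fa fa fd fd fd fd fd fa fa fa 00 00 00 00 00 00",
    "=>0x0c087fff80e0: fa fa 00 00 00 00 00 00[fa]fa 00 00 00 00 00 00",
    "  0x0c087fff80f0: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fd",
]
# Subset of the shadow byte legend printed by ASan.
LEGEND = {"00": "addressable", "fa": "heap left redzone", "fd": "freed heap region"}


def shadow_address(addr):
    """Application address -> shadow byte address under the assumed mapping."""
    return (addr >> SHADOW_SCALE) + SHADOW_OFFSET


def parse_access(access_line):
    """Return (kind, size, address) from the 'READ of size N at ...' line."""
    m = re.match(r"(READ|WRITE) of size (\d+) at (0x[0-9a-f]+)", access_line)
    return m.group(1), int(m.group(2)), int(m.group(3), 16)


def parse_region(region_line):
    """Return (size, start, end) of the heap region ASan describes."""
    m = re.search(r"(\d+)-byte region \[(0x[0-9a-f]+),(0x[0-9a-f]+)\)", region_line)
    return int(m.group(1)), int(m.group(2), 16), int(m.group(3), 16)


def marked_shadow_byte(shadow_lines):
    """Return (shadow_addr, byte) for the cell ASan bracketed in the dump."""
    for line in shadow_lines:
        m = re.match(r"\s*(?:=>)?\s*(0x[0-9a-f]+):(.*)", line)
        base = int(m.group(1), 16)
        cells = re.findall(r"\[?[0-9a-f]{2}\]?", m.group(2))
        for i, cell in enumerate(cells):
            if cell.startswith("["):
                return base + i, cell.strip("[]")
    return None, None


def triage(access_line, region_line, shadow_lines):
    """Cross-check the access, the region bounds and the shadow dump."""
    kind, size, addr = parse_access(access_line)
    region_size, start, end = parse_region(region_line)
    expected_shadow = shadow_address(addr)
    marked_addr, marked_byte = marked_shadow_byte(shadow_lines)
    return {
        "kind": kind,
        "size": size,
        "addr": addr,
        "region_size": region_size,
        "region_size_matches": end - start == region_size,
        "bytes_past_end": addr - end,          # 4 for this report
        "expected_shadow": expected_shadow,
        "marked_shadow": marked_addr,
        "shadow_consistent": expected_shadow == marked_addr,
        "shadow_meaning": LEGEND.get(marked_byte, "?"),
    }


if __name__ == "__main__":
    for key, val in triage(ACCESS_LINE, REGION_LINE, SHADOW_LINES).items():
        if isinstance(val, int) and not isinstance(val, bool):
            print(f"{key:22} {val:#x}")
        else:
            print(f"{key:22} {val}")
```

Run as-is, the helper confirms that the 4-byte read starts exactly at the end of the 48-byte region allocated in trgt_box_new, and that the bracketed shadow byte (fa, a heap redzone) is the one the faulting address maps to, which is what makes this a clean out-of-bounds read rather than a stale-pointer report.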

Impact

This vulnerability is capable of crashing the software, modifying memory, and possibly enabling remote code execution.

We are processing your report and will contact the gpac team within 24 hours. 4 months ago
We have contacted a member of the gpac team and are waiting to hear back 4 months ago
gpac/gpac maintainer
4 months ago

https://github.com/gpac/gpac/issues/2322

gpac/gpac maintainer
4 months ago

https://github.com/gpac/gpac/commit/000c84a87f73b901d267e6f96446e9bfc78d1214

gpac/gpac maintainer validated this vulnerability 4 months ago
janette88 has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
janette88 (Researcher)
4 months ago

@admin can we get a CVE for this report?

Ben Harvie marked this as fixed in 2.2 with commit 000c84 3 months ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
Ben Harvie published this vulnerability 3 months ago
janette88 (Researcher)
2 months ago

@Ben Harvie can we get a CVE for this report?