Controlled heap buffer overflow in SDP packet parsing in gpac/gpac

Valid

Reported on

Mar 30th 2022


Description

A malicious server can trigger an out-of-bounds heap write via a specially crafted SDP packet due to no bounds check when parsing time zone information into the AdjustmentTime and AdjustmentOffset fields of GF_SDPTiming.

Proof of Concept

poc.py is available here

(terminal 1)

python3 poc.py 31337

(terminal 2)

./configure --enable-sanitizer
make -j32
./bin/gcc/gpac -play rtsp://127.0.0.1:31337/test
ietf/sdp.c:624:27: runtime error: index 10 out of bounds for type 'u32 [10]'

GDB

Thread 1 "gpac" received signal SIGSEGV, Segmentation fault.
0x00007ffff7828932 in gf_sdp_info_parse () from /gpac/bin/gcc/libgpac.so.11
(gdb) bt
#0  0x00007ffff7828932 in gf_sdp_info_parse () at /gpac/bin/gcc/libgpac.so.11
#1  0x00007ffff7be6020 in rtpin_load_sdp () at /gpac/bin/gcc/libgpac.so.11
#2  0x00007ffff7be6d6c in rtpin_rtsp_describe_process () at /gpac/bin/gcc/libgpac.so.11
#3  0x00007ffff7be493b in rtpin_rtsp_process_commands () at /gpac/bin/gcc/libgpac.so.11
#4  0x00007ffff7be3d56 in rtpin_process () at /gpac/bin/gcc/libgpac.so.11
#5  0x00007ffff7b47945 in gf_filter_process_task () at /gpac/bin/gcc/libgpac.so.11
#6  0x00007ffff7b34e67 in gf_fs_thread_proc () at /gpac/bin/gcc/libgpac.so.11
#7  0x00007ffff7b39e1b in gf_fs_run () at /gpac/bin/gcc/libgpac.so.11
#8  0x0000555555563a43 in gpac_main ()
#9  0x00007ffff744c310 in __libc_start_call_main () at /usr/lib/libc.so.6
#10 0x00007ffff744c3c1 in __libc_start_main_impl () at /usr/lib/libc.so.6
#11 0x0000555555559dc5 in _start ()

Impact

This is capable of causing crashes and allowing modification of heap memory which could lead to remote code execution.

We are processing your report and will contact the gpac team within 24 hours. 2 months ago
We have contacted a member of the gpac team and are waiting to hear back 2 months ago
gpac/gpac maintainer
2 months ago

Maintainer


https://github.com/gpac/gpac/issues/2162

We have sent a follow up to the gpac team. We will try again in 7 days. 2 months ago
We have sent a second follow up to the gpac team. We will try again in 10 days. a month ago
gpac/gpac maintainer validated this vulnerability a month ago

Fixed by https://github.com/gpac/gpac/commit/cfaea36eb0116f28b3ca46096b5ed932b5a8c600

Callum Thomson has been awarded the disclosure bounty
The fix bounty is now up for grabs
gpac/gpac maintainer confirmed that a fix has been merged on cfaea3 a month ago
The fix bounty has been dropped
to join this conversation