signed integer overflow in filters/mux_isom.c:5716:20 in gpac/gpac

Valid

Reported on

Aug 31st 2023


Description

A signed integer overflow occurs in MP4Box, and the program eventually crashes due to a double free.

It is uncertain whether the signed integer overflow is directly related to the double free.

Version

$ ./bin/gcc/MP4Box -version
MP4Box - GPAC version 2.3-DEV-revrelease
(c) 2000-2023 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io

Please cite our work in your research:
    GPAC Filters: https://doi.org/10.1145/3339825.3394929
    GPAC: https://doi.org/10.1145/1291233.1291452

GPAC Configuration: --enable-sanitizer
Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SSL GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_LINUX_DVB  GPAC_DISABLE_3D

Reproduce

Compile and run:

./configure --enable-sanitizer
make

Proof of Concept

./bin/gcc/MP4Box -dash 1000 ./crash000173

poc_crash000173 is here.

ASAN details

Information reported by the sanitizer:

$ ../bin/gcc/MP4Box -dash 1000 ./crash000173
[iso file] default sample description set to 241 but only 1 sample description(s), likely broken ! Fixing to 1
[iso file] default sample description set to 241 but only 1 sample description(s), likely broken ! Fixing to 1
[iso file] TFDT timing 3 higher than cumulated timing 12884901123 (last sample got extended in duration)
[Dasher] No template assigned, using $File$_dash$FS$$Number$
[Dasher] No bitrate property assigned to PID V1, computing from bitstream
filters/mux_isom.c:5716:20: runtime error: signed integer overflow: 25769802246 * 1406331903 cannot be represented in type 'long int'

When compiled without ASAN:

./gpac-master-noasan/bin/gcc/MP4Box -dash 1000 ./crash000173
[iso file] default sample description set to 241 but only 1 sample description(s), likely broken ! Fixing to 1
[iso file] default sample description set to 241 but only 1 sample description(s), likely broken ! Fixing to 1
[iso file] TFDT timing 3 higher than cumulated timing 12884901123 (last sample got extended in duration)
[Dasher] No template assigned, using $File$_dash$FS$$Number$
[Dasher] No bitrate property assigned to PID V1, computing from bitstream
[IsoMedia] File truncated, aborting read for track 115396044.92s 50 %
[MP4Mux] PID A2 ID 2 Sample 2 with DTS 0 less than previous sample DTS 0, patching DTS
[MP4Mux] PID A2 ID 2 Sample 3 with DTS 0 less than previous sample DTS 1, patching DTS
[MPD] Generating MPD at time 2023-08-31T01:51:21.969Z
[Dasher] End of Period 
[Dasher] End of MPD (no more active streams)

free(): double free detected in tcache 2

Impact

This is capable of causing crashes.


Occurrences

filters/mux_isom.c:5716:20: runtime error: signed integer overflow: 25769802246 * 1406331903 cannot be represented in type 'long int'
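The expression that overflows at mux_isom.c:5716 is not reproduced in this report. The following is an added example, not GPAC's code, showing how a 64-bit timescale product like the one in the sanitizer line can be rejected with __builtin_mul_overflow or computed exactly through a 128-bit intermediate; the rescale helper and its ts*num/den shape are assumptions, and it requires GCC or Clang on a 64-bit target.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Operands copied from the sanitizer line: 25769802246 * 1406331903 does
 * not fit in a 64-bit signed integer. */
#define OVERFLOW_A 25769802246LL
#define OVERFLOW_B 1406331903LL

/* Checked 64-bit multiply: returns true and stores the product when it fits,
 * false (leaving *out untouched) when it would overflow. __builtin_mul_overflow
 * (GCC/Clang) never performs the undefined signed overflow itself. */
bool checked_mul_s64(int64_t a, int64_t b, int64_t *out)
{
    int64_t r;
    if (__builtin_mul_overflow(a, b, &r))
        return false;
    *out = r;
    return true;
}

/* Rescale a timestamp between timescales as ts*num/den. A plain 64-bit
 * ts*num is the kind of product that overflows in the report; a 128-bit
 * intermediate keeps it exact as long as the final quotient fits in 64 bits.
 * Illustrative helper (assumed shape), not the function used in mux_isom.c.
 * Returns false when den is zero or the quotient does not fit. */
bool rescale_ts(int64_t ts, int64_t num, int64_t den, int64_t *out)
{
    if (den == 0)
        return false;
    __int128 prod = (__int128)ts * num;
    __int128 q = prod / den;
    if (q > INT64_MAX || q < INT64_MIN)
        return false;
    *out = (int64_t)q;
    return true;
}

int main(void)
{
    int64_t r;
    printf("checked multiply of report operands: %s\n",
           checked_mul_s64(OVERFLOW_A, OVERFLOW_B, &r) ? "ok" : "overflow rejected");
    /* den == 2*num halves the value: 25769802246/2 == 12884901123, the
     * "cumulated timing" printed in the report log. */
    if (rescale_ts(OVERFLOW_A, OVERFLOW_B, 2 * OVERFLOW_B, &r))
        printf("rescaled: %lld\n", (long long)r);
    return 0;
}
```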

References

https://github.com/gpac/gpac/issues/2579

gpac/gpac maintainer validated this vulnerability 20 days ago
gpac/gpac maintainer marked this as fixed in 2.3-DEV with commit de7f3a 20 days ago
This vulnerability has been assigned a CVE
gpac/gpac maintainer published this vulnerability 20 days ago