Stack-Based Buffer Overflow in gf_sg_proto_field_is_sftime_offset in gpac/gpac

Valid

Reported on

Nov 15th 2022


Description

Uncontrolled recursion in gf_sg_proto_field_is_sftime_offset at vrml_proto.c:1295 exhausts the stack while parsing a crafted BIFS scene. AddressSanitizer reports the fault as stack-overflow, which is stack exhaustion (the write lands in the guard page below the exhausted stack), not an out-of-bounds write into a stack buffer.

Version

git log
commit 05eaac875354682942b70c790bcd62cb5f4cc825 (grafted, HEAD -> master, origin/master, origin/HEAD)
Author: Jean Le Feuvre <jeanlf@gpac.io>
Date:   Mon Nov 14 18:07:45 2022 +0100

    fixed msvc warnings

./MP4Box -version
MP4Box - GPAC version 2.1-DEV-revUNKNOWN-master
(c) 2000-2022 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io

Reference: possible root cause

1) Recursive call

Code 1: gf_node_get_field, scenegraph/base_scenegraph.c:2043

GF_Err gf_node_get_field(GF_Node *node, u32 FieldIndex, GF_FieldInfo *info)
{
    assert(node);
    assert(info);
    memset(info, 0, sizeof(GF_FieldInfo));                //here sizeof(GF_FieldInfo)=0x28
    info->fieldIndex = FieldIndex;

    if (node->sgprivate->tag==TAG_UndefinedNode) return GF_BAD_PARAM;
#ifndef GPAC_DISABLE_VRML
    else if (node->sgprivate->tag == TAG_ProtoNode) return gf_sg_proto_get_field(NULL, node, info);
    else if (node->sgprivate->tag == TAG_MPEG4_Script)
        return gf_sg_script_get_field(node, info);

Code 2: gf_sg_proto_field_is_sftime_offset, scenegraph/vrml_proto.c:1293

Bool gf_sg_proto_field_is_sftime_offset(GF_Node *node, GF_FieldInfo *field)
{
    u32 i;
    GF_Route *r;
    GF_ProtoInstance *inst;
    GF_FieldInfo inf;
    if (node->sgprivate->tag != TAG_ProtoNode) return 0;
    if (field->fieldType != GF_SG_VRML_SFTIME) return 0;

    inst = (GF_ProtoInstance *) node;
    /*check in interface if this is ISed */
    i=0;
    while ((r = (GF_Route*)gf_list_enum(inst->proto_interface->sub_graph->Routes, &i))) {
        if (!r->IS_route) continue;
        /*only check eventIn/field/exposedField*/
        if (r->FromNode || (r->FromField.fieldIndex != field->fieldIndex)) continue;

        gf_node_get_field(r->ToNode, r->ToField.fieldIndex, &inf);   //  0x100
        /*IS to another proto*/
        if (r->ToNode->sgprivate->tag == TAG_ProtoNode) return gf_sg_proto_field_is_sftime_offset(r->ToNode, &inf);   // Recursive call triggered SIGSEGV
        /*IS to a startTime/stopTime field*/
        if (!stricmp(inf.name, "startTime") || !stricmp(inf.name, "stopTime")) return 1;
    }
    return 0;
}

2) Stack exhaustion

Every level of the recursion at line 1295 places a fresh GF_FieldInfo (0x28 bytes) on the stack and calls gf_node_get_field, which memsets it. The recursion has no depth limit and no check that a proto node has already been visited: it follows every IS route whose target is another proto node. A crafted scene whose IS routes chain proto nodes deeply, or back onto each other, therefore recurses until the thread's stack is exhausted, and the next memset in gf_node_get_field faults on the guard page (SIGSEGV, reported by ASan as stack-overflow). The depth needed to reach the crash depends only on the stack size available to the process. Hopefully this is helpful for fixing it.
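As an added illustration of the root cause above (this is example code, not gpac code: Node, IsRoute, the scene builders and the function names are hypothetical stand-ins for the gpac structures, and POSIX strcasecmp stands in for stricmp), the block below models proto nodes joined by IS routes, reproduces the shape of the unbounded recursion, and shows one way to bound it with an on-path check plus a hard depth cap. The bounded variant is one possible mitigation and is not a description of what commit c31941 changed.

```c
/* Added example, not gpac code: toy proto nodes joined by IS routes, the
 * unbounded recursive check, and a bounded replacement. All names hypothetical. */
#include <stdio.h>
#include <string.h>
#include <strings.h>   /* strcasecmp: POSIX spelling of stricmp */

#define MAX_ROUTES 4
#define MAX_DEPTH  64  /* hard bound on recursion depth in the safe variant */

typedef struct Node Node;

/* One IS route in a proto interface: "from_field of this proto IS to_field of
 * to_node". Routes with FromNode set are skipped by the original and not modelled. */
typedef struct {
    const char *from_field;
    Node       *to_node;
    const char *to_field;
} IsRoute;

struct Node {
    int     is_proto;            /* plays the role of sgprivate->tag == TAG_ProtoNode */
    IsRoute routes[MAX_ROUTES];
    int     nb_routes;
};

static int is_time_field(const char *name)
{
    return !strcasecmp(name, "startTime") || !strcasecmp(name, "stopTime");
}

/* Same shape as the original check: follow the IS route for `field`; if it lands
 * on another proto, recurse. No depth limit, no visited set: on a cycle
 * (A.t IS B.t, B.t IS A.t) this grows the stack one frame per hop until the
 * guard page is hit. Never call it on a cyclic graph. */
int is_sftime_offset_unbounded(const Node *n, const char *field)
{
    if (!n->is_proto) return 0;
    for (int i = 0; i < n->nb_routes; i++) {
        const IsRoute *r = &n->routes[i];
        if (strcmp(r->from_field, field) != 0) continue;
        if (r->to_node->is_proto)
            return is_sftime_offset_unbounded(r->to_node, r->to_field);
        if (is_time_field(r->to_field)) return 1;
    }
    return 0;
}

/* Bounded variant: remember the nodes on the current path, refuse to revisit
 * one, and cap the depth so stack use is limited whatever the input looks like.
 * A cyclic IS chain is treated as "not a time offset". */
static int is_sftime_offset_rec(const Node *n, const char *field,
                                const Node **path, int depth)
{
    if (!n->is_proto) return 0;
    if (depth >= MAX_DEPTH) return 0;
    for (int d = 0; d < depth; d++)
        if (path[d] == n) return 0;          /* cycle: node already on the path */
    path[depth] = n;
    for (int i = 0; i < n->nb_routes; i++) {
        const IsRoute *r = &n->routes[i];
        if (strcmp(r->from_field, field) != 0) continue;
        if (r->to_node->is_proto)
            return is_sftime_offset_rec(r->to_node, r->to_field, path, depth + 1);
        if (is_time_field(r->to_field)) return 1;
    }
    return 0;
}

int is_sftime_offset_bounded(const Node *n, const char *field)
{
    const Node *path[MAX_DEPTH];
    return is_sftime_offset_rec(n, field, path, 0);
}

/* Constructed scene: proto A's field t IS proto B's field t, which IS the
 * startTime of a plain node C. Acyclic, so both variants answer 1. */
static void build_chain(Node *a, Node *b, Node *c)
{
    *a = (Node){ .is_proto = 1 };
    *b = (Node){ .is_proto = 1 };
    *c = (Node){ .is_proto = 0 };
    a->routes[a->nb_routes++] = (IsRoute){ "t", b, "t" };
    b->routes[b->nb_routes++] = (IsRoute){ "t", c, "startTime" };
}

int scene_chain_unbounded(void)
{
    Node a, b, c;
    build_chain(&a, &b, &c);
    return is_sftime_offset_unbounded(&a, "t");
}

int scene_chain_bounded(void)
{
    Node a, b, c;
    build_chain(&a, &b, &c);
    return is_sftime_offset_bounded(&a, "t");
}

/* Constructed scene: A.t IS B.t and B.t IS A.t, a cycle between two protos.
 * The unbounded variant would recurse until the stack is exhausted here. */
int scene_cycle_bounded(void)
{
    Node a = { .is_proto = 1 }, b = { .is_proto = 1 };
    a.routes[a.nb_routes++] = (IsRoute){ "t", &b, "t" };
    b.routes[b.nb_routes++] = (IsRoute){ "t", &a, "t" };
    return is_sftime_offset_bounded(&a, "t");
}

int main(void)
{
    printf("chain, unbounded: %d\n", scene_chain_unbounded());
    printf("chain, bounded:   %d\n", scene_chain_bounded());
    printf("cycle, bounded:   %d\n", scene_cycle_bounded());
    return 0;
}
```

The on-path check is what stops the cycle; the depth cap is the belt-and-braces bound that also covers a very long acyclic chain, which a decoder reading attacker-controlled scene data should assume is possible.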

Proof of Concept

PoC download URL: https://github.com/Janette88/test_pocs/blob/main/sbo2

./MP4Box -bt  sbo2 
[iso file] Unknown box type dCCf in parent minf
[iso file] Missing DataInformationBox
[iso file] extra box maxr found in hinf, deleting
[iso file] extra box maxr found in hinf, deleting
[iso file] Unknown box type 80rak in parent moov
[ODF] Descriptor size on more than 4 bytes
[iso file] Incomplete box mdat - start 11495 size 853093
[iso file] Incomplete file while reading for dump - aborting parsing
[iso file] Unknown box type dCCf in parent minf
[iso file] Missing DataInformationBox
[iso file] extra box maxr found in hinf, deleting
[iso file] extra box maxr found in hinf, deleting
[iso file] Unknown box type 80rak in parent moov
[ODF] Descriptor size on more than 4 bytes
[iso file] Incomplete box mdat - start 11495 size 853093
[iso file] Incomplete file while reading for dump - aborting parsing
MPEG-4 BIFS Scene Parsing
[ODF] Reading bifs config: shift in sizes (invalid descriptor)
AddressSanitizer:DEADLYSIGNAL
=================================================================
==6667==ERROR: AddressSanitizer: stack-overflow on address 0x7fff20958f18 (pc 0x7efda5e75e49 bp 0x7fff209597a0 sp 0x7fff20958f20 T0)
    #0 0x7efda5e75e48 in __interceptor_memset ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:762
    #1 0x7efda26e7f7a in memset /usr/include/x86_64-linux-gnu/bits/string_fortified.h:71
    #2 0x7efda26e7f7a in gf_node_get_field scenegraph/base_scenegraph.c:2043
    #3 0x7efda2858b22 in gf_sg_proto_field_is_sftime_offset scenegraph/vrml_proto.c:1293
    #4 0x7efda2858c1f in gf_sg_proto_field_is_sftime_offset scenegraph/vrml_proto.c:1295
    #5 0x7efda2858c1f in gf_sg_proto_field_is_sftime_offset scenegraph/vrml_proto.c:1295
    #6 0x7efda2858c1f in gf_sg_proto_field_is_sftime_offset scenegraph/vrml_proto.c:1295
    #7 0x7efda2858c1f in gf_sg_proto_field_is_sftime_offset scenegraph/vrml_proto.c:1295
    #8 0x7efda2858c1f in gf_sg_proto_field_is_sftime_offset scenegraph/vrml_proto.c:1295
    [frames #9 through #248 omitted: each is identical to #8, gf_sg_proto_field_is_sftime_offset scenegraph/vrml_proto.c:1295]
    #249 0x7efda2858c1f in gf_sg_proto_field_is_sftime_offset scenegraph/vrml_proto.c:1295

SUMMARY: AddressSanitizer: stack-overflow ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:762 in __interceptor_memset
==6667==ABORTING

Impact

Parsing the crafted file crashes MP4Box, so the demonstrated impact is denial of service. AddressSanitizer classifies the fault as stack-overflow, which is exhaustion of the thread stack into the guard page (the faulting address is just below sp in the report above), not an out-of-bounds write into a stack buffer. This PoC shows no attacker-controlled write to live stack memory, so the remote-code-execution claim is not supported by it; the supported impact is a crash on crafted input.

We are processing your report and will contact the gpac team within 24 hours. 4 months ago
janette88 modified the report
4 months ago
janette88 modified the report
4 months ago
We have contacted a member of the gpac team and are waiting to hear back 4 months ago
gpac/gpac maintainer
4 months ago

Maintainer


https://github.com/gpac/gpac/issues/2316

gpac/gpac maintainer
4 months ago

Maintainer


https://github.com/gpac/gpac/commit/c31941822ee275a35bc148382bafef1c53ec1c26

gpac/gpac maintainer validated this vulnerability 4 months ago
janette88 has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
janette88
4 months ago

Researcher


@admin can we get a CVE for this report?

Ben Harvie marked this as fixed in 2.2 with commit c31941 2 months ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
Ben Harvie published this vulnerability 2 months ago
vrml_proto.c#L1295 has been validated
janette88
2 months ago

Researcher


@Ben Harvie can we get a CVE for this report?

gpac/gpac maintainer
2 months ago

Maintainer


https://github.com/gpac/gpac/issues/2384

janette88
2 months ago

Researcher


@gpac/gpac I read the link. The two links are both from this bug report, so they are the same vulnerability. This bug report was submitted on 5 Nov 2022, but it was never assigned a CVE ID. I ask @gpac/gpac and @admin to assign a CVE ID for this bug report if it is valid :-) Thanks.

gpac/gpac maintainer
2 months ago

Maintainer


@janette88 I have no clue what's happening here. I created a new issue because I thought it was a new vulnerability. The platform doesn't make it clear. I only realized when I wanted to post it in the chat.

As for the bounty dropped and not getting a CVE messages, I don't know where they come from. @benharvie might be able to assist you here?

janette88
2 months ago

Researcher


@gpac/gpac thank you for your quick response :-) I will ask @Ben Harvie again. In this case, I am always confused about who is responsible for CVE ID assignment. I will also ask @admin for help.

Ben Harvie
a month ago

Admin


Happy to assign a CVE but I just need confirmation from the maintainer that they would like to go ahead with the assignment also. Thanks!

gpac/gpac maintainer
a month ago

Maintainer


As usual: if that's the state of the art, there's no problem for us, go ahead.

Ben Harvie
a month ago

Admin


Great, a CVE has now been assigned.
