Out of Bounds Read in MPEG12_ParseSeqHdr media_tools/mpeg2_ps.c in gpac/gpac

Valid

Reported on

Aug 31st 2023


Description

Heap-buffer-overflow (out-of-bounds read) in MP4Box. While DASH-segmenting a crafted MPEG-2 program stream, MPEG12_ParseSeqHdr (media_tools/mpeg2_ps.c:273) reads one byte located 0 bytes past the end of the 16384-byte stream buffer allocated by mpeg2ps_stream_create (media_tools/mpeg2_ps.c:392). The parser reaches the end of the buffered data while parsing a sequence header and keeps reading instead of stopping at the number of bytes remaining.

Version

$ ./bin/gcc/MP4Box -version
MP4Box - GPAC version 2.3-DEV-revrelease
(c) 2000-2023 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io

Please cite our work in your research:
    GPAC Filters: https://doi.org/10.1145/3339825.3394929
    GPAC: https://doi.org/10.1145/1291233.1291452

GPAC Configuration: --enable-sanitizer
Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SSL GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_LINUX_DVB  GPAC_DISABLE_3D

Reproduce

Compile and run with AddressSanitizer enabled:

./configure --enable-sanitizer
make

Proof of Concept

./bin/gcc/MP4Box -dash 1000 ./crash000086

poc_crash000086 is here

ASAN

Information reported by AddressSanitizer:

$ ./bin/gcc/MP4Box -dash 1000 ./crash000086
=================================================================
==3400280==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x629000059200 at pc 0x7f9f454eb2ad bp 0x7ffc60dd7560 sp 0x7ffc60dd7550
READ of size 1 at 0x629000059200 thread T0
    #0 0x7f9f454eb2ac in MPEG12_ParseSeqHdr media_tools/mpeg2_ps.c:273
    #1 0x7f9f454ee983 in get_info_from_frame media_tools/mpeg2_ps.c:990
    #2 0x7f9f454ee983 in get_info_for_all_streams media_tools/mpeg2_ps.c:1203
    #3 0x7f9f454ee983 in mpeg2ps_scan_file media_tools/mpeg2_ps.c:1368
    #4 0x7f9f454ee983 in mpeg2ps_init media_tools/mpeg2_ps.c:1625
    #5 0x7f9f45b2150c in m2psdmx_process filters/dmx_mpegps.c:327
    #6 0x7f9f459ae33e in gf_filter_process_task filter_core/filter.c:2971
    #7 0x7f9f4596d66a in gf_fs_thread_proc filter_core/filter_session.c:1962
    #8 0x7f9f4597afd6 in gf_fs_run filter_core/filter_session.c:2261
    #9 0x7f9f45310a9d in gf_dasher_process media_tools/dash_segmenter.c:1236
    #10 0x557a668afbb6 in do_dash /home/functionmain/Desktop/gpac-master-asan/applications/mp4box/mp4box.c:4825
    #11 0x557a668afbb6 in mp4box_main /home/functionmain/Desktop/gpac-master-asan/applications/mp4box/mp4box.c:6239
    #12 0x7f9f425bf082 in __libc_start_main ../csu/libc-start.c:308
    #13 0x557a66887f5d in _start (/home/functionmain/Desktop/gpac-master-asan/bin/gcc/MP4Box+0xa5f5d)

0x629000059200 is located 0 bytes to the right of 16384-byte region [0x629000055200,0x629000059200)
allocated by thread T0 here:
    #0 0x7f9f485bb808 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:144
    #1 0x7f9f454e4eda in mpeg2ps_stream_create media_tools/mpeg2_ps.c:392
    #2 0x7f9f454e4eda in add_stream media_tools/mpeg2_ps.c:1116
    #3 0x7f9f454ec886 in mpeg2ps_scan_file media_tools/mpeg2_ps.c:1293
    #4 0x7f9f454ec886 in mpeg2ps_init media_tools/mpeg2_ps.c:1625
    #5 0x7f9f45b2150c in m2psdmx_process filters/dmx_mpegps.c:327
    #6 0x7f9f459ae33e in gf_filter_process_task filter_core/filter.c:2971
    #7 0x7f9f4596d66a in gf_fs_thread_proc filter_core/filter_session.c:1962
    #8 0x7f9f4597afd6 in gf_fs_run filter_core/filter_session.c:2261
    #9 0x7f9f45310a9d in gf_dasher_process media_tools/dash_segmenter.c:1236
    #10 0x557a668afbb6 in do_dash /home/functionmain/Desktop/gpac-master-asan/applications/mp4box/mp4box.c:4825
    #11 0x557a668afbb6 in mp4box_main /home/functionmain/Desktop/gpac-master-asan/applications/mp4box/mp4box.c:6239
    #12 0x7f9f425bf082 in __libc_start_main ../csu/libc-start.c:308

SUMMARY: AddressSanitizer: heap-buffer-overflow media_tools/mpeg2_ps.c:273 in MPEG12_ParseSeqHdr
Shadow bytes around the buggy address:
  0x0c52800031f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c5280003200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c5280003210: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c5280003220: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c5280003230: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c5280003240:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c5280003250: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c5280003260: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c5280003270: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c5280003280: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c5280003290: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==3400280==ABORTING
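The trace shows the shape of the bug rather than the offending expression: the read lands 0 bytes past a 16384-byte stream buffer, so the sequence-header parser consumed the last buffered byte and stepped to the next one without comparing against the bytes remaining. The following is an added example written for this page, not GPAC's MPEG12_ParseSeqHdr nor its fix: a bounds-checked MPEG-1/2 sequence_header and sequence_extension parser laid out per ISO/IEC 13818-2, in which every field is fetched through a bit reader that refuses to step past the supplied length and reports a distinct "truncated" status, so a demuxer working on a fixed-size window refills instead of reading on. The sample header bytes are constructed here (1920x1080, 16:9, frame_rate_code 4, 37500 x 400 bit/s) and are not taken from the PoC file; the type and function names are this example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example (not GPAC code). Status codes: a demuxer must treat
 * SEQ_TRUNCATED as "refill the window", never as "read past it". */
enum { SEQ_TRUNCATED = -1, SEQ_BAD = 0, SEQ_OK = 1 };

typedef struct {
    unsigned width, height;       /* 12-bit value, plus 2-bit extension in MPEG-2 */
    unsigned aspect_code;         /* aspect_ratio_information */
    unsigned frame_rate_code;
    unsigned bit_rate;            /* units of 400 bit/s; 18 bits, plus 12 in MPEG-2 */
    unsigned vbv_buffer_size;     /* 10 bits, plus 8 in MPEG-2 */
    unsigned profile_and_level;   /* MPEG-2 only */
    int      is_mpeg2;            /* a sequence_extension followed the header */
} seq_hdr_t;

typedef struct {
    const uint8_t *buf;
    size_t len;
    size_t bitpos;
    int err;                      /* set once a read would pass `len` */
} bitrd_t;

/* Read n bits MSB-first. Sets err and returns 0 instead of indexing past len:
 * this comparison against the remaining length is what keeps a header sitting
 * at the tail of the buffer from turning into an out-of-bounds read. */
static unsigned rd_bits(bitrd_t *r, unsigned n)
{
    unsigned v = 0;
    while (n-- > 0) {
        size_t byte = r->bitpos >> 3;
        if (r->err || byte >= r->len) { r->err = 1; return 0; }
        v = (v << 1) | ((r->buf[byte] >> (7 - (r->bitpos & 7))) & 1u);
        r->bitpos++;
    }
    return v;
}

/* Caller guarantees at least 4 readable bytes at p. */
static int is_start_code(const uint8_t *p, uint8_t code)
{
    return p[0] == 0x00 && p[1] == 0x00 && p[2] == 0x01 && p[3] == code;
}

int parse_seq_hdr(const uint8_t *buf, size_t len, seq_hdr_t *out)
{
    bitrd_t r = { buf, len, 0, 0 };
    unsigned marker;
    size_t pos;

    memset(out, 0, sizeof *out);
    if (len < 4) return SEQ_TRUNCATED;
    if (!is_start_code(buf, 0xB3)) return SEQ_BAD;    /* sequence_header_code */
    r.bitpos = 32;

    out->width           = rd_bits(&r, 12);           /* horizontal_size_value */
    out->height          = rd_bits(&r, 12);           /* vertical_size_value */
    out->aspect_code     = rd_bits(&r, 4);
    out->frame_rate_code = rd_bits(&r, 4);
    out->bit_rate        = rd_bits(&r, 18);           /* bit_rate_value */
    marker               = rd_bits(&r, 1);
    out->vbv_buffer_size = rd_bits(&r, 10);
    (void)rd_bits(&r, 1);                             /* constrained_parameters_flag */
    if (rd_bits(&r, 1)) r.bitpos += 64 * 8;           /* load_intra_quantiser_matrix */
    if (rd_bits(&r, 1)) r.bitpos += 64 * 8;           /* load_non_intra_quantiser_matrix */
    if (r.err || r.bitpos > len * 8) return SEQ_TRUNCATED;
    if (marker != 1) return SEQ_BAD;
    pos = (r.bitpos + 7) >> 3;                        /* next_start_code(): byte-align */

    /* The header may be complete while the following start code is not yet
     * buffered: report that rather than scanning on past len. */
    if (len - pos < 4) return SEQ_TRUNCATED;
    if (!is_start_code(buf + pos, 0xB5)) return SEQ_OK;   /* MPEG-1: no extension */

    if (len - pos < 10) return SEQ_TRUNCATED;         /* extension = 4 + 6 bytes */
    if ((buf[pos + 4] >> 4) != 0x1) return SEQ_BAD;   /* extension_start_code_identifier */
    out->is_mpeg2 = 1;
    r.bitpos = (pos + 4) * 8 + 4;
    out->profile_and_level = rd_bits(&r, 8);
    (void)rd_bits(&r, 1);                             /* progressive_sequence */
    (void)rd_bits(&r, 2);                             /* chroma_format */
    out->width    |= rd_bits(&r, 2) << 12;            /* horizontal_size_extension */
    out->height   |= rd_bits(&r, 2) << 12;            /* vertical_size_extension */
    out->bit_rate |= rd_bits(&r, 12) << 18;           /* bit_rate_extension */
    if (rd_bits(&r, 1) != 1) return SEQ_BAD;          /* marker_bit */
    out->vbv_buffer_size |= rd_bits(&r, 8) << 10;     /* vbv_buffer_size_extension */
    return r.err ? SEQ_TRUNCATED : SEQ_OK;
}

/* Constructed samples (not from the PoC file). MPEG-2: 1920x1080, 16:9,
 * frame_rate_code 4, bit_rate_value 37500, vbv 112, then MP@HL extension. */
static const uint8_t SAMPLE_MPEG2[22] = {
    0x00, 0x00, 0x01, 0xB3, 0x78, 0x04, 0x38, 0x34, 0x24, 0x9F, 0x23, 0x80,
    0x00, 0x00, 0x01, 0xB5, 0x14, 0x4A, 0x00, 0x01, 0x00, 0x00
};
/* MPEG-1: same header, directly followed by a group_start_code (0xB8). */
static const uint8_t SAMPLE_MPEG1[16] = {
    0x00, 0x00, 0x01, 0xB3, 0x78, 0x04, 0x38, 0x34, 0x24, 0x9F, 0x23, 0x80,
    0x00, 0x00, 0x01, 0xB8
};

int main(void)
{
    seq_hdr_t h;
    int rc = parse_seq_hdr(SAMPLE_MPEG2, sizeof SAMPLE_MPEG2, &h);
    printf("full: rc=%d %ux%u mpeg2=%d profile=0x%02x\n",
           rc, h.width, h.height, h.is_mpeg2, h.profile_and_level);
    rc = parse_seq_hdr(SAMPLE_MPEG2, 10, &h);      /* window ends inside the header */
    printf("cut at 10 bytes: rc=%d (SEQ_TRUNCATED, nothing read past the end)\n", rc);
    return 0;
}
```

Built with -fsanitize=address the harness stays clean on the full input and on every truncation, because each read is bounded by len before the index is formed; the window-ends-here case surfaces as SEQ_TRUNCATED, which is the bound the read at mpeg2_ps.c:273 crossed.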

Impact

Denial of service: a crafted MPEG-2 PS file crashes MP4Box, and any application that imports or DASHes such files through libgpac's MPEG-2 PS demuxer (m2psdmx_process in the trace) is affected the same way. The sanitizer shows a 1-byte read exactly at the end of the allocation; in a build without ASAN that read does not abort but returns whatever heap byte follows the buffer (or faults if the buffer ends a mapped page), so the outcome is a crash or sequence-header fields derived from out-of-bounds memory, not a memory write.

References

poc_crash000086 is here

Timeline

We are processing your report and will contact the gpac team within 24 hours. (21 days ago)
We have contacted a member of the gpac team and are waiting to hear back. (20 days ago)
gpac/gpac maintainer (20 days ago): https://github.com/gpac/gpac/issues/2580
gpac/gpac maintainer validated this vulnerability. (20 days ago)
functionmain has been awarded the disclosure bounty.
The fix bounty is now up for grabs.
The researcher's credibility has increased: +7
gpac/gpac maintainer marked this as fixed in 2.3-DEV with commit 3ec93d. (20 days ago)
The fix bounty has been dropped.
This vulnerability has been assigned a CVE.
gpac/gpac maintainer published this vulnerability. (20 days ago)