memcpy-param-overlap in MP4Box in gpac/gpac

Valid

Reported on

Oct 11th 2023


Description

memcpy-param-overlap in MP4Box

Version

$ ./MP4Box -version
MP4Box - GPAC version 2.3-DEV-rev566-g50c2ab06f-master

Platform

$ uname -a
Linux user-GE40-2PC-Dragon-Eyes 6.2.0-33-generic #33~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Thu Sep  7 10:33:52 UTC 2 x86_64 x86_64 x86_64 GNU/Linux

Asan

[Dasher] No template assigned, using $File$_dash$FS$$Number$
=================================================================
==733818==ERROR: AddressSanitizer: memcpy-param-overlap: memory ranges [0x62a000066200,0x62a00006b01f) and [0x62a000066201, 0x62a00006b020) overlap
    #0 0x557430340e44 in __asan_memcpy (/home/user/fuzzing_gpac/gpac/bin/gcc/MP4Box+0x104e44) (BuildId: 53333ca7bff59dd9a3d1b2821e7c5f3a9aac76b9)
    #1 0x7f79be43cc7c in mpgviddmx_process /home/user/fuzzing_gpac/gpac/src/filters/reframe_mpgvid.c:959:7
    #2 0x7f79bdfafa33 in gf_filter_process_task /home/user/fuzzing_gpac/gpac/src/filter_core/filter.c:2971:7
    #3 0x7f79bdf7d47b in gf_fs_thread_proc /home/user/fuzzing_gpac/gpac/src/filter_core/filter_session.c:2105:3
    #4 0x7f79bdf7b5cf in gf_fs_run /home/user/fuzzing_gpac/gpac/src/filter_core/filter_session.c:2405:3
    #5 0x7f79bd82ac6a in gf_dasher_process /home/user/fuzzing_gpac/gpac/src/media_tools/dash_segmenter.c:1236:6
    #6 0x5574303a56dc in do_dash /home/user/fuzzing_gpac/gpac/applications/mp4box/mp4box.c:4831:15
    #7 0x557430396b6e in mp4box_main /home/user/fuzzing_gpac/gpac/applications/mp4box/mp4box.c:6245:7
    #8 0x7f79bc829d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #9 0x7f79bc829e3f in __libc_start_main csu/../csu/libc-start.c:392:3
    #10 0x5574302bedd4 in _start (/home/user/fuzzing_gpac/gpac/bin/gcc/MP4Box+0x82dd4) (BuildId: 53333ca7bff59dd9a3d1b2821e7c5f3a9aac76b9)

0x62a000066200 is located 0 bytes inside of 20000-byte region [0x62a000066200,0x62a00006b020)
allocated by thread T0 here:
    #0 0x557430342046 in __interceptor_realloc (/home/user/fuzzing_gpac/gpac/bin/gcc/MP4Box+0x106046) (BuildId: 53333ca7bff59dd9a3d1b2821e7c5f3a9aac76b9)
    #1 0x7f79be438447 in mpgviddmx_process /home/user/fuzzing_gpac/gpac/src/filters/reframe_mpgvid.c:670:21
    #2 0x7f79bdfafa33 in gf_filter_process_task /home/user/fuzzing_gpac/gpac/src/filter_core/filter.c:2971:7

0x62a000066201 is located 1 bytes inside of 20000-byte region [0x62a000066200,0x62a00006b020)
allocated by thread T0 here:
    #0 0x557430342046 in __interceptor_realloc (/home/user/fuzzing_gpac/gpac/bin/gcc/MP4Box+0x106046) (BuildId: 53333ca7bff59dd9a3d1b2821e7c5f3a9aac76b9)
    #1 0x7f79be438447 in mpgviddmx_process /home/user/fuzzing_gpac/gpac/src/filters/reframe_mpgvid.c:670:21
    #2 0x7f79bdfafa33 in gf_filter_process_task /home/user/fuzzing_gpac/gpac/src/filter_core/filter.c:2971:7

SUMMARY: AddressSanitizer: memcpy-param-overlap (/home/user/fuzzing_gpac/gpac/bin/gcc/MP4Box+0x104e44) (BuildId: 53333ca7bff59dd9a3d1b2821e7c5f3a9aac76b9) in __asan_memcpy
==733818==ABORTING
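To make the finding concrete, here is an added illustration (not gpac's code and not its fix in commit 4925c4): an overlap check equivalent to the one ASan applies to memcpy's parameters, exercised on the two addresses from the trace above, beside an in-place "drop leading bytes" shift written with memmove, which is defined for overlapping ranges where memcpy is not. The sample bytes are constructed and not taken from the PoC file.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Return 1 if the byte ranges [dst, dst+n) and [src, src+n) share any
 * address. This mirrors the check AddressSanitizer applies to memcpy's
 * parameters; addresses are compared as integers so the helper can be
 * exercised on raw values taken from a report. */
int ranges_overlap(const void *dst, const void *src, size_t n)
{
    uintptr_t d = (uintptr_t)dst, s = (uintptr_t)src;
    if (n == 0)
        return 0;
    return (d < s + n) && (s < d + n);
}

/* Discard the first `skip` bytes of a `len`-byte buffer in place and
 * return the new length. Source and destination live in the same
 * allocation (source starts `skip` bytes past destination), so the
 * ranges overlap whenever skip < len - skip; memcpy's contract forbids
 * that and ASan aborts on it, whereas memmove is defined for overlap. */
size_t drop_leading_bytes(uint8_t *buf, size_t len, size_t skip)
{
    if (skip >= len)
        return 0;
    size_t remaining = len - skip;
    memmove(buf, buf + skip, remaining);
    return remaining;
}

/* Constructed 8-byte sample: a 1-byte left shift, the same shape as the
 * report's 1-byte shift inside a 20000-byte region (dst = base,
 * src = base + 1). Returns 1 when the shifted content is as expected. */
int demo(void)
{
    uint8_t buf[8] = { 0x00, 0x00, 0x01, 0xB3, 0x12, 0x34, 0x56, 0x78 };
    size_t n = drop_leading_bytes(buf, sizeof buf, 1);
    return n == 7 && buf[0] == 0x00 && buf[1] == 0x01 && buf[2] == 0xB3
           && buf[6] == 0x78;
}
```

Run under `-fsanitize=address` with memmove replaced by memcpy in drop_leading_bytes and ASan reports the same memcpy-param-overlap class of error as the trace above.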

Reproduce

./MP4Box -dash 10000 poc

POC File

https://github.com/gandalf4a/crash_report/blob/main/gpac/MP4Box/poc2/mpo_104e44

Credit

Gandalf4a

Impact

This vulnerability allows a remote attacker to cause a denial of service on an affected gpac MP4Box. Exploiting this vulnerability requires user interaction, as the target must access a malicious page or open a malicious file.

We are processing your report and will contact the gpac team within 24 hours. 2 months ago
A GitHub Issue asking the maintainers to create a SECURITY.md exists 2 months ago
We have contacted a member of the gpac team and are waiting to hear back 2 months ago
gpac/gpac maintainer
2 months ago

Maintainer


https://github.com/gpac/gpac/issues/2636

gpac/gpac maintainer modified the Severity from Medium (6.8) to Medium (5.1) 2 months ago
The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
gpac/gpac maintainer validated this vulnerability 2 months ago
gandalf4a has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
gpac/gpac maintainer marked this as fixed in 2.3.0-DEV with commit 4925c4 2 months ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
gpac/gpac maintainer published this vulnerability 2 months ago
reframe_mpgvid.c#L959 has been validated
gandalf4a
2 months ago

Researcher


Can this vulnerability be applied for a CVE? @admin

Ben Harvie
2 months ago

Admin


CVE assignment is the maintainers' decision; if we can get confirmation from them, I can assign a CVE. Thanks!

gandalf4a
2 months ago

Researcher


The maintainers didn't seem to know how to do it; it was confirmed directly in the GitHub issue (https://github.com/gpac/gpac/issues/2636). Can we assign a CVE through this? Thanks! @admin
