2 stack-buffer-overflow in MP4Box in gpac/gpac

Valid

Reported on

Oct 11th 2023


Description

2 stack-buffer-overflow in MP4Box

Version

$ ./MP4Box -version
MP4Box - GPAC version 2.3-DEV-rev566-g50c2ab06f-master

Platform

$ uname -a
Linux user-GE40-2PC-Dragon-Eyes 6.2.0-33-generic #33~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Thu Sep  7 10:33:52 UTC 2 x86_64 x86_64 x86_64 GNU/Linux

Reproduce

./MP4Box -dash 10000 poc

Credit

Gandalf4a

Impact

This vulnerability allows a remote attacker to cause a denial of service, or potentially arbitrary code execution, on a system running an affected gpac MP4Box build. Exploiting it requires user interaction: the target must open a malicious file, or visit a malicious page that delivers one.

Occurrences

stack-buffer-overflow in /gpac/src/media_tools/mpegts.c:2471:21 in gf_m2ts_get_adaptation_field

poc

https://github.com/gandalf4a/crash_report/blob/main/gpac/MP4Box/poc2/sbo_2471

asan

[MPEG-2 TS] PID 1024: Bad Adaptation Descriptor found (tag 71) size is 71 but only 67 bytes available
[MPEG-2 TS] PID 1024: Bad Adaptation Descriptor found (tag 71) size is 71 but only 67 bytes available
[MPEG-2 TS] TS Packet 3 is scrambled - not supported
[MPEG-2 TS] PID 1863: Bad Adaptation Extension found
[MPEG-2 TS] TS Packet 5 is scrambled - not supported
[MPEG-2 TS] TS Packet 6 is scrambled - not supported
[MPEG-2 TS] TS Packet 7 is scrambled - not supported
[MPEG-2 TS] TS Packet 8 is scrambled - not supported
[MPEG-2 TS] TS Packet 9 is scrambled - not supported
[MPEG-2 TS] TS Packet 10 is scrambled - not supported
[MPEG-2 TS] TS Packet 11 is scrambled - not supported
[MPEG-2 TS] TS Packet 12 is scrambled - not supported
[MPEG-2 TS] TS Packet 13 is scrambled - not supported
[MPEG-2 TS] TS Packet 14 is scrambled - not supported
[MPEG-2 TS] TS Packet 15 is scrambled - not supported
[MPEG-2 TS] TS Packet 16 is scrambled - not supported
[MPEG-2 TS] TS Packet 17 is scrambled - not supported
[MPEG-2 TS] TS Packet 18 is scrambled - not supported
[MPEG-2 TS] TS Packet 19 is scrambled - not supported
[MPEG-2 TS] TS Packet 20 is scrambled - not supported
[MPEG-2 TS] TS Packet 21 is scrambled - not supported
[MPEG-2 TS] TS Packet 22 is scrambled - not supported
[MPEG-2 TS] TS Packet 23 is scrambled - not supported
[MPEG-2 TS] TS Packet 24 does not start with sync marker
[MPEG-2 TS] TS Packet 25 AF size is 71 when it must be 183 for AF type 2
[MPEG-2 TS] TS Packet 26 does not start with sync marker
[MPEG-2 TS] TS Packet 27 does not start with sync marker
[MPEG-2 TS] PID 1863: Bad Adaptation Extension found
=================================================================
==738023==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffd6b7fb75f at pc 0x7ff78ccec2b9 bp 0x7ffd6b7fb630 sp 0x7ffd6b7fb628
WRITE of size 1 at 0x7ffd6b7fb75f thread T0
    #0 0x7ff78ccec2b8 in gf_m2ts_get_adaptation_field /home/user/fuzzing_gpac/gpac/src/media_tools/mpegts.c:2471:21
    #1 0x7ff78cce0114 in gf_m2ts_process_packet /home/user/fuzzing_gpac/gpac/src/media_tools/mpegts.c:2565:16
    #2 0x7ff78ccdf236 in gf_m2ts_process_data /home/user/fuzzing_gpac/gpac/src/media_tools/mpegts.c:2842:18
    #3 0x7ff78d512ca8 in m2tsdmx_configure_pid /home/user/fuzzing_gpac/gpac/src/filters/dmx_m2ts.c:1173:5
    #4 0x7ff78d30740c in gf_filter_pid_configure /home/user/fuzzing_gpac/gpac/src/filter_core/filter_pid.c:876:6
    #5 0x7ff78d3262a6 in gf_filter_pid_connect_task /home/user/fuzzing_gpac/gpac/src/filter_core/filter_pid.c:1230:3
    #6 0x7ff78d37d47b in gf_fs_thread_proc /home/user/fuzzing_gpac/gpac/src/filter_core/filter_session.c:2105:3
    #7 0x7ff78d37b5cf in gf_fs_run /home/user/fuzzing_gpac/gpac/src/filter_core/filter_session.c:2405:3
    #8 0x7ff78cc2ac6a in gf_dasher_process /home/user/fuzzing_gpac/gpac/src/media_tools/dash_segmenter.c:1236:6
    #9 0x564f871ee6dc in do_dash /home/user/fuzzing_gpac/gpac/applications/mp4box/mp4box.c:4831:15
    #10 0x564f871dfb6e in mp4box_main /home/user/fuzzing_gpac/gpac/applications/mp4box/mp4box.c:6245:7
    #11 0x7ff78bc29d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #12 0x7ff78bc29e3f in __libc_start_main csu/../csu/libc-start.c:392:3
    #13 0x564f87107dd4 in _start (/home/user/fuzzing_gpac/gpac/bin/gcc/MP4Box+0x82dd4) (BuildId: 53333ca7bff59dd9a3d1b2821e7c5f3a9aac76b9)

Address 0x7ffd6b7fb75f is located in stack of thread T0 at offset 287 in frame
    #0 0x7ff78cceacdf in gf_m2ts_get_adaptation_field /home/user/fuzzing_gpac/gpac/src/media_tools/mpegts.c:2350

  This frame has 2 object(s):
    [32, 287) 'URL' (line 2442) <== Memory access at offset 287 overflows this variable
    [352, 392) 'temi_loc' (line 2443)
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow /home/user/fuzzing_gpac/gpac/src/media_tools/mpegts.c:2471:21 in gf_m2ts_get_adaptation_field
Shadow bytes around the buggy address:
  0x10002d6f7690: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10002d6f76a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10002d6f76b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10002d6f76c0: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00 00 00 00
  0x10002d6f76d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x10002d6f76e0: 00 00 00 00 00 00 00 00 00 00 00[07]f2 f2 f2 f2
  0x10002d6f76f0: f2 f2 f2 f2 00 00 00 00 00 f3 f3 f3 f3 f3 f3 f3
  0x10002d6f7700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10002d6f7710: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10002d6f7720: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10002d6f7730: f1 f1 f1 f1 00 02 f2 f2 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==738023==ABORTING
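The frame dump above places the 1-byte write at offset 287, one past the end of the 255-byte 'URL' buffer ([32, 287)), and the log lines show a descriptor whose declared size (71) exceeds the bytes left in the adaptation field (67). The C below is an added illustration of the two bounds a descriptor parser has to enforce; it is not gpac's code or its fix. The declared length is checked against the bytes remaining before any payload is read, and a string payload is copied into the fixed buffer only when it leaves room for the terminator. The tag value 71, the (tag, length, payload) layout, and the sample bytes are constructed for the example.

```c
#include <stdint.h>
#include <string.h>
#define URL_BUF_SIZE 255 /* size of the 'URL' frame object in the ASan report */
#define STRING_TAG   71  /* constructed tag value, borrowed from the log lines */
enum { DESC_OK = 0, DESC_TRUNCATED = -1, DESC_TOO_LONG = -2 };

/* Copy an unterminated payload into a fixed buffer. Refusing len >= out_size
 * keeps the terminator off out[out_size], the one-byte write just past a
 * 255-byte buffer that ASan reports at frame offset 287. */
static int copy_bounded(char *out, size_t out_size, const uint8_t *src, size_t len)
{
    if (len >= out_size)
        return DESC_TOO_LONG;
    memcpy(out, src, len);
    out[len] = '\0';
    return DESC_OK;
}

/* Walk a (tag, length, payload) list of `avail` bytes. The declared length is
 * checked against what remains before any payload byte is read ("size is N but
 * only M bytes available"). Returns the descriptor count or a DESC_* error. */
int walk_descriptors(const uint8_t *data, size_t avail, char *url, size_t url_size)
{
    size_t pos = 0; int count = 0;
    while (pos + 2 <= avail) {
        uint8_t tag = data[pos];
        size_t len = data[pos + 1];
        pos += 2;
        if (len > avail - pos)
            return DESC_TRUNCATED;
        if (tag == STRING_TAG) {
            int rc = copy_bounded(url, url_size, data + pos, len);
            if (rc != DESC_OK) return rc;
        }
        pos += len;
        count++;
    }
    return count;
}

/* Constructed input: one descriptor with tag 71 declaring `declared` payload
 * bytes while only `present` (<= 255) bytes actually follow it. */
int check_descriptor(uint8_t declared, size_t present)
{
    uint8_t pkt[2 + 255] = {0};
    char url[URL_BUF_SIZE];
    pkt[0] = STRING_TAG; pkt[1] = declared;
    return walk_descriptors(pkt, 2 + present, url, sizeof url);
}
```

With the log's numbers (declared 71, 67 present) the walk stops at DESC_TRUNCATED before touching the payload; a well-formed 255-byte string is refused with DESC_TOO_LONG instead of terminating at url[255].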
We are processing your report and will contact the gpac team within 24 hours. 2 months ago
A GitHub Issue asking the maintainers to create a SECURITY.md exists 2 months ago
We have contacted a member of the gpac team and are waiting to hear back 2 months ago
gpac/gpac maintainer
2 months ago

Maintainer


https://github.com/gpac/gpac/issues/2634

gpac/gpac maintainer modified the Severity from Medium (6.8) to Medium (5.1) 2 months ago
The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
gpac/gpac maintainer validated this vulnerability 2 months ago
gandalf4a has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
gpac/gpac maintainer marked this as fixed in 2.3.0-DEV with commit e9b913 2 months ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
gpac/gpac maintainer published this vulnerability 2 months ago
mpegts.c#L2471 has been validated
gandalf4a
2 months ago

Researcher


Can this vulnerability be applied for a CVE? @admin

Ben Harvie
2 months ago

Admin


CVE assignment is the maintainers' decision; if we can get confirmation from them, I can assign a CVE. Thanks!

gandalf4a
2 months ago

Researcher


The maintainers didn't seem to know how to do it; they confirmed it directly in the GitHub issue (https://github.com/gpac/gpac/issues/2634). Can we assign a CVE through this? Thanks! @admin
