OOB read of Heap in gpac/gpac

Valid

Reported on

Oct 17th 2023


Environment

Distributor ID: Debian
Description:    Debian GNU/Linux bookworm/sid

Version

I checked against the latest release as of 10/17/23, the current master branch at commit 2fb17d2248bc88bd01434096e684d9b61d4d949b.

Description

This AddressSanitizer output indicates a large out-of-bounds (OOB) heap read past a buffer allocated in filein_initialize_ex at line 248 of src/filters/in_file.c. The fault occurs in mpgviddmx_process at line 1166 of src/filters/reframe_mpgvid.c. Because the fault is a read, the bad address comes from the memcpy source side (start and size), not the destination. The read size (5002 bytes) matches the size the while(remain) loop iterates over, and the read begins immediately after the end of the 5001-byte allocation, which indicates the loop is iterating one more time than it should.

src/filters/reframe_mpgvid.c:1158

//bytes come from both our store and the data packet
if (bytes_from_store) {
    memcpy(pck_data, ctx->hdr_store+current, bytes_from_store);
    assert(size >= bytes_from_store);
    size -= bytes_from_store;
    if (byte_offset != GF_FILTER_NO_BO) {
        gf_filter_pck_set_byte_offset(dst_pck, byte_offset - bytes_from_store);
    }
    memcpy(pck_data + bytes_from_store, start, (size_t) size);//ASAN report here
} else {
    //bytes only come from the data packet
    memcpy(pck_data, start, (size_t) size);
    if (byte_offset != GF_FILTER_NO_BO) {
        gf_filter_pck_set_byte_offset(dst_pck, byte_offset + start - (u8 *) data);
    }
}
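The copy pattern the report describes, as an added example that is not gpac's code: a self-contained model of the hdr_store/packet split copy using hypothetical names (demux_ctx_t, copy_frame_bytes, the sample_* buffers), in which the packet-side copy length is checked against the bytes actually remaining in the input packet before memcpy runs. The constructed inputs are a four-byte header store and an eight-byte packet; the first call is a legitimate split, the second asks for more bytes than the packet holds past the start offset and is refused instead of reading past the buffer.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for the reframer context: only the header store
   carried over from the previous packet is modelled. */
typedef struct {
    const uint8_t *hdr_store;
    size_t hdr_store_len;
} demux_ctx_t;

/* Copy `size` frame bytes into pck_data: `bytes_from_store` from the store
   at offset `current`, the rest from `data` starting at `start_off`.
   Returns the number of bytes copied, or -1 if any part of the request
   would read or write outside its buffer. */
int copy_frame_bytes(const demux_ctx_t *ctx, size_t current, size_t bytes_from_store,
                     const uint8_t *data, size_t data_len, size_t start_off,
                     size_t size, uint8_t *pck_data, size_t pck_cap)
{
    if (size > pck_cap) return -1;                      /* destination bound */
    if (bytes_from_store > size) return -1;             /* same condition as the assert */
    if (current > ctx->hdr_store_len ||
        bytes_from_store > ctx->hdr_store_len - current) return -1;  /* store bound */
    if (start_off > data_len) return -1;

    size_t remain = data_len - start_off;               /* bytes left in the packet */
    size_t from_packet = size - bytes_from_store;
    if (from_packet > remain) return -1;                /* the over-read the ASAN report shows */

    if (bytes_from_store)
        memcpy(pck_data, ctx->hdr_store + current, bytes_from_store);
    memcpy(pck_data + bytes_from_store, data + start_off, from_packet);
    return (int)size;
}

/* Constructed sample input (not taken from the POC file): a sequence start
   code left in the store and a small packet of payload bytes. */
static const uint8_t sample_store[] = { 0x00, 0x00, 0x01, 0xB3 };
static const uint8_t sample_data[]  = { 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88 };

/* Legitimate split: 3 store bytes from offset 1, then 5 packet bytes from offset 2.
   Returns 8 when the copy succeeded and the output matches, -2 on a content mismatch. */
int demo_valid_copy(void)
{
    demux_ctx_t ctx = { sample_store, sizeof sample_store };
    uint8_t out[16];
    static const uint8_t expect[8] = { 0x00, 0x01, 0xB3, 0x33, 0x44, 0x55, 0x66, 0x77 };
    int n = copy_frame_bytes(&ctx, 1, 3, sample_data, sizeof sample_data, 2, 8, out, sizeof out);
    if (n != 8) return n;
    return memcmp(out, expect, 8) == 0 ? n : -2;
}

/* Same split but `size` claims 10 bytes: 7 would have to come from a packet
   that only has 6 left past the start offset, so the copy is refused (-1). */
int demo_overread_rejected(void)
{
    demux_ctx_t ctx = { sample_store, sizeof sample_store };
    uint8_t out[16];
    return copy_frame_bytes(&ctx, 1, 3, sample_data, sizeof sample_data, 2, 10, out, sizeof out);
}

int main(void)
{
    printf("valid copy: %d\n", demo_valid_copy());            /* 8 */
    printf("over-read:  %d\n", demo_overread_rejected());     /* -1 */
    return 0;
}
```

The check on `from_packet` is the one that matters for this report: whatever arithmetic produced `size`, the packet-side memcpy can never read more than `remain` bytes, so a loop that runs one iteration too many fails closed instead of reading into the redzone.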

POC

./MP4Box -dash 1000 ./POC

POC File

ASAN

[Dasher] No template assigned, using $File$_dash$FS$$Number$
=================================================================
==328411==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62200000bc89 at pc 0x55d1e1252f47 bp 0x7ffd880e8470 sp 0x7ffd880e7c40
READ of size 5002 at 0x62200000bc89 thread T0
    #0 0x55d1e1252f46 in __asan_memcpy (/path/gpac/build4/bin/gcc/MP4Box+0x109f46) (BuildId: 07d4e21339b97d2fcf0fd0c64228219778b0247c)
    #1 0x7fbd664391df in mpgviddmx_process /path/gpac/src/filters/reframe_mpgvid.c:1166:4
    #2 0x7fbd65fad353 in gf_filter_process_task /path/gpac/src/filter_core/filter.c:2971:7
    #3 0x7fbd65f7ad9b in gf_fs_thread_proc /path/gpac/src/filter_core/filter_session.c:2105:3
    #4 0x7fbd65f78eef in gf_fs_run /path/gpac/src/filter_core/filter_session.c:2405:3
    #5 0x7fbd6582802a in gf_dasher_process /path/gpac/src/media_tools/dash_segmenter.c:1236:6
    #6 0x55d1e12b76dc in do_dash /path/gpac/applications/mp4box/mp4box.c:4831:15
    #7 0x55d1e12a8b6e in mp4box_main /path/gpac/applications/mp4box/mp4box.c:6245:7
    #8 0x7fbd64a461c9 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #9 0x7fbd64a46284 in __libc_start_main csu/../csu/libc-start.c:360:3
    #10 0x55d1e11d0dd0 in _start (/path/gpac/build4/bin/gcc/MP4Box+0x87dd0) (BuildId: 07d4e21339b97d2fcf0fd0c64228219778b0247c)

0x62200000bc89 is located 0 bytes to the right of 5001-byte region [0x62200000a900,0x62200000bc89)
allocated by thread T0 here:
    #0 0x55d1e1253c1e in malloc (/path/gpac/build4/bin/gcc/MP4Box+0x10ac1e) (BuildId: 07d4e21339b97d2fcf0fd0c64228219778b0247c)
    #1 0x7fbd661b7f9b in filein_initialize_ex /path/gpac/src/filters/in_file.c:248:16
    #2 0x7fbd65f9a754 in gf_filter_new_finalize /path/gpac/src/filter_core/filter.c:543:8

SUMMARY: AddressSanitizer: heap-buffer-overflow (/path/gpac/build4/bin/gcc/MP4Box+0x109f46) (BuildId: 07d4e21339b97d2fcf0fd0c64228219778b0247c) in __asan_memcpy
Shadow bytes around the buggy address:
  0x0c447fff9740: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c447fff9750: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c447fff9760: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c447fff9770: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c447fff9780: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c447fff9790: 00[01]fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c447fff97a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c447fff97b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c447fff97c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c447fff97d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c447fff97e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==328411==ABORTING

Impact

This vulnerability can crash the program (denial of service). An out-of-bounds heap read can also leak adjacent heap contents, which can serve as an information-disclosure primitive during exploitation.

We are processing your report and will contact the gpac team within 24 hours. 4 months ago
A GitHub Issue asking the maintainers to create a SECURITY.md exists 4 months ago
We have contacted a member of the gpac team and are waiting to hear back 4 months ago
gpac/gpac maintainer
4 months ago

https://github.com/gpac/gpac/issues/2651

Renzo
4 months ago

Researcher


Should I close this?

gpac/gpac maintainer validated this vulnerability 4 months ago
coolkingcole has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
gpac/gpac maintainer marked this as fixed in 2.3.0-DEV with commit db7483 4 months ago
The fix bounty has been dropped
This vulnerability has now been published 4 months ago
gpac/gpac maintainer
4 months ago

@Renzo Sorry for the delay, this one escaped us (we have no dashboard here). Thanks for the work!
