buffer overflow issue 6# #1203

Closed
niugx opened this issue Feb 12, 2019 · 6 comments
@niugx
niugx commented Feb 12, 2019

There is a buffer overflow issue in the gf_import_message() function in media_import.c.

szMsg overflows when the SRT file contains more than one text line and the line is long enough.

```c
GF_Err gf_import_message(GF_MediaImporter *import, GF_Err e, char *format, ...)
{
	if (gf_log_tool_level_on(GF_LOG_AUTHOR, e ? GF_LOG_WARNING : GF_LOG_INFO)) {
		va_list args;
		char szMsg[1024];
		va_start(args, format);
		vsprintf(szMsg, format, args);
		va_end(args);
		GF_LOG((u32) (e ? GF_LOG_WARNING : GF_LOG_INFO), GF_LOG_AUTHOR, ("%s\n", szMsg) );
	}
	return e;
}
```

//////////////////////debug/////////////////////
(gdb) set args -srt 0 crafted_text.srt
(gdb) r
Starting program: /opt/niugx/cov_product/gpac/gpac-master/bin/gcc/MP4Box -srt 0 crafted_text.srt
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Timed Text (SRT) import - text track 400 x 60, font Serif (size 18)
Bad SRT formatting - expecting number got "hello world hello world hello world hello world hello world hello world hello world hello world hello world hello world hello world hello world hello world hello world hello world hello world hello world hello world hello world hello world hello world hello world hello world hello world hello world hello world hello world hello world hello world hello world hello world hello world hello world hello world hello world hello world hello world hello world hello world hello world hello world hello world hello world hello world hello world hello world hello world hello world hello world hello world hello world hello world hello world hello world hello world hello world hello world hello world hello world hello world hello world hello world hello world hello world hello world hello world hello world hello world hello world hello world hello world hello world hello world hello world hello world hello world hello world hello world hello world hello world hello world hello world hello world hello world hello world hel"
*** stack smashing detected ***: /opt/niugx/cov_product/gpac/gpac-master/bin/gcc/MP4Box terminated

Program received signal SIGABRT, Aborted.
0x00007ffff725bc37 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
56 ../nptl/sysdeps/unix/sysv/linux/raise.c: No such file or directory.
(gdb) bt
#0 0x00007ffff725bc37 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
#1 0x00007ffff725f028 in __GI_abort () at abort.c:89
#2 0x00007ffff72982a4 in __libc_message (do_abort=do_abort@entry=1, fmt=fmt@entry=0x7ffff73a4113 "*** %s ***: %s terminated\n") at ../sysdeps/posix/libc_fatal.c:175
#3 0x00007ffff732fbbc in __GI___fortify_fail (msg=, msg@entry=0x7ffff73a40fb "stack smashing detected") at fortify_fail.c:38
#4 0x00007ffff732fb60 in __stack_chk_fail () at stack_chk_fail.c:28
#5 0x00007ffff78b28eb in gf_import_message (import=0x7fffffff9b60, e=GF_CORRUPTED_DATA, format=0x7ffff7b3d7f0 "Bad SRT formatting - expecting number got "%s"") at media_tools/media_import.c:59
#6 0x00007ffff795db01 in gf_text_import_srt (import=0x7fffffff9b60) at media_tools/text_import.c:505
#7 0x00007ffff7966e38 in gf_import_timed_text (import=0x7fffffff9b60) at media_tools/text_import.c:2673
#8 0x00007ffff78ded42 in gf_media_import (importer=0x7fffffff9b60) at media_tools/media_import.c:10663
#9 0x000000000041c71c in mp4boxMain (argc=4, argv=0x7fffffffe548) at main.c:4129
#10 0x0000000000423d05 in main (argc=4, argv=0x7fffffffe548) at main.c:5712
(gdb)

Guoxiang Niu, EaglEye Team
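
The unbounded `vsprintf` into the 1024-byte `szMsg` reported above, rewritten with an explicit bound, as an added example that is not GPAC's code and not the content of the referenced patch. `format_bounded`, `demo_long_line` and `MSG_CAP` are hypothetical names, and the over-long line is constructed input.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define MSG_CAP 1024 /* same size as szMsg in the report */

/* Hypothetical helper (not a GPAC function): format into a fixed buffer
 * with an explicit bound. Returns 0 if the message fit, 1 if it was
 * truncated, -1 on a formatting error. */
static int format_bounded(char *dst, size_t cap, const char *format, ...)
{
	va_list args;
	int needed;

	va_start(args, format);
	/* vsnprintf writes at most cap bytes, terminating NUL included */
	needed = vsnprintf(dst, cap, format, args);
	va_end(args);

	if (needed < 0) {
		if (cap) dst[0] = '\0';
		return -1;
	}
	if ((size_t)needed >= cap) {
		/* make the cut visible to whoever reads the log */
		if (cap >= 4) memcpy(dst + cap - 4, "...", 4);
		return 1;
	}
	return 0;
}

/* Constructed input: a 4095-byte text line, far larger than the buffer.
 * Returns the helper's result, or -2 if bytes after the buffer changed. */
static int demo_long_line(void)
{
	struct { char msg[MSG_CAP]; unsigned char guard[16]; } frame;
	char line[4096];
	size_t i;
	int rc;

	memset(frame.guard, 0xA5, sizeof frame.guard);
	memset(line, 'A', sizeof line - 1);
	line[sizeof line - 1] = '\0';
	rc = format_bounded(frame.msg, sizeof frame.msg,
	                    "Bad SRT formatting - expecting number got \"%s\"", line);
	for (i = 0; i < sizeof frame.guard; i++)
		if (frame.guard[i] != 0xA5) return -2;
	return rc;
}
```
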

@rbouqueau
Contributor

@niugx I am not happy. Reporting vulnerabilities is a good thing, but propagating wrong information harms us. Could you please update https://tools.cisco.com/security/center/viewAlert.x?alertId=60006&vs_f=Alert%20RSS&vs_cat=Security%20Intelligence&vs_type=RSS&vs_p=GPAC%20gf_import_message()%20Function%20Buffer%20Overflow%20Vulnerability&vs_k=1 to tell that it has been fixed?

@niugx
Author

niugx commented Apr 19, 2019

Hi, I am sorry about it, but I don't know why they think the issue is not fixed. I am not a Cisco engineer; I guess they did not see the patch, so you can contact them directly to tell them it has been fixed.

@niugx
Author

niugx commented Apr 19, 2019

Next time, we can add a new comment for fixed status, and the patch link.

@niugx
Author

niugx commented Apr 19, 2019

Fixed.

Patch:
f461620

@rbouqueau
Contributor

Sounds fair, thanks for reacting.

@niugx
Author

niugx commented Apr 19, 2019

I have added a new comment about the fixed status and patch information for previous issues. I would like to continue testing GPAC when I am available.
