Describe the bug
A heap-based buffer overflow was discovered in libgpac, during the pointer ptr points to the wrong memory area operation. The issue is being triggered in the function gf_hinter_track_process() at isom_hinter_track_process.c.
To Reproduce
Steps to reproduce the behavior:
Compile gpac according to the default configuration
Expected behavior
An attacker can exploit this vulnerability by submitting a malicious media file that exploits this issue. This will result in a Denial of Service (DoS) and potentially Information Exposure when the application attempts to process the file.
Screenshots
ASAN Reports
==32436==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000e7f9 at pc 0x7ffff44178c2 bp 0x7fffffff8de0 sp 0x7fffffff8dd0
READ of size 1 at 0x60200000e7f9 thread T0
#0 0x7ffff44178c1 in gf_hinter_track_process (/usr/local/lib/libgpac.so.8+0x24ce8c1)#1 0x40e68c in HintFile (/usr/local/bin/MP4Box+0x40e68c)#2 0x419db6 in mp4boxMain (/usr/local/bin/MP4Box+0x419db6)#3 0x7ffff1b9f82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)#4 0x40dc18 in _start (/usr/local/bin/MP4Box+0x40dc18)
0x60200000e7f9 is located 0 bytes to the right of 9-byte region [0x60200000e7f0,0x60200000e7f9)
allocated by thread T0 here:
#0 0x7ffff6f02602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)#1 0x7ffff3f83fb8 in Media_GetSample (/usr/local/lib/libgpac.so.8+0x203afb8)
SUMMARY: AddressSanitizer: heap-buffer-overflow ??:0 gf_hinter_track_process
Shadow bytes around the buggy address:
0x0c047fff9ca0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9cb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9cc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9cd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9ce0: fa fa fa fa fa fa fa fa fa fa 00 00 fa fa 00 00
=>0x0c047fff9cf0: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00[01]
0x0c047fff9d00: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
0x0c047fff9d10: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
0x0c047fff9d20: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
0x0c047fff9d30: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
0x0c047fff9d40: fa fa fd fd fa fa fd fd fa fa 04 fa fa fa fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
==32436==ABORTING
Possible causes of vulnerabilities is in the function gf_hinter_track_process() at isom_hinter_track_process.c.
while (remain) {
size = 0;
v = tkHint->avc_nalu_size;
while (v) {
size |= (u8) *ptr;
ptr++;
remain--;
v-=1;
if (v) size<<=8;
}
System (please complete the following information):
OS version : Ubuntu 16.04
GPAC Version : GPAC 0.8.0-e10d39d-master branch
The text was updated successfully, but these errors were encountered:
Describe the bug
A heap-based buffer overflow was discovered in libgpac, during the pointer ptr points to the wrong memory area operation. The issue is being triggered in the function gf_hinter_track_process() at isom_hinter_track_process.c.
To Reproduce
Steps to reproduce the behavior:
MP4Box -hint $pocpoc can be found here.
Expected behavior
An attacker can exploit this vulnerability by submitting a malicious media file that exploits this issue. This will result in a Denial of Service (DoS) and potentially Information Exposure when the application attempts to process the file.
Screenshots
ASAN Reports
==32436==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000e7f9 at pc 0x7ffff44178c2 bp 0x7fffffff8de0 sp 0x7fffffff8dd0 READ of size 1 at 0x60200000e7f9 thread T0 #0 0x7ffff44178c1 in gf_hinter_track_process (/usr/local/lib/libgpac.so.8+0x24ce8c1) #1 0x40e68c in HintFile (/usr/local/bin/MP4Box+0x40e68c) #2 0x419db6 in mp4boxMain (/usr/local/bin/MP4Box+0x419db6) #3 0x7ffff1b9f82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f) #4 0x40dc18 in _start (/usr/local/bin/MP4Box+0x40dc18) 0x60200000e7f9 is located 0 bytes to the right of 9-byte region [0x60200000e7f0,0x60200000e7f9) allocated by thread T0 here: #0 0x7ffff6f02602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602) #1 0x7ffff3f83fb8 in Media_GetSample (/usr/local/lib/libgpac.so.8+0x203afb8) SUMMARY: AddressSanitizer: heap-buffer-overflow ??:0 gf_hinter_track_process Shadow bytes around the buggy address: 0x0c047fff9ca0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c047fff9cb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c047fff9cc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c047fff9cd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c047fff9ce0: fa fa fa fa fa fa fa fa fa fa 00 00 fa fa 00 00 =>0x0c047fff9cf0: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00[01] 0x0c047fff9d00: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd 0x0c047fff9d10: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd 0x0c047fff9d20: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd 0x0c047fff9d30: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd 0x0c047fff9d40: fa fa fd fd fa fa fd fd fa fa 04 fa fa fa fd fd Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Heap right redzone: fb Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack partial redzone: f4 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe ==32436==ABORTINGPossible causes of vulnerabilities is in the function gf_hinter_track_process() at isom_hinter_track_process.c.
System (please complete the following information):
The text was updated successfully, but these errors were encountered: