Description
- [x] I looked for a similar issue and couldn't find any.
- [x] I tried with the latest version of GPAC. Installers available at http://gpac.io/downloads/gpac-nightly-builds/
- [x] I give enough information for contributors to reproduce my issue (meaningful title, github labels, platform and compiler, command-line ...). I can share files anonymously with this dropbox: https://www.mediafire.com/filedrop/filedrop_hosted.php?drop=eec9e058a9486fe4e99c33021481d9e1826ca9dbc242a6cfaab0fe95da5e5d95
Describe the bug
A heap-based buffer overflow was discovered in libgpac: in the structure GF_SampleSizeBox ('stsz'), the member 'sizes' points to an invalid address. The issue is triggered in the function stbl_GetSampleSize() at isomedia/stbl_read.c.
To Reproduce
Steps to reproduce the behavior:
- Compile according to the default configuration
```sh
$ CC="gcc -fsanitize=address -g" CXX="g++ -fsanitize=address -g" ./configure --static-mp4box
$ make
```
- Execute the command
```sh
MP4Box -hint $poc
```
The poc can be found here.
Expected behavior
An attacker can exploit this vulnerability by submitting a malicious media file that exploits this issue. This will result in a Denial of Service (DoS) and potentially Information Exposure when the application attempts to process the file.
Screenshots
ASAN Reports
```
==94786==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61400000fdd0 at pc 0x000000744231 bp 0x7fffffff83c0 sp 0x7fffffff83b0
READ of size 4 at 0x61400000fdd0 thread T0
    #0 0x744230 in stbl_GetSampleSize isomedia/stbl_read.c:135
    #1 0x717f3d in Media_GetSample isomedia/media.c:418
    #2 0x6cd966 in gf_isom_get_sample_info isomedia/isom_read.c:1692
    #3 0x912ed8 in gf_media_get_sample_average_infos media_tools/isom_hinter.c:54
    #4 0x913d43 in gf_hinter_track_new media_tools/isom_hinter.c:560
    #5 0x41e02e in HintFile (/usr/local/bin/MP4Box+0x41e02e)
    #6 0x429806 in mp4boxMain (/usr/local/bin/MP4Box+0x429806)
    #7 0x7ffff615e82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #8 0x41d668 in _start (/usr/local/bin/MP4Box+0x41d668)

0x61400000fdd0 is located 0 bytes to the right of 400-byte region [0x61400000fc40,0x61400000fdd0)
allocated by thread T0 here:
    #0 0x7ffff6f02961 in realloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98961)
    #1 0x7516dd in stbl_AppendSize isomedia/stbl_write.c:1487

SUMMARY: AddressSanitizer: heap-buffer-overflow isomedia/stbl_read.c:135 stbl_GetSampleSize
Shadow bytes around the buggy address:
  0x0c287fff9f60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c287fff9f70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c287fff9f80: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c287fff9f90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c287fff9fa0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c287fff9fb0: 00 00 00 00 00 00 00 00 00 00[fa]fa fa fa fa fa
  0x0c287fff9fc0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c287fff9fd0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c287fff9fe0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c287fff9ff0: fd fd fd fd fd fd fd fd fd fd fd fd fa fa fa fa
  0x0c287fffa000: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
==94786==ABORTING
```
Possible causes of vulnerabilities
In the structure GF_SampleSizeBox ('stsz'), the member 'sizes' points to an invalid address:
```c
GF_Err stbl_GetSampleSize(GF_SampleSizeBox *stsz, u32 SampleNumber, u32 *Size)
{
	if (!stsz || !SampleNumber || SampleNumber > stsz->sampleCount) return GF_BAD_PARAM;
	(*Size) = 0;
	if (stsz->sampleSize && (stsz->type != GF_ISOM_BOX_TYPE_STZ2)) {
		(*Size) = stsz->sampleSize;
	} else if (stsz->sizes) {
		/* stbl_read.c:135 in the ASAN report: the index is checked only against the
		 * declared sampleCount, not against the allocated length of the sizes table */
		(*Size) = stsz->sizes[SampleNumber - 1];
	}
	return GF_OK;
}
```
System (please complete the following information):
- OS version: Ubuntu 16.04
- GPAC Version: GPAC 0.8.0-e10d39d-master branch
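A hardened version of the lookup shown under "Possible causes", added here as an illustration and not GPAC's own code or fix: a stand-in box carries an assumed `alloc_size` bookkeeping field recording how many entries were really allocated for `sizes`, and the index is checked against that as well as the declared `sampleCount`. The constructed box mirrors the report (100 entries, 400 bytes, allocated; 101 samples declared).

```c
#include <stdint.h>
#include <stdlib.h>
typedef uint32_t u32;
typedef enum { GF_OK = 0, GF_BAD_PARAM = -1, GF_ISOM_INVALID_FILE = -2 } GF_Err;
/* Stand-in for the 'stsz' box (not GPAC's GF_SampleSizeBox): sampleCount is declared
 * by the file; alloc_size (assumed bookkeeping) is how many u32 entries sizes really holds. */
typedef struct {
	u32 sampleCount;
	u32 sampleSize;   /* non-zero: every sample has this size, sizes unused */
	u32 alloc_size;
	u32 *sizes;
} SampleSizeBox;

/* Hardened lookup: the index is also bounded by what was allocated, so a file that
 * declares more samples than it carries size entries for gets an error, not an OOB read. */
GF_Err get_sample_size_checked(const SampleSizeBox *stsz, u32 SampleNumber, u32 *Size)
{
	if (!stsz || !Size || !SampleNumber || SampleNumber > stsz->sampleCount)
		return GF_BAD_PARAM;
	*Size = 0;
	if (stsz->sampleSize) { *Size = stsz->sampleSize; return GF_OK; }
	if (!stsz->sizes || SampleNumber > stsz->alloc_size)
		return GF_ISOM_INVALID_FILE;   /* declared count exceeds stored table */
	*Size = stsz->sizes[SampleNumber - 1];
	return GF_OK;
}

/* Constructed box mirroring the ASAN report: 100 entries (400 bytes) allocated
 * but 101 samples declared. Entry i holds 16*(i+1). */
SampleSizeBox *make_inconsistent_box(void)
{
	SampleSizeBox *b = calloc(1, sizeof *b);
	if (!b) return NULL;
	b->alloc_size = 100; b->sampleCount = 101;   /* declared count > allocated entries */
	b->sizes = calloc(b->alloc_size, sizeof(u32));
	if (!b->sizes) { free(b); return NULL; }
	for (u32 i = 0; i < b->alloc_size; i++) b->sizes[i] = 16 * (i + 1);
	return b;
}

/* Looks up one sample in that box; returns the size, or the negative GF_Err. */
long checked_size_in_inconsistent_box(u32 SampleNumber)
{
	u32 sz = 0;
	SampleSizeBox *b = make_inconsistent_box();
	if (!b) return GF_BAD_PARAM;
	GF_Err e = get_sample_size_checked(b, SampleNumber, &sz);
	free(b->sizes); free(b);
	return e == GF_OK ? (long)sz : (long)e;
}
```

Sample 101 passes the original `sampleCount` check but now fails the `alloc_size` check and is reported as an invalid file instead of being read past the 400-byte region.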