Heap-buffer-overflow isomedia/stbl_read.c:135 in stbl_GetSampleSize() #1482
Comments

fixed, thanks for the report

Bisecting this issue seems to indicate that it is fixed with e4ed32b, but this does not match the closing date on Jun 11 2020. Does it still make sense?
Describe the bug
A heap-based buffer overflow was discovered in libgpac: the GF_SampleSizeBox ('stsz') member 'sizes' points to an invalid address. The issue is triggered in the function stbl_GetSampleSize() at isomedia/stbl_read.c.
To Reproduce
Steps to reproduce the behavior:
MP4Box -hint $poc

poc can be found here.
Expected behavior
An attacker can exploit this vulnerability by submitting a malicious media file that exploits this issue. This will result in a Denial of Service (DoS) and potentially Information Exposure when the application attempts to process the file.
Screenshots
ASAN Reports
```
==94786==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61400000fdd0 at pc 0x000000744231 bp 0x7fffffff83c0 sp 0x7fffffff83b0
READ of size 4 at 0x61400000fdd0 thread T0
    #0 0x744230 in stbl_GetSampleSize isomedia/stbl_read.c:135
    #1 0x717f3d in Media_GetSample isomedia/media.c:418
    #2 0x6cd966 in gf_isom_get_sample_info isomedia/isom_read.c:1692
    #3 0x912ed8 in gf_media_get_sample_average_infos media_tools/isom_hinter.c:54
    #4 0x913d43 in gf_hinter_track_new media_tools/isom_hinter.c:560
    #5 0x41e02e in HintFile (/usr/local/bin/MP4Box+0x41e02e)
    #6 0x429806 in mp4boxMain (/usr/local/bin/MP4Box+0x429806)
    #7 0x7ffff615e82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #8 0x41d668 in _start (/usr/local/bin/MP4Box+0x41d668)

0x61400000fdd0 is located 0 bytes to the right of 400-byte region [0x61400000fc40,0x61400000fdd0)
allocated by thread T0 here:
    #0 0x7ffff6f02961 in realloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98961)
    #1 0x7516dd in stbl_AppendSize isomedia/stbl_write.c:1487

SUMMARY: AddressSanitizer: heap-buffer-overflow isomedia/stbl_read.c:135 stbl_GetSampleSize
Shadow bytes around the buggy address:
  0x0c287fff9f60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c287fff9f70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c287fff9f80: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c287fff9f90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c287fff9fa0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c287fff9fb0: 00 00 00 00 00 00 00 00 00 00[fa]fa fa fa fa fa
  0x0c287fff9fc0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c287fff9fd0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c287fff9fe0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c287fff9ff0: fd fd fd fd fd fd fd fd fd fd fd fd fa fa fa fa
  0x0c287fffa000: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
==94786==ABORTING
```

Possible causes of vulnerabilities
The GF_SampleSizeBox ('stsz') member 'sizes' points to an invalid address.
System (please complete the following information):
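As an added illustration of the check that stops this class of read overflow (example code written for this page, not gpac's own implementation): a minimal 'stsz' reader that refuses a sample count the payload does not back with data and bounds-checks every sample lookup against that count. The struct (only the 'sizes' member name comes from this report), the function names and the two payloads are constructed assumptions.

```c
/* Added example, not gpac's code: a bounds-checked reader for an ISO BMFF
 * 'stsz' (sample size) box payload; struct and payloads are constructed. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
typedef struct {
    uint32_t sample_size;   /* fixed size for all samples, or 0 for a table */
    uint32_t sample_count;
    uint32_t *sizes;        /* sample_count entries, only when sample_size == 0 */
} stsz_box;
static uint32_t rd32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}
/* payload = version/flags(4) sample_size(4) sample_count(4) [sizes: 4 bytes each]
 * Returns 0 on success, -1 when the declared count is not backed by payload bytes. */
int stsz_parse(const uint8_t *buf, size_t len, stsz_box *box) {
    memset(box, 0, sizeof(*box));
    if (len < 12) return -1;
    box->sample_size  = rd32(buf + 4);
    box->sample_count = rd32(buf + 8);
    if (box->sample_size != 0) return 0;               /* no per-sample table to read */
    if (box->sample_count > (len - 12) / 4) return -1; /* count exceeds data present */
    box->sizes = malloc((size_t)box->sample_count * sizeof(uint32_t));
    if (!box->sizes && box->sample_count) return -1;
    for (uint32_t i = 0; i < box->sample_count; i++)
        box->sizes[i] = rd32(buf + 12 + (size_t)i * 4);
    return 0;
}
/* 1-based sample number as in the ISO spec; rejects anything past sample_count,
 * so the table is never read one entry beyond its allocation. */
int stsz_get_sample_size(const stsz_box *box, uint32_t sample_number, uint32_t *out) {
    if (sample_number == 0 || sample_number > box->sample_count) return -1;
    *out = box->sample_size ? box->sample_size : box->sizes[sample_number - 1];
    return 0;
}
/* Constructed inputs: a consistent box with 3 entries, and one declaring 100
 * entries with only 3 present. Returns the number of checks that passed (4). */
int stsz_selftest(void) {
    uint8_t ok[24]  = {0,0,0,0, 0,0,0,0, 0,0,0,3,   0,0,0,10, 0,0,0,20, 0,0,0,30};
    uint8_t bad[24] = {0,0,0,0, 0,0,0,0, 0,0,0,100, 0,0,0,10, 0,0,0,20, 0,0,0,30};
    stsz_box b; uint32_t v; int passed = 0;
    passed += (stsz_parse(ok, sizeof ok, &b) == 0);
    passed += (stsz_get_sample_size(&b, 3, &v) == 0 && v == 30);
    passed += (stsz_get_sample_size(&b, 4, &v) == -1);   /* one past the table */
    free(b.sizes);
    passed += (stsz_parse(bad, sizeof bad, &b) == -1);   /* rejected at parse time */
    return passed;
}
```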