Heap-buffer-overflow ietf/rtp_pck_mpeg4.c:435 in gp_rtp_builder_do_avc() #1483

Closed
14isnot40 opened this issue May 13, 2020 · 1 comment

Describe the bug
A heap-based buffer overflow was discovered in libgpac, during which the array 'nalu' accesses an invalid address. The issue is triggered in the function gp_rtp_builder_do_avc() at ietf/rtp_pck_mpeg4.c.

To Reproduce
Steps to reproduce the behavior:

  1. Compile according to the default configuration
$ CC="gcc -fsanitize=address -g" CXX="g++ -fsanitize=address -g" ./configure --static-mp4box
$ make
  2. Execute the command
MP4Box -hint $poc

poc can be found here.

Expected behavior
An attacker can exploit this vulnerability by submitting a malicious media file that exploits this issue. This will result in a Denial of Service (DoS) and potentially Information Exposure when the application attempts to process the file.

Screenshots
ASan report

==69913==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000e5b6 at pc 0x000000aa4f31 bp 0x7ffd5bf2d4d0 sp 0x7ffd5bf2d4c0
READ of size 1 at 0x60200000e5b6 thread T0
    #0 0xaa4f30 in gp_rtp_builder_do_avc ietf/rtp_pck_mpeg4.c:435
    #1 0x915cce in gf_hinter_track_process media_tools/isom_hinter.c:779
    #2 0x41e0dc in HintFile (/usr/local/bin/MP4Box+0x41e0dc)
    #3 0x429806 in mp4boxMain (/usr/local/bin/MP4Box+0x429806)
    #4 0x7f015314c82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #5 0x41d668 in _start (/usr/local/bin/MP4Box+0x41d668)

0x60200000e5b6 is located 0 bytes to the right of 6-byte region [0x60200000e5b0,0x60200000e5b6)
allocated by thread T0 here:
    #0 0x7f0153ef0602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
    #1 0x7185f2 in Media_GetSample isomedia/media.c:490

SUMMARY: AddressSanitizer: heap-buffer-overflow ietf/rtp_pck_mpeg4.c:435 gp_rtp_builder_do_avc
Shadow bytes around the buggy address:
  0x0c047fff9c60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9c70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9c80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9c90: fa fa fa fa fa fa 00 00 fa fa 00 00 fa fa 00 00
  0x0c047fff9ca0: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 00
=>0x0c047fff9cb0: fa fa 00 fa fa fa[06]fa fa fa fd fa fa fa fd fa
  0x0c047fff9cc0: fa fa fd fa fa fa fd fa fa fa fd fd fa fa fd fd
  0x0c047fff9cd0: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fa
  0x0c047fff9ce0: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 00
  0x0c047fff9cf0: fa fa 00 00 fa fa 00 00 fa fa fd fd fa fa fd fd
  0x0c047fff9d00: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
==69913==ABORTING

We found that the call stack reported by ASan is not accurate; the complete call stack should be as shown in the gdb output below:

Program received signal SIGSEGV, Segmentation fault.
0xffffffffcd404790 in ?? ()
[ Legend: Modified register | Code | Heap | Stack | String ]
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── registers ────
$rax   : 0x0               
$rbx   : 0x0               
$rcx   : 0x6               
$rdx   : 0x6               
$rsp   : 0x00007fffffff8cb8  →  0x0000000000aa4f31  →  <gp_rtp_builder_do_avc+3265> call 0x403d50 <__asan_report_load8@plt>
$rbp   : 0x59e             
$rsi   : 0x0               
$rdi   : 0x000060200000e5b6  →  0x0000000000000000
$rip   : 0xffffffffcd404790
$r8    : 0x00007ffff7fcf778  →  0x0000000000000000
$r9    : 0x74d1            
$r10   : 0x000060200000e4b0  →  0x0000000000000000
$r11   : 0x00007fffffff82e0  →  0x00007ffff6f02603  →  <malloc+227> mov edi, DWORD PTR [r13+0x0]
$r12   : 0x000060200000e5b6  →  0x0000000000000000
$r13   : 0x1               
$r14   : 0x0               
$r15   : 0x000061600000ea80  →  0x0000000000000100
$eflags: [carry PARITY adjust zero sign trap INTERRUPT direction overflow RESUME virtualx86 identification]
$cs: 0x0033 $ss: 0x002b $ds: 0x0000 $es: 0x0000 $fs: 0x0000 $gs: 0x0000 
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── stack ────
0x00007fffffff8cb8│+0x0000: 0x0000000000aa4f31  →  <gp_rtp_builder_do_avc+3265> call 0x403d50 <__asan_report_load8@plt>$rsp
0x00007fffffff8cc0│+0x0008: 0x00007fffffff8dc0  →  0x0000000000000001
0x00007fffffff8cc8│+0x0010: 0x000061600000ec98  →  0x0000000000000000
0x00007fffffff8cd0│+0x0018: 0x000060800000b66c  →  0x0000000000000000
0x00007fffffff8cd8│+0x0020: 0x000060800000b670  →  0x0000000000000000
0x00007fffffff8ce0│+0x0028: 0x00007fffffff8ee0  →  0x0000000000000001
0x00007fffffff8ce8│+0x0030: 0x00000ffffffff1a6  →  0x0000000000000000
0x00007fffffff8cf0│+0x0038: 0x00007fffffff8d20  →  0x0000000041b58ab3
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── code:x86:64 ────
[!] Cannot disassemble from $PC
[!] Cannot access memory at address 0xffffffffcd404790
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── threads ────
[#0] Id 1, Name: "MP4Box", stopped, reason: SIGSEGV
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── trace ────
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
gef➤  bt
#0  0xffffffffcd404790 in ?? ()
#1  0x0000000000aa4f31 in gp_rtp_builder_do_avc (builder=0x61600000ea80, nalu=0x60200000e5b6 "", nalu_size=0x0, IsAUEnd=<optimized out>, FullAUSize=<optimized out>) at ietf/rtp_pck_mpeg4.c:435
#2  0x0000000000a97ef4 in gf_rtp_builder_process (builder=<optimized out>, data=data@entry=0x60200000e5b6 "", data_size=<optimized out>, IsAUEnd=<optimized out>, FullAUSize=<optimized out>, duration=duration@entry=0x1, descIndex=0x82) at ietf/rtp_packetizer.c:109
#3  0x0000000000915ccf in gf_hinter_track_process (tkHint=0x60700000cf80) at media_tools/isom_hinter.c:779
#4  0x000000000041e0dd in HintFile ()
#5  0x0000000000429807 in mp4boxMain ()
#6  0x00007ffff615e830 in __libc_start_main () from /lib/x86_64-linux-gnu/libc.so.6
#7  0x000000000041d669 in _start ()

Possible cause of the vulnerability
Array 'nalu' accesses an invalid address

	if (!builder->bytesInPacket) {
		builder->rtp_header.PayloadType = builder->PayloadType;
		builder->rtp_header.TimeStamp = (u32) builder->sl_header.compositionTimeStamp;
		builder->rtp_header.SequenceNumber += 1;
		builder->OnNewPacket(builder->cbk_obj, &builder->rtp_header);
		builder->avc_non_idr = GF_TRUE;
	}

	/*check NAL type to see if disposable or not*/
	/*rtp_pck_mpeg4.c:435: nalu[0] is read without consulting nalu_size; in the gdb frame
	  above nalu_size is 0 and nalu points at the end of the 6-byte sample buffer, so this
	  read lands one byte past the allocation*/
	nal_type = nalu[0] & 0x1F;

System (please complete the following information):

  • OS version : Ubuntu 16.04
  • GPAC Version : GPAC 0.8.0-e10d39d-master branch
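What the ASan and gdb output above amounts to, as an added example that is not code from this issue or from GPAC: the packetizer is handed nalu pointing one byte past a 6-byte sample buffer together with nalu_size == 0, and dereferences nalu[0] anyway. The C below models that pattern with hypothetical names (nal_type_unchecked, nal_type_checked, walk_avc_sample, sample_nal_types) and constructed sample bytes. It shows the header-byte read with and without a size guard, and a length-prefixed AVC NAL walker that refuses to emit a zero-length, truncated or overrunning NAL unit, so the packetizer never receives such a pointer in the first place. How GPAC's own hinter walks the sample, and what the maintainer's fix changed, are not on this page and are not assumed here.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* One NAL unit located inside a sample buffer (hypothetical type). */
typedef struct {
    const uint8_t *nalu;
    uint32_t nalu_size;
} nal_ref;

/* Unchecked form, mirroring the pattern at rtp_pck_mpeg4.c:435: the NAL
 * header byte is read without consulting nalu_size. With nalu_size == 0
 * and nalu one past the end of a 6-byte sample (the gdb frame above),
 * this is a one-byte heap out-of-bounds read. Never call it that way. */
static int nal_type_unchecked(const uint8_t *nalu, uint32_t nalu_size)
{
    (void)nalu_size;
    return nalu[0] & 0x1F;
}

/* Guarded form: an empty NAL unit is rejected before any dereference.
 * Returns nal_unit_type, or -1 so the caller can drop the unit. */
static int nal_type_checked(const uint8_t *nalu, uint32_t nalu_size)
{
    if (nalu == NULL || nalu_size == 0)
        return -1;
    return nalu[0] & 0x1F;
}

/* Big-endian NAL length prefix of 1, 2 or 4 bytes (avcC lengthSizeMinusOne + 1). */
static uint32_t read_nal_len(const uint8_t *p, unsigned len_size)
{
    uint32_t v = 0;
    for (unsigned i = 0; i < len_size; i++)
        v = (v << 8) | p[i];
    return v;
}

/* Walk a length-prefixed AVC sample and collect NAL references.
 * Rejects a truncated length field, a zero-length NAL unit and a length
 * that overruns the sample, so every (nalu, nalu_size) handed on points
 * at nalu_size >= 1 bytes that lie inside the buffer.
 * Returns the number of NAL units found, or -1 for a malformed sample. */
static int walk_avc_sample(const uint8_t *sample, size_t sample_len,
                           unsigned len_size, nal_ref *out, size_t max_out)
{
    size_t off = 0, n = 0;
    if (!(len_size == 1 || len_size == 2 || len_size == 4))
        return -1;
    while (off < sample_len) {
        if (sample_len - off < len_size)
            return -1;                       /* truncated length field */
        uint32_t sz = read_nal_len(sample + off, len_size);
        off += len_size;
        if (sz == 0 || sz > sample_len - off)
            return -1;                       /* empty NAL unit or overrun */
        if (n == max_out)
            return -1;
        out[n].nalu = sample + off;
        out[n].nalu_size = sz;
        n++;
        off += sz;
    }
    return (int)n;
}

/* nal_unit_type of every NAL unit in a sample, via the guarded path only.
 * Returns the count, or -1 if the sample is malformed. */
static int sample_nal_types(const uint8_t *sample, size_t sample_len,
                            unsigned len_size, int *types, size_t max_types)
{
    nal_ref refs[16];
    int n = walk_avc_sample(sample, sample_len, len_size, refs, 16);
    if (n < 0 || (size_t)n > max_types)
        return -1;
    for (int i = 0; i < n; i++) {
        types[i] = nal_type_checked(refs[i].nalu, refs[i].nalu_size);
        if (types[i] < 0)
            return -1;
    }
    return n;
}

/* Constructed samples (not taken from the PoC). good_sample is 6 bytes like
 * the ASan region: a 4-byte length of 2, then header 0x65 (nal_unit_type 5,
 * IDR slice) and one payload byte. The others are deliberately malformed. */
static const uint8_t good_sample[6]     = { 0x00, 0x00, 0x00, 0x02, 0x65, 0x88 };
static const uint8_t bad_sample[6]      = { 0x00, 0x00, 0x00, 0x10, 0x65, 0x88 }; /* claims 16 bytes */
static const uint8_t zero_len_sample[6] = { 0x00, 0x00, 0x00, 0x00, 0x65, 0x88 }; /* empty NAL */
static const uint8_t trunc_sample[3]    = { 0x00, 0x00, 0x00 };                   /* cut inside length */
static const uint8_t two_nal_sample[6]  = { 0x00, 0x01, 0x65, 0x00, 0x01, 0x41 }; /* len_size 2 */

int main(void)
{
    int types[4];
    int n = sample_nal_types(good_sample, sizeof good_sample, 4, types, 4);
    printf("good sample: %d NAL unit(s), first nal_unit_type=%d\n", n, n > 0 ? types[0] : -1);
    printf("bad sample: %d\n", sample_nal_types(bad_sample, sizeof bad_sample, 4, types, 4));
    /* The exact argument pair from the gdb frame: end-of-buffer pointer, size 0. */
    printf("guarded read at end of buffer: %d\n", nal_type_checked(good_sample + 6, 0));
    return 0;
}
```

Forming good_sample + 6 is legal C (a one-past-the-end pointer); only dereferencing it is not, which is exactly what the guard in nal_type_checked prevents and what nal_type_unchecked would do. Under ASan, calling nal_type_unchecked(good_sample + 6, 0) reproduces the same class of report as the one above, a one-byte READ 0 bytes to the right of the region.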
jeanlf added a commit that referenced this issue Jun 11, 2020

jeanlf commented Jun 11, 2020

fixed, thanks for the report
