Describe the bug
A heap-based buffer overflow was discovered in libgpac, during access to the array 'nalu' at an invalid address. The issue is triggered in the function gp_rtp_builder_do_avc() at ietf/rtp_pck_mpeg4.c.
Expected behavior
An attacker can exploit this vulnerability by submitting a malicious media file that exploits this issue. This will result in a Denial of Service (DoS) and potentially Information Exposure when the application attempts to process the file.
Screenshots
ASAN Reports
==69913==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000e5b6 at pc 0x000000aa4f31 bp 0x7ffd5bf2d4d0 sp 0x7ffd5bf2d4c0
READ of size 1 at 0x60200000e5b6 thread T0
    #0 0xaa4f30 in gp_rtp_builder_do_avc ietf/rtp_pck_mpeg4.c:435
    #1 0x915cce in gf_hinter_track_process media_tools/isom_hinter.c:779
    #2 0x41e0dc in HintFile (/usr/local/bin/MP4Box+0x41e0dc)
    #3 0x429806 in mp4boxMain (/usr/local/bin/MP4Box+0x429806)
    #4 0x7f015314c82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #5 0x41d668 in _start (/usr/local/bin/MP4Box+0x41d668)
0x60200000e5b6 is located 0 bytes to the right of 6-byte region [0x60200000e5b0,0x60200000e5b6)
allocated by thread T0 here:
    #0 0x7f0153ef0602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
    #1 0x7185f2 in Media_GetSample isomedia/media.c:490
SUMMARY: AddressSanitizer: heap-buffer-overflow ietf/rtp_pck_mpeg4.c:435 gp_rtp_builder_do_avc
Shadow bytes around the buggy address:
0x0c047fff9c60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9c70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9c80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9c90: fa fa fa fa fa fa 00 00 fa fa 00 00 fa fa 00 00
0x0c047fff9ca0: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 00
=>0x0c047fff9cb0: fa fa 00 fa fa fa[06]fa fa fa fd fa fa fa fd fa
0x0c047fff9cc0: fa fa fd fa fa fa fd fa fa fa fd fd fa fa fd fd
0x0c047fff9cd0: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fa
0x0c047fff9ce0: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 00
0x0c047fff9cf0: fa fa 00 00 fa fa 00 00 fa fa fd fd fa fa fd fd
0x0c047fff9d00: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
==69913==ABORTING
We found that the call stack reported by ASan is not accurate; the complete call stack should be as shown in the gdb debug below:
To Reproduce
Steps to reproduce the behavior:
MP4Box -hint $poc
poc can be found here.
Possible causes of vulnerability
Array 'nalu' accesses an invalid address
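As an added illustration of the bug class in this report (a 1-byte read just past the end of a heap sample buffer while indexing a NAL unit), here is a bounds-checked walk over length-prefixed NAL units. It is not GPAC code and not a statement of this issue's root cause; `count_nalus_checked`, its length-field-size parameter and the sample bytes are assumptions constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed 6-byte samples (not the PoC from the report). */
static const uint8_t sample_ok[6]       = {0x00, 0x00, 0x00, 0x02, 0x65, 0x88};
static const uint8_t sample_empty[6]    = {0x00, 0x02, 0x65, 0x88, 0x00, 0x00};
static const uint8_t sample_oversize[6] = {0x00, 0x00, 0x00, 0x09, 0x65, 0x88};

/* Hypothetical helper, not a GPAC function: walk the length-prefixed NAL
 * units of one sample. Returns the NAL count, or -1 if a length prefix or
 * payload would extend past sample_len. */
int count_nalus_checked(const uint8_t *sample, size_t sample_len, unsigned len_size)
{
    size_t pos = 0;
    int count = 0;

    if (!sample || len_size < 1 || len_size > 4)
        return -1;
    while (pos < sample_len) {
        size_t remaining = sample_len - pos;
        uint32_t nal_size = 0;

        if (remaining < len_size)            /* prefix must fit */
            return -1;
        for (unsigned i = 0; i < len_size; i++)
            nal_size = (nal_size << 8) | sample[pos + i];
        pos += len_size;
        remaining -= len_size;

        /* Reject empty NALs (no header byte to read) and sizes larger than
         * the bytes left; without this, sample[pos] can be one past the end. */
        if (nal_size == 0 || nal_size > remaining)
            return -1;
        uint8_t nal_type = sample[pos] & 0x1F;   /* in bounds: nal_size >= 1 */
        (void)nal_type;
        pos += nal_size;
        count++;
    }
    return count;
}

int main(void)
{
    printf("ok=%d empty=%d oversize=%d\n",
           count_nalus_checked(sample_ok, 6, 4),
           count_nalus_checked(sample_empty, 6, 2),
           count_nalus_checked(sample_oversize, 6, 4));
    return 0;
}
```

In `sample_empty`, the second length prefix is zero and ends exactly at byte 6, so a walker that reads the NAL header without the size check would touch the byte immediately to the right of the 6-byte allocation.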