Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

A Integer Overflow in function gf_avc_read_pps_bs_internal #1720

Closed
treebacker opened this issue Mar 29, 2021 · 1 comment
Closed

A Integer Overflow in function gf_avc_read_pps_bs_internal #1720

treebacker opened this issue Mar 29, 2021 · 1 comment

Comments

@treebacker
Copy link

treebacker commented Mar 29, 2021

There is a integer overflow in media_tools/av_parsers.c:5349, function gf_avc_read_pps_bs_internal.
Below code:
pps_id = gf_bs_read_ue_log(bs, "pps_id"); if (pps_id >= 255) { return -1; } pps = &avc->pps[pps_id]; pps->id = pps_id;
pps_id may be a negative number, so will not return.
However, avc->pps only has 255 unit, so overflow, which results a crash .

More than, because of the pps->id = pps_id, the vuln may lead to an any addr write.

In command Line:
gpac -info bug3
bug3_cmd

In gdb:
bug3

The crafted file is in the attached zip:
bug3.zip

@jeanlf
Copy link
Contributor

jeanlf commented Mar 29, 2021

could not reproduce crash with latest master, but added safety checks. Thanks for the report

@jeanlf jeanlf closed this as completed Mar 29, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants