When GPAC tries to parse an MP4 file, it calls the function diST_box_read() to read from the video. In this function, it allocates a buffer str with a fixed length. However, the content read from bs is controllable by the user, and so is its length, which causes a buffer overflow.
char str[1024];   /* fixed-size stack buffer */
i=0;
str[0]=0;
while (1) {       /* no bound on i: a string longer than 1023 bytes runs past str */
    str[i] = gf_bs_read_u8(bs);
    if (!str[i]) break;
    i++;
}
Impact
Since the video content is fully controllable by the user, an unlimited length causes a stack overflow, corrupting the canary or even leading to a shell.
Mitigation
We can simply impose a length limit, keeping it below 1024 bytes. See pull request #2174.
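A bounded version of the read loop, as an added example: this is not GPAC's code and not the exact change in pull request #2174. ToyBitStream and toy_bs_read_u8() are constructed stand-ins for GF_BitStream and gf_bs_read_u8(), and the demo functions and their inputs are constructed as well.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed stand-in for GPAC's GF_BitStream (not the project's API):
 * a byte buffer with a cursor; returns 0 once the data is exhausted. */
typedef struct {
    const uint8_t *data;
    size_t len;
    size_t pos;
} ToyBitStream;

static uint8_t toy_bs_read_u8(ToyBitStream *bs) {
    if (bs->pos >= bs->len) return 0;
    return bs->data[bs->pos++];
}

/* Bounded replacement for the unbounded loop in diST_box_read():
 * stores bytes into str until a NUL is found or cap-1 bytes are stored,
 * and always leaves str NUL-terminated.
 * Returns the string length, or -1 if no terminator appeared within
 * cap-1 bytes (the caller should then treat the box as malformed). */
static int read_bounded_cstring(ToyBitStream *bs, char *str, size_t cap) {
    size_t i = 0;
    if (cap == 0) return -1;
    str[0] = 0;
    while (i < cap - 1) {
        str[i] = (char) toy_bs_read_u8(bs);
        if (!str[i]) return (int) i;   /* terminator found: i bytes of string */
        i++;
    }
    str[cap - 1] = 0;                  /* limit reached without a terminator */
    return -1;
}

/* Oversized input (constructed: 2000 bytes, no NUL) that would overrun the
 * original 1024-byte buffer; the bounded reader stops at 1023 bytes and returns -1. */
static int demo_overlong_input_is_rejected(void) {
    uint8_t payload[2000];
    ToyBitStream bs = { payload, sizeof payload, 0 };
    char str[1024];
    memset(payload, 'A', sizeof payload);
    return read_bounded_cstring(&bs, str, sizeof str);
}

/* Well-formed input (constructed): returns 8 and leaves "urn:test" in out. */
static int demo_short_input_ok(void) {
    static const uint8_t payload[] = "urn:test\0trailing";
    ToyBitStream bs = { payload, sizeof payload, 0 };
    char out[1024];
    int n = read_bounded_cstring(&bs, out, sizeof out);
    return (strcmp(out, "urn:test") == 0) ? n : -2;
}
```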
Reproduce
On Ubuntu 20.04, build with:
./configure --static-bin
make
Run the following command with POC.mp4.
$ MP4Box -info ./POC.mp4
You may get a "stack smashing detected" error, which indicates that the stack canary has been corrupted.
GDB
Credits
xdchase
POC
POC.zip