A fixed-length stack buffer value_string is allocated in smil_parse_time_list; the later memcpy does not check the length and simply copies the content into this buffer, causing a stack buffer overflow.
```c
static void smil_parse_time_list(GF_Node *e, GF_List *values, char *begin_or_end_list)
{
	SMIL_Time *value;
	char value_string[500];                 /* fixed-size stack buffer */
	char *str = begin_or_end_list, *tmp;
	u32 len;
	/* get rid of leading spaces */
	while (*str == ' ') str++;
	while (1) {
		tmp = strchr(str, ';');
		if (tmp) len = (u32) (tmp-str);
		else len = (u32) strlen(str);
		/* len comes from attacker-controlled input and is never compared to sizeof(value_string) */
		memcpy(value_string, str, len);
		while ((len > 0) && (value_string[len - 1] == ' '))
		/* ... remainder of the function not included in the report ... */
```
Impact
Since the content is fully controllable by users, an entry of unbounded length overflows the stack buffer, corrupting the stack canary and causing a DoS or potentially Remote Code Execution.
Mitigation
Enforce a length limit on each entry before the memcpy, keeping it below 500 bytes.
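As an added illustration (not GPAC's code), the following rewrites the same ';'-delimited parsing loop with the bounds check the report asks for: every entry is compared against the size of the fixed buffer before it is copied, and an overlong entry is rejected instead of overflowing the stack. The names parse_time_list_bounded, copy_bounded_entry, demo_entry_of_length and the PARSE_* return codes are hypothetical; VALUE_STRING_SIZE mirrors the 500-byte value_string from the report.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define VALUE_STRING_SIZE 500  /* same fixed-size stack buffer as in the report */

/* Hypothetical return codes for the bounded parser (not GPAC's API). */
enum { PARSE_OK = 0, PARSE_TOO_LONG = -1 };

/*
 * Copy one ';'-delimited entry into a fixed buffer, trimming trailing spaces
 * like the original loop does. Unlike the original memcpy, the copy is
 * refused when the entry plus its NUL terminator would not fit.
 */
static int copy_bounded_entry(const char *str, size_t len, char *out, size_t out_size)
{
    if (len >= out_size) return PARSE_TOO_LONG;    /* keep one byte for the NUL */
    memcpy(out, str, len);
    while (len > 0 && out[len - 1] == ' ') len--;  /* trailing-space trim */
    out[len] = '\0';
    return PARSE_OK;
}

/*
 * Walk a ';'-separated begin/end list the way smil_parse_time_list does,
 * but with a bounds check on every entry. Returns the number of entries
 * accepted, or PARSE_TOO_LONG as soon as one would overflow value_string.
 * If max_entry_len is non-NULL it receives the longest trimmed entry seen.
 */
int parse_time_list_bounded(const char *begin_or_end_list, size_t *max_entry_len)
{
    char value_string[VALUE_STRING_SIZE];
    const char *str = begin_or_end_list;
    int count = 0;

    if (max_entry_len) *max_entry_len = 0;
    while (*str == ' ') str++;                      /* leading spaces, as in the original */
    while (1) {
        const char *tmp = strchr(str, ';');
        size_t len = tmp ? (size_t)(tmp - str) : strlen(str);
        if (copy_bounded_entry(str, len, value_string, sizeof(value_string)) != PARSE_OK)
            return PARSE_TOO_LONG;                  /* reject instead of overflowing */
        if (max_entry_len && strlen(value_string) > *max_entry_len)
            *max_entry_len = strlen(value_string);
        count++;
        if (!tmp) break;
        str = tmp + 1;
        while (*str == ' ') str++;
    }
    return count;
}

/* Constructed sample: a single entry of n 'x' characters; returns the parser's verdict. */
int demo_entry_of_length(size_t n)
{
    char *list = malloc(n + 1);
    int rc;
    if (!list) return PARSE_TOO_LONG;
    memset(list, 'x', n);
    list[n] = '\0';
    rc = parse_time_list_bounded(list, NULL);
    free(list);
    return rc;
}

int main(void)
{
    size_t longest = 0;
    int n = parse_time_list_bounded("0s; 2s;indefinite", &longest);  /* constructed input */
    printf("accepted %d entries, longest %zu bytes\n", n, longest);
    printf("499-byte entry: %d, 500-byte entry: %d, 600-byte entry: %d\n",
           demo_entry_of_length(499), demo_entry_of_length(500), demo_entry_of_length(600));
    return 0;
}
```

The boundary matters: an entry of exactly 499 bytes still fits with its terminator, while 500 bytes would write the NUL one past the end, so the check is `len >= sizeof(value_string)` rather than `>`.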
Reproduce
On Ubuntu 22.04 LTS, build with the following.
Run the following command with POC.svg.
You may get a buffer overflow detected error.
GDB info before crash
Backtrace
Credit
xdchase
POC
POC-bof.zip