Integer Overflow in function lsr_translate_coords at laser/lsr_dec.c:856 (CVE-2022-4202)

[ajakk]

• I looked for a similar issue and couldn't find any.
• I tried with the latest version of GPAC. Installers available at http://gpac.io/downloads/gpac-nightly-builds/

Hi, a CVE was issued affecting gpac and I wasn't able to find any report here or any fix. VulDB has a "writeup", which links to an advisory in Google Drive, which links to a reproducer

I can indeed reproduce when built from 4112fc3 (current HEAD at the time of writing):

# MP4Box -bt /poc-integer-Overflow                                                                                       
[iso file] extra box maxr found in hinf, deleting
[iso file] extra box maxr found in hinf, deleting
[iso file] Unknown box type 80rak in parent moov
[iso file] Unknown box type drzf in parent dinf
[iso file] Missing dref box in dinf
[iso file] Incomplete box mdat - start 11495 size 853090
[iso file] Incomplete file while reading for dump - aborting parsing
[iso file] extra box maxr found in hinf, deleting
[iso file] extra box maxr found in hinf, deleting
[iso file] Unknown box type 80rak in parent moov
[iso file] Unknown box type drzf in parent dinf
[iso file] Missing dref box in dinf
[iso file] Incomplete box mdat - start 11495 size 853090
[iso file] Incomplete file while reading for dump - aborting parsing
MPEG-4 LASeR Scene Parsing
[LASeR] sameg coded in bitstream but no g defined !
Reading 515 bits but max should be 64, skipping 451 most significants bits
laser/lsr_dec.c:856:27: runtime error: left shift of 1 by 31 places cannot be represented in type 'int'

[ajakk]

Thanks!

[ajakk]

I can confirm the PoC now exits with this error:

Error loading scene: BitStream Not Compliant

        Error: BitStream Not Compliant