Integer Overflow in function lsr_translate_coords at laser/lsr_dec.c:856 (CVE-2022-4202) #2333

Closed
@ajakk

Description

Hi, a CVE was issued affecting gpac and I wasn't able to find any report here or any fix. VulDB has a "writeup", which links to an advisory in Google Drive, which links to a reproducer.

I can indeed reproduce when built from 4112fc3 (current HEAD at the time of writing):

# MP4Box -bt /poc-integer-Overflow
[iso file] extra box maxr found in hinf, deleting
[iso file] extra box maxr found in hinf, deleting
[iso file] Unknown box type 80rak in parent moov
[iso file] Unknown box type drzf in parent dinf
[iso file] Missing dref box in dinf
[iso file] Incomplete box mdat - start 11495 size 853090
[iso file] Incomplete file while reading for dump - aborting parsing
[iso file] extra box maxr found in hinf, deleting
[iso file] extra box maxr found in hinf, deleting
[iso file] Unknown box type 80rak in parent moov
[iso file] Unknown box type drzf in parent dinf
[iso file] Missing dref box in dinf
[iso file] Incomplete box mdat - start 11495 size 853090
[iso file] Incomplete file while reading for dump - aborting parsing
MPEG-4 LASeR Scene Parsing
[LASeR] sameg coded in bitstream but no g defined !
Reading 515 bits but max should be 64, skipping 451 most significants bits
laser/lsr_dec.c:856:27: runtime error: left shift of 1 by 31 places cannot be represented in type 'int'
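The last line of the trace is UBSan reporting a left shift of 1 by 31 on a signed `int`, which C leaves undefined. The following is an added C example, not gpac's code and not a reconstruction of `lsr_translate_coords`; it shows the general pattern behind findings of this shape: a field width read from an untrusted bitstream ends up as a shift count. `naive_sign_extend` does the shift in `int` and is the kind of code UBSan flags for a 32-bit width; `safe_sign_extend` validates the width first and does all arithmetic in `uint64_t`. The bit reader, the 6-bit width prefix, `MAX_FIELD_BITS` and the sample buffers are all constructed for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Widest signed field the decoder is willing to accept (constructed limit). */
#define MAX_FIELD_BITS 32u

/* Naive sign extension of an nbits-wide two's-complement field in plain int
 * arithmetic. For nbits == 32 it evaluates 1 << 31 and 1 << 32 in type int,
 * the same class of undefined behaviour UBSan reports in the trace above.
 * Kept only for contrast; nothing in this file calls it. */
int32_t naive_sign_extend(uint32_t raw, int nbits) {
    if (raw & (1 << (nbits - 1)))           /* UB when nbits == 32 */
        return (int32_t)raw - (1 << nbits); /* UB when nbits >= 31 */
    return (int32_t)raw;
}

/* Hardened version: reject widths the format cannot legitimately carry,
 * then do every shift in uint64_t so no shift count reaches the operand
 * width and no signed overflow can happen. */
bool safe_sign_extend(uint64_t raw, unsigned nbits, int64_t *out) {
    if (nbits == 0 || nbits > MAX_FIELD_BITS)
        return false;                                /* untrusted width: fail, do not clamp */
    uint64_t mask  = ((uint64_t)1 << nbits) - 1;     /* 1 << 32 is fine on a 64-bit operand */
    uint64_t value = raw & mask;                     /* ignore bits outside the field */
    uint64_t sign  = (uint64_t)1 << (nbits - 1);
    *out = (value & sign) ? (int64_t)value - (int64_t)((uint64_t)1 << nbits)
                          : (int64_t)value;
    return true;
}

/* Minimal MSB-first bit reader over an in-memory buffer (constructed for
 * the example, not gpac's bitstream reader). */
typedef struct {
    const uint8_t *buf;
    size_t len;   /* bytes available */
    size_t pos;   /* bits consumed so far */
} bitreader;

bool read_bits(bitreader *br, unsigned nbits, uint64_t *out) {
    if (nbits == 0 || nbits > 64) return false;       /* a 64-bit accumulator cannot take more */
    if (nbits > br->len * 8 - br->pos) return false;  /* never read past the end of the buffer */
    uint64_t v = 0;
    for (unsigned i = 0; i < nbits; i++, br->pos++) {
        unsigned bit = (br->buf[br->pos >> 3] >> (7 - (br->pos & 7))) & 1u;
        v = (v << 1) | bit;
    }
    *out = v;
    return true;
}

/* Constructed field encoding: a 6-bit width followed by that many bits of
 * two's-complement value. The width comes from the input, so it is exactly
 * the untrusted quantity that must be checked before it drives a shift. */
bool decode_field(bitreader *br, int64_t *out) {
    uint64_t width, raw;
    if (!read_bits(br, 6, &width)) return false;
    if (width > MAX_FIELD_BITS) return false;         /* refuse oversized widths up front */
    if (!read_bits(br, (unsigned)width, &raw)) return false;
    return safe_sign_extend(raw, (unsigned)width, out);
}

bool decode_from(const uint8_t *buf, size_t len, int64_t *out) {
    bitreader br = { buf, len, 0 };
    return decode_field(&br, out);
}

/* Constructed inputs: width 4 with value 0b1111 (-1); width 32 with value
 * 0x80000000 (INT32_MIN, the case where 1 << 31 appears); width 40, which
 * exceeds the accepted maximum and must be rejected rather than shifted. */
const uint8_t SAMPLE_NEG1[]    = { 0x13, 0xC0 };
const uint8_t SAMPLE_INTMIN[]  = { 0x82, 0x00, 0x00, 0x00, 0x00 };
const uint8_t SAMPLE_TOOWIDE[] = { 0xA0, 0, 0, 0, 0, 0, 0, 0 };

int main(void) {
    int64_t v;
    if (decode_from(SAMPLE_NEG1, sizeof SAMPLE_NEG1, &v))
        printf("width 4 field  -> %lld\n", (long long)v);
    if (decode_from(SAMPLE_INTMIN, sizeof SAMPLE_INTMIN, &v))
        printf("width 32 field -> %lld\n", (long long)v);
    if (!decode_from(SAMPLE_TOOWIDE, sizeof SAMPLE_TOOWIDE, &v))
        puts("width 40 field -> rejected");
    return 0;
}
```

The point of the split between `read_bits`, `decode_field` and `safe_sign_extend` is that each layer checks the count it is about to shift by against the width of the type it shifts, so a malformed width from the file is reported as a parse failure at the first layer that sees it instead of surfacing later as undefined behaviour in an arithmetic helper.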
