buffer overflow in gf_vvc_read_sps_bs_internal function of media_tools/av_parsers.c
for (i=0; i<sps_rpl1_same_as_rpl0; i++) {
u32 j;
sps->num_ref_pic_lists[i] = gf_bs_read_ue_log_idx(bs, "sps_num_ref_pic_lists", i);
for (j=0; j<sps->num_ref_pic_lists[i]; j++) {
s32 res = vvc_parse_ref_pic_list_struct(bs, sps, i, j, &sps->rps[i][j]); // when j == 64, overflow sps->rpsif (res<0) return res;
}
}
Version info
MP4Box - GPAC version 2.1-DEV-rev574-g9d5bb184b-master
(c) 2000-2022 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
Please cite our work in your research:
GPAC Filters: https://doi.org/10.1145/3339825.3394929
GPAC: https://doi.org/10.1145/1291233.1291452
GPAC Configuration: --enable-sanitizer
Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SSL GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_LINUX_DVB GPAC_DISABLE_3D
Reproduce
compile and run
./configure --enable-sanitizer
make
./MP4Box import -add poc.mp4
Crash reported by sanitizer
[VVC] Warning: Error parsing NAL unit
[Core] exp-golomb read failed, not enough bits in bitstream !
media_tools/av_parsers.c:10710:71: runtime error: index 65 out of bounds for type 'VVC_RefPicList [64]'
Thanks for reporting your issue. Please make sure these boxes are checked before submitting your issue - thank you!
Detailed guidelines: http://gpac.io/2013/07/16/how-to-file-a-bug-properly/
Description
buffer overflow in gf_vvc_read_sps_bs_internal function of media_tools/av_parsers.c
Version info
Reproduce
compile and run
Crash reported by sanitizer
POC
poc_bof.zip
Impact
Potentially causing DoS and RCE
Credit
xdchase
The text was updated successfully, but these errors were encountered: