Buffer overflow in gf_text_process_sub function of filters/load_text.c
while (szLine[i+1+j] && szLine[i+1+j]!='}') {
szTime[i] = szLine[i+1+j]; // overflow at szTime
i++;
}
Version info
MP4Box - GPAC version 2.1-DEV-rev574-g9d5bb184b-master
(c) 2000-2022 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
Please cite our work in your research:
GPAC Filters: https://doi.org/10.1145/3339825.3394929
GPAC: https://doi.org/10.1145/1291233.1291452
GPAC Configuration: --enable-sanitizer
Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SSL GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_LINUX_DVB GPAC_DISABLE_3D
Reproduce
compile and run
./configure --enable-sanitizer
make
./MP4Box import -add poc_bof5.avi
Crash reported by sanitizer
Track Importing Timed Text - Text track 400 x 60 font Serif (size 18) layer 0
[TXTIn] Bad SUB file - expecting "{" got "{"
[TXTIn] corrupted SUB frame (line 2) - ends (at 0 ms) before start of current frame (6 ms) - skipping
filters/load_text.c:2569:10: runtime error: index 20 out of bounds for type 'char [20]'
Thanks for reporting your issue. Please make sure these boxes are checked before submitting your issue - thank you!
Detailed guidelines: http://gpac.io/2013/07/16/how-to-file-a-bug-properly/
Description
Buffer overflow in gf_text_process_sub function of filters/load_text.c
Version info
Reproduce
compile and run
Crash reported by sanitizer
POC
poc_bof5.zip
Impact
Potentially causing DoS and RCE
Credit
Xdchase
The text was updated successfully, but these errors were encountered: