Skip to content

Buffer overflow in hevc_parse_vps_extension function of media_tools/av_parsers.c #2346

Closed
@xidoo123

Description

@xidoo123

Thanks for reporting your issue. Please make sure these boxes are checked before submitting your issue - thank you!

Detailed guidelines: http://gpac.io/2013/07/16/how-to-file-a-bug-properly/

Description

Buffer overflow in hevc_parse_vps_extension function of media_tools/av_parsers.c

for (i = 0; i < (num_scalability_types - splitting_flag); i++) {
  dimension_id_len[i] = 1 + gf_bs_read_int_log_idx(bs, 3, "dimension_id_len_minus1", i); // overflow at dimension_id_len
}

Version info

MP4Box - GPAC version 2.1-DEV-rev574-g9d5bb184b-master
(c) 2000-2022 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io

Please cite our work in your research:
	GPAC Filters: https://doi.org/10.1145/3339825.3394929
	GPAC: https://doi.org/10.1145/1291233.1291452

GPAC Configuration: --enable-sanitizer
Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SSL GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_LINUX_DVB  GPAC_DISABLE_3D

Reproduce

compile and run

./configure --enable-sanitizer
make
./MP4Box import -add poc_bof6.mp4

Crash reported by sanitizer

[Core] exp-golomb read failed, not enough bits in bitstream !
[HEVC] Warning: Error parsing NAL unit
media_tools/av_parsers.c:7633:19: runtime error: index 16 out of bounds for type 'u8 [16]'

POC

poc_bof6.zip

Impact

Potentially causing DoS and RCE

Credit

Xdchase

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions