Closed
Description
Thanks for reporting your issue. Please make sure these boxes are checked before submitting your issue - thank you!
- I looked for a similar issue and couldn't find any.
- I tried with the latest version of GPAC. Installers available at http://gpac.io/downloads/gpac-nightly-builds/
- I give enough information for contributors to reproduce my issue (meaningful title, github labels, platform and compiler, command-line ...). I can share files anonymously with this dropbox: https://www.mediafire.com/filedrop/filedrop_hosted.php?drop=eec9e058a9486fe4e99c33021481d9e1826ca9dbc242a6cfaab0fe95da5e5d95
Detailed guidelines: http://gpac.io/2013/07/16/how-to-file-a-bug-properly/
Description
stack-buffer-overflow utils/bitstream.c:732 in gf_bs_read_data
Version info
latest version atm
MP4Box - GPAC version 2.1-DEV-rev644-g5c4df2a67-master
(c) 2000-2022 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
Please cite our work in your research:
GPAC Filters: https://doi.org/10.1145/3339825.3394929
GPAC: https://doi.org/10.1145/1291233.1291452
GPAC Configuration: --enable-sanitizer
Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SSL GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_LINUX_DVB GPAC_DISABLE_3D
Reproduce
compile and run
./configure --enable-sanitizer
make
./MP4Box import -cat poc_bof11.mp4
Crash reported by sanitizer
Track Importing AAC - SampleRate 88200 Num Channels 8
=================================================================
==325854==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffc52ec0940 at pc 0x7fa1e477c501 bp 0x7ffc52ebf3a0 sp 0x7ffc52ebf390
WRITE of size 1 at 0x7ffc52ec0940 thread T0
#0 0x7fa1e477c500 in gf_bs_read_data utils/bitstream.c:732
#1 0x7fa1e59d0a8c in latm_dmx_sync_frame_bs filters/reframe_latm.c:170
#2 0x7fa1e59d289f in latm_dmx_sync_frame_bs filters/reframe_latm.c:86
#3 0x7fa1e59d289f in latm_dmx_process filters/reframe_latm.c:526
#4 0x7fa1e55eabac in gf_filter_process_task filter_core/filter.c:2795
#5 0x7fa1e55aa703 in gf_fs_thread_proc filter_core/filter_session.c:1859
#6 0x7fa1e55b700e in gf_fs_run filter_core/filter_session.c:2120
#7 0x7fa1e4ff9a21 in gf_media_import media_tools/media_import.c:1551
#8 0x55a84c1ccb4c in import_file /home/sumuchuan/Desktop/gpac_fuzz/gpac/applications/mp4box/fileimport.c:1498
#9 0x55a84c1d75d7 in cat_isomedia_file /home/sumuchuan/Desktop/gpac_fuzz/gpac/applications/mp4box/fileimport.c:2536
#10 0x55a84c181130 in do_add_cat /home/sumuchuan/Desktop/gpac_fuzz/gpac/applications/mp4box/mp4box.c:4562
#11 0x55a84c181130 in mp4box_main /home/sumuchuan/Desktop/gpac_fuzz/gpac/applications/mp4box/mp4box.c:6124
#12 0x7fa1e2580d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
#13 0x7fa1e2580e3f in __libc_start_main_impl ../csu/libc-start.c:392
#14 0x55a84c15dcb4 in _start (/home/sumuchuan/Desktop/gpac_fuzz/gpac/bin/gcc/MP4Box+0xabcb4)
Address 0x7ffc52ec0940 is located in stack of thread T0 at offset 5088 in frame
#0 0x7fa1e59d20af in latm_dmx_process filters/reframe_latm.c:456
This frame has 19 object(s):
[48, 52) 'pck_size' (line 461)
[64, 68) 'latm_frame_size' (line 525)
[80, 84) 'dsi_s' (line 312)
[96, 104) 'output' (line 460)
[128, 136) 'dsi_b' (line 311)
[160, 184) '<unknown>'
[224, 248) '<unknown>'
[288, 312) '<unknown>'
[352, 376) '<unknown>'
[416, 440) '<unknown>'
[480, 504) '<unknown>'
[544, 568) '<unknown>'
[608, 632) '<unknown>'
[672, 696) '<unknown>'
[736, 760) '<unknown>'
[800, 824) '<unknown>'
[864, 888) '<unknown>'
[928, 952) '<unknown>'
[992, 5088) 'latm_buffer' (line 524) <== Memory access at offset 5088 overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
(longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow utils/bitstream.c:732 in gf_bs_read_data
Shadow bytes around the buggy address:
0x10000a5d00d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10000a5d00e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10000a5d00f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10000a5d0100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10000a5d0110: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x10000a5d0120: 00 00 00 00 00 00 00 00[f3]f3 f3 f3 f3 f3 f3 f3
0x10000a5d0130: f3 f3 f3 f3 f3 f3 f3 f3 00 00 00 00 00 00 00 00
0x10000a5d0140: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10000a5d0150: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10000a5d0160: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10000a5d0170: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==325854==ABORTING
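The frame list in the sanitizer report shows the pattern behind this crash: `latm_buffer` is a 4096-byte stack array (offsets 992 to 5088) and the write lands exactly at offset 5088, one byte past its end, from inside `gf_bs_read_data`. A bitstream reader of this kind bounds its copy on the bytes left in the stream, not on the size of the destination, so the caller has to check the stream-supplied frame length against the buffer before the read. The C below is an added illustration of that check and is not GPAC's code: the `toy_bs` reader, the `FRAME_CAP` constant, `sync_frame_checked` and the test helpers are constructed here. The header layout it parses is the LOAS AudioSyncStream one (11-bit syncword 0x2B7 followed by a 13-bit byte length), which is enough to show why a 4096-byte buffer can be overrun: a 13-bit field encodes lengths up to 8191.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy byte reader standing in for a bitstream object (constructed; not the gf_bs_* API). */
typedef struct {
    const uint8_t *data;
    size_t size;
    size_t pos;
} toy_bs;

static size_t toy_bs_available(const toy_bs *bs) { return bs->size - bs->pos; }

/* Copies at most n bytes into out and returns the number actually copied.
   Note that the only bound applied here is the end of the stream: the
   destination size is the caller's responsibility. */
static size_t toy_bs_read_data(toy_bs *bs, uint8_t *out, size_t n) {
    size_t avail = toy_bs_available(bs);
    if (n > avail) n = avail;
    memcpy(out, bs->data + bs->pos, n);
    bs->pos += n;
    return n;
}

#define LOAS_SYNCWORD 0x2B7u   /* 11-bit AudioSyncStream syncword */
#define FRAME_CAP 4096          /* capacity of the caller's fixed stack buffer (constructed value) */

typedef enum {
    SYNC_OK = 0,
    SYNC_NO_SYNC = 1,     /* no syncword at the current position */
    SYNC_NEED_MORE = 2,   /* header valid but payload not fully available yet */
    SYNC_TOO_LARGE = 3    /* declared length exceeds the destination buffer */
} sync_result;

/* Parses the 3-byte LOAS header at bs->pos without consuming it.
   Returns 1 and sets *len on a syncword match, 0 otherwise. */
static int parse_loas_header(const toy_bs *bs, size_t *len) {
    if (toy_bs_available(bs) < 3) return 0;
    const uint8_t *p = bs->data + bs->pos;
    uint32_t hdr = ((uint32_t)p[0] << 16) | ((uint32_t)p[1] << 8) | p[2];
    if ((hdr >> 13) != LOAS_SYNCWORD) return 0;
    *len = hdr & 0x1FFF;  /* 13-bit audioMuxLengthBytes, 0..8191 */
    return 1;
}

/* Hardened sync: the stream-supplied length is compared with the destination
   capacity before a single byte is written into frame[]. */
static sync_result sync_frame_checked(toy_bs *bs, uint8_t *frame, size_t frame_cap, size_t *frame_len) {
    size_t len;
    *frame_len = 0;
    if (!parse_loas_header(bs, &len)) return SYNC_NO_SYNC;
    if (len > frame_cap) return SYNC_TOO_LARGE;            /* the check that prevents the overrun */
    if (toy_bs_available(bs) < 3 + len) return SYNC_NEED_MORE;
    bs->pos += 3;                                           /* consume the header */
    *frame_len = toy_bs_read_data(bs, frame, len);
    return SYNC_OK;
}

/* Builds a LOAS header for a given length (constructed helper for the tests below). */
static void make_loas_header(uint8_t out[3], size_t len) {
    uint32_t hdr = (LOAS_SYNCWORD << 13) | (uint32_t)(len & 0x1FFF);
    out[0] = (uint8_t)(hdr >> 16);
    out[1] = (uint8_t)(hdr >> 8);
    out[2] = (uint8_t)hdr;
}

/* Runs the checked sync on a constructed stream whose header claims 'claimed'
   bytes while only 'present' payload bytes follow it. */
static sync_result try_sync(size_t claimed, size_t present, size_t *copied) {
    uint8_t stream[3 + 8191];
    uint8_t frame[FRAME_CAP];
    make_loas_header(stream, claimed);
    memset(stream + 3, 0xAB, present);
    toy_bs bs = { stream, 3 + present, 0 };
    return sync_frame_checked(&bs, frame, FRAME_CAP, copied);
}

static int try_sync_result(size_t claimed, size_t present) {
    size_t n;
    return (int)try_sync(claimed, present, &n);
}

static size_t try_sync_len(size_t claimed, size_t present) {
    size_t n;
    try_sync(claimed, present, &n);
    return n;
}

int main(void) {
    /* A header claiming 4097 bytes is rejected instead of overrunning a 4096-byte frame. */
    printf("claimed 16   -> result %d, copied %zu\n", try_sync_result(16, 16), try_sync_len(16, 16));
    printf("claimed 4097 -> result %d (3 = too large)\n", try_sync_result(4097, 0));
    return 0;
}
```

The order of the checks matters: the length is compared with the capacity before the availability test, so an oversized header is rejected even when the stream has not yet delivered the payload, and the reader never reaches the copy with a length it cannot honour.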
POC
Impact
Potentially causing DoS and RCE
Credit
Xdchase