
off-by-one error in function gf_text_get_utf8_line filters/load_text.c #2397

Closed
rbouqueau opened this issue Feb 13, 2023 · 1 comment

@rbouqueau
Member

POC

Version

MP4Box - GPAC version 2.3-DEV-rev40-g3602a5ded-master
(c) 2000-2023 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io

Please cite our work in your research:
        GPAC Filters: https://doi.org/10.1145/3339825.3394929
        GPAC: https://doi.org/10.1145/1291233.1291452

GPAC Configuration: --enable-sanitizer --verbose
Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SSL GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_PNG GPAC_HAS_LINUX_DVB  GPAC_DISABLE_3D 

Proof of Concept

➜  gcc git:(master) ✗ ./MP4Box -info ./gf_text_get_utf8_line_poc
filters/load_text.c:362:13: runtime error: index 2048 out of bounds for type 'char [2048]'

Reproduce

./configure --enable-sanitizer --enable-debug
make
./MP4Box -info gf_text_get_utf8_line_poc

Git Log

commit 3602a5ded4e57b0044a949f985ee3792f94a9a36 (HEAD -> master, origin/master, origin/HEAD)
Author: Aurelien David <aurelien.david@telecom-paristech.fr>
Date:   Thu Feb 9 11:24:23 2023 +0100

    mp3dmx: check truncated frames (#2391)

commit ea7395f39f601a7750d48d606e9d10ea0b7beefe
Author: Aurelien David <aurelien.david@telecom-paristech.fr>
Date:   Wed Feb 8 16:52:00 2023 +0100

    sgpd box entry: disallow null grouping_type (#2389)

commit 8db20cb634a546c536c31caac94e1f74b778b463
Author: Aurelien David <aurelien.david@telecom-paristech.fr>
Date:   Tue Feb 7 18:27:19 2023 +0100

    m2ts: check descs_size read from input to prevent overflow (#2388)

Impact

This is capable of causing crashes by using an unexpected value.
Occurrences

load_text.c L362

            if (j >= GF_ARRAY_LENGTH(szLineConv) - 1) {
                GF_LOG(GF_LOG_DEBUG, GF_LOG_PARSER, ("[TXTIn] Line too long to convert to utf8 (len: %d)\n", len));
                break;
            }
        }
        szLineConv[j] = 0; // when j == GF_ARRAY_LENGTH(szLineConv): off-by-one error
        strcpy(szLine, szLineConv);
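An added example, not GPAC code, that models the pattern reported above in plain C: a Latin-1 to UTF-8 loop writing into a 2048-byte buffer (the size taken from the sanitizer message) whose only bound check is the one quoted, beside a hardened loop that reserves room for the whole multi-byte sequence plus the terminator before writing anything. The body of the real loop and the upstream fix are not shown on this page, so the loop body, the 2-byte expansion and every name used here (CONV_LEN, convert_buggy, convert_fixed, run_worst_case and the wrappers) are assumptions made for this demo. A canary byte placed just past the array stands in for the sanitizer: on a constructed worst-case line the buggy loop puts its terminator at index 2048 and overwrites the canary, while the hardened loop stops at 2046.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Conversion buffer size from the sanitizer report ("type 'char [2048]'").
   CONV_LEN and all function names below are chosen for this example and
   are not GPAC identifiers. */
#define CONV_LEN 2048
#define CANARY   0xA5

typedef size_t (*convert_fn)(const unsigned char *in, size_t in_len,
                             unsigned char *conv);

/* Model of the reported pattern (assumption: the real loop body is not on
   the page). Each Latin-1 byte >= 0x80 expands to a 2-byte UTF-8 sequence
   and the only bound check is "j >= length - 1" at the top of the
   iteration. From j == 2046 a 2-byte write leaves j == 2048, the loop ends,
   and the terminator store conv[j] = 0 indexes one past the array. The
   caller passes CONV_LEN + 1 bytes so the overshoot hits a canary instead
   of being undefined behaviour. Returns the terminator index. */
static size_t convert_buggy(const unsigned char *in, size_t in_len,
                            unsigned char *conv)
{
    size_t i, j = 0;
    for (i = 0; i < in_len; i++) {
        if (j >= CONV_LEN - 1)          /* same check as on the page */
            break;
        if (in[i] < 0x80) {
            conv[j++] = in[i];
        } else {                        /* 110xxxxx 10xxxxxx */
            conv[j++] = 0xC0 | (in[i] >> 6);
            conv[j++] = 0x80 | (in[i] & 0x3F);
        }
    }
    conv[j] = 0;                        /* j == CONV_LEN is reachable here */
    return j;
}

/* Hardened form: check that the whole sequence AND the terminator fit
   before writing, so j never exceeds CONV_LEN - 1. */
static size_t convert_fixed(const unsigned char *in, size_t in_len,
                            unsigned char *conv)
{
    size_t i, j = 0;
    for (i = 0; i < in_len; i++) {
        size_t need = (in[i] < 0x80) ? 1 : 2;
        if (j + need > CONV_LEN - 1)    /* sequence + NUL must fit */
            break;
        if (need == 1) {
            conv[j++] = in[i];
        } else {
            conv[j++] = 0xC0 | (in[i] >> 6);
            conv[j++] = 0x80 | (in[i] & 0x3F);
        }
    }
    conv[j] = 0;                        /* j <= CONV_LEN - 1 always */
    return j;
}

/* Constructed worst-case line: 2046 ASCII bytes then one Latin-1 byte
   (0xE9, e-acute), so j is 2046 right before a 2-byte expansion. Runs fn,
   stores the terminator index, and reports whether the byte just past the
   CONV_LEN array was overwritten. */
static int run_worst_case(convert_fn fn, size_t *term_idx)
{
    unsigned char line[2047];
    unsigned char conv[CONV_LEN + 1];
    memset(line, 'A', 2046);
    line[2046] = 0xE9;
    memset(conv, 0, sizeof conv);
    conv[CONV_LEN] = CANARY;
    *term_idx = fn(line, sizeof line, conv);
    return conv[CONV_LEN] != CANARY;
}

size_t buggy_terminator_index(void) { size_t j; run_worst_case(convert_buggy, &j); return j; }
int    buggy_clobbers_canary(void)  { size_t j; return run_worst_case(convert_buggy, &j); }
size_t fixed_terminator_index(void) { size_t j; run_worst_case(convert_fixed, &j); return j; }
int    fixed_clobbers_canary(void)  { size_t j; return run_worst_case(convert_fixed, &j); }

/* The hardened loop must still convert an ordinary short line: Latin-1
   "caf\xE9" becomes UTF-8 "caf\xC3\xA9" (5 bytes). Returns 0 on mismatch. */
size_t fixed_short_line_len(void)
{
    static const unsigned char in[] = { 'c', 'a', 'f', 0xE9 };
    unsigned char conv[CONV_LEN + 1];
    size_t n = convert_fixed(in, sizeof in, conv);
    return (n == 5 && memcmp(conv, "caf\xC3\xA9", 6) == 0) ? n : 0;
}

int main(void)
{
    printf("buggy: terminator at %zu, canary clobbered=%d\n",
           buggy_terminator_index(), buggy_clobbers_canary());
    printf("fixed: terminator at %zu, canary clobbered=%d\n",
           fixed_terminator_index(), fixed_clobbers_canary());
    return 0;
}
```

The point to take from the model is that a check placed once per input character is only sufficient when every character produces one output byte; as soon as a single iteration can advance j by more than one, the check has to account for the size of the sequence about to be written and for the terminator stored after the loop, or it has to be repeated after the write.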
@aureliendavid
Member

That's my bad, I didn't add enough checks in the previous fix.

Should be OK now.
