Integer overflow issue in bifs/unquantize.c:298 #2567

Closed
xiaoxiaoafeifei opened this issue Aug 29, 2023 · 1 comment · Fixed by #2568
Thanks for reporting your issue. Please make sure these boxes are checked before submitting your issue - thank you!

  • [Y] I looked for a similar issue and couldn't find any.
  • [Y] I tried with the latest version of GPAC. Installers available at http://gpac.io/downloads/gpac-nightly-builds/
  • [Y] I give enough information for contributors to reproduce my issue

Description
There is an integer overflow issue in bifs/unquantize.c:298

System info
Ubuntu 22.04.2 LTS
GPAC-2.2.1

Build command
./configure --enable-sanitizer && make

Crash command
/usr/local/bin/MP4Box -xmt poc

poc_file:
poc.zip

Crash output:
[iso file] Unknown box type vref in parent dinf
[iso file] Missing dref box in dinf
[iso file] Incomplete box - start 2637
[iso file] Incomplete file while reading for dump - aborting parsing
[iso file] Unknown box type vref in parent dinf
[iso file] Missing dref box in dinf
[iso file] Incomplete box - start 2637
[iso file] Incomplete file while reading for dump - aborting parsing
MPEG-4 BIFS Scene Parsing
bifs/unquantize.c:298:43: runtime error: shift exponent 4294967295 is too large for 32-bit type 'int'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior bifs/unquantize.c:298:43 in
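The sanitizer line above says the shift exponent was 4294967295, which is what an unsigned `nb_bits - 1` becomes when `nb_bits` is 0. The example below is added here and is not GPAC's code or the code of Q_DecCoordOnUnitSphere: it is a minimal stand-in decoder that reads a quantization width from an untrusted stream and uses it as a shift exponent, showing the range check that has to sit between the two. The stream layout, the function names (`shift_exponent_ok`, `decode_signed_quantized`, `decode_value`) and the sample bytes are all assumptions made for this example.

```c
/* Added example, not GPAC code. Hypothetical stream layout (an assumption
 * for this example, not the BIFS format):
 *   byte 0        : nb_bits, the quantization width chosen by the encoder
 *   following bits: 1 sign bit, then (nb_bits - 1) magnitude bits, MSB first
 * Dequantized value = sign * magnitude * vmax / ((1 << (nb_bits - 1)) - 1). */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef struct {
    const uint8_t *buf;
    size_t nbits;   /* total bits in buf */
    size_t pos;     /* next bit to read */
} bitreader_t;

/* Read n bits MSB-first. Returns -1 on overrun or n > 31. */
static int64_t br_read(bitreader_t *br, uint32_t n)
{
    if (n > 31 || br->pos + n > br->nbits) return -1;
    uint32_t v = 0;
    for (uint32_t i = 0; i < n; i++, br->pos++)
        v = (v << 1) | ((br->buf[br->pos >> 3] >> (7 - (br->pos & 7))) & 1u);
    return (int64_t)v;
}

/* The guard. nb_bits comes from the file, so it must be range-checked
 * BEFORE it is used as a shift exponent: with an unsigned nb_bits of 0,
 * nb_bits - 1 wraps to 4294967295 and the shift is undefined behaviour;
 * an exponent of 32 or more is undefined for a 32-bit operand as well.
 * At least one magnitude bit is also required so the divisor is non-zero. */
int shift_exponent_ok(uint32_t nb_bits)
{
    return nb_bits >= 2 && nb_bits <= 32;
}

/* Decode one value. Returns 0 on success, -1 on an invalid width,
 * -2 on a truncated stream. */
int decode_signed_quantized(const uint8_t *buf, size_t len, float vmax, float *out)
{
    if (len < 1) return -2;
    uint32_t nb_bits = buf[0];
    if (!shift_exponent_ok(nb_bits)) return -1;   /* the check that was missing */

    bitreader_t br = { buf + 1, (len - 1) * 8, 0 };
    int64_t sign = br_read(&br, 1);
    int64_t mag  = br_read(&br, nb_bits - 1);
    if (sign < 0 || mag < 0) return -2;

    /* Defined only because nb_bits - 1 is now known to be in [1, 31]. */
    uint32_t scale = (1u << (nb_bits - 1)) - 1u;
    float v = ((float)mag * vmax) / (float)scale;
    *out = sign ? -v : v;
    return 0;
}

/* Convenience wrapper: the decoded value, or 0 when decoding fails. */
float decode_value(const uint8_t *buf, size_t len, float vmax)
{
    float v = 0;
    return decode_signed_quantized(buf, len, vmax, &v) == 0 ? v : 0;
}

int main(void)
{
    /* Constructed input: nb_bits = 4, then bits 1 011 (sign set, magnitude 3). */
    const uint8_t good[] = { 0x04, 0xB0 };
    /* Constructed malformed input: nb_bits = 0, the case the sanitizer flagged. */
    const uint8_t bad[]  = { 0x00, 0x00 };
    float v = 0;
    int rc = decode_signed_quantized(good, sizeof good, 7.0f, &v);
    printf("good: rc=%d value=%f\n", rc, v);
    printf("bad : rc=%d\n", decode_signed_quantized(bad, sizeof bad, 7.0f, &v));
    return 0;
}
```

Build it with `-fsanitize=undefined` like the reporter did; with the call to `shift_exponent_ok` removed, the `bad` input reproduces the same "shift exponent 4294967295 is too large for 32-bit type" report, and a width of 0 or above 32 is rejected before any shift happens once the check is in place.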


xiaoxiaoafeifei commented Oct 11, 2023

[AFFECTED AND/OR FIXED VERSION(S)]
AFFECTED VERSION: gpac - version <= 2.2.1
FIXED VERSION: current master branch (patch: #2568)

[PROBLEM TYPE] – must contain at least one: Vulnerability Type, Root Cause, or Impact:
Vulnerability Type: Integer Overflow
Impact: Denial of Service

[DESCRIPTION]
An issue in GPAC v.2.2.1 and before allows a local attacker to cause a denial of service via the Q_DecCoordOnUnitSphere function of file src/bifs/unquantize.c

This issue was assigned CVE-2023-42298
