
stack-buffer-overflow in /gpac/src/media_tools/av_parsers.c:7735:42 in hevc_parse_vps_extension #2613

Closed
gandalf4a opened this issue Oct 8, 2023 · 0 comments


Version

$ ./MP4Box -version
MP4Box - GPAC version 2.3-DEV-rev566-g50c2ab06f-master

Platform

$ uname -a
Linux user-GE40-2PC-Dragon-Eyes 6.2.0-33-generic #33~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Thu Sep  7 10:33:52 UTC 2 x86_64 x86_64 x86_64 GNU/Linux

Asan

/home/user/vul/MP4Box_crash/id000085sig06src003627time38285673execs366724ophavocrep8
[HEVC] Error parsing NAL unit type 2
=================================================================
==833362==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffdcf3828d0 at pc 0x7f6e8e6ab0c1 bp 0x7ffdcf382870 sp 0x7ffdcf382868
WRITE of size 1 at 0x7ffdcf3828d0 thread T0
    #0 0x7f6e8e6ab0c0 in hevc_parse_vps_extension /home/user/fuzzing_gpac/gpac/src/media_tools/av_parsers.c:7735:42
    #1 0x7f6e8e66492e in gf_hevc_read_vps_bs_internal /home/user/fuzzing_gpac/gpac/src/media_tools/av_parsers.c:8095:9
    #2 0x7f6e8e66b0e5 in gf_hevc_parse_nalu_bs /home/user/fuzzing_gpac/gpac/src/media_tools/av_parsers.c:8756:30
    #3 0x7f6e8f25c2ca in naludmx_check_dur /home/user/fuzzing_gpac/gpac/src/filters/reframe_nalu.c:576:10
    #4 0x7f6e8f264622 in naludmx_check_pid /home/user/fuzzing_gpac/gpac/src/filters/reframe_nalu.c:1826:3
    #5 0x7f6e8f252dc5 in naludmx_process /home/user/fuzzing_gpac/gpac/src/filters/reframe_nalu.c:3370:4
    #6 0x7f6e8edafa33 in gf_filter_process_task /home/user/fuzzing_gpac/gpac/src/filter_core/filter.c:2971:7
    #7 0x7f6e8ed7d47b in gf_fs_thread_proc /home/user/fuzzing_gpac/gpac/src/filter_core/filter_session.c:2105:3
    #8 0x7f6e8ed7b5cf in gf_fs_run /home/user/fuzzing_gpac/gpac/src/filter_core/filter_session.c:2405:3
    #9 0x7f6e8e62ac6a in gf_dasher_process /home/user/fuzzing_gpac/gpac/src/media_tools/dash_segmenter.c:1236:6
    #10 0x5572d97a66dc in do_dash /home/user/fuzzing_gpac/gpac/applications/mp4box/mp4box.c:4831:15
    #11 0x5572d9797b6e in mp4box_main /home/user/fuzzing_gpac/gpac/applications/mp4box/mp4box.c:6245:7
    #12 0x7f6e8d629d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #13 0x7f6e8d629e3f in __libc_start_main csu/../csu/libc-start.c:392:3
    #14 0x5572d96bfdd4 in _start (/home/user/fuzzing_gpac/gpac/bin/gcc/MP4Box+0x82dd4) (BuildId: 53333ca7bff59dd9a3d1b2821e7c5f3a9aac76b9)

Address 0x7ffdcf3828d0 is located in stack of thread T0 at offset 80 in frame
    #0 0x7f6e8e6a4abf in hevc_parse_vps_extension /home/user/fuzzing_gpac/gpac/src/media_tools/av_parsers.c:7690

  This frame has 12 object(s):
    [32, 48) 'dimension_id_len' (line 7693)
    [64, 80) 'dim_bit_offset' (line 7693) <== Memory access at offset 80 overflows this variable
    [96, 100) 'layer_set_idx_for_ols_minus1' (line 7695)
    [112, 117) 'nb_output_layers_in_output_layer_set' (line 7696)
    [144, 149) 'ols_highest_output_layer_id' (line 7697)
    [176, 240) 'num_direct_ref_layers' (line 7700)
    [272, 336) 'num_pred_layers' (line 7700)
    [368, 372) 'num_layers_in_tree_partition' (line 7700)
    [384, 400) 'dependency_flag' (line 7701)
    [416, 672) 'id_pred_layers' (line 7701)
    [736, 800) 'layer_id_in_list_flag' (line 7706)
    [832, 896) 'OutputLayerFlag' (line 7707)
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow /home/user/fuzzing_gpac/gpac/src/media_tools/av_parsers.c:7735:42 in hevc_parse_vps_extension
Shadow bytes around the buggy address:
==833362==ABORTING

Reproduce

./MP4Box -dash 10000 poc

POC File

https://github.com/gandalf4a/crash_report/blob/main/gpac/MP4Box/sbo_7735

Credit

Gandalf4a