heap-buffer-overflow in gf_fwrite at utils/os_file.c:1657 #2642

Closed
Janette88 opened this issue Oct 13, 2023 · 1 comment

Comments

@Janette88

Description

heap-buffer-overflow in gf_fwrite at utils/os_file.c:1657

Version

git log
commit 7edc40feef23efd8c9948292d269eae76fa475af (HEAD -> master, origin/master, origin/HEAD)
Author: jeanlf <jeanlf@gpac.io>
Date:   Thu Oct 12 16:58:53 2023 +0200

./bin/gcc/MP4Box -version
MP4Box - GPAC version 2.3-DEV-rev588-g7edc40fee-master
(c) 2000-2023 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io

POC

https://github.com/Janette88/test_pocs/blob/main/hbo16

Reproduce

./bin/gcc/MP4Box -dash 1000 /home/fuzz/crashes/hbo16


[SWF Parsing] tag PlaceObject over-read of 4 bytes (size 1) (frame 1)
[SWF Parsing] tag PlaceObject over-read of 4 bytes (size 1) (frame 1)
[SWF Parsing] tag PlaceObject over-read of 4 bytes (size 1) (frame 1)
[SWF Parsing] tag PlaceObject over-read of 4 bytes (size 1) (frame 1)
[SWF Parsing] tag PlaceObject over-read of 4 bytes (size 1) (frame 1)
[SWF Parsing] tag PlaceObject over-read of 4 bytes (size 1) (frame 1)
[SWF Parsing] tag PlaceObject over-read of 4 bytes (size 1) (frame 1)
[SWF Parsing] tag PlaceObject over-read of 4 bytes (size 1) (frame 1)
[SWF Parsing] tag PlaceObject over-read of 4 bytes (size 1) (frame 1)
[SWF Parsing] tag PlaceObject over-read of 4 bytes (size 1) (frame 1)
[SWF Parsing] tag PlaceObject over-read of 4 bytes (size 1) (frame 1)
[SWF Parsing] tag PlaceObject over-read of 4 bytes (size 1) (frame 1)
[SWF Parsing] tag PlaceObject over-read of 4 bytes (size 1) (frame 1)
[SWF Parsing] tag PlaceObject over-read of 4 bytes (size 1) (frame 1)
[SWF Parsing] tag PlaceObject over-read of 4 bytes (size 1) (frame 1)
[SWF Parsing] tag PlaceObject over-read of 4 bytes (size 1) (frame 1)
[SWF Parsing] tag PlaceObject over-read of 4 bytes (size 1) (frame 1)
[SWF Parsing] tag PlaceObject over-read of 4 bytes (size 1) (frame 1)
[SWF Parsing] tag PlaceObject over-read of 4 bytes (size 1) (frame 1)
[SWF Parsing] tag PlaceObject over-read of 4 bytes (size 1) (frame 1)
[SWF Parsing] tag PlaceObject over-read of 4 bytes (size 1) (frame 1)
[SWF Parsing] tag PlaceObject over-read of 4 bytes (size 1) (frame 1)
[SWF Parsing] tag PlaceObject over-read of 4 bytes (size 1) (frame 1)
[SWF Parsing] tag PlaceObject over-read of 4 bytes (size 1) (frame 1)
=================================================================
==60235==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020000025d1 at pc 0x7ffff75ed1bd bp 0x7ffffffec720 sp 0x7ffffffebec8
READ of size 53248 at 0x6020000025d1 thread T0
    #0 0x7ffff75ed1bc in __interceptor_fwrite ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:1103
    #1 0x7ffff3ba5226 in gf_fwrite utils/os_file.c:1657
    #2 0x7ffff4655f98 in swf_def_bits_jpeg scene_manager/swf_parse.c:2087
    #3 0x7ffff46576d4 in swf_process_tag scene_manager/swf_parse.c:2374
    #4 0x7ffff46576d4 in swf_parse_tag scene_manager/swf_parse.c:2405
    #5 0x7ffff4d55ed9 in gf_text_process_swf filters/load_text.c:2550
    #6 0x7ffff4d55ed9 in gf_text_process_swf filters/load_text.c:2527
    #7 0x7ffff4d6b4f3 in txtin_process filters/load_text.c:4015
    #8 0x7ffff4a5d4ae in gf_filter_process_task filter_core/filter.c:2971
    #9 0x7ffff4a2ab11 in gf_fs_thread_proc filter_core/filter_session.c:2105
    #10 0x7ffff4a2f8b6 in gf_fs_run filter_core/filter_session.c:2405
    #11 0x7ffff43bc0bd in gf_dasher_process media_tools/dash_segmenter.c:1236
    #12 0x555555621d26 in do_dash /home/fuzz/gpac/applications/mp4box/mp4box.c:4831
    #13 0x555555621d26 in mp4box_main /home/fuzz/gpac/applications/mp4box/mp4box.c:6245
    #14 0x7ffff164c082 in __libc_start_main ../csu/libc-start.c:308
    #15 0x5555555fa05d in _start (/home/fuzz/gpac/bin/gcc/MP4Box+0xa605d)

0x6020000025d1 is located 0 bytes to the right of 1-byte region [0x6020000025d0,0x6020000025d1)
allocated by thread T0 here:
    #0 0x7ffff7690808 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:144
    #1 0x7ffff465a345 in swf_def_hdr_jpeg scene_manager/swf_parse.c:2044
    #2 0x7ffff465a345 in swf_process_tag scene_manager/swf_parse.c:2372
    #3 0x7ffff465a345 in swf_parse_tag scene_manager/swf_parse.c:2405
    #4 0x7ffff4d55ed9 in gf_text_process_swf filters/load_text.c:2550
    #5 0x7ffff4d55ed9 in gf_text_process_swf filters/load_text.c:2527
    #6 0x7ffff4d6b4f3 in txtin_process filters/load_text.c:4015
    #7 0x7ffff4a5d4ae in gf_filter_process_task filter_core/filter.c:2971
    #8 0x7ffff4a2ab11 in gf_fs_thread_proc filter_core/filter_session.c:2105
    #9 0x7ffff4a2f8b6 in gf_fs_run filter_core/filter_session.c:2405
    #10 0x7ffff43bc0bd in gf_dasher_process media_tools/dash_segmenter.c:1236
    #11 0x555555621d26 in do_dash /home/fuzz/gpac/applications/mp4box/mp4box.c:4831
    #12 0x555555621d26 in mp4box_main /home/fuzz/gpac/applications/mp4box/mp4box.c:6245
    #13 0x7ffff164c082 in __libc_start_main ../csu/libc-start.c:308

SUMMARY: AddressSanitizer: heap-buffer-overflow ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:1103 in __interceptor_fwrite
Shadow bytes around the buggy address:
  0x0c047fff8460: fa fa fd fa fa fa 00 00 fa fa 00 00 fa fa fd fa
  0x0c047fff8470: fa fa fd fd fa fa fd fa fa fa 00 07 fa fa 00 07
  0x0c047fff8480: fa fa 04 fa fa fa 00 05 fa fa 00 00 fa fa 00 00
  0x0c047fff8490: fa fa fd fa fa fa fd fd fa fa fd fd fa fa fd fd
  0x0c047fff84a0: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 00
=>0x0c047fff84b0: fa fa 00 00 fa fa 00 00 fa fa[01]fa fa fa fa fa
  0x0c047fff84c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff84d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff84e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff84f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8500: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==60235==ABORTING

Impact

This vulnerability allows a remote attacker to cause a denial of service or even arbitrary code execution on an affected gpac MP4Box. Exploiting this vulnerability requires user interaction, as the target must access a malicious page or open a malicious file.

Credit

Janette88 (Jq Wang)
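The two halves of the ASan report above describe one defect class: a heap region of 1 byte is allocated while handling one SWF tag (the allocator stack ends in swf_def_hdr_jpeg), and a later tag handler (swf_def_bits_jpeg) hands that buffer to gf_fwrite with a length of 53248 taken from the file, so fwrite reads 53247 bytes past the allocation. The following C program is an added illustration of that pattern and of the check that closes it; it is not GPAC code, and the names img_buf, on_header_tag, flush_unchecked and flush_checked are hypothetical. The two lengths (1 and 53248) are the ones in the report; the buffer contents are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed illustration (not GPAC code): an image buffer whose size is
 * fixed by one tag and later flushed to a file on behalf of another tag. */
typedef struct {
    uint8_t *data;  /* heap buffer sized when the header tag was seen */
    size_t   len;   /* bytes actually allocated */
} img_buf;

/* Header tag handler (hypothetical): the allocation size comes straight from
 * the file, so a 1-byte header is legal input. This mirrors the 1-byte region
 * in the report's allocator stack. */
static int on_header_tag(img_buf *img, size_t hdr_len) {
    size_t alloc = hdr_len ? hdr_len : 1;
    uint8_t *p = malloc(alloc);
    if (!p) return -1;
    memset(p, 0xAA, alloc);  /* constructed sample content */
    img->data = p;
    img->len  = hdr_len;
    return 0;
}

/* Unchecked flush, kept for contrast and never called here: it trusts the
 * length carried by the second tag, so a 1-byte buffer paired with a
 * 53248-byte request reads far past the allocation. This is the shape of the
 * "READ of size 53248" inside fwrite in the report. */
size_t flush_unchecked(const img_buf *img, size_t req_len, FILE *out) {
    return fwrite(img->data, 1, req_len, out);
}

/* Hardened flush: the length the second tag asks for must fit the buffer the
 * first tag allocated. Returns bytes written; *err is 1 on a length mismatch
 * and 2 on an I/O failure. */
static size_t flush_checked(const img_buf *img, size_t req_len, FILE *out, int *err) {
    *err = 0;
    if (!img->data || req_len > img->len) {
        *err = 1;                 /* cross-tag length mismatch: reject the tag */
        return 0;
    }
    size_t n = fwrite(img->data, 1, req_len, out);
    if (n != req_len) *err = 2;
    return n;
}

/* Replays the report's two lengths: 1-byte allocation, 53248-byte write
 * request. Returns 1 if the checked flush rejected the mismatch. */
int demo_mismatch_rejected(void) {
    img_buf img = {0};
    FILE *out = tmpfile();
    int err = 0, rejected = 0;
    if (!out) return -1;
    if (on_header_tag(&img, 1) == 0) {
        flush_checked(&img, 53248, out, &err);
        rejected = (err == 1);
    }
    free(img.data);
    fclose(out);
    return rejected;
}

/* Control case: a request that fits the allocation is written in full.
 * Returns the number of bytes written, 0 on any error. */
size_t demo_fitting_write(size_t len) {
    img_buf img = {0};
    FILE *out = tmpfile();
    int err = 0;
    size_t n = 0;
    if (!out) return 0;
    if (on_header_tag(&img, len) == 0)
        n = flush_checked(&img, len, out, &err);
    free(img.data);
    fclose(out);
    return err == 0 ? n : 0;
}

int main(void) {
    printf("1-byte buffer, 53248-byte request rejected: %d\n", demo_mismatch_rejected());
    printf("16-byte buffer, 16-byte request written: %zu bytes\n", demo_fitting_write(16));
    return 0;
}
```

The point of the check is that the two sizes come from different tags of the same untrusted file and are never forced to agree by the format itself, so the consumer of the buffer has to compare the requested length against the recorded allocation rather than against anything read from the tag. Building with `-fsanitize=address` and calling flush_unchecked with the same inputs reproduces the report's error shape without needing the PoC file.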

@stevebeattie

For reference, this issue was assigned CVE-2023-46426.

(I did not assign this CVE, I just noticed it while triaging new CVEs.)
