You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
2、platform
uname -a
Linux returnzero-virtual-machine 6.2.0-35-generic #35~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Fri Oct 6 10:23:26 UTC 2 x86_64 x86_64 x86_64 GNU/Linux
3、Reproduce
./MP4Box -bt $poc
4、ASCAN
./MP4Box -bt '/home/returnzero/gpac/out/default/crashes/id:000000,sig:06,src:000008,time:167295,execs:4216,op:havoc,rep:6'
[iso file] extra box maxr found in hinf, deleting
[iso file] Unknown box type traI in parent moov
[iso file] Box "stss" (start 9939) has 32 extra bytes
[iso file] extra box maxr found in hinf, deleting
[iso file] Track with no sample description box !
[iso file] Incomplete box mdat - start 11495 size 861217
[iso file] Incomplete file while reading for dump - aborting parsing
[iso file] extra box maxr found in hinf, deleting
[iso file] Unknown box type traI in parent moov
[iso file] Box "stss" (start 9939) has 32 extra bytes
[iso file] extra box maxr found in hinf, deleting
[iso file] Track with no sample description box !
[iso file] Incomplete box mdat - start 11495 size 861217
[iso file] Incomplete file while reading for dump - aborting parsing
MPEG-4 BIFS Scene Parsing
[MP4 Loading] decoding sample 1 from track ID 8 failed
Error loading scene: BitStream Not Compliant
Direct leak of 8 byte(s) in 1 object(s) allocated from:
#0 0x7f0d974b4887 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145 #1 0x7f0d95d38b3b in NewSFDouble scenegraph/vrml_tools.c:300 #2 0x7f0d95d38b3b in gf_sg_vrml_field_pointer_new scenegraph/vrml_tools.c:558
SUMMARY: AddressSanitizer: 8 byte(s) leaked in 1 allocation(s).
5、Impact
This vulnerability allows a remote attacker to cause a denial of service on an affected gpac MP4Box. Exploiting this vulnerability requires user interaction, as the target must access a malicious page or open a malicious file.
@ReturnHere I'm sorry but leaking 8 bytes doesn't lead to a Denial of Service : GHSA-84cp-p2p2-jfjr . That was a small memory leak that happens in a rare (if not improbable) scenario. Thanks for reporting anyway.
Thanks for reporting your issue. Please make sure these boxes are checked before submitting your issue - thank you!
Detailed guidelines: http://gpac.io/bug-reporting/
1、version
./MP4Box -version
MP4Box - GPAC version 2.3-DEV-rev602-ged8424300-master
(c) 2000-2023 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
Please cite our work in your research:
GPAC Filters: https://doi.org/10.1145/3339825.3394929
GPAC: https://doi.org/10.1145/1291233.1291452
GPAC Configuration:
Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SSL GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_JPEG GPAC_HAS_PNG GPAC_HAS_LINUX_DVB GPAC_DISABLE_3D
2、platform
uname -a
Linux returnzero-virtual-machine 6.2.0-35-generic #35~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Fri Oct 6 10:23:26 UTC 2 x86_64 x86_64 x86_64 GNU/Linux
3、Reproduce
./MP4Box -bt $poc
4、ASCAN
./MP4Box -bt '/home/returnzero/gpac/out/default/crashes/id:000000,sig:06,src:000008,time:167295,execs:4216,op:havoc,rep:6'
[iso file] extra box maxr found in hinf, deleting
[iso file] Unknown box type traI in parent moov
[iso file] Box "stss" (start 9939) has 32 extra bytes
[iso file] extra box maxr found in hinf, deleting
[iso file] Track with no sample description box !
[iso file] Incomplete box mdat - start 11495 size 861217
[iso file] Incomplete file while reading for dump - aborting parsing
[iso file] extra box maxr found in hinf, deleting
[iso file] Unknown box type traI in parent moov
[iso file] Box "stss" (start 9939) has 32 extra bytes
[iso file] extra box maxr found in hinf, deleting
[iso file] Track with no sample description box !
[iso file] Incomplete box mdat - start 11495 size 861217
[iso file] Incomplete file while reading for dump - aborting parsing
MPEG-4 BIFS Scene Parsing
[MP4 Loading] decoding sample 1 from track ID 8 failed
Error loading scene: BitStream Not Compliant
=================================================================
==3703==ERROR: LeakSanitizer: detected memory leaks
Direct leak of 8 byte(s) in 1 object(s) allocated from:
#0 0x7f0d974b4887 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
#1 0x7f0d95d38b3b in NewSFDouble scenegraph/vrml_tools.c:300
#2 0x7f0d95d38b3b in gf_sg_vrml_field_pointer_new scenegraph/vrml_tools.c:558
SUMMARY: AddressSanitizer: 8 byte(s) leaked in 1 allocation(s).
5、Impact
This vulnerability allows a remote attacker to cause a denial of service on an affected gpac MP4Box. Exploiting this vulnerability requires user interaction, as the target must access a malicious page or open a malicious file.
6、poc
https://github.com/ReturnHere/CrashReport/blob/main/id%5E%25000000%2Csig%5E%2506%2Csrc%5E%25000008%2Ctime%5E%25167295%2Cexecs%5E%254216%2Cop%5E%25havoc%2Crep%5E%256
The text was updated successfully, but these errors were encountered: