
heap-buffer-overflow in ffdmx_parse_side_data /afltest/gpac/src/filters/ff_dmx.c:202:14 in gpac/MP4Box #2664

Closed
Frank-Z7 opened this issue Oct 24, 2023 · 0 comments


heap-buffer-overflow in ffdmx_parse_side_data /afltest/gpac/src/filters/ff_dmx.c:202:14 in gpac/gpac

Description

Heap-buffer-overflow in MP4Box.

Version

MP4Box - GPAC version 2.3-DEV-rev605-gfc9e29089-master
(c) 2000-2023 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io

Please cite our work in your research:
        GPAC Filters: https://doi.org/10.1145/3339825.3394929
        GPAC: https://doi.org/10.1145/1291233.1291452

GPAC Configuration:
Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SSL GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_JPEG GPAC_HAS_PNG GPAC_HAS_FFMPEG GPAC_HAS_VORBIS GPAC_HAS_LINUX_DVB

ASAN Log

./MP4Box -dash 1000 -diod -ts -dynamic -out /dev/null poc4gpac

=================================================================
==2427334==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000008f2c at pc 0x7ffff7382cb6 bp 0x7ffffffebc30 sp 0x7ffffffebc28
READ of size 4 at 0x602000008f2c thread T0
    #0 0x7ffff7382cb5 in ffdmx_parse_side_data /afltest/gpac/src/filters/ff_dmx.c:202:14
    #1 0x7ffff7382cb5 in ffdmx_init_common /afltest/gpac/src/filters/ff_dmx.c:1240:4
    #2 0x7ffff738a0ca in ffdmx_initialize /afltest/gpac/src/filters/ff_dmx.c:1457:9
    #3 0x7ffff6e7fa09 in gf_filter_new_finalize /afltest/gpac/src/filter_core/filter.c:543:8
    #4 0x7ffff6e6f252 in gf_fs_load_source_dest_internal /afltest/gpac/src/filter_core/filter_session.c:3558:7
    #5 0x7ffff6e94cf0 in gf_filter_swap_source_register /afltest/gpac/src/filter_core/filter.c:3824:2
    #6 0x7ffff6e0c7be in gf_filter_pid_resolve_link_internal /afltest/gpac/src/filter_core/filter_pid.c:3545:11
    #7 0x7ffff6e1b131 in gf_filter_pid_resolve_link_check_loaded /afltest/gpac/src/filter_core/filter_pid.c:3824:9
    #8 0x7ffff6e1b131 in gf_filter_pid_init_task /afltest/gpac/src/filter_core/filter_pid.c:5111:12
    #9 0x7ffff6e63b29 in gf_fs_thread_proc /afltest/gpac/src/filter_core/filter_session.c:2105:3
    #10 0x7ffff6e6257d in gf_fs_run /afltest/gpac/src/filter_core/filter_session.c:2405:3
    #11 0x7ffff67a6e5c in gf_dasher_process /afltest/gpac/src/media_tools/dash_segmenter.c:1236:6
    #12 0x50dfc7 in do_dash /afltest/gpac/applications/mp4box/mp4box.c:4831:15
    #13 0x50dfc7 in mp4box_main /afltest/gpac/applications/mp4box/mp4box.c:6245:7
    #14 0x7ffff58cc082 in __libc_start_main /build/glibc-BHL3KM/glibc-2.31/csu/../csu/libc-start.c:308:16
    #15 0x42adad in _start (/afltest/gpac/bin/gcc/MP4Box+0x42adad)

0x602000008f2c is located 4 bytes to the left of 16-byte region [0x602000008f30,0x602000008f40)
allocated by thread T0 here:
    #0 0x4a3809 in realloc (/afltest/gpac/bin/gcc/MP4Box+0x4a3809)
    #1 0x7ffff3bafda6 in av_stream_add_side_data (/lib/x86_64-linux-gnu/libavformat.so.58+0x1bdda6)

SUMMARY: AddressSanitizer: heap-buffer-overflow /afltest/gpac/src/filters/ff_dmx.c:202:14 in ffdmx_parse_side_data
Shadow bytes around the buggy address:
  0x0c047fff9190: fa fa 02 fa fa fa 00 05 fa fa 00 06 fa fa fd fa
  0x0c047fff91a0: fa fa 07 fa fa fa 00 fa fa fa fd fd fa fa 00 06
  0x0c047fff91b0: fa fa 00 01 fa fa 04 fa fa fa 00 fa fa fa 00 07
  0x0c047fff91c0: fa fa 00 00 fa fa 07 fa fa fa 00 fa fa fa fd fd
  0x0c047fff91d0: fa fa 00 06 fa fa 00 01 fa fa 04 fa fa fa 00 fa
=>0x0c047fff91e0: fa fa 00 00 fa[fa]00 00 fa fa fd fd fa fa fd fa
  0x0c047fff91f0: fa fa fd fa fa fa fd fd fa fa fd fa fa fa fd fa
  0x0c047fff9200: fa fa fd fd fa fa fd fa fa fa fd fa fa fa fd fa
  0x0c047fff9210: fa fa fd fa fa fa fd fd fa fa fd fa fa fa fd fa
  0x0c047fff9220: fa fa fd fa fa fa fd fa fa fa fd fd fa fa fd fa
  0x0c047fff9230: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==2427334==ABORTING

Reproduction

git clone https://github.com/gpac/gpac.git
cd gpac
./configure --enable-sanitizer
make -j24

./bin/gcc/MP4Box -dash 1000 -diod -ts -dynamic -out /dev/null poc4gpac

Thanks for your time!

PoC

poc4gpac: https://github.com/Frank-Z7/z-vulnerabilitys/blob/main/poc4gpac

Impact

This vulnerability is capable of causing crashes.

Reference

https://github.com/gpac/gpac

Environment

ubuntu:20.04
gcc version 9.4.0 (Ubuntu 9.4.0-1ubuntu1~20.04.2)
clang version 10.0.0-4ubuntu1
afl-cc++4.09

Credit

Zeng Yunxiang

Song Jiaxuan
