Infinite loop in av1_uvlc media_tools/av_parsers.c:1664 #2698

Closed
hu1y40 opened this issue Dec 1, 2023 · 1 comment
hu1y40 commented Dec 1, 2023

1.Version
MP4Box - GPAC version 2.3-DEV-rev636-gfbd7e13aa-master
(c) 2000-2023 Telecom Paris distributed under LGPL v2.1+ - https://gpac.io

Please cite our work in your research:
GPAC Filters: https://doi.org/10.1145/3339825.3394929
GPAC: https://doi.org/10.1145/1291233.1291452

GPAC Configuration: --static-bin --enable-sanitizer
Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_LINUX_DVB GPAC_DISABLE_3D

2.Program Output
[iso file] Parsing a top-level box at position 0
[iso file] Read Box type ftyp size 32 start 0
[iso file] Parsing a top-level box at position 32
[iso file] Read Box type mv@d size 108 start 32
[iso file] Unknown top-level box type mv@d
[iso file] Parsing a top-level box at position 140
[iso file] Read Box type av1C size 363 start 140
[AV1] parsed AV1 OBU type=7 size=99 at position 152.
[AV1] AV1 unexpected OBU type=152 size=0 found at position 140056310360544. Forwarding.
[AV1] parsed AV1 OBU type=1 size=12 at position 251.
[AV1] parsed AV1 OBU type=1 size=12 at position 263.
[AV1] parsed AV1 OBU type=1 size=12 at position 275.
[AV1] parsed AV1 OBU type=1 size=12 at position 287.
[AV1] parsed AV1 OBU type=2 size=25 at position 299.
[AV1] AV1 unexpected OBU type=299 size=0 found at position 140056310360544. Forwarding.
[AV1] parsed AV1 OBU type=2 size=52 at position 324.
[AV1] AV1 unexpected OBU type=324 size=0 found at position 140056310360544. Forwarding.
[AV1] parsed AV1 OBU type=1 size=12 at position 376.
[AV1] parsed AV1 OBU type=1 size=12 at position 388.
[AV1] parsed AV1 OBU type=1 size=12 at position 400.
[AV1] parsed AV1 OBU type=1 size=12 at position 412.
[AV1] parsed AV1 OBU type=1 size=12 at position 424.
[AV1] parsed AV1 OBU type=1 size=12 at position 436.
[AV1] parsed AV1 OBU type=1 size=12 at position 448.
[AV1] parsed AV1 OBU type=1 size=12 at position 460.
[AV1] parsed AV1 OBU type=1 size=12 at position 472.
[AV1] parsed AV1 OBU type=1 size=12 at position 484.
[BS] Attempt to overread bitstream

3.Reproduction
./MP4Box -v $poc

4.PoC
https://www.mediafire.com/file/fspsarzrcbfceha/hangPoC/file

5.Impact
This vulnerability can result in an infinite loop or lead to a denial-of-service (DoS) condition.

6.Env
Linux ubuntu 5.4.0-84-generic #94~18.04.1-Ubuntu SMP Thu Aug 26 23:17:46 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux

7.Credit
hu1y40

@rbouqueau
Member

Thanks for reporting!

rbouqueau added a commit that referenced this issue Feb 1, 2024
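
The report places the hang in `av1_uvlc`, and its log ends with `[BS] Attempt to overread bitstream`. As an added example (not GPAC's code and not part of the thread), here is AV1's `uvlc()` descriptor written so that running out of data while counting leading zero bits is returned as an error instead of looping; the `bitreader` type and the function names are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical minimal MSB-first bit reader (not GPAC's GF_BitStream). */
typedef struct {
    const uint8_t *data;
    size_t size;    /* buffer length in bytes */
    size_t bitpos;  /* index of the next bit to read */
} bitreader;

/* Reads one bit; returns 0 on success, -1 once the buffer is exhausted. */
static int br_read_bit(bitreader *br, uint32_t *bit)
{
    if ((br->bitpos >> 3) >= br->size)
        return -1;
    *bit = (br->data[br->bitpos >> 3] >> (7 - (br->bitpos & 7))) & 1u;
    br->bitpos++;
    return 0;
}

/* uvlc() as defined by the AV1 bitstream descriptors, with end of data
 * reported to the caller. Returns 0 and stores the value in *out, or -1. */
static int uvlc_read(bitreader *br, uint32_t *out)
{
    uint32_t bit = 0, value = 0;
    unsigned leading_zeros = 0;

    for (;;) {
        if (br_read_bit(br, &bit) < 0)
            return -1;              /* truncated prefix: stop, do not spin */
        if (bit)
            break;
        if (leading_zeros < 32)     /* saturate so the counter cannot wrap */
            leading_zeros++;
    }
    if (leading_zeros >= 32) {      /* spec: value is (1 << 32) - 1 */
        *out = UINT32_MAX;
        return 0;
    }
    for (unsigned i = 0; i < leading_zeros; i++) {
        if (br_read_bit(br, &bit) < 0)
            return -1;              /* truncated suffix */
        value = (value << 1) | bit;
    }
    *out = value + (1u << leading_zeros) - 1u;
    return 0;
}
```
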