Skip to content

Out of bounds heap write  #994

Closed
Closed
@gsingh93

Description

@gsingh93

Thanks for reporting your issue. Please make sure these boxes are checked before submitting your issue - thank you!

Detailed guidelines: http://gpac.io/2013/07/16/how-to-file-a-bug-properly/


There is an out of bounds heap write in av_ext.c: https://github.com/gpac/gpac/blob/master/src/isomedia/avc_ext.c#L2415

op->layer_count is read from user input, and then used in the condition of the for loop. This means the user can force the loop to execute up to 256 times. The layers_info array only has 64 elements, and this array is allocated on the heap, so I can craft a file that causes this file to write out of the bounds of the array onto the heap. For example, an attacker could overwrite the top chunk of the glibc heap, which can be used with other bugs to achieve remote code execution in services processing user supplied media files.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions