Lucene search
Functionmain2F496261-1090-45AC-BC89-CC93C82090D6HistoryAug 28, 2023 - 1:02 p.m.
heap-buffer-overflow in function avi_parse_input_file media_tools/avilib.c:2083
2023-08-2813:02:28
functionmain
www.huntr.dev
7
mp4box
avi_parse_input_file
heap-buffer-overflow
media_tools
avilib.c
addresssanitizer
0.0004 Low
EPSS
Percentile
12.7%
Description
Heap-buffer-overflow in MP4Box.
Version
$ ./bin/gcc/MP4Box -version
MP4Box - GPAC version 2.3-DEV-revrelease
(c) 2000-2023 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
Please cite our work in your research:
GPAC Filters: https://doi.org/10.1145/3339825.3394929
GPAC: https://doi.org/10.1145/1291233.1291452
GPAC Configuration: --enable-sanitizer
Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SSL GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_LINUX_DVB GPAC_DISABLE_3D
Reproduce
complie and run
./configure --enable-sanitizer
make
Proof of Concept
./bin/gcc/MP4Box -dash 1000 -out /dev/null ./crash4
poc is here
ASAN
information reported by sanitizer
$ ./bin/gcc/MP4Box -dash 1000 -out /dev/null ./crash4
=================================================================
==1177213==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x621000015330 at pc 0x7f22f9f75490 bp 0x7fffd30752c0 sp 0x7fffd3074a68
READ of size 1769512 at 0x621000015330 thread T0
#0 0x7f22f9f7548f in __interceptor_memcpy ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:790
#1 0x7f22f6f007c6 in memcpy /usr/include/x86_64-linux-gnu/bits/string_fortified.h:34
#2 0x7f22f6f007c6 in avi_parse_input_file media_tools/avilib.c:2083
#3 0x7f22f6f0d03d in AVI_open_input_file media_tools/avilib.c:1840
#4 0x7f22f74fcdd0 in avidmx_process filters/dmx_avi.c:490
#5 0x7f22f73da33e in gf_filter_process_task filter_core/filter.c:2971
#6 0x7f22f739966a in gf_fs_thread_proc filter_core/filter_session.c:1962
#7 0x7f22f73a6fd6 in gf_fs_run filter_core/filter_session.c:2261
#8 0x7f22f6d3ca9d in gf_dasher_process media_tools/dash_segmenter.c:1236
#9 0x55b8698dcbb6 in do_dash /home/functionmain/desktop/gpac-master-asan/applications/mp4box/mp4box.c:4825
#10 0x55b8698dcbb6 in mp4box_main /home/functionmain/desktop/gpac-master-asan/applications/mp4box/mp4box.c:6239
#11 0x7f22f3feb082 in __libc_start_main ../csu/libc-start.c:308
#12 0x55b8698b4f5d in _start (/home/functionmain/desktop/gpac-master-asan/bin/gcc/MP4Box+0xa5f5d)
0x621000015330 is located 0 bytes to the right of 4656-byte region [0x621000014100,0x621000015330)
allocated by thread T0 here:
#0 0x7f22f9fe7808 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:144
#1 0x7f22f6eff2be in avi_parse_input_file media_tools/avilib.c:1944
#2 0x7f22f6f0d03d in AVI_open_input_file media_tools/avilib.c:1840
#3 0x7f22f74fcdd0 in avidmx_process filters/dmx_avi.c:490
#4 0x7f22f73da33e in gf_filter_process_task filter_core/filter.c:2971
#5 0x7f22f739966a in gf_fs_thread_proc filter_core/filter_session.c:1962
#6 0x7f22f73a6fd6 in gf_fs_run filter_core/filter_session.c:2261
#7 0x7f22f6d3ca9d in gf_dasher_process media_tools/dash_segmenter.c:1236
#8 0x55b8698dcbb6 in do_dash /home/functionmain/desktop/gpac-master-asan/applications/mp4box/mp4box.c:4825
#9 0x55b8698dcbb6 in mp4box_main /home/functionmain/desktop/gpac-master-asan/applications/mp4box/mp4box.c:6239
#10 0x7f22f3feb082 in __libc_start_main ../csu/libc-start.c:308
SUMMARY: AddressSanitizer: heap-buffer-overflow ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:790 in __interceptor_memcpy
Shadow bytes around the buggy address:
0x0c427fffaa10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c427fffaa20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c427fffaa30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c427fffaa40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c427fffaa50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c427fffaa60: 00 00 00 00 00 00[fa]fa fa fa fa fa fa fa fa fa
0x0c427fffaa70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c427fffaa80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c427fffaa90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c427fffaaa0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c427fffaab0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==1177213==ABORTING
Impact
This is capable of causing crashes.
References
Related
osv
osv
CVE-2023-4758
2023-09-04 16:15:08
cve
cve
CVE-2023-4758
2023-09-04 16:15:08
prion
prion
Buffer overflow
2023-09-04 16:15:00
cvelist
cvelist
CVE-2023-4758 Buffer Over-read in gpac/gpac
2023-09-04 15:47:36
nvd
nvd
CVE-2023-4758
2023-09-04 16:15:08
veracode
veracode
Heap Buffer Overflow
2023-09-07 09:39:13
ubuntucve
ubuntucve
CVE-2023-4758
2023-09-04 00:00:00
debiancve
debiancve
CVE-2023-4758
2023-09-04 16:15:08
redos
redos
ROS-20230918-03
2023-09-18 00:00:00