Version
./MP4Box -version
MP4Box - GPAC version 2.3-DEV-rev40-g3602a5ded-master
(c) 2000-2023 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
Please cite our work in your research:
GPAC Filters: https://doi.org/10.1145/3339825.3394929
GPAC: https://doi.org/10.1145/1291233.1291452
GPAC Configuration: --enable-sanitizer --verbose
Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SSL GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_PNG GPAC_HAS_LINUX_DVB GPAC_DISABLE_3D
Reproduce
./configure --enable-sanitizer --enable-debug
make
./MP4Box -info gf_m2ts_process_tdt_tot
Git log
commit 3602a5ded4e57b0044a949f985ee3792f94a9a36 (HEAD -> master, origin/master, origin/HEAD)
Author: Aurelien David <aurelien.david@telecom-paristech.fr>
Date: Thu Feb 9 11:24:23 2023 +0100
mp3dmx: check truncated frames (#2391)
commit ea7395f39f601a7750d48d606e9d10ea0b7beefe
Author: Aurelien David <aurelien.david@telecom-paristech.fr>
Date: Wed Feb 8 16:52:00 2023 +0100
sgpd box entry: disallow null grouping_type (#2389)
Proof of Concept
./MP4Box -info gf_m2ts_process_tdt_tot
=================================================================
==24800==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000001b51 at pc 0x7fa11638a599 bp 0x7fff33c01ff0 sp 0x7fff33c01fe0
READ of size 1 at 0x602000001b51 thread T0
0x602000001b51 is located 0 bytes to the right of 1-byte region [0x602000001b50,0x602000001b51)
allocated by thread T0 here:
SUMMARY: AddressSanitizer: heap-buffer-overflow media_tools/mpegts.c:952 in gf_m2ts_process_tdt_tot
Shadow bytes around the buggy address:
==24800==ABORTING
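As an added illustration of the length validation a TDT/TOT section reader needs before touching any field (this is not GPAC's code; `parse_tdt_tot`, its error codes and the sample bytes are assumptions), a bounds-checked parser for the DVB section layout that rejects the 1-byte input the report crashes on instead of reading past it:

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical bounds-checked reader for DVB TDT (0x70) / TOT (0x73) sections,
 * ETSI EN 300 468 layout. Not GPAC's code: names and structure are assumptions. */
#define TDT_TABLE_ID 0x70
#define TOT_TABLE_ID 0x73
enum { TDT_OK = 0, TDT_ERR_TRUNCATED = -1, TDT_ERR_BAD_TABLE = -2, TDT_ERR_BAD_LENGTH = -3 };

/* UTC_time: 16-bit Modified Julian Date followed by BCD hh mm ss */
typedef struct { uint16_t mjd; uint8_t hour, min, sec; } tdt_time;

static int bcd(uint8_t b) { return (b >> 4) * 10 + (b & 0x0f); }

/* Every field read is preceded by a check that data_len covers it, so a
 * 1-byte buffer (the case in the ASan report) returns TDT_ERR_TRUNCATED
 * instead of reading one byte past the allocation. */
int parse_tdt_tot(const uint8_t *data, size_t data_len, tdt_time *out)
{
    if (data_len < 3) return TDT_ERR_TRUNCATED;            /* table_id + section_length */
    uint8_t table_id = data[0];
    if (table_id != TDT_TABLE_ID && table_id != TOT_TABLE_ID) return TDT_ERR_BAD_TABLE;
    size_t section_length = (size_t)(((data[1] & 0x0f) << 8) | data[2]);
    if (section_length > data_len - 3) return TDT_ERR_TRUNCATED; /* claimed length exceeds buffer */
    if (section_length < 5) return TDT_ERR_BAD_LENGTH;            /* UTC_time is 40 bits */
    const uint8_t *p = data + 3;
    out->mjd  = (uint16_t)((p[0] << 8) | p[1]);
    out->hour = (uint8_t)bcd(p[2]);
    out->min  = (uint8_t)bcd(p[3]);
    out->sec  = (uint8_t)bcd(p[4]);
    if (table_id == TOT_TABLE_ID) {
        /* TOT adds reserved(4)+descriptors_loop_length(12), descriptors, CRC_32 */
        if (section_length < 5 + 2 + 4) return TDT_ERR_BAD_LENGTH;
        size_t loop_len = (size_t)(((p[5] & 0x0f) << 8) | p[6]);
        if (loop_len > section_length - 5 - 2 - 4) return TDT_ERR_TRUNCATED;
    }
    return TDT_OK;
}

/* Constructed samples: a 1-byte section like the crashing input, and a valid
 * TDT carrying MJD 0xC079 (1993-10-13) 12:45:00 as in the EN 300 468 example. */
int demo_one_byte_section(void) {
    static const uint8_t s[] = { 0x70 };
    tdt_time t;
    return parse_tdt_tot(s, sizeof s, &t);
}
int demo_valid_tdt_hour(void) {
    static const uint8_t s[] = { 0x70, 0x70, 0x05, 0xC0, 0x79, 0x12, 0x45, 0x00 };
    tdt_time t;
    return parse_tdt_tot(s, sizeof s, &t) == TDT_OK ? t.hour : -1;
}
int main(void) {
    printf("1-byte section -> %d, valid TDT hour -> %d\n", demo_one_byte_section(), demo_valid_tdt_hour());
    return 0;
}
```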