huntr | functionmain | 526954E6-8683-4697-BFA2-886C3204A1D5
History: Jun 13, 2023 - 9:33 a.m.

heap-buffer-overflow in function id3dmx_flush filters/reframe_mp3.c

2023-06-13 09:33:01
functionmain
www.huntr.dev
11
Tags: mp4box, heap buffer overflow, information security

EPSS: 0.0004 (Low), Percentile: 15.7%

Description

Heap-buffer-overflow in MP4Box.

Version

MP4Box - GPAC version 2.3-DEV-revrelease
(c) 2000-2023 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io

Please cite our work in your research:
	GPAC Filters: https://doi.org/10.1145/3339825.3394929
	GPAC: https://doi.org/10.1145/1291233.1291452

GPAC Configuration: --enable-sanitizer
Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SSL GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_LINUX_DVB  GPAC_DISABLE_3D

Reproduce

Compile and run:

./configure --enable-sanitizer
make

Proof of Concept

./MP4Box -info ./poc.mp3

poc is here!

ASAN

Information reported by the sanitizer:

==32961==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000001bb8 at pc 0x7fe8c604bcc3 bp 0x7ffc04e06160 sp 0x7ffc04e06150
WRITE of size 1 at 0x602000001bb8 thread T0
    #0 0x7fe8c604bcc2 in id3dmx_flush filters/reframe_mp3.c:274
    #1 0x7fe8c604de18 in mp3_dmx_flush_id3 filters/reframe_mp3.c:344
    #2 0x7fe8c604de18 in mp3_dmx_check_pid filters/reframe_mp3.c:417
    #3 0x7fe8c604de18 in mp3_dmx_process filters/reframe_mp3.c:657
    #4 0x7fe8c5bee15e in gf_filter_process_task filter_core/filter.c:2901
    #5 0x7fe8c5badd1a in gf_fs_thread_proc filter_core/filter_session.c:1962
    #6 0x7fe8c5bbb686 in gf_fs_run filter_core/filter_session.c:2264
    #7 0x7fe8c55ea3c6 in gf_media_import media_tools/media_import.c:1239
    #8 0x55a1aa648da1 in convert_file_info /home/functionmain/Desktop/gpac-master/applications/mp4box/fileimport.c:130
    #9 0x55a1aa6123a7 in mp4box_main /home/functionmain/Desktop/gpac-master/applications/mp4box/mp4box.c:6371
    #10 0x7fe8c2814082 in __libc_start_main ../csu/libc-start.c:308
    #11 0x55a1aa5eaebd in _start (/home/functionmain/Desktop/gpac-master/bin/gcc/MP4Box+0xa4ebd)

0x602000001bb8 is located 0 bytes to the right of 8-byte region [0x602000001bb0,0x602000001bb8)
allocated by thread T0 here:
    #0 0x7fe8c87e2c3e in __interceptor_realloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:163
    #1 0x7fe8c604b37a in id3dmx_flush filters/reframe_mp3.c:269
    #2 0x7fe8c604de18 in mp3_dmx_flush_id3 filters/reframe_mp3.c:344
    #3 0x7fe8c604de18 in mp3_dmx_check_pid filters/reframe_mp3.c:417
    #4 0x7fe8c604de18 in mp3_dmx_process filters/reframe_mp3.c:657
    #5 0x7fe8c5bee15e in gf_filter_process_task filter_core/filter.c:2901
    #6 0x7fe8c5badd1a in gf_fs_thread_proc filter_core/filter_session.c:1962
    #7 0x7fe8c5bbb686 in gf_fs_run filter_core/filter_session.c:2264
    #8 0x7fe8c55ea3c6 in gf_media_import media_tools/media_import.c:1239
    #9 0x55a1aa648da1 in convert_file_info /home/functionmain/Desktop/gpac-master/applications/mp4box/fileimport.c:130
    #10 0x55a1aa6123a7 in mp4box_main /home/functionmain/Desktop/gpac-master/applications/mp4box/mp4box.c:6371
    #11 0x7fe8c2814082 in __libc_start_main ../csu/libc-start.c:308

SUMMARY: AddressSanitizer: heap-buffer-overflow filters/reframe_mp3.c:274 in id3dmx_flush
Shadow bytes around the buggy address:
  0x0c047fff8320: fa fa fd fd fa fa 06 fa fa fa 00 01 fa fa 00 00
  0x0c047fff8330: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 00
  0x0c047fff8340: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 00
  0x0c047fff8350: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 00
  0x0c047fff8360: fa fa fd fa fa fa 00 00 fa fa 00 00 fa fa fd fa
=>0x0c047fff8370: fa fa 06 fa fa fa 00[fa]fa fa 05 fa fa fa 03 fa
  0x0c047fff8380: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8390: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff83a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff83b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff83c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==32961==ABORTING
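To show how a triager reads a report like the one above, here is an added Python helper (not part of the huntr report or of GPAC) that parses the key lines of that sanitizer output and extracts what matters for assessment: the bug class, the access kind and size, the faulting frame, the project frame that allocated the region (skipping the ASan interceptor), and whether the write is an exact one-byte overrun past the end of the 8-byte realloc'd region. The report excerpt is embedded inline, taken from the trace above.

```python
import re

# Excerpt of the AddressSanitizer report quoted above (only the lines the parser needs).
ASAN_REPORT = """\
==32961==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000001bb8 at pc 0x7fe8c604bcc3 bp 0x7ffc04e06160 sp 0x7ffc04e06150
WRITE of size 1 at 0x602000001bb8 thread T0
    #0 0x7fe8c604bcc2 in id3dmx_flush filters/reframe_mp3.c:274
    #1 0x7fe8c604de18 in mp3_dmx_flush_id3 filters/reframe_mp3.c:344
0x602000001bb8 is located 0 bytes to the right of 8-byte region [0x602000001bb0,0x602000001bb8)
allocated by thread T0 here:
    #0 0x7fe8c87e2c3e in __interceptor_realloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:163
    #1 0x7fe8c604b37a in id3dmx_flush filters/reframe_mp3.c:269
SUMMARY: AddressSanitizer: heap-buffer-overflow filters/reframe_mp3.c:274 in id3dmx_flush
"""

ERROR_RE = re.compile(r"ERROR: AddressSanitizer: (\S+) on address 0x([0-9a-f]+)")
ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+) at 0x([0-9a-f]+)")
FRAME_RE = re.compile(r"^\s*#\d+ 0x[0-9a-f]+ in (\S+) (\S+)")
REGION_RE = re.compile(r"is located (\d+) bytes to the (left|right) of (\d+)-byte region \[0x([0-9a-f]+),0x([0-9a-f]+)\)")


def triage_asan(report):
    """Parse an ASan heap report into the facts a triager needs: bug class, access kind/size,
    the frame that faulted, the project frame that allocated the region, and whether the
    access is an exact end-of-buffer (off-by-one) overrun rather than a wild pointer."""
    info = {"frames": {"access": [], "alloc": []}}
    stage = "access"  # frames before "allocated by" belong to the access stack
    for line in report.splitlines():
        if m := ERROR_RE.search(line):
            info["bug"] = m.group(1)
        elif m := ACCESS_RE.match(line):
            info["access"], info["size"], addr = m.group(1), int(m.group(2)), int(m.group(3), 16)
        elif m := REGION_RE.search(line):
            info["region_size"] = int(m.group(3))
            end = int(m.group(5), 16)
            # number of bytes beyond the end of the allocation that this access touches
            info["bytes_past_end"] = addr - end + info["size"] if m.group(2) == "right" else 0
        elif line.startswith("allocated by"):
            stage = "alloc"
        elif m := FRAME_RE.match(line):
            info["frames"][stage].append(f"{m.group(1)} {m.group(2)}")
    # skip sanitizer interceptor frames (e.g. __interceptor_realloc) to reach the allocating code
    project = [f for f in info["frames"]["alloc"] if not f.startswith("__interceptor_")]
    info["fault_site"] = info["frames"]["access"][0]
    info["alloc_site"] = project[0]
    info["off_by_one"] = info["bytes_past_end"] == 1
    return info
```

For this report the helper shows the region is grown at reframe_mp3.c:269 and written one byte past its end at line 274 of the same function, which is the pattern of a length miscalculation when appending to a resized buffer rather than a corrupted pointer.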

Impact

This is capable of causing crashes.
