Lucene search
Qianshuidewajueji7D3C5792-D20B-4CB6-9C6D-BB14F3430D7FHistoryFeb 15, 2023 - 12:04 p.m.
heap-buffer-overflow in function adts_dmx_process filters/reframe_adts.c
2023-02-1512:04:07
qianshuidewajueji
www.huntr.dev
10
heap buffer overflow
adts dmx process
reframe adts
gpac
version 2.3
sanitizer
configuration
research document
unsupported multi-block adts frame header
patch welcome
0.001 Low
EPSS
Percentile
23.6%
Version
MP4Box - GPAC version 2.3-DEV-rev44-gbe9f8d395-master
(c) 2000-2023 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
Please cite our work in your research:
GPAC Filters: https://doi.org/10.1145/3339825.3394929
GPAC: https://doi.org/10.1145/1291233.1291452
GPAC Configuration: --enable-sanitizer --verbose
Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SSL GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_PNG GPAC_HAS_LINUX_DVB GPAC_DISABLE_3D
Reproduce
complie and run
./configure --enable-sanitizer
make
./MP4Box -info poc
information reported by sanitizer
ā gcc git:(master) ā ./MP4Box -info ./adts_dmx_process_poc
[ADTSDmx] Unsupported multi-block ADTS frame header - patch welcome
[ADTSDmx] Unsupported multi-block ADTS frame header - patch welcome
[ADTSDmx] Unsupported multi-block ADTS frame header - patch welcome
[ADTSDmx] Unsupported multi-block ADTS frame header - patch welcome
[ADTSDmx] Unsupported multi-block ADTS frame header - patch welcome
[ADTSDmx] Unsupported multi-block ADTS frame header - patch welcome
[ADTSDmx] Unsupported multi-block ADTS frame header - patch welcome
[ADTSDmx] Unsupported multi-block ADTS frame header - patch welcome
[ADTSDmx] Unsupported multi-block ADTS frame header - patch welcome
[ADTSDmx] Unsupported multi-block ADTS frame header - patch welcome
[ADTSDmx] Unsupported multi-block ADTS frame header - patch welcome
[ADTSDmx] Unsupported multi-block ADTS frame header - patch welcome
[ADTSDmx] Unsupported multi-block ADTS frame header - patch welcome
[ADTSDmx] Unsupported multi-block ADTS frame header - patch welcome
[ADTSDmx] Unsupported multi-block ADTS frame header - patch welcome
[ADTSDmx] Unsupported multi-block ADTS frame header - patch welcome
[ADTSDmx] Unsupported multi-block ADTS frame header - patch welcome
[ADTSDmx] Unsupported multi-block ADTS frame header - patch welcome
[ADTSDmx] Unsupported multi-block ADTS frame header - patch welcome
[ADTSDmx] Unsupported multi-block ADTS frame header - patch welcome
[ADTSDmx] Unsupported multi-block ADTS frame header - patch welcome
[ADTSDmx] Unsupported multi-block ADTS frame header - patch welcome
[ADTSDmx] Unsupported multi-block ADTS frame header - patch welcome
[ADTSDmx] Unsupported multi-block ADTS frame header - patch welcome
[ADTSDmx] Unsupported multi-block ADTS frame header - patch welcome
[ADTSDmx] Unsupported multi-block ADTS frame header - patch welcome
[ADTSDmx] Unsupported multi-block ADTS frame header - patch welcome
[ADTSDmx] Unsupported multi-block ADTS frame header - patch welcome
[ADTSDmx] Unsupported multi-block ADTS frame header - patch welcome
[ADTSDmx] Unsupported multi-block ADTS frame header - patch welcome
[ADTSDmx] Unsupported multi-block ADTS frame header - patch welcome
[ADTSDmx] Unsupported multi-block ADTS frame header - patch welcome
[ADTSDmx] Unsupported multi-block ADTS frame header - patch welcome
[ADTSDmx] Unsupported multi-block ADTS frame header - patch welcome
[ADTSDmx] Unsupported multi-block ADTS frame header - patch welcome
[ADTSDmx] Unsupported multi-block ADTS frame header - patch welcome
[ADTSDmx] Unsupported multi-block ADTS frame header - patch welcome
[ADTSDmx] Unsupported multi-block ADTS frame header - patch welcome
[ADTSDmx] Unsupported multi-block ADTS frame header - patch welcome
[ADTSDmx] Unsupported multi-block ADTS frame header - patch welcome
[ADTSDmx] Unsupported multi-block ADTS frame header - patch welcome
[ADTSDmx] Unsupported multi-block ADTS frame header - patch welcome
[ADTSDmx] Unsupported multi-block ADTS frame header - patch welcome
[ADTSDmx] Unsupported multi-block ADTS frame header - patch welcome
[ADTSDmx] Unsupported multi-block ADTS frame header - patch welcome
[ADTSDmx] Unsupported multi-block ADTS frame header - patch welcome
[ADTSDmx] Unsupported multi-block ADTS frame header - patch welcome
[ADTSDmx] Unsupported multi-block ADTS frame header - patch welcome
[ADTSDmx] Unsupported multi-block ADTS frame header - patch welcome
[ADTSDmx] Unsupported multi-block ADTS frame header - patch welcome
[ADTSDmx] Unsupported multi-block ADTS frame header - patch welcome
[ADTSDmx] Unsupported multi-block ADTS frame header - patch welcome
[ADTSDmx] Unsupported multi-block ADTS frame header - patch welcome
[ADTSDmx] Unsupported multi-block ADTS frame header - patch welcome
[ADTSDmx] Unsupported multi-block ADTS frame header - patch welcome
[ADTSDmx] Unsupported multi-block ADTS frame header - patch welcome
[ADTSDmx] Unsupported multi-block ADTS frame header - patch welcome
[ADTSDmx] Unsupported multi-block ADTS frame header - patch welcome
[ADTSDmx] Unsupported multi-block ADTS frame header - patch welcome
[ADTSDmx] Unsupported multi-block ADTS frame header - patch welcome
[ADTSDmx] Unsupported multi-block ADTS frame header - patch welcome
[ADTSDmx] Unsupported multi-block ADTS frame header - patch welcome
[ADTSDmx] Unsupported multi-block ADTS frame header - patch welcome
[ADTSDmx] Unsupported multi-block ADTS frame header - patch welcome
[ADTSDmx] Unsupported multi-block ADTS frame header - patch welcome
[ADTSDmx] Unsupported multi-block ADTS frame header - patch welcome
[ADTSDmx] Unsupported multi-block ADTS frame header - patch welcome
[ADTSDmx] Unsupported multi-block ADTS frame header - patch welcome
[ADTSDmx] Unsupported multi-block ADTS frame header - patch welcome
[ADTSDmx] Unsupported multi-block ADTS frame header - patch welcome
[ADTSDmx] Unsupported multi-block ADTS frame header - patch welcome
[ADTSDmx] Unsupported multi-block ADTS frame header - patch welcome
[ADTSDmx] Unsupported multi-block ADTS frame header - patch welcome
[ADTSDmx] Unsupported multi-block ADTS frame header - patch welcome
[ADTSDmx] Unsupported multi-block ADTS frame header - patch welcome
[ADTSDmx] Unsupported multi-block ADTS frame header - patch welcome
[ADTSDmx] Unsupported multi-block ADTS frame header - patch welcome
[ADTSDmx] Unsupported multi-block ADTS frame header - patch welcome
[ADTSDmx] Unsupported multi-block ADTS frame header - patch welcome
[ADTSDmx] Unsupported multi-block ADTS frame header - patch welcome
[ADTSDmx] Unsupported multi-block ADTS frame header - patch welcome
[ADTSDmx] Unsupported multi-block ADTS frame header - patch welcome
[ADTSDmx] Unsupported multi-block ADTS frame header - patch welcome
[ADTSDmx] Unsupported multi-block ADTS frame header - patch welcome
[ADTSDmx] Unsupported multi-block ADTS frame header - patch welcome
[ADTSDmx] Unsupported multi-block ADTS frame header - patch welcome
[ADTSDmx] Unsupported multi-block ADTS frame header - patch welcome
[ADTSDmx] Unsupported multi-block ADTS frame header - patch welcome
[ADTSDmx] Unsupported multi-block ADTS frame header - patch welcome
[ADTSDmx] Unsupported multi-block ADTS frame header - patch welcome
[ADTSDmx] Unsupported multi-block ADTS frame header - patch welcome
[ADTSDmx] Unsupported multi-block ADTS frame header - patch welcome
[ADTSDmx] Unsupported multi-block ADTS frame header - patch welcome
[ADTSDmx] Unsupported multi-block ADTS frame header - patch welcome
[ADTSDmx] Unsupported multi-block ADTS frame header - patch welcome
[ADTSDmx] Unsupported multi-block ADTS frame header - patch welcome
[ADTSDmx] Unsupported multi-block ADTS frame header - patch welcome
[ADTSDmx] Unsupported multi-block ADTS frame header - patch welcome
[ADTSDmx] Unsupported multi-block ADTS frame header - patch welcome
[ADTSDmx] Unsupported multi-block ADTS frame header - patch welcome
[ADTSDmx] Unsupported multi-block ADTS frame header - patch welcome
[ADTSDmx] Unsupported multi-block ADTS frame header - patch welcome
[ADTSDmx] Unsupported multi-block ADTS frame header - patch welcome
[ADTSDmx] Unsupported multi-block ADTS frame header - patch welcome
[ADTSDmx] Unsupported multi-block ADTS frame header - patch welcome
[ADTSDmx] Unsupported multi-block ADTS frame header - patch welcome
[ADTSDmx] Unsupported multi-block ADTS frame header - patch welcome
[ADTSDmx] Unsupported multi-block ADTS frame header - patch welcome
[ADTSDmx] Unsupported multi-block ADTS frame header - patch welcome
[ADTSDmx] Unsupported multi-block ADTS frame header - patch welcome
[ADTSDmx] Unsupported multi-block ADTS frame header - patch welcome
[ADTSDmx] Unsupported multi-block ADTS frame header - patch welcome
[ADTSDmx] Unsupported multi-block ADTS frame header - patch welcome
[ADTSDmx] Unsupported multi-block ADTS frame header - patch welcome
[ADTSDmx] Unsupported multi-block ADTS frame header - patch welcome
[ADTSDmx] Unsupported multi-block ADTS frame header - patch welcome
[ADTSDmx] Unsupported multi-block ADTS frame header - patch welcome
[ADTSDmx] Unsupported multi-block ADTS frame header - patch welcome
[ADTSDmx] Unsupported multi-block ADTS frame header - patch welcome
[ADTSDmx] Unsupported multi-block ADTS frame header - patch welcome
[ADTSDmx] Unsupported multi-block ADTS frame header - patch welcome
[ADTSDmx] Unsupported multi-block ADTS frame header - patch welcome
[ADTSDmx] Unsupported multi-block ADTS frame header - patch welcome
[ADTSDmx] Unsupported multi-block ADTS frame header - patch welcome
[ADTSDmx] Unsupported multi-block ADTS frame header - patch welcome
[ADTSDmx] Unsupported multi-block ADTS frame header - patch welcome
[ADTSDmx] Unsupported multi-block ADTS frame header - patch welcome
[ADTSDmx] Unsupported multi-block ADTS frame header - patch welcome
[ADTSDmx] Unsupported multi-block ADTS frame header - patch welcome
[ADTSDmx] Unsupported multi-block ADTS frame header - patch welcome
[ADTSDmx] Unsupported multi-block ADTS frame header - patch welcome
[ADTSDmx] Unsupported multi-block ADTS frame header - patch welcome
[ADTSDmx] Unsupported multi-block ADTS frame header - patch welcome
[ADTSDmx] Unsupported multi-block ADTS frame header - patch welcome
[ADTSDmx] Unsupported multi-block ADTS frame header - patch welcome
[ADTSDmx] Unsupported multi-block ADTS frame header - patch welcome
[ADTSDmx] Unsupported multi-block ADTS frame header - patch welcome
[ADTSDmx] Unsupported multi-block ADTS frame header - patch welcome
[ADTSDmx] Unsupported multi-block ADTS frame header - patch welcome
[ADTSDmx] Unsupported multi-block ADTS frame header - patch welcome
[ADTSDmx] Unsupported multi-block ADTS frame header - patch welcome
[ADTSDmx] Unsupported multi-block ADTS frame header - patch welcome
[ADTSDmx] Unsupported multi-block ADTS frame header - patch welcome
[ADTSDmx] Unsupported multi-block ADTS frame header - patch welcome
[ADTSDmx] Unsupported multi-block ADTS frame header - patch welcome
[ADTSDmx] Unsupported multi-block ADTS frame header - patch welcome
[ADTSDmx] Unsupported multi-block ADTS frame header - patch welcome
[ADTSDmx] Unsupported multi-block ADTS frame header - patch welcome
[ADTSDmx] Unsupported multi-block ADTS frame header - patch welcome
[ADTSDmx] Unsupported multi-block ADTS frame header - patch welcome
[ADTSDmx] Unsupported multi-block ADTS frame header - patch welcome
[ADTSDmx] Unsupported multi-block ADTS frame header - patch welcome
[ADTSDmx] Unsupported multi-block ADTS frame header - patch welcome
[ADTSDmx] Unsupported multi-block ADTS frame header - patch welcome
[ADTSDmx] Unsupported multi-block ADTS frame header - patch welcome
[ADTSDmx] Unsupported multi-block ADTS frame header - patch welcome
[ADTSDmx] Unsupported multi-block ADTS frame header - patch welcome
[ADTSDmx] Unsupported multi-block ADTS frame header - patch welcome
[ADTSDmx] Unsupported multi-block ADTS frame header - patch welcome
[ADTSDmx] Unsupported multi-block ADTS frame header - patch welcome
[ADTSDmx] Unsupported multi-block ADTS frame header - patch welcome
[ADTSDmx] Unsupported multi-block ADTS frame header - patch welcome
[ADTSDmx] Unsupported multi-block ADTS frame header - patch welcome
[ADTSDmx] Unsupported multi-block ADTS frame header - patch welcome
[ADTSDmx] Unsupported multi-block ADTS frame header - patch welcome
[ADTSDmx] Unsupported multi-block ADTS frame header - patch welcome
[ADTSDmx] Unsupported multi-block ADTS frame header - patch welcome
[ADTSDmx] Unsupported multi-block ADTS frame header - patch welcome
[ADTSDmx] Unsupported multi-block ADTS frame header - patch welcome
[ADTSDmx] Unsupported multi-block ADTS frame header - patch welcome
[ADTSDmx] Unsupported multi-block ADTS frame header - patch welcome
[ADTSDmx] Unsupported multi-block ADTS frame header - patch welcome
[ADTSDmx] Unsupported multi-block ADTS frame header - patch welcome
[ADTSDmx] Unsupported multi-block ADTS frame header - patch welcome
[ADTSDmx] Unsupported multi-block ADTS frame header - patch welcome
[ADTSDmx] Unsupported multi-block ADTS frame header - patch welcome
[ADTSDmx] Unsupported multi-block ADTS frame header - patch welcome
[ADTSDmx] Unsupported multi-block ADTS frame header - patch welcome
[ADTSDmx] Unsupported multi-block ADTS frame header - patch welcome
[ADTSDmx] Unsupported multi-block ADTS frame header - patch welcome
[ADTSDmx] Unsupported multi-block ADTS frame header - patch welcome
[ADTSDmx] Unsupported multi-block ADTS frame header - patch welcome
[ADTSDmx] Unsupported multi-block ADTS frame header - patch welcome
[ADTSDmx] Unsupported multi-block ADTS frame header - patch welcome
[ADTSDmx] Unsupported multi-block ADTS frame header - patch welcome
=================================================================
==6277==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61e00000fb8e at pc 0x7f68193a0490 bp 0x7fff943fa890 sp 0x7fff943fa038
READ of size 6134 at 0x61e00000fb8e thread T0
#0 0x7f68193a048f in __interceptor_memcpy ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:790
#1 0x7f6816cc2268 in memcpy /usr/include/x86_64-linux-gnu/bits/string_fortified.h:34
#2 0x7f6816cc2268 in adts_dmx_process filters/reframe_adts.c:831
#3 0x7f68168d612d in gf_filter_process_task filter_core/filter.c:2828
#4 0x7f68168980c2 in gf_fs_thread_proc filter_core/filter_session.c:1859
#5 0x7f68168a4896 in gf_fs_run filter_core/filter_session.c:2120
#6 0x7f68162e2806 in gf_media_import media_tools/media_import.c:1228
#7 0x5636382583b1 in convert_file_info /home/qianshuidewajueji/gpac/applications/mp4box/fileimport.c:130
#8 0x563638227db5 in mp4box_main /home/qianshuidewajueji/gpac/applications/mp4box/mp4box.c:6302
#9 0x7f6813579082 in __libc_start_main ../csu/libc-start.c:308
#10 0x5636381fbcfd in _start (/home/qianshuidewajueji/gpac/bin/gcc/MP4Box+0xa3cfd)
0x61e00000fb8e is located 0 bytes to the right of 2830-byte region [0x61e00000f080,0x61e00000fb8e)
allocated by thread T0 here:
#0 0x7f6819412c3e in __interceptor_realloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:163
#1 0x7f6816cc2cee in adts_dmx_process filters/reframe_adts.c:606
#2 0x7f68168d612d in gf_filter_process_task filter_core/filter.c:2828
#3 0x7f68168980c2 in gf_fs_thread_proc filter_core/filter_session.c:1859
#4 0x7f68168a4896 in gf_fs_run filter_core/filter_session.c:2120
#5 0x7f68162e2806 in gf_media_import media_tools/media_import.c:1228
#6 0x5636382583b1 in convert_file_info /home/qianshuidewajueji/gpac/applications/mp4box/fileimport.c:130
#7 0x563638227db5 in mp4box_main /home/qianshuidewajueji/gpac/applications/mp4box/mp4box.c:6302
#8 0x7f6813579082 in __libc_start_main ../csu/libc-start.c:308
SUMMARY: AddressSanitizer: heap-buffer-overflow ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:790 in __interceptor_memcpy
Shadow bytes around the buggy address:
0x0c3c7fff9f20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c3c7fff9f30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c3c7fff9f40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c3c7fff9f50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c3c7fff9f60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c3c7fff9f70: 00[06]fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c3c7fff9f80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c3c7fff9f90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c3c7fff9fa0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c3c7fff9fb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c3c7fff9fc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==6277==ABORTING
Git log
commit be9f8d395bbd196e3812e9cd80708f06bcc206f7 (HEAD -> master, origin/master, origin/HEAD)
Author: Aurelien David <aurelien.david@telecom-paristech.fr>
Date: Mon Feb 13 15:42:23 2023 +0100
mhas: check idx not oob (#2398)
commit 377ab25f3e502db2934a9cf4b54739e1c89a02ff
Author: Aurelien David <aurelien.david@telecom-paristech.fr>
Date: Mon Feb 13 15:42:10 2023 +0100
fix a5efec8 to cover more cases (#2397)
Credit
qianshuidewajueji@QAX src
Related
ubuntucve
ubuntucve
CVE-2023-0866
2023-02-16 00:00:00
cvelist
cvelist
CVE-2023-0866 Heap-based Buffer Overflow in gpac/gpac
2023-02-16 00:00:00
osv
osv
CVE-2023-0866
2023-02-16 20:15:15
gpac - security update
2023-05-26 00:00:00
debiancve
debiancve
CVE-2023-0866
2023-02-16 20:15:15
prion
prion
Heap overflow
2023-02-16 20:15:00
nvd
nvd
CVE-2023-0866
2023-02-16 20:15:15
veracode
veracode
Heap-based Buffer Overflow
2023-02-21 07:40:03
cve
cve
CVE-2023-0866
2023-02-16 20:15:15
nessus
nessus
Debian DSA-5411-1 : gpac - security update
2023-05-27 00:00:00
openvas
openvas
Debian: Security Advisory (DSA-5411-1)
2023-05-29 00:00:00
debian
debian
[SECURITY] [DSA 5411-1] gpac security update
2023-05-26 14:00:08