Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
huntrFunctionmainB7ED24AD-7D0B-40B7-8F4D-3C18A906620C
HistorySep 01, 2023 - 3:19 a.m.

heap-buffer-overflow in function swf_def_font scene_manager/swf_parse.c:1449

2023-09-0103:19:34
functionmain
www.huntr.dev
7
mp4box
buffer overflow
gpac
version
address sanitizer
scene manager
swf
parsing
asan
heap
overflow
error
enable
sanitizer
report.

0.0004 Low

EPSS

Percentile

12.7%

JSON

Description

Heap-buffer-overflow in MP4Box.

Version

$ ./bin/gcc/MP4Box -version
MP4Box - GPAC version 2.3-DEV-revrelease
(c) 2000-2023 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io

Please cite our work in your research:
	GPAC Filters: https://doi.org/10.1145/3339825.3394929
	GPAC: https://doi.org/10.1145/1291233.1291452

GPAC Configuration: --enable-sanitizer
Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SSL GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_LINUX_DVB  GPAC_DISABLE_3D

Reproduce

complie and run

./configure --enable-sanitizer
make

Proof of Concept

./bin/gcc/MP4Box -dash 1000 -out /dev/null ./crash1

POC_crash000394 is here

ASAN

information reported by sanitizer

$ ./bin/gcc/MP4Box -dash 1000 ./crash000394
SWF Import - Scene Size 37.7x-30.65 - 512 frames @ 0 FPS
[TXTIn] swf -> svg not fully migrated, using SWF flags 0 and no flatten angle. Patch welcome
[Dasher] No template assigned, using $File$_dash$FS$$Number$
[Dasher] No bitrate property assigned to PID crash000394, computing from bitstream
[SWF Parsing] Tag UnknownTag (0x1a4) not implemented - skipping (frame 1)
[SWF Parsing] Tag UnknownTag (0x1bd) not implemented - skipping (frame 1)
[SWF Parsing] Tag UnknownTag (0x12f) not implemented - skipping (frame 1)
[SWF Parsing] Tag UnknownTag (0x15b) not implemented - skipping (frame 1)
[SWF Parsing] tag DefineShape3 over-read of 20608 bytes (size 23) (frame 1)
[SWF Parsing] Tag UnknownTag (0x1d0) not implemented - skipping (frame 1)
[SWF Parsing] Tag UnknownTag (0x1d5) not implemented - skipping (frame 1)
[SWF Parsing] Tag UnknownTag (0x144) not implemented - skipping (frame 1)
=================================================================
==491931==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000002750 at pc 0x7f555206c5d3 bp 0x7fff4f3717c0 sp 0x7fff4f3717b0
WRITE of size 4 at 0x602000002750 thread T0
    #0 0x7f555206c5d2 in swf_def_font scene_manager/swf_parse.c:1449
    #1 0x7f555206c5d2 in swf_process_tag scene_manager/swf_parse.c:2350
    #2 0x7f555206c5d2 in swf_parse_tag scene_manager/swf_parse.c:2422
    #3 0x7f555275c089 in gf_text_process_swf filters/load_text.c:2542
    #4 0x7f555275c089 in gf_text_process_swf filters/load_text.c:2519
    #5 0x7f55527714a2 in txtin_process filters/load_text.c:3992
    #6 0x7f5552469dbe in gf_filter_process_task filter_core/filter.c:2971
    #7 0x7f55524290ea in gf_fs_thread_proc filter_core/filter_session.c:1962
    #8 0x7f5552436a56 in gf_fs_run filter_core/filter_session.c:2261
    #9 0x7f5551dcc03d in gf_dasher_process media_tools/dash_segmenter.c:1236
    #10 0x560d3aaebc26 in do_dash /home/functionmain/Desktop/gpac-master-asan/applications/mp4box/mp4box.c:4825
    #11 0x560d3aaebc26 in mp4box_main /home/functionmain/Desktop/gpac-master-asan/applications/mp4box/mp4box.c:6239
    #12 0x7f554f078082 in __libc_start_main ../csu/libc-start.c:308
    #13 0x560d3aac3fcd in _start (/home/functionmain/Desktop/gpac-master-asan/bin/gcc/MP4Box+0xa5fcd)

0x602000002751 is located 0 bytes to the right of 1-byte region [0x602000002750,0x602000002751)
allocated by thread T0 here:
    #0 0x7f5555079808 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:144
    #1 0x7f5552068180 in swf_def_font scene_manager/swf_parse.c:1448
    #2 0x7f5552068180 in swf_process_tag scene_manager/swf_parse.c:2350
    #3 0x7f5552068180 in swf_parse_tag scene_manager/swf_parse.c:2422
    #4 0x7f555275c089 in gf_text_process_swf filters/load_text.c:2542
    #5 0x7f555275c089 in gf_text_process_swf filters/load_text.c:2519
    #6 0x7f55527714a2 in txtin_process filters/load_text.c:3992
    #7 0x7f5552469dbe in gf_filter_process_task filter_core/filter.c:2971
    #8 0x7f55524290ea in gf_fs_thread_proc filter_core/filter_session.c:1962
    #9 0x7f5552436a56 in gf_fs_run filter_core/filter_session.c:2261
    #10 0x7f5551dcc03d in gf_dasher_process media_tools/dash_segmenter.c:1236
    #11 0x560d3aaebc26 in do_dash /home/functionmain/Desktop/gpac-master-asan/applications/mp4box/mp4box.c:4825
    #12 0x560d3aaebc26 in mp4box_main /home/functionmain/Desktop/gpac-master-asan/applications/mp4box/mp4box.c:6239
    #13 0x7f554f078082 in __libc_start_main ../csu/libc-start.c:308

SUMMARY: AddressSanitizer: heap-buffer-overflow scene_manager/swf_parse.c:1449 in swf_def_font
Shadow bytes around the buggy address:
  0x0c047fff8490: fa fa fd fd fa fa fd fd fa fa fd fa fa fa fd fa
  0x0c047fff84a0: fa fa fd fa fa fa fd fa fa fa fd fd fa fa fd fa
  0x0c047fff84b0: fa fa fd fd fa fa fd fa fa fa fd fd fa fa fd fd
  0x0c047fff84c0: fa fa fd fd fa fa fd fd fa fa fd fa fa fa fd fa
  0x0c047fff84d0: fa fa fd fa fa fa 00 00 fa fa 00 00 fa fa 00 00
=>0x0c047fff84e0: fa fa 00 00 fa fa 00 00 fa fa[01]fa fa fa fa fa
  0x0c047fff84f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8500: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8510: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8520: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8530: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==491931==ABORTING

Impact

This is capable of causing crashes.

References

POC_crash000394 is here

Related

cvelist 1
osv 1
nvd 1
veracode 1
cve 1
prion 1
ubuntucve 1
debiancve 1
redos 1
cvelist
cvelist
CVE-2023-4754 Out-of-bounds Write in gpac/gpac
2023-09-04 08:24:38
osv
osv
CVE-2023-4754
2023-09-04 09:15:07
nvd
nvd
CVE-2023-4754
2023-09-04 09:15:07
veracode
veracode
Heap Buffer Overflow
2023-09-07 07:21:14
cve
cve
CVE-2023-4754
2023-09-04 09:15:07
prion
prion
Design/Logic Flaw
2023-09-04 09:15:00
ubuntucve
ubuntucve
CVE-2023-4754
2023-09-04 00:00:00
debiancve
debiancve
CVE-2023-4754
2023-09-04 09:15:07
redos
redos
ROS-20230918-03
2023-09-18 00:00:00

0.0004 Low

EPSS

Percentile

12.7%

JSON
Related for B7ED24AD-7D0B-40B7-8F4D-3C18A906620C
cvelist1osv1nvd1veracode1cve1prion1ubuntucve1debiancve1redos1