huntr report DDFDB41D-E708-4FEC-AFE5-68FF1F88F830 (reporter: functionmain)
History: Aug 31, 2023 - 2:23 a.m.

signed integer overflow in filters/mux_isom.c:5716:20

Reported: 2023-08-31 02:23:26
Reporter: functionmain
Source: www.huntr.dev
Tags: mp4box, signed integer overflow, mux_isom.c, double-free, crash, bug bounty

EPSS: 0.0004 (Low), percentile 12.7%

Description

A signed integer overflow is triggered in MP4Box (filters/mux_isom.c:5716:20) while DASH-segmenting the attached input file; a build without the sanitizer continues past the overflow and eventually aborts in glibc's allocator with a double-free.

It is uncertain whether the signed integer overflow is directly related to the double-free.

Version

$ ./bin/gcc/MP4Box -version
MP4Box - GPAC version 2.3-DEV-revrelease
(c) 2000-2023 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io

Please cite our work in your research:
	GPAC Filters: https://doi.org/10.1145/3339825.3394929
	GPAC: https://doi.org/10.1145/1291233.1291452

GPAC Configuration: --enable-sanitizer
Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SSL GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_LINUX_DVB  GPAC_DISABLE_3D

Reproduce

Compile and run:

./configure --enable-sanitizer
make

Proof of Concept

./bin/gcc/MP4Box -dash 1000 ./crash000173

poc_crash000173 is here.

ASAN details

information reported by sanitizer

$ ../bin/gcc/MP4Box -dash 1000 ./crash000173
[iso file] default sample description set to 241 but only 1 sample description(s), likely broken ! Fixing to 1
[iso file] default sample description set to 241 but only 1 sample description(s), likely broken ! Fixing to 1
[iso file] TFDT timing 3 higher than cumulated timing 12884901123 (last sample got extended in duration)
[Dasher] No template assigned, using $File$_dash$FS$$Number$
[Dasher] No bitrate property assigned to PID V1, computing from bitstream
filters/mux_isom.c:5716:20: runtime error: signed integer overflow: 25769802246 * 1406331903 cannot be represented in type 'long int'

When compiled without ASAN, the run continues past the overflow and ends in a double-free abort:

./gpac-master-noasan/bin/gcc/MP4Box -dash 1000 ./crash000173
[iso file] default sample description set to 241 but only 1 sample description(s), likely broken ! Fixing to 1
[iso file] default sample description set to 241 but only 1 sample description(s), likely broken ! Fixing to 1
[iso file] TFDT timing 3 higher than cumulated timing 12884901123 (last sample got extended in duration)
[Dasher] No template assigned, using $File$_dash$FS$$Number$
[Dasher] No bitrate property assigned to PID V1, computing from bitstream
[IsoMedia] File truncated, aborting read for track 115396044.92s 50 %
[MP4Mux] PID A2 ID 2 Sample 2 with DTS 0 less than previous sample DTS 0, patching DTS
[MP4Mux] PID A2 ID 2 Sample 3 with DTS 0 less than previous sample DTS 1, patching DTS
[MPD] Generating MPD at time 2023-08-31T01:51:21.969Z
[Dasher] End of Period 
[Dasher] End of MPD (no more active streams)

free(): double free detected in tcache 2

Impact

This is capable of causing crashes.
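The UBSan line above shows two 64-bit operands whose product (about 3.6e19) exceeds INT64_MAX (about 9.22e18), so the multiplication is undefined behaviour in C and, without the sanitizer, silently wraps. The code below is an added example, not GPAC's code and not a reconstruction of what line 5716 of mux_isom.c computes: it shows the overflow-checked multiply and the checked "value * num / den" rescale that a muxer should use for timestamp and duration arithmetic on untrusted container fields, and replays the reported operand pair through it. Function names and the sample inputs are assumptions made for the example.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Multiply two int64_t values, reporting overflow instead of performing it.
 * Written portably with division-based bounds checks; on GCC/Clang the
 * equivalent one-liner is __builtin_mul_overflow(a, b, out). */
bool mul_i64_checked(int64_t a, int64_t b, int64_t *out)
{
    if (a == 0 || b == 0) { *out = 0; return true; }
    if (a > 0) {
        if (b > 0) { if (a > INT64_MAX / b) return false; }
        else       { if (b < INT64_MIN / a) return false; }
    } else {
        if (b > 0) { if (a < INT64_MIN / b) return false; }
        else       { if (b < INT64_MAX / a) return false; } /* covers a == -1, b == INT64_MIN */
    }
    *out = a * b;
    return true;
}

/* Checked "value * num / den" rescale (the typical timescale conversion in a
 * muxer). Fails instead of overflowing or dividing by zero; the caller decides
 * whether to reject the input or clamp. */
bool rescale_i64_checked(int64_t value, int64_t num, int64_t den, int64_t *out)
{
    int64_t prod;
    if (den == 0) return false;
    if (!mul_i64_checked(value, num, &prod)) return false;
    if (prod == INT64_MIN && den == -1) return false; /* the one overflowing division */
    *out = prod / den;
    return true;
}

/* Replays the operand pair from the UBSan report (25769802246 * 1406331903).
 * Returns true if the multiply would have been safe, false if it overflows. */
bool report_operands_are_safe(void)
{
    int64_t r;
    return mul_i64_checked(25769802246LL, 1406331903LL, &r);
}

int main(void)
{
    int64_t r;
    /* Constructed sample: a duration of 12884901123 ticks rescaled from a
     * 90000 Hz timescale to 1000 Hz. Values chosen for the example only. */
    if (rescale_i64_checked(12884901123LL, 1000, 90000, &r))
        printf("rescaled duration: %lld\n", (long long)r);
    else
        printf("rescale rejected: overflow or zero timescale\n");

    printf("operands from the report are %s\n",
           report_operands_are_safe() ? "safe" : "an overflow");
    return 0;
}
```

The point for a muxer is that every field feeding these multiplies (sample durations, TFDT offsets, timescales) comes from the file and is attacker-controlled, so the arithmetic must fail closed rather than rely on two's-complement wraparound, which is not something the C standard guarantees for signed types.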

References

poc_crash000173 is here.
