Lucene search
FunctionmainF457DC62-3CFF-47BD-8FD2-1CB2B4A832FCHistoryAug 31, 2023 - 2:45 a.m.
Out of Bounds Read in MPEG12_ParseSeqHdr media_tools/mpeg2_ps.c
2023-08-3102:45:03
functionmain
www.huntr.dev
6
asan
heap-buffer-overflow
mpeg12_parseseqhdr
gpac
mp4box
addresssanitizer
0.0004 Low
EPSS
Percentile
12.7%
Description
Out of Bounds Read in MP4Box.
Version
$ ./bin/gcc/MP4Box -version
MP4Box - GPAC version 2.3-DEV-revrelease
(c) 2000-2023 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
Please cite our work in your research:
GPAC Filters: https://doi.org/10.1145/3339825.3394929
GPAC: https://doi.org/10.1145/1291233.1291452
GPAC Configuration: --enable-sanitizer
Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SSL GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_LINUX_DVB GPAC_DISABLE_3D
Reproduce
complie and run
./configure --enable-sanitizer
make
Proof of Concept
./bin/gcc/MP4Box -dash 1000 ./crash000086
poc_crash000086 is here
ASAN
information reported by sanitizer
$ ./bin/gcc/MP4Box -dash 1000 ./crash000086
=================================================================
==3400280==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x629000059200 at pc 0x7f9f454eb2ad bp 0x7ffc60dd7560 sp 0x7ffc60dd7550
READ of size 1 at 0x629000059200 thread T0
#0 0x7f9f454eb2ac in MPEG12_ParseSeqHdr media_tools/mpeg2_ps.c:273
#1 0x7f9f454ee983 in get_info_from_frame media_tools/mpeg2_ps.c:990
#2 0x7f9f454ee983 in get_info_for_all_streams media_tools/mpeg2_ps.c:1203
#3 0x7f9f454ee983 in mpeg2ps_scan_file media_tools/mpeg2_ps.c:1368
#4 0x7f9f454ee983 in mpeg2ps_init media_tools/mpeg2_ps.c:1625
#5 0x7f9f45b2150c in m2psdmx_process filters/dmx_mpegps.c:327
#6 0x7f9f459ae33e in gf_filter_process_task filter_core/filter.c:2971
#7 0x7f9f4596d66a in gf_fs_thread_proc filter_core/filter_session.c:1962
#8 0x7f9f4597afd6 in gf_fs_run filter_core/filter_session.c:2261
#9 0x7f9f45310a9d in gf_dasher_process media_tools/dash_segmenter.c:1236
#10 0x557a668afbb6 in do_dash /home/functionmain/Desktop/gpac-master-asan/applications/mp4box/mp4box.c:4825
#11 0x557a668afbb6 in mp4box_main /home/functionmain/Desktop/gpac-master-asan/applications/mp4box/mp4box.c:6239
#12 0x7f9f425bf082 in __libc_start_main ../csu/libc-start.c:308
#13 0x557a66887f5d in _start (/home/functionmain/Desktop/gpac-master-asan/bin/gcc/MP4Box+0xa5f5d)
0x629000059200 is located 0 bytes to the right of 16384-byte region [0x629000055200,0x629000059200)
allocated by thread T0 here:
#0 0x7f9f485bb808 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:144
#1 0x7f9f454e4eda in mpeg2ps_stream_create media_tools/mpeg2_ps.c:392
#2 0x7f9f454e4eda in add_stream media_tools/mpeg2_ps.c:1116
#3 0x7f9f454ec886 in mpeg2ps_scan_file media_tools/mpeg2_ps.c:1293
#4 0x7f9f454ec886 in mpeg2ps_init media_tools/mpeg2_ps.c:1625
#5 0x7f9f45b2150c in m2psdmx_process filters/dmx_mpegps.c:327
#6 0x7f9f459ae33e in gf_filter_process_task filter_core/filter.c:2971
#7 0x7f9f4596d66a in gf_fs_thread_proc filter_core/filter_session.c:1962
#8 0x7f9f4597afd6 in gf_fs_run filter_core/filter_session.c:2261
#9 0x7f9f45310a9d in gf_dasher_process media_tools/dash_segmenter.c:1236
#10 0x557a668afbb6 in do_dash /home/functionmain/Desktop/gpac-master-asan/applications/mp4box/mp4box.c:4825
#11 0x557a668afbb6 in mp4box_main /home/functionmain/Desktop/gpac-master-asan/applications/mp4box/mp4box.c:6239
#12 0x7f9f425bf082 in __libc_start_main ../csu/libc-start.c:308
SUMMARY: AddressSanitizer: heap-buffer-overflow media_tools/mpeg2_ps.c:273 in MPEG12_ParseSeqHdr
Shadow bytes around the buggy address:
0x0c52800031f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c5280003200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c5280003210: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c5280003220: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c5280003230: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c5280003240:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c5280003250: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c5280003260: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c5280003270: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c5280003280: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c5280003290: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==3400280==ABORTING
Impact
This is capable of causing crashes.
References
poc_crash000086 is here
Related
ubuntucve
ubuntucve
CVE-2023-4721
2023-09-01 00:00:00
osv
osv
CVE-2023-4721
2023-09-01 16:15:08
debiancve
debiancve
CVE-2023-4721
2023-09-01 16:15:08
cvelist
cvelist
CVE-2023-4721 Out-of-bounds Read in gpac/gpac
2023-09-01 15:27:41
veracode
veracode
Out-of-bounds Read
2023-09-06 09:26:59
cve
cve
CVE-2023-4721
2023-09-01 16:15:08
prion
prion
Design/Logic Flaw
2023-09-01 16:15:00
nvd
nvd
CVE-2023-4721
2023-09-01 16:15:08
redos
redos
ROS-20230914-08
2023-09-14 00:00:00