An issue was discovered in Softing OPC UA C++ SDK before 6.10. A buffer overflow or an excess allocation happens due to unchecked array and matrix bounds in structure data types.

Publisher: Softing Industrial Automation GmbH

Document category: csaf\_security\_advisory

Initial release date: 2022-10-14T16:00:00.000Z

Engine: Secvisogram 2.0.0

Current release date: 2022-10-14T16:00:00.000Z

Build Date: 2022-10-14T15:35:16.013Z

Current version: 1.0.0

Status: interim

CVSSv3.1 Base Score: 7.5

Severity: high

Original language: en-US

Language:

Also referred to:

**Vulnerabilities****(CVE-2022-37453)**

A malformed write request may cause an excess memory allocation or an out-of-bounds memory access. The server or client process may crash unexpectedly and must be restarted

CWE:

CWE-20:Improper Input Validation

Discovery date:

2022-10-14T10:00:00.000Z

**Product status****Known affected**

Product

CVSS-Vector

CVSS Base Score

Softing OPC UA C++ SDK <= 6.00

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

7.5

Softing OPC Suite <= V5.22

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

7.5

Softing Secure Integration Server <= V1.22

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

7.5

Softing edgeConnector < V3.50

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

7.5

Softing edgeAggregator < V3.50

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

7.5

Softing uaGates <= V1,74

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

7.5

**Fixed**

*   Softing OPC UA C++ SDK V6.10

**Remediations****Mitigation**

Disable the posibility to establish unauthenticated sessions to the OPC UA server, because the atttack works on an established OPC UA session.

**For products:**

*   Softing OPC UA C++ SDK <= 6.00
*   Softing OPC Suite <= V5.22
*   Softing Secure Integration Server <= V1.22
*   Softing edgeConnector < V3.50
*   Softing edgeAggregator < V3.50
*   Softing uaGates <= V1,74

**None available**

Fix will be available with this version:

**For products:**

*   Softing OPC Suite V5.30
*   Softing Secure Integration Server V1.30
*   Softing edgeConnector V3.50
*   Softing edgeAggregator V3.50
*   uaGate V1.75

**Softing Industrial Automation GmbH**

Namespace: https://industrial.softing.com

Softing PSIRT - contact us at \[email protected\]

**Revision history**

Version

Date of the revision

Summary of the revision

1.0.0

2022-10-14T16:00:00.000Z

Initial version

**Disclaimer**

The information provided in this disclosure is provided "as is" without warranty of any kind. Softing disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Softing or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Softing or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

CVE-2022-37453: SYT-2022-9: Improper input validation vulnerability in OPC UA C++ SDK, Secure Integration Server, edgeConnector, edgeAggregator, uaGate and OPC Suite

Bento4 1.6.0 has memory leaks via the mp4fragment.

**CVE-2022-40884**

**I use AFL when fuzzing and got some crashes.**

**Following is the detail.**

\==3780==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 48 byte(s) in 1 object(s) allocated from: #0 0x4c470d in operator new(unsigned long) (/home/hjsz/Bento4/cmakebuild/mp4fragment+0x4c470d) #1 0x653b06 in AP4\_StdcFileByteStream::Create(AP4\_FileByteStream\*, char const\*, AP4\_FileByteStream::Mode, AP4\_ByteStream\*&) /home/hjsz/Bento4/Source/C++/System/StdC/Ap4StdCFileByteStream.cpp:279:14

SUMMARY: AddressSanitizer: 48 byte(s) leaked in 1 allocation(s).

crash

**Command**

*   ./mp4fragment ./POC

**Environment**

Ubuntu 20.04

CLang 10.0.1

Bento4 Version 1.6.0.0

MP4 Fragmenter - Version 1.7.0

CVE-2022-40884: CVE/CVE-2022-40884.md at main · yangfar/CVE

Bento4 v1.6.0-639 has a memory allocation issue that can cause denial of service.

**CVE-2022-40885****Out of memory in Ap4DataBuffer:new AP4\_Byte\[buffer\_size\]**

Hello,I use the fuzzer(AFL) to fuzz binary mp42avc and got some crashes which show that allocator is out of memory trying to allocate 0xXXXXXXXX bytes when method new is called.

There are two functions occur the crashes.

**The following is the details.****Bug1**

./mp42avc ~/out/crashes/id:000017,sig:06,src:000925+000617,op:splice,rep:128 3.avc

\================================================================= ==4126303==ERROR: AddressSanitizer: allocator is out of memory trying to allocate 0xc4b26d23 bytes #0 0x549287 in operator new\[\](unsigned long) (/root/Bento4/cmakebuild/mp42avc+0x549287) #1 0x558418 in AP4\_DataBuffer::AP4\_DataBuffer(unsigned int) /root/Bento4/Source/C++/Core/Ap4DataBuffer.cpp:55:16 #2 0x5ec12a in AP4\_AtomFactory::CreateAtomFromStream(AP4\_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4\_Atom\*&) /root/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:513:20 #3 0x5e7b66 in AP4\_AtomFactory::CreateAtomFromStream(AP4\_ByteStream&, unsigned long long&, AP4\_Atom\*&) /root/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:234:14 #4 0x6563c0 in AP4\_DrefAtom::AP4\_DrefAtom(unsigned int, unsigned char, unsigned int, AP4\_ByteStream&, AP4\_AtomFactory&) /root/Bento4/Source/C++/Core/Ap4DrefAtom.cpp:84:16 #5 0x6559d7 in AP4\_DrefAtom::Create(unsigned int, AP4\_ByteStream&, AP4\_AtomFactory&) /root/Bento4/Source/C++/Core/Ap4DrefAtom.cpp:50:16 #6 0x5ec3a5 in AP4\_AtomFactory::CreateAtomFromStream(AP4\_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4\_Atom\*&) /root/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:580:20 #7 0x5e7b66 in AP4\_AtomFactory::CreateAtomFromStream(AP4\_ByteStream&, unsigned long long&, AP4\_Atom\*&) /root/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:234:14 #8 0x62e6b0 in AP4\_ContainerAtom::ReadChildren(AP4\_AtomFactory&, AP4\_ByteStream&, unsigned long long) /root/Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:194:12 #9 0x62e48b in AP4\_ContainerAtom::AP4\_ContainerAtom(unsigned int, unsigned long long, bool, AP4\_ByteStream&, AP4\_AtomFactory&) /root/Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:139:5

\==4126303==HINT: if you don't care about these errors you may set allocator\_may\_return\_null=1 SUMMARY: AddressSanitizer: out-of-memory (/root/Bento4/cmakebuild/mp42avc+0x549287) in operator new\[\](unsigned long) ==4126303==ABORTING

**Bug 2**

\[root@iZ8vb29flmohv2ga6wdtfbZ cmakebuild\]# ./mp42avc ~/out/crashes/id:000018,sig:06,src:000606,op:havoc,rep:4 3.avc

\================================================================= ==4126299==ERROR: AddressSanitizer: allocator is out of memory trying to allocate 0x7d727b02 bytes #0 0x549287 in operator new\[\](unsigned long) (/root/Bento4/cmakebuild/mp42avc+0x549287) #1 0x6637c0 in AP4\_HdlrAtom::AP4\_HdlrAtom(unsigned int, unsigned char, unsigned int, AP4\_ByteStream&) /root/Bento4/Source/C++/Core/Ap4HdlrAtom.cpp:88:18

\==4126299==HINT: if you don't care about these errors you may set allocator\_may\_return\_null=1 SUMMARY: AddressSanitizer: out-of-memory (/root/Bento4/cmakebuild/mp42avc+0x549287) in operator new\[\](unsigned long) ==4126299==ABORTING

**Ap4HdlrAtom.cpp:88 and Ap4HdlrAtom.cpp will call new\[Big size\] and then crash.**

**Bug3**

./AFL/afl-fuzz -i ./seed2/ -o ./out3 -d -m none ./Bento4/cmakebuild/aac2mp4 @@ 3.mp4

After testing, the above problems also occur in acc2mp4 function.

**The following is the details.**

\[root@iZ8vb29flmohv2ga6wdtfbZ cmakebuild\]# ./aac2mp4 ~/out3/crashes/id:000008,sig:06,src:000074,op:havoc,rep:4 3.mp4

AAC frame \[000000\]: size = -7, 96000 kHz, 0 ch

\================================================================= ==3788615==ERROR: AddressSanitizer: allocator is out of memory trying to allocate 0xfffffff9 bytes #0 0x54a287 in operator new\[\](unsigned long) (/root/Bento4/cmakebuild/aac2mp4+0x54a287) #1 0x55b578 in AP4\_DataBuffer::AP4\_DataBuffer(unsigned int) /root/Bento4/Source/C++/Core/Ap4DataBuffer.cpp:55:16

\==3788615==HINT: if you don't care about these errors you may set allocator\_may\_return\_null=1 SUMMARY: AddressSanitizer: out-of-memory (/root/Bento4/cmakebuild/aac2mp4+0x54a287) in operator new\[\](unsigned long) ==3788615==ABORTING

**input**

input.zip

**Crashes**

crashes.zip

CVE-2022-40885: CVE/CVE-2022-40885.md at main · yangfar/CVE

jsonlint 1.0 is vulnerable to heap-buffer-overflow via /home/hjsz/jsonlint/src/lexer.

Hi, developers of jsonlint.  
I fuzz the jsonlint with AFL,and some crashes incurred—heap-buffer-overflow.The following is the details.  
**Commond: ./jsonlint input**

**Bug**

\=1492403==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60e0000000df at pc 0x000000508ea7 bp 0x7ffc32b00ef0 sp 0x7ffc32b00ee8  
READ of size 1 at 0x60e0000000df thread T0  
#0 0x508ea6 in jsonlint::details::ReadCharacter\[abi:cxx11\](jsonlint::Lexer&, bool) /home/hjsz/jsonlint/src/lexer.cpp:18:15  
#1 0x509c58 in jsonlint::details::PeekCharacterabi:cxx11 /home/hjsz/jsonlint/src/lexer.cpp:27:52  
#2 0x509c58 in jsonlint::details::ReadString(jsonlint::Lexer&) /home/hjsz/jsonlint/src/lexer.cpp:48:12  
#3 0x512b99 in jsonlint::Tokenize(jsonlint::Lexer&) /home/hjsz/jsonlint/src/lexer.cpp:256:26  
#4 0x4cb5b1 in main /home/hjsz/jsonlint/src/main.cpp:26:21  
#5 0x7f1da2c68082 in \_\_libc\_start\_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16  
#6 0x41fced in \_start (/home/hjsz/jsonlint/build/jsonlint+0x41fced)

0x60e0000000df is located 0 bytes to the right of 159-byte region \[0x60e000000040,0x60e0000000df)  
allocated by thread T0 here:  
#0 0x4c7b9d in operator new(unsigned long) (/home/hjsz/jsonlint/build/jsonlint+0x4c7b9d)  
#1 0x52d49c in void std::\_\_cxx11::basic\_string<char, std::char\_traits, std::allocator >::\_M\_construct<char\*>(char\*, char\*, std::forward\_iterator\_tag) /usr/bin/../lib/gcc/x86\_64-linux-gnu/9/../../../../include/c++/9/bits/basic\_string.tcc:219:14  
#2 0x4cb40f in main /home/hjsz/jsonlint/src/main.cpp:25:19  
#3 0x7f1da2c68082 in \_\_libc\_start\_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/hjsz/jsonlint/src/lexer.cpp:18:15 in jsonlint::details::ReadCharacter\[abi:cxx11\](jsonlint::Lexer&, bool)  
Shadow bytes around the buggy address:  
0x0c1c7fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
0x0c1c7fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
0x0c1c7fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
0x0c1c7fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
0x0c1c7fff8000: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00  
\=>0x0c1c7fff8010: 00 00 00 00 00 00 00 00 00 00 00\[07\]fa fa fa fa  
0x0c1c7fff8020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0c1c7fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0c1c7fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0c1c7fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0c1c7fff8060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
Shadow byte legend (one shadow byte represents 8 application bytes):  
Addressable: 00  
Partially addressable: 01 02 03 04 05 06 07  
Heap left redzone: fa  
Freed heap region: fd  
Stack left redzone: f1  
Stack mid redzone: f2  
Stack right redzone: f3  
Stack after return: f5  
Stack use after scope: f8  
Global redzone: f9  
Global init order: f6  
Poisoned by user: f7  
Container overflow: fc  
Array cookie: ac  
Intra object redzone: bb  
ASan internal: fe  
Left alloca redzone: ca  
Right alloca redzone: cb  
Shadow gap: cc  
\==1492403==ABORTING

**Crashes**

crashes.zip

**Environment**

Ubuntu 20.04.5 LTS  
master

Thanks for your time.

CVE-2022-42227: Heap-buffer-overflow in jsonlint/src/lexer.cpp:18:15 · Issue #2 · p-ranav/jsonlint

GPAC 2.1-DEV-rev368-gfd054169b-master was discovered to contain a segmentation violation via the function gf_isom_get_meta_item_info at /isomedia/meta.c.

**Description**

SEGV in isomedia/meta.c:177 in gf\_isom\_get\_meta\_item\_info

**Version**

    $ ./MP4Box -version
    MP4Box - GPAC version 2.1-DEV-rev368-gfd054169b-master
    (c) 2000-2022 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
    
    Please cite our work in your research:
            GPAC Filters: https://doi.org/10.1145/3339825.3394929
            GPAC: https://doi.org/10.1145/1291233.1291452
    
    GPAC Configuration: --enable-sanitizer
    Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_JPEG GPAC_HAS_PNG GPAC_HAS_LINUX_DVB  GPAC_DISABLE_3D 
    

**Replay**

    git clone https://github.com/gpac/gpac.git
    cd gpac
    ./configure --enable-sanitizer
    make -j$(nproc)
    ./bin/gcc/MP4Box -info mp4box-info-segv-1
    

**POC**

https://github.com/17ssDP/fuzzer\_crashes/blob/main/gpac/mp4box-info-segv-1

**ASAN**

    [iso file] Unknown box type i000000 in parent iinf
    [iso file] Unknown top-level box type v000000
    [iso file] Incomplete box v000000 - start 308 size 191662031
    [iso file] Incomplete file while reading for dump - aborting parsing
    # File Meta type: "Meta" - 3 resource item(s)
    ASAN:DEADLYSIGNAL
    =================================================================
    ==52314==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000028 (pc 0x7f4d67b428f9 bp 0x000000000000 sp 0x7ffcd749c3c0 T0)
    ==52314==The signal is caused by a READ memory access.
    ==52314==Hint: address points to the zero page.
        #0 0x7f4d67b428f8 in gf_isom_get_meta_item_info isomedia/meta.c:177
        #1 0x55fa2660a89e in DumpMetaItem /gpac/applications/mp4box/filedump.c:2467
        #2 0x55fa26642cc8 in DumpMovieInfo /gpac/applications/mp4box/filedump.c:3820
        #3 0x55fa265efee4 in mp4box_main /gpac/applications/mp4box/mp4box.c:6359
        #4 0x7f4d669cfc86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86)
        #5 0x55fa265c00a9 in _start (/gpac/bin/gcc/MP4Box+0x4e0a9)
    
    AddressSanitizer can not provide additional info.
    SUMMARY: AddressSanitizer: SEGV isomedia/meta.c:177 in gf_isom_get_meta_item_info
    ==52314==ABORTING
    

**Environment**

    Ubuntu 16.04
    Clang 10.0.1
    gcc 5.5

CVE-2022-43044: SEGV isomedia/meta.c:177 in gf_isom_get_meta_item_info · Issue #2282 · gpac/gpac

GPAC 2.1-DEV-rev368-gfd054169b-master was discovered to contain a segmentation violation via the function gf_isom_meta_restore_items_ref at /isomedia/meta.c.

**Description**

SEGV in isomedia/meta.c:1929 in gf\_isom\_meta\_restore\_items\_ref

**Version**

    $ ./MP4Box -version
    MP4Box - GPAC version 2.1-DEV-rev368-gfd054169b-master
    (c) 2000-2022 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
    
    Please cite our work in your research:
            GPAC Filters: https://doi.org/10.1145/3339825.3394929
            GPAC: https://doi.org/10.1145/1291233.1291452
    
    GPAC Configuration: --enable-sanitizer
    Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_JPEG GPAC_HAS_PNG GPAC_HAS_LINUX_DVB  GPAC_DISABLE_3D 
    

**Replay**

    git clone https://github.com/gpac/gpac.git
    cd gpac
    ./configure --enable-sanitizer
    make -j$(nproc)
    ./bin/gcc/MP4Box -info mp4box-info-segv-0
    

**POC**

https://github.com/17ssDP/fuzzer\_crashes/blob/main/gpac/mp4box-info-segv-0

**ASAN**

    [iso file] Read Box type 0003E8d (0x0003E864) at position 653 has size 0 but is not at root/file level. Forbidden, skipping end of parent box !
    [iso file] Missing DataInformationBox
    [iso file] Box "minf" (start 645) has 3400 extra bytes
    [iso file] Track with no sample table !
    [iso file] Track with no sample description box !
    [isom] not enough bytes in box A9too: 29 left, reading 41 (file isomedia/box_code_apple.c, line 117)
    [iso file] Read Box "A9too" (start 4122) failed (Invalid IsoMedia File) - skipping
    [iso file] Read Box "ilst" (start 4114) failed (Invalid IsoMedia File) - skipping
    [iso file] Read Box type 000000! (0x00000021) at position 4077 has size 0 but is not at root/file level. Forbidden, skipping end of parent box !
    [iso file] Box "meta" (start 4069) has 74 extra bytes
    ASAN:DEADLYSIGNAL
    =================================================================
    ==57686==ERROR: AddressSanitizer: SEGV on unknown address 0x00000000002c (pc 0x7fb4c621a438 bp 0x000000000000 sp 0x7fff370fe330 T0)
    ==57686==The signal is caused by a READ memory access.
    ==57686==Hint: address points to the zero page.
        #0 0x7fb4c621a437 in gf_isom_meta_restore_items_ref isomedia/meta.c:1929
        #1 0x7fb4c60c4127 in gf_isom_parse_movie_boxes_internal isomedia/isom_intern.c:429
        #2 0x7fb4c60d00e5 in gf_isom_parse_movie_boxes isomedia/isom_intern.c:866
        #3 0x7fb4c60d00e5 in gf_isom_open_file isomedia/isom_intern.c:986
        #4 0x5627a34e0048 in mp4box_main /gpac/applications/mp4box/mp4box.c:6175
        #5 0x7fb4c5089c86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86)
        #6 0x5627a34b30a9 in _start (/gpac/bin/gcc/MP4Box+0x4e0a9)
    
    AddressSanitizer can not provide additional info.
    SUMMARY: AddressSanitizer: SEGV isomedia/meta.c:1929 in gf_isom_meta_restore_items_ref
    ==57686==ABORTING
    

**Environment**

    Ubuntu 16.04
    Clang 10.0.1
    gcc 5.5

CVE-2022-43039: SEGV isomedia/meta.c:1929 in gf_isom_meta_restore_items_ref · Issue #2281 · gpac/gpac

GPAC 2.1-DEV-rev368-gfd054169b-master was discovered to contain a heap buffer overflow via the function gf_isom_box_dump_start_ex at /isomedia/box_funcs.c.

**Description**

Heap-buffer-overflow in isomedia/box\_funcs.c:2074 in gf\_isom\_box\_dump\_start\_ex

**Version**

    $ ./MP4Box -version
    MP4Box - GPAC version 2.1-DEV-rev368-gfd054169b-master
    (c) 2000-2022 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
    
    Please cite our work in your research:
            GPAC Filters: https://doi.org/10.1145/3339825.3394929
            GPAC: https://doi.org/10.1145/1291233.1291452
    
    GPAC Configuration: --enable-sanitizer
    Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_JPEG GPAC_HAS_PNG GPAC_HAS_LINUX_DVB  GPAC_DISABLE_3D 
    

**Replay**

    git clone https://github.com/gpac/gpac.git
    cd gpac
    ./configure --enable-sanitizer
    make -j$(nproc)
    ./bin/gcc/MP4Box -diso mp4box-diso-heap-buffer-over-flow-1
    

**POC**

https://github.com/17ssDP/fuzzer\_crashes/blob/main/gpac/mp4box-diso-heap-buffer-over-flow-1

**ASAN**

    
    [iso file] Read Box type 04@0004 (0x04400004) at position 94 has size 0 but is not at root/file level. Forbidden, skipping end of parent box !
    [iso file] Box "meta" (start 32) has 206 extra bytes
    [iso file] Box "uuid" (start 4061) has 58 extra bytes
    [iso file] Incomplete box mdat - start 4151 size 54847
    [iso file] Incomplete file while reading for dump - aborting parsing
    =================================================================
    ==18099==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x604000000540 at pc 0x7f54a04dd880 bp 0x7ffcec3ea7e0 sp 0x7ffcec3ea7d0
    READ of size 1 at 0x604000000540 thread T0
        #0 0x7f54a04dd87f in gf_isom_box_dump_start_ex isomedia/box_funcs.c:2074
        #1 0x7f54a04dd87f in gf_isom_box_dump_start isomedia/box_funcs.c:2093
        #2 0x7f54a04c0ae7 in trgt_box_dump isomedia/box_dump.c:5807
        #3 0x7f54a04ddbb8 in gf_isom_box_dump isomedia/box_funcs.c:2108
        #4 0x7f54a0470ffa in gf_isom_box_array_dump isomedia/box_dump.c:104
        #5 0x7f54a04ddda8 in gf_isom_box_dump_done isomedia/box_funcs.c:2115
        #6 0x7f54a04c09d5 in trgr_box_dump isomedia/box_dump.c:5799
        #7 0x7f54a04ddbb8 in gf_isom_box_dump isomedia/box_funcs.c:2108
        #8 0x7f54a04714d6 in gf_isom_dump isomedia/box_dump.c:138
        #9 0x55e8639f1804 in dump_isom_xml /home/fuzz/dp/chunkfuzzer-evaluation/benchmark/gpac-asan/applications/mp4box/filedump.c:2067
        #10 0x55e8639c1d79 in mp4box_main /home/fuzz/dp/chunkfuzzer-evaluation/benchmark/gpac-asan/applications/mp4box/mp4box.c:6364
        #11 0x7f549f4e0c86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86)
        #12 0x55e8639920a9 in _start (/home/fuzz/dp/chunkfuzzer-evaluation/benchmark/gpac-asan/bin/gcc/MP4Box+0x4e0a9)
    
    0x604000000540 is located 0 bytes to the right of 48-byte region [0x604000000510,0x604000000540)
    allocated by thread T0 here:
        #0 0x7f54a2a4cb40 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb40)
        #1 0x7f54a041bd12 in trgt_box_new isomedia/box_code_base.c:10623
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow isomedia/box_funcs.c:2074 in gf_isom_box_dump_start_ex
    Shadow bytes around the buggy address:
      0x0c087fff8050: fa fa 00 00 00 00 00 00 fa fa 00 00 00 00 00 00
      0x0c087fff8060: fa fa 00 00 00 00 00 00 fa fa 00 00 00 00 00 fa
      0x0c087fff8070: fa fa 00 00 00 00 00 00 fa fa 00 00 00 00 00 fa
      0x0c087fff8080: fa fa 00 00 00 00 00 00 fa fa 00 00 00 00 00 00
      0x0c087fff8090: fa fa fd fd fd fd fd fd fa fa 00 00 00 00 00 00
    =>0x0c087fff80a0: fa fa 00 00 00 00 00 00[fa]fa fa fa fa fa fa fa
      0x0c087fff80b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c087fff80c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c087fff80d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c087fff80e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c087fff80f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
    ==18099==ABORTING
    

**Environment**

    Ubuntu 16.04
    Clang 10.0.1
    gcc 5.5

CVE-2022-43040: heap-buffer-overflow isomedia/box_funcs.c:2074 in gf_isom_box_dump_start_ex · Issue #2280 · gpac/gpac

GPAC 2.1-DEV-rev368-gfd054169b-master was discovered to contain a heap buffer overflow via the function FixSDTPInTRAF at isomedia/isom_intern.c.

**Description**

Heap-buffer-overflow in isomedia/isom\_intern.c:227 in FixSDTPInTRAF

**Version**

    $ ./MP4Box -version
    MP4Box - GPAC version 2.1-DEV-rev368-gfd054169b-master
    (c) 2000-2022 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
    
    Please cite our work in your research:
            GPAC Filters: https://doi.org/10.1145/3339825.3394929
            GPAC: https://doi.org/10.1145/1291233.1291452
    
    GPAC Configuration: --enable-sanitizer
    Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_JPEG GPAC_HAS_PNG GPAC_HAS_LINUX_DVB  GPAC_DISABLE_3D 
    

**Replay**

    git clone https://github.com/gpac/gpac.git
    cd gpac
    ./configure --enable-sanitizer
    make -j$(nproc)
    ./bin/gcc/MP4Box -bt mp4box-bt-heap-buffer-over-flow-0
    

**POC**

https://github.com/17ssDP/fuzzer\_crashes/blob/main/gpac/mp4box-bt-heap-buffer-over-flow-0

**ASAN**

    [iso file] Unknown box type sjhm in parent sinf
    [iso file] Unknown box type sgp00 in parent stbl
    [iso file] Read Box type 00000000 (0x00000000) at position 2168 has size 0 but is not at root/file level. Forbidden, skipping end of parent box !
    [iso file] Box "traf" (start 2028) has 458 extra bytes
    [iso file] Unknown box type shgp in parent traf
    =================================================================
    ==31145==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000001914 at pc 0x7fe0339cbbf8 bp 0x7ffc2041a330 sp 0x7ffc2041a320
    READ of size 1 at 0x602000001914 thread T0
        #0 0x7fe0339cbbf7 in FixSDTPInTRAF isomedia/isom_intern.c:227
        #1 0x7fe0339cbbf7 in gf_isom_parse_movie_boxes_internal isomedia/isom_intern.c:663
        #2 0x7fe0339ce0e5 in gf_isom_parse_movie_boxes isomedia/isom_intern.c:866
        #3 0x7fe0339ce0e5 in gf_isom_open_file isomedia/isom_intern.c:986
        #4 0x55ec82396048 in mp4box_main /home/fuzz/dp/chunkfuzzer-evaluation/benchmark/gpac-asan/applications/mp4box/mp4box.c:6175
        #5 0x7fe032987c86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86)
        #6 0x55ec823690a9 in _start (/home/fuzz/dp/chunkfuzzer-evaluation/benchmark/gpac-asan/bin/gcc/MP4Box+0x4e0a9)
    
    0x602000001914 is located 0 bytes to the right of 4-byte region [0x602000001910,0x602000001914)
    allocated by thread T0 here:
        #0 0x7fe035ef3b40 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb40)
        #1 0x7fe0338a4541 in sdtp_box_read isomedia/box_code_base.c:8354
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow isomedia/isom_intern.c:227 in FixSDTPInTRAF
    Shadow bytes around the buggy address:
      0x0c047fff82d0: fa fa 00 00 fa fa 00 00 fa fa 01 fa fa fa 00 00
      0x0c047fff82e0: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa fd fa
      0x0c047fff82f0: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 00
      0x0c047fff8300: fa fa 00 fa fa fa 00 00 fa fa 00 07 fa fa 00 00
      0x0c047fff8310: fa fa 00 fa fa fa 00 00 fa fa 00 00 fa fa 00 00
    =>0x0c047fff8320: fa fa[04]fa fa fa 00 00 fa fa 00 00 fa fa fa fa
      0x0c047fff8330: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff8340: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff8350: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff8360: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff8370: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
    ==31145==ABORTING
    

**Environment**

    Ubuntu 16.04
    Clang 10.0.1
    gcc 5.5

CVE-2022-43042: heap-buffer-overflow isomedia/isom_intern.c:227 in FixSDTPInTRAF · Issue #2278 · gpac/gpac

GPAC 2.1-DEV-rev368-gfd054169b-master was discovered to contain a segmentation violation via the function gf_dump_vrml_sffield at /scene_manager/scene_dump.c.

**Description**

SEGV scene\_manager/scene\_dump.c:693 in gf\_dump\_vrml\_sffield

**Version**

    $ ./MP4Box -version
    MP4Box - GPAC version 2.1-DEV-rev368-gfd054169b-master
    (c) 2000-2022 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
    
    Please cite our work in your research:
            GPAC Filters: https://doi.org/10.1145/3339825.3394929
            GPAC: https://doi.org/10.1145/1291233.1291452
    
    GPAC Configuration: --enable-sanitizer
    Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_JPEG GPAC_HAS_PNG GPAC_HAS_LINUX_DVB  GPAC_DISABLE_3D 
    

**Replay**

    git clone https://github.com/gpac/gpac.git
    cd gpac
    ./configure --enable-sanitizer
    make -j$(nproc)
    ./bin/gcc/MP4Box -bt mp4box-bt-segv-1
    

**POC**

https://github.com/17ssDP/fuzzer\_crashes/blob/main/gpac/mp4box-bt-segv-1

**ASAN**

    [iso file] Unknown box type 0000 in parent moov
    [iso file] Unknown box type 0000 in parent moov
    [iso file] Unknown box type 0000 in parent moov
    [iso file] Unknown box type 0000 in parent moov
    [iso file] Unknown box type 0000 in parent moov
    [iso file] Unknown box type 0000 in parent moov
    [iso file] Unknown box type 0000 in parent minf
    [iso file] Missing DataInformationBox
    [iso file] Unknown box type 0000 in parent moov
    [iso file] Read Box type 0000 (0x30303030) at position 11542 has size 0 but is not at root/file level. Forbidden, skipping end of parent box !
    [iso file] Box "moov" (start 20) has 806 extra bytes
    [iso file] Unknown top-level box type 0000
    [iso file] Incomplete box 0000 - start 12356 size 808358436
    [iso file] Incomplete file while reading for dump - aborting parsing
    [iso file] Unknown box type 0000 in parent moov
    [iso file] Unknown box type 0000 in parent moov
    [iso file] Unknown box type 0000 in parent moov
    [iso file] Unknown box type 0000 in parent moov
    [iso file] Unknown box type 0000 in parent moov
    [iso file] Unknown box type 0000 in parent moov
    [iso file] Unknown box type 0000 in parent minf
    [iso file] Missing DataInformationBox
    [iso file] Unknown box type 0000 in parent moov
    [iso file] Read Box type 0000 (0x30303030) at position 11542 has size 0 but is not at root/file level. Forbidden, skipping end of parent box !
    [iso file] Box "moov" (start 20) has 806 extra bytes
    [iso file] Unknown top-level box type 0000
    [iso file] Incomplete box 0000 - start 12356 size 808358436
    [iso file] Incomplete file while reading for dump - aborting parsing
    MPEG-4 BIFS Scene Parsing
    [ODF] Reading bifs config: shift in sizes (not supported)
    [MP4 Loading] Unable to fetch sample 38 from track ID 8 - aborting track import
    Scene loaded - dumping 1 systems streams
    ASAN:DEADLYSIGNAL
    =================================================================
    ==42376==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000008 (pc 0x7f6a20c34c94 bp 0x60b000000720 sp 0x7ffd44396130 T0)
    ==42376==The signal is caused by a READ memory access.
    ==42376==Hint: address points to the zero page.
        #0 0x7f6a20c34c93 in gf_dump_vrml_sffield scene_manager/scene_dump.c:693
        #1 0x7f6a20c69012 in gf_dump_vrml_simple_field scene_manager/scene_dump.c:775
        #2 0x7f6a20c5020c in DumpXReplace scene_manager/scene_dump.c:2291
        #3 0x7f6a20c5020c in gf_sm_dump_command_list scene_manager/scene_dump.c:2901
        #4 0x7f6a20c77d57 in gf_sm_dump scene_manager/scene_dump.c:3519
        #5 0x556786082cef in dump_isom_scene /home/fuzz/dp/chunkfuzzer-evaluation/benchmark/gpac-asan/applications/mp4box/filedump.c:221
        #6 0x55678605d7ff in mp4box_main /home/fuzz/dp/chunkfuzzer-evaluation/benchmark/gpac-asan/applications/mp4box/mp4box.c:6336
        #7 0x7f6a1f3bac86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86)
        #8 0x55678602f0a9 in _start (/home/fuzz/dp/chunkfuzzer-evaluation/benchmark/gpac-asan/bin/gcc/MP4Box+0x4e0a9)
    
    AddressSanitizer can not provide additional info.
    SUMMARY: AddressSanitizer: SEGV scene_manager/scene_dump.c:693 in gf_dump_vrml_sffield
    ==42376==ABORTING
    

**Environment**

    Ubuntu 16.04
    Clang 10.0.1
    gcc 5.5

CVE-2022-43045: SEGV scene_manager/scene_dump.c:693 in gf_dump_vrml_sffield · Issue #2277 · gpac/gpac

GPAC 2.1-DEV-rev368-gfd054169b-master was discovered to contain a segmentation violation via the function BD_CheckSFTimeOffset at /bifs/field_decode.c.

**Description**

SEGV in BD\_CheckSFTimeOffset bifs/field\_decode.c:58

**Version**

    $ ./MP4Box -version
    MP4Box - GPAC version 2.1-DEV-rev368-gfd054169b-master
    (c) 2000-2022 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
    
    Please cite our work in your research:
            GPAC Filters: https://doi.org/10.1145/3339825.3394929
            GPAC: https://doi.org/10.1145/1291233.1291452
    
    GPAC Configuration: --enable-sanitizer
    Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_JPEG GPAC_HAS_PNG GPAC_HAS_LINUX_DVB  GPAC_DISABLE_3D 
    

**Replay**

    git clone https://github.com/gpac/gpac.git
    cd gpac
    ./configure --enable-sanitizer
    make -j$(nproc)
    ./bin/gcc/MP4Box -bt mp4box-bt-segv-0
    

**POC**

https://github.com/17ssDP/fuzzer\_crashes/blob/main/gpac/mp4box-bt-segv-0

**ASAN**

    
    [iso file] Unknown box type 0000 in parent moov
    [iso file] Unknown box type 0000 in parent moov
    [iso file] Unknown box type 0000 in parent moov
    [iso file] Unknown box type 0000 in parent moov
    [iso file] Unknown box type 0000 in parent moov
    [iso file] Unknown box type 0000 in parent moov
    [iso file] Unknown box type 0000 in parent minf
    [iso file] Missing DataInformationBox
    [iso file] Unknown box type 0000 in parent moov
    [iso file] Read Box type 0000 (0x30303030) at position 11542 has size 0 but is not at root/file level. Forbidden, skipping end of parent box !
    [iso file] Box "moov" (start 20) has 806 extra bytes
    [iso file] Unknown top-level box type 0000
    [iso file] Incomplete box 0000 - start 12356 size 808358436
    [iso file] Incomplete file while reading for dump - aborting parsing
    [iso file] Unknown box type 0000 in parent moov
    [iso file] Unknown box type 0000 in parent moov
    [iso file] Unknown box type 0000 in parent moov
    [iso file] Unknown box type 0000 in parent moov
    [iso file] Unknown box type 0000 in parent moov
    [iso file] Unknown box type 0000 in parent moov
    [iso file] Unknown box type 0000 in parent minf
    [iso file] Missing DataInformationBox
    [iso file] Unknown box type 0000 in parent moov
    [iso file] Read Box type 0000 (0x30303030) at position 11542 has size 0 but is not at root/file level. Forbidden, skipping end of parent box !
    [iso file] Box "moov" (start 20) has 806 extra bytes
    [iso file] Unknown top-level box type 0000
    [iso file] Incomplete box 0000 - start 12356 size 808358436
    [iso file] Incomplete file while reading for dump - aborting parsing
    MPEG-4 BIFS Scene Parsing
    [ODF] Reading bifs config: shift in sizes (not supported)
    ASAN:DEADLYSIGNAL                 | (00/100)
    =================================================================
    ==64022==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000001 (pc 0x7f4bf2457608 bp 0x7fff7805fc00 sp 0x7fff7805f360 T0)
    ==64022==The signal is caused by a READ memory access.
    ==64022==Hint: address points to the zero page.
        #0 0x7f4bf2457607  (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x5b607)
        #1 0x7f4befd4dd1a in BD_CheckSFTimeOffset bifs/field_decode.c:58
        #2 0x7f4befd53e80 in gf_bifs_dec_sf_field bifs/field_decode.c:105
        #3 0x7f4befd6a1be in BM_XReplace bifs/memory_decoder.c:355
        #4 0x7f4befd6a1be in BM_ParseExtendedUpdates bifs/memory_decoder.c:398
        #5 0x7f4befd754ad in BM_ParseInsert bifs/memory_decoder.c:586
        #6 0x7f4befd754ad in BM_ParseCommand bifs/memory_decoder.c:908
        #7 0x7f4befd7660d in gf_bifs_decode_command_list bifs/memory_decoder.c:1038
        #8 0x7f4bf0743bc6 in gf_sm_load_run_isom scene_manager/loader_isom.c:303
        #9 0x562cf53f8dd7 in dump_isom_scene /home/fuzz/dp/chunkfuzzer-evaluation/benchmark/gpac-asan/applications/mp4box/filedump.c:207
        #10 0x562cf53d37ff in mp4box_main /home/fuzz/dp/chunkfuzzer-evaluation/benchmark/gpac-asan/applications/mp4box/mp4box.c:6336
        #11 0x7f4beef6ec86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86)
        #12 0x562cf53a50a9 in _start (/home/fuzz/dp/chunkfuzzer-evaluation/benchmark/gpac-asan/bin/gcc/MP4Box+0x4e0a9)
    
    AddressSanitizer can not provide additional info.
    SUMMARY: AddressSanitizer: SEGV (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x5b607) 
    ==64022==ABORTING
    

**Environment**

    Ubuntu 16.04
    Clang 10.0.1
    gcc 5.5

Tag

#c++