Multiple heap buffer overflows in tiffcrop.c utility in libtiff library Version 4.4.0 allows attacker to trigger unsafe or out of bounds memory access via crafted TIFF image file which could result into application crash, potential information disclosure or any other context-dependent impact

Summary -(Summarize the bug encountered concisely)

There is a Heap buffer overflow in /tools/tiffcrop.c:3142 in extractContigSamples32bits function

Version - (libtiff version)

    root@ubuntu:/home/libtiff/tools# ./tiffcrop -v
    Library Release: LIBTIFF, Version 4.3.0
    Copyright (c) 1988-1996 Sam Leffler
    Copyright (c) 1991-1996 Silicon Graphics, Inc.
    Tiffcrop version: 2.4, last updated: 12-13-2010
    Tiffcp code: Copyright (c) 1988-1997 Sam Leffler
               : Copyright (c) 1991-1997 Silicon Graphics, Inc
    Tiffcrop additions: Copyright (c) 2007-2010 Richard Nolde
    

Steps to reproduce - (How one can reproduce the issue - this is very important)

    Clone the latest source from the gitlab repository - git clone https://gitlab.com/libtiff/libtiff.git
    cd libtiff
    
    compile the source using the following command :  
    
    CC=gcc CXX=g++ CFLAGS="-ggdb -fsanitize=address,undefined -fno-sanitize-recover=all" CXXFLAGS="-ggdb -fsanitize=address,undefined -fno-sanitize-recover=all" LDFLAGS="-fsanitize=address,undefined -fno-sanitize-recover=all -lm" ./configure --disable-shared
    
    Reproduce the crash with the following commmand :  
    
    ./tiffcrop -i -E l -H 10 -V 10 -S 8:4 -R 270 poc.tif a.tif
    

Platform - (Operating system, architecture, compiler details)

    gcc --version
    gcc (Ubuntu 9.3.0-17ubuntu1~20.04) 9.3.0
    Copyright (C) 2019 Free Software Foundation, Inc.
    This is free software; see the source for copying conditions.  There is NO
    warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
    
    uname -r
    5.13.0-28-generic
    
    uname -a
    Linux ubuntu 5.13.0-28-generic #31~20.04.1-Ubuntu SMP Wed Jan 19 14:08:10 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
    
    
    lsb_release -a
    No LSB modules are available.
    Distributor ID:	Ubuntu
    Description:	Ubuntu 20.04.3 LTS
    Release:	20.04
    Codename:	focal

*   Address Sanitizer Logs ( ASAN )

    TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
    TIFFReadDirectory: Warning, Unknown field with tag 57568 (0xe0e0) encountered.
    TIFFReadDirectory: Warning, Unknown field with tag 1028 (0x404) encountered.
    TIFFReadDirectory: Warning, Unknown field with tag 1 (0x1) encountered.
    TIFFFetchNormalTag: Warning, ASCII value for tag "Model" does not end in null byte.
    TIFFReadDirectory: Warning, TIFF directory is missing required "StripByteCounts" field, calculating from imagelength.
    TIFFAdvanceDirectory: Error fetching directory count.
    loadImage: Image lacks Photometric interpretation tag.
    =================================================================
    ==2014==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000210 at pc 0x55bbcdc5bb9a bp 0x7fff3dbae7c0 sp 0x7fff3dbae7b0
    READ of size 4 at 0x602000000210 thread T0
        #0 0x55bbcdc5bb99 in extractContigSamples32bits /home/targets/libtiff/tools/tiffcrop.c:3142
        #1 0x55bbcdc70529 in extractContigSamplesToBuffer /home/targets/libtiff/tools/tiffcrop.c:3627
        #2 0x55bbcdc70529 in writeBufferToSeparateStrips /home/targets/libtiff/tools/tiffcrop.c:1218
        #3 0x55bbcdc7d4b9 in writeSingleSection /home/targets/libtiff/tools/tiffcrop.c:7377
        #4 0x55bbcdc3ce20 in writeImageSections /home/targets/libtiff/tools/tiffcrop.c:7104
        #5 0x55bbcdc3ce20 in main /home/targets/libtiff/tools/tiffcrop.c:2451
        #6 0x7f20439f70b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
        #7 0x55bbcdc434ed in _start (/home/targets/libtiff/tools/tiffcrop+0x324ed)
    
    0x602000000213 is located 0 bytes to the right of 3-byte region [0x602000000210,0x602000000213)
    allocated by thread T0 here:
        #0 0x7f2043e3abc8 in malloc (/lib/x86_64-linux-gnu/libasan.so.5+0x10dbc8)
        #1 0x55bbcdc3d94d in createImageSection /home/targets/libtiff/tools/tiffcrop.c:7402
        #2 0x55bbcdc3d94d in writeImageSections /home/targets/libtiff/tools/tiffcrop.c:7090
        #3 0x55bbcdc3d94d in main /home/targets/libtiff/tools/tiffcrop.c:2451
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow /home/targets/libtiff/tools/tiffcrop.c:3142 in extractContigSamples32bits
    Shadow bytes around the buggy address:
      0x0c047fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c047fff8000: fa fa 00 00 fa fa fd fa fa fa 02 fa fa fa fd fa
      0x0c047fff8010: fa fa fd fa fa fa fd fa fa fa 02 fa fa fa fd fa
      0x0c047fff8020: fa fa fd fa fa fa fd fa fa fa 00 fa fa fa 00 fa
      0x0c047fff8030: fa fa fd fd fa fa fd fd fa fa fd fa fa fa 00 04
    =>0x0c047fff8040: fa fa[03]fa fa fa 02 fa fa fa 02 fa fa fa 06 fa
      0x0c047fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff8060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff8070: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff8080: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff8090: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==2014==ABORTING
    
    ```[poc.zip](/uploads/4df5ce99cd3cbed76031489ef39f12fb/poc.zip)

CVE-2022-3570: tools/tiffcrop.c:3142 - Heap Buffer overflow in extractContigSamples32bits (#386) · Issues · libtiff / libtiff · GitLab

SolarWinds Platform was susceptible to the Deserialization of Untrusted Data. This vulnerability allows a remote adversary with Orion admin-level account access to SolarWinds Web Console to execute arbitrary commands.

CVE-2022-38108: Published | Zero Day Initiative

CVE-2022-36957: Published | Zero Day Initiative

An issue was discovered in Softing OPC UA C++ SDK 5.66 through 6.x before 6.10. An OPC/UA browse request exceeding the server limit on continuation points may cause a use-after-free error

Softing Automotive ist Spezialist für den gesamten Lebenszyklus elektronischer Steuergeräte und ganzer Fahrzeugsysteme, von der Entwicklung über die Produktion bis in den Service.

Softing Industrial ist Experte für die Implementierung und Verbesserung digitaler Datenaustauschprozesse in industriellen Anwendungen - auf der Feldebene und zwischen der Produktion und der IT.

Softing IT Networks ist Spezialist für Messtechnik zur Qualifizierung, Zertifizierung und Dokumentation der Leistungsfähigkeit von Verkabelungen in IT-Systemen.

Auf den Investor Relations Seiten bieten wir Ihnen detaillierte Informationen zum Unternehmen und der Aktie.

Wenn es um Ihre Zukunft geht, sollten Sie keine Kompromisse eingehen.

CVE-2022-39823: Automobilelektronik, Automatisierungstechnik und Messtechnik in IT-Netzwerken

An issue was discovered in Softing OPC UA C++ SDK before 6.10. A buffer overflow or an excess allocation happens due to unchecked array and matrix bounds in structure data types.

Publisher: Softing Industrial Automation GmbH

Document category: csaf\_security\_advisory

Initial release date: 2022-10-14T16:00:00.000Z

Engine: Secvisogram 2.0.0

Current release date: 2022-10-14T16:00:00.000Z

Build Date: 2022-10-14T15:35:16.013Z

Current version: 1.0.0

Status: interim

CVSSv3.1 Base Score: 7.5

Severity: high

Original language: en-US

Language:

Also referred to:

**Vulnerabilities****(CVE-2022-37453)**

A malformed write request may cause an excess memory allocation or an out-of-bounds memory access. The server or client process may crash unexpectedly and must be restarted

CWE:

CWE-20:Improper Input Validation

Discovery date:

2022-10-14T10:00:00.000Z

**Product status****Known affected**

Product

CVSS-Vector

CVSS Base Score

Softing OPC UA C++ SDK <= 6.00

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

7.5

Softing OPC Suite <= V5.22

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

7.5

Softing Secure Integration Server <= V1.22

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

7.5

Softing edgeConnector < V3.50

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

7.5

Softing edgeAggregator < V3.50

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

7.5

Softing uaGates <= V1,74

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

7.5

**Fixed**

*   Softing OPC UA C++ SDK V6.10

**Remediations****Mitigation**

Disable the posibility to establish unauthenticated sessions to the OPC UA server, because the atttack works on an established OPC UA session.

**For products:**

*   Softing OPC UA C++ SDK <= 6.00
*   Softing OPC Suite <= V5.22
*   Softing Secure Integration Server <= V1.22
*   Softing edgeConnector < V3.50
*   Softing edgeAggregator < V3.50
*   Softing uaGates <= V1,74

**None available**

Fix will be available with this version:

**For products:**

*   Softing OPC Suite V5.30
*   Softing Secure Integration Server V1.30
*   Softing edgeConnector V3.50
*   Softing edgeAggregator V3.50
*   uaGate V1.75

**Softing Industrial Automation GmbH**

Namespace: https://industrial.softing.com

Softing PSIRT - contact us at \[email protected\]

**Revision history**

Version

Date of the revision

Summary of the revision

1.0.0

2022-10-14T16:00:00.000Z

Initial version

**Disclaimer**

The information provided in this disclosure is provided "as is" without warranty of any kind. Softing disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Softing or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Softing or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

CVE-2022-37453: SYT-2022-9: Improper input validation vulnerability in OPC UA C++ SDK, Secure Integration Server, edgeConnector, edgeAggregator, uaGate and OPC Suite

Bento4 1.6.0 has memory leaks via the mp4fragment.

**CVE-2022-40884**

**I use AFL when fuzzing and got some crashes.**

**Following is the detail.**

\==3780==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 48 byte(s) in 1 object(s) allocated from: #0 0x4c470d in operator new(unsigned long) (/home/hjsz/Bento4/cmakebuild/mp4fragment+0x4c470d) #1 0x653b06 in AP4\_StdcFileByteStream::Create(AP4\_FileByteStream\*, char const\*, AP4\_FileByteStream::Mode, AP4\_ByteStream\*&) /home/hjsz/Bento4/Source/C++/System/StdC/Ap4StdCFileByteStream.cpp:279:14

SUMMARY: AddressSanitizer: 48 byte(s) leaked in 1 allocation(s).

crash

**Command**

*   ./mp4fragment ./POC

**Environment**

Ubuntu 20.04

CLang 10.0.1

Bento4 Version 1.6.0.0

MP4 Fragmenter - Version 1.7.0

CVE-2022-40884: CVE/CVE-2022-40884.md at main · yangfar/CVE

Bento4 v1.6.0-639 has a memory allocation issue that can cause denial of service.

**CVE-2022-40885****Out of memory in Ap4DataBuffer:new AP4\_Byte\[buffer\_size\]**

Hello,I use the fuzzer(AFL) to fuzz binary mp42avc and got some crashes which show that allocator is out of memory trying to allocate 0xXXXXXXXX bytes when method new is called.

There are two functions occur the crashes.

**The following is the details.****Bug1**

./mp42avc ~/out/crashes/id:000017,sig:06,src:000925+000617,op:splice,rep:128 3.avc

\================================================================= ==4126303==ERROR: AddressSanitizer: allocator is out of memory trying to allocate 0xc4b26d23 bytes #0 0x549287 in operator new\[\](unsigned long) (/root/Bento4/cmakebuild/mp42avc+0x549287) #1 0x558418 in AP4\_DataBuffer::AP4\_DataBuffer(unsigned int) /root/Bento4/Source/C++/Core/Ap4DataBuffer.cpp:55:16 #2 0x5ec12a in AP4\_AtomFactory::CreateAtomFromStream(AP4\_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4\_Atom\*&) /root/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:513:20 #3 0x5e7b66 in AP4\_AtomFactory::CreateAtomFromStream(AP4\_ByteStream&, unsigned long long&, AP4\_Atom\*&) /root/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:234:14 #4 0x6563c0 in AP4\_DrefAtom::AP4\_DrefAtom(unsigned int, unsigned char, unsigned int, AP4\_ByteStream&, AP4\_AtomFactory&) /root/Bento4/Source/C++/Core/Ap4DrefAtom.cpp:84:16 #5 0x6559d7 in AP4\_DrefAtom::Create(unsigned int, AP4\_ByteStream&, AP4\_AtomFactory&) /root/Bento4/Source/C++/Core/Ap4DrefAtom.cpp:50:16 #6 0x5ec3a5 in AP4\_AtomFactory::CreateAtomFromStream(AP4\_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4\_Atom\*&) /root/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:580:20 #7 0x5e7b66 in AP4\_AtomFactory::CreateAtomFromStream(AP4\_ByteStream&, unsigned long long&, AP4\_Atom\*&) /root/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:234:14 #8 0x62e6b0 in AP4\_ContainerAtom::ReadChildren(AP4\_AtomFactory&, AP4\_ByteStream&, unsigned long long) /root/Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:194:12 #9 0x62e48b in AP4\_ContainerAtom::AP4\_ContainerAtom(unsigned int, unsigned long long, bool, AP4\_ByteStream&, AP4\_AtomFactory&) /root/Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:139:5

\==4126303==HINT: if you don't care about these errors you may set allocator\_may\_return\_null=1 SUMMARY: AddressSanitizer: out-of-memory (/root/Bento4/cmakebuild/mp42avc+0x549287) in operator new\[\](unsigned long) ==4126303==ABORTING

**Bug 2**

\[root@iZ8vb29flmohv2ga6wdtfbZ cmakebuild\]# ./mp42avc ~/out/crashes/id:000018,sig:06,src:000606,op:havoc,rep:4 3.avc

\================================================================= ==4126299==ERROR: AddressSanitizer: allocator is out of memory trying to allocate 0x7d727b02 bytes #0 0x549287 in operator new\[\](unsigned long) (/root/Bento4/cmakebuild/mp42avc+0x549287) #1 0x6637c0 in AP4\_HdlrAtom::AP4\_HdlrAtom(unsigned int, unsigned char, unsigned int, AP4\_ByteStream&) /root/Bento4/Source/C++/Core/Ap4HdlrAtom.cpp:88:18

\==4126299==HINT: if you don't care about these errors you may set allocator\_may\_return\_null=1 SUMMARY: AddressSanitizer: out-of-memory (/root/Bento4/cmakebuild/mp42avc+0x549287) in operator new\[\](unsigned long) ==4126299==ABORTING

**Ap4HdlrAtom.cpp:88 and Ap4HdlrAtom.cpp will call new\[Big size\] and then crash.**

**Bug3**

./AFL/afl-fuzz -i ./seed2/ -o ./out3 -d -m none ./Bento4/cmakebuild/aac2mp4 @@ 3.mp4

After testing, the above problems also occur in acc2mp4 function.

**The following is the details.**

\[root@iZ8vb29flmohv2ga6wdtfbZ cmakebuild\]# ./aac2mp4 ~/out3/crashes/id:000008,sig:06,src:000074,op:havoc,rep:4 3.mp4

AAC frame \[000000\]: size = -7, 96000 kHz, 0 ch

\================================================================= ==3788615==ERROR: AddressSanitizer: allocator is out of memory trying to allocate 0xfffffff9 bytes #0 0x54a287 in operator new\[\](unsigned long) (/root/Bento4/cmakebuild/aac2mp4+0x54a287) #1 0x55b578 in AP4\_DataBuffer::AP4\_DataBuffer(unsigned int) /root/Bento4/Source/C++/Core/Ap4DataBuffer.cpp:55:16

\==3788615==HINT: if you don't care about these errors you may set allocator\_may\_return\_null=1 SUMMARY: AddressSanitizer: out-of-memory (/root/Bento4/cmakebuild/aac2mp4+0x54a287) in operator new\[\](unsigned long) ==3788615==ABORTING

**input**

input.zip

**Crashes**

crashes.zip

CVE-2022-40885: CVE/CVE-2022-40885.md at main · yangfar/CVE

jsonlint 1.0 is vulnerable to heap-buffer-overflow via /home/hjsz/jsonlint/src/lexer.

Hi, developers of jsonlint.  
I fuzz the jsonlint with AFL,and some crashes incurred—heap-buffer-overflow.The following is the details.  
**Commond: ./jsonlint input**

**Bug**

\=1492403==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60e0000000df at pc 0x000000508ea7 bp 0x7ffc32b00ef0 sp 0x7ffc32b00ee8  
READ of size 1 at 0x60e0000000df thread T0  
#0 0x508ea6 in jsonlint::details::ReadCharacter\[abi:cxx11\](jsonlint::Lexer&, bool) /home/hjsz/jsonlint/src/lexer.cpp:18:15  
#1 0x509c58 in jsonlint::details::PeekCharacterabi:cxx11 /home/hjsz/jsonlint/src/lexer.cpp:27:52  
#2 0x509c58 in jsonlint::details::ReadString(jsonlint::Lexer&) /home/hjsz/jsonlint/src/lexer.cpp:48:12  
#3 0x512b99 in jsonlint::Tokenize(jsonlint::Lexer&) /home/hjsz/jsonlint/src/lexer.cpp:256:26  
#4 0x4cb5b1 in main /home/hjsz/jsonlint/src/main.cpp:26:21  
#5 0x7f1da2c68082 in \_\_libc\_start\_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16  
#6 0x41fced in \_start (/home/hjsz/jsonlint/build/jsonlint+0x41fced)

0x60e0000000df is located 0 bytes to the right of 159-byte region \[0x60e000000040,0x60e0000000df)  
allocated by thread T0 here:  
#0 0x4c7b9d in operator new(unsigned long) (/home/hjsz/jsonlint/build/jsonlint+0x4c7b9d)  
#1 0x52d49c in void std::\_\_cxx11::basic\_string<char, std::char\_traits, std::allocator >::\_M\_construct<char\*>(char\*, char\*, std::forward\_iterator\_tag) /usr/bin/../lib/gcc/x86\_64-linux-gnu/9/../../../../include/c++/9/bits/basic\_string.tcc:219:14  
#2 0x4cb40f in main /home/hjsz/jsonlint/src/main.cpp:25:19  
#3 0x7f1da2c68082 in \_\_libc\_start\_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/hjsz/jsonlint/src/lexer.cpp:18:15 in jsonlint::details::ReadCharacter\[abi:cxx11\](jsonlint::Lexer&, bool)  
Shadow bytes around the buggy address:  
0x0c1c7fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
0x0c1c7fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
0x0c1c7fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
0x0c1c7fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
0x0c1c7fff8000: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00  
\=>0x0c1c7fff8010: 00 00 00 00 00 00 00 00 00 00 00\[07\]fa fa fa fa  
0x0c1c7fff8020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0c1c7fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0c1c7fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0c1c7fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0c1c7fff8060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
Shadow byte legend (one shadow byte represents 8 application bytes):  
Addressable: 00  
Partially addressable: 01 02 03 04 05 06 07  
Heap left redzone: fa  
Freed heap region: fd  
Stack left redzone: f1  
Stack mid redzone: f2  
Stack right redzone: f3  
Stack after return: f5  
Stack use after scope: f8  
Global redzone: f9  
Global init order: f6  
Poisoned by user: f7  
Container overflow: fc  
Array cookie: ac  
Intra object redzone: bb  
ASan internal: fe  
Left alloca redzone: ca  
Right alloca redzone: cb  
Shadow gap: cc  
\==1492403==ABORTING

**Crashes**

crashes.zip

**Environment**

Ubuntu 20.04.5 LTS  
master

Thanks for your time.

CVE-2022-42227: Heap-buffer-overflow in jsonlint/src/lexer.cpp:18:15 · Issue #2 · p-ranav/jsonlint

GPAC 2.1-DEV-rev368-gfd054169b-master was discovered to contain a segmentation violation via the function gf_isom_get_meta_item_info at /isomedia/meta.c.

**Description**

SEGV in isomedia/meta.c:177 in gf\_isom\_get\_meta\_item\_info

**Version**

    $ ./MP4Box -version
    MP4Box - GPAC version 2.1-DEV-rev368-gfd054169b-master
    (c) 2000-2022 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
    
    Please cite our work in your research:
            GPAC Filters: https://doi.org/10.1145/3339825.3394929
            GPAC: https://doi.org/10.1145/1291233.1291452
    
    GPAC Configuration: --enable-sanitizer
    Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_JPEG GPAC_HAS_PNG GPAC_HAS_LINUX_DVB  GPAC_DISABLE_3D 
    

**Replay**

    git clone https://github.com/gpac/gpac.git
    cd gpac
    ./configure --enable-sanitizer
    make -j$(nproc)
    ./bin/gcc/MP4Box -info mp4box-info-segv-1
    

**POC**

https://github.com/17ssDP/fuzzer\_crashes/blob/main/gpac/mp4box-info-segv-1

**ASAN**

    [iso file] Unknown box type i000000 in parent iinf
    [iso file] Unknown top-level box type v000000
    [iso file] Incomplete box v000000 - start 308 size 191662031
    [iso file] Incomplete file while reading for dump - aborting parsing
    # File Meta type: "Meta" - 3 resource item(s)
    ASAN:DEADLYSIGNAL
    =================================================================
    ==52314==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000028 (pc 0x7f4d67b428f9 bp 0x000000000000 sp 0x7ffcd749c3c0 T0)
    ==52314==The signal is caused by a READ memory access.
    ==52314==Hint: address points to the zero page.
        #0 0x7f4d67b428f8 in gf_isom_get_meta_item_info isomedia/meta.c:177
        #1 0x55fa2660a89e in DumpMetaItem /gpac/applications/mp4box/filedump.c:2467
        #2 0x55fa26642cc8 in DumpMovieInfo /gpac/applications/mp4box/filedump.c:3820
        #3 0x55fa265efee4 in mp4box_main /gpac/applications/mp4box/mp4box.c:6359
        #4 0x7f4d669cfc86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86)
        #5 0x55fa265c00a9 in _start (/gpac/bin/gcc/MP4Box+0x4e0a9)
    
    AddressSanitizer can not provide additional info.
    SUMMARY: AddressSanitizer: SEGV isomedia/meta.c:177 in gf_isom_get_meta_item_info
    ==52314==ABORTING
    

**Environment**

    Ubuntu 16.04
    Clang 10.0.1
    gcc 5.5

CVE-2022-43044: SEGV isomedia/meta.c:177 in gf_isom_get_meta_item_info · Issue #2282 · gpac/gpac

GPAC 2.1-DEV-rev368-gfd054169b-master was discovered to contain a segmentation violation via the function gf_isom_meta_restore_items_ref at /isomedia/meta.c.

**Description**

SEGV in isomedia/meta.c:1929 in gf\_isom\_meta\_restore\_items\_ref

**Version**

    $ ./MP4Box -version
    MP4Box - GPAC version 2.1-DEV-rev368-gfd054169b-master
    (c) 2000-2022 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
    
    Please cite our work in your research:
            GPAC Filters: https://doi.org/10.1145/3339825.3394929
            GPAC: https://doi.org/10.1145/1291233.1291452
    
    GPAC Configuration: --enable-sanitizer
    Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_JPEG GPAC_HAS_PNG GPAC_HAS_LINUX_DVB  GPAC_DISABLE_3D 
    

**Replay**

    git clone https://github.com/gpac/gpac.git
    cd gpac
    ./configure --enable-sanitizer
    make -j$(nproc)
    ./bin/gcc/MP4Box -info mp4box-info-segv-0
    

**POC**

https://github.com/17ssDP/fuzzer\_crashes/blob/main/gpac/mp4box-info-segv-0

**ASAN**

    [iso file] Read Box type 0003E8d (0x0003E864) at position 653 has size 0 but is not at root/file level. Forbidden, skipping end of parent box !
    [iso file] Missing DataInformationBox
    [iso file] Box "minf" (start 645) has 3400 extra bytes
    [iso file] Track with no sample table !
    [iso file] Track with no sample description box !
    [isom] not enough bytes in box A9too: 29 left, reading 41 (file isomedia/box_code_apple.c, line 117)
    [iso file] Read Box "A9too" (start 4122) failed (Invalid IsoMedia File) - skipping
    [iso file] Read Box "ilst" (start 4114) failed (Invalid IsoMedia File) - skipping
    [iso file] Read Box type 000000! (0x00000021) at position 4077 has size 0 but is not at root/file level. Forbidden, skipping end of parent box !
    [iso file] Box "meta" (start 4069) has 74 extra bytes
    ASAN:DEADLYSIGNAL
    =================================================================
    ==57686==ERROR: AddressSanitizer: SEGV on unknown address 0x00000000002c (pc 0x7fb4c621a438 bp 0x000000000000 sp 0x7fff370fe330 T0)
    ==57686==The signal is caused by a READ memory access.
    ==57686==Hint: address points to the zero page.
        #0 0x7fb4c621a437 in gf_isom_meta_restore_items_ref isomedia/meta.c:1929
        #1 0x7fb4c60c4127 in gf_isom_parse_movie_boxes_internal isomedia/isom_intern.c:429
        #2 0x7fb4c60d00e5 in gf_isom_parse_movie_boxes isomedia/isom_intern.c:866
        #3 0x7fb4c60d00e5 in gf_isom_open_file isomedia/isom_intern.c:986
        #4 0x5627a34e0048 in mp4box_main /gpac/applications/mp4box/mp4box.c:6175
        #5 0x7fb4c5089c86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86)
        #6 0x5627a34b30a9 in _start (/gpac/bin/gcc/MP4Box+0x4e0a9)
    
    AddressSanitizer can not provide additional info.
    SUMMARY: AddressSanitizer: SEGV isomedia/meta.c:1929 in gf_isom_meta_restore_items_ref
    ==57686==ABORTING
    

**Environment**

    Ubuntu 16.04
    Clang 10.0.1
    gcc 5.5

Tag

#c++