Red Hat Security Advisory 2023-0021-01 - WebKitGTK is the port of the portable web rendering engine WebKit to the GTK platform. Issues addressed include a code execution vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Important: webkit2gtk3 security update  
Advisory ID:       RHSA-2023:0021-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:0021  
Issue date:        2023-01-04  
CVE Names:         CVE-2022-42856   
=====================================================================

1. Summary:

An update for webkit2gtk3 is now available for Red Hat Enterprise Linux 9.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream (v. 9) - aarch64, ppc64le, s390x, x86_64

3. Description:

WebKitGTK is the port of the portable web rendering engine WebKit to the  
GTK platform.

Security Fix(es):

* webkitgtk: processing maliciously crafted web content may lead to an  
arbitrary code execution (CVE-2022-42856)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2153683 - CVE-2022-42856 webkitgtk: processing maliciously crafted web content may lead to an arbitrary code execution

6. Package List:

Red Hat Enterprise Linux AppStream (v. 9):

Source:  
webkit2gtk3-2.36.7-1.el9_1.1.src.rpm

aarch64:  
webkit2gtk3-2.36.7-1.el9_1.1.aarch64.rpm  
webkit2gtk3-debuginfo-2.36.7-1.el9_1.1.aarch64.rpm  
webkit2gtk3-debugsource-2.36.7-1.el9_1.1.aarch64.rpm  
webkit2gtk3-devel-2.36.7-1.el9_1.1.aarch64.rpm  
webkit2gtk3-devel-debuginfo-2.36.7-1.el9_1.1.aarch64.rpm  
webkit2gtk3-jsc-2.36.7-1.el9_1.1.aarch64.rpm  
webkit2gtk3-jsc-debuginfo-2.36.7-1.el9_1.1.aarch64.rpm  
webkit2gtk3-jsc-devel-2.36.7-1.el9_1.1.aarch64.rpm  
webkit2gtk3-jsc-devel-debuginfo-2.36.7-1.el9_1.1.aarch64.rpm

ppc64le:  
webkit2gtk3-2.36.7-1.el9_1.1.ppc64le.rpm  
webkit2gtk3-debuginfo-2.36.7-1.el9_1.1.ppc64le.rpm  
webkit2gtk3-debugsource-2.36.7-1.el9_1.1.ppc64le.rpm  
webkit2gtk3-devel-2.36.7-1.el9_1.1.ppc64le.rpm  
webkit2gtk3-devel-debuginfo-2.36.7-1.el9_1.1.ppc64le.rpm  
webkit2gtk3-jsc-2.36.7-1.el9_1.1.ppc64le.rpm  
webkit2gtk3-jsc-debuginfo-2.36.7-1.el9_1.1.ppc64le.rpm  
webkit2gtk3-jsc-devel-2.36.7-1.el9_1.1.ppc64le.rpm  
webkit2gtk3-jsc-devel-debuginfo-2.36.7-1.el9_1.1.ppc64le.rpm

s390x:  
webkit2gtk3-2.36.7-1.el9_1.1.s390x.rpm  
webkit2gtk3-debuginfo-2.36.7-1.el9_1.1.s390x.rpm  
webkit2gtk3-debugsource-2.36.7-1.el9_1.1.s390x.rpm  
webkit2gtk3-devel-2.36.7-1.el9_1.1.s390x.rpm  
webkit2gtk3-devel-debuginfo-2.36.7-1.el9_1.1.s390x.rpm  
webkit2gtk3-jsc-2.36.7-1.el9_1.1.s390x.rpm  
webkit2gtk3-jsc-debuginfo-2.36.7-1.el9_1.1.s390x.rpm  
webkit2gtk3-jsc-devel-2.36.7-1.el9_1.1.s390x.rpm  
webkit2gtk3-jsc-devel-debuginfo-2.36.7-1.el9_1.1.s390x.rpm

x86_64:  
webkit2gtk3-2.36.7-1.el9_1.1.i686.rpm  
webkit2gtk3-2.36.7-1.el9_1.1.x86_64.rpm  
webkit2gtk3-debuginfo-2.36.7-1.el9_1.1.i686.rpm  
webkit2gtk3-debuginfo-2.36.7-1.el9_1.1.x86_64.rpm  
webkit2gtk3-debugsource-2.36.7-1.el9_1.1.i686.rpm  
webkit2gtk3-debugsource-2.36.7-1.el9_1.1.x86_64.rpm  
webkit2gtk3-devel-2.36.7-1.el9_1.1.i686.rpm  
webkit2gtk3-devel-2.36.7-1.el9_1.1.x86_64.rpm  
webkit2gtk3-devel-debuginfo-2.36.7-1.el9_1.1.i686.rpm  
webkit2gtk3-devel-debuginfo-2.36.7-1.el9_1.1.x86_64.rpm  
webkit2gtk3-jsc-2.36.7-1.el9_1.1.i686.rpm  
webkit2gtk3-jsc-2.36.7-1.el9_1.1.x86_64.rpm  
webkit2gtk3-jsc-debuginfo-2.36.7-1.el9_1.1.i686.rpm  
webkit2gtk3-jsc-debuginfo-2.36.7-1.el9_1.1.x86_64.rpm  
webkit2gtk3-jsc-devel-2.36.7-1.el9_1.1.i686.rpm  
webkit2gtk3-jsc-devel-2.36.7-1.el9_1.1.x86_64.rpm  
webkit2gtk3-jsc-devel-debuginfo-2.36.7-1.el9_1.1.i686.rpm  
webkit2gtk3-jsc-devel-debuginfo-2.36.7-1.el9_1.1.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-42856  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY7Wqj9zjgjWX9erEAQg9lg/+MOfUiSATG58e1aJdZzVtFA5hv1x1PWC3  
/F+rP2/89vYYk/PLOSjySGdelAEYgw7Uq8UW6sPMkleTRvyakUaYhE9joubGcYNM  
XKAtZDbLVGVzQxEggI7VxHRaFZvyMNWItb8SKloiD14EPuuI/W32g9Seep3L6xZ3  
ufdqgmCyVLILPRMREXYZgfYo0PsJqLL0qOwfL4KWhh6BDQpgdLvndjWzbfZiVKzO  
Rnr/x7o62SiEtgcSCCowoR35/NEJkzoCnbrD91UlgFUKby1siTbSr1KItPbP1y7L  
QiWSOBWph5pVZHKAiThYFHmGNbL04s10D3gVhB+MKZ+6AO/NjdmlU27Rg49ps9GV  
yLam6qcuWhNKbMafeOHleBeTRizSWmnKVefOWil/2FnNnzFhcEKJ3dILzjXIQSB/  
WyFAUqYG8qkha2buYpx4zEjq20jLngQQ/s00fDAnJlsjasMhyBLSGy+fvgmaQ6wN  
xs7gYg9+ouhnA3qJytkcQXj9Qaryvf9YmmY6uBLa7F5BUwtJ/w3E9n4pVFNmqEFq  
GD1SabvR9BfwO/7wQgyIBKSFMSRUtXpGV1MZp+FaQFKgJ/7Bgh0wNOy2t5MstPEf  
jvzsYdVUFZRfYwUNMNyA7Vsm6E2cnE52cLNEKuBxRdESAO11qrNzPIkYaF9DTmW3  
jFzs9D1IFKw=  
=FE4s  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-0021-01

GPAC MP4box 2.1-DEV-rev574-g9d5bb184b is contains an Integer overflow vulnerability in gf_hevc_read_sps_bs_internal function of media_tools/av_parsers.c:8316

Thanks for reporting your issue. Please make sure these boxes are checked before submitting your issue - thank you!

Integer overflow in gf\_hevc\_read\_sps\_bs\_internal function of media\_tools/av\_parsers.c:8316

    MP4Box - GPAC version 2.1-DEV-rev574-g9d5bb184b-master
    (c) 2000-2022 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
    
    Please cite our work in your research:
    	GPAC Filters: https://doi.org/10.1145/3339825.3394929
    	GPAC: https://doi.org/10.1145/1291233.1291452
    
    GPAC Configuration: --enable-sanitizer
    Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SSL GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_LINUX_DVB  GPAC_DISABLE_3D
    

    ./configure --enable-sanitizer
    make
    ./MP4Box import -add poc_int.mov
    

    [Core] exp-golomb read failed, not enough bits in bitstream !
    [HEVC] Warning: Error parsing NAL unit
    media_tools/av_parsers.c:8316:25: runtime error: shift exponent 146 is too large for 32-bit type 'int'

CVE-2022-47092: Integer overflow in gf_hevc_read_sps_bs_internal function of media_tools/av_parsers.c:8316 · Issue #2347 · gpac/gpac

GPAC MP4box 2.1-DEV-rev574-g9d5bb184b is vulnerable to Buffer Overflow via gf_vvc_read_sps_bs_internal function of media_tools/av_parsers.c

Thanks for reporting your issue. Please make sure these boxes are checked before submitting your issue - thank you!

*   I looked for a similar issue and couldn't find any.
*   I tried with the latest version of GPAC. Installers available at http://gpac.io/downloads/gpac-nightly-builds/
*   I give enough information for contributors to reproduce my issue (meaningful title, github labels, platform and compiler, command-line ...). I can share files anonymously with this dropbox: https://www.mediafire.com/filedrop/filedrop\_hosted.php?drop=eec9e058a9486fe4e99c33021481d9e1826ca9dbc242a6cfaab0fe95da5e5d95

Detailed guidelines: http://gpac.io/2013/07/16/how-to-file-a-bug-properly/

**Description**

buffer overflow in gf\_vvc\_read\_sps\_bs\_internal function of media\_tools/av\_parsers.c

for (i=0; i<sps\_rpl1\_same\_as\_rpl0; i++) {
  u32 j;
  sps->num\_ref\_pic\_lists\[i\] = gf\_bs\_read\_ue\_log\_idx(bs, "sps\_num\_ref\_pic\_lists", i);
  for (j=0; j<sps->num\_ref\_pic\_lists\[i\]; j++) {
	  s32 res = vvc\_parse\_ref\_pic\_list\_struct(bs, sps, i, j, &sps->rps\[i\]\[j\]); // when j == 64, overflow sps->rps
	  if (res<0) return res;
  }
}

**Version info**

    MP4Box - GPAC version 2.1-DEV-rev574-g9d5bb184b-master
    (c) 2000-2022 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
    
    Please cite our work in your research:
    	GPAC Filters: https://doi.org/10.1145/3339825.3394929
    	GPAC: https://doi.org/10.1145/1291233.1291452
    
    GPAC Configuration: --enable-sanitizer
    Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SSL GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_LINUX_DVB  GPAC_DISABLE_3D
    

**Reproduce**

compile and run

    ./configure --enable-sanitizer
    make
    ./MP4Box import -add poc.mp4
    

Crash reported by sanitizer

    [VVC] Warning: Error parsing NAL unit
    [Core] exp-golomb read failed, not enough bits in bitstream !
    media_tools/av_parsers.c:10710:71: runtime error: index 65 out of bounds for type 'VVC_RefPicList [64]'
    

**POC**

poc\_bof.zip

**Impact**

Potentially causing DoS and RCE

**Credit**

xdchase

CVE-2022-47089: Buffer overflow in gf_vvc_read_sps_bs_internal function of media_tools/av_parsers.c · Issue #2338 · gpac/gpac

GPAC MP4box 2.1-DEV-rev574-g9d5bb184b is vulnerable to heap use-after-free via filters/dmx_m2ts.c:470 in m2tsdmx_declare_pid

Thanks for reporting your issue. Please make sure these boxes are checked before submitting your issue - thank you!

*   I looked for a similar issue and couldn't find any.
*   I tried with the latest version of GPAC. Installers available at http://gpac.io/downloads/gpac-nightly-builds/
*   I give enough information for contributors to reproduce my issue (meaningful title, github labels, platform and compiler, command-line ...). I can share files anonymously with this dropbox: https://www.mediafire.com/filedrop/filedrop\_hosted.php?drop=eec9e058a9486fe4e99c33021481d9e1826ca9dbc242a6cfaab0fe95da5e5d95

Detailed guidelines: http://gpac.io/2013/07/16/how-to-file-a-bug-properly/

**Description**

heap-use-after-free filters/dmx\_m2ts.c:470 in m2tsdmx\_declare\_pid

**Version info**

    MP4Box - GPAC version 2.1-DEV-rev574-g9d5bb184b-master
    (c) 2000-2022 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
    
    Please cite our work in your research:
    	GPAC Filters: https://doi.org/10.1145/3339825.3394929
    	GPAC: https://doi.org/10.1145/1291233.1291452
    
    GPAC Configuration: --enable-sanitizer
    Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SSL GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_LINUX_DVB  GPAC_DISABLE_3D
    

**Reproduce**

compile and run

    ./configure --enable-sanitizer
    make
    ./MP4Box import -add poc_uaf.avi
    

**Crash reported by sanitizer**

    Broken PAT found reserved PID 0, ignoring
    Broken PAT found reserved PID 0, ignoring
    Broken PAT found reserved PID 0, ignoring
    Broken PAT found reserved PID 0, ignoring
    Broken PAT found reserved PID 0, ignoring
    [MPEG-2 TS] PID 1863: Bad Adaptation Descriptor found (tag 100) size is 100 but only 93 bytes available
    stream type DSM CC user private sections on pid 32 
    [MPEG-2 TS] Invalid PMT es descriptor size for PID 32
    [MPEG-2 TS] Invalid PMT es descriptor size for PID 5364
    Broken PAT found reserved PID 0, ignoring
    Broken PAT found reserved PID 0, ignoring
    Broken PAT found reserved PID 0, ignoring
    Broken PAT found reserved PID 0, ignoring
    Broken PAT found reserved PID 0, ignoring
    [MPEG-2 TS] PID 1863: Bad Adaptation Descriptor found (tag 100) size is 100 but only 93 bytes available
    stream type DSM CC user private sections on pid 32 
    [MPEG-2 TS] Invalid PMT es descriptor size for PID 32
    [MPEG-2 TS] Invalid PMT es descriptor size for PID 5364
    =================================================================
    ==583780==ERROR: AddressSanitizer: heap-use-after-free on address 0x607000004548 at pc 0x7fa6cb05f685 bp 0x7ffc93e21020 sp 0x7ffc93e21010
    READ of size 8 at 0x607000004548 thread T0
        #0 0x7fa6cb05f684 in m2tsdmx_declare_pid filters/dmx_m2ts.c:470
        #1 0x7fa6cb05f98a in m2tsdmx_setup_program filters/dmx_m2ts.c:592
        #2 0x7fa6cb06245b in m2tsdmx_on_event filters/dmx_m2ts.c:876
        #3 0x7fa6ca9507d4 in gf_m2ts_process_pmt media_tools/mpegts.c:1779
        #4 0x7fa6ca9507d4 in gf_m2ts_process_pmt media_tools/mpegts.c:1132
        #5 0x7fa6ca9439b6 in gf_m2ts_section_complete media_tools/mpegts.c:624
        #6 0x7fa6ca9452af in gf_m2ts_gather_section media_tools/mpegts.c:755
        #7 0x7fa6ca94a532 in gf_m2ts_process_packet media_tools/mpegts.c:2721
        #8 0x7fa6ca94dd68 in gf_m2ts_process_data media_tools/mpegts.c:2813
        #9 0x7fa6cb05a250 in m2tsdmx_process filters/dmx_m2ts.c:1420
        #10 0x7fa6caf29bcc in gf_filter_process_task filter_core/filter.c:2750
        #11 0x7fa6caee9af3 in gf_fs_thread_proc filter_core/filter_session.c:1859
        #12 0x7fa6caef63ee in gf_fs_run filter_core/filter_session.c:2120
        #13 0x7fa6ca938fd1 in gf_media_import media_tools/media_import.c:1551
        #14 0x55f87208daec in import_file /home/sumuchuan/Desktop/gpac_fuzz/gpac/applications/mp4box/fileimport.c:1498
        #15 0x55f8720423db in do_add_cat /home/sumuchuan/Desktop/gpac_fuzz/gpac/applications/mp4box/mp4box.c:4508
        #16 0x55f8720423db in mp4box_main /home/sumuchuan/Desktop/gpac_fuzz/gpac/applications/mp4box/mp4box.c:6124
        #17 0x7fa6c7ec3d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
        #18 0x7fa6c7ec3e3f in __libc_start_main_impl ../csu/libc-start.c:392
        #19 0x55f87201ecb4 in _start (/home/sumuchuan/Desktop/gpac_fuzz/gpac/bin/gcc/MP4Box+0xabcb4)
    
    0x607000004548 is located 8 bytes inside of 80-byte region [0x607000004540,0x607000004590)
    freed by thread T0 here:
        #0 0x7fa6cda1ec18 in __interceptor_realloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:164
        #1 0x7fa6ca0aff20 in realloc_chain utils/list.c:621
        #2 0x7fa6ca0aff20 in gf_list_add utils/list.c:630
        #3 0x7fa6caed06d0 in gf_props_set_property filter_core/filter_props.c:1098
        #4 0x7fa6cae8a35d in gf_filter_pid_set_property_full filter_core/filter_pid.c:5411
        #5 0x7fa6cae8a35d in gf_filter_pid_set_property filter_core/filter_pid.c:5418
        #6 0x7fa6cb05c6b3 in m2tsdmx_declare_pid filters/dmx_m2ts.c:454
        #7 0x7fa6cb05f98a in m2tsdmx_setup_program filters/dmx_m2ts.c:592
        #8 0x7fa6cb06245b in m2tsdmx_on_event filters/dmx_m2ts.c:876
        #9 0x7fa6ca9507d4 in gf_m2ts_process_pmt media_tools/mpegts.c:1779
        #10 0x7fa6ca9507d4 in gf_m2ts_process_pmt media_tools/mpegts.c:1132
        #11 0x7fa6ca9439b6 in gf_m2ts_section_complete media_tools/mpegts.c:624
        #12 0x7fa6ca9452af in gf_m2ts_gather_section media_tools/mpegts.c:755
        #13 0x7fa6ca94a532 in gf_m2ts_process_packet media_tools/mpegts.c:2721
        #14 0x7fa6ca94dd68 in gf_m2ts_process_data media_tools/mpegts.c:2813
        #15 0x7fa6cb05a250 in m2tsdmx_process filters/dmx_m2ts.c:1420
        #16 0x7fa6caf29bcc in gf_filter_process_task filter_core/filter.c:2750
        #17 0x7fa6caee9af3 in gf_fs_thread_proc filter_core/filter_session.c:1859
        #18 0x7fa6caef63ee in gf_fs_run filter_core/filter_session.c:2120
        #19 0x7fa6ca938fd1 in gf_media_import media_tools/media_import.c:1551
        #20 0x55f87208daec in import_file /home/sumuchuan/Desktop/gpac_fuzz/gpac/applications/mp4box/fileimport.c:1498
        #21 0x55f8720423db in do_add_cat /home/sumuchuan/Desktop/gpac_fuzz/gpac/applications/mp4box/mp4box.c:4508
        #22 0x55f8720423db in mp4box_main /home/sumuchuan/Desktop/gpac_fuzz/gpac/applications/mp4box/mp4box.c:6124
        #23 0x7fa6c7ec3d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    
    previously allocated by thread T0 here:
        #0 0x7fa6cda1ec18 in __interceptor_realloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:164
        #1 0x7fa6ca0aff20 in realloc_chain utils/list.c:621
        #2 0x7fa6ca0aff20 in gf_list_add utils/list.c:630
        #3 0x7fa6caed0d5f in gf_props_merge_property filter_core/filter_props.c:1199
        #4 0x7fa6cae9661b in gf_filter_pid_new filter_core/filter_pid.c:5258
        #5 0x7fa6cb05adf9 in m2tsdmx_declare_pid filters/dmx_m2ts.c:411
        #6 0x7fa6cb05f98a in m2tsdmx_setup_program filters/dmx_m2ts.c:592
        #7 0x7fa6cb06245b in m2tsdmx_on_event filters/dmx_m2ts.c:876
        #8 0x7fa6ca9507d4 in gf_m2ts_process_pmt media_tools/mpegts.c:1779
        #9 0x7fa6ca9507d4 in gf_m2ts_process_pmt media_tools/mpegts.c:1132
        #10 0x7fa6ca9439b6 in gf_m2ts_section_complete media_tools/mpegts.c:624
        #11 0x7fa6ca9452af in gf_m2ts_gather_section media_tools/mpegts.c:755
        #12 0x7fa6ca94a532 in gf_m2ts_process_packet media_tools/mpegts.c:2721
        #13 0x7fa6ca94dd68 in gf_m2ts_process_data media_tools/mpegts.c:2813
        #14 0x7fa6cb05a250 in m2tsdmx_process filters/dmx_m2ts.c:1420
        #15 0x7fa6caf29bcc in gf_filter_process_task filter_core/filter.c:2750
        #16 0x7fa6caee9af3 in gf_fs_thread_proc filter_core/filter_session.c:1859
        #17 0x7fa6caef63ee in gf_fs_run filter_core/filter_session.c:2120
        #18 0x7fa6ca938fd1 in gf_media_import media_tools/media_import.c:1551
        #19 0x55f87208daec in import_file /home/sumuchuan/Desktop/gpac_fuzz/gpac/applications/mp4box/fileimport.c:1498
        #20 0x55f8720423db in do_add_cat /home/sumuchuan/Desktop/gpac_fuzz/gpac/applications/mp4box/mp4box.c:4508
        #21 0x55f8720423db in mp4box_main /home/sumuchuan/Desktop/gpac_fuzz/gpac/applications/mp4box/mp4box.c:6124
        #22 0x7fa6c7ec3d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    
    SUMMARY: AddressSanitizer: heap-use-after-free filters/dmx_m2ts.c:470 in m2tsdmx_declare_pid
    Shadow bytes around the buggy address:
      0x0c0e7fff8850: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 fa fa
      0x0c0e7fff8860: fa fa 00 00 00 00 00 00 00 00 00 00 fa fa fa fa
      0x0c0e7fff8870: 00 00 00 00 00 00 00 00 00 00 fa fa fa fa 00 00
      0x0c0e7fff8880: 00 00 00 00 00 00 00 00 fa fa fa fa 00 00 00 00
      0x0c0e7fff8890: 00 00 00 00 00 00 fa fa fa fa 00 00 00 00 00 00
    =>0x0c0e7fff88a0: 00 00 00 00 fa fa fa fa fd[fd]fd fd fd fd fd fd
      0x0c0e7fff88b0: fd fd fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c0e7fff88c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c0e7fff88d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c0e7fff88e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c0e7fff88f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==583780==ABORTING
    

**POC**

poc\_uaf.zip

**Impact**

Potentially causing DoS and RCE

**Credit**

Xdchase

CVE-2022-47093: heap-use-after-free filters/dmx_m2ts.c:470 in m2tsdmx_declare_pid · Issue #2344 · gpac/gpac

GPAC MP4box 2.1-DEV-rev574-g9d5bb184b has a Buffer overflow in gf_vvc_read_pps_bs_internal function of media_tools/av_parsers.c

Thanks for reporting your issue. Please make sure these boxes are checked before submitting your issue - thank you!

*   I looked for a similar issue and couldn't find any.
*   I tried with the latest version of GPAC. Installers available at http://gpac.io/downloads/gpac-nightly-builds/
*   I give enough information for contributors to reproduce my issue (meaningful title, github labels, platform and compiler, command-line ...). I can share files anonymously with this dropbox: https://www.mediafire.com/filedrop/filedrop\_hosted.php?drop=eec9e058a9486fe4e99c33021481d9e1826ca9dbc242a6cfaab0fe95da5e5d95

Detailed guidelines: http://gpac.io/2013/07/16/how-to-file-a-bug-properly/

**Description**

buffer overflow in gf\_vvc\_read\_pps\_bs\_internal function of media\_tools/av\_parsers.c

while (nb\_ctb\_left >= uni\_size\_ctb) {
	nb\_ctb\_left -= uni\_size\_ctb;
	pps->tile\_rows\_height\_ctb\[pps->num\_tile\_rows\] = uni\_size\_ctb; // when pps->num\_tile\_rows == 32, overflow at pps->tile\_rows\_height\_ctb
	pps->num\_tile\_rows++;
}

**Version info**

    MP4Box - GPAC version 2.1-DEV-rev574-g9d5bb184b-master
    (c) 2000-2022 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
    
    Please cite our work in your research:
    	GPAC Filters: https://doi.org/10.1145/3339825.3394929
    	GPAC: https://doi.org/10.1145/1291233.1291452
    
    GPAC Configuration: --enable-sanitizer
    Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SSL GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_LINUX_DVB  GPAC_DISABLE_3D
    

**Reproduce**

compile and run

    ./configure --enable-sanitizer
    make
    ./MP4Box import -add poc_bof2.mp4
    

Crash reported by sanitizer

    [Core] exp-golomb read failed, not enough bits in bitstream !
    [VVC] Warning: Error parsing NAL unit
    media_tools/av_parsers.c:10985:29: runtime error: index 33 out of bounds for type 'u32 [33]'
    

**POC**

poc\_bof2.zip

**Impact**

Potentially causing DoS and RCE

**Credit**

Xdchase

CVE-2022-47087: Buffer overflow in gf_vvc_read_pps_bs_internal function of media_tools/av_parsers.c · Issue #2339 · gpac/gpac

GPAC MP4Box v2.1-DEV-rev574-g9d5bb184b contains a segmentation violation via the function gf_sm_load_init_swf at scene_manager/swf_parse.c

Thanks for reporting your issue. Please make sure these boxes are checked before submitting your issue - thank you!

*   I looked for a similar issue and couldn't find any.
*   I tried with the latest version of GPAC. Installers available at http://gpac.io/downloads/gpac-nightly-builds/
*   I give enough information for contributors to reproduce my issue (meaningful title, github labels, platform and compiler, command-line ...). I can share files anonymously with this dropbox: https://www.mediafire.com/filedrop/filedrop\_hosted.php?drop=eec9e058a9486fe4e99c33021481d9e1826ca9dbc242a6cfaab0fe95da5e5d95

Detailed guidelines: http://gpac.io/2013/07/16/how-to-file-a-bug-properly/

**Description**

Forget to check the return value of gf_swf_read_header in gf\_sm\_load\_init\_swf. gf_swf_read_header should fall fast if error is detected.

gf\_swf\_read\_header(read);
load->ctx->scene\_width = FIX2INT(read->width);
load->ctx->scene\_height = FIX2INT(read->height);
load->ctx->is\_pixel\_metrics = 1;

**Verison info**

    MP4Box - GPAC version 2.1-DEV-rev574-g9d5bb184b-master
    (c) 2000-2022 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
    
    Please cite our work in your research:
    	GPAC Filters: https://doi.org/10.1145/3339825.3394929
    	GPAC: https://doi.org/10.1145/1291233.1291452
    
    GPAC Configuration: --enable-sanitizer
    Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SSL GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_LINUX_DVB  GPAC_DISABLE_3D
    

**Reproduce**

compile with

    ./configure --enable-sanitizer
    make
    

run with poc.swf (in attachment)

    ./MP4Box import -add poc.swf
    

crash triggered

    [TXTLoad] Unknown text format for poc.swf
    Failed to connect filter fin PID poc.swf to filter txtin: Feature Not Supported
    Blacklisting txtin as output from fin and retrying connections
    AddressSanitizer:DEADLYSIGNAL
    =================================================================
    ==215517==ERROR: AddressSanitizer: SEGV on unknown address 0x615100000035 (pc 0x7f022cad9afb bp 0x7ffdc954ed70 sp 0x7ffdc954dc40 T0)
    ==215517==The signal is caused by a READ memory access.
        #0 0x7f022cad9afb in gf_sm_load_init_swf scene_manager/swf_parse.c:2667
        #1 0x7f022ca5125f in gf_sm_load_init scene_manager/scene_manager.c:692
        #2 0x7f022d169cea in ctxload_process filters/load_bt_xmt.c:476
        #3 0x7f022cecfbcc in gf_filter_process_task filter_core/filter.c:2750
        #4 0x7f022ce8faf3 in gf_fs_thread_proc filter_core/filter_session.c:1859
        #5 0x7f022ce9c3ee in gf_fs_run filter_core/filter_session.c:2120
        #6 0x7f022c8defd1 in gf_media_import media_tools/media_import.c:1551
        #7 0x56297ebccaec in import_file /home/sumuchuan/Desktop/gpac_fuzz/gpac/applications/mp4box/fileimport.c:1498
        #8 0x56297eb813db in do_add_cat /home/sumuchuan/Desktop/gpac_fuzz/gpac/applications/mp4box/mp4box.c:4508
        #9 0x56297eb813db in mp4box_main /home/sumuchuan/Desktop/gpac_fuzz/gpac/applications/mp4box/mp4box.c:6124
        #10 0x7f0229e69d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
        #11 0x7f0229e69e3f in __libc_start_main_impl ../csu/libc-start.c:392
        #12 0x56297eb5dcb4 in _start (/home/sumuchuan/Desktop/gpac_fuzz/gpac/bin/gcc/MP4Box+0xabcb4)
    
    AddressSanitizer can not provide additional info.
    SUMMARY: AddressSanitizer: SEGV scene_manager/swf_parse.c:2667 in gf_sm_load_init_swf
    ==215517==ABORTING
    

**Gdb**

    Program received signal SIGSEGV, Segmentation fault.
    0x00007f2d4fe54afb in gf_sm_load_init_swf (load=load@entry=0x6110000084f0) at scene_manager/swf_parse.c:2667
    2667		load->ctx->scene_width = FIX2INT(read->width);
    LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
    ───────────────────────────────────────────────────────────────────────[ REGISTERS / show-flags off / show-compact-regs off ]────────────────────────────────────────────────────────────────────────
    *RAX  0x611000008508 —▸ 0x604000002a90 —▸ 0x616000001280 ◂— 0x0
     RBX  0xfffecf4d70a ◂— 0x0
     RCX  0xfffecf4d6ea ◂— 0x0
     RDX  0x0
    *RDI  0x615100000035 ◂— 0x0
     RSI  0x0
    *R8   0x611000008528 ◂— 0xa9
     R9   0x610000000bd0 —▸ 0x200000002 ◂— 0x0
     R10  0x610000000bd4 —▸ 0x20000000002 ◂— 0x0
     R11  0x610000000bd0 —▸ 0x200000002 ◂— 0x0
     R12  0x6110000084f0 ◂— 9 /* '\t' */
    *R13  0x6150fffffffd ◂— 0x0
    *R14  0x615000013e4c —▸ 0xb40000000a9 ◂— 0x0
    *R15  0x611000008508 —▸ 0x604000002a90 —▸ 0x616000001280 ◂— 0x0
    *RBP  0x7fff67a6c940 —▸ 0x7fff67a6ca60 —▸ 0x7fff67a6dd60 —▸ 0x7fff67a6ddf0 —▸ 0x7fff67a6def0 ◂— ...
    *RSP  0x7fff67a6b810 ◂— 0xf4dc4ae
    *RIP  0x7f2d4fe54afb (gf_sm_load_init_swf+747) ◂— cvttss2si ecx, dword ptr [r13 + 0x38]
    ────────────────────────────────────────────────────────────────────────────────[ DISASM / x86-64 / set emulate on ]─────────────────────────────────────────────────────────────────────────────────
     ► 0x7f2d4fe54afb <gf_sm_load_init_swf+747>    cvttss2si ecx, dword ptr [r13 + 0x38]
       0x7f2d4fe54b01 <gf_sm_load_init_swf+753>    shr    rax, 3
       0x7f2d4fe54b05 <gf_sm_load_init_swf+757>    cmp    byte ptr [rax + 0x7fff8000], 0
       0x7f2d4fe54b0c <gf_sm_load_init_swf+764>    jne    gf_sm_load_init_swf+2550                <gf_sm_load_init_swf+2550>
     
       0x7f2d4fe54b12 <gf_sm_load_init_swf+770>    mov    rsi, qword ptr [r12 + 0x18]
       0x7f2d4fe54b17 <gf_sm_load_init_swf+775>    test   rsi, rsi
       0x7f2d4fe54b1a <gf_sm_load_init_swf+778>    je     gf_sm_load_init_swf+2570                <gf_sm_load_init_swf+2570>
     
       0x7f2d4fe54b20 <gf_sm_load_init_swf+784>    test   sil, 7
       0x7f2d4fe54b24 <gf_sm_load_init_swf+788>    jne    gf_sm_load_init_swf+2570                <gf_sm_load_init_swf+2570>
     
       0x7f2d4fe54b2a <gf_sm_load_init_swf+794>    lea    rdx, [rsi + 0x18]
       0x7f2d4fe54b2e <gf_sm_load_init_swf+798>    cmp    rsi, -0x18
    ──────────────────────────────────────────────────────────────────────────────────────────[ SOURCE (CODE) ]──────────────────────────────────────────────────────────────────────────────────────────
    In file: /home/sumuchuan/Desktop/gpac_fuzz/gpac/src/scene_manager/swf_parse.c
       2662         read->flags = load->swf_import_flags;
       2663         read->flat_limit = FLT2FIX(load->swf_flatten_limit);
       2664         load->loader_priv = read;
       2665 
       2666         gf_swf_read_header(read);
     ► 2667         load->ctx->scene_width = FIX2INT(read->width);
       2668         load->ctx->scene_height = FIX2INT(read->height);
       2669         load->ctx->is_pixel_metrics = 1;
       2670 
       2671         if (!(load->swf_import_flags & GF_SM_SWF_SPLIT_TIMELINE) ) {
       2672                 swf_report(read, GF_OK, "ActionScript disabled");
    ──────────────────────────────────────────────────────────────────────────────────────────────[ STACK ]──────────────────────────────────────────────────────────────────────────────────────────────
    00:0000│ rsp 0x7fff67a6b810 ◂— 0xf4dc4ae
    01:0008│     0x7fff67a6b818 —▸ 0x7fff67a6c910 —▸ 0x7fff67a6c9b0 —▸ 0x60e000667773 ◂— 0x0
    02:0010│     0x7fff67a6b820 —▸ 0x61100000852c —▸ 0x2b000000000 ◂— 0x0
    03:0018│     0x7fff67a6b828 —▸ 0x611000008528 ◂— 0xa9
    04:0020│     0x7fff67a6b830 —▸ 0x7fff67a6b850 ◂— 0x41b58ab3
    05:0028│     0x7fff67a6b838 —▸ 0x611000008530 —▸ 0x6020000002b0 ◂— '/tmp/gpac_cache'
    06:0030│     0x7fff67a6b840 —▸ 0x611000008548 —▸ 0x615000013e00 —▸ 0x6110000084f0 ◂— 9 /* '\t' */
    07:0038│     0x7fff67a6b848 —▸ 0x7fff67a6b850 ◂— 0x41b58ab3
    ────────────────────────────────────────────────────────────────────────────────────────────[ BACKTRACE ]────────────────────────────────────────────────────────────────────────────────────────────
     ► f 0   0x7f2d4fe54afb gf_sm_load_init_swf+747
       f 1   0x7f2d4fdcc260 gf_sm_load_init+896
       f 2   0x7f2d504e4ceb ctxload_process+2283
       f 3   0x7f2d5024abcd gf_filter_process_task+3181
       f 4   0x7f2d5020aaf4 gf_fs_thread_proc+2244
       f 5   0x7f2d502173ef gf_fs_run+447
       f 6   0x7f2d4fc59fd2 gf_media_import+16210
       f 7   0x565119c9faed import_file+15133
    ─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
    
    

**Backtrace**

    pwndbg> bt
    #0  0x00007f2d4fe54afb in gf_sm_load_init_swf (load=load@entry=0x6110000084f0) at scene_manager/swf_parse.c:2667
    #1  0x00007f2d4fdcc260 in gf_sm_load_init (load=load@entry=0x6110000084f0) at scene_manager/scene_manager.c:692
    #2  0x00007f2d504e4ceb in ctxload_process (filter=<optimized out>) at filters/load_bt_xmt.c:476
    #3  0x00007f2d5024abcd in gf_filter_process_task (task=0x607000001520) at filter_core/filter.c:2750
    #4  0x00007f2d5020aaf4 in gf_fs_thread_proc (sess_thread=sess_thread@entry=0x616000000410) at filter_core/filter_session.c:1859
    #5  0x00007f2d502173ef in gf_fs_run (fsess=fsess@entry=0x616000000380) at filter_core/filter_session.c:2120
    #6  0x00007f2d4fc59fd2 in gf_media_import (importer=importer@entry=0x7fff67a6ee20) at media_tools/media_import.c:1551
    #7  0x0000565119c9faed in import_file (dest=<optimized out>, inName=inName@entry=0x7fff67a832c8 "fake.swf", import_flags=0, force_fps=..., frames_per_sample=0, fsess=fsess@entry=0x0, mux_args_if_first_pass=<optimized out>, mux_sid_if_first_pass=<optimized out>, tk_idx=<optimized out>) at fileimport.c:1498
    #8  0x0000565119c543dc in do_add_cat (argv=<optimized out>, argc=<optimized out>) at mp4box.c:4508
    #9  mp4box_main (argc=<optimized out>, argv=<optimized out>) at mp4box.c:6124
    #10 0x00007f2d4d1e4d90 in __libc_start_call_main (main=main@entry=0x565119c30bc0 <main>, argc=argc@entry=4, argv=argv@entry=0x7fff67a82d98) at ../sysdeps/nptl/libc_start_call_main.h:58
    #11 0x00007f2d4d1e4e40 in __libc_start_main_impl (main=0x565119c30bc0 <main>, argc=4, argv=0x7fff67a82d98, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fff67a82d88) at ../csu/libc-start.c:392
    #12 0x0000565119c30cb5 in _start ()
    

**Credit**

xdchase

**POC**

poc-segfault.zip

CVE-2022-47086: missing check in gf_sm_load_init_swf, causing Segmentation fault · Issue #2337 · gpac/gpac

GPAC MP4box 2.1-DEV-rev574-g9d5bb184b is vulnerable to Buffer Overflow.

Thanks for reporting your issue. Please make sure these boxes are checked before submitting your issue - thank you!

buffer overflow in gf\_vvc\_read\_pps\_bs\_internal function of media\_tools/av\_parsers.c

while (nb\_ctb\_left >= uni\_size\_ctb) {
	nb\_ctb\_left -= uni\_size\_ctb;
	pps->tile\_cols\_width\_ctb\[pps->num\_tile\_cols\] = uni\_size\_ctb; // when pps->num\_tile\_cols == 30, overflow at pps->tile\_cols\_width\_ctb
	pps->num\_tile\_cols++;
}

    MP4Box - GPAC version 2.1-DEV-rev574-g9d5bb184b-master
    (c) 2000-2022 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
    
    Please cite our work in your research:
    	GPAC Filters: https://doi.org/10.1145/3339825.3394929
    	GPAC: https://doi.org/10.1145/1291233.1291452
    
    GPAC Configuration: --enable-sanitizer
    Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SSL GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_LINUX_DVB  GPAC_DISABLE_3D
    

    ./configure --enable-sanitizer
    make
    ./MP4Box import -add poc_bof3.mp4
    

    [Core] exp-golomb read failed, not enough bits in bitstream !
    [VVC] Warning: Error parsing NAL unit
    [Core] exp-golomb read failed, not enough bits in bitstream !
    media_tools/av_parsers.c:10964:28: runtime error: index 30 out of bounds for type 'u32 [30]'

CVE-2022-47088: Another Buffer overflow in gf_vvc_read_pps_bs_internal function of media_tools/av_parsers.c · Issue #2340 · gpac/gpac

GPAC version 2.1-DEV-rev505-gb9577e6ad-master was discovered to contain a memory leak via the afrt_box_read function at box_code_adobe.c.

A memory leak has occurred when running program MP4Box, this can reproduce on the lattest commit.

**Version**

    $ ./MP4Box -version                              
    MP4Box - GPAC version 2.1-DEV-rev505-gb9577e6ad-master
    (c) 2000-2022 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
    
    Please cite our work in your research:
    	GPAC Filters: https://doi.org/10.1145/3339825.3394929
    	GPAC: https://doi.org/10.1145/1291233.1291452
    
    GPAC Configuration: --static-build --extra-cflags=-fsanitize=address -g --extra-ldflags=-fsanitize=address -g
    Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SSL GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_FREETYPE GPAC_HAS_JPEG GPAC_HAS_PNG GPAC_HAS_LINUX_DVB
    

git log

    commit b9577e6ad91ef96decbcd369227ab02b2842c77f (HEAD -> master, origin/master, origin/HEAD)
    Author: jeanlf <jeanlf@gpac.io>
    Date:   Fri Nov 25 16:53:55 2022 +0100
    

**Verification steps**

    export CFLAGS='-fsanitize=address -g'
    export CC=/usr/bin/clang
    export CXX=/usr/bin/clang++ 
    git clone https://github.com/gpac/gpac.git
    cd gpac
    ./configure --static-build --extra-cflags="${CFLAGS}" --extra-ldflags="${CFLAGS}"
    make
    cd bin/gcc
    ./MP4Box -info $poc
    

**POC file**

https://github.com/HotSpurzzZ/testcases/blob/main/gpac/gpac\_Direct\_leak\_afrt\_box\_read.mp4

**AddressSanitizer output**

    $ ./MP4Box -info gpac_Direct_leak_afrt_box_read.mp4       
    [isom] not enough bytes in box afrt: 0 left, reading 1 (file isomedia/box_code_adobe.c, line 713)
    [iso file] Read Box "afrt" (start 0) failed (Invalid IsoMedia File) - skipping
    Error opening file gpac_Direct_leak_afrt_box_read.mp4: Invalid IsoMedia File
    
    =================================================================
    ==10525==ERROR: LeakSanitizer: detected memory leaks
    
    Direct leak of 24 byte(s) in 1 object(s) allocated from:
        #0 0x4a186d in malloc (/root/Desktop/gpac/bin/gcc/MP4Box+0x4a186d)
        #1 0x902c18 in afrt_box_read /root/Desktop/gpac/src/isomedia/box_code_adobe.c:706:35
    
    SUMMARY: AddressSanitizer: 24 byte(s) leaked in 1 allocation(s).

CVE-2022-46490: Memory leak in afrt_box_read function of box_code_adobe.c:706:35 · Issue #2327 · gpac/gpac

GPAC MP4box 2.1-DEV-rev574-g9d5bb184b is vulnerable to Null pointer dereference via filters/dmx_m2ts.c:343 in m2tsdmx_declare_pid

Thanks for reporting your issue. Please make sure these boxes are checked before submitting your issue - thank you!

*   I looked for a similar issue and couldn't find any.
*   I tried with the latest version of GPAC. Installers available at http://gpac.io/downloads/gpac-nightly-builds/
*   I give enough information for contributors to reproduce my issue (meaningful title, github labels, platform and compiler, command-line ...). I can share files anonymously with this dropbox: https://www.mediafire.com/filedrop/filedrop\_hosted.php?drop=eec9e058a9486fe4e99c33021481d9e1826ca9dbc242a6cfaab0fe95da5e5d95

Detailed guidelines: http://gpac.io/2013/07/16/how-to-file-a-bug-properly/

**Description**

Null pointer dereference filters/dmx\_m2ts.c:343 in m2tsdmx\_declare\_pid

**Version info**

    MP4Box - GPAC version 2.1-DEV-rev574-g9d5bb184b-master
    (c) 2000-2022 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
    
    Please cite our work in your research:
    	GPAC Filters: https://doi.org/10.1145/3339825.3394929
    	GPAC: https://doi.org/10.1145/1291233.1291452
    
    GPAC Configuration: --enable-sanitizer
    Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SSL GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_LINUX_DVB  GPAC_DISABLE_3D
    

**Reproduce**

compile and run

    ./configure --enable-sanitizer
    make
    ./MP4Box import -add poc_nderef.avi
    

**Crash reported by sanitizer**

    Broken PAT found reserved PID 0, ignoring
    Broken PAT found reserved PID 0, ignoring
    Broken PAT found reserved PID 0, ignoring
    Broken PAT found reserved PID 0, ignoring
    Broken PMT descriptor! size 54, desc size 48 but position 5
    MORE sections on pid 4144
    Broken PMT descriptor! size 54, desc size 48 but position 10
    Broken PMT descriptor! size 54, desc size 48 but position 15
    [MPEG-2 TS] PID 4144 reused across programs 8192 and 8192, not completely supported
    Broken PMT descriptor! size 54, desc size 48 but position 20
    [MPEG-2 TS] PID 4144 reused across programs 8192 and 8192, not completely supported
    MORE sections on pid 4144
    [MPEG-2 TS] PID 4144 reused across programs 8192 and 8192, not completely supported
    [MPEG-2 TS] Invalid PMT es descriptor size for PID 5859
    [MPEG-2 TS] TS Packet 3 is scrambled - not supported
    Broken PAT found reserved PID 0, ignoring
    Broken PAT found reserved PID 0, ignoring
    Broken PAT found reserved PID 0, ignoring
    Broken PAT found reserved PID 0, ignoring
    Broken PMT descriptor! size 54, desc size 48 but position 5
    MORE sections on pid 4144
    Broken PMT descriptor! size 54, desc size 48 but position 10
    Broken PMT descriptor! size 54, desc size 48 but position 15
    [MPEG-2 TS] PID 4144 reused across programs 8192 and 8192, not completely supported
    Broken PMT descriptor! size 54, desc size 48 but position 20
    [MPEG-2 TS] PID 4144 reused across programs 8192 and 8192, not completely supported
    MORE sections on pid 4144
    [MPEG-2 TS] PID 4144 reused across programs 8192 and 8192, not completely supported
    [MPEG-2 TS] Invalid PMT es descriptor size for PID 5859
    [M2TSDmx] Stream type 0x30 not supported - ignoring pid
    filters/dmx_m2ts.c:343:51: runtime error: member access within null pointer of type 'struct GF_InitialObjectDescriptor'
    

**POC**

poc\_nderef.zip

**Impact**

Potentially causing DoS and RCE

**Credit**

Xdchase

CVE-2022-47094: Null pointer dereference filters/dmx_m2ts.c:343 in m2tsdmx_declare_pid · Issue #2345 · gpac/gpac

GPAC MP4box 2.1-DEV-rev574-g9d5bb184b is vulnerable to Buffer overflow in hevc_parse_vps_extension function of media_tools/av_parsers.c

Thanks for reporting your issue. Please make sure these boxes are checked before submitting your issue - thank you!

*   I looked for a similar issue and couldn't find any.
*   I tried with the latest version of GPAC. Installers available at http://gpac.io/downloads/gpac-nightly-builds/
*   I give enough information for contributors to reproduce my issue (meaningful title, github labels, platform and compiler, command-line ...). I can share files anonymously with this dropbox: https://www.mediafire.com/filedrop/filedrop\_hosted.php?drop=eec9e058a9486fe4e99c33021481d9e1826ca9dbc242a6cfaab0fe95da5e5d95

Detailed guidelines: http://gpac.io/2013/07/16/how-to-file-a-bug-properly/

**Description**

Buffer overflow in hevc\_parse\_vps\_extension function of media\_tools/av\_parsers.c

for (i = 0; i < (num\_scalability\_types - splitting\_flag); i++) {
  dimension\_id\_len\[i\] = 1 + gf\_bs\_read\_int\_log\_idx(bs, 3, "dimension\_id\_len\_minus1", i); // overflow at dimension\_id\_len
}

**Version info**

    MP4Box - GPAC version 2.1-DEV-rev574-g9d5bb184b-master
    (c) 2000-2022 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
    
    Please cite our work in your research:
    	GPAC Filters: https://doi.org/10.1145/3339825.3394929
    	GPAC: https://doi.org/10.1145/1291233.1291452
    
    GPAC Configuration: --enable-sanitizer
    Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SSL GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_LINUX_DVB  GPAC_DISABLE_3D
    

**Reproduce**

compile and run

    ./configure --enable-sanitizer
    make
    ./MP4Box import -add poc_bof6.mp4
    

Crash reported by sanitizer

    [Core] exp-golomb read failed, not enough bits in bitstream !
    [HEVC] Warning: Error parsing NAL unit
    media_tools/av_parsers.c:7633:19: runtime error: index 16 out of bounds for type 'u8 [16]'
    

**POC**

poc\_bof6.zip

**Impact**

Potentially causing DoS and RCE

**Credit**

Xdchase

Tag

#js