| Title | gpac MP4Box MP4Box - GPAC version 2.5-DEV-rev2167-gcc9d617c0-master and earlier Stack-based Buffer Overflow |
|---|
| Description | Vulnerability Details: A stack-based buffer overflow vulnerability exists in the swf_def_bits_jpeg function within GPAC's scene_manager/swf_parse.c. The vulnerability arises because the program uses sprintf to write into a fixed-size stack buffer szName[1024] without validating the length of read->localPath.
An attacker can trigger this overflow by providing a long directory path (e.g., via the command line or a crafted environment) when processing a SWF file. Since read->localPath can be controlled by the user, a path exceeding the buffer limits will overwrite the stack, as confirmed by AddressSanitizer (ASan) showing a WRITE of size 1100 into a 1024-byte buffer.
Impact: This vulnerability could lead to a Denial of Service (DoS) through application crashes. In certain environments, it could potentially be leveraged for Remote Code Execution (RCE) by overwriting the return address on the stack.
Reproduction Steps:
1. Compile GPAC with AddressSanitizer enabled (`--enable-sanitizer`).
2. Create a deeply nested directory structure to exceed 1024 bytes:
   `export LONG_NAME=$(python3 -c "print('A'*250 + '/' + 'B'*250 + '/' + 'C'*250 + '/' + 'D'*250)")`
   `mkdir -p $LONG_NAME && cp test.swf $LONG_NAME/`
3. Run MP4Box to process the file:
   `MP4Box -add $PWD/$LONG_NAME/test.swf test.mp4`
4. Observe the ASan error: `ERROR: AddressSanitizer: stack-buffer-overflow on address...`
Suggested Fix: Replace the unsafe sprintf with snprintf to ensure boundary checking, or use dynamic memory allocation (e.g., gf_malloc) to accommodate paths of arbitrary length. |
|---|
| Source | ⚠️ https://github.com/gpac/gpac/issues/3436 |
|---|
| User | peterx (UID 94522) |
|---|
| Submit | 02/03/2026 09:35 AM (2 months ago) |
|---|
| Moderation | 14/03/2026 11:01 PM (13 days later) |
|---|
| Status | Accepted |
|---|
| VulDB Entry | 351091 [GPAC up to 2.5-DEV-rev2167-gcc9d617c0-master MP4Box swf_parse.c swf_def_bits_jpeg szName memory corruption] |
|---|
| Points | 20 |
|---|
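
The two fixes suggested in the description, sketched as an added example (this is not GPAC's code or the submitter's patch). The format string `NAME_FMT`, the function names and the use of plain `malloc` in place of `gf_malloc` are assumptions made so the example builds on its own; only the 1024-byte `szName` size and the unchecked `sprintf` of `read->localPath` come from the report.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SZ_NAME 1024  /* size of szName as stated in the report */

/* Pattern described in the report (not GPAC's exact source line):
 *     char szName[1024];
 *     sprintf(szName, "%s/...", read->localPath);    no length check
 * The file-name format below is a placeholder chosen for this example. */
#define NAME_FMT "%s/swf_jpeg_%u.jpg"

/* Fix 1: bounded write. Returns 0 on success, -1 if the result does not fit.
 * snprintf returns the length it wanted to write, so a value >= dst_size
 * means truncation and is treated as an error, not silently accepted. */
int build_name_bounded(char *dst, size_t dst_size, const char *local_path, unsigned id)
{
    int n = snprintf(dst, dst_size, NAME_FMT, local_path, id);
    if (n < 0 || (size_t)n >= dst_size) {
        if (dst_size) dst[0] = '\0';  /* never hand back a truncated path */
        return -1;
    }
    return 0;
}

/* Fix 2: size the buffer from the input. Caller frees the result. */
char *build_name_dynamic(const char *local_path, unsigned id)
{
    int n = snprintf(NULL, 0, NAME_FMT, local_path, id);  /* measure only */
    if (n < 0) return NULL;
    char *out = malloc((size_t)n + 1);
    if (!out) return NULL;
    snprintf(out, (size_t)n + 1, NAME_FMT, local_path, id);
    return out;
}

/* Constructed input: `depth` components of 250 bytes joined by '/',
 * mirroring the nested A/B/C/D directories in the reproduction steps. */
char *make_nested_path(int depth)
{
    char *p = malloc((size_t)depth * 251);
    if (!p) return NULL;
    size_t off = 0;
    for (int i = 0; i < depth; i++) {
        memset(p + off, 'A' + i, 250); off += 250;
        p[off++] = (i < depth - 1) ? '/' : '\0';
    }
    return p;
}
```

With the bounded variant the caller has to handle the `-1` case (skip the JPEG or fail the import); with the dynamic variant the path length stops being a constraint at this call site.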