Submission #769840: gpac MP4Box MP4Box - GPAC version 2.5-DEV-rev2167-gcc9d617c0-master and earlier Stack-based Buffer Overflow (info)

Title: gpac MP4Box MP4Box - GPAC version 2.5-DEV-rev2167-gcc9d617c0-master and earlier Stack-based Buffer Overflow
Description:

Vulnerability Details: A stack-based buffer overflow vulnerability exists in the swf_def_bits_jpeg function within GPAC's scene_manager/swf_parse.c. The vulnerability arises because the program uses sprintf to write into a fixed-size stack buffer szName[1024] without validating the length of read->localPath. An attacker can trigger this overflow by providing a long directory path (e.g., via the command line or a crafted environment) when processing a SWF file. Since read->localPath can be controlled by the user, a path exceeding the buffer limits will overwrite the stack, as confirmed by AddressSanitizer (ASan) showing a WRITE of size 1100 into a 1024-byte buffer.

Impact: This vulnerability could lead to a Denial of Service (DoS) through application crashes. In certain environments, it could potentially be leveraged for Remote Code Execution (RCE) by overwriting the return address on the stack.

Reproduction Steps:

1. Compile GPAC with AddressSanitizer enabled (--enable-sanitizer).
2. Create a deeply nested directory structure to exceed 1024 bytes:

    export LONG_NAME=$(python3 -c "print('A'*250 + '/' + 'B'*250 + '/' + 'C'*250 + '/' + 'D'*250)")
    mkdir -p $LONG_NAME && cp test.swf $LONG_NAME/

3. Run MP4Box to process the file:

    MP4Box -add $PWD/$LONG_NAME/test.swf test.mp4

4. Observe the ASan error:

    ERROR: AddressSanitizer: stack-buffer-overflow on address...

Suggested Fix: Replace the unsafe sprintf with snprintf to ensure boundary checking, or use dynamic memory allocation (e.g., gf_malloc) to accommodate paths of arbitrary length.
Source: https://github.com/gpac/gpac/issues/3436
User: peterx (UID 94522)
Submission: 2026-03-02 09:35 AM (2 months ago)
Moderation: 2026-03-14 11:01 PM (13 days later)
Status: Accepted
VulDB entry: 351091 [GPAC up to 2.5-DEV-rev2167-gcc9d617c0-master MP4Box swf_parse.c swf_def_bits_jpeg szName memory corruption]
Points: 20
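
The two options named under "Suggested Fix", sketched as an added example; this is not GPAC's code or its actual patch. The function names and the "%s/swf_jpeg_%u.jpg" layout are assumptions for illustration, and plain malloc stands in for gf_malloc.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NAME_BUF_SIZE 1024  /* same size as the szName buffer in the report */

/* Bounded variant. snprintf returns the length the full string would have,
 * so n >= dst_size means truncation. Returns 0 on success, -1 if the name
 * does not fit. The format string is an assumed layout, not GPAC's. */
int build_name_bounded(char *dst, size_t dst_size,
                       const char *local_path, unsigned id)
{
    int n = snprintf(dst, dst_size, "%s/swf_jpeg_%u.jpg", local_path, id);
    if (n < 0 || (size_t)n >= dst_size) {
        if (dst_size > 0)
            dst[0] = '\0';  /* never hand a truncated path to the caller */
        return -1;
    }
    return 0;
}

/* Dynamic variant: measure first, then allocate exactly. Caller frees. */
char *build_name_dynamic(const char *local_path, unsigned id)
{
    int n = snprintf(NULL, 0, "%s/swf_jpeg_%u.jpg", local_path, id);
    if (n < 0)
        return NULL;
    char *buf = malloc((size_t)n + 1);
    if (buf != NULL)
        snprintf(buf, (size_t)n + 1, "%s/swf_jpeg_%u.jpg", local_path, id);
    return buf;
}

int main(void)
{
    char long_path[1101];   /* constructed input, longer than the buffer */
    char name[NAME_BUF_SIZE];

    memset(long_path, 'A', sizeof long_path - 1);
    long_path[sizeof long_path - 1] = '\0';

    printf("short path: %d\n", build_name_bounded(name, sizeof name, "/tmp/out", 7));
    printf("long path:  %d\n", build_name_bounded(name, sizeof name, long_path, 7));

    char *dyn = build_name_dynamic(long_path, 7);
    printf("dynamic length: %zu\n", dyn ? strlen(dyn) : (size_t)0);
    free(dyn);
    return 0;
}
```

Checking the snprintf return value matters as much as the bound itself: a silently truncated name would make the parser write to a different file than intended.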