GPAC MP4Box
cpe:2.3:a:gpac:mp4box:*:*:*:*:*:*:*
- 2.5-DEV-rev1644-g8e3b5e1dd-master
A heap buffer overflow vulnerability has been identified in GPAC MP4Box version 2.5-DEV-rev1644-g8e3b5e1dd-master, specifically within the 'm2tsdmx_send_packet' function of the MPEG-2 Transport Stream demuxer. This vulnerability allows attackers to cause a denial-of-service condition by processing a crafted MP4 file that exploits the demuxer's failure to properly validate data sizes before memory copy operations. The issue arises when the demuxer encounters corrupted packet structures, which can lead to an invalidly large copy size being used, triggering the heap buffer overflow.
Exploitation of this vulnerability causes a heap-based buffer overflow in which the 'memcpy' operation reads and writes an excessive amount of heap memory (approximately 4 GB). The overflow begins just past the end of a normally allocated buffer and can lead to memory corruption. While the immediate effect is a crash of the MP4Box process, the nature of the overflow could potentially be exploited to execute arbitrary code.
The vulnerability can be reproduced by using the MP4Box command-line tool with the '-dash 100' option, followed by a crafted MPEG-2 TS file that contains missing sync markers, corrupted Program Map Table (PMT) descriptor sizes, and conflicting Packet Identifier (PID) assignments. This file should be processed by the MP4Box version that contains the vulnerability, such as the one referenced in this advisory.
Users are advised to upgrade to the latest version of GPAC MP4Box that includes the fix for this vulnerability. The fix has been applied in the official GPAC repository. Instructions for downloading the latest version can be found on the GPAC GitHub page.
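The size validation that the advisory says is missing before the copy, shown as an added example (not GPAC's code and not the actual fix): a hypothetical `ts_copy_payload` helper that bounds a TS packet's adaptation field length and the destination capacity before calling `memcpy`. It assumes the oversized copy length comes from an unsigned subtraction wrapping around, which the advisory does not confirm.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define TS_PACKET_SIZE 188
#define TS_SYNC_BYTE   0x47

/* Hypothetical helper (not a GPAC function): copy the payload of one
 * MPEG-2 TS packet into dst. Returns the number of bytes copied,
 * 0 if the packet carries no payload, or -1 if it is malformed. */
int ts_copy_payload(const uint8_t *pkt, size_t pkt_len,
                    uint8_t *dst, size_t dst_cap)
{
    if (pkt == NULL || dst == NULL || pkt_len < TS_PACKET_SIZE)
        return -1;
    if (pkt[0] != TS_SYNC_BYTE)          /* missing sync marker */
        return -1;

    unsigned afc = (pkt[3] >> 4) & 0x3;  /* adaptation_field_control */
    if (afc == 0)                        /* reserved value */
        return -1;
    if (afc == 2)                        /* adaptation field only */
        return 0;

    size_t offset = 4;                   /* fixed TS header */
    if (afc == 3) {
        size_t af_len = pkt[4];          /* length taken from the file */
        /* Assumed failure mode: without this check the subtraction
         * below wraps around as an unsigned value (about 4 GB for a
         * 32-bit length) and memcpy runs far past the buffer. */
        if (af_len > TS_PACKET_SIZE - 5)
            return -1;
        offset += 1 + af_len;
    }

    size_t payload_len = TS_PACKET_SIZE - offset;
    if (payload_len > dst_cap)           /* destination too small */
        return -1;

    memcpy(dst, pkt + offset, payload_len);
    return (int)payload_len;
}
```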