GPAC Out-of-Bounds Read Vulnerability in OGG Demuxer

Vulnerability

An out-of-bounds read vulnerability has been identified in the OGG demuxer component of GPAC version 2.4.0. The 'oggdmx_parse_tags' function improperly validates the length of metadata, allowing a read and a write one byte beyond the intended buffer limit. This flaw can lead to undefined behavior and potential crashes, depending on the application's memory management.

Impact

Triggering this vulnerability causes a one-byte out-of-bounds read and write as the result of an off-by-one error, which can disrupt normal program operation. While the transient nature of the write may complicate exploitation, it still introduces the risk of undefined behavior and possible application crashes.

Reproduction

The vulnerability can be reproduced by building GPAC 2.4.0 with Clang 17, using AddressSanitizer and UndefinedBehaviorSanitizer. After compiling the application, a proof-of-concept OGG file can be generated, which exploits the off-by-one vulnerability in the 'oggdmx_parse_tags' function. This OGG file can then be processed by GPAC, demonstrating the vulnerability in action.

Remediation

To address this vulnerability, the boundary check in the 'oggdmx_parse_tags' function should be modified to disallow equality, ensuring that the code does not read or write beyond the valid buffer range.
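
The difference between the two forms of the check, as an added example that is not GPAC source code: a simplified length-prefixed tag parser that temporarily NUL-terminates each tag in place. The function names, the `allow_equal` switch, the tag layout and the sample bytes are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Illustrative parser, not GPAC source. Walks [u32 LE length][bytes] tags in
 * data[0..size) and NUL-terminates each tag in place while handling it, then
 * restores the saved byte (the transient write). allow_equal=1 models a check
 * that permits len == remaining; allow_equal=0 disallows equality.
 * *max_idx receives the highest index of data[] that was read or written. */
static int parse_tags(uint8_t *data, size_t size, int allow_equal, size_t *max_idx)
{
    size_t pos = 0;
    int accepted = 0;
    *max_idx = 0;
    while (size - pos >= 4) {
        uint32_t len = (uint32_t)data[pos] | (uint32_t)data[pos + 1] << 8 |
                       (uint32_t)data[pos + 2] << 16 | (uint32_t)data[pos + 3] << 24;
        pos += 4;
        size_t remaining = size - pos;
        if (allow_equal ? (len > remaining) : (len >= remaining))
            break;                      /* tag does not fit: stop parsing */
        size_t end = pos + len;         /* index of the terminator slot */
        uint8_t saved = data[end];      /* read: out of bounds when end == size */
        data[end] = 0;                  /* transient write at the same index */
        if (strchr((char *)&data[pos], '=')) accepted++;   /* "KEY=value" */
        data[end] = saved;              /* restore the original byte */
        if (end > *max_idx) *max_idx = end;
        pos = end;
    }
    return accepted;
}

/* Constructed input: one 3-byte tag "A=B" that exactly fills a 7-byte logical
 * buffer. The backing array has one spare byte so the demo stays defined. */
static size_t demo_max_index(int allow_equal)
{
    uint8_t backing[8] = { 3, 0, 0, 0, 'A', '=', 'B', 0x5A };
    size_t max_idx;
    parse_tags(backing, 7, allow_equal, &max_idx);
    return max_idx;
}

int main(void)
{
    printf("7-byte buffer: equality allowed touches index %zu, disallowed %zu\n",
           demo_max_index(1), demo_max_index(0));
    return 0;
}
```

With equality allowed, the terminator slot is index 7 of a 7-byte buffer, one past the last valid index; with equality disallowed, the tag is rejected before any byte at that index is touched.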

Added: Jan 15, 2026, 5:29 PM
Updated: Jan 15, 2026, 6:22 PM

Vulnerability Rating

Custom Algorithm

spread: 2.4
impact: 2.5
exploitability: 5.2
remediation: 0.0
relevance: 2.0
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.