GPAC
cpe:2.3:a:gpac:gpac:*:*:*:*:*:*:*
- 2.4.0
A heap-based buffer overflow exists in the UNCV (uncompressed video) decoder filter of GPAC 2.4.0. While parsing the 'cpat' (component pattern) box of a crafted MP4 file, the 'uncv_parse_config()' function sizes the pattern table from the box's 'fa_width' and 'fa_height' fields but uses an incorrect two-dimensional index when filling it. Whenever 'fa_height' is larger than 'fa_width', the computed index runs past the end of the allocation and the parser writes out of bounds on the heap. The immediate effect is a crash (denial of service); the resulting memory corruption could potentially be exploited further.
Triggering the bug produces a heap-based buffer overflow and crashes the process. Whether the corruption can be turned into more than a denial of service depends on the allocator, the heap layout and the code paths that later touch the corrupted memory, so it should not be assumed to be crash-only.
To reproduce, build GPAC with AddressSanitizer enabled and feed the crafted file 'poc_uncv_cpat_oobwrite.mp4', whose 'cpat' box carries an 'fa_height' greater than its 'fa_width', to the UNCV decoder. AddressSanitizer reports a heap-buffer-overflow with the offending write in 'uncv_parse_config()', confirming that the out-of-bounds write has been triggered.
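The program below is an added illustration, not code from GPAC, of the bug class described above: a pattern table of fa_width x fa_height entries filled by two nested loops, where the faulty index uses fa_height as the row stride instead of fa_width. The box layout it parses (u16 fa_width, u16 fa_height, then 3-byte entries), the sample bytes, and every function and type name are constructed for the example and do not reproduce GPAC's structures or the exact ISO/IEC 23001-17 'cpat' syntax. Rather than performing the out-of-bounds write, it computes where the faulty index lands and shows that it escapes the allocation exactly when fa_height > fa_width; the bounds-checked parser beside it uses the correct stride.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of a 'cpat'-style component pattern box (not GPAC's code):
 * u16 fa_width, u16 fa_height, then fa_width*fa_height entries of
 * {u16 component_index, u8 component_gain}. Entry layout is simplified. */
typedef struct {
    uint16_t component_index;
    uint8_t  component_gain;
} fa_entry_t;

/* Number of entries an allocation sized from the header holds. */
size_t cpat_alloc_entries(uint16_t fa_width, uint16_t fa_height)
{
    return (size_t)fa_width * fa_height;
}

/* Largest index produced by the faulty addressing row * fa_height + col,
 * i.e. with the height used as the row stride instead of the width. */
size_t cpat_buggy_max_index(uint16_t fa_width, uint16_t fa_height)
{
    if (fa_width == 0 || fa_height == 0) return 0;
    return (size_t)(fa_height - 1) * fa_height + (fa_width - 1);
}

/* 1 if the faulty addressing writes past the allocation. The final entry lands
 * at (fa_height-1)*fa_height + (fa_width-1), which is >= fa_width*fa_height
 * exactly when fa_height > fa_width; square or wide patterns stay in bounds. */
int cpat_buggy_stride_overflows(uint16_t fa_width, uint16_t fa_height)
{
    if (fa_width == 0 || fa_height == 0) return 0;
    return cpat_buggy_max_index(fa_width, fa_height)
           >= cpat_alloc_entries(fa_width, fa_height);
}

/* Bounds-checked parser using the correct row-major stride (fa_width).
 * Returns a freshly allocated table (caller frees) or NULL on malformed input. */
fa_entry_t *cpat_parse_checked(const uint8_t *buf, size_t len,
                               uint16_t *out_w, uint16_t *out_h)
{
    if (buf == NULL || len < 4) return NULL;
    uint16_t w = (uint16_t)((buf[0] << 8) | buf[1]);
    uint16_t h = (uint16_t)((buf[2] << 8) | buf[3]);
    size_t n = cpat_alloc_entries(w, h);
    if (n == 0 || (len - 4) / 3 < n) return NULL;   /* empty or truncated payload */
    fa_entry_t *map = calloc(n, sizeof *map);
    if (map == NULL) return NULL;
    const uint8_t *p = buf + 4;
    for (uint16_t row = 0; row < h; row++) {
        for (uint16_t col = 0; col < w; col++) {
            size_t idx = (size_t)row * w + col;      /* stride is the width, not the height */
            if (idx >= n) { free(map); return NULL; } /* keeps the invariant explicit */
            map[idx].component_index = (uint16_t)((p[0] << 8) | p[1]);
            map[idx].component_gain  = p[2];
            p += 3;
        }
    }
    if (out_w) *out_w = w;
    if (out_h) *out_h = h;
    return map;
}

int main(void)
{
    /* Constructed sample box: fa_width = 2, fa_height = 3, six entries. */
    const uint8_t box[] = {
        0x00, 0x02, 0x00, 0x03,
        0x00, 0x00, 0x10,  0x00, 0x01, 0x10,
        0x00, 0x02, 0x10,  0x00, 0x00, 0x20,
        0x00, 0x01, 0x20,  0x00, 0x02, 0x20,
    };
    uint16_t w = 0, h = 0;
    fa_entry_t *map = cpat_parse_checked(box, sizeof box, &w, &h);
    printf("checked parse of %ux%u pattern: %s\n", w, h, map ? "ok" : "rejected");
    printf("faulty stride on a %zu-entry table: max index %zu, overflow=%s\n",
           cpat_alloc_entries(2, 3), cpat_buggy_max_index(2, 3),
           cpat_buggy_stride_overflows(2, 3) ? "yes" : "no");
    free(map);
    return 0;
}
```

With the 2x3 sample, the faulty stride reaches index 7 in a 6-entry table, while swapping the dimensions to 3x2 stays within bounds; that asymmetry is why a fuzzer or a hand-crafted file needs fa_height > fa_width to hit the write.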