GPAC Buffer Overflow Vulnerability in VobSub Demuxer Component Allowing Denial-of-Service

Vulnerability

A buffer overflow vulnerability has been identified in GPAC version 2.4.0 within the VobSub demuxer component. The issue arises in the 'vobsub_get_subpic_duration()' function, where missing bounds checks on attacker-controlled data sizes lead to a heap-based buffer overflow. It is triggered when GPAC parses a crafted VobSub subtitle file, which causes the application to crash. The out-of-bounds read, while primarily a stability issue, could potentially be leveraged for information disclosure under certain conditions.
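
The class of check described above, as an added example that is neither GPAC's code nor its fix: a C routine that walks a subpicture packet's control sequences and validates every size and offset against the buffer before reading. The packet layout stated in the comment, the names `rd16` and `spu_duration`, and the sample bytes are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>

/* Added illustration, not GPAC source. Assumed SPU layout: u16 packet size,
 * u16 offset of the first control sequence, then control sequences of
 * { u16 delay, u16 next offset, commands..., 0xFF }; the last points to itself. */
static int rd16(const uint8_t *b, size_t len, size_t off, uint32_t *out)
{
    if (len < 2 || off > len - 2) return -1;       /* refuse reads past the end */
    *out = ((uint32_t)b[off] << 8) | b[off + 1];
    return 0;
}

/* Returns 0 and stores (stop - start) delay in *dur, or -1 on malformed input. */
int spu_duration(const uint8_t *b, size_t len, uint32_t *dur)
{
    static const uint8_t arglen[7] = {0, 0, 0, 2, 2, 6, 4}; /* cmds 0x00..0x06 */
    uint32_t psize, next, delay, c, n = 0, start = 0, stop = 0;

    if (rd16(b, len, 0, &psize) || rd16(b, len, 2, &next)) return -1;
    if (psize > len || next < 4 || next >= psize) return -1; /* untrusted sizes */
    len = psize;                          /* stay inside the declared packet */
    for (;;) {
        size_t seq = next, i;
        if (rd16(b, len, seq, &delay) || rd16(b, len, seq + 2, &next)) return -1;
        if (next < seq || next >= len) return -1;  /* forward-only, in bounds */
        for (i = seq + 4; ; i += 1 + n) {
            if (i >= len) return -1;               /* command byte in bounds */
            c = b[i];
            if (c == 0xFF) break;                  /* end of this sequence */
            if (c == 0x07) {                       /* size-prefixed command */
                if (rd16(b, len, i + 1, &n) || n < 2) return -1;
            } else if (c < 7) n = arglen[c];
            else return -1;                        /* unknown command */
            if (n > len - i - 1) return -1;        /* arguments must fit */
            if (c <= 0x01) start = delay;
            else if (c == 0x02) stop = delay;
        }
        if (next == seq) break;                    /* self-reference: last one */
    }
    if (stop < start) return -1;
    *dur = stop - start;
    return 0;
}

/* Constructed samples: a well-formed 16-byte packet, and an 8-byte buffer
 * whose size fields claim far more data than is actually present. */
static const uint8_t good_spu[16] = {0x00,0x10, 0x00,0x04, 0x00,0x00, 0x00,0x0A,
    0x01,0xFF, 0x00,0x64, 0x00,0x0A, 0x02,0xFF};
static const uint8_t bad_spu[8] = {0xFF,0xFF, 0xFF,0xF0, 0x00,0x00, 0x01,0xFF};
```

Because each next offset must be at or beyond the current sequence and inside the packet, the walk cannot loop or leave the buffer regardless of what the size fields claim.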

Impact

Exploitation of this vulnerability causes a crash, leading to a denial-of-service condition. However, as this is an out-of-bounds read, there is a possibility of information disclosure, depending on how the read value is exposed later.

Reproduction

The vulnerability can be reproduced by using the proof-of-concept files 'poc_vobsub.idx' and 'poc_vobsub.sub', which are generated with a Python script that creates a VobSub index file and a corresponding subtitle file. These files should be processed with an AddressSanitizer-enabled build of GPAC, using a command that includes the VobSub index file as input. The AddressSanitizer will detect the heap-buffer-overflow error caused by the vulnerability.

Added: Jan 15, 2026, 5:28 PM
Updated: Jan 15, 2026, 5:28 PM