GPAC Stack-Based Buffer Overflow Vulnerability in Timed Text Export Function Allowing Denial-of-Service

Vulnerability

A stack-based buffer overflow vulnerability has been identified in GPAC version 2.4.0 within the 'dump_ttxt_sample' function, part of the ISO Media box dumping process. This vulnerability allows attackers to cause a denial-of-service by crafting an MP4 file containing a timed text sample whose text begins with a UTF-16 byte order mark and whose text length field is excessively large. The flaw arises from an unchecked 'memcpy' operation that copies the declared text length without validating it against the destination buffer, which can overwrite stack memory and potentially lead to exploitable memory corruption, depending on the application's build and environment.

Impact

Exploitation of this vulnerability causes a stack-based buffer overflow, leading to memory corruption. The observed result is a crash when the application processes the malicious MP4 file, but such memory corruption could be exploitable under certain conditions.

Reproduction

The vulnerability can be reproduced by using the GPAC 'MP4Box' tool with the '-ttxt' option, applied to an MP4 file containing a crafted 'tx3g' timed text sample. The sample must be designed to exceed the buffer size limit by manipulating the text length field, ensuring it is larger than 20,000 bytes, and including a UTF-16 BE BOM at the beginning. This can be automated with a Python script that generates the malicious MP4 file.

Remediation

To address this vulnerability, GPAC developers should implement proper length validation before the 'memcpy' operation, ensuring that the text length does not exceed the buffer capacity, and consider using dynamically allocated buffers based on validated input.
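The check described above, written out as an added illustration that is not GPAC's own code: a hardened sketch of a tx3g text-sample dump that validates the declared text length against both the sample size and the destination capacity before calling memcpy. The sample layout (2-byte big-endian length, then text, optionally starting with a UTF-16 BE BOM), the buffer size and the function name are assumptions for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Illustrative fixed stack buffer; the size is assumed for this example. */
#define TTXT_BUF_SIZE 20000

/* Hardened sketch of a tx3g text-sample dump (not GPAC's code). Assumed
 * layout: 2-byte big-endian text length, then that many bytes of text,
 * optionally starting with a UTF-16 BE byte order mark (0xFE 0xFF).
 *
 * The unchecked pattern the advisory describes is essentially:
 *     txt_len = read_be16(sample);
 *     memcpy(stack_buf, sample + 2, txt_len);   // txt_len never bounded
 * Each early return below is a check that pattern lacks.
 *
 * Returns the number of text bytes copied (a NUL is appended), or -1 when
 * the sample is truncated or the declared length would not fit in 'out'. */
int dump_ttxt_sample_checked(const uint8_t *sample, size_t sample_len,
                             char *out, size_t out_cap, int *is_utf16)
{
    if (sample_len < 2 || out_cap == 0) return -1;
    size_t txt_len = ((size_t)sample[0] << 8) | sample[1];
    if (txt_len > sample_len - 2) return -1;  /* length field exceeds payload */
    if (txt_len >= out_cap) return -1;        /* no room for text plus NUL */
    memcpy(out, sample + 2, txt_len);
    out[txt_len] = '\0';
    /* Only inspect the BOM bytes once we know at least two bytes were copied. */
    *is_utf16 = (txt_len >= 2 && sample[2] == 0xFE && sample[3] == 0xFF);
    return (int)txt_len;
}

int main(void)
{
    char buf[TTXT_BUF_SIZE];
    int utf16 = 0, n;
    /* Constructed sample: length 4, UTF-16 BE BOM followed by one code unit. */
    const uint8_t ok[] = {0x00, 0x04, 0xFE, 0xFF, 0x00, 'A'};
    /* Constructed sample whose length field (0xFFFF) far exceeds its payload. */
    const uint8_t bad[] = {0xFF, 0xFF, 0xFE, 0xFF};
    n = dump_ttxt_sample_checked(ok, sizeof ok, buf, sizeof buf, &utf16);
    printf("ok:  %d bytes (utf16=%d)\n", n, utf16);
    n = dump_ttxt_sample_checked(bad, sizeof bad, buf, sizeof buf, &utf16);
    printf("bad: %d (rejected before memcpy)\n", n);
    return 0;
}
```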

Added: Jan 15, 2026, 6:20 PM
Updated: Jan 15, 2026, 7:26 PM

Vulnerability Rating

Custom Algorithm
spread: 2.4
impact: 2.5
exploitability: 6.0
remediation: 0.0
relevance: 2.1
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.