GPAC
cpe:2.3:a:gpac:gpac:*:*:*:*:*:*:*
- 2.4.0
A stack-based buffer overflow vulnerability has been identified in GPAC version 2.4.0 within the PCM reframer filter. It allows an attacker to cause a denial-of-service condition by getting the application to process a crafted WAV file with a large channel count, which triggers an out-of-bounds write on the stack. The issue arises when reverse playback is enabled, as the vulnerable function swaps audio samples in place without validating that a sample frame (channel count times bytes per sample) fits the fixed-size stack buffer it uses for the swap.
Exploitation of this vulnerability leads to a stack-based buffer overflow, causing memory corruption. While this could potentially be exploited, such exploitation was not demonstrated. At a minimum, the vulnerability causes a crash of the application.
The vulnerability can be reproduced by playing a crafted WAV file with 64 channels and a bit depth of 16 bits per sample in a GPAC-based application that supports reverse playback. This can be done using an ASan-enabled build of GPAC, by setting the playback speed to -1 and specifying the 'rfpcm' filter. The crafted WAV file can be generated using a Python script that creates a file with the necessary channel count and bit depth.
To address this vulnerability, the fixed-size stack buffer used for sample swapping should be replaced with a dynamically sized buffer that can accommodate variable sample sizes. Alternatively, the function can be modified to include a check that ensures the number of bytes being copied does not exceed the buffer size.
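As an added illustration of the two remedies described above (this is not GPAC's code; the function names, the frame layout and the 32-byte temporary buffer are hypothetical), a C sketch of an in-place frame reversal that either rejects frames larger than its stack buffer or sizes the buffer dynamically:

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
/* Swap frame i with frame n-1-i for all i; tmp must hold one frame. */
static void swap_frames(uint8_t *data, size_t n, size_t frame, uint8_t *tmp)
{
    for (size_t i = 0; i < n / 2; i++) {
        uint8_t *a = data + i * frame;
        uint8_t *b = data + (n - 1 - i) * frame;
        memcpy(tmp, a, frame);
        memcpy(a, b, frame);
        memcpy(b, tmp, frame);
    }
}
/* Fix 1: keep the stack buffer but refuse frames that do not fit.
 * Returns 0 on success, -1 on an oversized or empty frame. */
static int reverse_pcm_frames(uint8_t *data, size_t len,
                              uint32_t channels, uint32_t bits_per_sample)
{
    size_t frame = (size_t)channels * (bits_per_sample / 8);
    uint8_t tmp[32];   /* hypothetical fixed size; 64 ch x 16 bit = 128 bytes */
    if (frame == 0 || frame > sizeof(tmp))
        return -1;     /* the bound check the advisory calls for */
    swap_frames(data, len / frame, frame, tmp);
    return 0;
}
/* Fix 2: size the temporary buffer dynamically for any frame size. */
static int reverse_pcm_frames_dyn(uint8_t *data, size_t len,
                                  uint32_t channels, uint32_t bits_per_sample)
{
    size_t frame = (size_t)channels * (bits_per_sample / 8);
    if (frame == 0) return -1;
    uint8_t *tmp = malloc(frame);
    if (!tmp) return -1;
    swap_frames(data, len / frame, frame, tmp);
    free(tmp);
    return 0;
}
/* Self-check on constructed input: 3 frames of 2 ch x 16 bit, then two
 * 64-channel 16-bit frames that the stack version must reject. */
static int self_check(void)
{
    uint8_t pcm[12] = {1,2,3,4, 5,6,7,8, 9,10,11,12};
    uint8_t big[256] = {0};
    if (reverse_pcm_frames(pcm, sizeof pcm, 2, 16) != 0) return 0;
    if (pcm[0] != 9 || pcm[4] != 5 || pcm[8] != 1) return 0;
    if (reverse_pcm_frames(big, sizeof big, 64, 16) != -1) return 0;
    return reverse_pcm_frames_dyn(big, sizeof big, 64, 16) == 0;
}
```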