GPAC Out-of-Bounds Write Vulnerability in SRT Subtitle Import

Vulnerability

An out-of-bounds write vulnerability has been identified in GPAC versions through 2.4.0. The issue is in the SRT Subtitle Import component, specifically within the function 'gf_text_import_srt_bifs' in 'src/scene_manager/text_to_bifs.c'. It is triggered when the software processes SRT subtitles that contain non-UTF-8 bytes, and it can be exploited locally. The problem has been publicly disclosed and is associated with a patch that addresses the issue.

Impact

Exploitation of this vulnerability leads to a stack-based buffer overflow, which can commonly result in arbitrary code execution or a crash.

Reproduction

The vulnerability can be reproduced by importing SRT subtitles with high-bit byte characters into GPAC version 2.4.0 using the MP4Box command-line tool. The 'gf_text_import_srt_bifs' function will process the subtitles and convert them into a UTF-8-like format. However, the function writes the data into a fixed-size stack buffer without proper bounds checking. This flaw allows the crafted input to exceed the buffer limit, causing an out-of-bounds write. The issue can be verified by compiling GPAC with AddressSanitizer enabled, which will report the out-of-bounds access when the vulnerable SRT file is imported.
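The class of bug described above, shown from the fix side as an added example (this is not GPAC's code and not the upstream patch): a conversion loop that expands high-bit bytes must check the destination size on every write, because the output can be up to twice the input length. The function name, the buffer sizes and the Latin-1 interpretation of high-bit bytes are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not GPAC code). Copies one subtitle line into dst,
 * expanding every high-bit byte into a two-byte UTF-8 sequence as if the
 * input were Latin-1 (an assumption about the "UTF-8-like" conversion).
 * Returns the number of bytes written, excluding the NUL, or -1 when dst
 * cannot hold the expanded line. */
static long expand_to_utf8(const unsigned char *src, size_t src_len,
                           char *dst, size_t dst_cap)
{
    size_t j = 0;
    if (dst_cap == 0)
        return -1;
    for (size_t i = 0; i < src_len; i++) {
        unsigned char c = src[i];
        size_t need = (c & 0x80) ? 2 : 1;
        /* Bounds check an unchecked copy loop lacks: room for this
         * character plus the terminating NUL. j <= dst_cap - 1 always
         * holds, so the subtraction cannot wrap. */
        if (need > dst_cap - 1 - j) {
            dst[0] = '\0';   /* fail closed: never hand back a partial line */
            return -1;
        }
        if (c & 0x80) {
            dst[j++] = (char)(0xC0 | (c >> 6));
            dst[j++] = (char)(0x80 | (c & 0x3F));
        } else {
            dst[j++] = (char)c;
        }
    }
    dst[j] = '\0';
    return (long)j;
}

int main(void)
{
    /* Constructed input: 6 high-bit bytes expand to 12 output bytes. */
    unsigned char line[6];
    char small[8], sized[2 * sizeof line + 1];
    memset(line, 0xE9, sizeof line);
    printf("8-byte buffer:  %ld\n", expand_to_utf8(line, sizeof line, small, sizeof small));
    printf("2n+1 buffer:    %ld\n", expand_to_utf8(line, sizeof line, sized, sizeof sized));
    return 0;
}
```

A destination that is merely as large as the input line is rejected here; only a buffer sized for the worst-case expansion (2n + 1) accepts an all-high-bit line.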

Remediation

Users are advised to update to GPAC version 2.4.1 or later, where this vulnerability has been fixed.

Added: Jan 26, 2026, 4:20 AM
Updated: Jan 26, 2026, 4:20 AM

Vulnerability Rating

Custom Algorithm
spread: 2.4
impact: 10.0
exploitability: 4.6
remediation: 7.7
relevance: 2.4
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.