GPAC MP4Box Out-of-Bounds Read and Write Vulnerability in elng Box Handling

Vulnerability

A heap out-of-bounds read and write vulnerability has been identified in GPAC versions prior to 26.03-DEV-rev105-g8f39a1eb3-master. The issue arises in the MP4Box component, specifically within the 'elng_box_read' function of 'src/isomedia/box_code_base.c'. This vulnerability is triggered by an integer truncation error when the 'elng' box's payload size, stored as a 64-bit value, is incorrectly cast to a 32-bit integer for memory allocation. As a result, the function can read and potentially write data approximately 4 GB beyond the allocated buffer, leading to memory corruption.
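The truncation pattern described above, shown beside a checked alternative. This is an added illustration, not GPAC's code: the function names, the `DEMO_MAX_LANG` cap and the sample size value are assumptions made for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define DEMO_MAX_LANG 256u  /* assumed cap for a language-tag payload */

/* Flawed pattern: the 64-bit payload size is narrowed before allocating. */
uint32_t alloc_len_truncated(uint64_t payload_size)
{
    return (uint32_t)payload_size;          /* keeps only the low 32 bits */
}

/* Bytes a later 64-bit-sized access would reach past that allocation. */
uint64_t overrun_bytes(uint64_t payload_size)
{
    return payload_size - alloc_len_truncated(payload_size);
}

/* Hardened pattern: validate the full 64-bit size, then allocate.
 * Returns a NUL-terminated copy, or NULL if the size is rejected. */
char *read_lang_checked(const uint8_t *src, size_t avail, uint64_t payload_size)
{
    if (payload_size > DEMO_MAX_LANG || payload_size > avail)
        return NULL;                        /* oversized or beyond input */
    char *out = malloc((size_t)payload_size + 1);
    if (!out)
        return NULL;
    memcpy(out, src, (size_t)payload_size);
    out[payload_size] = '\0';
    return out;
}

int main(void)
{
    uint64_t declared = 0x100000010ULL;     /* constructed: 4 GiB + 16 */
    const uint8_t tag[] = { 'e', 'n', '-', 'U', 'S' };

    printf("truncated alloc: %u bytes, overrun: %llu bytes\n",
           (unsigned)alloc_len_truncated(declared),
           (unsigned long long)overrun_bytes(declared));
    char *bad = read_lang_checked(tag, sizeof tag, declared);
    printf("checked, oversized: %s\n", bad ? "accepted" : "rejected");
    char *ok = read_lang_checked(tag, sizeof tag, sizeof tag);
    printf("checked, valid: %s\n", ok ? ok : "rejected");
    free(bad);
    free(ok);
    return 0;
}
```

The 4 GiB gap between the declared size and the truncated allocation corresponds to the "approximately 4 GB" overrun noted above.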

Impact

Exploitation of this vulnerability causes a segmentation fault due to a read access violation, crashing the application. However, if the out-of-bounds write is reached, it could corrupt heap metadata, potentially allowing for further exploitation.

Reproduction

The vulnerability can be reproduced by crafting an MP4 file that includes an 'elng' box with a large payload size that exceeds the 32-bit limit. This can be done using a Python script that writes the necessary box data into a sparse file, which tricks the GPAC parser into bypassing its size checks. Once the file is created, it can be processed with the GPAC MP4Box tool, which will trigger the vulnerability and cause the application to crash.

Remediation

Users are advised to upgrade to GPAC version 26.03-DEV or later. The specific patch for this vulnerability is included in the latest release.

Added: Apr 27, 2026, 4:25 PM
Updated: Apr 27, 2026, 4:25 PM

Vulnerability Rating

Custom Algorithm
spread: 2.4
impact: 1.9
exploitability: 4.2
remediation: 7.7
relevance: 6.8
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.