Heap-based Buffer Overflow Affecting gpac4ios package, versions >=0.0.0

GPAC4iOS is a GPAC4iOS is the libgpac library packaged for iOS as a Pod. It is preconfigured and tested to do a single task: create a MP4 file from a raw H.264 and an audio track.

Affected versions of this package are vulnerable to Heap-based Buffer Overflow. The csgp_box_read function is used to parse an atom that uses the csgp FOURCC code. This parser starts out by reading an 8-bit integer, followed by a 24-bit integer at line 68 which contains flags describing the sizes of certain fields within the atom. At line 69, the function will use the get_size_by_code implementation in order to determine how many bits are used for a dependant field. Depending on the bits that are set within the flags, an integer may use 4, 8, 16, or 32-bits for its value. At line 70, the number of bits described by the pattern_size variable is used to read a length from an individual pattern within the atom. If the pattern_size field has all of its bits set, this will result in the length being stored with 32-bits. After reading the length, at line 71, the function will use the product of the length and the size of the u32 type in order to perform an allocation. If the size of the length field is 32-bits, then its product will result in more than 32-bits causing an integer overflow. Due to this integer-overflow, this allocation can be made to be smaller than required by the parser. After reading each individual pattern, the function will iterate through each pattern again in order to load the indices that were specified by the length. At line 72 the inner-most loop will read an integer of index_size bits, and then store them into the array that was allocated for each index. Due to the integer-overflow, this array will be undersized and thus this loop will write outside of its bounds resulting in a heap-based buffer overflow.

• Talos Vulnerability Report