huntr report 35793610-DCCC-46C8-9F55-6A24C621E4EF by qianshuidewajueji
History: Feb 09, 2023 - 2:33 p.m.

heap-buffer-overflow in function gf_m2ts_process_tdt_tot media_tools/mpegts.c

2023-02-09 14:33:00
qianshuidewajueji
www.huntr.dev
10
addresssanitizer
gpac version 2.3-dev
mpegts codec

EPSS score: 0.001 (Low); percentile: 23.7%

Version

./MP4Box -version
MP4Box - GPAC version 2.3-DEV-rev40-g3602a5ded-master
(c) 2000-2023 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io

Please cite our work in your research:
        GPAC Filters: https://doi.org/10.1145/3339825.3394929
        GPAC: https://doi.org/10.1145/1291233.1291452

GPAC Configuration: --enable-sanitizer --verbose
Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SSL GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_PNG GPAC_HAS_LINUX_DVB  GPAC_DISABLE_3D

Reproduce

./configure --enable-sanitizer --enable-debug
make
./MP4Box -info gf_m2ts_process_tdt_tot

Git log

commit 3602a5ded4e57b0044a949f985ee3792f94a9a36 (HEAD -> master, origin/master, origin/HEAD)
Author: Aurelien David <aurelien.david@telecom-paristech.fr>
Date:   Thu Feb 9 11:24:23 2023 +0100

    mp3dmx: check truncated frames (#2391)

commit ea7395f39f601a7750d48d606e9d10ea0b7beefe
Author: Aurelien David <aurelien.david@telecom-paristech.fr>
Date:   Wed Feb 8 16:52:00 2023 +0100

    sgpd box entry: disallow null grouping_type (#2389)

Proof of Concept

./MP4Box -info gf_m2ts_process_tdt_tot

=================================================================
==24800==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000001b51 at pc 0x7fa11638a599 bp 0x7fff33c01ff0 sp 0x7fff33c01fe0
READ of size 1 at 0x602000001b51 thread T0
    #0 0x7fa11638a598 in gf_m2ts_process_tdt_tot media_tools/mpegts.c:952
    #1 0x7fa11638a598 in gf_m2ts_process_tdt_tot media_tools/mpegts.c:905
    #2 0x7fa11638b936 in gf_m2ts_section_complete media_tools/mpegts.c:623
    #3 0x7fa11638d619 in gf_m2ts_gather_section media_tools/mpegts.c:760
    #4 0x7fa116395c12 in gf_m2ts_process_packet media_tools/mpegts.c:2591
    #5 0x7fa1163982b9 in gf_m2ts_process_data media_tools/mpegts.c:2817
    #6 0x7fa1163a25c5 in gf_m2ts_probe_buffer media_tools/mpegts.c:3201
    #7 0x7fa116aa5fa4 in m2tsdmx_probe_data filters/dmx_m2ts.c:1438
    #8 0x7fa11696b778 in gf_filter_pid_raw_new filter_core/filter.c:4210
    #9 0x7fa116b3a2db in filein_process filters/in_file.c:492
    #10 0x7fa1169730ed in gf_filter_process_task filter_core/filter.c:2828
    #11 0x7fa116935082 in gf_fs_thread_proc filter_core/filter_session.c:1859
    #12 0x7fa116941856 in gf_fs_run filter_core/filter_session.c:2120
    #13 0x7fa11637f806 in gf_media_import media_tools/media_import.c:1228
    #14 0x562a5a4743b1 in convert_file_info /home/qianshuidewajueji/gpac/applications/mp4box/fileimport.c:130
    #15 0x562a5a443db5 in mp4box_main /home/qianshuidewajueji/gpac/applications/mp4box/mp4box.c:6302
    #16 0x7fa113617082 in __libc_start_main ../csu/libc-start.c:308
    #17 0x562a5a417cfd in _start (/home/qianshuidewajueji/gpac/bin/gcc/MP4Box+0xa3cfd)

0x602000001b51 is located 0 bytes to the right of 1-byte region [0x602000001b50,0x602000001b51)
allocated by thread T0 here:
    #0 0x7fa1194ae808 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:144
    #1 0x7fa11638b5e9 in gf_m2ts_section_complete media_tools/mpegts.c:566
    #2 0x7fa11638d619 in gf_m2ts_gather_section media_tools/mpegts.c:760
    #3 0x7fa116395c12 in gf_m2ts_process_packet media_tools/mpegts.c:2591
    #4 0x7fa1163982b9 in gf_m2ts_process_data media_tools/mpegts.c:2817
    #5 0x7fa1163a25c5 in gf_m2ts_probe_buffer media_tools/mpegts.c:3201
    #6 0x7fa116aa5fa4 in m2tsdmx_probe_data filters/dmx_m2ts.c:1438
    #7 0x7fa11696b778 in gf_filter_pid_raw_new filter_core/filter.c:4210
    #8 0x7fa116b3a2db in filein_process filters/in_file.c:492
    #9 0x7fa1169730ed in gf_filter_process_task filter_core/filter.c:2828
    #10 0x7fa116935082 in gf_fs_thread_proc filter_core/filter_session.c:1859
    #11 0x7fa116941856 in gf_fs_run filter_core/filter_session.c:2120
    #12 0x7fa11637f806 in gf_media_import media_tools/media_import.c:1228
    #13 0x562a5a4743b1 in convert_file_info /home/qianshuidewajueji/gpac/applications/mp4box/fileimport.c:130
    #14 0x562a5a443db5 in mp4box_main /home/qianshuidewajueji/gpac/applications/mp4box/mp4box.c:6302
    #15 0x7fa113617082 in __libc_start_main ../csu/libc-start.c:308

SUMMARY: AddressSanitizer: heap-buffer-overflow media_tools/mpegts.c:952 in gf_m2ts_process_tdt_tot
Shadow bytes around the buggy address:
  0x0c047fff8310: fa fa 00 00 fa fa 04 fa fa fa 04 fa fa fa 04 fa
  0x0c047fff8320: fa fa 06 fa fa fa 00 00 fa fa 00 00 fa fa 00 00
  0x0c047fff8330: fa fa 00 00 fa fa 00 00 fa fa fd fa fa fa 00 00
  0x0c047fff8340: fa fa 00 00 fa fa 04 fa fa fa 04 fa fa fa 04 fa
  0x0c047fff8350: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 03 fa
=>0x0c047fff8360: fa fa 00 00 fa fa 00 00 fa fa[01]fa fa fa 00 fa
  0x0c047fff8370: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8380: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8390: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff83a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff83b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==24800==ABORTING

