huntr report ABB450FB-4AB2-49B0-90DA-3D878EEA5397
Reported by functionmain on www.huntr.dev, Sep 04, 2023 - 11:24 a.m.

Out of Bounds Read in scene_manager/loader_bt.c:478

Tags: mp4box, out of bounds read, crashes, bugbounty, asan, scene_manager/loader_bt.c, poc_crash000362

EPSS: 0.0004 (Low), percentile 12.7%

Description

Out of bounds read in MP4Box's BT/X3D (WRL) scene loader, scene_manager/loader_bt.c:478, triggered by a crafted input file when run through the DASH pipeline (MP4Box -dash). A sanitizer build reports an access to index 500 of a 500-element char array, i.e. one element past the end of the buffer.

Version

$ ./bin/gcc/MP4Box -version
MP4Box - GPAC version 2.3-DEV-revrelease
(c) 2000-2023 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io

Please cite our work in your research:
	GPAC Filters: https://doi.org/10.1145/3339825.3394929
	GPAC: https://doi.org/10.1145/1291233.1291452

GPAC Configuration: --enable-sanitizer
Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SSL GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_LINUX_DVB  GPAC_DISABLE_3D

Reproduce

Compile GPAC with the sanitizers enabled, then run the proof of concept below against the sanitizer build.

./configure --enable-sanitizer
make

Proof of Concept

./bin/gcc/MP4Box -dash 1000 -out /dev/null ./crash000362

POC_crash000362 is here.

ASAN

Information reported by the sanitizer build. Note that the last line uses the "runtime error: index N out of bounds for type 'char [M]'" format of UndefinedBehaviorSanitizer's array-bounds check rather than an AddressSanitizer stack trace: the faulting access is at column 21 of line 478 and indexes element 500 of a 500-byte char array, one past its end.

$ ./bin/gcc/MP4Box -dash 1000 ./crash000362
[Dasher] No template assigned, using $File$_dash$FS$$Number$
[Dasher] No template assigned, using $File$_dash$FS$$Number$
Failed to connect filter btplay PID crash000362 to filter dasher: Feature Not Supported
Blacklisting dasher as output from btplay and retrying connections
BT: X3D (WRL) Scene Parsing      | (70/100)
scene_manager/loader_bt.c:478:21: runtime error: index 500 out of bounds for type 'char [500]'
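To make the sanitizer line above concrete, here is an added illustration (not code from GPAC's loader_bt.c, nor from this report) of the access pattern that produces an "index 500 out of bounds for type 'char [500]'" diagnostic, together with a bounded version of the same loop. The tokenizer, the function names and the 500-byte buffer size are assumptions chosen to match the message; the token parsing shown here does not claim to mirror how the BT parser actually fills its buffer. The unchecked variant is kept for reference only and is never run on an over-long token, since doing so is undefined behaviour.

```c
/* Added example (not GPAC code): the off-by-one pattern behind a UBSan
 * "index 500 out of bounds for type 'char [500]'" report, and a bounded
 * version. TOKEN_MAX, the function names and the inputs are assumptions. */
#include <stdio.h>
#include <string.h>

#define TOKEN_MAX 500   /* assumed: matches 'char [500]' in the sanitizer message */

/* Copies one space-delimited token into a fixed local array with no length
 * check. For a token of 500 bytes the loop ends with i == 500 and the NUL
 * store hits tok[500], exactly the index UBSan's bounds check flags.
 * Copies the token to dst only if it fits in dstsz; returns its length. */
static int read_token_unchecked(const char *src, char *dst, size_t dstsz)
{
    char tok[TOKEN_MAX];          /* the array UBSan sees as 'char [500]' */
    int i = 0;
    while (src[i] != '\0' && src[i] != ' ')
    {
        tok[i] = src[i];          /* no bound on i */
        i++;
    }
    tok[i] = '\0';                /* tok[500] when the token is 500 bytes long */
    if ((size_t)i < dstsz)
        memcpy(dst, tok, (size_t)i + 1);
    return i;
}

/* Bounded version: refuses the token before the index can reach
 * TOKEN_MAX - 1 (room is reserved for the terminating NUL).
 * Returns the token length, or -1 when the token does not fit. */
static int read_token_checked(const char *src, char *dst, size_t dstsz)
{
    char tok[TOKEN_MAX];
    int i = 0;
    while (src[i] != '\0' && src[i] != ' ')
    {
        if (i >= TOKEN_MAX - 1)   /* would need tok[499] for data and tok[500] for NUL */
        {
            if (dstsz > 0)
                dst[0] = '\0';
            return -1;
        }
        tok[i] = src[i];
        i++;
    }
    tok[i] = '\0';
    if ((size_t)i < dstsz)
        memcpy(dst, tok, (size_t)i + 1);
    return i;
}

/* Builds a constructed input of n non-space bytes followed by " tail" and
 * runs the bounded tokenizer on it. Returns -2 for an unsupported n. */
static int checked_len_for(int n)
{
    char src[TOKEN_MAX + 16];     /* constructed input, not a real BT file */
    char out[TOKEN_MAX];
    if (n < 0 || n > TOKEN_MAX + 8)
        return -2;
    memset(src, 'A', (size_t)n);
    strcpy(src + n, " tail");     /* delimiter, then more input */
    return read_token_checked(src, out, sizeof out);
}

int main(void)
{
    char out[TOKEN_MAX];
    /* A short token is fine in both variants. */
    printf("short token length: %d (%s)\n",
           read_token_unchecked("Shape {", out, sizeof out), out);
    /* 499 data bytes plus NUL is the largest token that fits in char[500]. */
    printf("499-byte token: %d\n", checked_len_for(499));
    /* A 500-byte token would store the NUL at tok[500]; the bounded
     * version rejects it instead of reading or writing past the array. */
    printf("500-byte token: %d\n", checked_len_for(500));
    return 0;
}
```

Compiling the unchecked variant with -fsanitize=undefined (or -fsanitize=bounds) and feeding it a 500-byte token reproduces the same diagnostic shape as the report, because the local array has a statically known size and UBSan instruments every indexed access to it; the same access through a plain pointer would not be caught by the bounds check, only by AddressSanitizer's redzones.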

Impact

A crafted BT/X3D (WRL) input makes the scene loader access one element past a 500-byte array; under the sanitizer build this aborts MP4Box, so the issue is a remotely triggerable denial of service for any pipeline that feeds untrusted scene files to MP4Box. The report demonstrates a crash only; no further impact is shown.

References

POC_crash000362 is here.
