CVE-2022-43254 - Understanding the GPAC v2.1 Memory Leak in `gf_list_new` (utils/list.c) – Insights and Exploit Walkthrough

In October 2022, security researchers published CVE-2022-43254, an important vulnerability affecting the open-source multimedia framework GPAC, specifically in version v2.1-DEV-rev368-gfd054169b-master. This post will walk you through what this issue is, how it happens in the code (utils/list.c), show example code, demonstrate how it can be triggered, and provide links to the original sources. The goal is to keep the language clear and practical, empowering newcomers and professionals alike to understand and identify similar memory bugs.

What is GPAC and Why Does This Matter?

GPAC is an open-source multimedia framework used for complex media handling like packaging, streaming, and playback. Movie streaming apps, video players, and media servers sometimes use such libraries under the hood. A memory leak in such software could be exploited by attackers to create Denial-of-Service (DoS) conditions, or to slowly eat up system resources, degrading server or client performance.

Vulnerable function: gf_list_new

- Location: utils/list.c
- Weakness: Memory leak — the program allocates memory which is never freed under certain code paths

Impact: Possible application slowdown, crash (DoS), or resource leakage

Official vulnerability page:  
CVE-2022-43254 on the National Vulnerability Database (NVD)


## Understanding the Code: gf_list_new Function in utils/list.c

The vulnerable function gf_list_new is supposed to create a new “list” data structure. Let's review a simplified version of the code, illustrating the intended memory allocation.

Vulnerable C code snippet (simplified)

// gpac/src/utils/list.c

GF_List* gf_list_new()
{
    GF_List *list = (GF_List*) gf_malloc(sizeof(GF_List));
    
    if (!list) return NULL; // correct, checks if allocation failed

    list->max_size = ;
    list->size = ;
    list->array = NULL;

    // second allocation
    list->array = (void **)gf_malloc(sizeof(void *) * GF_LIST_INITIAL_SIZE);
    if (!list->array) {
        // <-- PROBLEM: 'list' memory gets leaked if 'array' allocation fails!
        return NULL;
    }
    // ...initialize...
    return list;
}

In plain English:

Then it allocates memory for an internal array.

3. If the second allocation fails, the function returns NULL but does not free the memory already allocated for the struct.

Thus, every time gf_list_new() is called and the second memory allocation fails, there’s a memory leak.

Call gf_list_new() in a loop or from user input.

2. Set system memory low, or use crafted input, forcing the second memory allocation to fail (gf_malloc returns NULL).

Exploit Example: Simulating the Memory Leak

Below is a test harness in C. It intentionally makes the gf_malloc for the internal array fail, so you can observe the leak in action. For demonstration, we'll stub gf_malloc to simulate failure.

#include <stdio.h>
#include <stdlib.h>

#define GF_LIST_INITIAL_SIZE 128

typedef struct {
    int max_size;
    int size;
    void **array;
} GF_List;

// Simulate gpac's gf_malloc
void* gf_malloc(size_t size) {
    static int call_count = ;
    call_count++;
    // First call: succeed, second call: fail
    if (call_count == 2) return NULL;
    return malloc(size);
}

// Vulnerable function
GF_List* gf_list_new()
{
    GF_List *list = (GF_List*) gf_malloc(sizeof(GF_List));
    if (!list) return NULL;

    list->max_size = ;
    list->size = ;
    list->array = NULL;

    list->array = (void **)gf_malloc(sizeof(void *) * GF_LIST_INITIAL_SIZE);
    if (!list->array) {
        // <-- Leaks memory here: should free(list), but doesn't.
        return NULL;
    }
    return list;
}

int main() {
    GF_List *mylist = gf_list_new();
    if (mylist == NULL) {
        printf("Failed to allocate list, but also leaked memory!\n");
    } else {
        printf("List allocated successfully\n");
    }
    // Use a tool like valgrind to see the leak!
    return ;
}

Try this sample with tools like Valgrind

valgrind --leak-check=full ./a.out

Expected output

==...== 12 bytes in 1 blocks are definitely lost in loss record 1 of 1

Original References and Further Reading

- CVE-2022-43254 (NVD)
- GitHub commit fixing this bug

(See the patch where free(list) is added if the second allocation fails)

- GPAC Project on GitHub
- GPAC Official Site
- Memory leaks explained (American fuzzy lop blog)

What’s the Attack Scenario? How Serious Is This?

If an attacker or bad input can trigger the function with forced memory allocation failures (e.g., by opening very large crafted multimedia files or by repeatedly requesting lists under low-memory conditions), they could eventually cause the GPAC-using program to run out of memory and crash. While this is not direct code execution, on server or long-running media-processing software, this can represent a serious Denial-of-Service risk.

How Was It Fixed?

The fix is simple: Make sure to free the first allocated chunk (list) if the second allocation fails!

Fixed code

list->array = (void **)gf_malloc(sizeof(void *) * GF_LIST_INITIAL_SIZE);
if (!list->array) {
    gf_free(list);   // <--- This line fixes the leak!
    return NULL;
}

Conclusion & Takeaways

CVE-2022-43254 is a classic reminder of why it's critical to handle all error paths, especially after partially completed memory allocations in C. A small oversight can lead to leaks, and in long-running services or repeated tasks, this becomes significant.

Stay safe, and happy coding!

*This post is original content, crafted to explain CVE-2022-43254 and its root cause in accessible, American English. For more details, check the links above or contact the maintainers of the GPAC project.*

Timeline

Published on: 11/02/2022 14:15:00 UTC
Last modified on: 05/05/2023 20:03:00 UTC