Description
Description - we observed a NULL pointer dereference occurred in AP4_Track::GetSampleIndexForTimeStampMs() located in Ap4Track.cpp. The same can be triggered by sending a crafted file to the mp4audioclip binary. It allows an attacker to cause Denial of Service (Segmentation fault) or possibly have unspecified other impact.
Command - ./mp4audioclip --start 0 --duration 100 $POC OUTPUTFILE
POC - REPRODUCER
Debug -
GDB -
0x00000000004585cb in AP4_Track::GetSampleIndexForTimeStampMs (this=0x6040000001d0, ts_ms=0x0, index=@0x7fffffffdb10: 0x0) at /home/ace/Downloads/sources/Bento4/Source/C++/Core/Ap4Track.cpp:485
485 return m_SampleTable->GetSampleIndexForTimeStamp(ts, index);
[ Legend: Modified register | Code | Heap | Stack | String ]
──────────────────────────────[ registers ]────
$rax : 0x0
$rbx : 0x7fffffffdd70 → 0x0000000000000000
$rcx : 0x0
$rdx : 0x0
$rsp : 0x7fffffffd9d0 → 0x00007fffffffda00 → 0x00007fffffffdda0 → 0x0000000000578490 → <__libc_csu_init+0> push r15
$rbp : 0x7fffffffda00 → 0x00007fffffffdda0 → 0x0000000000578490 → <__libc_csu_init+0> push r15
$rsi : 0x0
$rdi : 0x0
$rip : 0x4585cb → <AP4_Track::GetSampleIndexForTimeStampMs(unsigned+0> mov rax, QWORD PTR [rax]
$r8 : 0x0
$r9 : 0x0
$r10 : 0x60b0000000e0 → 0x14ffffff00000002
$r11 : 0x7fffffffd1d8 → 0x000060c000000090 → 0x00000000005caca0 → 0x00000000004809d6 → <AP4_List<AP4_TrakAtom>::~AP4_List()+0> push rbp
$r12 : 0xffffffffb56 → 0x0000000000000000
$r13 : 0x7fffffffdab0 → 0x0000000041b58ab3
$r14 : 0x60b0000000f0 → 0x00000000005ecdb0 → 0x000000000048acd4 → <AP4_SyntheticSampleTable::~AP4_SyntheticSampleTable()+0> push rbp
$r15 : 0x0
$eflags: [carry PARITY adjust ZERO sign trap INTERRUPT direction overflow RESUME virtualx86 identification]
$ss: 0x002b $fs: 0x0000 $es: 0x0000 $ds: 0x0000 $gs: 0x0000 $cs: 0x0033
──────────────────────────────[ stack ]────
0x00007fffffffd9d0│+0x00: 0x00007fffffffda00 → 0x00007fffffffdda0 → 0x0000000000578490 → <__libc_csu_init+0> push r15 ← $rsp
0x00007fffffffd9d8│+0x08: 0x00007fffffffdb10 → 0x00007fff00000000
0x00007fffffffd9e0│+0x10: 0x000000000000bb80
0x00007fffffffd9e8│+0x18: 0x00006040000001d0 → 0x0000000000596420 → 0x000000000045725e → <AP4_Track::~AP4_Track()+0> push rbp
0x00007fffffffd9f0│+0x20: 0x0000000a00000000 → 0x0000000000000000
0x00007fffffffd9f8│+0x28: 0x0000000000000000
0x00007fffffffda00│+0x30: 0x00007fffffffdda0 → 0x0000000000578490 → <__libc_csu_init+0> push r15 ← $rbp
0x00007fffffffda08│+0x38: 0x0000000000451b68 → <main+1950> test eax, eax
──────────────────────────────[ code:i386:x86-64 ]────
0x4585c0 <AP4_Track::GetSampleIndexForTimeStampMs(unsigned+0> div BYTE PTR [rax+rcx*1+0x48]
0x4585c4 <AP4_Track::GetSampleIndexForTimeStampMs(unsigned+0> mov edi, edx
0x4585c6 <AP4_Track::GetSampleIndexForTimeStampMs(unsigned+0> call 0x451140 <__asan_report_load8@plt>
→ 0x4585cb <AP4_Track::GetSampleIndexForTimeStampMs(unsigned+0> mov rax, QWORD PTR [rax]
0x4585ce <AP4_Track::GetSampleIndexForTimeStampMs(unsigned+0> add rax, 0x40
0x4585d2 <AP4_Track::GetSampleIndexForTimeStampMs(unsigned+0> mov rdx, rax
0x4585d5 <AP4_Track::GetSampleIndexForTimeStampMs(unsigned+0> mov rsi, rdx
0x4585d8 <AP4_Track::GetSampleIndexForTimeStampMs(unsigned+0> shr rsi, 0x3
0x4585dc <AP4_Track::GetSampleIndexForTimeStampMs(unsigned+0> add rsi, 0x7fff8000
──────────────────────────────[ source:/home/ace/Downloads/sources/Bento4/Source/C++/Core/Ap4Track.cpp+485 ]────
480 AP4_Track::GetSampleIndexForTimeStampMs(AP4_UI32 ts_ms, AP4_Ordinal& index)
481 {
482 // convert the ts in the timescale of the track's media
483 AP4_UI64 ts = AP4_ConvertTime(ts_ms, 1000, GetMediaTimeScale());
484
→ 485 return m_SampleTable->GetSampleIndexForTimeStamp(ts, index);
486 }
487
488 /*----------------------------------------------------------------------
489 | AP4_Track::GetNearestSyncSampleIndex
490 +---------------------------------------------------------------------*/
──────────────────────────────[ threads ]────
[#0] Id 1, Name: "mp4audioclip", stopped, reason: SIGSEGV
──────────────────────────────[ trace ]────
[#0] 0x4585cb → Name: AP4_Track::GetSampleIndexForTimeStampMs(this=0x6040000001d0, ts_ms=0x0, index=@0x7fffffffdb10)
[#1] 0x451b68 → Name: main(argc=0x7, argv=0x7fffffffdec0)
gef➤ p ts
$4 = 0x0
gef➤ p index
$5 = (AP4_Ordinal &) @0x7fffffffdb10: 0x0
gef➤ p m_SampleTable
$6 = (AP4_SampleTable *) 0x0
gef➤ p m_SampleTable->GetSampleIndexForTimeStamp(ts, index)
Cannot access memory at address 0x0
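As an added illustration that is not part of this issue or of Bento4's own code, a stand-alone C++ model of the dereference at Ap4Track.cpp:485 (m_SampleTable is NULL, as the gdb session shows) beside a guarded version that returns an error code instead; the SampleTable, ConvertTime, error constants, timescale and sample values are all constructed for this example.

```cpp
// Added example, not Bento4 code: a stand-alone model of the crash at Ap4Track.cpp:485
// (m_SampleTable == NULL dereferenced) beside a guard that returns an error instead.
#include <cstddef>
#include <cstdint>

typedef int Result; // stands in for AP4_Result; the codes below are local stand-ins
const Result SUCCESS = 0, ERROR_INVALID_STATE = -1, ERROR_OUT_OF_RANGE = -2;

// Minimal stand-in for AP4_SampleTable: fixed-duration samples in media timescale units
struct SampleTable {
    uint64_t sample_duration;
    uint32_t sample_count;
    Result GetSampleIndexForTimeStamp(uint64_t ts, uint32_t& index) const {
        uint64_t i = ts / sample_duration;
        if (i >= sample_count) return ERROR_OUT_OF_RANGE;
        index = (uint32_t)i;
        return SUCCESS;
    }
};

// Same rescaling as the AP4_ConvertTime(ts_ms, 1000, GetMediaTimeScale()) call in the trace
static uint64_t ConvertTime(uint64_t t, uint32_t from_scale, uint32_t to_scale) {
    return from_scale ? (t * to_scale) / from_scale : 0;
}

struct Track {
    const SampleTable* m_SampleTable; // NULL for the crafted input in the report
    uint32_t m_MediaTimeScale;
    // Shape of the crashing function: m_SampleTable is dereferenced unconditionally
    Result GetSampleIndexForTimeStampMs_Unchecked(uint32_t ts_ms, uint32_t& index) const {
        uint64_t ts = ConvertTime(ts_ms, 1000, m_MediaTimeScale);
        return m_SampleTable->GetSampleIndexForTimeStamp(ts, index); // SIGSEGV when NULL
    }
    // Guarded version: a track without a sample table reports an error instead of crashing
    Result GetSampleIndexForTimeStampMs(uint32_t ts_ms, uint32_t& index) const {
        if (m_SampleTable == NULL) return ERROR_INVALID_STATE;
        return GetSampleIndexForTimeStampMs_Unchecked(ts_ms, index);
    }
};

// The report's scenario (m_SampleTable == NULL, ts_ms == 0) taken through the guarded path
Result LookupOnTrackWithoutSampleTable() {
    uint32_t index = 0;
    Track t = { NULL, 44100 };
    return t.GetSampleIndexForTimeStampMs(0, index);
}
// Index for ts_ms on a constructed valid track (100 samples of 1024 ticks at 44100 Hz), or -1
int SampleIndexForMs(uint32_t ts_ms) {
    static const SampleTable table = { 1024, 100 };
    Track t = { &table, 44100 }; uint32_t index = 0;
    return t.GetSampleIndexForTimeStampMs(ts_ms, index) == SUCCESS ? (int)index : -1;
}
```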