
NULL POINTER DEREFERENCE in AP4_Track::GetSampleIndexForTimeStampMs() #366

@SegfaultMasters

Description - we observed that a NULL pointer dereference occurred in AP4_Track::GetSampleIndexForTimeStampMs() located in Ap4Track.cpp. The same can be triggered by sending a crafted file to the mp4audioclip binary. It allows an attacker to cause Denial of Service (Segmentation fault) or possibly have unspecified other impact.

Command - ./mp4audioclip --start 0 --duration 100 $POC OUTPUTFILE

POC - REPRODUCER

Debug -

GDB -

0x00000000004585cb in AP4_Track::GetSampleIndexForTimeStampMs (this=0x6040000001d0, ts_ms=0x0, index=@0x7fffffffdb10: 0x0) at /home/ace/Downloads/sources/Bento4/Source/C++/Core/Ap4Track.cpp:485
485        return m_SampleTable->GetSampleIndexForTimeStamp(ts, index);
[ Legend: Modified register | Code | Heap | Stack | String ]
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────[ registers ]────
$rax   : 0x0               
$rbx   : 0x7fffffffdd70      →  0x0000000000000000
$rcx   : 0x0               
$rdx   : 0x0               
$rsp   : 0x7fffffffd9d0      →  0x00007fffffffda00  →  0x00007fffffffdda0  →  0x0000000000578490  →  <__libc_csu_init+0> push r15
$rbp   : 0x7fffffffda00      →  0x00007fffffffdda0  →  0x0000000000578490  →  <__libc_csu_init+0> push r15
$rsi   : 0x0               
$rdi   : 0x0               
$rip   : 0x4585cb            →  <AP4_Track::GetSampleIndexForTimeStampMs(unsigned+0> mov rax, QWORD PTR [rax]
$r8    : 0x0               
$r9    : 0x0               
$r10   : 0x60b0000000e0      →  0x14ffffff00000002
$r11   : 0x7fffffffd1d8      →  0x000060c000000090  →  0x00000000005caca0  →  0x00000000004809d6  →  <AP4_List<AP4_TrakAtom>::~AP4_List()+0> push rbp
$r12   : 0xffffffffb56       →  0x0000000000000000
$r13   : 0x7fffffffdab0      →  0x0000000041b58ab3
$r14   : 0x60b0000000f0      →  0x00000000005ecdb0  →  0x000000000048acd4  →  <AP4_SyntheticSampleTable::~AP4_SyntheticSampleTable()+0> push rbp
$r15   : 0x0               
$eflags: [carry PARITY adjust ZERO sign trap INTERRUPT direction overflow RESUME virtualx86 identification]
$ss: 0x002b  $fs: 0x0000  $es: 0x0000  $ds: 0x0000  $gs: 0x0000  $cs: 0x0033  
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────[ stack ]────
0x00007fffffffd9d0│+0x00: 0x00007fffffffda00  →  0x00007fffffffdda0  →  0x0000000000578490  →  <__libc_csu_init+0> push r15     ← $rsp
0x00007fffffffd9d8│+0x08: 0x00007fffffffdb10  →  0x00007fff00000000
0x00007fffffffd9e0│+0x10: 0x000000000000bb80
0x00007fffffffd9e8│+0x18: 0x00006040000001d0  →  0x0000000000596420  →  0x000000000045725e  →  <AP4_Track::~AP4_Track()+0> push rbp
0x00007fffffffd9f0│+0x20: 0x0000000a00000000  →  0x0000000000000000
0x00007fffffffd9f8│+0x28: 0x0000000000000000
0x00007fffffffda00│+0x30: 0x00007fffffffdda0  →  0x0000000000578490  →  <__libc_csu_init+0> push r15     ← $rbp
0x00007fffffffda08│+0x38: 0x0000000000451b68  →  <main+1950> test eax, eax
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────[ code:i386:x86-64 ]────
     0x4585c0 <AP4_Track::GetSampleIndexForTimeStampMs(unsigned+0> div    BYTE PTR [rax+rcx*1+0x48]
     0x4585c4 <AP4_Track::GetSampleIndexForTimeStampMs(unsigned+0> mov    edi, edx
     0x4585c6 <AP4_Track::GetSampleIndexForTimeStampMs(unsigned+0> call   0x451140 <__asan_report_load8@plt>
→   0x4585cb <AP4_Track::GetSampleIndexForTimeStampMs(unsigned+0> mov    rax, QWORD PTR [rax]
     0x4585ce <AP4_Track::GetSampleIndexForTimeStampMs(unsigned+0> add    rax, 0x40
     0x4585d2 <AP4_Track::GetSampleIndexForTimeStampMs(unsigned+0> mov    rdx, rax
     0x4585d5 <AP4_Track::GetSampleIndexForTimeStampMs(unsigned+0> mov    rsi, rdx
     0x4585d8 <AP4_Track::GetSampleIndexForTimeStampMs(unsigned+0> shr    rsi, 0x3
     0x4585dc <AP4_Track::GetSampleIndexForTimeStampMs(unsigned+0> add    rsi, 0x7fff8000
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────[ source:/home/ace/Downloads/sources/Bento4/Source/C++/Core/Ap4Track.cpp+485 ]────
    480     AP4_Track::GetSampleIndexForTimeStampMs(AP4_UI32 ts_ms, AP4_Ordinal& index)
    481     {
    482         // convert the ts in the timescale of the track's media
    483         AP4_UI64 ts = AP4_ConvertTime(ts_ms, 1000, GetMediaTimeScale());
    484     
→  485         return m_SampleTable->GetSampleIndexForTimeStamp(ts, index);
    486     }
    487     
    488     /*----------------------------------------------------------------------
    489     |   AP4_Track::GetNearestSyncSampleIndex
    490     +---------------------------------------------------------------------*/
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────[ threads ]────
[#0] Id 1, Name: "mp4audioclip", stopped, reason: SIGSEGV
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────[ trace ]────
[#0] 0x4585cb → Name: AP4_Track::GetSampleIndexForTimeStampMs(this=0x6040000001d0, ts_ms=0x0, index=@0x7fffffffdb10)
[#1] 0x451b68 → Name: main(argc=0x7, argv=0x7fffffffdec0)

gef➤  p ts
$4 = 0x0
gef➤  p index
$5 = (AP4_Ordinal &) @0x7fffffffdb10: 0x0
gef➤  p  m_SampleTable
$6 = (AP4_SampleTable *) 0x0
gef➤  p m_SampleTable->GetSampleIndexForTimeStamp(ts, index)
Cannot access memory at address 0x0
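The session above shows m_SampleTable is NULL when line 485 dereferences it unconditionally. As an added illustration that is not Bento4's code, the following self-contained C++ mock (stand-in types, hypothetical error codes, and constructed sample timestamps) reproduces the lookup with the null-table guard the function is missing:

```cpp
#include <cstddef>
#include <cstdint>

// Constructed stand-ins for the Bento4 types seen on this page (not the library's code).
typedef int      AP4_Result;
typedef uint32_t AP4_UI32;
typedef uint64_t AP4_UI64;
typedef uint32_t AP4_Ordinal;
static const AP4_Result AP4_SUCCESS             =  0;
static const AP4_Result AP4_ERROR_INVALID_STATE = -1; // hypothetical code, not Bento4's value
static const AP4_Result AP4_ERROR_OUT_OF_RANGE  = -2; // hypothetical code, not Bento4's value

// 'value' in from_scale ticks, rescaled to to_scale ticks (same idea as AP4_ConvertTime).
static AP4_UI64 ConvertTime(AP4_UI64 value, AP4_UI64 from_scale, AP4_UI64 to_scale) {
    return from_scale == 0 ? 0 : (value * to_scale) / from_scale;
}

// Minimal sample table: m_Dts[i] is the decode timestamp of sample i, ascending.
class SampleTable {
public:
    SampleTable(const AP4_UI64* dts, size_t count) : m_Dts(dts), m_Count(count) {}
    AP4_Result GetSampleIndexForTimeStamp(AP4_UI64 ts, AP4_Ordinal& index) const {
        if (m_Count == 0 || ts < m_Dts[0]) return AP4_ERROR_OUT_OF_RANGE;
        index = 0; // last sample whose dts does not exceed ts
        for (size_t i = 1; i < m_Count && m_Dts[i] <= ts; i++) index = (AP4_Ordinal)i;
        return AP4_SUCCESS;
    }
private:
    const AP4_UI64* m_Dts;
    size_t          m_Count;
};

// A track whose sample table may be absent: a crafted 'trak' without a usable 'stbl'
// leaves the pointer NULL, which is the state the GDB session above shows.
class Track {
public:
    Track(const SampleTable* table, AP4_UI32 timescale) : m_SampleTable(table), m_MediaTimeScale(timescale) {}
    // Hardened form of Ap4Track.cpp line 485: fail cleanly instead of dereferencing NULL.
    AP4_Result GetSampleIndexForTimeStampMs(AP4_UI32 ts_ms, AP4_Ordinal& index) const {
        if (m_SampleTable == NULL) return AP4_ERROR_INVALID_STATE; // the missing guard
        AP4_UI64 ts = ConvertTime(ts_ms, 1000, m_MediaTimeScale);
        return m_SampleTable->GetSampleIndexForTimeStamp(ts, index);
    }
private:
    const SampleTable* m_SampleTable;
    AP4_UI32           m_MediaTimeScale;
};

// Constructed input: four samples at 48 kHz, one every 10 ms (480 ticks apart).
static const AP4_UI64 kDts[] = {0, 480, 960, 1440};
static AP4_Result Lookup(bool with_table, AP4_UI32 ts_ms, AP4_Ordinal& index) {
    static const SampleTable table(kDts, 4);
    Track track(with_table ? &table : NULL, 48000);
    return track.GetSampleIndexForTimeStampMs(ts_ms, index);
}
```

With the guard in place, the crafted-file case returns an error to the mp4audioclip caller instead of faulting in the lookup.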
