
A segmentation fault in gf_isom_hint_rtp_read(), isomedia/hinting.c:682 #1958

Closed
ZFeiXQ opened this issue Dec 10, 2021 · 0 comments

ZFeiXQ commented Dec 10, 2021

Thanks for reporting your issue. Please make sure these boxes are checked before submitting your issue - thank you!

Detailed guidelines: http://gpac.io/2013/07/16/how-to-file-a-bug-properly/

Version:

./MP4Box -version
MP4Box - GPAC version 1.1.0-DEV-rev1527-g6fcf9819e-master
(c) 2000-2021 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
 MINI build (encoders, decoders, audio and video output disabled)

Please cite our work in your research:
 GPAC Filters: https://doi.org/10.1145/3339825.3394929
 GPAC: https://doi.org/10.1145/1291233.1291452

GPAC Configuration: --static-mp4box --prefix=/home/zxq/CVE_testing/sourceproject/gpac/cmakebuild --enable-debug
Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_FREETYPE GPAC_HAS_JPEG GPAC_HAS_PNG  GPAC_DISABLE_3D 

System information
Ubuntu 20.04.1 LTS, gcc version 9.3.0 (Ubuntu 9.3.0-17ubuntu1~20.04)

command:

./bin/gcc/MP4Box -disox -ttxt -2 -dump-chap-ogg -dump-cover -drtp -bt -out /dev/null poc

poc.zip

Result

[9]    3114513 segmentation fault

GDB information

Program received signal SIGSEGV, Segmentation fault.
[----------------------------------registers-----------------------------------]
RAX: 0x0 
RBX: 0x400788 --> 0x0 
RCX: 0xcffd67 (<__libc_write+23>:	cmp    rax,0xfffffffffffff000)
RDX: 0x0 
RSI: 0x0 
RDI: 0x10f4580 --> 0x0 
RBP: 0x7fffffff9340 --> 0x7fffffff9360 --> 0x7fffffff93c0 --> 0x7fffffff9450 --> 0x7fffffff98b0 --> 0x7fffffffe150 (--> ...)
RSP: 0x7fffffff9300 --> 0x10eb8f0 --> 0x0 
RIP: 0x60afe1 (<gf_isom_hint_rtp_read+414>:	mov    rax,QWORD PTR [rax+0x8])
R8 : 0x0 
R9 : 0x0 
R10: 0x0 
R11: 0x246 
R12: 0xd07990 (<__libc_csu_fini>:	endbr64)
R13: 0x0 
R14: 0x10a3018 --> 0xd7e490 (<__memmove_avx_unaligned_erms>:	endbr64)
R15: 0x0
EFLAGS: 0x10246 (carry PARITY adjust ZERO sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x60afd5 <gf_isom_hint_rtp_read+402>:	mov    rdi,rax
   0x60afd8 <gf_isom_hint_rtp_read+405>:	call   0x444624 <gf_list_add>
   0x60afdd <gf_isom_hint_rtp_read+410>:	mov    rax,QWORD PTR [rbp-0x18]
=> 0x60afe1 <gf_isom_hint_rtp_read+414>:	mov    rax,QWORD PTR [rax+0x8]
   0x60afe5 <gf_isom_hint_rtp_read+418>:	add    DWORD PTR [rbp-0x28],eax
   0x60afe8 <gf_isom_hint_rtp_read+421>:	mov    eax,DWORD PTR [rbp-0x28]
   0x60afeb <gf_isom_hint_rtp_read+424>:	cmp    eax,DWORD PTR [rbp-0x20]
   0x60afee <gf_isom_hint_rtp_read+427>:	jb     0x60afa2 <gf_isom_hint_rtp_read+351>
[------------------------------------stack-------------------------------------]
0000| 0x7fffffff9300 --> 0x10eb8f0 --> 0x0 
0008| 0x7fffffff9308 --> 0x10e9510 --> 0xf872747020 
0016| 0x7fffffff9310 --> 0x1000000010050 
0024| 0x7fffffff9318 --> 0x4 
0032| 0x7fffffff9320 --> 0x10001 
0040| 0x7fffffff9328 --> 0x0 
0048| 0x7fffffff9330 --> 0x7fffffff9360 --> 0x7fffffff93c0 --> 0x7fffffff9450 --> 0x7fffffff98b0 --> 0x7fffffffe150 (--> ...)
0056| 0x7fffffff9338 --> 0x5fb0ffd851107300 
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x000000000060afe1 in gf_isom_hint_rtp_read (ptr=0x10e9510, bs=0x10eb8f0) at isomedia/hinting.c:682
682				tempSize += (u32) a->size;
gdb-peda$ bt
#0  0x000000000060afe1 in gf_isom_hint_rtp_read (ptr=0x10e9510, bs=0x10eb8f0) at isomedia/hinting.c:682
#1  0x000000000060a32f in gf_isom_hint_pck_read (ptr=0x10e9510, bs=0x10eb8f0) at isomedia/hinting.c:329
#2  0x0000000000609f4e in gf_isom_hint_sample_read (ptr=0x10efdc0, bs=0x10eb8f0, sampleSize=0x20) at isomedia/hinting.c:212
#3  0x000000000058e156 in gf_isom_dump_hint_sample (the_file=0x10dd6c0, trackNumber=0x2, SampleNum=0xf8, trace=0x10e9f30) at isomedia/box_dump.c:2844
#4  0x0000000000419dc3 in dump_isom_rtp (file=0x10dd6c0, inName=0x7fffffffe602 "/dev/null", is_final_name=GF_TRUE) at filedump.c:860
#5  0x00000000004156b0 in mp4boxMain (argc=0xb, argv=0x7fffffffe2a8) at main.c:6090
#6  0x000000000041719b in main (argc=0xb, argv=0x7fffffffe2a8) at main.c:6496
#7  0x0000000000d07120 in __libc_start_main ()
#8  0x000000000040211e in _start ()
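The register dump above (RAX = 0 at `mov rax, QWORD PTR [rax+0x8]`, faulting on `tempSize += (u32) a->size;`) is a NULL-pointer read of `a->size` inside the size-accumulation loop. The following C program is an added example written for this page; it is not GPAC's code and not the fix in 3dafcb5. It models that loop with a hypothetical `read_box()` that returns NULL for an unrecognised or truncated record, shows the unchecked accumulation beside a guarded version that reports the malformed input instead of dereferencing it, and runs both over constructed two-byte `[type][size]` sample buffers.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

typedef uint32_t u32;

/* Stand-in for a parsed hint sub-box: only the field the crash dereferences. */
typedef struct {
    u32 size;
} Box;

/* Hypothetical sub-reader (not GPAC's). Each record is two bytes, [type][size].
 * Type 0x01 is the only "known" box; any other type, or running off the end of
 * the buffer, makes the reader return NULL, which is the condition the crash
 * depends on. Caller owns the returned box. */
static Box *read_box(const uint8_t *buf, u32 len, u32 *pos)
{
    if (*pos + 2 > len) return NULL;          /* truncated input */
    uint8_t type = buf[*pos];
    uint8_t sz   = buf[*pos + 1];
    *pos += 2;
    if (type != 0x01) return NULL;            /* unrecognised box type */
    Box *b = malloc(sizeof *b);
    if (!b) return NULL;
    b->size = sz;
    return b;
}

/* Unchecked accumulation, the shape of the faulting loop: when read_box()
 * yields NULL, `a->size` reads address 8 and the process takes SIGSEGV, as
 * in the report. Only safe on well-formed input; shown for contrast. */
static u32 sum_sizes_unchecked(const uint8_t *buf, u32 len, u32 sampleSize)
{
    u32 pos = 0, tempSize = 0;
    while (tempSize < sampleSize) {
        Box *a = read_box(buf, len, &pos);
        tempSize += (u32) a->size;            /* faults when a == NULL */
        free(a);
    }
    return tempSize;
}

/* Guarded version: a failed sub-read is a parse error, and a box whose size
 * would carry the total past the declared sample size is rejected too.
 * Returns the accumulated size on success, -1 on malformed input. */
static int64_t sum_sizes_checked(const uint8_t *buf, u32 len, u32 sampleSize)
{
    u32 pos = 0, tempSize = 0;
    while (tempSize < sampleSize) {
        Box *a = read_box(buf, len, &pos);
        if (!a) return -1;                    /* unknown box or truncated input */
        if (a->size > sampleSize - tempSize) {
            free(a);
            return -1;                        /* would overrun the sample */
        }
        tempSize += a->size;
        free(a);
    }
    return (int64_t) tempSize;
}

/* Constructed sample buffers (not from the attached poc). */
static const uint8_t SAMPLE_OK[]        = {0x01, 3, 0x01, 4}; /* 3 + 4 == 7 */
static const uint8_t SAMPLE_UNKNOWN[]   = {0x01, 3, 0x02, 4}; /* second box unknown */
static const uint8_t SAMPLE_TRUNCATED[] = {0x01, 3};          /* runs out at 3 of 7 */
static const uint8_t SAMPLE_OVERRUN[]   = {0x01, 3, 0x01, 9}; /* 3 + 9 > 7 */

int main(void)
{
    printf("checked ok:        %lld\n", (long long) sum_sizes_checked(SAMPLE_OK, sizeof SAMPLE_OK, 7));
    printf("checked unknown:   %lld\n", (long long) sum_sizes_checked(SAMPLE_UNKNOWN, sizeof SAMPLE_UNKNOWN, 7));
    printf("checked truncated: %lld\n", (long long) sum_sizes_checked(SAMPLE_TRUNCATED, sizeof SAMPLE_TRUNCATED, 7));
    printf("checked overrun:   %lld\n", (long long) sum_sizes_checked(SAMPLE_OVERRUN, sizeof SAMPLE_OVERRUN, 7));
    /* The unchecked loop is only run on the well-formed buffer; on any of the
     * other three it would dereference NULL exactly as the GDB session shows. */
    printf("unchecked ok:      %u\n", sum_sizes_unchecked(SAMPLE_OK, sizeof SAMPLE_OK, 7));
    return 0;
}
```

The guard does two things the unchecked loop does not: it turns a NULL from the sub-reader into an error return, and it bounds the running total by the declared sample size so a box with a bogus length cannot push the loop past the data it was handed.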

@jeanlf jeanlf closed this as completed in 3dafcb5 Dec 10, 2021