Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Null Pointer Dereference in gf_sg_vrml_mf_alloc() #1963

Closed
3 tasks done
AiDaiP opened this issue Dec 10, 2021 · 1 comment
Closed
3 tasks done

Null Pointer Dereference in gf_sg_vrml_mf_alloc() #1963

AiDaiP opened this issue Dec 10, 2021 · 1 comment

Comments

@AiDaiP
Copy link

AiDaiP commented Dec 10, 2021

Thanks for reporting your issue. Please make sure these boxes are checked before submitting your issue - thank you!

Detailed guidelines: http://gpac.io/2013/07/16/how-to-file-a-bug-properly/

A null pointer dereference was discovered in gf_sg_vrml_mf_alloc(). The vulnerability causes a segmentation fault and application crash.

Version:

MP4Box - GPAC version 1.1.0-DEV-revUNKNOWN_REV
(c) 2000-2021 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io

Please cite our work in your research:
        GPAC Filters: https://doi.org/10.1145/3339825.3394929
        GPAC: https://doi.org/10.1145/1291233.1291452

GPAC Configuration:
Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_JPEG GPAC_HAS_PNG GPAC_HAS_LINUX_DVB  GPAC_DISABLE_3D

System information
Ubuntu 20.04 focal, AMD EPYC 7742 64-Core @ 16x 2.25GHz

command:

./MP4Box -lsr ./poc5

poc5.zip

Result

./MP4Box -lsr ./poc5
[iso file] extra box maxr found in hinf, deleting
[iso file] extra box maxr found in hinf, deleting
[iso file] Unknown box type 80rak in parent moov
[iso file] Incomplete box mdat - start 11495 size 861206
[iso file] Incomplete file while reading for dump - aborting parsing
[iso file] extra box maxr found in hinf, deleting
[iso file] extra box maxr found in hinf, deleting
[iso file] Unknown box type 80rak in parent moov
[iso file] Incomplete box mdat - start 11495 size 861206
[iso file] Incomplete file while reading for dump - aborting parsing
MPEG-4 BIFS Scene Parsing
[1]    1371476 segmentation fault  ./MP4Box -lsr ./poc5

gdb

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff78a0f7d in gf_sg_vrml_mf_alloc () from /root/fuckit/test/gpac-master/bin/gcc/libgpac.so.10
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
────────────────────────────────────────────[ REGISTERS ]─────────────────────────────────────────────
 RAX  0x0
 RBX  0x9f03c
 RCX  0x10
 RDX  0x7ffff7e078a0 (CSWTCH.120) ◂— 0xc080c0804080404
 RDI  0x32
 RSI  0x32
 R8   0x0
 R9   0x0
 R10  0x7ffff775bdeb ◂— 'gf_sg_vrml_mf_alloc'
 R11  0x7ffff78a0f30 (gf_sg_vrml_mf_alloc) ◂— endbr64
 R12  0x0
 R13  0x8
 R14  0x0
 R15  0x7fffffff6d60 ◂— 0x30646c6569665f /* '_field0' */
 RBP  0x32
 RSP  0x7fffffff6bf0 ◂— 0x9f03c
 RIP  0x7ffff78a0f7d (gf_sg_vrml_mf_alloc+77) ◂— cmp    dword ptr [r12], ebx
──────────────────────────────────────────────[ DISASM ]──────────────────────────────────────────────
 ► 0x7ffff78a0f7d <gf_sg_vrml_mf_alloc+77>     cmp    dword ptr [r12], ebx
   0x7ffff78a0f81 <gf_sg_vrml_mf_alloc+81>     je     gf_sg_vrml_mf_alloc+125                <gf_sg_vrml_mf_alloc+125>
    ↓
   0x7ffff78a0fad <gf_sg_vrml_mf_alloc+125>    add    rsp, 8
   0x7ffff78a0fb1 <gf_sg_vrml_mf_alloc+129>    pop    rbx
   0x7ffff78a0fb2 <gf_sg_vrml_mf_alloc+130>    pop    rbp
   0x7ffff78a0fb3 <gf_sg_vrml_mf_alloc+131>    pop    r12
   0x7ffff78a0fb5 <gf_sg_vrml_mf_alloc+133>    pop    r13
   0x7ffff78a0fb7 <gf_sg_vrml_mf_alloc+135>    ret

   0x7ffff78a0fb8 <gf_sg_vrml_mf_alloc+136>    nop    dword ptr [rax + rax]
   0x7ffff78a0fc0 <gf_sg_vrml_mf_alloc+144>    mov    edx, ebx
   0x7ffff78a0fc2 <gf_sg_vrml_mf_alloc+146>    imul   r13, rdx
──────────────────────────────────────────────[ STACK ]───────────────────────────────────────────────
00:0000│ rsp 0x7fffffff6bf0 ◂— 0x9f03c
01:0008│     0x7fffffff6bf8 —▸ 0x7fffffff6d30 ◂— 0x3200000000
02:0010│     0x7fffffff6c00 —▸ 0x5555555ded70 ◂— 0x0
03:0018│     0x7fffffff6c08 ◂— 0x555df8c0
04:0020│     0x7fffffff6c10 —▸ 0x5555555d2730 ◂— 0x0
05:0028│     0x7fffffff6c18 —▸ 0x7ffff790f44d (BD_DecMFFieldVec+589) ◂— mov    r14d, eax
06:0030│     0x7fffffff6c20 ◂— 0x0
07:0038│     0x7fffffff6c28 ◂— 0x0
────────────────────────────────────────────[ BACKTRACE ]─────────────────────────────────────────────
 ► f 0   0x7ffff78a0f7d gf_sg_vrml_mf_alloc+77
   f 1   0x7ffff790f44d BD_DecMFFieldVec+589
   f 2   0x7ffff7906205 gf_bifs_dec_proto_list+1333
   f 3   0x7ffff7906549 BD_DecSceneReplace+73
   f 4   0x7ffff7914e2e BM_SceneReplace+110
   f 5   0x7ffff7914ff3 BM_ParseCommand+179
   f 6   0x7ffff7915323 gf_bifs_decode_command_list+163
   f 7   0x7ffff7aa1da2 gf_sm_load_run_isom+1218
──────────────────────────────────────────────────────────────────────────────────────────────────────
pwndbg> bt
#0  0x00007ffff78a0f7d in gf_sg_vrml_mf_alloc () from /root/fuckit/test/gpac-master/bin/gcc/libgpac.so.10
#1  0x00007ffff790f44d in BD_DecMFFieldVec () from /root/fuckit/test/gpac-master/bin/gcc/libgpac.so.10
#2  0x00007ffff7906205 in gf_bifs_dec_proto_list () from /root/fuckit/test/gpac-master/bin/gcc/libgpac.so.10
#3  0x00007ffff7906549 in BD_DecSceneReplace () from /root/fuckit/test/gpac-master/bin/gcc/libgpac.so.10
#4  0x00007ffff7914e2e in BM_SceneReplace () from /root/fuckit/test/gpac-master/bin/gcc/libgpac.so.10
#5  0x00007ffff7914ff3 in BM_ParseCommand () from /root/fuckit/test/gpac-master/bin/gcc/libgpac.so.10
#6  0x00007ffff7915323 in gf_bifs_decode_command_list () from /root/fuckit/test/gpac-master/bin/gcc/libgpac.so.10
#7  0x00007ffff7aa1da2 in gf_sm_load_run_isom () from /root/fuckit/test/gpac-master/bin/gcc/libgpac.so.10
#8  0x00005555555844a8 in dump_isom_scene ()
#9  0x000055555557b42c in mp4boxMain ()
#10 0x00007ffff75630b3 in __libc_start_main (main=0x55555556c420 <main>, argc=3, argv=0x7fffffffe1a8, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe198) at ../csu/libc-start.c:308
#11 0x000055555556c45e in _start ()
jeanlf added a commit that referenced this issue Dec 10, 2021
@jeanlf
Copy link
Member

jeanlf commented Dec 10, 2021

fixed by fixing #1962 - thanks for these reports !

@jeanlf jeanlf closed this as completed Dec 10, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants