Null Pointer Dereference in gf_isom_parse_movie_boxes_internal() #1964

Closed
3 tasks done
AiDaiP opened this issue Dec 10, 2021 · 0 comments

AiDaiP commented Dec 10, 2021

Thanks for reporting your issue. Please make sure these boxes are checked before submitting your issue - thank you!

Detailed guidelines: http://gpac.io/2013/07/16/how-to-file-a-bug-properly/

A null pointer dereference was discovered in gf_isom_parse_movie_boxes_internal(). The vulnerability causes a segmentation fault and application crash.

Version:

MP4Box - GPAC version 1.1.0-DEV-revUNKNOWN_REV
(c) 2000-2021 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io

Please cite our work in your research:
        GPAC Filters: https://doi.org/10.1145/3339825.3394929
        GPAC: https://doi.org/10.1145/1291233.1291452

GPAC Configuration:
Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_JPEG GPAC_HAS_PNG GPAC_HAS_LINUX_DVB  GPAC_DISABLE_3D

System information
Ubuntu 20.04 focal, AMD EPYC 7742 64-Core @ 16x 2.25GHz

command:

./MP4Box -lsr poc_1

poc_1.zip

Result

[iso file] extra box maxr found in hinf, deleting
[iso file] Read Box type 00000000 (0x00000000) at position 4494 has size 0 but is not at root/file level, skipping
[iso file] Read Box "hinf" (start 4390) failed (End Of Stream / File) - skipping
[iso file] Read Box "udta" (start 4178) failed (End Of Stream / File) - skipping
[iso file] Read Box "trak" (start 2229) failed (End Of Stream / File) - skipping
[iso file] Read Box "moov" (start 20) failed (End Of Stream / File) - skipping
[1]    2155243 segmentation fault  ./MP4Box -lsr ./poc/poc_1

gdb

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff7973829 in gf_isom_parse_movie_boxes_internal () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
────────────────────────────────────────────[ REGISTERS ]─────────────────────────────────────────────
 RAX  0x1
 RBX  0x5555555c72a0 ◂— 0x0
 RCX  0x7ffff764d1e7 (write+23) ◂— cmp    rax, -0x1000 /* 'H=' */
 RDX  0x0
 RDI  0x5555555c62a0 ◂— 0x0
 RSI  0x0
 R8   0x0
 R9   0x0
 R10  0x7ffff7e227df ◂— ') - skipping\n'
 R11  0x246
 R12  0x0
 R13  0x0
 R14  0x5555555c72a0 ◂— 0x0
 R15  0x3
 RBP  0x7fffffff83a0 ◂— 0x0
 RSP  0x7fffffff8310 —▸ 0x7fffffff8350 ◂— 0x0
 RIP  0x7ffff7973829 (gf_isom_parse_movie_boxes_internal+249) ◂— mov    eax, dword ptr [rsi]
──────────────────────────────────────────────[ DISASM ]──────────────────────────────────────────────
 ► 0x7ffff7973829 <gf_isom_parse_movie_boxes_internal+249>     mov    eax, dword ptr [rsi]
   0x7ffff797382b <gf_isom_parse_movie_boxes_internal+251>     cmp    eax, 0x6d6f6f76
   0x7ffff7973830 <gf_isom_parse_movie_boxes_internal+256>     je     gf_isom_parse_movie_boxes_internal+1688                <gf_isom_parse_movie_boxes_internal+1688>
    ↓
   0x7ffff7973dc8 <gf_isom_parse_movie_boxes_internal+1688>    cmp    qword ptr [r14 + 0x48], 0
   0x7ffff7973dcd <gf_isom_parse_movie_boxes_internal+1693>    jne    gf_isom_parse_movie_boxes_internal+4630                <gf_isom_parse_movie_boxes_internal+4630>
    ↓
   0x7ffff7974946 <gf_isom_parse_movie_boxes_internal+4630>    mov    esi, 1
   0x7ffff797494b <gf_isom_parse_movie_boxes_internal+4635>    mov    edi, 2
   0x7ffff7974950 <gf_isom_parse_movie_boxes_internal+4640>    call   gf_log_tool_level_on@plt                <gf_log_tool_level_on@plt>

   0x7ffff7974955 <gf_isom_parse_movie_boxes_internal+4645>    test   eax, eax
   0x7ffff7974957 <gf_isom_parse_movie_boxes_internal+4647>    je     gf_isom_parse_movie_boxes_internal+4540                <gf_isom_parse_movie_boxes_internal+4540>

   0x7ffff7974959 <gf_isom_parse_movie_boxes_internal+4649>    mov    esi, 2
──────────────────────────────────────────────[ STACK ]───────────────────────────────────────────────
00:0000│ rsp 0x7fffffff8310 —▸ 0x7fffffff8350 ◂— 0x0
01:0008│     0x7fffffff8318 ◂— 0x0
... ↓        2 skipped
04:0020│     0x7fffffff8330 —▸ 0x5555555c7500 ◂— 0x6d703431 /* '14pm' */
05:0028│     0x7fffffff8338 ◂— 0x0
06:0030│     0x7fffffff8340 ◂— 0x0
07:0038│     0x7fffffff8348 ◂— 0x4
────────────────────────────────────────────[ BACKTRACE ]─────────────────────────────────────────────
 ► f 0   0x7ffff7973829 gf_isom_parse_movie_boxes_internal+249
   f 1   0x7ffff7974f97 gf_isom_open_file+311
   f 2   0x55555557dc14 mp4boxMain+19444
   f 3   0x7ffff75630b3 __libc_start_main+243
──────────────────────────────────────────────────────────────────────────────────────────────────────
pwndbg> bt
#0  0x00007ffff7973829 in gf_isom_parse_movie_boxes_internal () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
#1  0x00007ffff7974f97 in gf_isom_open_file () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
#2  0x000055555557dc14 in mp4boxMain ()
#3  0x00007ffff75630b3 in __libc_start_main (main=0x55555556c420 <main>, argc=3, argv=0x7fffffffe188, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe178) at ../csu/libc-start.c:308
#4  0x000055555556c45e in _start ()
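A minimal reproduction of the bug shape behind this crash, added here as an example and not GPAC's own code: the log shows the truncated "moov" box being skipped, and the faulting instruction then reads a box type through RSI == 0, i.e. the caller tested the box's type after the reader returned without producing a box. The `Box` record, `read_box` and the two loops below are hypothetical simplifications, and the two input files are constructed.

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical, simplified box record (not GPAC's GF_Box). */
typedef struct { uint32_t type; uint32_t size; } Box;

#define FOURCC(a, b, c, d) (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | ((uint32_t)(c) << 8) | (uint32_t)(d))
#define BOX_MOOV FOURCC('m', 'o', 'o', 'v') /* 0x6d6f6f76, the constant compared in the disassembly */

static uint32_t rd32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Reads the box header at *pos. As in the reporter's log ("failed ... skipping"), a box whose
 * declared size overruns the buffer is skipped: the call still returns 0 (no error) but leaves
 * *out NULL. Returns -1 only at end of stream. */
static int read_box(const uint8_t *buf, size_t len, size_t *pos, Box *slot, Box **out) {
    *out = NULL;
    if (*pos + 8 > len) return -1;
    uint32_t size = rd32(buf + *pos), type = rd32(buf + *pos + 4);
    if (size < 8 || size > len - *pos) { *pos = len; return 0; } /* truncated: skip remainder */
    slot->type = type; slot->size = size;
    *out = slot; *pos += size;
    return 0;
}

/* Vulnerable shape: treats a 0 return as "a box was produced" and reads a->type straight away.
 * On trunc_file below the skipped moov leaves a == NULL and this dereferences it, as in the report. */
static int find_moov_unchecked(const uint8_t *buf, size_t len) {
    size_t pos = 0; Box slot, *a;
    while (read_box(buf, len, &pos, &slot, &a) == 0)
        if (a->type == BOX_MOOV) return 1;
    return 0;
}

/* Hardened shape: a skipped box yields no object, so test the pointer before the type. */
static int find_moov(const uint8_t *buf, size_t len) {
    size_t pos = 0; Box slot, *a;
    while (read_box(buf, len, &pos, &slot, &a) == 0)
        if (a && a->type == BOX_MOOV) return 1;
    return 0;
}

/* Constructed inputs: a 16-byte 'ftyp' box followed by a 'moov' header. */
static const uint8_t good_file[] = { 0,0,0,16,'f','t','y','p','i','s','o','m',0,0,0,1, 0,0,0,8,'m','o','o','v' };
/* Same, but moov claims 100 bytes while only 12 remain: read_box skips it and hands back a NULL box. */
static const uint8_t trunc_file[] = { 0,0,0,16,'f','t','y','p','i','s','o','m',0,0,0,1, 0,0,0,100,'m','o','o','v',0,0,0,0 };
```

Running `find_moov` over `trunc_file` reports "no moov" instead of faulting; the unchecked variant is only safe on well-formed input.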
jeanlf closed this as completed in 5b4a641 Dec 13, 2021