
Null Pointer Dereference in gf_svg_get_attribute_name() #1967

Closed
AiDaiP opened this issue Dec 10, 2021 · 0 comments

AiDaiP commented Dec 10, 2021

A null pointer dereference was discovered in gf_svg_get_attribute_name(). The vulnerability causes a segmentation fault and application crash.

Version:

MP4Box - GPAC version 1.1.0-DEV-revUNKNOWN_REV
(c) 2000-2021 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io

Please cite our work in your research:
        GPAC Filters: https://doi.org/10.1145/3339825.3394929
        GPAC: https://doi.org/10.1145/1291233.1291452

GPAC Configuration:
Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_JPEG GPAC_HAS_PNG GPAC_HAS_LINUX_DVB  GPAC_DISABLE_3D

System information
Ubuntu 20.04 focal, AMD EPYC 7742 64-Core @ 16x 2.25GHz

command:

./MP4Box -lsr poc_4

poc_4.zip

Result

[iso file] extra box maxr found in hinf, deleting
[iso file] extra box maxr found in hinf, deleting
[iso file] Unknown box type 80rak in parent moov
[iso file] Incomplete box mdat - start 11495 size 796312
[iso file] Incomplete file while reading for dump - aborting parsing
[iso file] extra box maxr found in hinf, deleting
[iso file] extra box maxr found in hinf, deleting
[iso file] Unknown box type 80rak in parent moov
[iso file] Incomplete box mdat - start 11495 size 796312
[iso file] Incomplete file while reading for dump - aborting parsing
MPEG-4 LASeR Scene Parsing
Scene loaded - dumping 1 systems streams
[1]    3570050 segmentation fault  ./MP4Box -lsr ./poc/poc_4

gdb

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff78e16ac in gf_svg_get_attribute_name () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
────────────────────────────────────────────[ REGISTERS ]─────────────────────────────────────────────
 RAX  0x0
 RBX  0x5555555decb0 —▸ 0x5555555d4350 ◂— 0x0
 RCX  0x0
 RDX  0x7ffff7f7c428 (xml_elements+8) ◂— 0x300000422
 RDI  0x0
 RSI  0x0
 R8   0x0
 R9   0xa
 R10  0x7ffff7e45bd4 ◂— 0x6e696f7020002022 /* '" ' */
 R11  0x7fffffff6ee7 ◂— 0xbffcbef5d8160036 /* '6' */
 R12  0x5555555df180 —▸ 0x5555555d4350 ◂— 0x0
 R13  0x0
 R14  0x7ffff7e10cf4 ◂— 'textContent'
 R15  0x7ffff7df5e9b ◂— 0x663325002f2e2e00
 RBP  0x7fffffff7080 ◂— 0x344e /* 'N4' */
 RSP  0x7fffffff6fe0 ◂— 0x25286574616c736e ('nslate(%')
 RIP  0x7ffff78e16ac (gf_svg_get_attribute_name+28) ◂— mov    rax, qword ptr [rdi]
──────────────────────────────────────────────[ DISASM ]──────────────────────────────────────────────
 ► 0x7ffff78e16ac <gf_svg_get_attribute_name+28>    mov    rax, qword ptr [rdi]
   0x7ffff78e16af <gf_svg_get_attribute_name+31>    movzx  ecx, word ptr [rax]
   0x7ffff78e16b2 <gf_svg_get_attribute_name+34>    xor    eax, eax
   0x7ffff78e16b4 <gf_svg_get_attribute_name+36>    cmp    cx, 0x408
   0x7ffff78e16b9 <gf_svg_get_attribute_name+41>    jne    gf_svg_get_attribute_name+64
 <gf_svg_get_attribute_name+64>
    ↓
   0x7ffff78e16d0 <gf_svg_get_attribute_name+64>    cmp    dword ptr [rdx], ecx
   0x7ffff78e16d2 <gf_svg_get_attribute_name+66>    jne    gf_svg_get_attribute_name+48
 <gf_svg_get_attribute_name+48>
    ↓
   0x7ffff78e16c0 <gf_svg_get_attribute_name+48>    add    eax, 1
   0x7ffff78e16c3 <gf_svg_get_attribute_name+51>    add    rdx, 0x10
   0x7ffff78e16c7 <gf_svg_get_attribute_name+55>    cmp    eax, 0x4e
   0x7ffff78e16ca <gf_svg_get_attribute_name+58>    je     gf_svg_get_attribute_name+365
  <gf_svg_get_attribute_name+365>
──────────────────────────────────────────────[ STACK ]───────────────────────────────────────────────
00:0000│ rsp 0x7fffffff6fe0 ◂— 0x25286574616c736e ('nslate(%')
01:0008│     0x7fffffff6fe8 —▸ 0x5555555decb0 —▸ 0x5555555d4350 ◂— 0x0
02:0010│     0x7fffffff6ff0 —▸ 0x7fffffff7080 ◂— 0x344e /* 'N4' */
03:0018│     0x7fffffff6ff8 —▸ 0x5555555df180 —▸ 0x5555555d4350 ◂— 0x0
04:0020│     0x7fffffff7000 —▸ 0x5555555df2e0 ◂— 0x0
05:0028│     0x7fffffff7008 —▸ 0x7ffff7e10cf4 ◂— 'textContent'
06:0030│     0x7fffffff7010 —▸ 0x7ffff7df5e9b ◂— 0x663325002f2e2e00
07:0038│     0x7fffffff7018 —▸ 0x7ffff7abae7a (DumpLSRAddReplaceInsert+938) ◂— mov    r14, rax
────────────────────────────────────────────[ BACKTRACE ]─────────────────────────────────────────────
 ► f 0   0x7ffff78e16ac gf_svg_get_attribute_name+28
   f 1   0x7ffff7abae7a DumpLSRAddReplaceInsert+938
   f 2   0x7ffff7abb12b gf_sm_dump_command_list+219
   f 3   0x7ffff7ac254c gf_sm_dump+1116
   f 4   0x555555584418 dump_isom_scene+616
   f 5   0x55555557b42c mp4boxMain+9228
   f 6   0x7ffff75630b3 __libc_start_main+243
──────────────────────────────────────────────────────────────────────────────────────────────────────
pwndbg> bt
#0  0x00007ffff78e16ac in gf_svg_get_attribute_name () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
#1  0x00007ffff7abae7a in DumpLSRAddReplaceInsert () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
#2  0x00007ffff7abb12b in gf_sm_dump_command_list () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
#3  0x00007ffff7ac254c in gf_sm_dump () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
#4  0x0000555555584418 in dump_isom_scene ()
#5  0x000055555557b42c in mp4boxMain ()
#6  0x00007ffff75630b3 in __libc_start_main (main=0x55555556c420 <main>, argc=3, argv=0x7fffffffe188, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe178) at ../csu/libc-start.c:308
#7  0x000055555556c45e in _start ()
@jeanlf jeanlf closed this as completed in a5a8dbc Dec 13, 2021
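The faulting instruction in the report is the first load in gf_svg_get_attribute_name() (mov rax, qword ptr [rdi] with RDI == 0): the function reads the node's private block to get its 16-bit tag and then walks the xml_elements table (16-byte entries, tag at offset 8) comparing tags, and DumpLSRAddReplaceInsert() reached it with a NULL node. The C below is an added example, not GPAC's code and not the fix landed in a5a8dbc: it reconstructs that lookup pattern beside a guarded version and a stand-in for the dumper. The struct layouts are inferred from the disassembly; the table contents, the element_name_* / dump_command_target / lookup_by_tag names and the caller are hypothetical.

```c
/* Added example (not GPAC code): a reconstruction of the NULL-deref pattern
 * seen in the report's disassembly, beside a guarded version.
 * Assumed from the disassembly: the node's first field points to a private
 * block whose first 16-bit field is the node tag; xml_elements is a table of
 * 16-byte entries with the tag at offset 8. Table contents and every name
 * other than gf_svg_get_attribute_name / xml_elements are hypothetical. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct { uint16_t tag; } NodePriv;        /* hypothetical sgprivate */
typedef struct { NodePriv *sgprivate; } Node;     /* hypothetical GF_Node   */
typedef struct {
    const char *name;                             /* offset 0  */
    uint32_t    tag;                              /* offset 8, as in the report */
    uint32_t    pad;
} XmlElement;                                     /* 16 bytes on LP64 */

static const XmlElement xml_elements[] = {        /* constructed sample table */
    { "svg",  0x401, 0 },
    { "g",    0x402, 0 },
    { "text", 0x403, 0 },
};
#define NUM_XML_ELEMENTS (sizeof(xml_elements) / sizeof(xml_elements[0]))

/* Unguarded form: the very first statement loads node->sgprivate, which is
 * the "mov rax, qword ptr [rdi]" that faulted with RDI == 0. Never call it
 * with a NULL node. */
const char *element_name_unguarded(const Node *node)
{
    uint16_t tag = node->sgprivate->tag;
    for (size_t i = 0; i < NUM_XML_ELEMENTS; i++)
        if (xml_elements[i].tag == tag) return xml_elements[i].name;
    return NULL;
}

/* Guarded form: reject a NULL node (and a NULL private block) before the
 * first dereference, so a missing target yields NULL instead of SIGSEGV. */
const char *element_name_guarded(const Node *node)
{
    if (!node || !node->sgprivate) return NULL;
    uint16_t tag = node->sgprivate->tag;
    for (size_t i = 0; i < NUM_XML_ELEMENTS; i++)
        if (xml_elements[i].tag == tag) return xml_elements[i].name;
    return NULL;
}

/* Stand-in for the dumper: in the report the LASeR Add/Replace/Insert dump
 * reached the lookup with a command whose target node was NULL. Returns the
 * text that would be written for the command's target. */
const char *dump_command_target(const Node *target)
{
    const char *name = element_name_guarded(target);
    return name ? name : "(no target)";
}

/* Builds a node with the given tag and runs one of the two lookups on it. */
const char *lookup_by_tag(uint16_t tag, int guarded)
{
    NodePriv priv = { tag };
    Node node = { &priv };
    return guarded ? element_name_guarded(&node) : element_name_unguarded(&node);
}

int main(void)
{
    printf("tag 0x402   -> %s\n", lookup_by_tag(0x402, 1));
    printf("NULL target -> %s\n", dump_command_target(NULL));
    return 0;
}
```

The guard is defence in depth for the lookup itself; the root cause is a scene command decoded from a malformed file (note the unknown "80rak" box and truncated mdat in the log) that carried no target node, so the parsing and dump layers should also refuse to emit or print a command without one. The page does not show the patch, so what a5a8dbc actually changed is not reproduced here.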