[iso file] Unknown box type dreFF in parent dinf
[iso file] Missing dref box in dinf
[iso file] extra box maxr found in hinf, deleting
[iso file] Unknown box type FFFFFF80 in parent hinf
[iso file] extra box maxr found in hinf, deleting
[iso file] Unknown box type 80rak in parent moov
[iso file] Incomplete box mdat - start 11495 size 860062
[iso file] Incomplete file while reading for dump - aborting parsing
[iso file] Unknown box type dreFF in parent dinf
[iso file] Missing dref box in dinf
[iso file] extra box maxr found in hinf, deleting
[iso file] Unknown box type FFFFFF80 in parent hinf
[iso file] extra box maxr found in hinf, deleting
[iso file] Unknown box type 80rak in parent moov
[iso file] Incomplete box mdat - start 11495 size 860062
[iso file] Incomplete file while reading for dump - aborting parsing
MPEG-4 LASeR Scene Parsing
[1] 878696 segmentation fault ./MP4Box -lsr ./poc/poc_5
poc_6
[iso file] extra box maxr found in hinf, deleting
[iso file] extra box maxr found in hinf, deleting
[iso file] Unknown box type pm00x in parent hinf
[iso file] Unknown box type 80rak in parent moov
[iso file] Incomplete box mdat - start 11495 size 861258
[iso file] Incomplete file while reading for dump - aborting parsing
[iso file] extra box maxr found in hinf, deleting
[iso file] extra box maxr found in hinf, deleting
[iso file] Unknown box type pm00x in parent hinf
[iso file] Unknown box type 80rak in parent moov
[iso file] Incomplete box mdat - start 11495 size 861258
[iso file] Incomplete file while reading for dump - aborting parsing
MPEG-4 LASeR Scene Parsing
[LASeR] memory overread - corrupted decoding
[LASeR] memory overread - corrupted decoding
[LASeR] memory overread - corrupted decoding
[LASeR] memory overread - corrupted decoding
[LASeR] memory overread - corrupted decoding
[LASeR] memory overread - corrupted decoding
[LASeR] memory overread - corrupted decoding
[LASeR] memory overread - corrupted decoding
[LASeR] memory overread - corrupted decoding
...
Program received signal SIGSEGV, Segmentation fault.
gdb
poc_5
Program received signal SIGSEGV, Segmentation fault.
0x00007ffff784acf0 in gf_node_get_field () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
────────────────────────────────────────────[ REGISTERS ]─────────────────────────────────────────────
RAX 0x4
RBX 0x5555555df130 —▸ 0x5555555d4330 ◂— 0x0
RCX 0x5555555df310 ◂— 0x0
RDX 0x7fffffff7050 ◂— 0x4
RDI 0x0
RSI 0x7fffffff7050 ◂— 0x4
R8 0x4
R9 0x0
R10 0x7ffff775bb48 ◂— 'gf_node_get_field'
R11 0x7ffff784acd0 (gf_node_get_field) ◂— endbr64
R12 0xfffffffe
R13 0x5555555df290 ◂— 0x4
R14 0x7fffffff7050 ◂— 0x4
R15 0x5555555dcdc0 —▸ 0x5555555d26b0 ◂— 0x0
RBP 0x80
RSP 0x7fffffff6fa8 —▸ 0x7ffff7b5784a (lsr_read_command_list+1402) ◂— mov eax, dword ptr [rsp + 0xa4]
RIP 0x7ffff784acf0 (gf_node_get_field+32) ◂— mov rax, qword ptr [rdi]
──────────────────────────────────────────────[ DISASM ]──────────────────────────────────────────────
► 0x7ffff784acf0 <gf_node_get_field+32> mov rax, qword ptr [rdi]
0x7ffff784acf3 <gf_node_get_field+35> movzx eax, word ptr [rax]
0x7ffff784acf6 <gf_node_get_field+38> test ax, ax
0x7ffff784acf9 <gf_node_get_field+41> je gf_node_get_field+144 <gf_node_get_field+144>
↓
0x7ffff784ad60 <gf_node_get_field+144> mov eax, 0xffffffff
0x7ffff784ad65 <gf_node_get_field+149> ret
0x7ffff784ad66 nop word ptr cs:[rax + rax]
0x7ffff784ad70 <dirty_children> push r14
0x7ffff784ad72 <dirty_children+2> push r13
0x7ffff784ad74 <dirty_children+4> push r12
0x7ffff784ad76 <dirty_children+6> push rbp
──────────────────────────────────────────────[ STACK ]───────────────────────────────────────────────
00:0000│ rsp 0x7fffffff6fa8 —▸ 0x7ffff7b5784a (lsr_read_command_list+1402) ◂— mov eax, dword ptr [rsp + 0xa4]
01:0008│ 0x7fffffff6fb0 ◂— 0x0
02:0010│ 0x7fffffff6fb8 ◂— 0x300000000
03:0018│ 0x7fffffff6fc0 ◂— 0x0
04:0020│ 0x7fffffff6fc8 —▸ 0x5555555df0b0 —▸ 0x5555555df1d0 —▸ 0x5555555df130 —▸ 0x5555555d4330 ◂— ...
05:0028│ 0x7fffffff6fd0 ◂— 0x0
... ↓ 2 skipped
────────────────────────────────────────────[ BACKTRACE ]─────────────────────────────────────────────
► f 0 0x7ffff784acf0 gf_node_get_field+32
f 1 0x7ffff7b5784a lsr_read_command_list+1402
f 2 0x7ffff7b59914 lsr_decode_laser_unit+708
f 3 0x7ffff7b6204d gf_laser_decode_command_list+333
f 4 0x7ffff7aa1eb1 gf_sm_load_run_isom+1505
f 5 0x5555555844a8 dump_isom_scene+760
f 6 0x55555557b42c mp4boxMain+9228
f 7 0x7ffff75630b3 __libc_start_main+243
──────────────────────────────────────────────────────────────────────────────────────────────────────
pwndbg> bt
#0 0x00007ffff784acf0 in gf_node_get_field () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
#1 0x00007ffff7b5784a in lsr_read_command_list () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
#2 0x00007ffff7b59914 in lsr_decode_laser_unit () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
#3 0x00007ffff7b6204d in gf_laser_decode_command_list () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
#4 0x00007ffff7aa1eb1 in gf_sm_load_run_isom () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
#5 0x00005555555844a8 in dump_isom_scene ()
#6 0x000055555557b42c in mp4boxMain ()
#7 0x00007ffff75630b3 in __libc_start_main (main=0x55555556c420 <main>, argc=3, argv=0x7fffffffe188, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe178) at ../csu/libc-start.c:308
#8 0x000055555556c45e in _start ()
poc_6
Program received signal SIGSEGV, Segmentation fault.
0x00007ffff784acf0 in gf_node_get_field () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
────────────────────────────────────────────[ REGISTERS ]─────────────────────────────────────────────
RAX 0xbb
RBX 0x5555555df0f0 —▸ 0x5555555d4300 ◂— 0x0
RCX 0x5555555df2d0 ◂— 0x0
RDX 0x7fffffff7000 ◂— 0xbb
RDI 0x0
RSI 0x7fffffff7000 ◂— 0xbb
R8 0xbb
R9 0x0
R10 0x7ffff775bb48 ◂— 'gf_node_get_field'
R11 0x7ffff784acd0 (gf_node_get_field) ◂— endbr64
R12 0xfffffffe
R13 0x5555555df250 ◂— 0xbb
R14 0x7fffffff7000 ◂— 0xbb
R15 0x5555555dcd80 —▸ 0x5555555d2680 ◂— 0x0
RBP 0x40
RSP 0x7fffffff6f58 —▸ 0x7ffff7b5784a (lsr_read_command_list+1402) ◂— mov eax, dword ptr [rsp + 0xa4]
RIP 0x7ffff784acf0 (gf_node_get_field+32) ◂— mov rax, qword ptr [rdi]
──────────────────────────────────────────────[ DISASM ]──────────────────────────────────────────────
► 0x7ffff784acf0 <gf_node_get_field+32> mov rax, qword ptr [rdi]
0x7ffff784acf3 <gf_node_get_field+35> movzx eax, word ptr [rax]
0x7ffff784acf6 <gf_node_get_field+38> test ax, ax
0x7ffff784acf9 <gf_node_get_field+41> je gf_node_get_field+144 <gf_node_get_field+144>
↓
0x7ffff784ad60 <gf_node_get_field+144> mov eax, 0xffffffff
0x7ffff784ad65 <gf_node_get_field+149> ret
0x7ffff784ad66 nop word ptr cs:[rax + rax]
0x7ffff784ad70 <dirty_children> push r14
0x7ffff784ad72 <dirty_children+2> push r13
0x7ffff784ad74 <dirty_children+4> push r12
0x7ffff784ad76 <dirty_children+6> push rbp
──────────────────────────────────────────────[ STACK ]───────────────────────────────────────────────
00:0000│ rsp 0x7fffffff6f58 —▸ 0x7ffff7b5784a (lsr_read_command_list+1402) ◂— mov eax, dword ptr [rsp + 0xa4]
01:0008│ 0x7fffffff6f60 ◂— 0x6469005453414c00
02:0010│ 0x7fffffff6f68 ◂— 0x900000000
03:0018│ 0x7fffffff6f70 ◂— 0x0
04:0020│ 0x7fffffff6f78 —▸ 0x5555555df070 —▸ 0x5555555df190 —▸ 0x5555555df0f0 —▸ 0x5555555d4300 ◂— ...
05:0028│ 0x7fffffff6f80 ◂— 0x0
... ↓ 2 skipped
────────────────────────────────────────────[ BACKTRACE ]─────────────────────────────────────────────
► f 0 0x7ffff784acf0 gf_node_get_field+32
f 1 0x7ffff7b5784a lsr_read_command_list+1402
f 2 0x7ffff7b59914 lsr_decode_laser_unit+708
f 3 0x7ffff7b6204d gf_laser_decode_command_list+333
f 4 0x7ffff7aa1eb1 gf_sm_load_run_isom+1505
f 5 0x5555555844a8 dump_isom_scene+760
f 6 0x55555557b42c mp4boxMain+9228
f 7 0x7ffff75630b3 __libc_start_main+243
──────────────────────────────────────────────────────────────────────────────────────────────────────
pwndbg> bt
#0 0x00007ffff784acf0 in gf_node_get_field () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
#1 0x00007ffff7b5784a in lsr_read_command_list () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
#2 0x00007ffff7b59914 in lsr_decode_laser_unit () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
#3 0x00007ffff7b6204d in gf_laser_decode_command_list () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
#4 0x00007ffff7aa1eb1 in gf_sm_load_run_isom () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
#5 0x00005555555844a8 in dump_isom_scene ()
#6 0x000055555557b42c in mp4boxMain ()
#7 0x00007ffff75630b3 in __libc_start_main (main=0x55555556c420 <main>, argc=3, argv=0x7fffffffe138, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe128) at ../csu/libc-start.c:308
#8 0x000055555556c45e in _start ()
Thanks for reporting your issue. Please make sure these boxes are checked before submitting your issue - thank you!
Detailed guidelines: http://gpac.io/2013/07/16/how-to-file-a-bug-properly/
A NULL pointer dereference was discovered in gf_node_get_field(): the faulting instruction is `mov rax, qword ptr [rdi]` at gf_node_get_field+32 with RDI = 0x0, reached from lsr_read_command_list() while parsing the LASeR scene of a truncated/corrupted ISO file (for poc_6 the crash follows repeated `[LASeR] memory overread - corrupted decoding` warnings). The vulnerability causes a segmentation fault and crashes MP4Box when run with `-lsr` on the attached files.
Version:
System information
Ubuntu 20.04 focal, AMD EPYC 7742 64-Core @ 16x 2.25GHz
command:
poc.zip
Result
poc_5
poc_6
gdb
poc_5
poc_6