Null Pointer Dereference in gf_node_get_field() #1968

Closed
3 tasks done
AiDaiP opened this issue Dec 10, 2021 · 0 comments
AiDaiP commented Dec 10, 2021

Thanks for reporting your issue. Please make sure these boxes are checked before submitting your issue - thank you!

Detailed guidelines: http://gpac.io/2013/07/16/how-to-file-a-bug-properly/

A null pointer dereference was discovered in gf_node_get_field(). The vulnerability causes a segmentation fault and application crash.

Version:

MP4Box - GPAC version 1.1.0-DEV-revUNKNOWN_REV
(c) 2000-2021 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io

Please cite our work in your research:
        GPAC Filters: https://doi.org/10.1145/3339825.3394929
        GPAC: https://doi.org/10.1145/1291233.1291452

GPAC Configuration:
Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_JPEG GPAC_HAS_PNG GPAC_HAS_LINUX_DVB  GPAC_DISABLE_3D

System information
Ubuntu 20.04 focal, AMD EPYC 7742 64-Core @ 16x 2.25GHz

command:

./MP4Box -lsr poc_5
./MP4Box -lsr poc_6

poc.zip

Result

poc_5

[iso file] Unknown box type dreFF in parent dinf
[iso file] Missing dref box in dinf
[iso file] extra box maxr found in hinf, deleting
[iso file] Unknown box type FFFFFF80 in parent hinf
[iso file] extra box maxr found in hinf, deleting
[iso file] Unknown box type 80rak in parent moov
[iso file] Incomplete box mdat - start 11495 size 860062
[iso file] Incomplete file while reading for dump - aborting parsing
[iso file] Unknown box type dreFF in parent dinf
[iso file] Missing dref box in dinf
[iso file] extra box maxr found in hinf, deleting
[iso file] Unknown box type FFFFFF80 in parent hinf
[iso file] extra box maxr found in hinf, deleting
[iso file] Unknown box type 80rak in parent moov
[iso file] Incomplete box mdat - start 11495 size 860062
[iso file] Incomplete file while reading for dump - aborting parsing
MPEG-4 LASeR Scene Parsing
[1]    878696 segmentation fault  ./MP4Box -lsr ./poc/poc_5

poc_6

[iso file] extra box maxr found in hinf, deleting
[iso file] extra box maxr found in hinf, deleting
[iso file] Unknown box type pm00x in parent hinf
[iso file] Unknown box type 80rak in parent moov
[iso file] Incomplete box mdat - start 11495 size 861258
[iso file] Incomplete file while reading for dump - aborting parsing
[iso file] extra box maxr found in hinf, deleting
[iso file] extra box maxr found in hinf, deleting
[iso file] Unknown box type pm00x in parent hinf
[iso file] Unknown box type 80rak in parent moov
[iso file] Incomplete box mdat - start 11495 size 861258
[iso file] Incomplete file while reading for dump - aborting parsing
MPEG-4 LASeR Scene Parsing
[LASeR] memory overread - corrupted decoding
[LASeR] memory overread - corrupted decoding
[LASeR] memory overread - corrupted decoding
[LASeR] memory overread - corrupted decoding
[LASeR] memory overread - corrupted decoding
[LASeR] memory overread - corrupted decoding
[LASeR] memory overread - corrupted decoding
[LASeR] memory overread - corrupted decoding
[LASeR] memory overread - corrupted decoding
...
Program received signal SIGSEGV, Segmentation fault.

gdb

poc_5

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff784acf0 in gf_node_get_field () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
────────────────────────────────────────────[ REGISTERS ]─────────────────────────────────────────────
 RAX  0x4
 RBX  0x5555555df130 —▸ 0x5555555d4330 ◂— 0x0
 RCX  0x5555555df310 ◂— 0x0
 RDX  0x7fffffff7050 ◂— 0x4
 RDI  0x0
 RSI  0x7fffffff7050 ◂— 0x4
 R8   0x4
 R9   0x0
 R10  0x7ffff775bb48 ◂— 'gf_node_get_field'
 R11  0x7ffff784acd0 (gf_node_get_field) ◂— endbr64
 R12  0xfffffffe
 R13  0x5555555df290 ◂— 0x4
 R14  0x7fffffff7050 ◂— 0x4
 R15  0x5555555dcdc0 —▸ 0x5555555d26b0 ◂— 0x0
 RBP  0x80
 RSP  0x7fffffff6fa8 —▸ 0x7ffff7b5784a (lsr_read_command_list+1402) ◂— mov    eax, dword ptr [rsp + 0xa4]
 RIP  0x7ffff784acf0 (gf_node_get_field+32) ◂— mov    rax, qword ptr [rdi]
──────────────────────────────────────────────[ DISASM ]──────────────────────────────────────────────
 ► 0x7ffff784acf0 <gf_node_get_field+32>     mov    rax, qword ptr [rdi]
   0x7ffff784acf3 <gf_node_get_field+35>     movzx  eax, word ptr [rax]
   0x7ffff784acf6 <gf_node_get_field+38>     test   ax, ax
   0x7ffff784acf9 <gf_node_get_field+41>     je     gf_node_get_field+144                <gf_node_get_field+144>
    ↓
   0x7ffff784ad60 <gf_node_get_field+144>    mov    eax, 0xffffffff
   0x7ffff784ad65 <gf_node_get_field+149>    ret

   0x7ffff784ad66                            nop    word ptr cs:[rax + rax]
   0x7ffff784ad70 <dirty_children>           push   r14
   0x7ffff784ad72 <dirty_children+2>         push   r13
   0x7ffff784ad74 <dirty_children+4>         push   r12
   0x7ffff784ad76 <dirty_children+6>         push   rbp
──────────────────────────────────────────────[ STACK ]───────────────────────────────────────────────
00:0000│ rsp 0x7fffffff6fa8 —▸ 0x7ffff7b5784a (lsr_read_command_list+1402) ◂— mov    eax, dword ptr [rsp + 0xa4]
01:0008│     0x7fffffff6fb0 ◂— 0x0
02:0010│     0x7fffffff6fb8 ◂— 0x300000000
03:0018│     0x7fffffff6fc0 ◂— 0x0
04:0020│     0x7fffffff6fc8 —▸ 0x5555555df0b0 —▸ 0x5555555df1d0 —▸ 0x5555555df130 —▸ 0x5555555d4330 ◂— ...
05:0028│     0x7fffffff6fd0 ◂— 0x0
... ↓        2 skipped
────────────────────────────────────────────[ BACKTRACE ]─────────────────────────────────────────────
 ► f 0   0x7ffff784acf0 gf_node_get_field+32
   f 1   0x7ffff7b5784a lsr_read_command_list+1402
   f 2   0x7ffff7b59914 lsr_decode_laser_unit+708
   f 3   0x7ffff7b6204d gf_laser_decode_command_list+333
   f 4   0x7ffff7aa1eb1 gf_sm_load_run_isom+1505
   f 5   0x5555555844a8 dump_isom_scene+760
   f 6   0x55555557b42c mp4boxMain+9228
   f 7   0x7ffff75630b3 __libc_start_main+243
──────────────────────────────────────────────────────────────────────────────────────────────────────
pwndbg> bt
#0  0x00007ffff784acf0 in gf_node_get_field () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
#1  0x00007ffff7b5784a in lsr_read_command_list () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
#2  0x00007ffff7b59914 in lsr_decode_laser_unit () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
#3  0x00007ffff7b6204d in gf_laser_decode_command_list () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
#4  0x00007ffff7aa1eb1 in gf_sm_load_run_isom () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
#5  0x00005555555844a8 in dump_isom_scene ()
#6  0x000055555557b42c in mp4boxMain ()
#7  0x00007ffff75630b3 in __libc_start_main (main=0x55555556c420 <main>, argc=3, argv=0x7fffffffe188, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe178) at ../csu/libc-start.c:308
#8  0x000055555556c45e in _start ()

poc_6

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff784acf0 in gf_node_get_field () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
────────────────────────────────────────────[ REGISTERS ]─────────────────────────────────────────────
 RAX  0xbb
 RBX  0x5555555df0f0 —▸ 0x5555555d4300 ◂— 0x0
 RCX  0x5555555df2d0 ◂— 0x0
 RDX  0x7fffffff7000 ◂— 0xbb
 RDI  0x0
 RSI  0x7fffffff7000 ◂— 0xbb
 R8   0xbb
 R9   0x0
 R10  0x7ffff775bb48 ◂— 'gf_node_get_field'
 R11  0x7ffff784acd0 (gf_node_get_field) ◂— endbr64
 R12  0xfffffffe
 R13  0x5555555df250 ◂— 0xbb
 R14  0x7fffffff7000 ◂— 0xbb
 R15  0x5555555dcd80 —▸ 0x5555555d2680 ◂— 0x0
 RBP  0x40
 RSP  0x7fffffff6f58 —▸ 0x7ffff7b5784a (lsr_read_command_list+1402) ◂— mov    eax, dword ptr [rsp + 0xa4]
 RIP  0x7ffff784acf0 (gf_node_get_field+32) ◂— mov    rax, qword ptr [rdi]
──────────────────────────────────────────────[ DISASM ]──────────────────────────────────────────────
 ► 0x7ffff784acf0 <gf_node_get_field+32>     mov    rax, qword ptr [rdi]
   0x7ffff784acf3 <gf_node_get_field+35>     movzx  eax, word ptr [rax]
   0x7ffff784acf6 <gf_node_get_field+38>     test   ax, ax
   0x7ffff784acf9 <gf_node_get_field+41>     je     gf_node_get_field+144                <gf_node_get_field+144>
    ↓
   0x7ffff784ad60 <gf_node_get_field+144>    mov    eax, 0xffffffff
   0x7ffff784ad65 <gf_node_get_field+149>    ret

   0x7ffff784ad66                            nop    word ptr cs:[rax + rax]
   0x7ffff784ad70 <dirty_children>           push   r14
   0x7ffff784ad72 <dirty_children+2>         push   r13
   0x7ffff784ad74 <dirty_children+4>         push   r12
   0x7ffff784ad76 <dirty_children+6>         push   rbp
──────────────────────────────────────────────[ STACK ]───────────────────────────────────────────────
00:0000│ rsp 0x7fffffff6f58 —▸ 0x7ffff7b5784a (lsr_read_command_list+1402) ◂— mov    eax, dword ptr [rsp + 0xa4]
01:0008│     0x7fffffff6f60 ◂— 0x6469005453414c00
02:0010│     0x7fffffff6f68 ◂— 0x900000000
03:0018│     0x7fffffff6f70 ◂— 0x0
04:0020│     0x7fffffff6f78 —▸ 0x5555555df070 —▸ 0x5555555df190 —▸ 0x5555555df0f0 —▸ 0x5555555d4300 ◂— ...
05:0028│     0x7fffffff6f80 ◂— 0x0
... ↓        2 skipped
────────────────────────────────────────────[ BACKTRACE ]─────────────────────────────────────────────
 ► f 0   0x7ffff784acf0 gf_node_get_field+32
   f 1   0x7ffff7b5784a lsr_read_command_list+1402
   f 2   0x7ffff7b59914 lsr_decode_laser_unit+708
   f 3   0x7ffff7b6204d gf_laser_decode_command_list+333
   f 4   0x7ffff7aa1eb1 gf_sm_load_run_isom+1505
   f 5   0x5555555844a8 dump_isom_scene+760
   f 6   0x55555557b42c mp4boxMain+9228
   f 7   0x7ffff75630b3 __libc_start_main+243
──────────────────────────────────────────────────────────────────────────────────────────────────────
pwndbg> bt
#0  0x00007ffff784acf0 in gf_node_get_field () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
#1  0x00007ffff7b5784a in lsr_read_command_list () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
#2  0x00007ffff7b59914 in lsr_decode_laser_unit () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
#3  0x00007ffff7b6204d in gf_laser_decode_command_list () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
#4  0x00007ffff7aa1eb1 in gf_sm_load_run_isom () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
#5  0x00005555555844a8 in dump_isom_scene ()
#6  0x000055555557b42c in mp4boxMain ()
#7  0x00007ffff75630b3 in __libc_start_main (main=0x55555556c420 <main>, argc=3, argv=0x7fffffffe138, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe128) at ../csu/libc-start.c:308
#8  0x000055555556c45e in _start ()
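In both traces RDI is 0 when gf_node_get_field+32 executes `mov rax, qword ptr [rdi]`, so the node pointer handed over from lsr_read_command_list is NULL; the next instructions read a pointer from the first word of the node and then a 16-bit tag through it, returning -1 when the tag is zero. The following C model, added here as an illustration and not code from GPAC or from the reporter, shows the pattern behind that crash and the check that prevents it: a command list decoded from an untrusted file references nodes by id, an unknown id yields a NULL lookup, and the field accessor validates the node pointer before touching memory. All names (`scene_node`, `get_node_field`, `lookup_node`, `apply_commands`, the node table and the command layout) are hypothetical stand-ins, not GPAC's real structures.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Illustrative node layout as the disassembly above implies it: the first word
 * of the node is a pointer to a private block whose first 16-bit field is a
 * type tag. Names are hypothetical, not GPAC's. */
typedef struct {
    uint16_t tag;            /* 0 means "untyped"; the traced function returns -1 for this */
} node_private;

typedef struct {
    node_private *sgprivate; /* read by `mov rax,[rdi]` then `movzx eax,[rax]` */
    uint32_t id;             /* id a command list references the node by */
    uint32_t field_count;    /* number of fields this node type exposes */
} scene_node;

typedef struct {
    uint32_t field_index;
    uint32_t field_type;
} field_info;

enum { OK = 0, ERR_BAD_PARAM = -1, ERR_NOT_FOUND = -2 };

/* Hardened field lookup: every pointer is validated before it is dereferenced,
 * so a NULL node (RDI == 0 in the trace) yields an error code instead of SIGSEGV. */
int get_node_field(const scene_node *node, uint32_t index, field_info *out)
{
    if (!node || !node->sgprivate || !out) return ERR_BAD_PARAM;
    if (node->sgprivate->tag == 0) return ERR_BAD_PARAM;
    if (index >= node->field_count) return ERR_NOT_FOUND;
    out->field_index = index;
    out->field_type  = (uint32_t)node->sgprivate->tag * 100u + index; /* stand-in for real type info */
    return OK;
}

/* Constructed id -> node map standing in for the decoder's node table. */
#define MAX_NODES 4
typedef struct { scene_node *nodes[MAX_NODES]; } node_table;

scene_node *lookup_node(const node_table *t, uint32_t id)
{
    for (int i = 0; i < MAX_NODES; i++)
        if (t->nodes[i] && t->nodes[i]->id == id) return t->nodes[i];
    return NULL; /* a corrupted file can reference an id that was never defined */
}

/* One decoded command: both values come straight from the file, i.e. are untrusted. */
typedef struct { uint32_t node_id; uint32_t field_index; } command;

/* Applies a command list. Returns the number of commands applied, or the first
 * error code. The crash above corresponds to dropping the NULL check below and
 * passing lookup_node()'s result straight into the field accessor. */
int apply_commands(const node_table *t, const command *cmds, size_t n, field_info *out)
{
    int applied = 0;
    for (size_t i = 0; i < n; i++) {
        scene_node *node = lookup_node(t, cmds[i].node_id);
        if (!node) return ERR_NOT_FOUND;
        int rc = get_node_field(node, cmds[i].field_index, &out[i]);
        if (rc != OK) return rc;
        applied++;
    }
    return applied;
}

/* Constructed two-node scene for the stand-alone demo. */
static node_private priv_a = { 7 }, priv_b = { 9 };
static scene_node node_a = { &priv_a, 1, 3 }, node_b = { &priv_b, 2, 2 };
static const node_table demo_scene = { { &node_a, &node_b, NULL, NULL } };

/* Well-formed command list: both ids exist and indices are in range. */
int demo_valid(void)
{
    const command cmds[] = { { 1, 2 }, { 2, 0 } };
    field_info out[2];
    return apply_commands(&demo_scene, cmds, 2, out);   /* returns 2 */
}

/* Malformed list: id 42 was never defined, so lookup_node() returns NULL. */
int demo_unknown_node(void)
{
    const command cmds[] = { { 1, 0 }, { 42, 0 } };
    field_info out[2];
    return apply_commands(&demo_scene, cmds, 2, out);   /* returns ERR_NOT_FOUND */
}

/* Direct NULL node, the exact argument state the register dump shows. */
int demo_null_node(void)
{
    field_info fi;
    return get_node_field(NULL, 0, &fi);                /* returns ERR_BAD_PARAM */
}

int main(void)
{
    printf("valid list   -> %d\n", demo_valid());
    printf("unknown node -> %d\n", demo_unknown_node());
    printf("NULL node    -> %d\n", demo_null_node());
    return 0;
}
```

The point of the example is where the check lives: rejecting the unknown id in the caller is what a decoder should do, but the accessor also refuses a NULL node so that any other caller that forgets the lookup check degrades to an error return rather than a crash. A fuzzer that produced poc_5 and poc_6 would then see a clean parse failure instead of SIGSEGV.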