Null Pointer Dereference in BD_CheckSFTimeOffset() #1969

Closed
3 tasks done
AiDaiP opened this issue Dec 10, 2021 · 1 comment

AiDaiP commented Dec 10, 2021

Thanks for reporting your issue. Please make sure these boxes are checked before submitting your issue - thank you!

Detailed guidelines: http://gpac.io/2013/07/16/how-to-file-a-bug-properly/

A null pointer dereference was discovered in BD_CheckSFTimeOffset(). The vulnerability causes a segmentation fault and application crash.

Version:

MP4Box - GPAC version 1.1.0-DEV-revUNKNOWN_REV
(c) 2000-2021 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io

Please cite our work in your research:
        GPAC Filters: https://doi.org/10.1145/3339825.3394929
        GPAC: https://doi.org/10.1145/1291233.1291452

GPAC Configuration:
Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_JPEG GPAC_HAS_PNG GPAC_HAS_LINUX_DVB  GPAC_DISABLE_3D

System information
Ubuntu 20.04 focal, AMD EPYC 7742 64-Core @ 16x 2.25GHz

command:

./MP4Box -lsr poc_7

poc_7.zip

Result

[iso file] extra box maxr found in hinf, deleting
[iso file] extra box maxr found in hinf, deleting
[iso file] Unknown box type 80rak in parent moov
[iso file] Incomplete box mdat - start 11495 size 796203
[iso file] Incomplete file while reading for dump - aborting parsing
[iso file] extra box maxr found in hinf, deleting
[iso file] extra box maxr found in hinf, deleting
[iso file] Unknown box type 80rak in parent moov
[iso file] Incomplete box mdat - start 11495 size 796203
[iso file] Incomplete file while reading for dump - aborting parsing
MPEG-4 BIFS Scene Parsing
[1]    1900424 segmentation fault  ./MP4Box -lsr ./poc/poc_7

gdb

Program received signal SIGSEGV, Segmentation fault.
__strcasecmp_l_avx () at ../sysdeps/x86_64/multiarch/strcmp-sse42.S:199
199     ../sysdeps/x86_64/multiarch/strcmp-sse42.S: No such file or directory.
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
────────────────────────────────────────────[ REGISTERS ]─────────────────────────────────────────────
 RAX  0x0
 RBX  0x5555555decb0 ◂— 0x0
*RCX  0x17
*RDX  0x7ffff77284a0 (_nl_global_locale) —▸ 0x7ffff77246c0 (_nl_C_LC_CTYPE) —▸ 0x7ffff76f4fc6 (_nl_C_name) ◂— 0x636d656d5f5f0043 /* 'C' */
*RDI  0x0
*RSI  0x7ffff7dfd2d7 ◂— 'startTime'
 R8   0x0
 R9   0x0
*R10  0x7ffff775b844 ◂— 'gf_node_get_tag'
*R11  0x7ffff7849790 (gf_node_get_tag) ◂— endbr64
*R12  0x0
 R13  0x5555555dfe70 —▸ 0x5555555dfed0 ◂— 0x100000067 /* 'g' */
 R14  0x5555555dff50 ◂— 0x21e8e8512be35500
 R15  0x0
*RBP  0x7fffffff6740 ◂— 0x200000002
*RSP  0x7fffffff6688 —▸ 0x7ffff790dc51 (BD_CheckSFTimeOffset+49) ◂— test   eax, eax
*RIP  0x7ffff76c4089 (__strcasecmp_l_avx+69) ◂— vmovdqu xmm1, xmmword ptr [rdi]
──────────────────────────────────────────────[ DISASM ]──────────────────────────────────────────────
   0x7ffff76c4077 <__strcasecmp_l_avx+51>    vmovdqa xmm6, xmmword ptr [rip + 0x378f1]
   0x7ffff76c407f <__strcasecmp_l_avx+59>    cmp    ecx, 0x30
   0x7ffff76c4082 <__strcasecmp_l_avx+62>    ja     __strcasecmp_l_avx+172                <__strcasecmp_l_avx+172>

   0x7ffff76c4084 <__strcasecmp_l_avx+64>    cmp    eax, 0x30
   0x7ffff76c4087 <__strcasecmp_l_avx+67>    ja     __strcasecmp_l_avx+172                <__strcasecmp_l_avx+172>

 ► 0x7ffff76c4089 <__strcasecmp_l_avx+69>    vmovdqu xmm1, xmmword ptr [rdi]
   0x7ffff76c408d <__strcasecmp_l_avx+73>    vmovdqu xmm2, xmmword ptr [rsi]
   0x7ffff76c4091 <__strcasecmp_l_avx+77>    vpcmpgtb xmm7, xmm1, xmm4
   0x7ffff76c4095 <__strcasecmp_l_avx+81>    vpcmpgtb xmm8, xmm1, xmm5
   0x7ffff76c4099 <__strcasecmp_l_avx+85>    vpcmpgtb xmm9, xmm2, xmm4
   0x7ffff76c409d <__strcasecmp_l_avx+89>    vpcmpgtb xmm10, xmm2, xmm5
──────────────────────────────────────────────[ STACK ]───────────────────────────────────────────────
00:0000│ rsp 0x7fffffff6688 —▸ 0x7ffff790dc51 (BD_CheckSFTimeOffset+49) ◂— test   eax, eax
01:0008│     0x7fffffff6690 —▸ 0x5555555decb0 ◂— 0x0
02:0010│     0x7fffffff6698 —▸ 0x5555555d26d0 ◂— 0x0
03:0018│     0x7fffffff66a0 —▸ 0x7fffffff6740 ◂— 0x200000002
04:0020│     0x7fffffff66a8 —▸ 0x7ffff790ed35 (gf_bifs_dec_sf_field+2053) ◂— mov    eax, dword ptr [rbx]
05:0028│     0x7fffffff66b0 —▸ 0x5555555dfe90 ◂— 0x11cb
06:0030│     0x7fffffff66b8 ◂— 0x22 /* '"' */
07:0038│     0x7fffffff66c0 ◂— 0x11cb
────────────────────────────────────────────[ BACKTRACE ]─────────────────────────────────────────────
 ► f 0   0x7ffff76c4089 __strcasecmp_l_avx+69
   f 1   0x7ffff790dc51 BD_CheckSFTimeOffset+49
   f 2   0x7ffff790ed35 gf_bifs_dec_sf_field+2053
   f 3   0x7ffff790f4c0 BD_DecMFFieldVec+656
   f 4   0x7ffff790fa3f gf_bifs_dec_node_mask+287
   f 5   0x7ffff790e158 gf_bifs_dec_node+936
   f 6   0x7ffff79062f8 gf_bifs_dec_proto_list+1560
   f 7   0x7ffff7906559 BD_DecSceneReplace+73
──────────────────────────────────────────────────────────────────────────────────────────────────────
pwndbg> bt
#0  __strcasecmp_l_avx () at ../sysdeps/x86_64/multiarch/strcmp-sse42.S:199
#1  0x00007ffff790dc51 in BD_CheckSFTimeOffset () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
#2  0x00007ffff790ed35 in gf_bifs_dec_sf_field () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
#3  0x00007ffff790f4c0 in BD_DecMFFieldVec () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
#4  0x00007ffff790fa3f in gf_bifs_dec_node_mask () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
#5  0x00007ffff790e158 in gf_bifs_dec_node () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
#6  0x00007ffff79062f8 in gf_bifs_dec_proto_list () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
#7  0x00007ffff7906559 in BD_DecSceneReplace () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
#8  0x00007ffff7914e5e in BM_SceneReplace () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
#9  0x00007ffff7915023 in BM_ParseCommand () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
#10 0x00007ffff7915353 in gf_bifs_decode_command_list () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
#11 0x00007ffff7aa1d91 in gf_sm_load_run_isom () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
#12 0x00005555555844a8 in dump_isom_scene ()
#13 0x000055555557b42c in mp4boxMain ()
#14 0x00007ffff75630b3 in __libc_start_main (main=0x55555556c420 <main>, argc=3, argv=0x7fffffffe188, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe178) at ../csu/libc-start.c:308
#15 0x000055555556c45e in _start ()

break BD_CheckSFTimeOffset

0x00007ffff790dc4c in BD_CheckSFTimeOffset () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
────────────────────────────────────────────[ REGISTERS ]─────────────────────────────────────────────
 RAX  0x67
 RBX  0x5555555decb0 ◂— 0x0
 RCX  0x0
 RDX  0x7fffffff6740 ◂— 0x200000002
*RDI  0x0
 RSI  0x7ffff7dfd2d7 ◂— 'startTime'
 R8   0x0
 R9   0x0
 R10  0x7ffff775b844 ◂— 'gf_node_get_tag'
 R11  0x7ffff7849790 (gf_node_get_tag) ◂— endbr64
 R12  0x0
 R13  0x5555555dfe70 —▸ 0x5555555dfed0 ◂— 0x100000067 /* 'g' */
 R14  0x5555555dff50 ◂— 0x21e8e8512be35500
 R15  0x0
 RBP  0x7fffffff6740 ◂— 0x200000002
 RSP  0x7fffffff6690 —▸ 0x5555555decb0 ◂— 0x0
*RIP  0x7ffff790dc4c (BD_CheckSFTimeOffset+44) ◂— call   0x7ffff77e0db0
──────────────────────────────────────────────[ DISASM ]──────────────────────────────────────────────
   0x7ffff790dc39 <BD_CheckSFTimeOffset+25>    cmp    eax, 1
   0x7ffff790dc3c <BD_CheckSFTimeOffset+28>    je     BD_CheckSFTimeOffset+144                <BD_CheckSFTimeOffset+144>

   0x7ffff790dc3e <BD_CheckSFTimeOffset+30>    mov    r12, qword ptr [rbp + 0x10]
   0x7ffff790dc42 <BD_CheckSFTimeOffset+34>    lea    rsi, [rip + 0x4ef68e]
   0x7ffff790dc49 <BD_CheckSFTimeOffset+41>    mov    rdi, r12
 ► 0x7ffff790dc4c <BD_CheckSFTimeOffset+44>    call   strcasecmp@plt                <strcasecmp@plt>
        s1: 0x0
        s2: 0x7ffff7dfd2d7 ◂— 'startTime'

   0x7ffff790dc51 <BD_CheckSFTimeOffset+49>    test   eax, eax
   0x7ffff790dc53 <BD_CheckSFTimeOffset+51>    jne    BD_CheckSFTimeOffset+112                <BD_CheckSFTimeOffset+112>

   0x7ffff790dc55 <BD_CheckSFTimeOffset+53>    mov    edx, dword ptr [rbx + 0x6c]
   0x7ffff790dc58 <BD_CheckSFTimeOffset+56>    test   edx, edx
   0x7ffff790dc5a <BD_CheckSFTimeOffset+58>    jne    BD_CheckSFTimeOffset+80                <BD_CheckSFTimeOffset+80>
──────────────────────────────────────────────[ STACK ]───────────────────────────────────────────────
00:0000│ rsp 0x7fffffff6690 —▸ 0x5555555decb0 ◂— 0x0
01:0008│     0x7fffffff6698 —▸ 0x5555555d26d0 ◂— 0x0
02:0010│     0x7fffffff66a0 —▸ 0x7fffffff6740 ◂— 0x200000002
03:0018│     0x7fffffff66a8 —▸ 0x7ffff790ed35 (gf_bifs_dec_sf_field+2053) ◂— mov    eax, dword ptr [rbx]
04:0020│     0x7fffffff66b0 —▸ 0x5555555dfe90 ◂— 0x11cb
05:0028│     0x7fffffff66b8 ◂— 0x22 /* '"' */
06:0030│     0x7fffffff66c0 ◂— 0x11cb
07:0038│     0x7fffffff66c8 —▸ 0x7fffffff67d0 ◂— 0x2200000002
────────────────────────────────────────────[ BACKTRACE ]─────────────────────────────────────────────
 ► f 0   0x7ffff790dc4c BD_CheckSFTimeOffset+44
   f 1   0x7ffff790ed35 gf_bifs_dec_sf_field+2053
   f 2   0x7ffff790f4c0 BD_DecMFFieldVec+656
   f 3   0x7ffff790fa3f gf_bifs_dec_node_mask+287
   f 4   0x7ffff790e158 gf_bifs_dec_node+936
   f 5   0x7ffff79062f8 gf_bifs_dec_proto_list+1560
   f 6   0x7ffff7906559 BD_DecSceneReplace+73
   f 7   0x7ffff7914e5e BM_SceneReplace+110
Program received signal SIGSEGV, Segmentation fault.
__strcasecmp_l_avx () at ../sysdeps/x86_64/multiarch/strcmp-sse42.S:199
199     in ../sysdeps/x86_64/multiarch/strcmp-sse42.S
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
────────────────────────────────────────────[ REGISTERS ]─────────────────────────────────────────────
 RAX  0x0
 RBX  0x5555555decb0 ◂— 0x0
 RCX  0x17
 RDX  0x7ffff77284a0 (_nl_global_locale) —▸ 0x7ffff77246c0 (_nl_C_LC_CTYPE) —▸ 0x7ffff76f4fc6 (_nl_C_name) ◂— 0x636d656d5f5f0043 /* 'C' */
 RDI  0x0
 RSI  0x7ffff7dfd2d7 ◂— 'startTime'
 R8   0x0
 R9   0x0
 R10  0x7ffff775b844 ◂— 'gf_node_get_tag'
 R11  0x7ffff7849790 (gf_node_get_tag) ◂— endbr64
 R12  0x0
 R13  0x5555555dfe70 —▸ 0x5555555dfed0 ◂— 0x100000067 /* 'g' */
 R14  0x5555555dff50 ◂— 0x21e8e8512be35500
 R15  0x0
 RBP  0x7fffffff6740 ◂— 0x200000002
 RSP  0x7fffffff6688 —▸ 0x7ffff790dc51 (BD_CheckSFTimeOffset+49) ◂— test   eax, eax
 RIP  0x7ffff76c4089 (__strcasecmp_l_avx+69) ◂— vmovdqu xmm1, xmmword ptr [rdi]
──────────────────────────────────────────────[ DISASM ]──────────────────────────────────────────────
   0x7ffff76c4077 <__strcasecmp_l_avx+51>    vmovdqa xmm6, xmmword ptr [rip + 0x378f1]
   0x7ffff76c407f <__strcasecmp_l_avx+59>    cmp    ecx, 0x30
   0x7ffff76c4082 <__strcasecmp_l_avx+62>    ja     __strcasecmp_l_avx+172                <__strcasecmp_l_avx+172>

   0x7ffff76c4084 <__strcasecmp_l_avx+64>    cmp    eax, 0x30
   0x7ffff76c4087 <__strcasecmp_l_avx+67>    ja     __strcasecmp_l_avx+172                <__strcasecmp_l_avx+172>

 ► 0x7ffff76c4089 <__strcasecmp_l_avx+69>    vmovdqu xmm1, xmmword ptr [rdi]
   0x7ffff76c408d <__strcasecmp_l_avx+73>    vmovdqu xmm2, xmmword ptr [rsi]
   0x7ffff76c4091 <__strcasecmp_l_avx+77>    vpcmpgtb xmm7, xmm1, xmm4
   0x7ffff76c4095 <__strcasecmp_l_avx+81>    vpcmpgtb xmm8, xmm1, xmm5
   0x7ffff76c4099 <__strcasecmp_l_avx+85>    vpcmpgtb xmm9, xmm2, xmm4
   0x7ffff76c409d <__strcasecmp_l_avx+89>    vpcmpgtb xmm10, xmm2, xmm5
──────────────────────────────────────────────[ STACK ]───────────────────────────────────────────────
00:0000│ rsp 0x7fffffff6688 —▸ 0x7ffff790dc51 (BD_CheckSFTimeOffset+49) ◂— test   eax, eax
01:0008│     0x7fffffff6690 —▸ 0x5555555decb0 ◂— 0x0
02:0010│     0x7fffffff6698 —▸ 0x5555555d26d0 ◂— 0x0
03:0018│     0x7fffffff66a0 —▸ 0x7fffffff6740 ◂— 0x200000002
04:0020│     0x7fffffff66a8 —▸ 0x7ffff790ed35 (gf_bifs_dec_sf_field+2053) ◂— mov    eax, dword ptr [rbx]
05:0028│     0x7fffffff66b0 —▸ 0x5555555dfe90 ◂— 0x11cb
06:0030│     0x7fffffff66b8 ◂— 0x22 /* '"' */
07:0038│     0x7fffffff66c0 ◂— 0x11cb
────────────────────────────────────────────[ BACKTRACE ]─────────────────────────────────────────────
 ► f 0   0x7ffff76c4089 __strcasecmp_l_avx+69
   f 1   0x7ffff790dc51 BD_CheckSFTimeOffset+49
   f 2   0x7ffff790ed35 gf_bifs_dec_sf_field+2053
   f 3   0x7ffff790f4c0 BD_DecMFFieldVec+656
   f 4   0x7ffff790fa3f gf_bifs_dec_node_mask+287
   f 5   0x7ffff790e158 gf_bifs_dec_node+936
   f 6   0x7ffff79062f8 gf_bifs_dec_proto_list+1560
   f 7   0x7ffff7906559 BD_DecSceneReplace+73
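The trace above pins the fault to a single call: BD_CheckSFTimeOffset passes a NULL field name as the first argument of strcasecmp ("s1: 0x0", RDI = 0x0) while the second argument is the literal "startTime", and the libc AVX routine faults on its first load from address 0. The program below is an added example, not GPAC code, that models the same shape of check and the guard that prevents it: the `field_info` type, the `str_ieq_safe`, `is_time_field` and `count_time_fields` functions, and the `sample_fields` table are all hypothetical stand-ins constructed for this illustration; only the "startTime" string comes from the page.

```c
#include <stddef.h>
#include <stdio.h>
#include <strings.h>   /* strcasecmp() */

/* Added example, not GPAC code. The crash trace shows
   strcasecmp(field_name, "startTime") being called with field_name == NULL,
   so libc reads address 0 and raises SIGSEGV. The hypothetical types and
   table below model that situation and the NULL-tolerant form of the check. */

/* Hypothetical field descriptor: the decoder hands the checker one of these
   per node field. The name pointer may legitimately be NULL on malformed or
   unexpected input (e.g. a field the node does not define). */
typedef struct {
    unsigned int index;
    const char *name;
} field_info;

/* NULL-tolerant case-insensitive equality. strcasecmp() itself does no
   NULL handling, so the guard has to live in the caller. */
static int str_ieq_safe(const char *a, const char *b)
{
    if (a == NULL || b == NULL) return 0;
    return strcasecmp(a, b) == 0;
}

/* Hardened form of the check: a missing name is simply "not a time field",
   which is the behaviour a decoder wants when fed a corrupted scene. */
static int is_time_field(const field_info *f)
{
    if (f == NULL) return 0;
    return str_ieq_safe(f->name, "startTime");
}

/* Walk a node's field list and count the fields that would need a time
   offset applied. Returns -1 on a NULL list so callers can tell "no list"
   from "no time fields". */
static int count_time_fields(const field_info *fields, size_t n)
{
    size_t i;
    int count = 0;
    if (fields == NULL) return -1;
    for (i = 0; i < n; i++) {
        if (is_time_field(&fields[i])) count++;
    }
    return count;
}

/* Constructed sample input: two spellings of the time field, one unnamed
   field (the case that crashed in the trace), and one unrelated field. */
static const field_info sample_fields[] = {
    {0, "startTime"},
    {1, "STARTTIME"},
    {2, NULL},
    {3, "size"},
};
static const size_t sample_count = sizeof(sample_fields) / sizeof(sample_fields[0]);

int main(void)
{
    size_t i;
    for (i = 0; i < sample_count; i++) {
        printf("field %u (%s): %s\n", sample_fields[i].index,
               sample_fields[i].name ? sample_fields[i].name : "<no name>",
               is_time_field(&sample_fields[i]) ? "time field" : "other");
    }
    printf("time fields: %d\n", count_time_fields(sample_fields, sample_count));
    return 0;
}
```

The unnamed entry in `sample_fields` is the interesting one: with a bare `strcasecmp` it would reproduce the SIGSEGV, with the guarded comparison it is classified as an ordinary field and decoding continues. In a fuzzing setup this is the difference between a crash finding and a quietly rejected input, which is why such guards belong at the boundary where untrusted scene data first reaches string-comparison code.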
@jeanlf
Member

jeanlf commented Dec 13, 2021

fixed see #1968, thanks for the POC

@jeanlf jeanlf closed this as completed Dec 13, 2021