infinite loop in gf_get_bit_size() #1973

Closed
ZFeiXQ opened this issue Dec 10, 2021 · 2 comments
Comments

@ZFeiXQ

ZFeiXQ commented Dec 10, 2021

Thanks for reporting your issue. Please make sure these boxes are checked before submitting your issue - thank you!

Detailed guidelines: http://gpac.io/2013/07/16/how-to-file-a-bug-properly/

Version:

```
./MP4Box -version
MP4Box - GPAC version 1.1.0-DEV-rev1527-g6fcf9819e-master
(c) 2000-2021 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
 MINI build (encoders, decoders, audio and video output disabled)

Please cite our work in your research:
 GPAC Filters: https://doi.org/10.1145/3339825.3394929
 GPAC: https://doi.org/10.1145/1291233.1291452

GPAC Configuration: --static-mp4box --prefix=/home/zxq/CVE_testing/sourceproject/gpac/cmakebuild --enable-debug
Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_FREETYPE GPAC_HAS_JPEG GPAC_HAS_PNG  GPAC_DISABLE_3D
```

System information
Ubuntu 20.04.1 LTS, gcc version 9.3.0 (Ubuntu 9.3.0-17ubuntu1~20.04)

command:

```
./bin/gcc/MP4Box -hint POC
```

Result

...

**GDB information**

```
[----------------------------------registers-----------------------------------]
RAX: 0x20000 
RBX: 0x80 
RCX: 0xe9b05a71 
RDX: 0x1 
RSI: 0x6a6a6ab8 
RDI: 0x6a6a6ab8 
RBP: 0x5555555e1630 --> 0x1 
RSP: 0x7fffffff8078 --> 0x7ffff7875506 (<gf_rtp_builder_init+2342>:	mov    ebx,DWORD PTR [rbp+0x90])
RIP: 0x7ffff7788927 (<gf_get_bit_size+23>:	cmp    eax,edi)
R8 : 0x0 
R9 : 0x20 (' ')
R10: 0x7ffff76d955a ("gf_rtp_builder_init")
R11: 0x2 
R12: 0x59e 
R13: 0x60 ('`')
R14: 0x5555555e1750 --> 0x0 
R15: 0x0
EFLAGS: 0x206 (carry PARITY adjust zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x7ffff7788920 <gf_get_bit_size+16>:	add    ecx,0x1
   0x7ffff7788923 <gf_get_bit_size+19>:	mov    eax,edx
   0x7ffff7788925 <gf_get_bit_size+21>:	shl    eax,cl
=> 0x7ffff7788927 <gf_get_bit_size+23>:	cmp    eax,edi
   0x7ffff7788929 <gf_get_bit_size+25>:	jle    0x7ffff7788920 <gf_get_bit_size+16>
   0x7ffff778892b <gf_get_bit_size+27>:	mov    eax,ecx
   0x7ffff778892d <gf_get_bit_size+29>:	ret    
   0x7ffff778892e:	xchg   ax,ax
[------------------------------------stack-------------------------------------]
0000| 0x7fffffff8078 --> 0x7ffff7875506 (<gf_rtp_builder_init+2342>:	mov    ebx,DWORD PTR [rbp+0x90])
0008| 0x7fffffff8080 --> 0x24a 
0016| 0x7fffffff8088 --> 0xfc7 
0024| 0x7fffffff8090 --> 0x32ce10ac 
0032| 0x7fffffff8098 --> 0x6a6a6ab800000020 
0040| 0x7fffffff80a0 --> 0x2 
0048| 0x7fffffff80a8 --> 0x62 ('b')
0056| 0x7fffffff80b0 --> 0x5555555dfb90 --> 0x5555555da930 --> 0x0 
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGINT
0x00007ffff7788927 in gf_get_bit_size () from /home/zxq/CVE_testing/sourceproject/momey/gpac/bin/gcc/libgpac.so.10
gdb-peda$ bt
#0  0x00007ffff7788927 in gf_get_bit_size () from /home/zxq/CVE_testing/sourceproject/momey/gpac/bin/gcc/libgpac.so.10
#1  0x00007ffff7875506 in gf_rtp_builder_init () from /home/zxq/CVE_testing/sourceproject/momey/gpac/bin/gcc/libgpac.so.10
#2  0x00007ffff7a0ec5c in gf_hinter_track_new () from /home/zxq/CVE_testing/sourceproject/momey/gpac/bin/gcc/libgpac.so.10
#3  0x000055555557958b in HintFile ()
#4  0x000055555557d257 in mp4boxMain ()
#5  0x00007ffff74df0b3 in __libc_start_main (main=0x55555556d420 <main>, argc=0x3, argv=0x7fffffffe308, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe2f8)
    at ../csu/libc-start.c:308
#6  0x000055555556d45e in _start ()
gdb-peda$ 
```
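The loop visible in the disassembly above (`add ecx,1` / `shl eax,cl` / `cmp eax,edi` / `jle`), reconstructed in C as an added example beside a terminating version. This is not GPAC's source and not the fix in fb13af3; the argument `0x6a6a6ab8` is the value in RDI at the time of the SIGINT, and the step budget is an assumption added so the demonstration returns instead of hanging.

```c
#include <stdint.h>
#include <stdio.h>

/* Model of the disassembled loop: keep shifting a 1 left until the
 * probe, compared as a SIGNED 32-bit value, exceeds max_val. On x86 the
 * shift count is masked to 5 bits, so once k reaches 32 the probe wraps
 * back to 1 and the loop never exits for any max_val >= 0x40000000
 * (1 << 31 is negative under the signed compare). The budget is not in
 * the real loop; it is added so the model returns -1 instead of spinning. */
int bit_size_as_disassembled(uint32_t max_val, unsigned budget)
{
    uint32_t k = 0;
    for (;;) {
        uint32_t probe = (uint32_t)1 << (k & 31); /* emulate x86 count mask */
        if ((int32_t)probe > (int32_t)max_val)
            return (int)k;
        k++;
        if (budget-- == 0)
            return -1; /* would not terminate without the budget */
    }
}

/* Terminating version: count the bits needed to represent max_val by
 * shifting the value right, never shifting a probe past the word width.
 * Agrees with the loop above on every input where that loop terminates. */
unsigned bit_size_safe(uint32_t max_val)
{
    unsigned k = 0;
    while (k < 32 && (max_val >> k) != 0)
        k++;
    return k;
}

int main(void)
{
    uint32_t from_rdi = 0x6a6a6ab8u; /* RDI in the register dump above */
    printf("model(0x%08x) = %d (−1 means no termination)\n",
           from_rdi, bit_size_as_disassembled(from_rdi, 64));
    printf("safe(0x%08x)  = %u bits\n", from_rdi, bit_size_safe(from_rdi));
    printf("model(100) = %d, safe(100) = %u\n",
           bit_size_as_disassembled(100, 64), bit_size_safe(100));
    return 0;
}
```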

@jeanlf
Contributor

jeanlf commented Dec 13, 2021

could you update the POC ?

@ZFeiXQ
Author

ZFeiXQ commented Dec 14, 2021

POC.zip

@jeanlf jeanlf closed this as completed in fb13af3 Dec 14, 2021