Thanks for reporting your issue. Please make sure these boxes are checked before submitting your issue - thank you!
Detailed guidelines: http://gpac.io/2013/07/16/how-to-file-a-bug-properly/
An invalid call was discovered in gf_node_changed(). The vulnerability causes a segmentation fault and application crash.
Version:
MP4Box - GPAC version 1.1.0-DEV-revUNKNOWN_REV
(c) 2000-2021 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
Please cite our work in your research:
    GPAC Filters: https://doi.org/10.1145/3339825.3394929
    GPAC: https://doi.org/10.1145/1291233.1291452
GPAC Configuration:
Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_JPEG GPAC_HAS_PNG GPAC_HAS_LINUX_DVB GPAC_DISABLE_3D
System information:
Ubuntu 20.04 focal, AMD EPYC 7742 64-Core @ 16x 2.25GHz
command:
./MP4Box -bt ./poc/poc_11
poc_11.zip
Result:
./MP4Box -bt ./poc/poc_10
[iso file] extra box maxr found in hinf, deleting
[iso file] Unknown box type traI in parent moov
[iso file] Box "stss" (start 9939) has 32 extra bytes
[iso file] extra box maxr found in hinf, deleting
[iso file] Track with no sample description box !
[iso file] Incomplete box mdat - start 11495 size 861261
[iso file] Incomplete file while reading for dump - aborting parsing
[iso file] extra box maxr found in hinf, deleting
[iso file] Unknown box type traI in parent moov
[iso file] Box "stss" (start 9939) has 32 extra bytes
[iso file] extra box maxr found in hinf, deleting
[iso file] Track with no sample description box !
[iso file] Incomplete box mdat - start 11495 size 861261
[iso file] Incomplete file while reading for dump - aborting parsing
MPEG-4 BIFS Scene Parsing
[1]    1142870 segmentation fault  ./MP4Box -bt ./poc/poc_10
gdb
Program received signal SIGSEGV, Segmentation fault.
0x0000000000000001 in ?? ()
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
────────────────────────────────────────────[ REGISTERS ]─────────────────────────────────────────────
 RAX  0x1
 RBX  0x7fffffff6bc0 ◂— 0x0
 RCX  0x7fffffff6bc0 ◂— 0x0
 RDX  0x5555555e6230 —▸ 0x5555555e6270 ◂— 0x0
 RDI  0x0
 RSI  0x1
 R8   0x0
 R9   0x0
 R10  0x7ffff775ba62 ◂— 'gf_node_changed'
 R11  0x7ffff784a0f0 (gf_node_changed) ◂— endbr64
 R12  0x5555555c6010 ◂— 0x200000002
 R13  0x5555555e5100 ◂— 0x0
 R14  0x5555555e6230 —▸ 0x5555555e6270 ◂— 0x0
 R15  0x7fffffff6bc0 ◂— 0x0
 RBP  0x5555555e6230 —▸ 0x5555555e6270 ◂— 0x0
 RSP  0x7fffffff6a88 —▸ 0x7ffff784a1ca (gf_node_changed+218) ◂— test rbx, rbx
 RIP  0x1
──────────────────────────────────────────────[ DISASM ]──────────────────────────────────────────────
Invalid address 0x1
──────────────────────────────────────────────[ STACK ]───────────────────────────────────────────────
00:0000│ rsp 0x7fffffff6a88 —▸ 0x7ffff784a1ca (gf_node_changed+218) ◂— test rbx, rbx
01:0008│     0x7fffffff6a90 ◂— 0x0
... ↓        3 skipped
05:0028│     0x7fffffff6ab0 ◂— 0x7374636f /* 'octs' */
06:0030│     0x7fffffff6ab8 —▸ 0x5555555e4fd0 ◂— 0x7374636f /* 'octs' */
07:0038│     0x7fffffff6ac0 ◂— 0x2
────────────────────────────────────────────[ BACKTRACE ]─────────────────────────────────────────────
 ► f 0 0x1
   f 1 0x7ffff784a1ca gf_node_changed+218
   f 2 0x7ffff784b675 gf_sg_reset+805
   f 3 0x7ffff784ba47 gf_sg_del+55
   f 4 0x7ffff788b7f8 gf_sg_proto_del+424
   f 5 0x7ffff7905f88 gf_bifs_dec_proto_list+680
   f 6 0x7ffff7913a11 BM_ParseInsert+769
   f 7 0x7ffff7914fe1 BM_ParseCommand+113
──────────────────────────────────────────────────────────────────────────────────────────────────────
pwndbg> bt
#0  0x0000000000000001 in ?? ()
#1  0x00007ffff784a1ca in gf_node_changed () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
#2  0x00007ffff784b675 in gf_sg_reset () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
#3  0x00007ffff784ba47 in gf_sg_del () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
#4  0x00007ffff788b7f8 in gf_sg_proto_del () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
#5  0x00007ffff7905f88 in gf_bifs_dec_proto_list () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
#6  0x00007ffff7913a11 in BM_ParseInsert () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
#7  0x00007ffff7914fe1 in BM_ParseCommand () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
#8  0x00007ffff7915353 in gf_bifs_decode_command_list () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
#9  0x00007ffff7aa1d91 in gf_sm_load_run_isom () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
#10 0x00005555555844a8 in dump_isom_scene ()
#11 0x000055555557b42c in mp4boxMain ()
#12 0x00007ffff75630b3 in __libc_start_main (main=0x55555556c420 <main>, argc=3, argv=0x7fffffffe1b8, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe1a8) at ../csu/libc-start.c:308
#13 0x000055555556c45e in _start ()
break gf_node_changed
pwndbg>
0x00007ffff784a1c8 in gf_node_changed () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
────────────────────────────────────────────[ REGISTERS ]─────────────────────────────────────────────
 RAX  0x1
 RBX  0x7fffffff6bc0 ◂— 0x0
 RCX  0x7fffffff6bc0 ◂— 0x0
 RDX  0x5555555e6230 —▸ 0x5555555e6270 ◂— 0x0
 RDI  0x0
*RSI  0x1
 R8   0x0
 R9   0x0
 R10  0x7ffff775ba62 ◂— 'gf_node_changed'
 R11  0x7ffff784a0f0 (gf_node_changed) ◂— endbr64
 R12  0x5555555c6010 ◂— 0x200000002
 R13  0x5555555e5100 ◂— 0x0
 R14  0x5555555e6230 —▸ 0x5555555e6270 ◂— 0x0
 R15  0x7fffffff6bc0 ◂— 0x0
 RBP  0x5555555e6230 —▸ 0x5555555e6270 ◂— 0x0
 RSP  0x7fffffff6a90 ◂— 0x0
*RIP  0x7ffff784a1c8 (gf_node_changed+216) ◂— call rax
──────────────────────────────────────────────[ DISASM ]──────────────────────────────────────────────
   0x7ffff784a1b6 <gf_node_changed+198>    je     gf_node_changed+223 <gf_node_changed+223>
   0x7ffff784a1b8 <gf_node_changed+200>    mov    rdi, qword ptr [r12 + 0x28]
   0x7ffff784a1bd <gf_node_changed+205>    mov    rcx, rbx
   0x7ffff784a1c0 <gf_node_changed+208>    mov    rdx, rbp
   0x7ffff784a1c3 <gf_node_changed+211>    mov    esi, 1
 ► 0x7ffff784a1c8 <gf_node_changed+216>    call   rax <1>
   0x7ffff784a1ca <gf_node_changed+218>    test   rbx, rbx
   0x7ffff784a1cd <gf_node_changed+221>    je     gf_node_changed+233 <gf_node_changed+233>
   0x7ffff784a1cf <gf_node_changed+223>    mov    eax, dword ptr [rbx]
   0x7ffff784a1d1 <gf_node_changed+225>    sub    eax, 0x63
   0x7ffff784a1d4 <gf_node_changed+228>    and    eax, 0xfffffffd
──────────────────────────────────────────────[ STACK ]───────────────────────────────────────────────
00:0000│ rsp 0x7fffffff6a90 ◂— 0x0
... ↓        3 skipped
04:0020│     0x7fffffff6ab0 ◂— 0x7374636f /* 'octs' */
05:0028│     0x7fffffff6ab8 —▸ 0x5555555e4fd0 ◂— 0x7374636f /* 'octs' */
06:0030│     0x7fffffff6ac0 ◂— 0x2
07:0038│     0x7fffffff6ac8 ◂— 0x8000000000000006
────────────────────────────────────────────[ BACKTRACE ]─────────────────────────────────────────────
 ► f 0 0x7ffff784a1c8 gf_node_changed+216
   f 1 0x7ffff784b675 gf_sg_reset+805
   f 2 0x7ffff784ba47 gf_sg_del+55
   f 3 0x7ffff788b7f8 gf_sg_proto_del+424
   f 4 0x7ffff7905f88 gf_bifs_dec_proto_list+680
   f 5 0x7ffff7913a11 BM_ParseInsert+769
   f 6 0x7ffff7914fe1 BM_ParseCommand+113
   f 7 0x7ffff7915353 gf_bifs_decode_command_list+163
──────────────────────────────────────────────────────────────────────────────────────────────────────
pwndbg>
Program received signal SIGSEGV, Segmentation fault.
0x0000000000000001 in ?? ()
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
────────────────────────────────────────────[ REGISTERS ]─────────────────────────────────────────────
 RAX  0x1
 RBX  0x7fffffff6bc0 ◂— 0x0
 RCX  0x7fffffff6bc0 ◂— 0x0
 RDX  0x5555555e6230 —▸ 0x5555555e6270 ◂— 0x0
 RDI  0x0
 RSI  0x1
 R8   0x0
 R9   0x0
 R10  0x7ffff775ba62 ◂— 'gf_node_changed'
 R11  0x7ffff784a0f0 (gf_node_changed) ◂— endbr64
 R12  0x5555555c6010 ◂— 0x200000002
 R13  0x5555555e5100 ◂— 0x0
 R14  0x5555555e6230 —▸ 0x5555555e6270 ◂— 0x0
 R15  0x7fffffff6bc0 ◂— 0x0
 RBP  0x5555555e6230 —▸ 0x5555555e6270 ◂— 0x0
*RSP  0x7fffffff6a88 —▸ 0x7ffff784a1ca (gf_node_changed+218) ◂— test rbx, rbx
*RIP  0x1
──────────────────────────────────────────────[ DISASM ]──────────────────────────────────────────────
Invalid address 0x1
──────────────────────────────────────────────[ STACK ]───────────────────────────────────────────────
00:0000│ rsp 0x7fffffff6a88 —▸ 0x7ffff784a1ca (gf_node_changed+218) ◂— test rbx, rbx
01:0008│     0x7fffffff6a90 ◂— 0x0
... ↓        3 skipped
05:0028│     0x7fffffff6ab0 ◂— 0x7374636f /* 'octs' */
06:0030│     0x7fffffff6ab8 —▸ 0x5555555e4fd0 ◂— 0x7374636f /* 'octs' */
07:0038│     0x7fffffff6ac0 ◂— 0x2
────────────────────────────────────────────[ BACKTRACE ]─────────────────────────────────────────────
 ► f 0 0x1
   f 1 0x7ffff784a1ca gf_node_changed+218
   f 2 0x7ffff784b675 gf_sg_reset+805
   f 3 0x7ffff784ba47 gf_sg_del+55
   f 4 0x7ffff788b7f8 gf_sg_proto_del+424
   f 5 0x7ffff7905f88 gf_bifs_dec_proto_list+680
   f 6 0x7ffff7913a11 BM_ParseInsert+769
   f 7 0x7ffff7914fe1 BM_ParseCommand+113
──────────────────────────────────────────────────────────────────────────────────────────────────────
pwndbg>
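Added example, not GPAC code and not the reporter's: a reduced C model of the call site in the dump above, written to show what a crash with RIP = 0x1 at `call rax` tells a triager. The argument shape (rdi = a context loaded from [r12+0x28], esi = 1, rdx = the node, rcx = a field) is read off the disassembly; the assumption that the `je` at gf_node_changed+198 is a NULL check on the callback is an inference, and every name here (node_t, on_changed, register_changed_cb, is_valid_target) is hypothetical. The unsafe walker shows why a slot holding the integer 1 passes a NULL check and faults at address 0x1; the hardened walker only calls targets that were registered through the one legitimate writer, so a corrupted slot is rejected instead of executed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct node node_t;
/* Signature modelled on the call site: (ctx, 1, node, field). Hypothetical. */
typedef void (*changed_cb)(void *ctx, int reason, node_t *node, void *field);

struct node {
    uint32_t   tag;           /* 4CC type tag; 'octs' is visible on the stack in the dump */
    changed_cb on_changed;    /* hypothetical callback slot, the value that ends up in RAX */
    void      *ctx;           /* hypothetical context, the value that ends up in RDI */
    int        changed_count; /* side effect of a successful callback, checked in the test */
};

/* Allowlist of legitimate callback targets, filled only by register_changed_cb(). */
#define MAX_TARGETS 16
static changed_cb g_targets[MAX_TARGETS];
static size_t     g_ntargets;

int register_changed_cb(changed_cb cb) {
    if (!cb || g_ntargets >= MAX_TARGETS) return -1;
    for (size_t i = 0; i < g_ntargets; i++)
        if (g_targets[i] == cb) return 0;   /* already registered */
    g_targets[g_ntargets++] = cb;
    return 0;
}

/* Software forward-edge check: an address is callable only if it was registered. */
int is_valid_target(changed_cb cb) {
    for (size_t i = 0; i < g_ntargets; i++)
        if (g_targets[i] == cb) return 1;
    return 0;
}

enum { CB_SKIPPED = 0, CB_CALLED = 1, CB_REJECTED = -1 };

/* Unsafe walker: a NULL check (the je before call rax) lets the value 1 through,
 * and the CPU then faults with RIP = 0x1, the pattern in the backtrace above. */
int notify_changed_unsafe(node_t *n, void *field) {
    if (!n->on_changed) return CB_SKIPPED;
    n->on_changed(n->ctx, 1, n, field);
    return CB_CALLED;
}

/* Hardened walker: validate the target before taking the indirect call. */
int notify_changed_safe(node_t *n, void *field) {
    if (!n->on_changed) return CB_SKIPPED;
    if (!is_valid_target(n->on_changed)) {
        fprintf(stderr, "node %.4s: callback slot holds %#lx, not a registered target\n",
                (const char *)&n->tag, (unsigned long)(uintptr_t)n->on_changed);
        return CB_REJECTED;
    }
    n->on_changed(n->ctx, 1, n, field);
    return CB_CALLED;
}

static void demo_on_changed(void *ctx, int reason, node_t *node, void *field) {
    (void)ctx; (void)reason; (void)field;
    node->changed_count++;
}

/* Constructed node; corrupt != 0 overwrites the slot with the value 1 seen in RAX. */
node_t make_node(int corrupt) {
    node_t n;
    memset(&n, 0, sizeof n);
    memcpy(&n.tag, "octs", 4);
    register_changed_cb(demo_on_changed);
    n.on_changed = demo_on_changed;
    if (corrupt) n.on_changed = (changed_cb)(uintptr_t)1;  /* simulated corruption */
    return n;
}

/* Runs the hardened walker on an intact (0) or corrupted (1) node and reports the outcome. */
int run_safe_demo(int corrupt) {
    node_t n = make_node(corrupt);
    int rc = notify_changed_safe(&n, NULL);
    if (rc == CB_CALLED && n.changed_count != 1) return -2;  /* callback did not fire */
    return rc;
}

int main(int argc, char **argv) {
    printf("intact slot:    %d\n", run_safe_demo(0));   /* CB_CALLED */
    printf("corrupted slot: %d\n", run_safe_demo(1));   /* CB_REJECTED */
    if (argc > 1 && strcmp(argv[1], "crash") == 0) {
        node_t n = make_node(1);
        notify_changed_unsafe(&n, NULL);   /* SIGSEGV with RIP = 0x1, as in the report */
    }
    return 0;
}
```

Build with `cc -Wall -o node_demo node_demo.c`; `./node_demo crash` reproduces the RIP = 0x1 shape under a debugger. The point for triage is that a NULL check cannot catch this: a slot holding 1 is non-NULL, so the real defect is at whichever site wrote that value, and the backtrace puts that on the scene-graph teardown path (gf_sg_proto_del, gf_sg_del, gf_sg_reset) rather than in gf_node_changed itself. The allowlist check is a mitigation that converts the crash into a rejected node; compiler CFI (clang -fsanitize=cfi) gives the same protection without hand-written tables.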
d2f74e4