Invalid call in gf_node_changed() #1974

Closed
@AiDaiP

Description

Thanks for reporting your issue. Please make sure these boxes are checked before submitting your issue - thank you!

Detailed guidelines: http://gpac.io/2013/07/16/how-to-file-a-bug-properly/

An invalid call was discovered in gf_node_changed(). The vulnerability causes a segmentation fault and application crash.

Version:

MP4Box - GPAC version 1.1.0-DEV-revUNKNOWN_REV
(c) 2000-2021 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io

Please cite our work in your research:
        GPAC Filters: https://doi.org/10.1145/3339825.3394929
        GPAC: https://doi.org/10.1145/1291233.1291452

GPAC Configuration:
Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_JPEG GPAC_HAS_PNG GPAC_HAS_LINUX_DVB  GPAC_DISABLE_3D

System information
Ubuntu 20.04 focal, AMD EPYC 7742 64-Core @ 16x 2.25GHz

command:

./MP4Box -bt ./poc/poc_11

poc_11.zip

Result

./MP4Box -bt ./poc/poc_10
[iso file] extra box maxr found in hinf, deleting
[iso file] Unknown box type traI in parent moov
[iso file] Box "stss" (start 9939) has 32 extra bytes
[iso file] extra box maxr found in hinf, deleting
[iso file] Track with no sample description box !
[iso file] Incomplete box mdat - start 11495 size 861261
[iso file] Incomplete file while reading for dump - aborting parsing
[iso file] extra box maxr found in hinf, deleting
[iso file] Unknown box type traI in parent moov
[iso file] Box "stss" (start 9939) has 32 extra bytes
[iso file] extra box maxr found in hinf, deleting
[iso file] Track with no sample description box !
[iso file] Incomplete box mdat - start 11495 size 861261
[iso file] Incomplete file while reading for dump - aborting parsing
MPEG-4 BIFS Scene Parsing
[1]    1142870 segmentation fault  ./MP4Box -bt ./poc/poc_10

gdb

Program received signal SIGSEGV, Segmentation fault.
0x0000000000000001 in ?? ()
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
────────────────────────────────────────────[ REGISTERS ]─────────────────────────────────────────────
 RAX  0x1
 RBX  0x7fffffff6bc0 ◂— 0x0
 RCX  0x7fffffff6bc0 ◂— 0x0
 RDX  0x5555555e6230 —▸ 0x5555555e6270 ◂— 0x0
 RDI  0x0
 RSI  0x1
 R8   0x0
 R9   0x0
 R10  0x7ffff775ba62 ◂— 'gf_node_changed'
 R11  0x7ffff784a0f0 (gf_node_changed) ◂— endbr64
 R12  0x5555555c6010 ◂— 0x200000002
 R13  0x5555555e5100 ◂— 0x0
 R14  0x5555555e6230 —▸ 0x5555555e6270 ◂— 0x0
 R15  0x7fffffff6bc0 ◂— 0x0
 RBP  0x5555555e6230 —▸ 0x5555555e6270 ◂— 0x0
 RSP  0x7fffffff6a88 —▸ 0x7ffff784a1ca (gf_node_changed+218) ◂— test   rbx, rbx
 RIP  0x1
──────────────────────────────────────────────[ DISASM ]──────────────────────────────────────────────
Invalid address 0x1

──────────────────────────────────────────────[ STACK ]───────────────────────────────────────────────
00:0000│ rsp 0x7fffffff6a88 —▸ 0x7ffff784a1ca (gf_node_changed+218) ◂— test   rbx, rbx
01:0008│     0x7fffffff6a90 ◂— 0x0
... ↓        3 skipped
05:0028│     0x7fffffff6ab0 ◂— 0x7374636f /* 'octs' */
06:0030│     0x7fffffff6ab8 —▸ 0x5555555e4fd0 ◂— 0x7374636f /* 'octs' */
07:0038│     0x7fffffff6ac0 ◂— 0x2
────────────────────────────────────────────[ BACKTRACE ]─────────────────────────────────────────────
 ► f 0              0x1
   f 1   0x7ffff784a1ca gf_node_changed+218
   f 2   0x7ffff784b675 gf_sg_reset+805
   f 3   0x7ffff784ba47 gf_sg_del+55
   f 4   0x7ffff788b7f8 gf_sg_proto_del+424
   f 5   0x7ffff7905f88 gf_bifs_dec_proto_list+680
   f 6   0x7ffff7913a11 BM_ParseInsert+769
   f 7   0x7ffff7914fe1 BM_ParseCommand+113
──────────────────────────────────────────────────────────────────────────────────────────────────────
pwndbg> bt
#0  0x0000000000000001 in ?? ()
#1  0x00007ffff784a1ca in gf_node_changed () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
#2  0x00007ffff784b675 in gf_sg_reset () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
#3  0x00007ffff784ba47 in gf_sg_del () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
#4  0x00007ffff788b7f8 in gf_sg_proto_del () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
#5  0x00007ffff7905f88 in gf_bifs_dec_proto_list () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
#6  0x00007ffff7913a11 in BM_ParseInsert () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
#7  0x00007ffff7914fe1 in BM_ParseCommand () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
#8  0x00007ffff7915353 in gf_bifs_decode_command_list () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
#9  0x00007ffff7aa1d91 in gf_sm_load_run_isom () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
#10 0x00005555555844a8 in dump_isom_scene ()
#11 0x000055555557b42c in mp4boxMain ()
#12 0x00007ffff75630b3 in __libc_start_main (main=0x55555556c420 <main>, argc=3, argv=0x7fffffffe1b8, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe1a8) at ../csu/libc-start.c:308
#13 0x000055555556c45e in _start ()

break gf_node_changed

pwndbg>
0x00007ffff784a1c8 in gf_node_changed () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
────────────────────────────────────────────[ REGISTERS ]─────────────────────────────────────────────
 RAX  0x1
 RBX  0x7fffffff6bc0 ◂— 0x0
 RCX  0x7fffffff6bc0 ◂— 0x0
 RDX  0x5555555e6230 —▸ 0x5555555e6270 ◂— 0x0
 RDI  0x0
*RSI  0x1
 R8   0x0
 R9   0x0
 R10  0x7ffff775ba62 ◂— 'gf_node_changed'
 R11  0x7ffff784a0f0 (gf_node_changed) ◂— endbr64
 R12  0x5555555c6010 ◂— 0x200000002
 R13  0x5555555e5100 ◂— 0x0
 R14  0x5555555e6230 —▸ 0x5555555e6270 ◂— 0x0
 R15  0x7fffffff6bc0 ◂— 0x0
 RBP  0x5555555e6230 —▸ 0x5555555e6270 ◂— 0x0
 RSP  0x7fffffff6a90 ◂— 0x0
*RIP  0x7ffff784a1c8 (gf_node_changed+216) ◂— call   rax
──────────────────────────────────────────────[ DISASM ]──────────────────────────────────────────────
   0x7ffff784a1b6 <gf_node_changed+198>    je     gf_node_changed+223                <gf_node_changed+223>

   0x7ffff784a1b8 <gf_node_changed+200>    mov    rdi, qword ptr [r12 + 0x28]
   0x7ffff784a1bd <gf_node_changed+205>    mov    rcx, rbx
   0x7ffff784a1c0 <gf_node_changed+208>    mov    rdx, rbp
   0x7ffff784a1c3 <gf_node_changed+211>    mov    esi, 1
 ► 0x7ffff784a1c8 <gf_node_changed+216>    call   rax                           <1>

   0x7ffff784a1ca <gf_node_changed+218>    test   rbx, rbx
   0x7ffff784a1cd <gf_node_changed+221>    je     gf_node_changed+233                <gf_node_changed+233>

   0x7ffff784a1cf <gf_node_changed+223>    mov    eax, dword ptr [rbx]
   0x7ffff784a1d1 <gf_node_changed+225>    sub    eax, 0x63
   0x7ffff784a1d4 <gf_node_changed+228>    and    eax, 0xfffffffd
──────────────────────────────────────────────[ STACK ]───────────────────────────────────────────────
00:0000│ rsp 0x7fffffff6a90 ◂— 0x0
... ↓        3 skipped
04:0020│     0x7fffffff6ab0 ◂— 0x7374636f /* 'octs' */
05:0028│     0x7fffffff6ab8 —▸ 0x5555555e4fd0 ◂— 0x7374636f /* 'octs' */
06:0030│     0x7fffffff6ac0 ◂— 0x2
07:0038│     0x7fffffff6ac8 ◂— 0x8000000000000006
────────────────────────────────────────────[ BACKTRACE ]─────────────────────────────────────────────
 ► f 0   0x7ffff784a1c8 gf_node_changed+216
   f 1   0x7ffff784b675 gf_sg_reset+805
   f 2   0x7ffff784ba47 gf_sg_del+55
   f 3   0x7ffff788b7f8 gf_sg_proto_del+424
   f 4   0x7ffff7905f88 gf_bifs_dec_proto_list+680
   f 5   0x7ffff7913a11 BM_ParseInsert+769
   f 6   0x7ffff7914fe1 BM_ParseCommand+113
   f 7   0x7ffff7915353 gf_bifs_decode_command_list+163
──────────────────────────────────────────────────────────────────────────────────────────────────────
pwndbg>

Program received signal SIGSEGV, Segmentation fault.
0x0000000000000001 in ?? ()
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
────────────────────────────────────────────[ REGISTERS ]─────────────────────────────────────────────
 RAX  0x1
 RBX  0x7fffffff6bc0 ◂— 0x0
 RCX  0x7fffffff6bc0 ◂— 0x0
 RDX  0x5555555e6230 —▸ 0x5555555e6270 ◂— 0x0
 RDI  0x0
 RSI  0x1
 R8   0x0
 R9   0x0
 R10  0x7ffff775ba62 ◂— 'gf_node_changed'
 R11  0x7ffff784a0f0 (gf_node_changed) ◂— endbr64
 R12  0x5555555c6010 ◂— 0x200000002
 R13  0x5555555e5100 ◂— 0x0
 R14  0x5555555e6230 —▸ 0x5555555e6270 ◂— 0x0
 R15  0x7fffffff6bc0 ◂— 0x0
 RBP  0x5555555e6230 —▸ 0x5555555e6270 ◂— 0x0
*RSP  0x7fffffff6a88 —▸ 0x7ffff784a1ca (gf_node_changed+218) ◂— test   rbx, rbx
*RIP  0x1
──────────────────────────────────────────────[ DISASM ]──────────────────────────────────────────────
Invalid address 0x1

──────────────────────────────────────────────[ STACK ]───────────────────────────────────────────────
00:0000│ rsp 0x7fffffff6a88 —▸ 0x7ffff784a1ca (gf_node_changed+218) ◂— test   rbx, rbx
01:0008│     0x7fffffff6a90 ◂— 0x0
... ↓        3 skipped
05:0028│     0x7fffffff6ab0 ◂— 0x7374636f /* 'octs' */
06:0030│     0x7fffffff6ab8 —▸ 0x5555555e4fd0 ◂— 0x7374636f /* 'octs' */
07:0038│     0x7fffffff6ac0 ◂— 0x2
────────────────────────────────────────────[ BACKTRACE ]─────────────────────────────────────────────
 ► f 0              0x1
   f 1   0x7ffff784a1ca gf_node_changed+218
   f 2   0x7ffff784b675 gf_sg_reset+805
   f 3   0x7ffff784ba47 gf_sg_del+55
   f 4   0x7ffff788b7f8 gf_sg_proto_del+424
   f 5   0x7ffff7905f88 gf_bifs_dec_proto_list+680
   f 6   0x7ffff7913a11 BM_ParseInsert+769
   f 7   0x7ffff7914fe1 BM_ParseCommand+113
──────────────────────────────────────────────────────────────────────────────────────────────────────
pwndbg>
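The dump above shows the crash mechanism directly: `gf_node_changed+216` executes `call rax` with RAX = 0x1, so RIP ends up at an address gdb cannot attribute to any module. That pattern (PC outside every loaded module, equal to the register used by an indirect call) is triaged differently from a plain bad data read, because it means control flow passed through a corrupted or uninitialised function pointer. The script below is an added example, not GPAC code or the reporter's tooling: it parses the gdb `bt` frames, pwndbg's register dump and its `►` instruction marker as quoted in this report, classifies the fault, and builds a short frame signature for bucketing fuzzer crashes. The input formats, the 64 KiB unmapped low-page assumption and the hypothetical contrast sample are assumptions of this example.

```python
"""Triage a gdb/pwndbg SIGSEGV dump: where did control go, and why?

Added example for this report; not GPAC code and not the reporter's tooling.
It parses the frame lines of `bt`, pwndbg's register dump and its `►`
instruction marker, then classifies the fault and builds a short signature
for bucketing fuzzer crashes. The input formats are assumed from the text
quoted in the issue.
"""
import re
from dataclasses import dataclass

# Assumption: Linux leaves at least the first 64 KiB (mmap_min_addr) unmapped,
# so a program counter below this can only come from a non-pointer value.
LOW_PAGE_LIMIT = 0x10000

# `#1  0x00007ffff784a1ca in gf_node_changed () from libgpac.so.10`
FRAME_RE = re.compile(r"^#(\d+)\s+(0x[0-9a-fA-F]+) in (\S+) \(.*?\)(?: from (\S+))?")
# ` RAX  0x1` / `*RSI  0x1` (pwndbg marks changed registers with `*`)
REG_RE = re.compile(r"^\*?\s*([A-Z][A-Z0-9]{1,2})\s+(0x[0-9a-fA-F]+)")
# ` ► 0x7ffff784a1c8 <gf_node_changed+216>    call   rax    <1>`
INDIRECT_RE = re.compile(r"►\s+0x[0-9a-fA-F]+\s+<([^>]+)>\s+(call|jmp)\s+([a-z0-9]+)\b")

# Constructed sample: the lines relevant to triage, copied from the report above
# (library path shortened to the file name).
SAMPLE = """\
Program received signal SIGSEGV, Segmentation fault.
0x0000000000000001 in ?? ()
 RAX  0x1
 RDI  0x0
*RSI  0x1
 RIP  0x1
 ► 0x7ffff784a1c8 <gf_node_changed+216>    call   rax                           <1>
#0  0x0000000000000001 in ?? ()
#1  0x00007ffff784a1ca in gf_node_changed () from libgpac.so.10
#2  0x00007ffff784b675 in gf_sg_reset () from libgpac.so.10
#3  0x00007ffff784ba47 in gf_sg_del () from libgpac.so.10
#4  0x00007ffff788b7f8 in gf_sg_proto_del () from libgpac.so.10
"""

# Constructed contrast case (hypothetical, not from the report): the PC stays
# inside a known function, so the fault is on a data access.
SAMPLE_DATA_FAULT = """\
Program received signal SIGSEGV, Segmentation fault.
 RBX  0x0
 RIP  0x7ffff784a1cf
#0  0x00007ffff784a1cf in gf_node_changed () from libgpac.so.10
#1  0x00007ffff784b675 in gf_sg_reset () from libgpac.so.10
"""


@dataclass
class Triage:
    pc: int
    crashing_function: str   # innermost frame gdb could symbolise
    signature: str           # top symbolised frames, for crash bucketing
    category: str
    detail: str


def parse(text):
    """Return (frames, registers, indirect_site) extracted from the dump text."""
    frames, regs, indirect = [], {}, None
    for line in text.splitlines():
        m = FRAME_RE.match(line)
        if m:
            frames.append((int(m.group(2), 16), m.group(3), m.group(4)))
            continue
        m = REG_RE.match(line)
        if m:
            regs[m.group(1)] = int(m.group(2), 16)
            continue
        m = INDIRECT_RE.search(line)
        if m:
            indirect = (m.group(1), m.group(2), m.group(3))  # (site, mnemonic, register)
    return frames, regs, indirect


def triage(text, depth=3):
    """Classify the fault and build a bucketing signature from the top frames."""
    frames, regs, indirect = parse(text)
    if not frames:
        raise ValueError("no backtrace frames found")
    pc = frames[0][0]
    symbolised = [f[1] for f in frames if f[1] != "??"]
    crashing = symbolised[0] if symbolised else "??"
    signature = ";".join(symbolised[:depth])
    pc_unmapped = frames[0][1] == "??"  # gdb found no module containing the PC

    if pc_unmapped and indirect and regs.get(indirect[2].upper()) == pc:
        site, mnem, reg = indirect
        category = "invalid-pc-indirect-call"
        detail = (f"{mnem} {reg} at {site} transferred control to {pc:#x}; "
                  f"{reg} held a corrupted or uninitialised function pointer")
    elif pc_unmapped:
        category = "invalid-pc"
        detail = f"PC {pc:#x} is outside every loaded module; innermost symbolised frame is {crashing}"
    else:
        category = "data-access-fault"
        detail = f"PC {pc:#x} is inside {crashing}; the fault is on a memory operand"
    if pc < LOW_PAGE_LIMIT:
        detail += f" (target below {LOW_PAGE_LIMIT:#x}: a small integer, not a pointer)"
    return Triage(pc, crashing, signature, category, detail)


if __name__ == "__main__":
    for dump in (SAMPLE, SAMPLE_DATA_FAULT):
        print(triage(dump))
```

Running it on the report's dump yields `invalid-pc-indirect-call` with signature `gf_node_changed;gf_sg_reset;gf_sg_del`; the same signature on later crashes from the fuzzer identifies duplicates of this bug rather than new ones. The register match is what separates a corrupted function pointer from a corrupted return address, which also lands at an unmapped PC but with no indirect call at the last known instruction.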
