Invalid free in gf_svg_delete_attribute_value() #1975

Closed
@AiDaiP

Description

Thanks for reporting your issue. Please make sure these boxes are checked before submitting your issue - thank you!

Detailed guidelines: http://gpac.io/2013/07/16/how-to-file-a-bug-properly/

An invalid free was discovered in gf_svg_delete_attribute_value(). The vulnerability causes a segmentation fault and application crash.

Version:

MP4Box - GPAC version 1.1.0-DEV-revUNKNOWN_REV
(c) 2000-2021 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io

Please cite our work in your research:
        GPAC Filters: https://doi.org/10.1145/3339825.3394929
        GPAC: https://doi.org/10.1145/1291233.1291452

GPAC Configuration:
Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_JPEG GPAC_HAS_PNG GPAC_HAS_LINUX_DVB  GPAC_DISABLE_3D

System information
Ubuntu 20.04 focal, AMD EPYC 7742 64-Core @ 16x 2.25GHz

Command:

./MP4Box -lsr ./poc/poc_12

poc_12.zip

Result

./MP4Box -lsr ./poc/poc_12
[iso file] Box "stco" (start 2057) has 6144 extra bytes
[iso file] Box "stco" is larger than container box
[iso file] Box "stbl" size 1814 (start 415) invalid (read 7894)
[iso file] Unknown box type 00040000 in parent dref
[iso file] extra box maxr found in hinf, deleting
[iso file] extra box maxr found in hinf, deleting
[iso file] Incomplete box mdat - start 11495 size 803523
[iso file] Incomplete file while reading for dump - aborting parsing
[iso file] Box "stco" (start 2057) has 6144 extra bytes
[iso file] Box "stco" is larger than container box
[iso file] Box "stbl" size 1814 (start 415) invalid (read 7894)
[iso file] Unknown box type 00040000 in parent dref
[iso file] extra box maxr found in hinf, deleting
[iso file] extra box maxr found in hinf, deleting
[iso file] Incomplete box mdat - start 11495 size 803523
[iso file] Incomplete file while reading for dump - aborting parsing
MPEG-4 LASeR Scene Parsing
[MP4 Loading] Unable to fetch sample 1 from track ID 7 - aborting track import
[LASeR] sametext coded in bitstream but no text defined !
[LASeR] samerect coded in bitstream but no rect defined !
[LASeR] memory overread - corrupted decoding
[LASeR] memory overread - corrupted decoding
[LASeR] memory overread - corrupted decoding
[LASeR] memory overread - corrupted decoding
[LASeR] memory overread - corrupted decoding
[LASeR] memory overread - corrupted decoding
[LASeR] memory overread - corrupted decoding
[LASeR] memory overread - corrupted decoding
[LASeR] memory overread - corrupted decoding
[LASeR] memory overread - corrupted decoding
[LASeR] memory overread - corrupted decoding
[LASeR] memory overread - corrupted decoding
[LASeR] memory overread - corrupted decoding
[LASeR] memory overread - corrupted decoding
[LASeR] memory overread - corrupted decoding
[LASeR] memory overread - corrupted decoding
[LASeR] memory overread - corrupted decoding
[LASeR] memory overread - corrupted decoding
[LASeR] memory overread - corrupted decoding
[LASeR] memory overread - corrupted decoding
[LASeR] memory overread - corrupted decoding
[LASeR] memory overread - corrupted decoding
[LASeR] memory overread - corrupted decoding
[LASeR] memory overread - corrupted decoding
[LASeR] memory overread - corrupted decoding
[LASeR] memory overread - corrupted decoding
[LASeR] memory overread - corrupted decoding
[LASeR] memory overread - corrupted decoding
[LASeR] memory overread - corrupted decoding
[LASeR] memory overread - corrupted decoding
[LASeR] memory overread - corrupted decoding
[LASeR] memory overread - corrupted decoding
[LASeR] memory overread - corrupted decoding
[LASeR] memory overread - corrupted decoding
[LASeR] memory overread - corrupted decoding
[LASeR] memory overread - corrupted decoding
[LASeR] memory overread - corrupted decoding
[MP4 Loading] decoding sample 1 from track ID 8 failed
[1]    4148207 segmentation fault  ./MP4Box -lsr ./poc/poc_12

gdb

Program received signal SIGSEGV, Segmentation fault.
__GI___libc_free (mem=0x4183400000000000) at malloc.c:3102
3102    malloc.c: No such file or directory.
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
────────────────────────────────────────────[ REGISTERS ]─────────────────────────────────────────────
 RAX  0x0
 RBX  0x1
 RCX  0x0
 RDX  0x7ffff7e0d800 ◂— 0xffaba7feffaba850
 RDI  0x4183400000000000
 RSI  0x5555555dfce0 ◂— 0x4183400000000000
 R8   0x7
 R9   0xfffffff6
 R10  0x7ffff775ba72 ◂— 'gf_node_unregister_children'
 R11  0x7ffff784a6d0 (gf_node_unregister_children) ◂— endbr64
 R12  0x5555555d40d0 ◂— 0x0
 R13  0x2a
 R14  0x8
 R15  0x5555555dfcc0 —▸ 0x5555555dfd00 —▸ 0x5555555dfce0 ◂— 0x4183400000000000
 RBP  0x5555555dfce0 ◂— 0x4183400000000000
 RSP  0x7fffffff7040 ◂— 0x0
 RIP  0x7ffff75d9870 (free+32) ◂— mov    rax, qword ptr [rdi - 8]
──────────────────────────────────────────────[ DISASM ]──────────────────────────────────────────────
 ► 0x7ffff75d9870 <free+32>         mov    rax, qword ptr [rdi - 8]
   0x7ffff75d9874 <free+36>         lea    rsi, [rdi - 0x10]
   0x7ffff75d9878 <free+40>         test   al, 2
   0x7ffff75d987a <free+42>         jne    free+96                <free+96>
    ↓
   0x7ffff75d98b0 <free+96>         mov    edx, dword ptr [rip + 0x14d9fe] <0x7ffff77272b4>
   0x7ffff75d98b6 <free+102>        test   edx, edx
   0x7ffff75d98b8 <free+104>        jne    free+123                <free+123>
    ↓
   0x7ffff75d98cb <free+123>        mov    rdi, rsi
   0x7ffff75d98ce <free+126>        add    rsp, 0x18
   0x7ffff75d98d2 <free+130>        jmp    munmap_chunk                <munmap_chunk>
    ↓
   0x7ffff75d4630 <munmap_chunk>    sub    rsp, 8
──────────────────────────────────────────────[ STACK ]───────────────────────────────────────────────
00:0000│ rsp 0x7fffffff7040 ◂— 0x0
... ↓        2 skipped
03:0018│     0x7fffffff7058 —▸ 0x7ffff78c805d (gf_svg_delete_attribute_value+173) ◂— jmp    0x7ffff78c7ffe
04:0020│     0x7fffffff7060 ◂— 0x0
05:0028│     0x7fffffff7068 ◂— 0x1
06:0030│     0x7fffffff7070 —▸ 0x5555555dfca0 ◂— 0x101
07:0038│     0x7fffffff7078 —▸ 0x5555555d40d0 ◂— 0x0
────────────────────────────────────────────[ BACKTRACE ]─────────────────────────────────────────────
 ► f 0   0x7ffff75d9870 free+32
   f 1   0x7ffff78c805d gf_svg_delete_attribute_value+173
   f 2   0x7ffff78c815b gf_svg_delete_attribute_value+427
   f 3   0x7ffff78e1b65 gf_node_delete_attributes+69
   f 4   0x7ffff78c7c2a gf_svg_node_del+282
   f 5   0x7ffff784a51d gf_node_unregister+349
   f 6   0x7ffff784a6f4 gf_node_unregister_children+36
   f 7   0x7ffff784a731 gf_sg_parent_reset+17
──────────────────────────────────────────────────────────────────────────────────────────────────────
pwndbg> bt
#0  __GI___libc_free (mem=0x4183400000000000) at malloc.c:3102
#1  0x00007ffff78c805d in gf_svg_delete_attribute_value () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
#2  0x00007ffff78c815b in gf_svg_delete_attribute_value () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
#3  0x00007ffff78e1b65 in gf_node_delete_attributes () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
#4  0x00007ffff78c7c2a in gf_svg_node_del () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
#5  0x00007ffff784a51d in gf_node_unregister () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
#6  0x00007ffff784a6f4 in gf_node_unregister_children () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
#7  0x00007ffff784a731 in gf_sg_parent_reset () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
#8  0x00007ffff78c7c32 in gf_svg_node_del () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
#9  0x00007ffff784a51d in gf_node_unregister () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
#10 0x00007ffff784a6f4 in gf_node_unregister_children () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
#11 0x00007ffff784a731 in gf_sg_parent_reset () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
#12 0x00007ffff78c7c32 in gf_svg_node_del () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
#13 0x00007ffff784a51d in gf_node_unregister () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
#14 0x00007ffff784f396 in gf_sg_command_del () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
#15 0x00007ffff7a88203 in gf_sm_del () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
#16 0x0000555555584423 in dump_isom_scene ()
#17 0x000055555557b42c in mp4boxMain ()
#18 0x00007ffff75630b3 in __libc_start_main (main=0x55555556c420 <main>, argc=3, argv=0x7fffffffe218, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe208) at ../csu/libc-start.c:308
#19 0x000055555556c45e in _start ()

break gf_svg_delete_attribute_value

0x00007ffff78c8058 in gf_svg_delete_attribute_value () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
────────────────────────────────────────────[ REGISTERS ]─────────────────────────────────────────────
 RAX  0x7ffff78c8050 (gf_svg_delete_attribute_value+160) ◂— mov    rdi, qword ptr [rsi]
 RBX  0x1
 RCX  0x0
 RDX  0x7ffff7e0d800 ◂— 0xffaba7feffaba850
 RDI  0x4183400000000000
 RSI  0x5555555dfce0 ◂— 0x4183400000000000
 R8   0x7
 R9   0xfffffff6
 R10  0x7ffff775ba72 ◂— 'gf_node_unregister_children'
 R11  0x7ffff784a6d0 (gf_node_unregister_children) ◂— endbr64
 R12  0x5555555d40d0 ◂— 0x0
 R13  0x2a
 R14  0x8
 R15  0x5555555dfcc0 —▸ 0x5555555dfd00 —▸ 0x5555555dfce0 ◂— 0x4183400000000000
 RBP  0x5555555dfce0 ◂— 0x4183400000000000
 RSP  0x7fffffff7060 ◂— 0x0
*RIP  0x7ffff78c8058 (gf_svg_delete_attribute_value+168) ◂— call   0x7ffff77e2cb0
──────────────────────────────────────────────[ DISASM ]──────────────────────────────────────────────
   0x7ffff78c7fda <gf_svg_delete_attribute_value+42>     add    rax, rdx
   0x7ffff78c7fdd <gf_svg_delete_attribute_value+45>     jmp    rax
    ↓
   0x7ffff78c8050 <gf_svg_delete_attribute_value+160>    mov    rdi, qword ptr [rsi]
   0x7ffff78c8053 <gf_svg_delete_attribute_value+163>    test   rdi, rdi
   0x7ffff78c8056 <gf_svg_delete_attribute_value+166>    je     gf_svg_delete_attribute_value+78                <gf_svg_delete_attribute_value+78>

 ► 0x7ffff78c8058 <gf_svg_delete_attribute_value+168>    call   gf_free@plt                <gf_free@plt>
        rdi: 0x4183400000000000
        rsi: 0x5555555dfce0 ◂— 0x4183400000000000
        rdx: 0x7ffff7e0d800 ◂— 0xffaba7feffaba850
        rcx: 0x0

   0x7ffff78c805d <gf_svg_delete_attribute_value+173>    jmp    gf_svg_delete_attribute_value+78                <gf_svg_delete_attribute_value+78>

   0x7ffff78c805f <gf_svg_delete_attribute_value+175>    nop
   0x7ffff78c8060 <gf_svg_delete_attribute_value+176>    mov    r14, qword ptr [rsi]
   0x7ffff78c8063 <gf_svg_delete_attribute_value+179>    xor    ebx, ebx
   0x7ffff78c8065 <gf_svg_delete_attribute_value+181>    mov    rdi, r14
──────────────────────────────────────────────[ STACK ]───────────────────────────────────────────────
00:0000│ rsp 0x7fffffff7060 ◂— 0x0
01:0008│     0x7fffffff7068 ◂— 0x1
02:0010│     0x7fffffff7070 —▸ 0x5555555dfca0 ◂— 0x101
03:0018│     0x7fffffff7078 —▸ 0x5555555d40d0 ◂— 0x0
04:0020│     0x7fffffff7080 ◂— 0x2a /* '*' */
05:0028│     0x7fffffff7088 ◂— 0x8
06:0030│     0x7fffffff7090 —▸ 0x5555555dfcc0 —▸ 0x5555555dfd00 —▸ 0x5555555dfce0 ◂— 0x4183400000000000
07:0038│     0x7fffffff7098 —▸ 0x7ffff78c815b (gf_svg_delete_attribute_value+427) ◂— cmp    r14d, ebx
────────────────────────────────────────────[ BACKTRACE ]─────────────────────────────────────────────
 ► f 0   0x7ffff78c8058 gf_svg_delete_attribute_value+168
   f 1   0x7ffff78c815b gf_svg_delete_attribute_value+427
   f 2   0x7ffff78e1b65 gf_node_delete_attributes+69
   f 3   0x7ffff78c7c2a gf_svg_node_del+282
   f 4   0x7ffff784a51d gf_node_unregister+349
   f 5   0x7ffff784a6f4 gf_node_unregister_children+36
   f 6   0x7ffff784a731 gf_sg_parent_reset+17
   f 7   0x7ffff78c7c32 gf_svg_node_del+290
──────────────────────────────────────────────────────────────────────────────────────────────────────
__GI___libc_free (mem=0x4183400000000000) at malloc.c:3087
3087    malloc.c: No such file or directory.
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
────────────────────────────────────────────[ REGISTERS ]─────────────────────────────────────────────
 RAX  0x7ffff78c8050 (gf_svg_delete_attribute_value+160) ◂— mov    rdi, qword ptr [rsi]
 RBX  0x1
 RCX  0x0
 RDX  0x7ffff7e0d800 ◂— 0xffaba7feffaba850
 RDI  0x4183400000000000
 RSI  0x5555555dfce0 ◂— 0x4183400000000000
 R8   0x7
 R9   0xfffffff6
 R10  0x7ffff775ba72 ◂— 'gf_node_unregister_children'
 R11  0x7ffff784a6d0 (gf_node_unregister_children) ◂— endbr64
 R12  0x5555555d40d0 ◂— 0x0
 R13  0x2a
 R14  0x8
 R15  0x5555555dfcc0 —▸ 0x5555555dfd00 —▸ 0x5555555dfce0 ◂— 0x4183400000000000
 RBP  0x5555555dfce0 ◂— 0x4183400000000000
 RSP  0x7fffffff7058 —▸ 0x7ffff78c805d (gf_svg_delete_attribute_value+173) ◂— jmp    0x7ffff78c7ffe
*RIP  0x7ffff75d9850 (free) ◂— endbr64
──────────────────────────────────────────────[ DISASM ]──────────────────────────────────────────────
   0x7ffff77e2cb4 <gf_free@plt+4>    bnd jmp qword ptr [rip + 0x7bc045]   <gf_free>
    ↓
   0x7ffff77f9f30 <gf_free>          endbr64
   0x7ffff77f9f34 <gf_free+4>        jmp    free@plt                <free@plt>
    ↓
   0x7ffff77e2840 <free@plt>         endbr64
   0x7ffff77e2844 <free@plt+4>       bnd jmp qword ptr [rip + 0x7bc27d]   <free>
    ↓
 ► 0x7ffff75d9850 <free>             endbr64
   0x7ffff75d9854 <free+4>           sub    rsp, 0x18
   0x7ffff75d9858 <free+8>           mov    rax, qword ptr [rip + 0x14d699]
   0x7ffff75d985f <free+15>          mov    rax, qword ptr [rax]
   0x7ffff75d9862 <free+18>          test   rax, rax
   0x7ffff75d9865 <free+21>          jne    free+152                <free+152>
──────────────────────────────────────────────[ STACK ]───────────────────────────────────────────────
00:0000│ rsp 0x7fffffff7058 —▸ 0x7ffff78c805d (gf_svg_delete_attribute_value+173) ◂— jmp    0x7ffff78c7ffe
01:0008│     0x7fffffff7060 ◂— 0x0
02:0010│     0x7fffffff7068 ◂— 0x1
03:0018│     0x7fffffff7070 —▸ 0x5555555dfca0 ◂— 0x101
04:0020│     0x7fffffff7078 —▸ 0x5555555d40d0 ◂— 0x0
05:0028│     0x7fffffff7080 ◂— 0x2a /* '*' */
06:0030│     0x7fffffff7088 ◂— 0x8
07:0038│     0x7fffffff7090 —▸ 0x5555555dfcc0 —▸ 0x5555555dfd00 —▸ 0x5555555dfce0 ◂— 0x4183400000000000
────────────────────────────────────────────[ BACKTRACE ]─────────────────────────────────────────────
 ► f 0   0x7ffff75d9850 free
   f 1   0x7ffff78c805d gf_svg_delete_attribute_value+173
   f 2   0x7ffff78c815b gf_svg_delete_attribute_value+427
   f 3   0x7ffff78e1b65 gf_node_delete_attributes+69
   f 4   0x7ffff78c7c2a gf_svg_node_del+282
   f 5   0x7ffff784a51d gf_node_unregister+349
   f 6   0x7ffff784a6f4 gf_node_unregister_children+36
   f 7   0x7ffff784a731 gf_sg_parent_reset+17
──────────────────────────────────────────────────────────────────────────────────────────────────────
pwndbg> c
Continuing.

Program received signal SIGSEGV, Segmentation fault.
__GI___libc_free (mem=0x4183400000000000) at malloc.c:3102
3102    in malloc.c
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
────────────────────────────────────────────[ REGISTERS ]─────────────────────────────────────────────
*RAX  0x0
 RBX  0x1
 RCX  0x0
 RDX  0x7ffff7e0d800 ◂— 0xffaba7feffaba850
 RDI  0x4183400000000000
 RSI  0x5555555dfce0 ◂— 0x4183400000000000
 R8   0x7
 R9   0xfffffff6
 R10  0x7ffff775ba72 ◂— 'gf_node_unregister_children'
 R11  0x7ffff784a6d0 (gf_node_unregister_children) ◂— endbr64
 R12  0x5555555d40d0 ◂— 0x0
 R13  0x2a
 R14  0x8
 R15  0x5555555dfcc0 —▸ 0x5555555dfd00 —▸ 0x5555555dfce0 ◂— 0x4183400000000000
 RBP  0x5555555dfce0 ◂— 0x4183400000000000
*RSP  0x7fffffff7040 ◂— 0x0
*RIP  0x7ffff75d9870 (free+32) ◂— mov    rax, qword ptr [rdi - 8]
──────────────────────────────────────────────[ DISASM ]──────────────────────────────────────────────
 ► 0x7ffff75d9870 <free+32>         mov    rax, qword ptr [rdi - 8]
   0x7ffff75d9874 <free+36>         lea    rsi, [rdi - 0x10]
   0x7ffff75d9878 <free+40>         test   al, 2
   0x7ffff75d987a <free+42>         jne    free+96                <free+96>
    ↓
   0x7ffff75d98b0 <free+96>         mov    edx, dword ptr [rip + 0x14d9fe] <0x7ffff77272b4>
   0x7ffff75d98b6 <free+102>        test   edx, edx
   0x7ffff75d98b8 <free+104>        jne    free+123                <free+123>
    ↓
   0x7ffff75d98cb <free+123>        mov    rdi, rsi
   0x7ffff75d98ce <free+126>        add    rsp, 0x18
   0x7ffff75d98d2 <free+130>        jmp    munmap_chunk                <munmap_chunk>
    ↓
   0x7ffff75d4630 <munmap_chunk>    sub    rsp, 8
──────────────────────────────────────────────[ STACK ]───────────────────────────────────────────────
00:0000│ rsp 0x7fffffff7040 ◂— 0x0
... ↓        2 skipped
03:0018│     0x7fffffff7058 —▸ 0x7ffff78c805d (gf_svg_delete_attribute_value+173) ◂— jmp    0x7ffff78c7ffe
04:0020│     0x7fffffff7060 ◂— 0x0
05:0028│     0x7fffffff7068 ◂— 0x1
06:0030│     0x7fffffff7070 —▸ 0x5555555dfca0 ◂— 0x101
07:0038│     0x7fffffff7078 —▸ 0x5555555d40d0 ◂— 0x0
────────────────────────────────────────────[ BACKTRACE ]─────────────────────────────────────────────
 ► f 0   0x7ffff75d9870 free+32
   f 1   0x7ffff78c805d gf_svg_delete_attribute_value+173
   f 2   0x7ffff78c815b gf_svg_delete_attribute_value+427
   f 3   0x7ffff78e1b65 gf_node_delete_attributes+69
   f 4   0x7ffff78c7c2a gf_svg_node_del+282
   f 5   0x7ffff784a51d gf_node_unregister+349
   f 6   0x7ffff784a6f4 gf_node_unregister_children+36
   f 7   0x7ffff784a731 gf_sg_parent_reset+17
──────────────────────────────────────────────────────────────────────────────────────────────────────
pwndbg>