Thanks for reporting your issue. Please make sure these boxes are checked before submitting your issue - thank you!
Detailed guidelines: http://gpac.io/2013/07/16/how-to-file-a-bug-properly/
An invalid free was discovered in gf_svg_delete_attribute_value(). The vulnerability causes a segmentation fault and application crash.
Version:
```
MP4Box - GPAC version 1.1.0-DEV-revUNKNOWN_REV
(c) 2000-2021 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
	Please cite our work in your research:
	GPAC Filters: https://doi.org/10.1145/3339825.3394929
	GPAC: https://doi.org/10.1145/1291233.1291452

GPAC Configuration:
Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_JPEG GPAC_HAS_PNG GPAC_HAS_LINUX_DVB GPAC_DISABLE_3D
```
System information:
Ubuntu 20.04 focal, AMD EPYC 7742 64-Core @ 16x 2.25GHz
command:
```sh
./MP4Box -lsr ./poc/poc_12
```
poc_12.zip
Result
```
./MP4Box -lsr ./poc/poc_12
[iso file] Box "stco" (start 2057) has 6144 extra bytes
[iso file] Box "stco" is larger than container box
[iso file] Box "stbl" size 1814 (start 415) invalid (read 7894)
[iso file] Unknown box type 00040000 in parent dref
[iso file] extra box maxr found in hinf, deleting
[iso file] extra box maxr found in hinf, deleting
[iso file] Incomplete box mdat - start 11495 size 803523
[iso file] Incomplete file while reading for dump - aborting parsing
[iso file] Box "stco" (start 2057) has 6144 extra bytes
[iso file] Box "stco" is larger than container box
[iso file] Box "stbl" size 1814 (start 415) invalid (read 7894)
[iso file] Unknown box type 00040000 in parent dref
[iso file] extra box maxr found in hinf, deleting
[iso file] extra box maxr found in hinf, deleting
[iso file] Incomplete box mdat - start 11495 size 803523
[iso file] Incomplete file while reading for dump - aborting parsing
MPEG-4 LASeR Scene Parsing
[MP4 Loading] Unable to fetch sample 1 from track ID 7 - aborting track import
[LASeR] sametext coded in bitstream but no text defined !
[LASeR] samerect coded in bitstream but no rect defined !
[LASeR] memory overread - corrupted decoding
[LASeR] memory overread - corrupted decoding
[LASeR] memory overread - corrupted decoding
[LASeR] memory overread - corrupted decoding
[LASeR] memory overread - corrupted decoding
[LASeR] memory overread - corrupted decoding
[LASeR] memory overread - corrupted decoding
[LASeR] memory overread - corrupted decoding
[LASeR] memory overread - corrupted decoding
[LASeR] memory overread - corrupted decoding
[LASeR] memory overread - corrupted decoding
[LASeR] memory overread - corrupted decoding
[LASeR] memory overread - corrupted decoding
[LASeR] memory overread - corrupted decoding
[LASeR] memory overread - corrupted decoding
[LASeR] memory overread - corrupted decoding
[LASeR] memory overread - corrupted decoding
[LASeR] memory overread - corrupted decoding
[LASeR] memory overread - corrupted decoding
[LASeR] memory overread - corrupted decoding
[LASeR] memory overread - corrupted decoding
[LASeR] memory overread - corrupted decoding
[LASeR] memory overread - corrupted decoding
[LASeR] memory overread - corrupted decoding
[LASeR] memory overread - corrupted decoding
[LASeR] memory overread - corrupted decoding
[LASeR] memory overread - corrupted decoding
[LASeR] memory overread - corrupted decoding
[LASeR] memory overread - corrupted decoding
[LASeR] memory overread - corrupted decoding
[LASeR] memory overread - corrupted decoding
[LASeR] memory overread - corrupted decoding
[LASeR] memory overread - corrupted decoding
[LASeR] memory overread - corrupted decoding
[LASeR] memory overread - corrupted decoding
[LASeR] memory overread - corrupted decoding
[LASeR] memory overread - corrupted decoding
[MP4 Loading] decoding sample 1 from track ID 8 failed
[1]    4148207 segmentation fault  ./MP4Box -lsr ./poc/poc_12
```
gdb
```
Program received signal SIGSEGV, Segmentation fault.
__GI___libc_free (mem=0x4183400000000000) at malloc.c:3102
3102	malloc.c: No such file or directory.
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
────────────────────────────────────────────[ REGISTERS ]─────────────────────────────────────────────
 RAX  0x0
 RBX  0x1
 RCX  0x0
 RDX  0x7ffff7e0d800 ◂— 0xffaba7feffaba850
 RDI  0x4183400000000000
 RSI  0x5555555dfce0 ◂— 0x4183400000000000
 R8   0x7
 R9   0xfffffff6
 R10  0x7ffff775ba72 ◂— 'gf_node_unregister_children'
 R11  0x7ffff784a6d0 (gf_node_unregister_children) ◂— endbr64
 R12  0x5555555d40d0 ◂— 0x0
 R13  0x2a
 R14  0x8
 R15  0x5555555dfcc0 —▸ 0x5555555dfd00 —▸ 0x5555555dfce0 ◂— 0x4183400000000000
 RBP  0x5555555dfce0 ◂— 0x4183400000000000
 RSP  0x7fffffff7040 ◂— 0x0
 RIP  0x7ffff75d9870 (free+32) ◂— mov rax, qword ptr [rdi - 8]
──────────────────────────────────────────────[ DISASM ]──────────────────────────────────────────────
 ► 0x7ffff75d9870 <free+32>        mov    rax, qword ptr [rdi - 8]
   0x7ffff75d9874 <free+36>        lea    rsi, [rdi - 0x10]
   0x7ffff75d9878 <free+40>        test   al, 2
   0x7ffff75d987a <free+42>        jne    free+96 <free+96>
    ↓
   0x7ffff75d98b0 <free+96>        mov    edx, dword ptr [rip + 0x14d9fe] <0x7ffff77272b4>
   0x7ffff75d98b6 <free+102>       test   edx, edx
   0x7ffff75d98b8 <free+104>       jne    free+123 <free+123>
    ↓
   0x7ffff75d98cb <free+123>       mov    rdi, rsi
   0x7ffff75d98ce <free+126>       add    rsp, 0x18
   0x7ffff75d98d2 <free+130>       jmp    munmap_chunk <munmap_chunk>
    ↓
   0x7ffff75d4630 <munmap_chunk>   sub    rsp, 8
──────────────────────────────────────────────[ STACK ]───────────────────────────────────────────────
00:0000│ rsp 0x7fffffff7040 ◂— 0x0
... ↓     2 skipped
03:0018│     0x7fffffff7058 —▸ 0x7ffff78c805d (gf_svg_delete_attribute_value+173) ◂— jmp 0x7ffff78c7ffe
04:0020│     0x7fffffff7060 ◂— 0x0
05:0028│     0x7fffffff7068 ◂— 0x1
06:0030│     0x7fffffff7070 —▸ 0x5555555dfca0 ◂— 0x101
07:0038│     0x7fffffff7078 —▸ 0x5555555d40d0 ◂— 0x0
────────────────────────────────────────────[ BACKTRACE ]─────────────────────────────────────────────
 ► f 0   0x7ffff75d9870 free+32
   f 1   0x7ffff78c805d gf_svg_delete_attribute_value+173
   f 2   0x7ffff78c815b gf_svg_delete_attribute_value+427
   f 3   0x7ffff78e1b65 gf_node_delete_attributes+69
   f 4   0x7ffff78c7c2a gf_svg_node_del+282
   f 5   0x7ffff784a51d gf_node_unregister+349
   f 6   0x7ffff784a6f4 gf_node_unregister_children+36
   f 7   0x7ffff784a731 gf_sg_parent_reset+17
──────────────────────────────────────────────────────────────────────────────────────────────────────
pwndbg> bt
#0  __GI___libc_free (mem=0x4183400000000000) at malloc.c:3102
#1  0x00007ffff78c805d in gf_svg_delete_attribute_value () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
#2  0x00007ffff78c815b in gf_svg_delete_attribute_value () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
#3  0x00007ffff78e1b65 in gf_node_delete_attributes () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
#4  0x00007ffff78c7c2a in gf_svg_node_del () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
#5  0x00007ffff784a51d in gf_node_unregister () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
#6  0x00007ffff784a6f4 in gf_node_unregister_children () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
#7  0x00007ffff784a731 in gf_sg_parent_reset () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
#8  0x00007ffff78c7c32 in gf_svg_node_del () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
#9  0x00007ffff784a51d in gf_node_unregister () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
#10 0x00007ffff784a6f4 in gf_node_unregister_children () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
#11 0x00007ffff784a731 in gf_sg_parent_reset () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
#12 0x00007ffff78c7c32 in gf_svg_node_del () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
#13 0x00007ffff784a51d in gf_node_unregister () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
#14 0x00007ffff784f396 in gf_sg_command_del () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
#15 0x00007ffff7a88203 in gf_sm_del () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
#16 0x0000555555584423 in dump_isom_scene ()
#17 0x000055555557b42c in mp4boxMain ()
#18 0x00007ffff75630b3 in __libc_start_main (main=0x55555556c420 <main>, argc=3, argv=0x7fffffffe218, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe208) at ../csu/libc-start.c:308
#19 0x000055555556c45e in _start ()
```
break gf_svg_delete_attribute_value
```
0x00007ffff78c8058 in gf_svg_delete_attribute_value () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
────────────────────────────────────────────[ REGISTERS ]─────────────────────────────────────────────
 RAX  0x7ffff78c8050 (gf_svg_delete_attribute_value+160) ◂— mov rdi, qword ptr [rsi]
 RBX  0x1
 RCX  0x0
 RDX  0x7ffff7e0d800 ◂— 0xffaba7feffaba850
 RDI  0x4183400000000000
 RSI  0x5555555dfce0 ◂— 0x4183400000000000
 R8   0x7
 R9   0xfffffff6
 R10  0x7ffff775ba72 ◂— 'gf_node_unregister_children'
 R11  0x7ffff784a6d0 (gf_node_unregister_children) ◂— endbr64
 R12  0x5555555d40d0 ◂— 0x0
 R13  0x2a
 R14  0x8
 R15  0x5555555dfcc0 —▸ 0x5555555dfd00 —▸ 0x5555555dfce0 ◂— 0x4183400000000000
 RBP  0x5555555dfce0 ◂— 0x4183400000000000
 RSP  0x7fffffff7060 ◂— 0x0
*RIP  0x7ffff78c8058 (gf_svg_delete_attribute_value+168) ◂— call 0x7ffff77e2cb0
──────────────────────────────────────────────[ DISASM ]──────────────────────────────────────────────
   0x7ffff78c7fda <gf_svg_delete_attribute_value+42>     add    rax, rdx
   0x7ffff78c7fdd <gf_svg_delete_attribute_value+45>     jmp    rax
    ↓
   0x7ffff78c8050 <gf_svg_delete_attribute_value+160>    mov    rdi, qword ptr [rsi]
   0x7ffff78c8053 <gf_svg_delete_attribute_value+163>    test   rdi, rdi
   0x7ffff78c8056 <gf_svg_delete_attribute_value+166>    je     gf_svg_delete_attribute_value+78 <gf_svg_delete_attribute_value+78>
 ► 0x7ffff78c8058 <gf_svg_delete_attribute_value+168>    call   gf_free@plt <gf_free@plt>
        rdi: 0x4183400000000000
        rsi: 0x5555555dfce0 ◂— 0x4183400000000000
        rdx: 0x7ffff7e0d800 ◂— 0xffaba7feffaba850
        rcx: 0x0
   0x7ffff78c805d <gf_svg_delete_attribute_value+173>    jmp    gf_svg_delete_attribute_value+78 <gf_svg_delete_attribute_value+78>
   0x7ffff78c805f <gf_svg_delete_attribute_value+175>    nop
   0x7ffff78c8060 <gf_svg_delete_attribute_value+176>    mov    r14, qword ptr [rsi]
   0x7ffff78c8063 <gf_svg_delete_attribute_value+179>    xor    ebx, ebx
   0x7ffff78c8065 <gf_svg_delete_attribute_value+181>    mov    rdi, r14
──────────────────────────────────────────────[ STACK ]───────────────────────────────────────────────
00:0000│ rsp 0x7fffffff7060 ◂— 0x0
01:0008│     0x7fffffff7068 ◂— 0x1
02:0010│     0x7fffffff7070 —▸ 0x5555555dfca0 ◂— 0x101
03:0018│     0x7fffffff7078 —▸ 0x5555555d40d0 ◂— 0x0
04:0020│     0x7fffffff7080 ◂— 0x2a /* '*' */
05:0028│     0x7fffffff7088 ◂— 0x8
06:0030│     0x7fffffff7090 —▸ 0x5555555dfcc0 —▸ 0x5555555dfd00 —▸ 0x5555555dfce0 ◂— 0x4183400000000000
07:0038│     0x7fffffff7098 —▸ 0x7ffff78c815b (gf_svg_delete_attribute_value+427) ◂— cmp r14d, ebx
────────────────────────────────────────────[ BACKTRACE ]─────────────────────────────────────────────
 ► f 0   0x7ffff78c8058 gf_svg_delete_attribute_value+168
   f 1   0x7ffff78c815b gf_svg_delete_attribute_value+427
   f 2   0x7ffff78e1b65 gf_node_delete_attributes+69
   f 3   0x7ffff78c7c2a gf_svg_node_del+282
   f 4   0x7ffff784a51d gf_node_unregister+349
   f 5   0x7ffff784a6f4 gf_node_unregister_children+36
   f 6   0x7ffff784a731 gf_sg_parent_reset+17
   f 7   0x7ffff78c7c32 gf_svg_node_del+290
──────────────────────────────────────────────────────────────────────────────────────────────────────
__GI___libc_free (mem=0x4183400000000000) at malloc.c:3087
3087	malloc.c: No such file or directory.
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
────────────────────────────────────────────[ REGISTERS ]─────────────────────────────────────────────
 RAX  0x7ffff78c8050 (gf_svg_delete_attribute_value+160) ◂— mov rdi, qword ptr [rsi]
 RBX  0x1
 RCX  0x0
 RDX  0x7ffff7e0d800 ◂— 0xffaba7feffaba850
 RDI  0x4183400000000000
 RSI  0x5555555dfce0 ◂— 0x4183400000000000
 R8   0x7
 R9   0xfffffff6
 R10  0x7ffff775ba72 ◂— 'gf_node_unregister_children'
 R11  0x7ffff784a6d0 (gf_node_unregister_children) ◂— endbr64
 R12  0x5555555d40d0 ◂— 0x0
 R13  0x2a
 R14  0x8
 R15  0x5555555dfcc0 —▸ 0x5555555dfd00 —▸ 0x5555555dfce0 ◂— 0x4183400000000000
 RBP  0x5555555dfce0 ◂— 0x4183400000000000
 RSP  0x7fffffff7058 —▸ 0x7ffff78c805d (gf_svg_delete_attribute_value+173) ◂— jmp 0x7ffff78c7ffe
*RIP  0x7ffff75d9850 (free) ◂— endbr64
──────────────────────────────────────────────[ DISASM ]──────────────────────────────────────────────
   0x7ffff77e2cb4 <gf_free@plt+4>    bnd jmp qword ptr [rip + 0x7bc045] <gf_free>
    ↓
   0x7ffff77f9f30 <gf_free>          endbr64
   0x7ffff77f9f34 <gf_free+4>        jmp    free@plt <free@plt>
    ↓
   0x7ffff77e2840 <free@plt>         endbr64
   0x7ffff77e2844 <free@plt+4>       bnd jmp qword ptr [rip + 0x7bc27d] <free>
    ↓
 ► 0x7ffff75d9850 <free>             endbr64
   0x7ffff75d9854 <free+4>           sub    rsp, 0x18
   0x7ffff75d9858 <free+8>           mov    rax, qword ptr [rip + 0x14d699]
   0x7ffff75d985f <free+15>          mov    rax, qword ptr [rax]
   0x7ffff75d9862 <free+18>          test   rax, rax
   0x7ffff75d9865 <free+21>          jne    free+152 <free+152>
──────────────────────────────────────────────[ STACK ]───────────────────────────────────────────────
00:0000│ rsp 0x7fffffff7058 —▸ 0x7ffff78c805d (gf_svg_delete_attribute_value+173) ◂— jmp 0x7ffff78c7ffe
01:0008│     0x7fffffff7060 ◂— 0x0
02:0010│     0x7fffffff7068 ◂— 0x1
03:0018│     0x7fffffff7070 —▸ 0x5555555dfca0 ◂— 0x101
04:0020│     0x7fffffff7078 —▸ 0x5555555d40d0 ◂— 0x0
05:0028│     0x7fffffff7080 ◂— 0x2a /* '*' */
06:0030│     0x7fffffff7088 ◂— 0x8
07:0038│     0x7fffffff7090 —▸ 0x5555555dfcc0 —▸ 0x5555555dfd00 —▸ 0x5555555dfce0 ◂— 0x4183400000000000
────────────────────────────────────────────[ BACKTRACE ]─────────────────────────────────────────────
 ► f 0   0x7ffff75d9850 free
   f 1   0x7ffff78c805d gf_svg_delete_attribute_value+173
   f 2   0x7ffff78c815b gf_svg_delete_attribute_value+427
   f 3   0x7ffff78e1b65 gf_node_delete_attributes+69
   f 4   0x7ffff78c7c2a gf_svg_node_del+282
   f 5   0x7ffff784a51d gf_node_unregister+349
   f 6   0x7ffff784a6f4 gf_node_unregister_children+36
   f 7   0x7ffff784a731 gf_sg_parent_reset+17
──────────────────────────────────────────────────────────────────────────────────────────────────────
pwndbg> c
Continuing.

Program received signal SIGSEGV, Segmentation fault.
__GI___libc_free (mem=0x4183400000000000) at malloc.c:3102
3102	in malloc.c
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
────────────────────────────────────────────[ REGISTERS ]─────────────────────────────────────────────
*RAX  0x0
 RBX  0x1
 RCX  0x0
 RDX  0x7ffff7e0d800 ◂— 0xffaba7feffaba850
 RDI  0x4183400000000000
 RSI  0x5555555dfce0 ◂— 0x4183400000000000
 R8   0x7
 R9   0xfffffff6
 R10  0x7ffff775ba72 ◂— 'gf_node_unregister_children'
 R11  0x7ffff784a6d0 (gf_node_unregister_children) ◂— endbr64
 R12  0x5555555d40d0 ◂— 0x0
 R13  0x2a
 R14  0x8
 R15  0x5555555dfcc0 —▸ 0x5555555dfd00 —▸ 0x5555555dfce0 ◂— 0x4183400000000000
 RBP  0x5555555dfce0 ◂— 0x4183400000000000
*RSP  0x7fffffff7040 ◂— 0x0
*RIP  0x7ffff75d9870 (free+32) ◂— mov rax, qword ptr [rdi - 8]
──────────────────────────────────────────────[ DISASM ]──────────────────────────────────────────────
 ► 0x7ffff75d9870 <free+32>        mov    rax, qword ptr [rdi - 8]
   0x7ffff75d9874 <free+36>        lea    rsi, [rdi - 0x10]
   0x7ffff75d9878 <free+40>        test   al, 2
   0x7ffff75d987a <free+42>        jne    free+96 <free+96>
    ↓
   0x7ffff75d98b0 <free+96>        mov    edx, dword ptr [rip + 0x14d9fe] <0x7ffff77272b4>
   0x7ffff75d98b6 <free+102>       test   edx, edx
   0x7ffff75d98b8 <free+104>       jne    free+123 <free+123>
    ↓
   0x7ffff75d98cb <free+123>       mov    rdi, rsi
   0x7ffff75d98ce <free+126>       add    rsp, 0x18
   0x7ffff75d98d2 <free+130>       jmp    munmap_chunk <munmap_chunk>
    ↓
   0x7ffff75d4630 <munmap_chunk>   sub    rsp, 8
──────────────────────────────────────────────[ STACK ]───────────────────────────────────────────────
00:0000│ rsp 0x7fffffff7040 ◂— 0x0
... ↓     2 skipped
03:0018│     0x7fffffff7058 —▸ 0x7ffff78c805d (gf_svg_delete_attribute_value+173) ◂— jmp 0x7ffff78c7ffe
04:0020│     0x7fffffff7060 ◂— 0x0
05:0028│     0x7fffffff7068 ◂— 0x1
06:0030│     0x7fffffff7070 —▸ 0x5555555dfca0 ◂— 0x101
07:0038│     0x7fffffff7078 —▸ 0x5555555d40d0 ◂— 0x0
────────────────────────────────────────────[ BACKTRACE ]─────────────────────────────────────────────
 ► f 0   0x7ffff75d9870 free+32
   f 1   0x7ffff78c805d gf_svg_delete_attribute_value+173
   f 2   0x7ffff78c815b gf_svg_delete_attribute_value+427
   f 3   0x7ffff78e1b65 gf_node_delete_attributes+69
   f 4   0x7ffff78c7c2a gf_svg_node_del+282
   f 5   0x7ffff784a51d gf_node_unregister+349
   f 6   0x7ffff784a6f4 gf_node_unregister_children+36
   f 7   0x7ffff784a731 gf_sg_parent_reset+17
──────────────────────────────────────────────────────────────────────────────────────────────────────
pwndbg>
```
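The disassembly above shows a jump-table dispatch (`add rax, rdx; jmp rax`) landing on a case that loads the first word of the attribute value and hands it to `gf_free`; that word is 0x4183400000000000, which is not a heap address, and the log before the crash reports that LASeR decoding aborted on a memory overread. The C snippet below is an added illustration of that bug shape, not GPAC's code: the attribute layout, the function names and the "checked" deleter are invented, and instead of calling `free()` the deleters return what `free()` would have received so the demonstration cannot crash.

```c
/* Added illustration, not GPAC code: the attribute layout, names and the
 * "checked" variant are invented to show the bug class in the report above. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum attr_kind { ATTR_NONE = 0, ATTR_STRING = 1, ATTR_NUMBER = 2 };

/* Hypothetical attribute value: one 8-byte slot whose meaning depends on
 * `kind`. A string attribute owns a heap pointer, a number holds a double. */
typedef struct {
    int kind;
    int decoded;   /* set only after a decode that finished without error */
    union { char *str; double num; uint64_t raw; } v;
} attr_t;

/* Triage helper: a glibc user pointer on x86-64 is a canonical 47-bit
 * address and malloc returns 16-byte aligned chunks. RDI at the crash,
 * 0x4183400000000000, fails the canonical-address test. */
int looks_like_heap_pointer(uint64_t raw) {
    return raw != 0 && (raw >> 47) == 0 && (raw & 0xf) == 0;
}

/* Reinterpret the slot as a double (memcpy avoids strict-aliasing UB). */
double slot_as_double(uint64_t raw) { double d; memcpy(&d, &raw, sizeof d); return d; }

/* Vulnerable shape: trust the tag and pass the slot to free(). Returns what
 * free() would receive instead of freeing it, so this cannot crash. */
uint64_t delete_attr_trusting_tag(attr_t *a) {
    if (a->kind == ATTR_STRING && a->v.str) return a->v.raw;   /* gf_free(a->v.str) */
    return 0;
}

/* Hardened shape: the slot is an owned pointer only if decoding completed;
 * after an aborted decode the slot is cleared rather than freed. */
uint64_t delete_attr_checked(attr_t *a) {
    if (a->kind == ATTR_STRING && a->decoded && a->v.str) return a->v.raw;
    a->v.raw = 0;
    return 0;
}

/* Constructed scenario: a decoder desync left the bit pattern seen in RDI
 * in a slot that the deleter later treats as a string pointer. */
attr_t make_desynced_attr(void) {
    attr_t a = { ATTR_STRING, 0, { .raw = 0x4183400000000000ULL } };
    return a;
}

int main(void) {
    attr_t a = make_desynced_attr();
    uint64_t p = delete_attr_trusting_tag(&a);
    printf("free() would get 0x%016llx: heap pointer? %s (as double: %g)\n",
           (unsigned long long)p, looks_like_heap_pointer(p) ? "yes" : "no",
           slot_as_double(p));
    return 0;
}
```

The double interpretation (40370176.0) is only a triage hint that the slot held numeric data rather than a pointer; which LASeR field actually wrote it is not established by the report.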
b232648