Invalid memory address dereference in gf_sg_vrml_mf_reset() #1978

Closed
@AiDaiP

Description

Thanks for reporting your issue. Please make sure these boxes are checked before submitting your issue - thank you!

Detailed guidelines: http://gpac.io/2013/07/16/how-to-file-a-bug-properly/

An invalid memory address dereference was discovered in gf_sg_vrml_mf_reset(). The vulnerability causes a segmentation fault and application crash.

Version:

MP4Box - GPAC version 1.1.0-DEV-revUNKNOWN_REV
(c) 2000-2021 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io

Please cite our work in your research:
        GPAC Filters: https://doi.org/10.1145/3339825.3394929
        GPAC: https://doi.org/10.1145/1291233.1291452

GPAC Configuration:
Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_JPEG GPAC_HAS_PNG GPAC_HAS_LINUX_DVB  GPAC_DISABLE_3D

System information
Ubuntu 20.04 focal, AMD EPYC 7742 64-Core @ 16x 2.25GHz

command:

./MP4Box -lsr poc_14

poc_14.zip

Result

./MP4Box -lsr ./poc/poc_14
[iso file] Box "stco" (start 2057) has 6144 extra bytes
[iso file] Box "stco" is larger than container box
[iso file] Box "stbl" size 1814 (start 415) invalid (read 7894)
[iso file] Unknown box type 00040000 in parent dref
[iso file] extra box maxr found in hinf, deleting
[iso file] Box "stss" (start 9939) has 32 extra bytes
[iso file] extra box maxr found in hinf, deleting
[iso file] Track with no sample description box !
[iso file] Incomplete box mdat - start 11495 size 859244
[iso file] Incomplete file while reading for dump - aborting parsing
[iso file] Box "stco" (start 2057) has 6144 extra bytes
[iso file] Box "stco" is larger than container box
[iso file] Box "stbl" size 1814 (start 415) invalid (read 7894)
[iso file] Unknown box type 00040000 in parent dref
[iso file] extra box maxr found in hinf, deleting
[iso file] Box "stss" (start 9939) has 32 extra bytes
[iso file] extra box maxr found in hinf, deleting
[iso file] Track with no sample description box !
[iso file] Incomplete box mdat - start 11495 size 859244
[iso file] Incomplete file while reading for dump - aborting parsing
MPEG-4 BIFS Scene Parsing
[1]    250723 segmentation fault  ./MP4Box -lsr ./poc/poc_14

gdb

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff78a0d66 in gf_sg_vrml_mf_reset () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
───────────────────────────────[ REGISTERS ]────────────────────────────────
 RAX  0x0
 RBX  0x0
 RCX  0x7fffffff6160 ◂— 0x3f00000004
 RDX  0x8
 RDI  0x0
 RSI  0x3f
 R8   0x0
 R9   0x0
 R10  0x7ffff775c1f5 ◂— 'gf_sg_script_field_get_info'
 R11  0x7ffff788f770 (gf_sg_script_field_get_info) ◂— endbr64
 R12  0x7fffffff6160 ◂— 0x3f00000004
 R13  0x5555555deb80 ◂— 0x0
 R14  0x5555555dfbb0 —▸ 0x5555555dfbe0 ◂— 0x100000051 /* 'Q' */
 R15  0x1d61
 RBP  0x5555555d5d60 ◂— 0x0
 RSP  0x7fffffff6118 —▸ 0x7ffff790fbe2 (gf_bifs_dec_field+130) ◂— mov    r15d, eax
 RIP  0x7ffff78a0d66 (gf_sg_vrml_mf_reset+6) ◂— cmp    qword ptr [rdi + 8], 0
───────────────────────────────────────[ DISASM ]────────────────────────────────────────
 ► 0x7ffff78a0d66 <gf_sg_vrml_mf_reset+6>      cmp    qword ptr [rdi + 8], 0
   0x7ffff78a0d6b <gf_sg_vrml_mf_reset+11>     je     gf_sg_vrml_mf_reset+144
    <gf_sg_vrml_mf_reset+144>
    ↓
   0x7ffff78a0df0 <gf_sg_vrml_mf_reset+144>    ret

   0x7ffff78a0df1 <gf_sg_vrml_mf_reset+145>    nop    dword ptr [rax]
   0x7ffff78a0df8 <gf_sg_vrml_mf_reset+152>    mov    eax, dword ptr [rbp]
   0x7ffff78a0dfb <gf_sg_vrml_mf_reset+155>    mov    r13, qword ptr [rbp + 8]
   0x7ffff78a0dff <gf_sg_vrml_mf_reset+159>    test   eax, eax
   0x7ffff78a0e01 <gf_sg_vrml_mf_reset+161>    je     gf_sg_vrml_mf_reset+198
    <gf_sg_vrml_mf_reset+198>
    ↓
   0x7ffff78a0e26 <gf_sg_vrml_mf_reset+198>    mov    rdi, r13
   0x7ffff78a0e29 <gf_sg_vrml_mf_reset+201>    call   gf_free@plt                <gf_free@plt>

   0x7ffff78a0e2e <gf_sg_vrml_mf_reset+206>    jmp    gf_sg_vrml_mf_reset+100
    <gf_sg_vrml_mf_reset+100>
────────────────────────────────────────[ STACK ]────────────────────────────────────────
00:0000│ rsp 0x7fffffff6118 —▸ 0x7ffff790fbe2 (gf_bifs_dec_field+130) ◂— mov    r15d, eax
01:0008│     0x7fffffff6120 —▸ 0x7fffffff65b0 —▸ 0x5555555dfbb0 —▸ 0x5555555dfbe0 ◂— 0x100000051 /* 'Q' */
02:0010│     0x7fffffff6128 —▸ 0x7fffffff65b0 —▸ 0x5555555dfbb0 —▸ 0x5555555dfbe0 ◂— 0x100000051 /* 'Q' */
03:0018│     0x7fffffff6130 ◂— 0x0
04:0020│     0x7fffffff6138 —▸ 0x5555555e0210 ◂— 0x3f00000000
05:0028│     0x7fffffff6140 —▸ 0x7fffffff6160 ◂— 0x3f00000004
06:0030│     0x7fffffff6148 —▸ 0x7fffffff65b0 —▸ 0x5555555dfbb0 —▸ 0x5555555dfbe0 ◂— 0x100000051 /* 'Q' */
07:0038│     0x7fffffff6150 ◂— 0x1d61
──────────────────────────────────────[ BACKTRACE ]──────────────────────────────────────
 ► f 0   0x7ffff78a0d66 gf_sg_vrml_mf_reset+6
   f 1   0x7ffff790fbe2 gf_bifs_dec_field+130
   f 2   0x7ffff7916f02 ParseScriptField+274
   f 3   0x7ffff7919c50 SFScript_Parse+1056
   f 4   0x7ffff790eb3c gf_bifs_dec_sf_field+1548
   f 5   0x7ffff790eff2 BD_DecMFFieldList+242
   f 6   0x7ffff790fac5 gf_bifs_dec_node_mask+421
   f 7   0x7ffff790e158 gf_bifs_dec_node+936
─────────────────────────────────────────────────────────────────────────────────────────
pwndbg> bt
#0  0x00007ffff78a0d66 in gf_sg_vrml_mf_reset () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
#1  0x00007ffff790fbe2 in gf_bifs_dec_field () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
#2  0x00007ffff7916f02 in ParseScriptField () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
#3  0x00007ffff7919c50 in SFScript_Parse () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
#4  0x00007ffff790eb3c in gf_bifs_dec_sf_field () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
#5  0x00007ffff790eff2 in BD_DecMFFieldList () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
#6  0x00007ffff790fac5 in gf_bifs_dec_node_mask () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
#7  0x00007ffff790e158 in gf_bifs_dec_node () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
#8  0x00007ffff790f3b4 in BD_DecMFFieldVec () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
#9  0x00007ffff790f7f7 in gf_bifs_dec_node_list () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
#10 0x00007ffff790e066 in gf_bifs_dec_node () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
#11 0x00007ffff7906580 in BD_DecSceneReplace () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
#12 0x00007ffff7914e5e in BM_SceneReplace () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
#13 0x00007ffff7915023 in BM_ParseCommand () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
#14 0x00007ffff7915353 in gf_bifs_decode_command_list () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
#15 0x00007ffff7aa1d91 in gf_sm_load_run_isom () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
#16 0x00005555555844a8 in dump_isom_scene ()
#17 0x000055555557b42c in mp4boxMain ()
#18 0x00007ffff75630b3 in __libc_start_main (main=0x55555556c420 <main>, argc=3, argv=0x7fffffffe208, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe1f8) at ../csu/libc-start.c:308
#19 0x000055555556c45e in _start ()
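Crash reports like this one are easiest to prioritise once the faulting access has been resolved to an address: the REGISTERS block above shows RDI = 0x0 while the instruction at RIP reads `qword ptr [rdi + 8]`, so the effective address is 0x8, a read through a NULL structure pointer. The script below is an added example (not part of the report and not GPAC code) that automates that step over a pwndbg-style dump: it parses the register lines, takes the instruction from the RIP line, evaluates the Intel-syntax memory operand (including scaled-index forms and 32-bit register aliases, which go beyond the single instruction on this page) and buckets the result as near-null, non-canonical or other. The sample dump is copied verbatim from the register block above; the thresholds and the read/write heuristic are the example's own assumptions, not a full decoder.

```python
"""Resolve and classify the faulting memory access in a pwndbg crash dump.
Added example, not GPAC code.  The sample dump is the register block of the
report above; classification rules are heuristics chosen for this example."""
import re

# Constructed sample: the REGISTERS block from the crash report above.
SAMPLE_DUMP = """\
 RAX  0x0
 RBX  0x0
 RCX  0x7fffffff6160 ◂— 0x3f00000004
 RDX  0x8
 RDI  0x0
 RSI  0x3f
 R8   0x0
 R9   0x0
 R10  0x7ffff775c1f5 ◂— 'gf_sg_script_field_get_info'
 R11  0x7ffff788f770 (gf_sg_script_field_get_info) ◂— endbr64
 R12  0x7fffffff6160 ◂— 0x3f00000004
 R13  0x5555555deb80 ◂— 0x0
 R14  0x5555555dfbb0 —▸ 0x5555555dfbe0 ◂— 0x100000051 /* 'Q' */
 R15  0x1d61
 RBP  0x5555555d5d60 ◂— 0x0
 RSP  0x7fffffff6118 —▸ 0x7ffff790fbe2 (gf_bifs_dec_field+130) ◂— mov    r15d, eax
 RIP  0x7ffff78a0d66 (gf_sg_vrml_mf_reset+6) ◂— cmp    qword ptr [rdi + 8], 0
"""

REG_LINE = re.compile(r"^\s*([A-Z][A-Z0-9]{1,5})\s+(0x[0-9a-fA-F]+)")
# pwndbg prints "RIP <addr> (<symbol>) ◂— <instruction>"; U+25C2 U+2014 is that arrow.
RIP_LINE = re.compile(r"^\s*RIP\s+0x[0-9a-fA-F]+\s+\(([^)]+)\)\s+\u25c2\u2014\s+(.+?)\s*$")
MEM_OPERAND = re.compile(r"\[([^\]]+)\]")


def parse_registers(dump):
    """Map lowercase register name -> value for every 'NAME 0x...' line."""
    regs = {}
    for line in dump.splitlines():
        m = REG_LINE.match(line)
        if m:
            regs[m.group(1).lower()] = int(m.group(2), 16)
    return regs


def parse_fault_site(dump):
    """Return (symbol+offset, instruction text) from the RIP line."""
    for line in dump.splitlines():
        m = RIP_LINE.match(line)
        if m:
            return m.group(1), m.group(2)
    raise ValueError("no RIP line with symbol and instruction found")


def register_value(name, regs):
    """Resolve an operand register, including 32-bit aliases (eax, r8d)."""
    name = name.lower()
    if name in regs:
        return regs[name]
    if name.startswith("e") and "r" + name[1:] in regs:   # eax -> low half of rax
        return regs["r" + name[1:]] & 0xFFFFFFFF
    if name.endswith("d") and name[:-1] in regs:          # r8d -> low half of r8
        return regs[name[:-1]] & 0xFFFFFFFF
    raise KeyError("register %s not in dump" % name)


def effective_address(mem_operand, regs):
    """Evaluate '[base + index*scale +/- disp]' against the register values."""
    inner = MEM_OPERAND.search(mem_operand).group(1).replace(" ", "")
    total = 0
    for sign, term in re.findall(r"([+-]?)([^+-]+)", inner):
        if "*" in term:                                    # scaled index: rcx*8
            reg, scale = term.split("*")
            value = register_value(reg, regs) * int(scale, 0)
        elif re.fullmatch(r"[a-zA-Z][a-zA-Z0-9]*", term):  # bare register
            value = register_value(term, regs)
        else:                                              # displacement (hex or decimal)
            value = int(term, 0)
        total += -value if sign == "-" else value
    return total & 0xFFFFFFFFFFFFFFFF


def access_kind(instruction):
    """Heuristic: cmp/test only read, lea touches no memory, otherwise a memory
    operand in destination (first) position is written and elsewhere is read."""
    mnemonic, _, operands = instruction.partition(" ")
    mnemonic = mnemonic.lower()
    if mnemonic in ("cmp", "test"):
        return "read"
    if mnemonic == "lea":
        return "none"
    return "write" if "[" in operands.split(",")[0] else "read"


def classify_address(addr):
    """near-null: NULL or NULL plus a small struct offset (typically a crash, DoS);
    non-canonical: a corrupted pointer on x86-64 (treat as memory corruption);
    other: needs the process memory map (vmmap) to tell unmapped from freed."""
    if addr < 0x1000:
        return "near-null"
    if 0x0000_8000_0000_0000 <= addr < 0xFFFF_8000_0000_0000:
        return "non-canonical"
    return "other"


def triage(dump):
    """Combine the pieces into a triage record for the faulting instruction."""
    regs = parse_registers(dump)
    symbol, instruction = parse_fault_site(dump)
    mem = MEM_OPERAND.search(instruction)
    if mem is None:
        return {"symbol": symbol, "instruction": instruction, "memory_operand": None,
                "fault_address": None, "access": "none", "kind": "no-memory-operand"}
    addr = effective_address(mem.group(0), regs)
    return {"symbol": symbol, "instruction": instruction, "memory_operand": mem.group(0),
            "fault_address": addr, "access": access_kind(instruction),
            "kind": classify_address(addr)}


if __name__ == "__main__":
    for key, value in triage(SAMPLE_DUMP).items():
        print("%-15s %s" % (key, hex(value) if isinstance(value, int) else value))
```

On the dump above this yields `fault_address 0x8`, `access read`, `kind near-null` at `gf_sg_vrml_mf_reset+6`: the function was handed a NULL pointer and read a field eight bytes into it, which is the signature of a missing NULL check in the caller chain (`gf_bifs_dec_field` in the backtrace) rather than a heap overflow. A near-null read is a reliable crash, so the fix to look for is the check that should have rejected the empty field before the reset call.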
