[iso file] extra box maxr found in hinf, deleting
[iso file] extra box maxr found in hinf, deleting
[iso file] Unknown box type 80rak in parent moov
[iso file] Incomplete box mdat - start 11495 size 852201
[iso file] Incomplete file while reading for dump - aborting parsing
[iso file] extra box maxr found in hinf, deleting
[iso file] extra box maxr found in hinf, deleting
[iso file] Unknown box type 80rak in parent moov
[iso file] Incomplete box mdat - start 11495 size 852201
[iso file] Incomplete file while reading for dump - aborting parsing
MPEG-4 LASeR Scene Parsing
[LASeR] samepolyXXX coded in bitstream but no polyXXX defined !
[LASeR] samepolyXXX coded in bitstream but no polyXXX defined !
[LASeR] samepolyXXX coded in bitstream but no polyXXX defined !
[LASeR] samerect coded in bitstream but no rect defined !
[LASeR] samerect coded in bitstream but no rect defined !
[1] 1501387 segmentation fault ./MP4Box -bt ./poc/poc_15
poc_16
[iso file] extra box maxr found in hinf, deleting
[iso file] extra box maxr found in hinf, deleting
[iso file] Unknown box type 80rak in parent moov
[iso file] Incomplete box mdat - start 11495 size 861267
[iso file] Incomplete file while reading for dump - aborting parsing
[iso file] extra box maxr found in hinf, deleting
[iso file] extra box maxr found in hinf, deleting
[iso file] Unknown box type 80rak in parent moov
[iso file] Incomplete box mdat - start 11495 size 861267
[iso file] Incomplete file while reading for dump - aborting parsing
MPEG-4 LASeR Scene Parsing
[1] 2404995 segmentation fault ./MP4Box -bt ./poc/poc_16
poc_18
[iso file] extra box maxr found in hinf, deleting
[iso file] extra box maxr found in hinf, deleting
[iso file] Unknown box type 80rak in parent moov
[iso file] Incomplete box mdat - start 11495 size 861267
[iso file] Incomplete file while reading for dump - aborting parsing
[iso file] extra box maxr found in hinf, deleting
[iso file] extra box maxr found in hinf, deleting
[iso file] Unknown box type 80rak in parent moov
[iso file] Incomplete box mdat - start 11495 size 861267
[iso file] Incomplete file while reading for dump - aborting parsing
MPEG-4 LASeR Scene Parsing
[1] 1048981 segmentation fault ./MP4Box -bt ./poc/poc_18
gdb
poc_15
Program received signal SIGSEGV, Segmentation fault.
0x00007ffff7b508f8 in lsr_read_id.part () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
───────────────────────────────[ REGISTERS ]────────────────────────────────
RAX 0x770000007c
RBX 0x0
RCX 0x5555555e5760 ◂— 0x8b374bf60d8b0d94
RDX 0x0
RDI 0x5555555deda0 —▸ 0x5555555e4e20 —▸ 0x7fffffff69c0 ◂— 0x5b0000006e /* 'n' */
RSI 0x0
R8 0x5555555e5740 —▸ 0x5555555e4730 —▸ 0x5555555e5530 ◂— 0x0
R9 0x5555555e5a10 ◂— 0x2b0
R10 0x5555555c6010 ◂— 0x0
R11 0x7ffff7727be0 (main_arena+96) —▸ 0x5555555e5af0 ◂— 0x3529 /* ')5' */
R12 0x7fffffff69c0 ◂— 0x5b0000006e /* 'n' */
R13 0x3
R14 0xe
R15 0x0
RBP 0x5555555dcf10 —▸ 0x5555555d2750 ◂— 0x0
RSP 0x7fffffff68a0 —▸ 0x5555555e56e0 —▸ 0x5555555e5700 ◂— 0x800000030000042b
RIP 0x7ffff7b508f8 (lsr_read_id.part+232) ◂— cmp byte ptr [rax], 0x23
───────────────────────────────────────[ DISASM ]────────────────────────────────────────
► 0x7ffff7b508f8 <lsr_read_id.part+232> cmp byte ptr [rax], 0x23
0x7ffff7b508fb <lsr_read_id.part+235> sete dl
0x7ffff7b508fe <lsr_read_id.part+238> xor esi, esi
0x7ffff7b50900 <lsr_read_id.part+240> lea rdi, [rax + rdx + 1]
0x7ffff7b50905 <lsr_read_id.part+245> mov edx, 0xa
0x7ffff7b5090a <lsr_read_id.part+250> call strtol@plt <strtol@plt>
0x7ffff7b5090f <lsr_read_id.part+255> cmp r14d, eax
0x7ffff7b50912 <lsr_read_id.part+258> je lsr_read_id.part+608 <lsr_read_id.part+608>
0x7ffff7b50918 <lsr_read_id.part+264> add r15d, 1
0x7ffff7b5091c <lsr_read_id.part+268> cmp r15d, r13d
0x7ffff7b5091f <lsr_read_id.part+271> jb lsr_read_id.part+208 <lsr_read_id.part+208>
────────────────────────────────────────[ STACK ]────────────────────────────────────────
00:0000│ rsp 0x7fffffff68a0 —▸ 0x5555555e56e0 —▸ 0x5555555e5700 ◂— 0x800000030000042b
... ↓ 2 skipped
03:0018│ 0x7fffffff68b8 —▸ 0x7ffff784961e (gf_node_setup+30) ◂— mov qword ptr [rbx], rax
04:0020│ 0x7fffffff68c0 ◂— 0x42b
... ↓ 2 skipped
07:0038│ 0x7fffffff68d8 ◂— 0xaaefd0fae3bbeb00
──────────────────────────────────────[ BACKTRACE ]──────────────────────────────────────
► f 0 0x7ffff7b508f8 lsr_read_id.part+232
f 1 0x7ffff7b5e4bb lsr_read_rect+139
f 2 0x7ffff7b5a965 lsr_read_scene_content_model+661
f 3 0x7ffff7b5b62c lsr_read_group_content.part+316
f 4 0x7ffff7b5f0fc lsr_read_data+108
f 5 0x7ffff7b5ab3d lsr_read_scene_content_model+1133
f 6 0x7ffff7b5b62c lsr_read_group_content.part+316
f 7 0x7ffff7b5e536 lsr_read_rect+262
─────────────────────────────────────────────────────────────────────────────────────────
pwndbg> bt
#0 0x00007ffff7b508f8 in lsr_read_id.part () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
#1 0x00007ffff7b5e4bb in lsr_read_rect () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
#2 0x00007ffff7b5a965 in lsr_read_scene_content_model () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
#3 0x00007ffff7b5b62c in lsr_read_group_content.part () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
#4 0x00007ffff7b5f0fc in lsr_read_data () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
#5 0x00007ffff7b5ab3d in lsr_read_scene_content_model () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
#6 0x00007ffff7b5b62c in lsr_read_group_content.part () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
#7 0x00007ffff7b5e536 in lsr_read_rect () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
#8 0x00007ffff7b5a965 in lsr_read_scene_content_model () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
#9 0x00007ffff7b5b62c in lsr_read_group_content.part () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
#10 0x00007ffff7b5cea8 in lsr_read_audio.isra () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
#11 0x00007ffff7b5ac18 in lsr_read_scene_content_model () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
#12 0x00007ffff7b5b62c in lsr_read_group_content.part () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
#13 0x00007ffff7b60795 in lsr_read_svg () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
#14 0x00007ffff7b575c7 in lsr_read_command_list () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
#15 0x00007ffff7b59914 in lsr_decode_laser_unit () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
#16 0x00007ffff7b6204d in gf_laser_decode_command_list () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
#17 0x00007ffff7aa1eb1 in gf_sm_load_run_isom () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
#18 0x00005555555844a8 in dump_isom_scene ()
#19 0x000055555557b42c in mp4boxMain ()
#20 0x00007ffff75630b3 in __libc_start_main (main=0x55555556c420 <main>, argc=3, argv=0x7fffffffe218, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe208) at ../csu/libc-start.c:308
#21 0x000055555556c45e in _start ()
poc_16
Program received signal SIGSEGV, Segmentation fault.
0x00007ffff7b508f8 in lsr_read_id.part () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
───────────────────────────────[ REGISTERS ]────────────────────────────────
RAX 0x0
RBX 0x0
RCX 0x0
RDX 0x0
RDI 0x5555555de970 —▸ 0x5555555dee00 —▸ 0x5555555dedb0 ◂— 0x0
RSI 0x1
R8 0x1999999999999999
R9 0x0
R10 0x7ffff76daac0 (_nl_C_LC_CTYPE_toupper+512) ◂— 0x100000000
R11 0x7ffff76db3c0 (_nl_C_LC_CTYPE_class+256) ◂— 0x2000200020002
R12 0x5555555dee88 ◂— 0x0
R13 0x2
R14 0x2
R15 0x1
RBP 0x5555555dcc30 —▸ 0x5555555d26d0 ◂— 0x0
RSP 0x7fffffff6d40 —▸ 0x5555555df280 —▸ 0x5555555df2a0 ◂— 0x800000030000041a
RIP 0x7ffff7b508f8 (lsr_read_id.part+232) ◂— cmp byte ptr [rax], 0x23
───────────────────────────────────────[ DISASM ]────────────────────────────────────────
► 0x7ffff7b508f8 <lsr_read_id.part+232> cmp byte ptr [rax], 0x23
0x7ffff7b508fb <lsr_read_id.part+235> sete dl
0x7ffff7b508fe <lsr_read_id.part+238> xor esi, esi
0x7ffff7b50900 <lsr_read_id.part+240> lea rdi, [rax + rdx + 1]
0x7ffff7b50905 <lsr_read_id.part+245> mov edx, 0xa
0x7ffff7b5090a <lsr_read_id.part+250> call strtol@plt <strtol@plt>
0x7ffff7b5090f <lsr_read_id.part+255> cmp r14d, eax
0x7ffff7b50912 <lsr_read_id.part+258> je lsr_read_id.part+608 <lsr_read_id.part+608>
0x7ffff7b50918 <lsr_read_id.part+264> add r15d, 1
0x7ffff7b5091c <lsr_read_id.part+268> cmp r15d, r13d
0x7ffff7b5091f <lsr_read_id.part+271> jb lsr_read_id.part+208 <lsr_read_id.part+208>
────────────────────────────────────────[ STACK ]────────────────────────────────────────
00:0000│ rsp 0x7fffffff6d40 —▸ 0x5555555df280 —▸ 0x5555555df2a0 ◂— 0x800000030000041a
... ↓ 2 skipped
03:0018│ 0x7fffffff6d58 —▸ 0x7ffff784961e (gf_node_setup+30) ◂— mov qword ptr [rbx], rax
04:0020│ 0x7fffffff6d60 ◂— 0x41a
... ↓ 2 skipped
07:0038│ 0x7fffffff6d78 ◂— 0x5c21095cb581c200
──────────────────────────────────────[ BACKTRACE ]──────────────────────────────────────
► f 0 0x7ffff7b508f8 lsr_read_id.part+232
f 1 0x7ffff7b55c63 lsr_read_foreignObject+99
f 2 0x7ffff7b5abb0 lsr_read_scene_content_model+1248
f 3 0x7ffff7b5b62c lsr_read_group_content.part+316
f 4 0x7ffff7b60795 lsr_read_svg+885
f 5 0x7ffff7b575c7 lsr_read_command_list+759
f 6 0x7ffff7b59914 lsr_decode_laser_unit+708
f 7 0x7ffff7b6204d gf_laser_decode_command_list+333
─────────────────────────────────────────────────────────────────────────────────────────
pwndbg> bt
#0 0x00007ffff7b508f8 in lsr_read_id.part () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
#1 0x00007ffff7b55c63 in lsr_read_foreignObject () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
#2 0x00007ffff7b5abb0 in lsr_read_scene_content_model () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
#3 0x00007ffff7b5b62c in lsr_read_group_content.part () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
#4 0x00007ffff7b60795 in lsr_read_svg () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
#5 0x00007ffff7b575c7 in lsr_read_command_list () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
#6 0x00007ffff7b59914 in lsr_decode_laser_unit () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
#7 0x00007ffff7b6204d in gf_laser_decode_command_list () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
#8 0x00007ffff7aa1eb1 in gf_sm_load_run_isom () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
#9 0x00005555555844a8 in dump_isom_scene ()
#10 0x000055555557b42c in mp4boxMain ()
#11 0x00007ffff75630b3 in __libc_start_main (main=0x55555556c420 <main>, argc=3, argv=0x7fffffffe218, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe208) at ../csu/libc-start.c:308
#12 0x000055555556c45e in _start ()
poc_18
Program received signal SIGSEGV, Segmentation fault.
0x00007ffff7b508f8 in lsr_read_id.part () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
───────────────────────────────[ REGISTERS ]────────────────────────────────
RAX 0x0
RBX 0x0
RCX 0x0
RDX 0x0
RDI 0x5555555de970 —▸ 0x5555555dee00 —▸ 0x5555555dedb0 ◂— 0x0
RSI 0x1
R8 0x1999999999999999
R9 0x0
R10 0x7ffff76daac0 (_nl_C_LC_CTYPE_toupper+512) ◂— 0x100000000
R11 0x7ffff76db3c0 (_nl_C_LC_CTYPE_class+256) ◂— 0x2000200020002
R12 0x5555555dee88 ◂— 0x0
R13 0x2
R14 0x4
R15 0x1
RBP 0x5555555dcc30 —▸ 0x5555555d26d0 ◂— 0x0
RSP 0x7fffffff6d80 —▸ 0x5555555df1f0 —▸ 0x5555555df210 ◂— 0x8000000300000415
RIP 0x7ffff7b508f8 (lsr_read_id.part+232) ◂— cmp byte ptr [rax], 0x23
───────────────────────────────────────[ DISASM ]────────────────────────────────────────
► 0x7ffff7b508f8 <lsr_read_id.part+232> cmp byte ptr [rax], 0x23
0x7ffff7b508fb <lsr_read_id.part+235> sete dl
0x7ffff7b508fe <lsr_read_id.part+238> xor esi, esi
0x7ffff7b50900 <lsr_read_id.part+240> lea rdi, [rax + rdx + 1]
0x7ffff7b50905 <lsr_read_id.part+245> mov edx, 0xa
0x7ffff7b5090a <lsr_read_id.part+250> call strtol@plt <strtol@plt>
0x7ffff7b5090f <lsr_read_id.part+255> cmp r14d, eax
0x7ffff7b50912 <lsr_read_id.part+258> je lsr_read_id.part+608 <lsr_read_id.part+608>
0x7ffff7b50918 <lsr_read_id.part+264> add r15d, 1
0x7ffff7b5091c <lsr_read_id.part+268> cmp r15d, r13d
0x7ffff7b5091f <lsr_read_id.part+271> jb lsr_read_id.part+208 <lsr_read_id.part+208>
────────────────────────────────────────[ STACK ]────────────────────────────────────────
00:0000│ rsp 0x7fffffff6d80 —▸ 0x5555555df1f0 —▸ 0x5555555df210 ◂— 0x8000000300000415
... ↓ 2 skipped
03:0018│ 0x7fffffff6d98 —▸ 0x7ffff784961e (gf_node_setup+30) ◂— mov qword ptr [rbx], rax
04:0020│ 0x7fffffff6da0 ◂— 0x415
... ↓ 2 skipped
07:0038│ 0x7fffffff6db8 ◂— 0x812c333cc038400
──────────────────────────────────────[ BACKTRACE ]──────────────────────────────────────
► f 0 0x7ffff7b508f8 lsr_read_id.part+232
f 1 0x7ffff7b5d22e lsr_read_ellipse+78
f 2 0x7ffff7b5abc8 lsr_read_scene_content_model+1272
f 3 0x7ffff7b5b62c lsr_read_group_content.part+316
f 4 0x7ffff7b60795 lsr_read_svg+885
f 5 0x7ffff7b575c7 lsr_read_command_list+759
f 6 0x7ffff7b59914 lsr_decode_laser_unit+708
f 7 0x7ffff7b6204d gf_laser_decode_command_list+333
─────────────────────────────────────────────────────────────────────────────────────────
pwndbg> bt
#0 0x00007ffff7b508f8 in lsr_read_id.part () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
#1 0x00007ffff7b5d22e in lsr_read_ellipse () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
#2 0x00007ffff7b5abc8 in lsr_read_scene_content_model () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
#3 0x00007ffff7b5b62c in lsr_read_group_content.part () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
#4 0x00007ffff7b60795 in lsr_read_svg () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
#5 0x00007ffff7b575c7 in lsr_read_command_list () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
#6 0x00007ffff7b59914 in lsr_decode_laser_unit () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
#7 0x00007ffff7b6204d in gf_laser_decode_command_list () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
#8 0x00007ffff7aa1eb1 in gf_sm_load_run_isom () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
#9 0x00005555555844a8 in dump_isom_scene ()
#10 0x000055555557b42c in mp4boxMain ()
#11 0x00007ffff75630b3 in __libc_start_main (main=0x55555556c420 <main>, argc=3, argv=0x7fffffffe218, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe208) at ../csu/libc-start.c:308
#12 0x000055555556c45e in _start ()
Thanks for reporting your issue. Please make sure these boxes are checked before submitting your issue - thank you!
Detailed guidelines: http://gpac.io/2013/07/16/how-to-file-a-bug-properly/
A null pointer dereference was discovered in lsr_read_id.part(). The vulnerability causes a segmentation fault and application crash. In the register dumps above, the faulting instruction is `cmp byte ptr [rax], 0x23` with RAX = 0x0 for poc_16 and poc_18, whereas for poc_15 RAX = 0x770000007c, a non-null but invalid pointer, so the crash on that input looks like an invalid read rather than a plain NULL dereference.
Version:
System information
Ubuntu 20.04 focal, AMD EPYC 7742 64-Core @ 16x 2.25GHz
command:
poc.zip
Result
poc_15
poc_16
poc_18
gdb
poc_15
poc_16
poc_18