
Null Pointer Dereference in lsr_read_id.part() #1979

Closed
3 tasks done
AiDaiP opened this issue Dec 11, 2021 · 1 comment

AiDaiP commented Dec 11, 2021

Thanks for reporting your issue. Please make sure these boxes are checked before submitting your issue - thank you!

Detailed guidelines: http://gpac.io/2013/07/16/how-to-file-a-bug-properly/

A null pointer dereference was discovered in lsr_read_id.part(). The vulnerability causes a segmentation fault and application crash.

Version:

MP4Box - GPAC version 1.1.0-DEV-revUNKNOWN_REV
(c) 2000-2021 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io

Please cite our work in your research:
        GPAC Filters: https://doi.org/10.1145/3339825.3394929
        GPAC: https://doi.org/10.1145/1291233.1291452

GPAC Configuration:
Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_JPEG GPAC_HAS_PNG GPAC_HAS_LINUX_DVB  GPAC_DISABLE_3D

System information
Ubuntu 20.04 focal, AMD EPYC 7742 64-Core @ 16x 2.25GHz

command:

./MP4Box -bt poc_15
./MP4Box -bt poc_16
./MP4Box -bt poc_18

poc.zip

Result

poc_15

[iso file] extra box maxr found in hinf, deleting
[iso file] extra box maxr found in hinf, deleting
[iso file] Unknown box type 80rak in parent moov
[iso file] Incomplete box mdat - start 11495 size 852201
[iso file] Incomplete file while reading for dump - aborting parsing
[iso file] extra box maxr found in hinf, deleting
[iso file] extra box maxr found in hinf, deleting
[iso file] Unknown box type 80rak in parent moov
[iso file] Incomplete box mdat - start 11495 size 852201
[iso file] Incomplete file while reading for dump - aborting parsing
MPEG-4 LASeR Scene Parsing
[LASeR] samepolyXXX coded in bitstream but no polyXXX defined !
[LASeR] samepolyXXX coded in bitstream but no polyXXX defined !
[LASeR] samepolyXXX coded in bitstream but no polyXXX defined !
[LASeR] samerect coded in bitstream but no rect defined !
[LASeR] samerect coded in bitstream but no rect defined !
[1]    1501387 segmentation fault  ./MP4Box -bt ./poc/poc_15

poc_16

[iso file] extra box maxr found in hinf, deleting
[iso file] extra box maxr found in hinf, deleting
[iso file] Unknown box type 80rak in parent moov
[iso file] Incomplete box mdat - start 11495 size 861267
[iso file] Incomplete file while reading for dump - aborting parsing
[iso file] extra box maxr found in hinf, deleting
[iso file] extra box maxr found in hinf, deleting
[iso file] Unknown box type 80rak in parent moov
[iso file] Incomplete box mdat - start 11495 size 861267
[iso file] Incomplete file while reading for dump - aborting parsing
MPEG-4 LASeR Scene Parsing
[1]    2404995 segmentation fault  ./MP4Box -bt ./poc/poc_16

poc_18

[iso file] extra box maxr found in hinf, deleting
[iso file] extra box maxr found in hinf, deleting
[iso file] Unknown box type 80rak in parent moov
[iso file] Incomplete box mdat - start 11495 size 861267
[iso file] Incomplete file while reading for dump - aborting parsing
[iso file] extra box maxr found in hinf, deleting
[iso file] extra box maxr found in hinf, deleting
[iso file] Unknown box type 80rak in parent moov
[iso file] Incomplete box mdat - start 11495 size 861267
[iso file] Incomplete file while reading for dump - aborting parsing
MPEG-4 LASeR Scene Parsing
[1]    1048981 segmentation fault  ./MP4Box -bt ./poc/poc_18

gdb

poc_15

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff7b508f8 in lsr_read_id.part () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
───────────────────────────────[ REGISTERS ]────────────────────────────────
 RAX  0x770000007c
 RBX  0x0
 RCX  0x5555555e5760 ◂— 0x8b374bf60d8b0d94
 RDX  0x0
 RDI  0x5555555deda0 —▸ 0x5555555e4e20 —▸ 0x7fffffff69c0 ◂— 0x5b0000006e /* 'n' */
 RSI  0x0
 R8   0x5555555e5740 —▸ 0x5555555e4730 —▸ 0x5555555e5530 ◂— 0x0
 R9   0x5555555e5a10 ◂— 0x2b0
 R10  0x5555555c6010 ◂— 0x0
 R11  0x7ffff7727be0 (main_arena+96) —▸ 0x5555555e5af0 ◂— 0x3529 /* ')5' */
 R12  0x7fffffff69c0 ◂— 0x5b0000006e /* 'n' */
 R13  0x3
 R14  0xe
 R15  0x0
 RBP  0x5555555dcf10 —▸ 0x5555555d2750 ◂— 0x0
 RSP  0x7fffffff68a0 —▸ 0x5555555e56e0 —▸ 0x5555555e5700 ◂— 0x800000030000042b
 RIP  0x7ffff7b508f8 (lsr_read_id.part+232) ◂— cmp    byte ptr [rax], 0x23
───────────────────────────────────────[ DISASM ]────────────────────────────────────────
 ► 0x7ffff7b508f8 <lsr_read_id.part+232>    cmp    byte ptr [rax], 0x23
   0x7ffff7b508fb <lsr_read_id.part+235>    sete   dl
   0x7ffff7b508fe <lsr_read_id.part+238>    xor    esi, esi
   0x7ffff7b50900 <lsr_read_id.part+240>    lea    rdi, [rax + rdx + 1]
   0x7ffff7b50905 <lsr_read_id.part+245>    mov    edx, 0xa
   0x7ffff7b5090a <lsr_read_id.part+250>    call   strtol@plt                <strtol@plt>

   0x7ffff7b5090f <lsr_read_id.part+255>    cmp    r14d, eax
   0x7ffff7b50912 <lsr_read_id.part+258>    je     lsr_read_id.part+608                <lsr_read_id.part+608>

   0x7ffff7b50918 <lsr_read_id.part+264>    add    r15d, 1
   0x7ffff7b5091c <lsr_read_id.part+268>    cmp    r15d, r13d
   0x7ffff7b5091f <lsr_read_id.part+271>    jb     lsr_read_id.part+208                <lsr_read_id.part+208>
────────────────────────────────────────[ STACK ]────────────────────────────────────────
00:0000│ rsp 0x7fffffff68a0 —▸ 0x5555555e56e0 —▸ 0x5555555e5700 ◂— 0x800000030000042b
... ↓        2 skipped
03:0018│     0x7fffffff68b8 —▸ 0x7ffff784961e (gf_node_setup+30) ◂— mov    qword ptr [rbx], rax
04:0020│     0x7fffffff68c0 ◂— 0x42b
... ↓        2 skipped
07:0038│     0x7fffffff68d8 ◂— 0xaaefd0fae3bbeb00
──────────────────────────────────────[ BACKTRACE ]──────────────────────────────────────
 ► f 0   0x7ffff7b508f8 lsr_read_id.part+232
   f 1   0x7ffff7b5e4bb lsr_read_rect+139
   f 2   0x7ffff7b5a965 lsr_read_scene_content_model+661
   f 3   0x7ffff7b5b62c lsr_read_group_content.part+316
   f 4   0x7ffff7b5f0fc lsr_read_data+108
   f 5   0x7ffff7b5ab3d lsr_read_scene_content_model+1133
   f 6   0x7ffff7b5b62c lsr_read_group_content.part+316
   f 7   0x7ffff7b5e536 lsr_read_rect+262
─────────────────────────────────────────────────────────────────────────────────────────
pwndbg> bt
#0  0x00007ffff7b508f8 in lsr_read_id.part () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
#1  0x00007ffff7b5e4bb in lsr_read_rect () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
#2  0x00007ffff7b5a965 in lsr_read_scene_content_model () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
#3  0x00007ffff7b5b62c in lsr_read_group_content.part () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
#4  0x00007ffff7b5f0fc in lsr_read_data () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
#5  0x00007ffff7b5ab3d in lsr_read_scene_content_model () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
#6  0x00007ffff7b5b62c in lsr_read_group_content.part () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
#7  0x00007ffff7b5e536 in lsr_read_rect () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
#8  0x00007ffff7b5a965 in lsr_read_scene_content_model () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
#9  0x00007ffff7b5b62c in lsr_read_group_content.part () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
#10 0x00007ffff7b5cea8 in lsr_read_audio.isra () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
#11 0x00007ffff7b5ac18 in lsr_read_scene_content_model () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
#12 0x00007ffff7b5b62c in lsr_read_group_content.part () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
#13 0x00007ffff7b60795 in lsr_read_svg () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
#14 0x00007ffff7b575c7 in lsr_read_command_list () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
#15 0x00007ffff7b59914 in lsr_decode_laser_unit () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
#16 0x00007ffff7b6204d in gf_laser_decode_command_list () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
#17 0x00007ffff7aa1eb1 in gf_sm_load_run_isom () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
#18 0x00005555555844a8 in dump_isom_scene ()
#19 0x000055555557b42c in mp4boxMain ()
#20 0x00007ffff75630b3 in __libc_start_main (main=0x55555556c420 <main>, argc=3, argv=0x7fffffffe218, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe208) at ../csu/libc-start.c:308
#21 0x000055555556c45e in _start ()

poc_16

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff7b508f8 in lsr_read_id.part () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
───────────────────────────────[ REGISTERS ]────────────────────────────────
 RAX  0x0
 RBX  0x0
 RCX  0x0
 RDX  0x0
 RDI  0x5555555de970 —▸ 0x5555555dee00 —▸ 0x5555555dedb0 ◂— 0x0
 RSI  0x1
 R8   0x1999999999999999
 R9   0x0
 R10  0x7ffff76daac0 (_nl_C_LC_CTYPE_toupper+512) ◂— 0x100000000
 R11  0x7ffff76db3c0 (_nl_C_LC_CTYPE_class+256) ◂— 0x2000200020002
 R12  0x5555555dee88 ◂— 0x0
 R13  0x2
 R14  0x2
 R15  0x1
 RBP  0x5555555dcc30 —▸ 0x5555555d26d0 ◂— 0x0
 RSP  0x7fffffff6d40 —▸ 0x5555555df280 —▸ 0x5555555df2a0 ◂— 0x800000030000041a
 RIP  0x7ffff7b508f8 (lsr_read_id.part+232) ◂— cmp    byte ptr [rax], 0x23
───────────────────────────────────────[ DISASM ]────────────────────────────────────────
 ► 0x7ffff7b508f8 <lsr_read_id.part+232>    cmp    byte ptr [rax], 0x23
   0x7ffff7b508fb <lsr_read_id.part+235>    sete   dl
   0x7ffff7b508fe <lsr_read_id.part+238>    xor    esi, esi
   0x7ffff7b50900 <lsr_read_id.part+240>    lea    rdi, [rax + rdx + 1]
   0x7ffff7b50905 <lsr_read_id.part+245>    mov    edx, 0xa
   0x7ffff7b5090a <lsr_read_id.part+250>    call   strtol@plt                <strtol@plt>

   0x7ffff7b5090f <lsr_read_id.part+255>    cmp    r14d, eax
   0x7ffff7b50912 <lsr_read_id.part+258>    je     lsr_read_id.part+608                <lsr_read_id.part+608>

   0x7ffff7b50918 <lsr_read_id.part+264>    add    r15d, 1
   0x7ffff7b5091c <lsr_read_id.part+268>    cmp    r15d, r13d
   0x7ffff7b5091f <lsr_read_id.part+271>    jb     lsr_read_id.part+208                <lsr_read_id.part+208>
────────────────────────────────────────[ STACK ]────────────────────────────────────────
00:0000│ rsp 0x7fffffff6d40 —▸ 0x5555555df280 —▸ 0x5555555df2a0 ◂— 0x800000030000041a
... ↓        2 skipped
03:0018│     0x7fffffff6d58 —▸ 0x7ffff784961e (gf_node_setup+30) ◂— mov    qword ptr [rbx], rax
04:0020│     0x7fffffff6d60 ◂— 0x41a
... ↓        2 skipped
07:0038│     0x7fffffff6d78 ◂— 0x5c21095cb581c200
──────────────────────────────────────[ BACKTRACE ]──────────────────────────────────────
 ► f 0   0x7ffff7b508f8 lsr_read_id.part+232
   f 1   0x7ffff7b55c63 lsr_read_foreignObject+99
   f 2   0x7ffff7b5abb0 lsr_read_scene_content_model+1248
   f 3   0x7ffff7b5b62c lsr_read_group_content.part+316
   f 4   0x7ffff7b60795 lsr_read_svg+885
   f 5   0x7ffff7b575c7 lsr_read_command_list+759
   f 6   0x7ffff7b59914 lsr_decode_laser_unit+708
   f 7   0x7ffff7b6204d gf_laser_decode_command_list+333
─────────────────────────────────────────────────────────────────────────────────────────
pwndbg> bt
#0  0x00007ffff7b508f8 in lsr_read_id.part () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
#1  0x00007ffff7b55c63 in lsr_read_foreignObject () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
#2  0x00007ffff7b5abb0 in lsr_read_scene_content_model () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
#3  0x00007ffff7b5b62c in lsr_read_group_content.part () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
#4  0x00007ffff7b60795 in lsr_read_svg () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
#5  0x00007ffff7b575c7 in lsr_read_command_list () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
#6  0x00007ffff7b59914 in lsr_decode_laser_unit () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
#7  0x00007ffff7b6204d in gf_laser_decode_command_list () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
#8  0x00007ffff7aa1eb1 in gf_sm_load_run_isom () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
#9  0x00005555555844a8 in dump_isom_scene ()
#10 0x000055555557b42c in mp4boxMain ()
#11 0x00007ffff75630b3 in __libc_start_main (main=0x55555556c420 <main>, argc=3, argv=0x7fffffffe218, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe208) at ../csu/libc-start.c:308
#12 0x000055555556c45e in _start ()

poc_18

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff7b508f8 in lsr_read_id.part () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
───────────────────────────────[ REGISTERS ]────────────────────────────────
 RAX  0x0
 RBX  0x0
 RCX  0x0
 RDX  0x0
 RDI  0x5555555de970 —▸ 0x5555555dee00 —▸ 0x5555555dedb0 ◂— 0x0
 RSI  0x1
 R8   0x1999999999999999
 R9   0x0
 R10  0x7ffff76daac0 (_nl_C_LC_CTYPE_toupper+512) ◂— 0x100000000
 R11  0x7ffff76db3c0 (_nl_C_LC_CTYPE_class+256) ◂— 0x2000200020002
 R12  0x5555555dee88 ◂— 0x0
 R13  0x2
 R14  0x4
 R15  0x1
 RBP  0x5555555dcc30 —▸ 0x5555555d26d0 ◂— 0x0
 RSP  0x7fffffff6d80 —▸ 0x5555555df1f0 —▸ 0x5555555df210 ◂— 0x8000000300000415
 RIP  0x7ffff7b508f8 (lsr_read_id.part+232) ◂— cmp    byte ptr [rax], 0x23
───────────────────────────────────────[ DISASM ]────────────────────────────────────────
 ► 0x7ffff7b508f8 <lsr_read_id.part+232>    cmp    byte ptr [rax], 0x23
   0x7ffff7b508fb <lsr_read_id.part+235>    sete   dl
   0x7ffff7b508fe <lsr_read_id.part+238>    xor    esi, esi
   0x7ffff7b50900 <lsr_read_id.part+240>    lea    rdi, [rax + rdx + 1]
   0x7ffff7b50905 <lsr_read_id.part+245>    mov    edx, 0xa
   0x7ffff7b5090a <lsr_read_id.part+250>    call   strtol@plt                <strtol@plt>

   0x7ffff7b5090f <lsr_read_id.part+255>    cmp    r14d, eax
   0x7ffff7b50912 <lsr_read_id.part+258>    je     lsr_read_id.part+608                <lsr_read_id.part+608>

   0x7ffff7b50918 <lsr_read_id.part+264>    add    r15d, 1
   0x7ffff7b5091c <lsr_read_id.part+268>    cmp    r15d, r13d
   0x7ffff7b5091f <lsr_read_id.part+271>    jb     lsr_read_id.part+208                <lsr_read_id.part+208>
────────────────────────────────────────[ STACK ]────────────────────────────────────────
00:0000│ rsp 0x7fffffff6d80 —▸ 0x5555555df1f0 —▸ 0x5555555df210 ◂— 0x8000000300000415
... ↓        2 skipped
03:0018│     0x7fffffff6d98 —▸ 0x7ffff784961e (gf_node_setup+30) ◂— mov    qword ptr [rbx], rax
04:0020│     0x7fffffff6da0 ◂— 0x415
... ↓        2 skipped
07:0038│     0x7fffffff6db8 ◂— 0x812c333cc038400
──────────────────────────────────────[ BACKTRACE ]──────────────────────────────────────
 ► f 0   0x7ffff7b508f8 lsr_read_id.part+232
   f 1   0x7ffff7b5d22e lsr_read_ellipse+78
   f 2   0x7ffff7b5abc8 lsr_read_scene_content_model+1272
   f 3   0x7ffff7b5b62c lsr_read_group_content.part+316
   f 4   0x7ffff7b60795 lsr_read_svg+885
   f 5   0x7ffff7b575c7 lsr_read_command_list+759
   f 6   0x7ffff7b59914 lsr_decode_laser_unit+708
   f 7   0x7ffff7b6204d gf_laser_decode_command_list+333
─────────────────────────────────────────────────────────────────────────────────────────
pwndbg> bt
#0  0x00007ffff7b508f8 in lsr_read_id.part () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
#1  0x00007ffff7b5d22e in lsr_read_ellipse () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
#2  0x00007ffff7b5abc8 in lsr_read_scene_content_model () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
#3  0x00007ffff7b5b62c in lsr_read_group_content.part () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
#4  0x00007ffff7b60795 in lsr_read_svg () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
#5  0x00007ffff7b575c7 in lsr_read_command_list () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
#6  0x00007ffff7b59914 in lsr_decode_laser_unit () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
#7  0x00007ffff7b6204d in gf_laser_decode_command_list () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
#8  0x00007ffff7aa1eb1 in gf_sm_load_run_isom () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
#9  0x00005555555844a8 in dump_isom_scene ()
#10 0x000055555557b42c in mp4boxMain ()
#11 0x00007ffff75630b3 in __libc_start_main (main=0x55555556c420 <main>, argc=3, argv=0x7fffffffe218, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe208) at ../csu/libc-start.c:308
#12 0x000055555556c45e in _start ()
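As an added illustration (not GPAC's code and not part of the report above): the disassembly shows lsr_read_id comparing the first byte of a stored reference string with '#' (0x23), skipping one more character and handing the rest to strtol in base 10, and with RAX = 0 that first compare is the fault. The hypothetical DeferredHref model and the function names below are assumptions made for this example; it places the unchecked pattern beside a NULL-tolerant, strictly parsed version.

```c
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
/* Hypothetical model of a pending reference (not GPAC's own struct). */
typedef struct {
    const char *string; /* textual target such as "#N3" or "N3"; may be NULL */
    unsigned    target; /* resolved node id, 0 = still unresolved */
} DeferredHref;

/* Unsafe pattern matching the disassembly above: the string is dereferenced
 * (first byte compared with '#') before anything checks it is non-NULL. */
static int unsafe_parse_ref(const char *str)
{
    if (str[0] == '#') str++;   /* SIGSEGV here when str == NULL (RAX = 0) */
    return atoi(str + 1);       /* skip the one-character prefix */
}

/* Hardened: returns the referenced id (>= 1) or 0 for NULL/malformed input;
 * ids start at 1 in this model, so 0 unambiguously means "no reference". */
static unsigned safe_parse_ref(const char *str)
{
    const char *p = str; char *end; unsigned long v;
    if (!p || !*p) return 0;            /* NULL or empty: nothing to resolve */
    if (*p == '#') p++;
    if (*p++ != 'N') return 0;          /* expect "N<digits>" after optional '#' */
    if (*p < '0' || *p > '9') return 0; /* atoi would silently yield 0 for "N" */
    errno = 0;
    v = strtoul(p, &end, 10);
    if (errno || *end || v == 0 || v > UINT_MAX) return 0;
    return (unsigned)v;
}

/* Bind every pending reference naming node `id`; unparsable entries are
 * skipped instead of crashing. Returns the number of references resolved. */
int resolve_deferred_hrefs(DeferredHref *hrefs, size_t count, unsigned id)
{
    int resolved = 0;
    for (size_t i = 0; i < count; i++) {
        if (hrefs[i].target || safe_parse_ref(hrefs[i].string) != id) continue;
        hrefs[i].target = id;
        resolved++;
    }
    return resolved;
}

/* Constructed sample: two refs to node 3, a NULL entry (the crashing shape)
 * and a ref to node 4. Resolving node 3 returns 2 without faulting. */
int demo_resolve(void)
{
    DeferredHref hrefs[] = { {"#N3", 0}, {NULL, 0}, {"N3", 0}, {"N4", 0} };
    return resolve_deferred_hrefs(hrefs, sizeof hrefs / sizeof hrefs[0], 3);
}

int main(void) { printf("resolved %d href(s) for node 3\n", demo_resolve()); return 0; }
```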
@jeanlf
Contributor

jeanlf commented Dec 13, 2021

fixed by one of the previous fixes, thanks for the POC

@jeanlf jeanlf closed this as completed Dec 13, 2021