Invalid free in gf_svg_node_del() #1986

Closed
3 tasks done
AiDaiP opened this issue Dec 14, 2021 · 1 comment


AiDaiP commented Dec 14, 2021

Thanks for reporting your issue. Please make sure these boxes are checked before submitting your issue - thank you!

Detailed guidelines: http://gpac.io/2013/07/16/how-to-file-a-bug-properly/

An invalid free was discovered in gf_svg_node_del(). The vulnerability causes a segmentation fault and application crash.

Version:

MP4Box - GPAC version 1.1.0-DEV-rev1555-g339e7a736-master
(c) 2000-2021 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io

Please cite our work in your research:
        GPAC Filters: https://doi.org/10.1145/3339825.3394929
        GPAC: https://doi.org/10.1145/1291233.1291452

GPAC Configuration: --prefix=/root/fuck_bin/gpac/test
Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_JPEG GPAC_HAS_PNG GPAC_HAS_LINUX_DVB  GPAC_DISABLE_3D

System information
Ubuntu 20.04 focal, AMD EPYC 7742 64-Core @ 16x 2.25GHz

command:

./MP4Box -bt poc

gf_svg_node_del-gf_node_unregister.zip

Result

┌─[root@aidai-virtual-machine] - [~/fuck_bin/gpac/results/fuckbt2] - [Tue Dec 14, 10:45]
└─[$] <> ../../test/lib/MP4Box -bt lsr_read_anim_values_ex.part-lsr_read_animateTransform/id:000439,sig:11,src:004575+004803,op:splice,rep:2
[iso file] extra box maxr found in hinf, deleting
[iso file] extra box maxr found in hinf, deleting
[iso file] Unknown box type 80rak in parent moov
[iso file] Incomplete box mdat - start 11495 size 853091
[iso file] Incomplete file while reading for dump - aborting parsing
[iso file] extra box maxr found in hinf, deleting
[iso file] extra box maxr found in hinf, deleting
[iso file] Unknown box type 80rak in parent moov
[iso file] Incomplete box mdat - start 11495 size 853091
[iso file] Incomplete file while reading for dump - aborting parsing
MPEG-4 LASeR Scene Parsing
[LASeR] memory overread - corrupted decoding
[1]    3777658 segmentation fault  ../../test/lib/MP4Box -bt
┌─[root@aidai-virtual-machine] - [~/fuck_bin/gpac/results/fuckbt2] - [Tue Dec 14, 10:45]
└─[$] <> /root/fuck_bin/gpac/test/lib/MP4Box -bt gf_svg_node_del-gf_node_unregister/id:000409,sig:11,src:004547,op:havoc,rep:8
[iso file] extra box maxr found in hinf, deleting
[iso file] extra box maxr found in hinf, deleting
[iso file] Unknown box type 80rak in parent moov
[iso file] Incomplete box mdat - start 11495 size 853069
[iso file] Incomplete file while reading for dump - aborting parsing
[iso file] extra box maxr found in hinf, deleting
[iso file] extra box maxr found in hinf, deleting
[iso file] Unknown box type 80rak in parent moov
[iso file] Incomplete box mdat - start 11495 size 853069
[iso file] Incomplete file while reading for dump - aborting parsing
MPEG-4 LASeR Scene Parsing
[LASeR] samerect coded in bitstream but no rect defined !
double free or corruption (out)
[1]    3786815 abort      /root/fuck_bin/gpac/test/lib/MP4Box -bt

gdb

Program received signal SIGABRT, Aborted.
__GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
50      ../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
────────────────────────────────────────────[ REGISTERS ]─────────────────────────────────────────────
 RAX  0x0
 RBX  0x7ffff72bf040 ◂— 0x7ffff72bf040
 RCX  0x7ffff758218b (raise+203) ◂— mov    rax, qword ptr [rsp + 0x108]
 RDX  0x0
 RDI  0x2
 RSI  0x7fffffff6a30 ◂— 0x0
 R8   0x0
 R9   0x7fffffff6a30 ◂— 0x0
 R10  0x8
 R11  0x246
 R12  0x7fffffff6ca0 ◂— 0x0
 R13  0x10
 R14  0x7ffff7ffb000 ◂— 0x62756f6400001000
 R15  0x1
 RBP  0x7fffffff6d80 —▸ 0x7ffff7727b80 (main_arena) ◂— 0x0
 RSP  0x7fffffff6a30 ◂— 0x0
 RIP  0x7ffff758218b (raise+203) ◂— mov    rax, qword ptr [rsp + 0x108]
──────────────────────────────────────────────[ DISASM ]──────────────────────────────────────────────
 ► 0x7ffff758218b <raise+203>    mov    rax, qword ptr [rsp + 0x108]
   0x7ffff7582193 <raise+211>    xor    rax, qword ptr fs:[0x28]
   0x7ffff758219c <raise+220>    jne    raise+260                <raise+260>
    ↓
   0x7ffff75821c4 <raise+260>    call   __stack_chk_fail                <__stack_chk_fail>

   0x7ffff75821c9                nop    dword ptr [rax]
   0x7ffff75821d0 <killpg>       endbr64
   0x7ffff75821d4 <killpg+4>     test   edi, edi
   0x7ffff75821d6 <killpg+6>     js     killpg+16                <killpg+16>

   0x7ffff75821d8 <killpg+8>     neg    edi
   0x7ffff75821da <killpg+10>    jmp    kill                <kill>

   0x7ffff75821df <killpg+15>    nop
──────────────────────────────────────────────[ STACK ]───────────────────────────────────────────────
00:0000│ rsi r9 rsp 0x7fffffff6a30 ◂— 0x0
01:0008│            0x7fffffff6a38 —▸ 0x7ffff7fe7c2e ◂— mov    r11, rax
02:0010│            0x7fffffff6a40 ◂— 0x2
03:0018│            0x7fffffff6a48 —▸ 0x5555555e06e0 —▸ 0x5555555e0698 ◂— 0x0
04:0020│            0x7fffffff6a50 ◂— 0x18
05:0028│            0x7fffffff6a58 —▸ 0x5555555e06f0 —▸ 0x5555555e2758 ◂— 0x0
06:0030│            0x7fffffff6a60 —▸ 0x5555555e37b0 —▸ 0x5555555e37d0 ◂— 0x8000000300000426
07:0038│            0x7fffffff6a68 —▸ 0x5555555e06f0 —▸ 0x5555555e2758 ◂— 0x0
────────────────────────────────────────────[ BACKTRACE ]─────────────────────────────────────────────
 ► f 0   0x7ffff758218b raise+203
   f 1   0x7ffff7561859 abort+299
   f 2   0x7ffff75cc3ee __libc_message+670
   f 3   0x7ffff75d447c
   f 4   0x7ffff75d6120 _int_free+1888
   f 5   0x7ffff7b51c85 lsr_read_id+629
   f 6   0x7ffff7b5e91b lsr_read_path+283
   f 7   0x7ffff7b61822 lsr_read_update_content_model+770
──────────────────────────────────────────────────────────────────────────────────────────────────────
pwndbg> bt
#0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
#1  0x00007ffff7561859 in __GI_abort () at abort.c:79
#2  0x00007ffff75cc3ee in __libc_message (action=action@entry=do_abort, fmt=fmt@entry=0x7ffff76f6285 "%s\n") at ../sysdeps/posix/libc_fatal.c:155
#3  0x00007ffff75d447c in malloc_printerr (str=str@entry=0x7ffff76f8670 "double free or corruption (out)") at malloc.c:5347
#4  0x00007ffff75d6120 in _int_free (av=0x7ffff7727b80 <main_arena>, p=0x5555555e06e0, have_lock=<optimized out>) at malloc.c:4314
#5  0x00007ffff7b51c85 in lsr_read_id () from /root/fuck_bin/gpac/test/lib/libgpac.so.10
#6  0x00007ffff7b5e91b in lsr_read_path () from /root/fuck_bin/gpac/test/lib/libgpac.so.10
#7  0x00007ffff7b61822 in lsr_read_update_content_model () from /root/fuck_bin/gpac/test/lib/libgpac.so.10
#8  0x00007ffff7b59fc3 in lsr_read_command_list () from /root/fuck_bin/gpac/test/lib/libgpac.so.10
#9  0x00007ffff7b5ab74 in lsr_decode_laser_unit () from /root/fuck_bin/gpac/test/lib/libgpac.so.10
#10 0x00007ffff7b6239d in gf_laser_decode_command_list () from /root/fuck_bin/gpac/test/lib/libgpac.so.10
#11 0x00007ffff7aa3061 in gf_sm_load_run_isom () from /root/fuck_bin/gpac/test/lib/libgpac.so.10
#12 0x00005555555844a8 in dump_isom_scene ()
#13 0x000055555557b42c in mp4boxMain ()
#14 0x00007ffff75630b3 in __libc_start_main (main=0x55555556c420 <main>, argc=3, argv=0x7fffffffe1e8, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe1d8) at ../csu/libc-start.c:308
#15 0x000055555556c45e in _start ()
Breakpoint 4, __GI___libc_free (mem=0x5555555e06f0) at malloc.c:3087
3087    in malloc.c
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
────────────────────────────────────────────[ REGISTERS ]─────────────────────────────────────────────
 RAX  0x5555555e37b0 —▸ 0x5555555e37d0 ◂— 0x8000000300000426
 RBX  0x5555555dc120 —▸ 0x5555555d1a00 ◂— 0x0
*RCX  0x27
*RDX  0xa
*RDI  0x5555555e06f0 —▸ 0x5555555e2758 ◂— 0x0
*RSI  0xfffffff7
 R8   0x1999999999999999
 R9   0x0
 R10  0x7ffff76daac0 (_nl_C_LC_CTYPE_toupper+512) ◂— 0x100000000
 R11  0x7ffff76db3c0 (_nl_C_LC_CTYPE_class+256) ◂— 0x2000200020002
 R12  0x1
*R13  0x3
 R14  0x0
*R15  0x7fffffff6a50 ◂— 0x18
 RBP  0x0
 RSP  0x7fffffff6e18 —▸ 0x7ffff7b51c85 (lsr_read_id+629) ◂— mov    qword ptr [r15 + 8], 0
 RIP  0x7ffff75d9850 (free) ◂— endbr64
──────────────────────────────────────────────[ DISASM ]──────────────────────────────────────────────
 ► 0x7ffff75d9850 <free>       endbr64
   0x7ffff75d9854 <free+4>     sub    rsp, 0x18
   0x7ffff75d9858 <free+8>     mov    rax, qword ptr [rip + 0x14d699]
   0x7ffff75d985f <free+15>    mov    rax, qword ptr [rax]
   0x7ffff75d9862 <free+18>    test   rax, rax
   0x7ffff75d9865 <free+21>    jne    free+152                <free+152>

   0x7ffff75d986b <free+27>    test   rdi, rdi
   0x7ffff75d986e <free+30>    je     free+144                <free+144>

   0x7ffff75d9870 <free+32>    mov    rax, qword ptr [rdi - 8]
   0x7ffff75d9874 <free+36>    lea    rsi, [rdi - 0x10]
   0x7ffff75d9878 <free+40>    test   al, 2
──────────────────────────────────────────────[ STACK ]───────────────────────────────────────────────
00:0000│ rsp 0x7fffffff6e18 —▸ 0x7ffff7b51c85 (lsr_read_id+629) ◂— mov    qword ptr [r15 + 8], 0
01:0008│     0x7fffffff6e20 —▸ 0x5555555e37b0 —▸ 0x5555555e37d0 ◂— 0x8000000300000426
02:0010│     0x7fffffff6e28 ◂— 0x426
03:0018│     0x7fffffff6e30 —▸ 0x5555555e37b0 —▸ 0x5555555e37d0 ◂— 0x8000000300000426
04:0020│     0x7fffffff6e38 —▸ 0x7ffff784a61e (gf_node_setup+30) ◂— mov    qword ptr [rbx], rax
05:0028│     0x7fffffff6e40 ◂— 0x426
... ↓        2 skipped
────────────────────────────────────────────[ BACKTRACE ]─────────────────────────────────────────────
 ► f 0   0x7ffff75d9850 free
   f 1   0x7ffff7b51c85 lsr_read_id+629
   f 2   0x7ffff7b5e91b lsr_read_path+283
   f 3   0x7ffff7b61822 lsr_read_update_content_model+770
   f 4   0x7ffff7b59fc3 lsr_read_command_list+6819
   f 5   0x7ffff7b5ab74 lsr_decode_laser_unit+708
   f 6   0x7ffff7b6239d gf_laser_decode_command_list+333
   f 7   0x7ffff7aa3061 gf_sm_load_run_isom+1505
──────────────────────────────────────────────────────────────────────────────────────────────────────
pwndbg> bin
tcachebins
0x20 [  1]: 0x5555555e1690 ◂— 0x0
0x50 [  1]: 0x5555555e2ad0 ◂— 0x0
0xb0 [  1]: 0x5555555dc540 ◂— 0x0
0xc0 [  4]: 0x5555555d1d20 —▸ 0x5555555d2060 —▸ 0x5555555d2270 —▸ 0x5555555dc3c0 ◂— 0x0
0x140 [  1]: 0x5555555d1b80 ◂— 0x0
0x1c0 [  1]: 0x5555555d17a0 ◂— 0x0
0x210 [  1]: 0x5555555dd8b0 ◂— 0x0
0x410 [  1]: 0x5555555cee30 ◂— 0x0
fastbins
0x20: 0x0
0x30: 0x0
0x40: 0x0
0x50: 0x0
0x60: 0x0
0x70: 0x0
0x80: 0x0
unsortedbin
all: 0x0
smallbins
empty
largebins
empty
pwndbg> c
Continuing.
double free or corruption (out)
pwndbg> x/10gx 0x5555555e06f0-0x20
0x5555555e06d0: 0x0000000000000000      0x0000000000000061
0x5555555e06e0: 0x00005555555e0698      0x00007fffffff6a50
0x5555555e06f0: 0x00005555555e2758      0x00005555555e2758
0x5555555e0700: 0x0000000000000000      0x0000000000000000
0x5555555e0710: 0x0000000000000000      0x0000000000000000
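The following is an added triage example, not code from the report or from GPAC. It replays, against the words shown in the `x/10gx 0x5555555e06f0-0x20` dump above, the header sanity checks that glibc 2.31 (the malloc shipped with Ubuntu 20.04 focal, which the report runs on) performs in _int_free() before trusting a chunk, and walks the dumped chunk headers to see which chunk the pointer handed to free() falls inside. The breakpoint shows free() entered with mem=0x5555555e06f0, while the only well-formed header in the dumped words is at 0x5555555e06d0 with size word 0x61. Assumptions, labelled in the code: 0x5555555e06d0 is a chunk boundary, the arena end address is not on the page and is a made-up value, the tcache bin for a sane chunk is not full, and the tcache double-free key check and the `p == av->top` check, which need state the dump does not contain, are omitted.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added triage helper, not GPAC code. Heap words are copied from the issue's
 * `x/10gx 0x5555555e06f0-0x20` dump; constants follow glibc 2.31 on x86-64
 * (Ubuntu 20.04 focal). The arena end is an assumed value: the page does not
 * show av->top. */

#define SIZE_BITS     0x7ULL
#define PREV_INUSE    0x1ULL
#define IS_MMAPPED    0x2ULL
#define MALLOC_ALIGN  16ULL
#define MINSIZE       32ULL
#define TCACHE_MAX    0x410ULL  /* 64 tcache bins of 16 bytes; the dump's bin list ends at 0x410 */

static const uint64_t DUMP_BASE = 0x5555555e06d0ULL;
static const uint64_t DUMP[10] = {                 /* words exactly as dumped */
    0x0000000000000000ULL, 0x0000000000000061ULL,  /* 06d0: prev_size, size 0x60|PREV_INUSE */
    0x00005555555e0698ULL, 0x00007fffffff6a50ULL,  /* 06e0: that chunk's user data          */
    0x00005555555e2758ULL, 0x00005555555e2758ULL,  /* 06f0: the mem= passed to free         */
    0x0000000000000000ULL, 0x0000000000000000ULL,
    0x0000000000000000ULL, 0x0000000000000000ULL,
};
static const uint64_t ASSUMED_ARENA_END = 0x5555555e5000ULL;  /* hypothetical top + chunksize(top) */

/* Fetch one dumped word; 0 if addr is outside the dump or misaligned. */
static int read_word(uint64_t addr, uint64_t *out) {
    if ((addr & 7) || addr < DUMP_BASE || addr + 8 > DUMP_BASE + sizeof DUMP) return 0;
    *out = DUMP[(addr - DUMP_BASE) / 8];
    return 1;
}

/* Diagnostic glibc 2.31 _int_free() would raise for free(mem), or the path the
 * chunk takes when the header looks sane. The tcache key check ("double free
 * detected in tcache 2") and p == av->top need state not in the dump; skipped. */
const char *classify_free(uint64_t mem, uint64_t arena_end) {
    uint64_t p = mem - 2 * 8, hdr, size, next_hdr;       /* mem2chunk(mem) */
    if (!read_word(p + 8, &hdr)) return "size word outside dump";
    size = hdr & ~SIZE_BITS;                              /* chunksize(p) */
    if (p > (uint64_t)0 - size || (p & (MALLOC_ALIGN - 1)))
        return "free(): invalid pointer";
    if (size < MINSIZE || (size & (MALLOC_ALIGN - 1)))
        return "free(): invalid size";
    if (size <= TCACHE_MAX)                               /* tcache_put(), bin assumed not full */
        return "tcache";
    if (hdr & IS_MMAPPED)
        return "munmap_chunk";
    if (p + size >= arena_end)                            /* nextchunk lies past the arena top */
        return "double free or corruption (out)";
    if (!read_word(p + size + 8, &next_hdr)) return "next size word outside dump";
    if (!(next_hdr & PREV_INUSE))
        return "double free or corruption (!prev)";
    return "consolidate";
}

/* Walk chunk headers forward from DUMP_BASE (assumed to be a chunk boundary) and
 * return how far mem lies into some chunk's user data: 0 for an exact user
 * pointer, >0 for an interior pointer, -1 if no dumped chunk spans mem. */
int64_t interior_offset(uint64_t mem) {
    uint64_t p = DUMP_BASE, hdr;
    while (read_word(p + 8, &hdr)) {
        uint64_t size = hdr & ~SIZE_BITS;
        if (size < MINSIZE || (size & (MALLOC_ALIGN - 1))) break;   /* header no longer sane */
        if (mem >= p + 16 && mem < p + size) return (int64_t)(mem - (p + 16));
        p += size;
    }
    return -1;
}

int main(void) {
    uint64_t freed = 0x5555555e06f0ULL;   /* mem= at the __libc_free breakpoint */
    printf("free(0x%" PRIx64 "): %s\n", freed, classify_free(freed, ASSUMED_ARENA_END));
    printf("free(0x%" PRIx64 "): %s\n", freed - 0x10,
           classify_free(freed - 0x10, ASSUMED_ARENA_END));
    printf("0x%" PRIx64 " is %" PRId64 " bytes into the user data of the 0x60 chunk at 0x%" PRIx64 "\n",
           freed, interior_offset(freed), DUMP_BASE);
    return 0;
}
```

Run stand-alone, it reports that free(0x5555555e06f0) reads a size word of 0x7fffffff6a50 from the preceding chunk's user data and takes the same "double free or corruption (out)" path that malloc_printerr shows in the backtrace, whereas 0x5555555e06e0, 0x10 bytes earlier, heads a 0x60-byte chunk that would simply go to tcache. In a live session the one-line equivalent at the free breakpoint is `p/x *(size_t*)(mem-8)`: a size that is not a small multiple of 16 points to an interior or stale pointer rather than a genuine second free of the same chunk.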
jeanlf (Contributor) commented Dec 14, 2021

fixed when fixing #1983 and #1984, thanks for the files

@jeanlf jeanlf closed this as completed Dec 14, 2021