Thanks for reporting your issue. Please make sure these boxes are checked before submitting your issue - thank you!
Detailed guidelines: http://gpac.io/2013/07/16/how-to-file-a-bug-properly/
An invalid free was discovered in gf_svg_node_del(). The vulnerability causes a segmentation fault and an application crash.
Version:
MP4Box - GPAC version 1.1.0-DEV-rev1555-g339e7a736-master
(c) 2000-2021 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
Please cite our work in your research:
	GPAC Filters: https://doi.org/10.1145/3339825.3394929
	GPAC: https://doi.org/10.1145/1291233.1291452
GPAC Configuration: --prefix=/root/fuck_bin/gpac/test
Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_JPEG GPAC_HAS_PNG GPAC_HAS_LINUX_DVB GPAC_DISABLE_3D

System information:
Ubuntu 20.04 focal, AMD EPYC 7742 64-Core @ 16x 2.25GHz
command:
./MP4Box -bt poc
gf_svg_node_del-gf_node_unregister.zip
Result
┌─[root@aidai-virtual-machine] - [~/fuck_bin/gpac/results/fuckbt2] - [Tue Dec 14, 10:45]
└─[$] <> ../../test/lib/MP4Box -bt lsr_read_anim_values_ex.part-lsr_read_animateTransform/id:000439,sig:11,src:004575+004803,op:splice,rep:2
[iso file] extra box maxr found in hinf, deleting
[iso file] extra box maxr found in hinf, deleting
[iso file] Unknown box type 80rak in parent moov
[iso file] Incomplete box mdat - start 11495 size 853091
[iso file] Incomplete file while reading for dump - aborting parsing
[iso file] extra box maxr found in hinf, deleting
[iso file] extra box maxr found in hinf, deleting
[iso file] Unknown box type 80rak in parent moov
[iso file] Incomplete box mdat - start 11495 size 853091
[iso file] Incomplete file while reading for dump - aborting parsing
MPEG-4 LASeR Scene Parsing
[LASeR] memory overread - corrupted decoding
[1]    3777658 segmentation fault  ../../test/lib/MP4Box -bt

┌─[root@aidai-virtual-machine] - [~/fuck_bin/gpac/results/fuckbt2] - [Tue Dec 14, 10:45]
└─[$] <> /root/fuck_bin/gpac/test/lib/MP4Box -bt gf_svg_node_del-gf_node_unregister/id:000409,sig:11,src:004547,op:havoc,rep:8
[iso file] extra box maxr found in hinf, deleting
[iso file] extra box maxr found in hinf, deleting
[iso file] Unknown box type 80rak in parent moov
[iso file] Incomplete box mdat - start 11495 size 853069
[iso file] Incomplete file while reading for dump - aborting parsing
[iso file] extra box maxr found in hinf, deleting
[iso file] extra box maxr found in hinf, deleting
[iso file] Unknown box type 80rak in parent moov
[iso file] Incomplete box mdat - start 11495 size 853069
[iso file] Incomplete file while reading for dump - aborting parsing
MPEG-4 LASeR Scene Parsing
[LASeR] samerect coded in bitstream but no rect defined !
double free or corruption (out)
[1]    3786815 abort      /root/fuck_bin/gpac/test/lib/MP4Box -bt
gdb
Program received signal SIGABRT, Aborted.
__GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
50      ../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
────────────────────[ REGISTERS ]────────────────────
 RAX  0x0
 RBX  0x7ffff72bf040 ◂— 0x7ffff72bf040
 RCX  0x7ffff758218b (raise+203) ◂— mov rax, qword ptr [rsp + 0x108]
 RDX  0x0
 RDI  0x2
 RSI  0x7fffffff6a30 ◂— 0x0
 R8   0x0
 R9   0x7fffffff6a30 ◂— 0x0
 R10  0x8
 R11  0x246
 R12  0x7fffffff6ca0 ◂— 0x0
 R13  0x10
 R14  0x7ffff7ffb000 ◂— 0x62756f6400001000
 R15  0x1
 RBP  0x7fffffff6d80 —▸ 0x7ffff7727b80 (main_arena) ◂— 0x0
 RSP  0x7fffffff6a30 ◂— 0x0
 RIP  0x7ffff758218b (raise+203) ◂— mov rax, qword ptr [rsp + 0x108]
─────────────────────[ DISASM ]──────────────────────
 ► 0x7ffff758218b <raise+203>    mov    rax, qword ptr [rsp + 0x108]
   0x7ffff7582193 <raise+211>    xor    rax, qword ptr fs:[0x28]
   0x7ffff758219c <raise+220>    jne    raise+260 <raise+260>
    ↓
   0x7ffff75821c4 <raise+260>    call   __stack_chk_fail <__stack_chk_fail>
   0x7ffff75821c9                nop    dword ptr [rax]
   0x7ffff75821d0 <killpg>       endbr64
   0x7ffff75821d4 <killpg+4>     test   edi, edi
   0x7ffff75821d6 <killpg+6>     js     killpg+16 <killpg+16>
   0x7ffff75821d8 <killpg+8>     neg    edi
   0x7ffff75821da <killpg+10>    jmp    kill <kill>
   0x7ffff75821df <killpg+15>    nop
──────────────────────[ STACK ]──────────────────────
00:0000│ rsi r9 rsp 0x7fffffff6a30 ◂— 0x0
01:0008│            0x7fffffff6a38 —▸ 0x7ffff7fe7c2e ◂— mov r11, rax
02:0010│            0x7fffffff6a40 ◂— 0x2
03:0018│            0x7fffffff6a48 —▸ 0x5555555e06e0 —▸ 0x5555555e0698 ◂— 0x0
04:0020│            0x7fffffff6a50 ◂— 0x18
05:0028│            0x7fffffff6a58 —▸ 0x5555555e06f0 —▸ 0x5555555e2758 ◂— 0x0
06:0030│            0x7fffffff6a60 —▸ 0x5555555e37b0 —▸ 0x5555555e37d0 ◂— 0x8000000300000426
07:0038│            0x7fffffff6a68 —▸ 0x5555555e06f0 —▸ 0x5555555e2758 ◂— 0x0
────────────────────[ BACKTRACE ]────────────────────
 ► f 0 0x7ffff758218b raise+203
   f 1 0x7ffff7561859 abort+299
   f 2 0x7ffff75cc3ee __libc_message+670
   f 3 0x7ffff75d447c
   f 4 0x7ffff75d6120 _int_free+1888
   f 5 0x7ffff7b51c85 lsr_read_id+629
   f 6 0x7ffff7b5e91b lsr_read_path+283
   f 7 0x7ffff7b61822 lsr_read_update_content_model+770
─────────────────────────────────────────────────────
pwndbg> bt
#0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
#1  0x00007ffff7561859 in __GI_abort () at abort.c:79
#2  0x00007ffff75cc3ee in __libc_message (action=action@entry=do_abort, fmt=fmt@entry=0x7ffff76f6285 "%s\n") at ../sysdeps/posix/libc_fatal.c:155
#3  0x00007ffff75d447c in malloc_printerr (str=str@entry=0x7ffff76f8670 "double free or corruption (out)") at malloc.c:5347
#4  0x00007ffff75d6120 in _int_free (av=0x7ffff7727b80 <main_arena>, p=0x5555555e06e0, have_lock=<optimized out>) at malloc.c:4314
#5  0x00007ffff7b51c85 in lsr_read_id () from /root/fuck_bin/gpac/test/lib/libgpac.so.10
#6  0x00007ffff7b5e91b in lsr_read_path () from /root/fuck_bin/gpac/test/lib/libgpac.so.10
#7  0x00007ffff7b61822 in lsr_read_update_content_model () from /root/fuck_bin/gpac/test/lib/libgpac.so.10
#8  0x00007ffff7b59fc3 in lsr_read_command_list () from /root/fuck_bin/gpac/test/lib/libgpac.so.10
#9  0x00007ffff7b5ab74 in lsr_decode_laser_unit () from /root/fuck_bin/gpac/test/lib/libgpac.so.10
#10 0x00007ffff7b6239d in gf_laser_decode_command_list () from /root/fuck_bin/gpac/test/lib/libgpac.so.10
#11 0x00007ffff7aa3061 in gf_sm_load_run_isom () from /root/fuck_bin/gpac/test/lib/libgpac.so.10
#12 0x00005555555844a8 in dump_isom_scene ()
#13 0x000055555557b42c in mp4boxMain ()
#14 0x00007ffff75630b3 in __libc_start_main (main=0x55555556c420 <main>, argc=3, argv=0x7fffffffe1e8, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe1d8) at ../csu/libc-start.c:308
#15 0x000055555556c45e in _start ()

Breakpoint 4, __GI___libc_free (mem=0x5555555e06f0) at malloc.c:3087
3087    in malloc.c
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
────────────────────[ REGISTERS ]────────────────────
 RAX  0x5555555e37b0 —▸ 0x5555555e37d0 ◂— 0x8000000300000426
 RBX  0x5555555dc120 —▸ 0x5555555d1a00 ◂— 0x0
*RCX  0x27
*RDX  0xa
*RDI  0x5555555e06f0 —▸ 0x5555555e2758 ◂— 0x0
*RSI  0xfffffff7
 R8   0x1999999999999999
 R9   0x0
 R10  0x7ffff76daac0 (_nl_C_LC_CTYPE_toupper+512) ◂— 0x100000000
 R11  0x7ffff76db3c0 (_nl_C_LC_CTYPE_class+256) ◂— 0x2000200020002
 R12  0x1
*R13  0x3
 R14  0x0
*R15  0x7fffffff6a50 ◂— 0x18
 RBP  0x0
 RSP  0x7fffffff6e18 —▸ 0x7ffff7b51c85 (lsr_read_id+629) ◂— mov qword ptr [r15 + 8], 0
 RIP  0x7ffff75d9850 (free) ◂— endbr64
─────────────────────[ DISASM ]──────────────────────
 ► 0x7ffff75d9850 <free>       endbr64
   0x7ffff75d9854 <free+4>     sub    rsp, 0x18
   0x7ffff75d9858 <free+8>     mov    rax, qword ptr [rip + 0x14d699]
   0x7ffff75d985f <free+15>    mov    rax, qword ptr [rax]
   0x7ffff75d9862 <free+18>    test   rax, rax
   0x7ffff75d9865 <free+21>    jne    free+152 <free+152>
   0x7ffff75d986b <free+27>    test   rdi, rdi
   0x7ffff75d986e <free+30>    je     free+144 <free+144>
   0x7ffff75d9870 <free+32>    mov    rax, qword ptr [rdi - 8]
   0x7ffff75d9874 <free+36>    lea    rsi, [rdi - 0x10]
   0x7ffff75d9878 <free+40>    test   al, 2
──────────────────────[ STACK ]──────────────────────
00:0000│ rsp 0x7fffffff6e18 —▸ 0x7ffff7b51c85 (lsr_read_id+629) ◂— mov qword ptr [r15 + 8], 0
01:0008│     0x7fffffff6e20 —▸ 0x5555555e37b0 —▸ 0x5555555e37d0 ◂— 0x8000000300000426
02:0010│     0x7fffffff6e28 ◂— 0x426
03:0018│     0x7fffffff6e30 —▸ 0x5555555e37b0 —▸ 0x5555555e37d0 ◂— 0x8000000300000426
04:0020│     0x7fffffff6e38 —▸ 0x7ffff784a61e (gf_node_setup+30) ◂— mov qword ptr [rbx], rax
05:0028│     0x7fffffff6e40 ◂— 0x426
... ↓ 2 skipped
────────────────────[ BACKTRACE ]────────────────────
 ► f 0 0x7ffff75d9850 free
   f 1 0x7ffff7b51c85 lsr_read_id+629
   f 2 0x7ffff7b5e91b lsr_read_path+283
   f 3 0x7ffff7b61822 lsr_read_update_content_model+770
   f 4 0x7ffff7b59fc3 lsr_read_command_list+6819
   f 5 0x7ffff7b5ab74 lsr_decode_laser_unit+708
   f 6 0x7ffff7b6239d gf_laser_decode_command_list+333
   f 7 0x7ffff7aa3061 gf_sm_load_run_isom+1505
─────────────────────────────────────────────────────
pwndbg> bin
tcachebins
0x20 [  1]: 0x5555555e1690 ◂— 0x0
0x50 [  1]: 0x5555555e2ad0 ◂— 0x0
0xb0 [  1]: 0x5555555dc540 ◂— 0x0
0xc0 [  4]: 0x5555555d1d20 —▸ 0x5555555d2060 —▸ 0x5555555d2270 —▸ 0x5555555dc3c0 ◂— 0x0
0x140 [  1]: 0x5555555d1b80 ◂— 0x0
0x1c0 [  1]: 0x5555555d17a0 ◂— 0x0
0x210 [  1]: 0x5555555dd8b0 ◂— 0x0
0x410 [  1]: 0x5555555cee30 ◂— 0x0
fastbins
0x20: 0x0
0x30: 0x0
0x40: 0x0
0x50: 0x0
0x60: 0x0
0x70: 0x0
0x80: 0x0
unsortedbin
all: 0x0
smallbins
empty
largebins
empty
pwndbg> c
Continuing.
double free or corruption (out)
pwndbg> x/10gx 0x5555555e06f0-0x20
0x5555555e06d0: 0x0000000000000000 0x0000000000000061
0x5555555e06e0: 0x00005555555e0698 0x00007fffffff6a50
0x5555555e06f0: 0x00005555555e2758 0x00005555555e2758
0x5555555e0700: 0x0000000000000000 0x0000000000000000
0x5555555e0710: 0x0000000000000000 0x0000000000000000
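The gdb session above records the pointer handed to free() (mem=0x5555555e06f0) and the ten heap qwords around it. As an added triage aid, which is not part of the issue and not GPAC or glibc code, the C program below re-implements the sanity checks that glibc 2.31 (the libc of the Ubuntu 20.04 host in the backtrace) runs in __libc_free()/_int_free() before a chunk is binned, and applies them to those ten qwords, copied into the program as a constructed snapshot. The arena's top chunk is not visible in the dump, so the heap upper bound used for the "(out)" check is an assumed value, and the function names classify_free and interior_offset are the example's own.

```c
/* Model of the sanity checks glibc 2.31 runs in __libc_free()/_int_free()
 * before a chunk is binned, applied to the heap words captured in the issue's
 * `x/10gx 0x5555555e06f0-0x20` dump.  Added triage example: not GPAC code and
 * not glibc code, only the decision sequence that picks the abort message. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SIZE_SZ       ((uintptr_t)sizeof(size_t))
#define MALLOC_ALIGN  (2 * SIZE_SZ)      /* 16 on x86-64 */
#define MINSIZE       (4 * SIZE_SZ)      /* 0x20, smallest chunk */
#define MAX_FAST      ((uintptr_t)0x80)  /* default global_max_fast on 64-bit */
#define TCACHE_MAXSZ  ((uintptr_t)0x410) /* largest chunk size with a tcache bin */
#define SIZE_BITS     ((uintptr_t)0x7)   /* PREV_INUSE | IS_MMAPPED | NON_MAIN_ARENA */
#define IS_MMAPPED    ((uintptr_t)0x2)

/* Heap snapshot: ten qwords copied from the gdb output in the issue. */
static const uintptr_t SNAP_BASE = 0x5555555e06d0;
static const uint64_t SNAP[10] = {
    0x0000000000000000, 0x0000000000000061, /* 0x..06d0: prev_size, size|PREV_INUSE */
    0x00005555555e0698, 0x00007fffffff6a50, /* 0x..06e0: first 16 user bytes of that chunk */
    0x00005555555e2758, 0x00005555555e2758, /* 0x..06f0: the pointer passed to free() */
    0x0000000000000000, 0x0000000000000000,
    0x0000000000000000, 0x0000000000000000,
};

/* The arena's top chunk is not in the dump.  Assumed upper bound of the heap
 * for the "(out)" check: a next-chunk address at or past it is off the arena. */
static const uintptr_t ASSUMED_HEAP_END = 0x555555600000;

/* Reads one qword from the snapshot; fails outside it or when misaligned. */
static int snap_read(uintptr_t addr, uint64_t *out) {
    if ((addr & 7) || addr < SNAP_BASE || addr + 8 > SNAP_BASE + sizeof SNAP)
        return 0;
    *out = SNAP[(addr - SNAP_BASE) / 8];
    return 1;
}

/* Returns the message glibc would abort with for free(mem), or an "ok (...)"
 * string naming the path a well-formed chunk of that size would take.  The
 * tcache-full fallback into the fastbin/normal path is collapsed into "ok". */
const char *classify_free(uintptr_t mem) {
    uintptr_t p = mem - 2 * SIZE_SZ;          /* mem2chunk(): header is 16 bytes below */
    uint64_t szword;
    if (!snap_read(p + SIZE_SZ, &szword))
        return "unknown (size field outside snapshot)";
    uintptr_t size = (uintptr_t)szword & ~SIZE_BITS;

    /* __libc_free / _int_free preconditions, in glibc's order */
    if (p > (uintptr_t)-size || (mem & (MALLOC_ALIGN - 1)))
        return "free(): invalid pointer";
    if (size < MINSIZE || (size & (MALLOC_ALIGN - 1)))
        return "free(): invalid size";
    if (size <= TCACHE_MAXSZ)
        return "ok (tcache path)";   /* a real double free is caught here by the tcache key */
    if (size <= MAX_FAST)
        return "ok (fastbin path)";
    if (szword & IS_MMAPPED)
        return "ok (munmap path)";

    uintptr_t nextchunk = p + size;          /* chunk_at_offset(p, size) */
    if (nextchunk < p || nextchunk >= ASSUMED_HEAP_END)
        return "double free or corruption (out)";
    return "ok (consolidation path)";
}

/* Walks chunk headers from the start of the snapshot and returns the offset of
 * `mem` inside the user area of the chunk that contains it, or -1 if no chunk
 * in the snapshot covers it.  Offset 0 means `mem` is a genuine malloc result. */
long interior_offset(uintptr_t mem) {
    uintptr_t p = SNAP_BASE;
    uint64_t szword;
    while (snap_read(p + SIZE_SZ, &szword)) {
        uintptr_t size = (uintptr_t)szword & ~SIZE_BITS;
        if (size < MINSIZE || (size & (MALLOC_ALIGN - 1)))
            break;                           /* header no longer looks like a chunk */
        uintptr_t user = p + 2 * SIZE_SZ;
        if (mem >= user && mem < p + size)
            return (long)(mem - user);
        p += size;
    }
    return -1;
}

int main(void) {
    const uintptr_t freed = 0x5555555e06f0;  /* mem= argument at the free() breakpoint */
    const uintptr_t real  = 0x5555555e06e0;  /* user pointer of the enclosing chunk */
    printf("free(%#lx): %s, offset in enclosing chunk %ld\n",
           (unsigned long)freed, classify_free(freed), interior_offset(freed));
    printf("free(%#lx): %s, offset in enclosing chunk %ld\n",
           (unsigned long)real, classify_free(real), interior_offset(real));
    return 0;
}
```

Running it shows that 0x5555555e06f0 is not a chunk start: it lies 0x10 bytes into the 0x60-byte chunk whose header is at 0x5555555e06d0, so glibc reads the user word 0x00007fffffff6a50 as the size field, skips the tcache and fastbin paths because that "size" is huge, and computes a next chunk far past the arena, which is precisely the "double free or corruption (out)" path. The crash is therefore an interior-pointer (invalid) free, as the issue title says, rather than a second free of a valid chunk; on this glibc a true double free of a tcache-sized chunk would instead have been reported as "free(): double free detected in tcache 2".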
fixed when fixing #1983 and #1984, thanks for the files